考虑置信度的告警因果关联的研究

Research on Causal Correlation of Alerts with Confidence Measurement

一个成功的网络攻击往往由若干个处于不同阶段的入侵行为组成,较早发生的入侵行为为下一阶段的攻击做好准备。在因果关联方法中,可以利用入侵行为所需的攻击前提和造成的攻击结果,重构攻击者的攻击场景。论文引入了告警关联置信度的属性描述,用于分析因果关联结果的可信度,进而能够进一步消除虚假关联关系。通过DARPA标准数据集分析,该方法取得了较好的实验结果。

A successful network attack is usually composed of different attacks in different stages, with the early ones preparing for the later ones. In the method of causal correlating, intrusion alerts are correlated by using prerequisites and consequences of the corresponding attacks so as to reconstruct attack scenarios. In this paper, confidence measurement is introduced as an attribute of correlation between alerts, thus to analyze the reliability of causal correlation and reduce the false correlations. The desired results have been obtained in the experiment using the standard data set DARPA