A multi-step attack-correlation method with privacy protection (cited by: 2)

Abstract: In the era of global Internet security threats, there is an urgent need for different organizations to cooperate and jointly fight against cyber attacks. We present an algorithm that combines a privacy-preserving technique with a multi-step attack-correlation method to better balance the privacy and availability of alarm data. The algorithm constructs multi-step attack scenarios by discovering sequential attack-behavior patterns. It analyzes the time-sequential characteristics of attack behaviors and implements a support-evaluation method. Optimized candidate attack-sequence generation is applied to address the complexity of pre-defined association rules and the dependency on expert knowledge. An enhanced k-anonymity method is applied to the algorithm to preserve privacy. Experimental results indicate that the algorithm achieves better performance and accuracy for multi-step attack correlation than other methods, and reaches a good balance between efficiency and privacy.
Source: Journal of Communications and Information Networks (通信与信息网络学报), 2016, No. 4, pp. 133-142 (10 pages).
Funding: This work is supported by the Ordinary University Innovation Project of Guangdong Province (Nos. 2014KTSCX212, 2014KQNCX24).
