
An Attack Continuity Based Method for Alert Correlation and Aggregation
Abstract: Existing alert correlation and aggregation methods fall short in deeply characterizing the attack motivation and exploring the internal logical relationship among alerts. To address the above problems, an attack-continuity-based method is designed for alert correlation and aggregation in this paper. In this method, the original alert sequence is filtered from source IP to destination IP, and then the continuity of neighboring malicious requests is evaluated in terms of malicious payload similarity, attacker identification, attack triggering location, and weapon platform information, based on which the original alerts are aggregated into groups. Experiments on two different types of attacks, in scenarios built from a variety of real vulnerabilities, are carried out. The results prove that the attack types can be differentiated while redundant alerts are aggregated using the proposed algorithm, which can provide support for analyzing and correlating multi-step attacks.
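To make the aggregation step concrete, here is an added illustration (not code from the paper): alerts are first bucketed by source-to-destination IP flow, then each adjacent pair is scored on the four continuity dimensions the abstract names, and a new group starts wherever the score drops below a threshold. The sample alerts, the per-dimension metrics (difflib ratio for payload similarity, User-Agent as identity and platform fingerprint, URL path plus parameter as trigger location), the weights and the threshold are all assumptions made for this example, not values from the paper.

```python
from collections import defaultdict
from difflib import SequenceMatcher

# Constructed sample alerts (not from the paper): one entry per malicious request.
ALERTS = [
    {"src": "10.0.0.5", "dst": "10.0.1.10", "ua": "sqlmap/1.7", "path": "/login", "param": "user", "payload": "' OR 1=1--"},
    {"src": "10.0.0.5", "dst": "10.0.1.10", "ua": "sqlmap/1.7", "path": "/login", "param": "user", "payload": "' OR 1=1 UNION SELECT 1,2--"},
    {"src": "10.0.0.5", "dst": "10.0.1.10", "ua": "sqlmap/1.7", "path": "/login", "param": "user", "payload": "' UNION SELECT user,pass FROM users--"},
    {"src": "10.0.0.5", "dst": "10.0.1.10", "ua": "curl/8.0", "path": "/upload", "param": "file", "payload": "<?php system($_GET['c']); ?>"},
    {"src": "10.0.0.7", "dst": "10.0.1.10", "ua": "Nikto/2.1", "path": "/admin", "param": "", "payload": "../../etc/passwd"},
]


def continuity(a, b):
    """Score in [0, 1] for how likely alert b continues the attack step of alert a.
    The four dimensions follow the abstract; the metrics and weights are assumptions."""
    payload_sim = SequenceMatcher(None, a["payload"], b["payload"]).ratio()   # payload similarity
    same_identity = 1.0 if a["ua"] == b["ua"] else 0.0                          # attacker identification
    same_location = 1.0 if (a["path"], a["param"]) == (b["path"], b["param"]) else 0.0  # trigger location
    same_platform = 1.0 if a["ua"].split("/")[0] == b["ua"].split("/")[0] else 0.0      # weapon platform
    return 0.4 * payload_sim + 0.2 * same_identity + 0.2 * same_location + 0.2 * same_platform


def aggregate(alerts, threshold=0.5):
    """Filter alerts by (src, dst) flow, then split each flow's ordered alert list
    into groups wherever two adjacent alerts are not continuous."""
    flows = defaultdict(list)
    for alert in alerts:
        flows[(alert["src"], alert["dst"])].append(alert)
    groups = []
    for flow_alerts in flows.values():
        group = [flow_alerts[0]]
        for prev, cur in zip(flow_alerts, flow_alerts[1:]):
            if continuity(prev, cur) >= threshold:
                group.append(cur)
            else:
                groups.append(group)   # continuity broken: close the current group
                group = [cur]
        groups.append(group)
    return groups


if __name__ == "__main__":
    for i, g in enumerate(aggregate(ALERTS)):
        print(f"group {i}: {[a['payload'] for a in g]}")
```

On the sample data the three sqlmap requests against /login collapse into one group, the webshell upload from a different tool opens a second group, and the other source IP forms a third, so redundant alerts are merged without mixing attack types.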
Authors: 王文博 (WANG Wenbo), 马海龙 (MA Hailong), 韩伟涛 (HAN Weitao), 王程禹 (WANG Chengyu). Information Engineering University, Zhengzhou 450001, China; Key Laboratory of Cyberspace Security, Ministry of Education, Zhengzhou 450001, China.
Source: Journal of Information Engineering University (《信息工程大学学报》), 2024, No. 3, pp. 292-297 (6 pages).
Funding: National Natural Science Foundation of China (62176214).
Keywords: advanced persistent threat detection; alert correlation; alert aggregation; attack continuity.