Building attack scenario is one of the most important aspects in network security.This paper pro-posed a system which collects intrusion alerts,clusters them as sub-attacks using alerts abstraction,ag-gregates the sim...Building attack scenario is one of the most important aspects in network security.This paper pro-posed a system which collects intrusion alerts,clusters them as sub-attacks using alerts abstraction,ag-gregates the similar sub-attacks,and then correlates and generates correlation graphs.The scenarios wererepresented by alert classes instead of alerts themselves so as to reduce the required rules and have the a-bility of detecting new variations of attacks.The proposed system is capable of passing some of the missedattacks.To evaluate system effectiveness,it was tested with different datasets which contain multi-stepattacks.Compressed and easily understandable Correlation graphs which reflect attack scenarios were gen-erated.The proposed system can correlate related alerts,uncover the attack strategies,and detect newvariations of attacks.展开更多
Currently, most anomaly detection pattern learning algorithms require a set of purely normal data from which they train their model. If the data contain some intrusions buried within the training data, the algorithm m...Currently, most anomaly detection pattern learning algorithms require a set of purely normal data from which they train their model. If the data contain some intrusions buried within the training data, the algorithm may not detect these attacks because it will assume that they are normal. In reality, it is very hard to guarantee that there are no attack items in the collected training data. Focusing on this problem, in this paper, firstly a new anomaly detection measurement is proposed according to the probability characteristics of intrusion instances and normal instances. Secondly, on the basis of anomaly detection measure, we present a clustering-based unsupervised anomaly detection patterns learning algorithm, which can overcome the shortage above. Finally, some experiments are conducted to verify the proposed algorithm is valid.展开更多
基金the National High Technology Research and Development Programme of China(2006AA01Z452)
文摘Building attack scenario is one of the most important aspects in network security.This paper pro-posed a system which collects intrusion alerts,clusters them as sub-attacks using alerts abstraction,ag-gregates the similar sub-attacks,and then correlates and generates correlation graphs.The scenarios wererepresented by alert classes instead of alerts themselves so as to reduce the required rules and have the a-bility of detecting new variations of attacks.The proposed system is capable of passing some of the missedattacks.To evaluate system effectiveness,it was tested with different datasets which contain multi-stepattacks.Compressed and easily understandable Correlation graphs which reflect attack scenarios were gen-erated.The proposed system can correlate related alerts,uncover the attack strategies,and detect newvariations of attacks.
文摘Currently, most anomaly detection pattern learning algorithms require a set of purely normal data from which they train their model. If the data contain some intrusions buried within the training data, the algorithm may not detect these attacks because it will assume that they are normal. In reality, it is very hard to guarantee that there are no attack items in the collected training data. Focusing on this problem, in this paper, firstly a new anomaly detection measurement is proposed according to the probability characteristics of intrusion instances and normal instances. Secondly, on the basis of anomaly detection measure, we present a clustering-based unsupervised anomaly detection patterns learning algorithm, which can overcome the shortage above. Finally, some experiments are conducted to verify the proposed algorithm is valid.
