Building attack scenario is one of the most important aspects in network security.This paper pro-posed a system which collects intrusion alerts,clusters them as sub-attacks using alerts abstraction,ag-gregates the sim...Building attack scenario is one of the most important aspects in network security.This paper pro-posed a system which collects intrusion alerts,clusters them as sub-attacks using alerts abstraction,ag-gregates the similar sub-attacks,and then correlates and generates correlation graphs.The scenarios wererepresented by alert classes instead of alerts themselves so as to reduce the required rules and have the a-bility of detecting new variations of attacks.The proposed system is capable of passing some of the missedattacks.To evaluate system effectiveness,it was tested with different datasets which contain multi-stepattacks.Compressed and easily understandable Correlation graphs which reflect attack scenarios were gen-erated.The proposed system can correlate related alerts,uncover the attack strategies,and detect newvariations of attacks.展开更多
针对大规模网络环境下海量告警信息的重复性、不完整和不可管理给网络安全管理带来的新的挑战,提出了一种基于因果关系的实时入侵告警关联(RIAC)系统,以解决海量告警的实时关联和可视化管理问题。此RIAC系统利用分布式Agent实时地捕获...针对大规模网络环境下海量告警信息的重复性、不完整和不可管理给网络安全管理带来的新的挑战,提出了一种基于因果关系的实时入侵告警关联(RIAC)系统,以解决海量告警的实时关联和可视化管理问题。此RIAC系统利用分布式Agent实时地捕获和预处理告警信息,然后由因果关联引擎对其进行分析和处理,从而揭示告警信息背后隐藏的攻击场景和攻击意图。使用MIT Lincoln Lab提供的攻击场景数据集LLDOS1.0和真实IPv6数据集对该RIAC系统进行了测试,实验结果验证了其有效性和实时性。展开更多
基金the National High Technology Research and Development Programme of China(2006AA01Z452)
文摘Building attack scenario is one of the most important aspects in network security.This paper pro-posed a system which collects intrusion alerts,clusters them as sub-attacks using alerts abstraction,ag-gregates the similar sub-attacks,and then correlates and generates correlation graphs.The scenarios wererepresented by alert classes instead of alerts themselves so as to reduce the required rules and have the a-bility of detecting new variations of attacks.The proposed system is capable of passing some of the missedattacks.To evaluate system effectiveness,it was tested with different datasets which contain multi-stepattacks.Compressed and easily understandable Correlation graphs which reflect attack scenarios were gen-erated.The proposed system can correlate related alerts,uncover the attack strategies,and detect newvariations of attacks.
文摘针对大规模网络环境下海量告警信息的重复性、不完整和不可管理给网络安全管理带来的新的挑战,提出了一种基于因果关系的实时入侵告警关联(RIAC)系统,以解决海量告警的实时关联和可视化管理问题。此RIAC系统利用分布式Agent实时地捕获和预处理告警信息,然后由因果关联引擎对其进行分析和处理,从而揭示告警信息背后隐藏的攻击场景和攻击意图。使用MIT Lincoln Lab提供的攻击场景数据集LLDOS1.0和真实IPv6数据集对该RIAC系统进行了测试,实验结果验证了其有效性和实时性。