Method for reconstructing network attack path based on frequent pattern-growth algorithm

A frequent pattern-growth attack path reconstruction technology, applied in the field of network information security. It addresses the heavy resource consumption of existing approaches, the difficulty of ensuring accurate results, and the unsuitability of the Apriori algorithm for mining long frequent sequences, thereby improving mining efficiency and reducing system overhead.

Inactive Publication Date: 2010-12-29
中国航天科技集团公司第七一0研究所 +1

AI Technical Summary

Problems solved by technology

[0022] 1. The Apriori algorithm generates a large number of candidate sets during the mining process, which seriously consumes resources;
[0023] 2. The Apriori algorithm needs to scan the database repeatedly to mine the frequent sequences of each length level, so its time complexity is high;
[0024] 3. Since the Apriori algorithm is not suitable for mining long frequent sequences, the SATA system can only mine attack sequences of no more than 10 steps, and is helpless for longer attack sequences;
[0025] 4. Since the SATA system simply sorts the alarm event sequence in chronological order before mining, its mining objects are still discrete alarm events that have not been associated. The final mining result is therefore a simple aggregation of all alarm events that meet the minimum support, which cannot directly form an attack path; the administrator needs to reprocess the data based on experience, so it is difficult to guarantee the accuracy of the results.



Examples


Embodiment Construction

[0091] The method of the present invention will be described in detail below with reference to the drawings and specific implementations.

[0092] To test the effectiveness of the method proposed by the present invention, an application system designed on the principle of the method is used for experiments. The experimental hardware environment is a pre-built LAN with three hosts connected by a hub. The software environment is as follows: the IDS is Snort, the scanner is X-Scan, and the antivirus software is Kaspersky. One host is randomly selected as the attacker and controlled to attack another host, the attacked host. The antivirus software and the scanner are installed on the attacked host, and the IDS is installed on the third host.

[0093] In order to simulate the real attack scenario more effectively, the DARPA 2000 data set is used to simulate the background data traffic in the attack scenario. After the experiment started, the system collected 267 alarm eve...


Abstract

The invention relates to a technology for reconstructing a network attack path based on a frequent pattern-growth algorithm. It belongs to the technical field of network information security and is suitable for intrusion detection systems (IDS) and other security monitoring systems. In the invention, alarm event data from the IDS and from other security tools, such as antivirus software and scanners, are associated and fused into complementary intrusion evidence, so that each attack step has a corresponding system state as an objective reflection of the attack's effect. Bayesian network-based attack scenes are established on the basis of these data. Frequent attack sequences are mined from the attack scenes using the frequent pattern-growth algorithm, which improves mining efficiency and markedly reduces system overhead. The mined frequent attack sequences are then associated once again so as to reconstruct the attack path and clearly judge possible attack intentions.
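The mining step described in the abstract can be illustrated with a PrefixSpan-style projection miner, used here as a stand-in for the frequent pattern-growth step. This is an added example, not the patent's own algorithm or code; the alert labels, the constructed attack scenes, the function names and the support thresholds are all assumptions.

```python
from collections import defaultdict

# Constructed attack scenes: time-ordered, already-correlated alert types.
# Labels are illustrative assumptions, not taken from the patent.
SCENES = [
    ["port_scan", "vuln_scan", "ftp_bruteforce", "shell_upload", "priv_esc"],
    ["port_scan", "icmp_sweep", "vuln_scan", "shell_upload", "priv_esc"],
    ["icmp_sweep", "port_scan", "vuln_scan", "ftp_bruteforce", "shell_upload"],
    ["port_scan", "vuln_scan", "av_trojan_alert"],
]

def mine_frequent_sequences(scenes, min_support):
    """Pattern-growth mining of frequent subsequences: {pattern: support}.

    No candidate sets are generated and the data is never rescanned per
    length level: a pattern is grown only inside the suffixes (projected
    database) of the scenes that already contain it.
    """
    results = {}

    def grow(prefix, projected):
        # projected holds (scene_index, start_offset) suffix pointers.
        support = defaultdict(set)
        first_pos = {}
        for sid, start in projected:
            seen = set()
            for pos in range(start, len(scenes[sid])):
                item = scenes[sid][pos]
                if item not in seen:  # count each scene once per item
                    seen.add(item)
                    support[item].add(sid)
                    first_pos[(item, sid)] = pos
        for item, sids in sorted(support.items()):
            if len(sids) < min_support:
                continue
            pattern = prefix + (item,)
            results[pattern] = len(sids)
            grow(pattern, [(s, first_pos[(item, s)] + 1) for s in sorted(sids)])

    grow((), [(i, 0) for i in range(len(scenes))])
    return results

def maximal_paths(patterns):
    """Drop patterns that are a subsequence of another frequent pattern."""
    def is_subseq(a, b):
        it = iter(b)
        return all(x in it for x in a)
    return sorted(p for p in patterns
                  if not any(p != q and is_subseq(p, q) for q in patterns))

if __name__ == "__main__":
    for path in maximal_paths(mine_frequent_sequences(SCENES, 3)):
        print(" -> ".join(path))
```

The maximal patterns are the candidate attack paths; unlike the 10-step limit noted above for the Apriori-based approach, the recursion depth is bounded only by the length of the scenes.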

Description

Technical field

[0001] The invention relates to an attack path reconstruction technology based on a frequent pattern-growth algorithm, which belongs to the technical field of network information security and is suitable for intrusion detection systems (IDS) and other security monitoring systems.

Background technique

[0002] The intrusion detection system (IDS) detects behavior or activity that violates the security policy or endangers the security of the system by checking the audit data of the operating system or network data packet information, and responds according to the preset policy. Because the IDS provides a large number of independent, raw alarm events, and there are missing and false alarms, these data cannot be used directly. At present, the commonly used method is to gather and correlate low-level alarm events to establish high-level attack scenarios, that is, to analyze a series of attack steps taken by the intruder to achieve the intrusion goal from a l...


Application Information

Patent Type & Authority: Applications (China)
IPC(8): H04L12/26, G06F17/30
Inventor: 王崑声, 白昊, 胡昌振
Owner: 中国航天科技集团公司第七一0研究所