Attack-graph-based intrusion response mode

An attack graph and attacker's technology, applied to electrical components, transmission systems, etc., to achieve the effect of enhancing accuracy

Inactive Publication Date: 2011-11-02
JIANGSU NANDASOFT TECHNOLOGY COMPANY LIMITED +1

AI Technical Summary

Problems solved by technology

[0002] Since James Anderson first proposed the concept of intrusion detection in the 1980s, the intrusion detection system (IDS) has developed considerably as a component of network security. However, compared with security components such as firewalls and VPNs, which play an increasingly important role, the role of IDS has not been truly reflected. The main reason is that the problem of alarm response has not been well resolved. As attack methods improve, attacks become more and more serious. This asymmetry has left work in the field of intrusion detection and response in a passive situation. In order to solve this problem, people began to use automatic or semi-automatic response
[0003] Response methods can be considered to have started with the static mapping type: attacks are classified according to certain principles, and each alarm is mapped to a pre-set, well-defined response measure. Many current intrusion response systems (IRS) are based on this response method. Static mapping intrusion response largely solves the problems of long manual response time and heavy burden, but it also has some obvious shortcomings. On the one hand, it is easily exploited by attacks; on the other hand, it does not fully consider the adaptability of intrusion response: the choice of response measures should differ with the network environment

Embodiment Construction

[0033] 1. The set of subsequent attacks of attack p

[0034]

[0035] 2. From the game situation, compute the payoff to the system and the payoff to the attacker

[0036]

[0037]

[0038] 3. Calculation of the next attack predicted by the attack system a. The loss of the system on each security scale caused by the attack p reported by the alarm

[0039]

[0040] 4. When the attacker uses a as the next attack action, the payoffs of the attacker and the system are, respectively

[0041]

[0042]

[0043] 5. Calculate the attacker's best next attack action as

[0044]

[0045] 6. Calculate the best response of the system

[0046]

[0047] 7. After the system’s best response action, the attacker’s next best response action in the whole game process is

[0048]

Abstract

The invention discloses an attack-graph-based dynamic intrusion response method, which comprises the following steps: presenting three kinds of cost for intrusion detection and response, namely operation cost, response cost and loss cost, according to an intrusion detection and response reference mode, which is an intrusion response based on attack graph (IRAG) model, and selecting a response measure on the basis of combining the three kinds of cost; defining the types of attackers, who execute attacks with certain aims, by the attackers' preferences over security scales, and describing the attack aims of the attackers by their types; establishing two information sets, an attacker information set and a system information set, wherein the attacker information set mainly comprises information obtained through the attackers' footprinting, sniffing and scanning and from the response information of the system, and the system information set comprises the alarm and log information from components in the system such as the intrusion detection system (IDS), a firewall, a host and the like; and determining the action spaces of the participating parties, wherein the system may determine a response set according to the different attack types when giving the response.
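The selection loop outlined by the embodiment steps and by the abstract, as an added Python example that is not the patent's own code. The page does not reproduce the payoff formulas, so the additive cost model, the three security scales, the attack and response names and all numbers below are assumptions constructed for illustration.

```python
# Added illustration, not the patent's code. Payoff formulas and all data are assumed.
# Attack graph (constructed): attack -> attacks that become possible after it.
GRAPH = {"scan": ["ftp_overflow", "ssh_bruteforce"],
         "ftp_overflow": ["local_privesc"],
         "ssh_bruteforce": ["local_privesc"],
         "local_privesc": []}
# Assumed loss per security scale (confidentiality, integrity, availability).
LOSS = {"ftp_overflow": (2, 6, 3),
        "ssh_bruteforce": (5, 2, 1),
        "local_privesc": (8, 8, 4)}
# Response -> (assumed response cost, attacks it blocks); "none" = take no action.
RESPONSES = {"none": (0, set()),
             "block_ftp": (3, {"ftp_overflow"}),
             "lock_accounts": (2, {"ssh_bruteforce"}),
             "isolate_host": (9, set(LOSS))}
OPERATION_COST = 1  # assumed fixed cost of detection for one round

def damage(attack, weights):
    """Loss on each scale, weighted by how much the party cares about that scale."""
    return sum(w * l for w, l in zip(weights, LOSS[attack]))

def attacker_payoff(attack, response, attacker_type):
    # Assumption: a blocked attack yields nothing for the attacker.
    return 0 if attack in RESPONSES[response][1] else damage(attack, attacker_type)

def system_payoff(attack, response, system_weights):
    # Assumption: the three costs simply add up; payoff is the negated total.
    cost, blocks = RESPONSES[response]
    loss = 0 if attack in blocks else damage(attack, system_weights)
    return -(OPERATION_COST + cost + loss)

def best_attack(p, response, attacker_type):
    """Steps 1 and 5: best successor of alarmed attack p, or None at a leaf."""
    return max(GRAPH[p], default=None,
               key=lambda a: attacker_payoff(a, response, attacker_type))

def best_response(p, attacker_type, system_weights):
    """Steps 5-7: predicted attack, system's best response, attacker's reply."""
    predicted = best_attack(p, "none", attacker_type)
    if predicted is None:  # nothing left to defend against after p
        return None, "none", None
    choice = max(RESPONSES,
                 key=lambda r: system_payoff(predicted, r, system_weights))
    return predicted, choice, best_attack(p, choice, attacker_type)

if __name__ == "__main__":
    print(best_response("scan", (0.7, 0.2, 0.1), (1, 1, 1)))  # confidentiality-seeking
    print(best_response("scan", (0.1, 0.8, 0.1), (1, 1, 1)))  # integrity-seeking
```

Changing the attacker type changes the predicted attack and therefore the chosen response, and a low enough expected loss makes taking no action the cheapest choice; a static alarm-to-response mapping can express neither.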

Description

Technical field

[0001] The invention relates to a method for network intrusion detection response.

Background technique

[0002] Since James Anderson first proposed the concept of intrusion detection in the 1980s, the intrusion detection system (IDS) has developed considerably as a component of network security. However, compared with firewalls, VPNs and other security components, which play an increasingly important role, the role of IDS has not really been reflected. The main reason is that the problem of alarm response has not been well resolved. As attack methods improve, attacks are becoming more and more automated and complex, while the current response is mainly manual. This asymmetry has left work in the field of intrusion detection and response in a passive situation. In order to solve this problem, people began to study automatic or semi-automatic response methods.

[0003] If it is considered that the static mapping response method starts first...

Application Information

Patent Type & Authority: Applications (China)
IPC(8): H04L29/06
Inventor: 石进张辰高为刘建邦潘健翔
Owner: JIANGSU NANDASOFT TECHNOLOGY COMPANY LIMITED