Method for comprehensively analyzing and processing real-time alarms on basis of attack strategy graphs and intrusion detection system thereof

A processing method and comprehensive analysis technology, applied in transmission systems, electrical digital data processing, instruments, etc., can solve problems such as the influence of the accuracy of the correlation results, the inability to correlate the time span, and the large time span, so as to ensure the actual availability and improve the accuracy performance, improve processing efficiency

Inactive Publication Date: 2014-07-09
XIDIAN UNIV

AI Technical Summary

Problems solved by technology

Using a sliding time window improves the operating efficiency of the system, but it also introduces a problem: the system cannot correlate alarms whose time span exceeds the range of the sliding time window, and complex multi-step coordinated attacks often have a large time span.
Wang et al. proposed a queue graph-based method [Wang et al., Journal of Computer Communications, 2006]. This method only "explicitly correlates" the latest alarm corresponding to each vulnerability, which makes it efficient, but it also reduces the accuracy of the correlation results.




Embodiment Construction

[0044] The present invention will be further described in detail below in conjunction with specific embodiments, which are explanations of the present invention rather than limitations.

[0045] The real-time alarm comprehensive analysis and processing method based on the attack strategy graph of the present invention, as shown in figure 1, comprises the following steps.

[0046] Step 1, construction of the attack strategy graph.

[0047] The attack strategy graph (Attack Strategy Graph, ASG) is a directed acyclic graph, which is used in the present invention to represent prior knowledge of attacks, that is, the causal relationships between attacks. To construct the ASG, the atomic attack type is first defined in order to expand and structure the original alarm information, and then the attack strategy graph is constructed.

[0048] Definition 1, Atomic Attack Type (Atomic Attack Type, AAType). An AAType is defined as the triple (AAttack, Require, Provide).

[0049] Among them, AAttack is t...


Abstract

The invention provides a method for comprehensively analyzing and processing real-time alarms on the basis of attack strategy graphs, and an intrusion detection system using it. Splitting of attack scene graphs is effectively prevented, complete attack scene graphs can be reconstructed, subsequent attacks can be predicted, attack scenes can be fused with one another, and alarm information that can be used directly is provided accurately to analysts. The method for comprehensively analyzing and processing real-time alarms includes the following steps: (1) constructing the attack strategy graphs; (2) reconstructing attack scene graphs, inferring missing alarms or attack links deliberately omitted by an attacker, treating the inference results as inference alarms and adding them to the alarm sets to be correlated; (3) predicting subsequent attacks; (4) fusing the attack scene graphs, expressing the fused correlation records as graphs, and obtaining new attack scene graphs. The method and the intrusion detection system have the advantages that splitting of attack scene graphs is effectively prevented and analysis accuracy is improved. The intrusion detection system applies the analysis and processing method to the alarms that the system generates for security events.
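As an added illustration (not code from the patent or from XIDIAN UNIV), the following Python sketch carries steps 1 to 3 of the method described in the embodiment and the abstract above through a constructed example: atomic attack types as (AAttack, Require, Provide) triples, the ASG built as a DAG from Provide/Require overlap, inference alarms inserted for missing links, and prediction of the subsequent attack. All type names, predicate names and alarm timestamps are constructed; the recursive inference of every missing prerequisite is an assumed simplification of the patent's step 2.

```python
# Constructed atomic attack types: AAttack -> (Require, Provide). Names are illustrative.
AATYPES = {
    "PortScan":      ({"ReachableHost"}, {"OpenPort"}),
    "ServiceProbe":  ({"OpenPort"},      {"VulnService"}),
    "RemoteExploit": ({"VulnService"},   {"UserShell"}),
    "PrivEscalate":  ({"UserShell"},     {"RootShell"}),
    "DataExfil":     ({"RootShell"},     {"DataStolen"}),
}

def build_asg(aatypes):
    """Step 1: ASG edge a -> b whenever Provide(a) overlaps Require(b)."""
    succ = {a: set() for a in aatypes}
    for a, (_, prov_a) in aatypes.items():
        for b, (req_b, _) in aatypes.items():
            if a != b and prov_a & req_b:
                succ[a].add(b)
    return succ

def predecessors(asg, node):
    return {a for a, bs in asg.items() if node in bs}

def correlate(asg, alarms):
    """Steps 2 and 3: rebuild the scene graph from time-ordered alarms,
    inserting inference alarms for missing predecessor steps, then predict
    the successor steps that have not been observed yet."""
    seen = {}                      # AAType -> time it was observed or inferred
    edges, inferred = set(), []

    def ensure(node, t):           # supply missing prerequisites recursively
        for p in predecessors(asg, node):
            if p not in seen:
                inferred.append(p)  # inference alarm added to the alarm set
                seen[p] = t
                ensure(p, t)
            edges.add((p, node))

    for t, a in alarms:
        ensure(a, t)
        seen[a] = t
    predicted = {s for a in seen for s in asg[a] if s not in seen}
    return edges, inferred, predicted

# Constructed alarm stream: the probe step was skipped by the attacker or missed by the IDS.
ALARMS = [(10, "PortScan"), (95, "RemoteExploit"), (120, "PrivEscalate")]

if __name__ == "__main__":
    print(correlate(build_asg(AATYPES), ALARMS))
```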

Description

Technical field

[0001] The invention belongs to the field of alarm analysis and processing in computer network intrusion detection systems, and in particular to a real-time alarm comprehensive analysis and processing method based on an attack strategy graph, and an intrusion detection system using it.

Background technique

[0002] The Intrusion Detection System (IDS), an important tool for preventing network attacks, has become more and more widely used. Users can detect and analyze security events based on the alarms generated by the IDS. However, a traditional IDS generates a huge number of alerts, their quality and level of abstraction are low, and the alerts are isolated from each other, so security analysts find it difficult to use them directly and effectively. It is therefore very important to correlate alarms in order to reduce their number, improve their quality, and reconstruct the attack scenario.

[0003] In recent years, researchers have proposed a variety of different ...


Application Information

Patent Type & Authority: Applications (China)
IPC(8): G06F21/55, H04L29/06
CPC: G06F21/554, H04L63/1441
Inventor 李金库李龙营马建峰孙聪姜奇
Owner XIDIAN UNIV