Conference topic

Research on Complex Attack Oriented Hierarchical Alert Correlation

A complex attack usually produces a huge number of alerts, which makes alert correlation time-consuming and the correlation results too complicated to understand. To solve these problems, a hierarchical alert correlation model based on causal correlation is proposed. The model has two alert correlation engines: a service-level correlation engine and a host-level correlation engine. At the service level, alerts are classified by destination IP, and causal correlation is carried out to reconstruct, in time order, the attack path that occurred on a single host. Causal correlation based on aggregation can improve correlation performance effectively. At the host level, the source IP and destination IP belonging to the same alert are spatially correlated to reconstruct the attack path between different hosts. Experimental results show that the hierarchical alert correlation algorithm reconstructs attack paths accurately, and the correlation results at the two levels describe the attack scenario from different perspectives, which helps to analyze attack strategies, predict attack steps and recognize the vital parts.
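A minimal illustration of the two engines, added here as an example and not code from the paper: the service-level engine aggregates repeated alerts and links them into a per-host causal chain in time order, and the host-level engine joins the source and destination IPs of successive alerts into a cross-host path. The alert types, their causal order (STAGE) and the sample alerts are assumptions made for this example.

```python
from collections import defaultdict, namedtuple

# Causal order of alert types; prerequisite stages come first (assumed for this example).
STAGE = {"scan": 0, "exploit": 1, "privilege": 2, "c2_beacon": 3}
Alert = namedtuple("Alert", "ts src dst kind")

def aggregate(alerts):
    """Merge repeated (src, dst, kind) alerts into one, keeping the earliest time and a count."""
    merged = {}
    for a in sorted(alerts, key=lambda a: a.ts):
        first, n = merged.get((a.src, a.dst, a.kind), (a, 0))
        merged[(a.src, a.dst, a.kind)] = (first, n + 1)
    return list(merged.values())

def service_level(alerts):
    """Service-level engine: per destination host, a causal chain of (kind, count) in time order."""
    by_dst = defaultdict(list)
    for a, n in aggregate(alerts):
        by_dst[a.dst].append((a, n))
    paths = {}
    for dst, items in by_dst.items():
        chain = []
        for a, n in sorted(items, key=lambda x: x[0].ts):
            # Link only alerts whose stage advances the chain; out-of-order repeats are treated as noise.
            if not chain or STAGE[a.kind] > STAGE[chain[-1][0]]:
                chain.append((a.kind, n))
        paths[dst] = chain
    return paths

def host_level(alerts, attacker):
    """Host-level engine: spatially correlate src->dst of each alert, in time order, from the attacker."""
    compromised, path = {attacker}, []
    for a in sorted(alerts, key=lambda a: a.ts):
        # A hop counts only when its source host was itself reached earlier in the scenario.
        if a.src in compromised and a.dst not in compromised:
            compromised.add(a.dst)
            path.append((a.src, a.dst))
    return path

# Constructed sample alerts: a scan burst, exploit and privilege escalation on 10.0.0.1,
# then lateral movement 10.0.0.1 -> 10.0.0.2 -> 10.0.0.3 and a bot beacon back to the attacker.
ALERTS = [Alert(1, "10.0.0.99", "10.0.0.1", "scan"), Alert(2, "10.0.0.99", "10.0.0.1", "scan"),
          Alert(3, "10.0.0.99", "10.0.0.1", "scan"), Alert(4, "10.0.0.99", "10.0.0.1", "exploit"),
          Alert(5, "10.0.0.99", "10.0.0.1", "privilege"), Alert(6, "10.0.0.1", "10.0.0.2", "scan"),
          Alert(7, "10.0.0.1", "10.0.0.2", "exploit"), Alert(8, "10.0.0.2", "10.0.0.3", "exploit"),
          Alert(9, "10.0.0.3", "10.0.0.99", "c2_beacon")]
```

Calling `service_level(ALERTS)` gives the per-host chains (three scans collapse into one aggregated step on 10.0.0.1), and `host_level(ALERTS, "10.0.0.99")` gives the cross-host path; the beacon back to 10.0.0.99 is not a new hop because that host is the starting point.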

Keywords: hierarchical alert correlation; complex attack; causal correlation; attack path; Botnet

Zhu Li-Na, Zhang Zuo-Chang, Feng Li

Department of Computer and Information Management, Guangxi University of Finance and Economics, Nanning; Center of Dependable and Secure Computing, Wuhan Digital Engineering Institute, Wuhan, China

International conference

2010 International Conference on Information Security and Artificial Intelligence (ISAI 2010)

Chengdu

English

386-390

2010-12-17 (date the record first went online on the Wanfang platform, not the paper's publication date)