Dissertation > Excellent graduate degree dissertation topics show

Study on Method of Network Multi-stage Attack Plan Recognition

Author: WangLi
Tutor: LiZhiTang
School: Huazhong University of Science and Technology
Course: Computer System Architecture
Keywords: Network security Attack scenario construction Attack plan recognition Attack behavior sequential pattern Correlativity
CLC: TP393.08
Type: PhD thesis
Year: 2007
Downloads: 343
Quote: 6
Read: Download Dissertation


The information security industry has been very active in recent years. In order to counter security threats to computer systems and networks, many technologies have been developed and applied in security operations such as IDS, firewalls, routers. All those security application devices, whether aimed at prevention or detection of attacks, usually generate huge volumes of security audit data. Deploying information security systems can provide in-depth protection for networks. However, large volume of security data which is the output of different security sensors can overwhelm security managers and keep them from performing effective analysis and initiating timely response. Therefore, it is important to develop an advanced alert correlation system that can reduce alert redundancy, intelligently correlate security alerts and detect attack strategies.All the security event correlation methods are classified into four classes according to different problems they solve in this paper. They are aggregation correlation, cross correlation, multi-stage attack correlation, and others. Among these classes, multi-stage attack correlation methods which aim at correlating security alerts and discovering attack strategies are important correlation methods. Up to now, there have been several proposed techniques to analyze attack scenarios from security alerts. However, most of these approaches depend on complex correlation rule definition and hard-coded domain knowledge that lead to their difficult implementation and limited capabilities of detecting new attack strategies.A new multi-stage attack correlation method is proposed to solve the limitations and the problems based on the analysis of high level alerts. The technique first analyzes multi-stage attack activity patterns with attack sequential pattern mining method, then correlates the alerts which are in accord with certain attack sequential pattern using a quantitative method. The approach uses a RCI aggregation method to first aggregate the raw alerts into high level alerts. The number of the alerts reduced 95.5% after the process of RCI module during the experiment.A reformative Apriori-all algorithm MASP (Mining Attack Sequence Patterns) is also presented to mine attack sequence patterns from candidate attack sequence database. The idea of mining attack sequential patterns comes out from the observation that multi-stage attack strategy taken by the attacker usually has relatively fixed attack pattern and happens in a confined time span. Different attack activities in a multi-stage attack have their own attack sequential pattern. Series of attacker’s behaviors launched with certain intent have time consecutive association and appear in ordered sequence. The method only concerns the attack type attribute of the alerts and doesn’t rely on any correlation rules. It is easy to implement. Experiment shows the method can mine attack behaviour patterns from history database effectively and the relative execution times of MASP increases as the minimum support decreases and as attack scenario time window expands. The performance of the algorithm impoved 1.7 to 10 times higher after improvement.A new kind of tree structure APT (Attack Pattern Tree) is used to store the attack occurrence patterns mined from the history data. A new concept of correlativity is also proposed which reflects the reliability of two alerts aroused by two contextual attack behaviors occurred in certain time interval belonging to the same attack scenario. Therefore, the goal of real-time attack scenario constructing with the operation of online attack occurrence pattern matching and correlativity calculation is reached. The approaches are evaluated with DARPA 2000 data sets and live data collected from our network center. Experiments show that the approach can effectively construct attack scenarios and can accordingly predict the attack behavior 3.31 steps ahead at an average level. The detection rate reaches to 94%. Further analysis reveals that the miss detection rate is caused mainly because another two kinds of multi-stage attacks are performed during the test which did not appeare in the experiment of pattern mining. More complete history data can be collected to solve the problem and the security manager can also add new type of attack patterns manually to renew the attack sequence pattern database.

Related Dissertations

  1. The Research of Malware Detection Technology Based on Active Mode,TP393.08
  2. Topology Measurement and Security Analysis on Gnutella and eMule Network,TP393.08
  3. Research on the Correlativity for CUBS Male Athletes Trait Sport-Confidence and the Shooting Percentage,G841
  4. Region-based wireless sensor network key management scheme for research,TP212.9
  5. SX Provincial Public Security Bureau Network Security Corps Performance Evaluation Index System Design,D631.1
  6. The Research of Insurance Network Marketing of China Insurance Company,F724.6
  7. Research and Implemention of Information Security Encryption System Based on the RSA,TP309.7
  8. The Research of Attack Source Traceback in Distributed Denial-of-Service Attacks Based on VoIP,TP393.08
  9. Research on Streaming Media Detection Methods Against DoS\DDoS Attack Based on Analysis of Self-similarity,TP393.08
  10. Firewall and three switch - based campus network security policy research,TP393.08
  11. Research and Design of Secure Comunication of NVD on Demand System,TP309
  12. QH Software Services Marketing Strategy,F426.672
  13. Fast protocol identification based firewall system design and implementation,TP393.08
  14. IPsec-based remote access to corporate network systems design and implementation,TP393.08
  15. Behavior -based botnet detection method,TP393.08
  16. Based on TCP / IP, no shaft offset Remote Monitoring System Design,TP277
  17. Study browser security issues and solutions,TP393.092
  18. The Research of Security Issues in Cognitive Radio Networks,TN915.08
  19. The Design and Implementation of an Online Shopping System Based on PKI,TP393.09
  20. Zhengzhou, China Unicom office automation network security protection Strategy,TP393.08
  21. OTN networking and security technology and its applications in mobile networks in Nanjing Research,TN929.5

CLC: > Industrial Technology > Automation technology,computer technology > Computing technology,computer technology > Computer applications > Computer network > General issues > Computer Network Security
© 2012 www.DissertationTopic.Net  Mobile