Journal of Computer Applications ›› 2014, Vol. 34 ›› Issue (1): 108-112. DOI: 10.11772/j.issn.1001-9081.2014.01.0108

• Computer Security •

Hybrid model of alert correlation based on attack graph and alert similarity

ZHU Mengying, XU Lei

  1. School of Computer, Shenyang Aerospace University, Shenyang Liaoning 110136, China
  • Received: 2013-07-01 Revised: 2013-09-05 Online: 2014-01-01 Published: 2014-02-14
  • Contact: XU Lei
  • About the authors: ZHU Mengying (born 1989), female, from Xuchang, Henan; master's student; research interests: network and information security. XU Lei (born 1959), female, from Shanghai; professor; research interests: network and information security.

Abstract: To reveal the correlations among the alerts generated by an intrusion detection system (IDS) and to reconstruct intrusion attack scenarios, a hybrid alert correlation model based on an attack graph and alert similarity analysis is proposed. The model combines the strengths of attack-graph analysis and alert-data analysis. It first defines an initial attack graph from prior knowledge of intrusion attacks, which describes the causal relationships between alerts; it then uses similarity analysis of the alert data to repair defects in the initial attack graph, and on that basis performs alert correlation. Experimental results show that the hybrid model reconstructs attack scenarios well and can fully repair the omission of a single attack step from the attack graph.

Key words: alert correlation, intrusion scenario, attack graph, alert similarity, correlation model
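As an added illustration of the correlation idea the abstract describes (this is not the paper's algorithm or code): IDS alerts are linked along a small hand-defined attack graph of causal alert types, and when the graph expects a predecessor that no alert reported, an attribute-similarity score between the two surrounding alerts is used to bridge that single missing step. The attack graph, the alert attributes, the similarity weights, the time window and the threshold are all constructed assumptions.

```python
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

# Constructed initial attack graph (assumed for illustration, not the paper's
# graph): an edge A -> B means an alert of type B is expected to be caused by
# an earlier alert of type A.
ATTACK_GRAPH: Dict[str, List[str]] = {
    "port_scan": ["service_exploit"],
    "service_exploit": ["privilege_escalation"],
    "privilege_escalation": ["data_exfiltration"],
    "data_exfiltration": [],
}

WINDOW = 300  # seconds; alerts further apart than this are never linked (assumed)


@dataclass
class Alert:
    id: int
    kind: str   # alert type, a node of ATTACK_GRAPH
    src: str    # source host
    dst: str    # destination host
    time: int   # seconds since start of the trace


def alert_similarity(a: Alert, b: Alert) -> float:
    """Attribute similarity in [0, 1]: source match, destination match, time
    proximity. The weights are assumed, not taken from the paper."""
    score = 0.0
    if a.src == b.src:
        score += 0.3
    if a.dst == b.dst:
        score += 0.4
    score += 0.3 * max(0.0, 1.0 - abs(a.time - b.time) / WINDOW)
    return score


def predecessors(kind: str) -> List[str]:
    """Alert types that the graph lists as direct causes of `kind`."""
    return [k for k, successors in ATTACK_GRAPH.items() if kind in successors]


def correlate(alerts: List[Alert], threshold: float = 0.6) -> List[Tuple[int, int, Optional[str]]]:
    """Link each alert to the best earlier alert that explains it.

    Returns (earlier_id, later_id, inferred_step) edges. inferred_step is None
    for a direct graph edge; otherwise it names the one intermediate step the
    graph expected but no alert reported, bridged via similarity."""
    ordered = sorted(alerts, key=lambda a: a.time)
    edges: List[Tuple[int, int, Optional[str]]] = []
    for i, later in enumerate(ordered):
        direct = predecessors(later.kind)
        # one-step gap: candidate missing step -> its own predecessors
        two_back = {step: predecessors(step) for step in direct}
        best: Optional[Tuple[float, int, Optional[str]]] = None
        for earlier in ordered[:i]:
            if later.time - earlier.time > WINDOW:
                continue
            sim = alert_similarity(earlier, later)
            if sim < threshold:
                continue
            if earlier.kind in direct:
                candidate = (sim + 1.0, earlier.id, None)  # direct edges always win
            else:
                bridged = [step for step, preds in two_back.items() if earlier.kind in preds]
                if not bridged:
                    continue
                candidate = (sim, earlier.id, bridged[0])
            if best is None or candidate[0] > best[0]:
                best = candidate
        if best is not None:
            edges.append((best[1], later.id, best[2]))
    return edges


def scenario_steps(alerts: List[Alert], edges: List[Tuple[int, int, Optional[str]]]) -> List[str]:
    """Walk the edges from the chain's first alert and list the reconstructed
    attack steps, marking the ones that were inferred rather than observed."""
    by_id = {a.id: a for a in alerts}
    next_of = {src: (dst, step) for src, dst, step in edges}
    has_incoming = {dst for _, dst, _ in edges}
    roots = [src for src in next_of if src not in has_incoming]
    if not roots:
        return []
    cur = roots[0]
    steps = [by_id[cur].kind]
    while cur in next_of:
        cur, inferred = next_of[cur]
        if inferred:
            steps.append(f"{inferred} (inferred)")
        steps.append(by_id[cur].kind)
    return steps


def sample_alerts() -> List[Alert]:
    """Constructed IDS alerts: scan -> exploit -> exfiltration against 'victim'
    with the privilege_escalation alert missing, plus one unrelated scan."""
    return [
        Alert(1, "port_scan", "attacker", "victim", 0),
        Alert(2, "service_exploit", "attacker", "victim", 60),
        Alert(3, "data_exfiltration", "attacker", "victim", 200),
        Alert(4, "port_scan", "other_host", "other_target", 30),  # noise
    ]
```

Running `correlate(sample_alerts())` links alert 1 to 2 directly and alert 2 to 3 through the inferred `privilege_escalation` step, while the unrelated scan (alert 4) is left unlinked because its attribute similarity falls below the threshold; `scenario_steps` then prints the four-step chain with the missing step marked as inferred. Direct graph edges are always preferred over bridged ones, so similarity repair only fires when the graph alone cannot explain an alert.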
