Frontiers of Computer Science

ISSN 2095-2228

ISSN 2095-2236(Online)

CN 10-1014/TP

Postal Subscription Code 80-970

2018 Impact Factor: 1.129

Front Comput Sci Chin    2011, Vol. 5 Issue (1) : 109-118    https://doi.org/10.1007/s11704-010-0321-y
RESEARCH ARTICLE
Boosting performance in attack intention recognition by integrating multiple techniques
Hao BAI 1, Kunsheng WANG 2, Changzhen HU 1, Gang ZHANG 2, Xiaochuan JING 2
1. School of Computer Science and Technology, Beijing Institute of Technology, Beijing 100081, China; 2. China Aerospace Engineering Consultation Center, Beijing 100048, China
Abstract

Recognizing attack intention is crucial for security analysis. In recent years, a number of methods for attack intention recognition have been proposed. However, most of these techniques focus mainly on the alerts of an intrusion detection system and rely on low-efficiency algorithms that mine frequent attack patterns without reconstructing attack paths. In this paper, a novel and effective method is proposed that integrates several techniques to identify attack intentions. Using this method, a Bayesian-based attack scenario is constructed, in which frequent attack patterns are identified with an efficient frequent-pattern data-mining algorithm. Attack paths are then rebuilt by re-correlating the frequent attack patterns mined from the scenario. The experimental results demonstrate the capability of our method to rebuild attack paths and recognize attack intentions while saving system resources. Specifically, to the best of our knowledge, the proposed method is the first to correlate complementary intrusion evidence with frequent pattern mining based on the FP-Growth algorithm in order to rebuild attack paths and recognize attack intentions.

Keywords: attack path; attack intention; compensatory intrusion evidence; FP-Growth
Corresponding Author(s): BAI Hao, Email: david_xiaobai@126.com
Issue Date: 05 March 2011
Cite this article:
Changzhen HU, Gang ZHANG, Xiaochuan JING, et al. Boosting performance in attack intention recognition by integrating multiple techniques[J]. Front Comput Sci Chin, 2011, 5(1): 109-118.
URL:
https://academic.hep.com.cn/fcs/EN/10.1007/s11704-010-0321-y
https://academic.hep.com.cn/fcs/EN/Y2011/V5/I1/109
Fig.1  Implementation of techniques
Fig.2  Algorithm to mine frequent attack pattern
Fig.3  Algorithm to rebuild attack path
Fig.4  Attack scenario
Fig.5  Attack path
Tab.1  Frequent attack patterns generated by Algorithm 1 and SATA []

Running time/h | Number of alerts | Number of frequent attack patterns
               |                  | Algorithm 1 | SATA
2              | 10973            | 1819        | 2160
4              | 50176            | 8321        | 9891
8              | 114309           | 18947       | 22546
16             | 320417           | 51596       | 63448
24             | 587410           | 95513       | 115632

Tab.2  Time consumed by Algorithm 1 and SATA []

Running time/h | Number of alerts | Time consumed/h
               |                  | Algorithm 1 | SATA
2              | 10973            | 1.86        | 1.92
4              | 50176            | 4.59        | 4.75
8              | 114309           | 8.73        | 10.89
16             | 320417           | 22.45       | 25.61
24             | 587410           | 51.32       | 56.16

Tab.3  Number of attack paths generated by Algorithm 2 and SATA []

Number of alerts | Number of attack paths
                 | After sorting | After correlating | After pruning | SATA
10973            | 1819          | 1655              | 1457          | 2160
50176            | 8321          | 7648              | 6573          | 9891
114309           | 18947         | 17052             | 16447         | 22546
320417           | 51596         | 46952             | 45309         | 63448
587410           | 95513         | 88827             | 87348         | 115632
1 Yi P, Xing H, Wu Y, Cai J. Alert correlation through results tracing back to reasons. In: Proceedings of the 2009 International Conference on Communications and Mobile Computing. Kunming, 2009, 465–469
2 Ning P, Xu D, Healey C, Amant R. Building attack scenarios through integration of complementary alert correlation methods. In: Proceedings of the 11th Annual Network and Distributed System Security Symposium. 2004, 97–111
3 Soleimani M, Ghorbani A. Critical episode mining in intrusion detection alerts. In: Proceedings of the 6th Communication Networks and Services Research Conference. Halifax, 2008, 157–164. doi: 10.1109/CNSR.2008.62
4 Wang L, Li Z, Li D, Lei J. Attack scenario construction with a new sequential mining technique. In: 8th ACIS International Conference on Software Engineering, Artificial Intelligence, Networking, and Parallel/Distributed Computing. 2007, 53–87
5 Agrawal R, Srikant R. Fast Algorithms for Mining Association Rules. IBM Almaden Research Center. 1994
6 Han J, Pei J, Yin Y, Mao R. Mining frequent patterns without candidate generation: A frequent-pattern tree approach. Data Mining and Knowledge Discovery, 2004, 8(1): 53–87. doi: 10.1023/B:DAMI.0000005258.31418.83
7 Pei J, Han J, Wang W. Constraint-based sequential pattern mining: the pattern-growth methods. Journal of Intelligent Information Systems, 2007, 28(2): 133–160. doi: 10.1007/s10844-006-0006-z
8 Cuppens F, Miege A. Alert correlation in a cooperative intrusion detection framework. In: Proceedings of the 2002 IEEE Symposium on Security and Privacy. 2002, 202–215. doi: 10.1109/SECPRI.2002.1004372
9 Xiao S, Zhang Y, Liu X, Gao J. Alert fusion based on cluster and correlation analysis. In: Proceedings of the International Conference on Convergence and Hybrid Information Technology 2008. Gyeongbuk, South Korea, 2008, 163–168
10 Yusof R, Selamat S R, Sahib S. Intrusion alert correlation technique analysis for heterogeneous log. IJCSNS International Journal of Computer Science and Network Security, 2008, 8(9): 132–138
11 Long W, Xin Y, Yang Y. Vulnerabilities analyzing model for alert correlation in distributed environment. In: Proceedings of the 2009 IITA International Conference on Services Science, Management and Engineering. Zhangjiajie, 2009, 408–411
12 Liu Z, Wang C, Chen S. Correlating multi-step attack and constructing attack scenarios based on attack pattern modeling. In: Proceedings of the International Conference on Information Security and Assurance. Busan, 2008, 214–219
13 Xu M, Wu T, Tang J. An IDS alert fusion approach based on happened before relation. In: Proceedings of the 4th International Conference on Wireless Communications, Networking and Mobile Computing. Dalian, 2008, 1–4. doi: 10.1109/WiCom.2008.2937
14 Yi P, Xing H, Wu Y, Li L. Alert correlation by a retrospective method. In: Proceedings of the 23rd International Conference on Information Networking. Chiang Mai, 2009, 380–382
15 Li Z, Lei J, Wang L, Li D. A data mining approach to generating network attack graph for intrusion prediction. In: Proceedings of the 4th International Conference on Fuzzy Systems and Knowledge Discovery. Haikou, 2007, 307–311
16 Li Z, Zhang A, Lei J, Wang L. Real-time correlation of network security alerts. In: Proceedings of the IEEE International Conference on e-Business Engineering. 2007, 73–80
17 Li W, Tian S. Preprocessor of intrusion alerts correlation based on ontology. In: Proceedings of the 2009 International Conference on Communications and Mobile Computing. Kunming, 2009, 460–464. doi: 10.1109/CMC.2009.63
18 Qin X, Lee W. Attack plan recognition and prediction using causal networks. In: Proceedings of the 20th Annual Computer Security Applications Conference. 2004, 370–379
19 Qin X, Lee W. Statistical causality analysis of INFOSEC alert data. In: Proceedings of the 6th International Symposium on Recent Advances in Intrusion Detection. 2003, 73–93. doi: 10.1007/978-3-540-45248-5_5
20 Ou X, Govindavajhala S, Appel A. MulVAL: A logic-based network security analyzer. In: 14th USENIX Security Symposium. Society for Industrial and Applied Mathematics. 2005, 8–8
21 Ou X. Logic-programming approach to network security analysis. PhD thesis. Department of Computer Science, Princeton University. 2005
22 Mei H, Gong J. Intrusion alert correlation based on D-S evidence theory. In: Proceedings of the 2nd International Conference on IEEE Communications and Networking in China. Shanghai, 2007, 377–381
23 Hofmann A, Dedinski I, Sick B, de Meer H. A novelty-driven approach to intrusion alert correlation based on distributed hash tables. In: Proceedings of the 12th IEEE Symposium on Computers and Communications. Aveiro, Portugal, 2007, 71–78
24 Pei J, Han J, Lu H, Nishio S, Tang S, Yang D. H-mine: hyper-structure mining of frequent patterns in large databases. In: Proceedings of the 1st IEEE International Conference on Data Mining. 2001, 441–448
25 Zhai Y, Ning P, Iyer P, Reeves D. Reasoning about complementary intrusion evidence. In: Proceedings of the 20th Annual Computer Security Applications Conference. 2004, 39–48