Chinese Journal of Computers, Full Text
  Title: A Network Attack Plan Recognition Algorithm Based on the Extended Goal Graph
  Authors: ZHUGE Jian-Wei, HAN Xin-Hui, YE Zhi-Yuan, ZOU Wei
  Address: Institute of Computer Science and Technology, Peking University, Beijing 100871
  Year: 2006
  Issue: No. 8 (1356–1366)
  Abstract & Background
Abstract: Starting from the classical plan recognition methods of artificial intelligence, and taking into account the characteristics of the attack plan recognition problem in network security operation, this paper extends the goal graph model in three ways: it introduces the observation node to distinguish the planner's actions from the recognizer's observations of those actions; it replaces the single-layer action nodes with a hierarchy of detail actions and abstract actions; and it maintains the precondition and effect relations between actions and security states at the abstract action level, according to abstract attack patterns. The result is the Extended Goal Graph (EGG) model. On this model the paper builds an attack plan recognition algorithm that correctly and efficiently recovers the hidden attack intention and plan from large volumes of low-level intrusion detection system alerts. Experiments on the DARPA 2000 intrusion scenario correlation benchmark dataset and on in-the-wild botnet scenario data captured in a honeynet show the completeness and soundness of the algorithm, as well as its advantage over alert correlation systems such as TIAA [5].
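The abstract describes four kinds of node (observations, detail actions, abstract actions, goals) joined by precondition and effect relations over security states. The following Python sketch is an added illustration of that layering, not the paper's EGG algorithm or its attack patterns: the action names, security states, alert signatures and the alert stream are all constructed here. It replays low-level alerts per target host, accepts an abstract action only when its preconditions already hold in that host's state set, adds the action's effects, and reports which goal state was reached and which alerts could not be explained by any enabled action.

```python
from dataclasses import dataclass
from typing import Dict, FrozenSet, List


@dataclass(frozen=True)
class AbstractAction:
    """Abstract-action node: the security states it requires, the states it
    establishes, and the low-level detail actions (alert signatures) that
    can realise it."""
    name: str
    preconditions: FrozenSet[str]
    effects: FrozenSet[str]
    detail_actions: FrozenSet[str]


@dataclass(frozen=True)
class Alert:
    """Observation node: the recognizer's view of one attacker action, i.e.
    one IDS alert with a timestamp, a signature and a target host."""
    ts: int
    signature: str
    target: str


# Constructed knowledge base (hypothetical patterns, not the paper's).
# Each abstract action chains to the next through a security state.
ACTIONS: List[AbstractAction] = [
    AbstractAction("recon", frozenset(), frozenset({"host_known"}),
                   frozenset({"icmp-sweep", "tcp-syn-scan"})),
    AbstractAction("probe_service", frozenset({"host_known"}),
                   frozenset({"vuln_service_known"}),
                   frozenset({"rpc-service-probe"})),
    AbstractAction("exploit", frozenset({"vuln_service_known"}),
                   frozenset({"root_access"}),
                   frozenset({"remote-overflow-attempt"})),
    AbstractAction("install_agent", frozenset({"root_access"}),
                   frozenset({"ddos_agent_ready"}),
                   frozenset({"agent-upload", "agent-exec"})),
]

# Goal nodes: a goal is reached once its security state is established.
GOALS: Dict[str, str] = {"ddos_staging": "ddos_agent_ready"}


def explain_alert(alert: Alert, actions: List[AbstractAction]) -> List[AbstractAction]:
    """Map an observation to every abstract action it could realise."""
    return [a for a in actions if alert.signature in a.detail_actions]


def recognize(alerts: List[Alert], actions=ACTIONS, goals=GOALS) -> Dict[str, dict]:
    """Replay observations per target host in time order. An abstract action
    is accepted only when its preconditions are already in that host's state
    set; its effects are then added. Alerts that fit no enabled action are
    kept as unexplained rather than forced into a plan."""
    hosts: Dict[str, dict] = {}
    for alert in sorted(alerts, key=lambda a: a.ts):
        host = hosts.setdefault(alert.target, {"states": set(), "plan": [],
                                               "unexplained": [], "goals": []})
        enabled = [a for a in explain_alert(alert, actions)
                   if a.preconditions <= host["states"]]
        if not enabled:
            host["unexplained"].append(alert)
            continue
        step = enabled[0]
        host["states"] |= step.effects
        host["plan"].append((alert.ts, step.name, alert.signature))
    for host in hosts.values():
        host["goals"] = sorted(g for g, s in goals.items() if s in host["states"])
    return hosts


# Constructed alert stream: a complete chain against h1, and a lone exploit
# alert against h2 whose precondition (a known vulnerable service) never held.
SAMPLE_ALERTS = [
    Alert(100, "icmp-sweep", "h1"),
    Alert(101, "rpc-service-probe", "h1"),
    Alert(107, "remote-overflow-attempt", "h1"),
    Alert(120, "agent-upload", "h1"),
    Alert(121, "agent-exec", "h1"),
    Alert(130, "remote-overflow-attempt", "h2"),
]


if __name__ == "__main__":
    for target, info in recognize(SAMPLE_ALERTS).items():
        print(target, "goals:", info["goals"],
              "plan:", [s[1] for s in info["plan"]],
              "unexplained:", [a.signature for a in info["unexplained"]])
```

The precondition check is what separates a recognized plan from a pile of co-located alerts: the h2 overflow alert is reported but not promoted to a plan step, because no recon or service probe established the state it depends on. A real recognizer over DARPA 2000 or honeynet data would also have to handle alternative explanations for one alert, missed observations and concurrent plans, which this sketch deliberately leaves out.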

Keywords: plan recognition; knowledge representation; alert correlation; goal graph

Background: This work is supported by the China Information Security Project "Botnet Monitor System Research based on the Honeynet Technology", under grant No.2005C32.
As is well known, botnets pose a growing threat to Internet security. This project focuses on the discovery, tracking and treatment of active botnets on the Internet using distributed honeynet technology. Recognizing and reconstructing botnet attack scenarios is essential to the project, and it is an instance of the attack plan recognition problem in the network attack and defense domain.
Building on the classical planning graph and goal graph models of artificial intelligence, and in order to cope with the complexity of the network attack and defense problem, this paper formally defines the EGG (Extended Goal Graph) model and presents an attack plan recognition algorithm based on it. Experiments on the DARPA 2000 intrusion scenario correlation benchmark dataset and on in-the-wild botnet scenario data captured in the honeynet show the completeness and soundness of the proposed algorithm. The algorithm has been implemented as the botnet scenario recognition subsystem of the botnet monitor system.
This work was carried out within The Artemis Project, initiated by the Institute of Computer Science and Technology, Peking University, which is the only Chinese member of the worldwide Honeynet Research Alliance and is known as the Chinese Honeynet Project. The research direction of The Artemis Project is the measurement, analysis and treatment of practical and serious Internet threats based on honeypot and honeynet technologies.