Chinese Journal of Computers, Full Text
Title: A Detection Algorithm for Multi-Step Attack Based on CTPN
Authors: YAN Fen 1),2), HUANG Hao 1), YIN Xin-Chun 2)
Address: 1) State Key Laboratory for Novel Software Technology, Nanjing University, Nanjing 210093
2) Department of Computer Science and Engineering, Technology Institute, Yangzhou University, Yangzhou 225009
Year: 2006
Issue: No.8 (1383-1391)
Abstract & Background
Abstract: In fact, most attacks are not single attack actions; they are multi-step attacks composed of a set of attack actions. How to detect multi-step attacks is an important aspect of IDS research. The traditional methods of modeling attack scenarios are mainly based on specific attack actions. They need to build a large number of attack models, so the process is very complex and the models are difficult to maintain; moreover, the detection efficiency is low. In this paper, the authors analyze the shortcomings of the traditional method. Through a study of the patterns of multi-step attacks, a detection and forecasting algorithm for multi-step attacks based on intrusion intention is designed. This algorithm improves and extends the traditional attack modeling method that uses Petri nets. The authors use CTPN to model multi-step attacks and correlate alert records on that basis. The method can not only detect multi-step attacks but also forecast attacks that are about to happen. The algorithm in this paper is simpler and more practical than the earlier methods. At the same time, the experimental results prove the validity of our algorithm.
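The abstract describes modeling a multi-step attack as a Petri net whose transitions are fired by correlated alert records, so that the same model both detects a completed scenario and forecasts the next expected step. The following is an added example, not code from the paper: the paper's CTPN definition is not on this page, so the net below is a simplified coloured, timed Petri net of my own construction (tokens are coloured by attacker/victim host pair and carry the time they entered a place; each transition has a maximum time window). The place names, alert types, host addresses and time windows are all constructed for illustration.

```python
"""Simplified coloured, timed Petri-net correlation of IDS alerts.

Added illustration; the paper's own CTPN structure is not on the page, so the
net layout, alert type names, hosts and time windows here are all constructed.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Token:
    """Coloured token: which attacker/victim pair reached a stage, and when."""
    src: str
    dst: str
    t: float


@dataclass
class Transition:
    name: str      # alert type that fires this transition
    pre: str       # input place (attack stage already reached)
    post: str      # output place (stage reached after this alert)
    window: float  # max seconds allowed since the token entered `pre`


class AttackNet:
    """One attack scenario; marking maps place -> set of coloured tokens."""

    def __init__(self, start, goal, transitions):
        self.start, self.goal = start, goal
        self.transitions = transitions
        self.marking = {}

    def _add(self, place, tok):
        self.marking.setdefault(place, set()).add(tok)

    def feed(self, alert):
        """Consume one alert {type, src, dst, t}; return the events it caused."""
        events = []
        for tr in self.transitions:
            if tr.name != alert["type"]:
                continue
            if tr.pre == self.start:
                # First stage: any matching alert opens a new scenario instance.
                self._add(tr.post, Token(alert["src"], alert["dst"], alert["t"]))
                events.append(("stage", tr.post, alert["src"], alert["dst"]))
                continue
            for tok in list(self.marking.get(tr.pre, ())):
                # Colour check: same attacker/victim pair.
                # Time check: alert arrives within the transition's window.
                same_pair = tok.src == alert["src"] and tok.dst == alert["dst"]
                in_time = 0 <= alert["t"] - tok.t <= tr.window
                if same_pair and in_time:
                    self.marking[tr.pre].discard(tok)
                    self._add(tr.post, Token(tok.src, tok.dst, alert["t"]))
                    kind = "detected" if tr.post == self.goal else "stage"
                    events.append((kind, tr.post, tok.src, tok.dst))
                    break
        return events

    def forecast(self):
        """Alert types that would advance any live token: the predicted next steps."""
        nxt = {tr.name for place, toks in self.marking.items() if toks
               for tr in self.transitions if tr.pre == place}
        return sorted(nxt)


def build_net():
    """Constructed three-stage scenario: scan -> exploit attempt -> reverse shell."""
    return AttackNet(start="p0", goal="p3", transitions=[
        Transition("PORT_SCAN", "p0", "p1", window=0),
        Transition("EXPLOIT_ATTEMPT", "p1", "p2", window=600),
        Transition("REVERSE_SHELL", "p2", "p3", window=300),
    ])


# Constructed alert stream; the 10.0.0.7 alert has no preceding scan stage.
ALERTS = [
    {"type": "PORT_SCAN", "src": "10.0.0.5", "dst": "10.0.0.9", "t": 0},
    {"type": "EXPLOIT_ATTEMPT", "src": "10.0.0.5", "dst": "10.0.0.9", "t": 120},
    {"type": "EXPLOIT_ATTEMPT", "src": "10.0.0.7", "dst": "10.0.0.9", "t": 130},
    {"type": "REVERSE_SHELL", "src": "10.0.0.5", "dst": "10.0.0.9", "t": 200},
]


def run(alerts):
    """Feed alerts in time order; return [(events, forecast)] per alert."""
    net = build_net()
    return [(net.feed(a), net.forecast()) for a in alerts]


if __name__ == "__main__":
    for alert, (events, nxt) in zip(ALERTS, run(ALERTS)):
        print(alert["type"], events, "next expected:", nxt)
```

The third alert is left uncorrelated because no token with its source host exists in the exploit stage, and an exploit attempt arriving after the 600-second window would likewise not advance the scan-stage token; those two checks are what the colour and the time component of the net buy over a plain sequence match.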

Keywords: Petri net; multi-step attack; attack intention; attack detection; attack forecasting

Background: Intrusion detection is very important in the defense-in-depth network security framework and has been a hot topic in computer network security in recent years. A complete attack process is a kind of multi-step attack composed of a set of attack actions. Research on attacks themselves and on their detection methods is an important part of the security domain. Detecting multi-step attacks is very difficult because of their multistage nature and complexity. Thus, research on how to detect multi-step attacks has great significance and has become an important aspect of IDS research.
This work is supported by the project "The System of Distributed Network Monitoring and Forecasting" and the project "Research on Technologies of Active Defense, Monitoring, and Forecasting for Computer Network". The research work of these two projects mainly aims to guarantee the security of computer networks. This work is motivated by the limitations of traditional attack modeling and detection methods, which are complex and inefficient. The focus of this work is to study attacks and the method of constructing attack scenarios in the intrusion detection domain, and to explore reasonable and effective detection techniques for multi-step attacks. On the basis of many studies of multi-step attacks, attack detection, scenario modeling, attack construction and the application of Petri nets, we improve and extend the traditional methods of modeling attack scenarios based on Petri nets and attack actions. A detection and forecasting algorithm for multi-step attacks based on intrusion intention is proposed in this paper.