Abstract
Recognizing attack intention is crucial for security analysis. In recent years, a number of methods for attack intention recognition have been proposed. However, most of these techniques mainly focus on the alerts of an intrusion detection system and use algorithms of low efficiency that mine frequent attack patterns without reconstructing attack paths. In this paper, a novel and effective method is proposed, which integrates several techniques to identify attack intentions. Using this method, a Bayesian-based attack scenario is constructed, where frequent attack patterns are identified using an efficient data-mining algorithm based on frequent patterns. Subsequently, attack paths are rebuilt by recorrelating frequent attack patterns mined in the scenario. The experimental results demonstrate the capability of our method in rebuilding attack paths, recognizing attack intentions as well as in saving system resources. Specifically, to the best of our knowledge, the proposed method is the first to correlate complementary intrusion evidence with frequent pattern mining techniques based on the FP-Growth algorithm to rebuild attack paths and to recognize attack intentions.
Similar content being viewed by others
References
Yi P, Xing H, Wu Y, Cai J. Alert correlation through results tracing back to reasons. In: Proceedings of the 2009 International Conference on Communications and Mobile Computing. Kunming, 2009, 465–469
Ning P, Xu D, Healey C, Amant R. Building attack scenarios through integration of complementary alert correlation methods. In: Proceedings of the 11th Annual Network and Distributed System Security Symposium. 2004, 97–111
Soleimani M, Ghorbani A. Critical episode mining in intrusion detection alerts. In: Proceedings of the 6th Communication Networks and Services Research Conference, Halifax, 2008, 157–164
Wang L, Li Z, Li D, Lei J. Attack scenario construction with a new sequential mining technique. In: 8th ACIS International Conference on Software Engineering, Artificial Intelligence, Networking, and Parallel/Distributed Computing. 2007, 53–87
Agrawal R, Srikant R. Fast Algorithms for Mining Association Rules. IBM Alamnden Research Center. 1994
Han J, Pei J, Yin Y, Mao R. Mining frequent patterns without candidate generation: A frequent-pattern tree approach. Data Mining and Knowledge Discovery, 2004, 8(1): 53–87
Pei J, Han J, Wang W. Constraint-based sequential pattern mining: the pattern-growth methods. Journal of Intelligent Information Systems, 2007, 28(2): 133–160
Cuppens F, Miege A. Alert correlation in a cooperative intrusion detection framework. In: Proceedings of the 2002 IEEE Symposium on Security and Privacy. 2002, 202–215
Xiao S, Zhang Y, Liu X, Gao J. Alert fusion based on cluster and correlation analysis. In: Proceedings of International Conference on Convergence and Hybrid Information Technology 2008. Gyeongbuk S. Korea, 2008, 163–168
Yusof R, Selamat S R, Sahib S. Intrusion alert correlation technique analysis for heterogeneous log. IJCSNS International Journal of Computer Science and Network Security, 2008, 8(9), 132–138
Long W, Xin Y, Yang Y. Vulnerabilities analyzing model for alert correlation in distributed environment. In: Proceedings of the 2009 IITA International Conference on Services Science, Management and Engineering. Zhangjiajie, 2009, 408–411
Liu Z, Wang C, Chen S. Correlating multi-step attack and constructing attack scenarios based on attack pattern modeling. In: Proceedings of the International Conference on Information Security and Assurance. Busan, 2008, 214–219
Xu M, Wu T, Tang J. An IDS alert fusion approach based on happened before relation. In: Proceedings of 4th International Conference on Wireless Communications, Networking and Mobile Computing. Dalian, 2008, 1–4
Yi P, Xing H, Wu Y, Li L. Alert correlation by a retrospective method. In: Proceedings of the 23rd international conference on Information Networking. Chiang Mai, 2009, 380–382
Li Z, Lei J, Wang L, Li D. A Data mining approach to generating network attack graph for intrusion prediction. In: Proceedings of 4th International Conference on Fuzzy Systems and Knowledge Discovery. Haikou, 2007, 307–311
Li Z, Zhang A, Lei J, Wang L. Real-time correlation of network security alerts. In: Proceedings of IEEE International Conference on e-Business Engineering. 2007, 73–80
Li W, Tian S. Preprocessor of intrusion alerts correlation based on ontology. In: Proceedings of 2009 International Conference on Communications and Mobile Computing. Kunming, 2009, 460–464
Qin X, Lee W. Attack plan recognition and prediction using causal networks. In: Proceedings of the 20th Annual Computer Security Applications Conference. 2004, 370–379
Qin X, Lee W. Statistical causality analysis of INFOSEC alert data. In: Proceedings of the 6th International Symposium on Recent Advances in Intrusion Detection. 2003, 73–93
Ou X, Govindavajhala S, Appel A. MulVAL: A logic-based network security analyzer. In: 14th USENIX Security Symposium. Society for Industrial and Applied Mathematics. 2005, 8–8
Ou X. Logic-programming approach to network security analysis. PhD thesis. Department of Computer Science. Princeton University. 2005
Mei H, Gong J. Intrusion alert correlation based on D-S evidence theory. In: Proceedings of 2nd International Conference on IEEE Communications and Networking in China. Shanghai, 2007, 377–381
Hofmann A, Dedinski I, Sick B, deMeer H. A novelty-driven approach to intrusion alert correlation based on distributed hash tables. In: Proceedings of 12th IEEE Symposium on Computer and Communications. Averio Portugal, 2007, 71–78
Pei J, Han J, Lu H, Nishio S, Tang S, Yang D. H-mine: hyperstructure mining of frequent patterns in large database. In: Proceedings of 1st IEEE International Conference on Data Mining. 2001, 441–448
Zhai Y, Ning P, Iyer P, Reeves D. Reasoning about complementary intrusion evidence. In: Proceedings of the 20th annual Computer Security Applications Conference. 2004, 39–48
Author information
Authors and Affiliations
Corresponding author
Rights and permissions
About this article
Cite this article
Bai, H., Wang, K., Hu, C. et al. Boosting performance in attack intention recognition by integrating multiple techniques. Front. Comput. Sci. China 5, 109–118 (2011). https://doi.org/10.1007/s11704-010-0321-y
Received:
Accepted:
Published:
Issue Date:
DOI: https://doi.org/10.1007/s11704-010-0321-y