
ATTACK SCENARIO DETECTION BASED ON EXPERT SYSTEM

Abstract

Traditional intrusion detection systems focus only on low-level attacks and generate only isolated alerts. In practice, however, an attack is made up of a sequence of logical scenarios. As a result, it is difficult for humans to understand the alerts and take appropriate action. This paper presents a practical technique to address this issue. It proposes a rule-based hierarchical model for constructing attack scenarios and uses an expert system (CLIPS) as the engine to detect them. A concrete design method is discussed and applied to the analysis of Snort alerts. The proposed approach can detect attack scenarios in real time. The rules describe only the high-level properties of attacks and avoid describing concrete network or host information, which guarantees the generality of the method. Because a known general expert system is adopted as the detection engine, implementation becomes very easy.
