Identifying attacking process based on Attack State Transition Graph

摘要

To defend against multi-step intrusions in networks, efficient methods are needed to correlate isolated alerts into attack scenarios so as to identify intruding process. In this paper a model for network safety analysis is proposed which is defined as Attack State Transition Graph (ASTG). The model is given a formalized description based on Expanded Finite-State Automata (EFSA). Based on ASTG all the possible paths to the target are found. Thus ASTG indicates attacker's intruding process and state transformation and so that it can be used to analyse attack situation and further to evaluate network risk. The algorithms for generating ASTG and searching paths are also provided. Finally a simulation experiment is used to verify availability and validity of this model and illustrates its advantage by comparing with two other models.