Published in the Chinese journal 《兵工自动化》 (Ordnance Industry Automation).

Research on a Multi-Step Attack Mining Algorithm Based on Sequence Patterns


Abstract

Multi-step attacks hidden in fused alert data from multiple heterogeneous network sources are hard to discover. To address this, the paper proposes a mining model based on frequent alert sequence patterns. Alert data are partitioned with a dynamic time window, converting IDS and firewall alerts into alert sequences. An attack sequence set is then built from the similarity between alert sequences, and the attribute information of two attack sequences is used to judge whether a preceding and a following step belong to the same attack scenario. Experimental results show that, without hand-written correlation rules or stored prior knowledge, the model automatically provides the user with a range for the minimum support, improves the accuracy of the correlation algorithm, and successfully discovers multi-step attacks.
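The pipeline the abstract describes, as an added worked example that is not the paper's code or data: alerts are split into density-driven windows, each window becomes a sequence of signature names, sequences are grouped by longest-common-subsequence similarity into an attack sequence set, ordered step pairs are counted for support, a minimum-support range is suggested from the widest gap in the observed support distribution, and frequent pairs are confirmed only when the two alerts' IP attributes actually link the steps. Every concrete definition here (the gap-based window rule, LCS similarity, 2-step patterns, the widest-gap heuristic, the IP linkage test), the helper names, and the alert feed are assumptions, since the abstract names the stages but not their definitions.

```python
"""Toy instantiation of the alert-sequence mining pipeline described in the abstract.
Added example, not the paper's code: the concrete choices (gap-based dynamic windows,
LCS similarity, 2-step sequential patterns, IP-based attribute check, widest-gap
support heuristic) are assumptions, since the abstract does not give the definitions."""
from collections import Counter
from dataclasses import dataclass
from itertools import combinations


@dataclass(frozen=True)
class Alert:
    ts: float      # seconds since start of the capture
    src: str
    dst: str
    sig: str       # normalised signature name from the IDS or firewall
    sensor: str    # "ids" or "fw"


# Constructed sample fusion feed (not real data): the same scan -> exploit -> callback
# campaign against three hosts, one unrelated noise window, and a scan/exploit pair
# whose two steps hit different hosts (frequent, but not attribute-linked).
ALERTS = sorted([
    Alert(0, "10.0.0.5", "10.0.1.10", "PORT_SCAN", "ids"),
    Alert(8, "10.0.0.5", "10.0.1.10", "SMB_EXPLOIT", "ids"),
    Alert(15, "10.0.1.10", "10.0.0.5", "FW_OUTBOUND_4444", "fw"),
    Alert(400, "10.0.0.7", "10.0.1.22", "PORT_SCAN", "ids"),
    Alert(411, "10.0.0.7", "10.0.1.22", "SMB_EXPLOIT", "ids"),
    Alert(420, "10.0.1.22", "10.0.0.7", "FW_OUTBOUND_4444", "fw"),
    Alert(800, "10.0.0.8", "10.0.1.33", "PORT_SCAN", "ids"),
    Alert(812, "10.0.0.8", "10.0.1.33", "SMB_EXPLOIT", "ids"),
    Alert(819, "10.0.1.33", "10.0.0.8", "FW_OUTBOUND_4444", "fw"),
    Alert(1200, "10.0.2.1", "10.0.1.30", "ICMP_SWEEP", "ids"),
    Alert(1205, "10.0.1.30", "10.0.3.3", "DNS_ANOMALY", "ids"),
    Alert(1500, "10.0.0.9", "10.0.1.40", "PORT_SCAN", "ids"),
    Alert(1510, "10.0.0.9", "10.0.1.41", "SMB_EXPLOIT", "ids"),
], key=lambda a: a.ts)


def dynamic_windows(alerts, gap=60.0, max_span=600.0):
    """Assumed 'dynamic' window: it grows while alerts keep arriving within `gap`
    seconds of the previous one and its total span stays under `max_span`."""
    windows, cur = [], []
    for a in alerts:
        if cur and (a.ts - cur[-1].ts > gap or a.ts - cur[0].ts > max_span):
            windows.append(cur)
            cur = []
        cur.append(a)
    if cur:
        windows.append(cur)
    return windows


def to_sequence(window):
    """Alert sequence = time-ordered signature names with consecutive repeats collapsed."""
    seq = []
    for a in window:
        if not seq or seq[-1] != a.sig:
            seq.append(a.sig)
    return tuple(seq)


def lcs_len(a, b):
    """Classic O(len(a)*len(b)) longest-common-subsequence length."""
    dp = [[0] * (len(b) + 1) for _ in range(len(a) + 1)]
    for i, x in enumerate(a, 1):
        for j, y in enumerate(b, 1):
            dp[i][j] = dp[i - 1][j - 1] + 1 if x == y else max(dp[i - 1][j], dp[i][j - 1])
    return dp[-1][-1]


def similarity(a, b):
    """Assumed sequence similarity: LCS length normalised by the longer sequence."""
    return lcs_len(a, b) / max(len(a), len(b))


def attack_sequence_set(seqs, threshold=0.6):
    """Greedy grouping: a sequence joins the first group whose representative is at
    least `threshold` similar to it, otherwise it starts a new group."""
    groups = []
    for s in seqs:
        for g in groups:
            if similarity(g[0], s) >= threshold:
                g.append(s)
                break
        else:
            groups.append([s])
    return groups


def step_pair_support(seqs):
    """Support of each ordered step pair (x before y) = fraction of sequences containing it."""
    cnt = Counter()
    for s in seqs:
        cnt.update(set(combinations(s, 2)))   # combinations keep the sequence order
    return {p: c / len(seqs) for p, c in cnt.items()}


def suggest_min_support(supports):
    """Assumed heuristic for the 'automatic minimum-support range': the widest gap in
    the observed support values, so the user picks a threshold between the highest
    noise support (lo) and the lowest recurring-pattern support (hi)."""
    vals = sorted(set(supports.values()))
    if len(vals) < 2:
        return (vals[0], vals[0]) if vals else (0.0, 0.0)
    return max(zip(vals, vals[1:]), key=lambda p: p[1] - p[0])


def attribute_linked(a, b):
    """Assumed attribute test on two alerts: the later step must touch the earlier
    step's target, either as the same victim or as that victim now acting as source."""
    return b.ts >= a.ts and (a.dst == b.dst or a.dst == b.src)


def chain_steps(pairs):
    """Order the steps of confirmed (earlier, later) pairs by predecessor count."""
    indeg = Counter({s: 0 for p in pairs for s in p})
    for _, later in pairs:
        indeg[later] += 1
    return sorted(indeg, key=indeg.get)


def mine_multistep(alerts, min_support):
    """Windows -> sequences -> frequent step pairs -> attribute-confirmed pairs -> scenario."""
    windows = dynamic_windows(alerts)
    supports = step_pair_support([to_sequence(w) for w in windows])
    frequent = {p for p, s in supports.items() if s >= min_support}
    confirmed = Counter()
    for w in windows:
        for a, b in combinations(w, 2):   # pairs keep window (time) order
            if (a.sig, b.sig) in frequent and attribute_linked(a, b):
                confirmed[(a.sig, b.sig)] += 1
    return confirmed, chain_steps(confirmed)


if __name__ == "__main__":
    sup = step_pair_support([to_sequence(w) for w in dynamic_windows(ALERTS)])
    print("suggested min-support range:", suggest_min_support(sup))
    print(mine_multistep(ALERTS, min_support=0.5))
```

On the constructed feed the scan/exploit pair is frequent in four of five windows, but the attribute check rejects the fifth occurrence because its two alerts target different hosts, so the confirmed scenario is built from the three genuine campaigns only.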
