A Causal Knowledge Mining Method Based on the Markov Property
Cite this article: Feng Xuewei, Wang Dongxia, Huang Minhuan, Li Jin. A Causal Knowledge Mining Method Based on the Markov Property [J]. Journal of Computer Research and Development, 2014, 51(11): 2493-2504.
Authors: Feng Xuewei  Wang Dongxia  Huang Minhuan  Li Jin
Affiliation: 1. (National Key Laboratory of Science and Technology on Information System Security, Beijing Institute of System Engineering, Beijing 100101) (brafum@yeah.net)
Abstract: An attacker's penetration and compromise of target network facilities is usually gradual, with the final goal reached by carrying out multiple attack steps; grasping the full picture of the attack activity and reconstructing the attack scenario is one of the main difficulties faced by many research fields, such as network security situation awareness. Alert correlation analysis based on causal knowledge is one of the main methods of complex event processing (CEP) technology, and it offers a sound technical route for identifying multi-step attack processes and reconstructing attack scenarios. To address the problem that causal knowledge for alert correlation analysis is difficult to obtain automatically, a causal knowledge mining method based on the Markov property is proposed. The method models causal knowledge with a Markov chain and takes raw alert streams from a real network as its data source: first, address-related alert events are clustered to obtain correlation clusters; then, using the memorylessness of the Markov chain, the one-step transition probability matrix between different attack types within each cluster is mined to obtain causal knowledge, and causal knowledge items that share repeated steps are matched and fused to build a causal knowledge base; finally, the proposed mining method is validated experimentally and compared with other approaches. The results show that the method is feasible.

Keywords: intrusion detection  alert correlation  causal knowledge  data mining  attack scenario

A Mining Approach for Causal Knowledge in Alert Correlating Based on the Markov Property
Feng Xuewei,Wang Dongxia,Huang Minhuan,Li Jin.A Mining Approach for Causal Knowledge in Alert Correlating Based on the Markov Property[J].Journal of Computer Research and Development,2014,51(11):2493-2504.
Authors:Feng Xuewei  Wang Dongxia  Huang Minhuan  Li Jin
Affiliation:1.(National Key Laboratory of Science and Technology on Information System Security, Beijing Institute of System Engineering, Beijing 100101)
Abstract: The processes of attackers exploiting target network facilities are always gradual in cyberspace, and multiple attack steps are performed in order to achieve the ultimate goal. How to form the complete picture of attacks or identify the attack scenarios is one of the main challenges in many research fields, such as cyberspace security situation awareness. Alert correlation analysis based on causal knowledge is one of the main methods of complex event processing (CEP) technology, and it is a promising way to identify the multi-step attack process and reconstruct attack scenarios. Current research suffers from the problem of defining causal knowledge manually. In order to solve this problem, a causal knowledge mining method based on the Markov property is proposed in this paper. Firstly, the raw alert streams are clustered by address to produce alert cluster sets; then the one-step transition probability matrix between different attack types in each cluster set is mined based on the Markov property, and the knowledge with the same steps is fused; finally the knowledge base is created. The experimental results show that this method is feasible.
Keywords:intrusion detection  alert correlation  causal knowledge  data mining  attack scenario
This article is indexed in databases including CNKI and Wanfang Data.