Journal of Information Engineering University, 2024, Vol. 25, Issue 3: 292-297 (6 pages). DOI: 10.3969/j.issn.1671-0673.2024.03.007
An Attack Continuity Based Method for Alert Correlation and Aggregation (original title: 一种考虑攻击连续性的告警关联聚合方法)
Abstract

Existing alert correlation and aggregation methods fall short in characterizing attack motivation in depth and in exposing the internal logical relationships among alerts. To address this, the paper designs an attack-continuity-based method for alert correlation and aggregation. The original alert sequence is first filtered by source-to-destination IP pair; the continuity of neighbouring malicious requests in each sequence is then evaluated in terms of malicious payload similarity, attacker identification, attack triggering location, and weapon platform information, and the original alerts are aggregated into groups on that basis. Experiments are carried out on two different types of attack built from a range of real vulnerabilities. The results show that the proposed algorithm aggregates redundant alerts while still differentiating attack types, which supports the analysis and correlation of multi-step attacks.
Key words: advanced persistent threat detection; alert correlation; alert aggregation; attack continuity (original keywords: 高级持续性威胁检测, 告警关联, 告警聚合, 恶意连续性)
Classification: Information Technology and Security Science
Citation: 王文博 (Wang Wenbo), 马海龙 (Ma Hailong), 韩伟涛 (Han Weitao), 王程禹 (Wang Chengyu). 一种考虑攻击连续性的告警关联聚合方法 [J]. 信息工程大学学报, 2024, 25(3): 292-297.
Funding: National Natural Science Foundation of China (62176214)
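The pipeline the abstract describes (partition alerts by source and destination IP, score each pair of neighbouring alerts on the four continuity features, cut the sequence into groups wherever continuity drops) can be illustrated with a small Python model. This is an added example, not the authors' implementation: the paper's actual similarity measures, weights and threshold are not given on this page, so `payload_similarity` (a difflib ratio used as a stand-in), `WEIGHTS`, `THRESHOLD`, the `Alert` fields and the sample alerts in `ALERTS` are all assumptions made here.

```python
"""Toy alert aggregation driven by attack continuity between neighbouring alerts.

Assumptions (not from the paper): alerts are partitioned per (source IP,
destination IP) pair, neighbouring alerts in each pair are scored on four
features -- payload similarity, attacker identifier, triggering location and
weapon-platform (tool) fingerprint -- and a weighted sum at or above a threshold
keeps them in the same group. Weights, threshold and the sample alerts below are
constructed for illustration only.
"""
from collections import defaultdict
from dataclasses import dataclass
from difflib import SequenceMatcher


@dataclass(frozen=True)
class Alert:
    ts: float          # time the alert was raised
    src: str           # attacker (source) IP
    dst: str           # victim (destination) IP
    payload: str       # malicious payload extracted from the request
    attacker_id: str   # attacker identification, e.g. session cookie / client fingerprint
    location: str      # attack triggering location: endpoint and parameter that was hit
    tool: str          # weapon platform information, e.g. the tool's User-Agent


# Assumed weights for the four continuity features; they sum to 1.0.
WEIGHTS = {"payload": 0.4, "attacker": 0.2, "location": 0.2, "tool": 0.2}
# Assumed cut-off: same attacker + location + tool (0.6) is always continuous,
# so payload similarity decides only when one of those three changes.
THRESHOLD = 0.6


def payload_similarity(a: str, b: str) -> float:
    """Similarity of two payload strings in [0, 1] (difflib ratio as a stand-in)."""
    return SequenceMatcher(None, a, b).ratio()


def continuity_score(prev: Alert, cur: Alert, weights=WEIGHTS) -> float:
    """Weighted continuity between two neighbouring alerts of the same src->dst pair."""
    return (weights["payload"] * payload_similarity(prev.payload, cur.payload)
            + weights["attacker"] * (prev.attacker_id == cur.attacker_id)
            + weights["location"] * (prev.location == cur.location)
            + weights["tool"] * (prev.tool == cur.tool))


def aggregate(alerts, threshold=THRESHOLD, weights=WEIGHTS):
    """Partition by (src, dst), sort by time, and cut wherever continuity drops."""
    flows = defaultdict(list)
    for alert in alerts:
        flows[(alert.src, alert.dst)].append(alert)
    groups = []
    for seq in flows.values():
        seq.sort(key=lambda a: a.ts)
        group = [seq[0]]
        for prev, cur in zip(seq, seq[1:]):
            if continuity_score(prev, cur, weights) >= threshold:
                group.append(cur)
            else:
                groups.append(group)
                group = [cur]
        groups.append(group)
    return groups


def summarize(group):
    """Compact view of one aggregated group: redundant alerts collapse to one row."""
    first = group[0]
    return {
        "src": first.src, "dst": first.dst, "count": len(group),
        "start": first.ts, "end": group[-1].ts,
        "tools": sorted({a.tool for a in group}),
        "locations": sorted({a.location for a in group}),
    }


# Constructed sample alerts: an SQL-injection probe that moves from the `id`
# to the `user` parameter, a later path-traversal scan from the same source
# with a different tool, and an unrelated XSS probe from another source.
ALERTS = [
    Alert(1.0, "10.0.0.5", "192.168.1.10", "id=1' OR 1=1--", "sess-a1", "/item?id", "sqlmap/1.7"),
    Alert(2.0, "10.0.0.5", "192.168.1.10", "id=1' OR 1=1 -- ", "sess-a1", "/item?id", "sqlmap/1.7"),
    Alert(3.0, "10.0.0.5", "192.168.1.10", "id=1' UNION SELECT 1,2--", "sess-a1", "/item?id", "sqlmap/1.7"),
    Alert(4.0, "10.0.0.5", "192.168.1.10", "user=x' UNION SELECT 1,2,3--", "sess-a1", "/profile?user", "sqlmap/1.7"),
    Alert(9.0, "10.0.0.5", "192.168.1.10", "file=../../../../etc/passwd", "sess-b7", "/download?file", "Nikto/2.1"),
    Alert(1.5, "10.0.0.9", "192.168.1.10", "q=<script>alert(1)</script>", "sess-c3", "/search?q", "Mozilla/5.0"),
]

if __name__ == "__main__":
    for g in aggregate(ALERTS):
        print(summarize(g))
```

With these weights an alert that keeps the same attacker, triggering location and tool always continues the group, so payload similarity only decides the case where one of those changes, as when the injection moves from the `id` to the `user` parameter (the shared `' UNION SELECT 1,2` fragment keeps it in the group). The later path-traversal hits from the same host with a different session and tool fall below the threshold and start a new group, so the two attack types stay distinct while the repeated probes collapse into a single summary row.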