An Attack Continuity Based Method for Alert Correlation and Aggregation (original Chinese title: 一种考虑攻击连续性的告警关联聚合方法)
Abstract: Existing alert correlation and aggregation methods fall short in characterizing attack intent in depth and in mining the internal logical relationships among alerts. To address this problem, an attack-continuity-based method for alert correlation and aggregation is designed. The method first filters the raw alert sequence by source IP to destination IP pair, then evaluates the continuity of adjacent malicious requests from four aspects: attack payload similarity, attacker identity information, attack trigger location, and weapon (tool) platform information. The initial alerts are aggregated into groups on that basis. Two different types of attack experiments are carried out in scenarios built from a variety of real vulnerabilities. The results show that the proposed algorithm distinguishes attack types while aggregating redundant alerts, which supports the analysis and correlation of multi-step attacks.
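The abstract describes the pipeline only at a high level: split alerts per source-to-destination flow, score the continuity of each adjacent pair on four aspects, and cut the sequence into groups where the score drops. The following is an added illustrative implementation written for this page; it is not the paper's code, and the concrete feature definitions (query-string similarity via `difflib`, session cookie as identity, URL path as trigger location, the User-Agent product token as tool platform), the weights, the threshold and the sample alerts are all assumptions made here.

```python
"""Illustrative attack-continuity aggregation of web alerts.

Added example, not the paper's implementation. The four continuity aspects
come from the paper's abstract; how each is measured, the weights and the
threshold are assumptions of this example.
"""
from collections import defaultdict
from difflib import SequenceMatcher
from urllib.parse import urlsplit

# Constructed sample alerts (not from the paper). One src->dst flow carries a
# three-request SQL injection probe followed by a two-request path-traversal
# scan from a different tool; a second source sends a single request.
ALERTS = [
    {"ts": 1, "src": "10.0.0.5", "dst": "10.0.1.20", "uri": "/login.php?id=1'",
     "ua": "sqlmap/1.7", "cookie": "s=abc"},
    {"ts": 2, "src": "10.0.0.5", "dst": "10.0.1.20", "uri": "/login.php?id=1' AND 1=1--",
     "ua": "sqlmap/1.7", "cookie": "s=abc"},
    {"ts": 3, "src": "10.0.0.5", "dst": "10.0.1.20", "uri": "/login.php?id=1' UNION SELECT 1,2--",
     "ua": "sqlmap/1.7", "cookie": "s=abc"},
    {"ts": 4, "src": "10.0.0.5", "dst": "10.0.1.20", "uri": "/download.php?file=../../etc/passwd",
     "ua": "Nikto/2.1.6", "cookie": ""},
    {"ts": 5, "src": "10.0.0.5", "dst": "10.0.1.20", "uri": "/download.php?file=..%2f..%2fetc%2fpasswd",
     "ua": "Nikto/2.1.6", "cookie": ""},
    {"ts": 6, "src": "10.0.0.9", "dst": "10.0.1.20", "uri": "/login.php?id=1'",
     "ua": "curl/8.0", "cookie": ""},
]

# Assumed weights over the four aspects and the cut-off for "continuous".
WEIGHTS = {"payload": 0.4, "identity": 0.2, "location": 0.2, "platform": 0.2}
THRESHOLD = 0.5


def payload_similarity(a, b):
    """Attack payload similarity: ratio over the query strings (0..1)."""
    qa, qb = urlsplit(a["uri"]).query, urlsplit(b["uri"]).query
    if not qa and not qb:
        return 0.0  # nothing to compare
    return SequenceMatcher(None, qa, qb).ratio()


def identity_match(a, b):
    """Attacker identity: same non-empty session cookie."""
    return 1.0 if a["cookie"] and a["cookie"] == b["cookie"] else 0.0


def location_match(a, b):
    """Attack trigger location: same URL path."""
    return 1.0 if urlsplit(a["uri"]).path == urlsplit(b["uri"]).path else 0.0


def tool_of(alert):
    """Weapon platform: product token of the User-Agent (before the version)."""
    return alert["ua"].split("/")[0]


def platform_match(a, b):
    return 1.0 if tool_of(a) == tool_of(b) else 0.0


def continuity(a, b):
    """Weighted continuity score of two adjacent alerts in one flow."""
    return (WEIGHTS["payload"] * payload_similarity(a, b)
            + WEIGHTS["identity"] * identity_match(a, b)
            + WEIGHTS["location"] * location_match(a, b)
            + WEIGHTS["platform"] * platform_match(a, b))


def aggregate(alerts, threshold=THRESHOLD):
    """Filter per (src, dst) flow, then cut each time-ordered sequence where
    the continuity between neighbours falls below the threshold."""
    by_flow = defaultdict(list)
    for alert in sorted(alerts, key=lambda x: x["ts"]):
        by_flow[(alert["src"], alert["dst"])].append(alert)
    groups = []
    for seq in by_flow.values():
        current = [seq[0]]
        for prev, nxt in zip(seq, seq[1:]):
            if continuity(prev, nxt) >= threshold:
                current.append(nxt)
            else:
                groups.append(current)
                current = [nxt]
        groups.append(current)
    return groups


def summarize(groups):
    """One (src, dst, tool, alert_count) tuple per aggregated group."""
    return [(g[0]["src"], g[0]["dst"], tool_of(g[0]), len(g)) for g in groups]


if __name__ == "__main__":
    for row in summarize(aggregate(ALERTS)):
        print(row)
```

With the constructed input, the three sqlmap requests collapse into one group and the two Nikto requests into another even though both come from the same source, because the platform, identity and location signals all change at the boundary; the lone request from the second source lands in its own group. The thresholds and weights are the tunable part: a scanner that rotates paths on every request, for example, will only stay in one group if the platform and identity aspects carry enough weight on their own.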
Authors: Wang Wenbo (王文博); Ma Hailong (马海龙); Han Weitao (韩伟涛); Wang Chengyu (王程禹)
Affiliations: Information Engineering University, Zhengzhou 450001, Henan, China; Key Laboratory of Cyberspace Security, Ministry of Education, Zhengzhou 450001, Henan, China
Subject: Computers and Automation
Keywords: advanced persistent threat detection; alert correlation; alert aggregation; attack continuity
Journal: Journal of Information Engineering University (《信息工程大学学报》), 2024, No. 3
Pages: 292-297 (6 pages)
Funding: National Natural Science Foundation of China (62176214)