Skip to main content
SpringerLink
Log in

Boosting performance in attack intention recognition by integrating multiple techniques

  • Research Article
  • Published:
Frontiers of Computer Science in China Aims and scope Submit manuscript

Abstract

Recognizing attack intention is crucial for security analysis. In recent years, a number of methods for attack intention recognition have been proposed. However, most of these techniques mainly focus on the alerts of an intrusion detection system and use algorithms of low efficiency that mine frequent attack patterns without reconstructing attack paths. In this paper, a novel and effective method is proposed, which integrates several techniques to identify attack intentions. Using this method, a Bayesian-based attack scenario is constructed, where frequent attack patterns are identified using an efficient data-mining algorithm based on frequent patterns. Subsequently, attack paths are rebuilt by recorrelating frequent attack patterns mined in the scenario. The experimental results demonstrate the capability of our method in rebuilding attack paths, recognizing attack intentions as well as in saving system resources. Specifically, to the best of our knowledge, the proposed method is the first to correlate complementary intrusion evidence with frequent pattern mining techniques based on the FP-Growth algorithm to rebuild attack paths and to recognize attack intentions.

This is a preview of subscription content, log in via an institution to check access.

Access this article

Log in via an institution

Price excludes VAT (USA)
Tax calculation will be finalised during checkout.

Instant access to the full article PDF.

Institutional subscriptions

Similar content being viewed by others

References

  1. Yi P, Xing H, Wu Y, Cai J. Alert correlation through results tracing back to reasons. In: Proceedings of the 2009 International Conference on Communications and Mobile Computing. Kunming, 2009, 465–469

  2. Ning P, Xu D, Healey C, Amant R. Building attack scenarios through integration of complementary alert correlation methods. In: Proceedings of the 11th Annual Network and Distributed System Security Symposium. 2004, 97–111

  3. Soleimani M, Ghorbani A. Critical episode mining in intrusion detection alerts. In: Proceedings of the 6th Communication Networks and Services Research Conference, Halifax, 2008, 157–164

  4. Wang L, Li Z, Li D, Lei J. Attack scenario construction with a new sequential mining technique. In: 8th ACIS International Conference on Software Engineering, Artificial Intelligence, Networking, and Parallel/Distributed Computing. 2007, 53–87

  5. Agrawal R, Srikant R. Fast Algorithms for Mining Association Rules. IBM Alamnden Research Center. 1994

  6. Han J, Pei J, Yin Y, Mao R. Mining frequent patterns without candidate generation: A frequent-pattern tree approach. Data Mining and Knowledge Discovery, 2004, 8(1): 53–87

    Article  MathSciNet  Google Scholar 

  7. Pei J, Han J, Wang W. Constraint-based sequential pattern mining: the pattern-growth methods. Journal of Intelligent Information Systems, 2007, 28(2): 133–160

    Article  Google Scholar 

  8. Cuppens F, Miege A. Alert correlation in a cooperative intrusion detection framework. In: Proceedings of the 2002 IEEE Symposium on Security and Privacy. 2002, 202–215

  9. Xiao S, Zhang Y, Liu X, Gao J. Alert fusion based on cluster and correlation analysis. In: Proceedings of International Conference on Convergence and Hybrid Information Technology 2008. Gyeongbuk S. Korea, 2008, 163–168

  10. Yusof R, Selamat S R, Sahib S. Intrusion alert correlation technique analysis for heterogeneous log. IJCSNS International Journal of Computer Science and Network Security, 2008, 8(9), 132–138

    Google Scholar 

  11. Long W, Xin Y, Yang Y. Vulnerabilities analyzing model for alert correlation in distributed environment. In: Proceedings of the 2009 IITA International Conference on Services Science, Management and Engineering. Zhangjiajie, 2009, 408–411

  12. Liu Z, Wang C, Chen S. Correlating multi-step attack and constructing attack scenarios based on attack pattern modeling. In: Proceedings of the International Conference on Information Security and Assurance. Busan, 2008, 214–219

  13. Xu M, Wu T, Tang J. An IDS alert fusion approach based on happened before relation. In: Proceedings of 4th International Conference on Wireless Communications, Networking and Mobile Computing. Dalian, 2008, 1–4

  14. Yi P, Xing H, Wu Y, Li L. Alert correlation by a retrospective method. In: Proceedings of the 23rd international conference on Information Networking. Chiang Mai, 2009, 380–382

  15. Li Z, Lei J, Wang L, Li D. A Data mining approach to generating network attack graph for intrusion prediction. In: Proceedings of 4th International Conference on Fuzzy Systems and Knowledge Discovery. Haikou, 2007, 307–311

  16. Li Z, Zhang A, Lei J, Wang L. Real-time correlation of network security alerts. In: Proceedings of IEEE International Conference on e-Business Engineering. 2007, 73–80

  17. Li W, Tian S. Preprocessor of intrusion alerts correlation based on ontology. In: Proceedings of 2009 International Conference on Communications and Mobile Computing. Kunming, 2009, 460–464

  18. Qin X, Lee W. Attack plan recognition and prediction using causal networks. In: Proceedings of the 20th Annual Computer Security Applications Conference. 2004, 370–379

  19. Qin X, Lee W. Statistical causality analysis of INFOSEC alert data. In: Proceedings of the 6th International Symposium on Recent Advances in Intrusion Detection. 2003, 73–93

  20. Ou X, Govindavajhala S, Appel A. MulVAL: A logic-based network security analyzer. In: 14th USENIX Security Symposium. Society for Industrial and Applied Mathematics. 2005, 8–8

  21. Ou X. Logic-programming approach to network security analysis. PhD thesis. Department of Computer Science. Princeton University. 2005

  22. Mei H, Gong J. Intrusion alert correlation based on D-S evidence theory. In: Proceedings of 2nd International Conference on IEEE Communications and Networking in China. Shanghai, 2007, 377–381

  23. Hofmann A, Dedinski I, Sick B, deMeer H. A novelty-driven approach to intrusion alert correlation based on distributed hash tables. In: Proceedings of 12th IEEE Symposium on Computer and Communications. Averio Portugal, 2007, 71–78

  24. Pei J, Han J, Lu H, Nishio S, Tang S, Yang D. H-mine: hyperstructure mining of frequent patterns in large database. In: Proceedings of 1st IEEE International Conference on Data Mining. 2001, 441–448

  25. Zhai Y, Ning P, Iyer P, Reeves D. Reasoning about complementary intrusion evidence. In: Proceedings of the 20th annual Computer Security Applications Conference. 2004, 39–48

Download references

Author information

Authors and Affiliations

  1. School of Computer Science and Technology, Beijing Institute of Technology, Beijing, 100081, China

    Hao Bai & Changzhen Hu

  2. China Aerospace Engineering Consultation Center, Beijing, 100048, China

    Kunsheng Wang, Gang Zhang & Xiaochuan Jing

Authors
  1. Hao Bai
    View author publications

    You can also search for this author in PubMed Google Scholar

  2. Kunsheng Wang
    View author publications

    You can also search for this author in PubMed Google Scholar

  3. Changzhen Hu
    View author publications

    You can also search for this author in PubMed Google Scholar

  4. Gang Zhang
    View author publications

    You can also search for this author in PubMed Google Scholar

  5. Xiaochuan Jing
    View author publications

    You can also search for this author in PubMed Google Scholar

Corresponding author

Correspondence to Hao Bai.

Rights and permissions

Reprints and permissions

About this article

Cite this article

Bai, H., Wang, K., Hu, C. et al. Boosting performance in attack intention recognition by integrating multiple techniques. Front. Comput. Sci. China 5, 109–118 (2011). https://doi.org/10.1007/s11704-010-0321-y

Download citation

  • Received:

  • Accepted:

  • Published:

  • Issue Date:

  • DOI: https://doi.org/10.1007/s11704-010-0321-y

Keywords

Search

Navigation