Multi-step attack scenarios mining based on neural network and Bayesian network

• 1、School of Cyberspace Security, Beijing University of Posts and Telecommunications

Abstract：Attack patterns are generated from a large number of redundant alert log, and multi-step attack scenarios are built to eliminate false alert in the alert log. In this paper, we propose a new multi-step attack scenario construction model, which is divided into two parts: offline mode and online mode. In the offline mode, the known real attack alert log is used to train the neural network for removing error alert, and Eventually to generate a Bayesian network attack graph by alert aggregation processing and causal association attack sequence. In the online mode, a large number of online alert log is used to update the neural network and the Bayesian network attack graph generated by the previous offline mode, so that the iterative attack graph is more complete and accurate. In the end, we extracted a variety of multi-step attack scenarios from the Bayesian network attack graph to achieve the purpose of eliminating false alerts in the redundant IDS alert logs. In order to verify the validity of the algorithm, we used the DARPA 2000 dataset to test, and the results show that the algorithm has higher accuracy.

Keywords： Information security technology IDS log analysis neural network causal association analysis