A method of discovering multi-step attack patterns from alert data was studied. Alert similarity function was defined to construct the set of attack activity sequences. Sequence alignment technology was used to cluster the similar attack activity sequences. Multi-step attack patterns in a cluster were automatically discovered by the longest common subsequence extraction algorithm based on the idea of dynamic programming. The proposed method didn't depend on large amounts of prior knowledge. Few configuration parameters were needed and it was easy to implement. Experimental results demonstrate the effectiveness of proposed method.%研究了从警报数据中发现多步攻击模式的方法.通过定义警报间的相似度函数来构建攻击活动序列集.采用序列比对技术,将具有相似攻击行为的序列进行聚类.基于动态规划的思想,通过抽取最长公共子序列的算法自动发现类中的多步攻击模式.该方法不需要依赖大量先验知识,设置参数少,易于实现.实验结果验证了该方法的有效性.
展开▼