Real-time Network Attack Intention Recognition Algorithm

Transcription

1 Internatonal Journal of Securty and Its Applcatons, pp Real-tme Network Attack Intenton Recognton Algorthm Qu Hu and Wang Kun Zhengzhou Insttute of Informaton Scence and Technology, Zhengzhou, Chna Abstract Attack ntenton recognton s to reason and udge the goal of attackers accordng to attack behavor and network envronment. In order to deal wth the dynamcal character of offense-defense confrontaton, a dynamcal real-tme network attack ntenton recognton algorthm was proposed. By correlatng real-tme securty alerts and vulnerabltes, we recognzed the spread route and stage of attacks based on graph theory and probablty theory. Then we dentfed the attack ntenton and predcted the possble transton of attacks, combned wth network connectvty relatonshp. A smulaton experments for the proposed network attack ntenton recognton algorthm s performed by network examples. The expermental results show that the proposed method can be more accurately dentfy attack ntenton and fully predct the post stage of attacks. Keywords: attack ntenton; pattern recognton; network securty; mult-stage attack; state transton 1. Introducton Intruson ntenton recognton s to nterpret and udge the purpose, vson and ntenton of attackers through analyzng a large number of low-level alarm nformaton, whch s to gve a reasonable explanaton of a large number of attack data. Identfyng attack ntenton can determne the real purpose of attackers and predct the subsequent attack behavor, whch s the premse and foundaton of threat analyss and the mportant part of network securty stuaton awareness. It has become a hot topc n the feld of network securty. At the earlest, the research of ntenton recognton was carred out n the feld of artfcal ntellgence. Intenton of agent s the chosen plannng route to acheve a goal [1, 2], whch role s to gude the ratonal decson-makng and plan future behavor. Intenton recognton s the process of appercevng and reasonng ntenton of agent. In network securty feld, the research of attack ntenton recognton has ust begun. At present, exstng research s dvded nto two parts. A method bulds attack scenaro through correlatng the alarms of ntruson detecton systems, the other one enumerates all possble attack behavor by constructng attack graphs. The paper [3] correlated the alarms through modelng attack behavor. For a sngle attack behavor, the method refned the precondtons and consequences of the attack. Then the method correlated two attack behavors accordng matchng condton between prerequste of subsequent behavor and consequences of prevous acts. Thus, the method s no need to establsh attack pattern base, and t can dscover some unknown attack scenaro wth flexblty. The paper [4] automatcally generated attack strategy descrbed by attack strategy graph through alarm correlaton. The method correlated the ultra-alarm generalzed by the alarms wth same essence. The flexblty and assocate effcency of method was ncreased, and the method smplfed the analyss of attack strategy by measurng the smlarty between attack strateges to dscover the essence of the attack strateges. The paper [5] proposed a complex attack predcton method based on fuzzy hdden Markov model, dentfed attack scenaros membershp of alarms by usng stage transton matrx and fuzzy dfference ISSN: IJSIA Copyrght c 2016 SERSC

2 Internatonal Journal of Securty and Its Applcatons method. These alarm correlaton methods can fnd attackers behavor characterstcs and analyze attack strategy, but alarm correlaton s a rebuldng process of attack behavor after attacks. Due to dentfyng ntenton after attacks, these methods can t provde support for advance guard. The methods, analyze and correlate by explotng vulnerabltes, can reasonng and predct ntruson by smulatng attacks whch securty analyss n the form of attack graphs syntheszng the network topology, vulnerablty nformaton, frewall rules and other nformaton. The paper [6] proposed applcaton model to automatcally generate attack graph. The paper [7] reduced the complexty of attack graph to easly understand usng connecton matrx clusterng technques. The paper [8] mplements polcy-based mult-host, mult-step analyss of the vulnerablty. Model representaton of network and smplfyng the attack rules can greatly reduce the tme to generate attack graph. The paper [9] analyzed network securty protecton usng attack graph. However, most of these methods whch are statc analyss can t adaptvely adust the generaton and dsplay of attack graph based on real attacks and response measures. And the study of uncertanty that the probablty of beng exploted of attacks caused by dfferent attack dffculty and hdden degree s not yet suffcent. Therefore, we proposed a dynamc real-tme network attack ntenton recognton method based on attack route graph. By correlatng real-tme network attacks and vulnerabltes, the method determnes spread routes and stages of attack based on graph theory and probablty theory, then dynamcally reasonng possble ntruson ntenton and ts probablty accordng to attack behavor characterstcs and network envronment. 2. Real-Tme Network Attack Intenton Recognton Model Attack ntenton recognton s a process of reasonng and udgng ntruders ntenton. In practce, t s very dffcult to dentfy the ntenton. Due to the complex of ntruders ntenton, t s dffcult to establsh a ntenton base to clear descrpt all ntentons of attackers. And the uncertanty of complex attacks, whch acheve an attack ntenton wth dfferent attacks combnaton and ntruson paths and exst randomness n attack process, ncrease dffcultes to ntenton recognton. Computer network s an open complex system. Achevement of ntruson ntenton not only depends on attackers themselves, but also relates specfc network envronment and protecton measures. Therefore, the ntruson ntenton acheved by attackers s lmted and predctable gven a known network envronment and protectve measures. We proposed a dynamc attack ntenton recognton model based on network attack-defense confrontaton (as shown Fgure. 1). Attack stage predcton Next Stage Predcton Attack stage recognton Attack scenaro clusterng Attack Current Stage Real-tme Attack Scenaro Database Database Attack Pattern Model Informaton fuson Attack Vulnerablty Topology nformaton statc Network connectvely Log1 Log2 Logn dynamc Fgure 1. The Framework of Real-Tme Network Attack Intenton Recognton 52 Copyrght c 2016 SERSC

3 Internatonal Journal of Securty and Its Applcatons Accordng to the recognton model, we desgn the model of network securty s as follows: 2.1 Alarm Informaton Alarm nformaton Log ncludes the alarm logs from ntruson detecton systems, frewalls, system logs and other sensors whch use a sx-tuple ( d, tm e, typ e, co n ten t, d, d ) to represent. Where d s a unque dentfer of alarm s d nformaton, tme s the generaton tme of alarm, type s the type of alarm, content s content of the alarm, d s the node generatng the alarm, d s the detecton node of the s d alarm. 2.2 Securty Event Securty event alert s the advanced alarms after nformaton fuson, whch uses a seven-tuple (d, tme, Sp, Dp, Sport, Dport, AttackType) to represent. Where d s a unque dentfer of the event, tme s the occurrence tme of the event, Sp s the attacker's source address, Dp s the attack target address, Sport s the attacker's source port, Dport s the attack destnaton port, AttackType s the attack type used by the attack. 2.3 Network Connectvty Network connectvty represents communcaton relatonshp between hosts. To protect the mportant assets of network, managers wll set up frewall access polcy to prevent the external hosts access the nternal network or only allow communcaton through specfc ports. We use a trple to descrbe the network Connectvty ( h o s t, h o s t, p r o to c o l p o r t ), where h o s t, h o s t represent connected host, protocol/port represents the communcaton protocol and port of hosts. 2.4 Vulnerablty Explotng Relatonshp Vulnerablty explotng relatonshp represents dependency attacks wth vulnerabltes, whch s successful nvason probablty of an attack explotng the specfc vulnerablty. We use a trple to descrbe the vulnerablty explotng relatonshp (a tta c k, v u ls, p ( e )), where atta ck represents types of attacks, v u ls represents types of vulnerabltes, p ( e) represents the successful nvason probablty when a tta c k explots v u ls. Calculatng the dependency attacks wth vulnerabltes s an mportant research drecton n the feld of nformaton securty, whch requres analyss of a large number of attack data, and combned wth pror knowledge of network securty experts. We calculate p ( e ) by referencng CVSS [10] (Common Vulnerablty Scorng System). VS (Vulnerablty Scores) can be got based on CVSS, whch ranges from 0 to 10. When VS = 0, t ndcates that the attack could not explot the vulnerablty; when VS = 10, t ndcates nvason wll be successful. In ths paper, a smple converson defnes as p ( e ) V S Attack Intenton Stage Transton Model We use ( s, s ) to descrbe attack ntent stage transton,, s s S the stage sets of attacks, s, s represent prevous and post stage, s p r e ( s ), where S represents, s p o s t ( s ). To complete a network attack, attackers need carry out multple attacks whch become attack pattern accordng wth causalty. Copyrght c 2016 SERSC 53

4 Internatonal Journal of Securty and Its Applcatons We use a trple s ( A ( s ), E ( s ), s ) to descrbe each attack stage. Where represents the types of attacks needed to complete the stage; A s a a a ( ), 1 2 n E s e e e ( ), 1 2 m represents the dependency between attacks, whch unquely determned by the ordered par of attacks (, ) a a e n. If successful nvason of an attack ntenton need all of the two attacks must be successful, the dependency of two attacks s parallel relatonshp, e=1; f successful nvason of an attack ntenton ust need any one of two attacks, the dependence of two attacks s select relatonshp, e=0; s represents the stage of attack ntenton. The attack pattern base can be generated from known network attack mode based on the model. Fgure. 2 s an nstance of a state transton dagram of an attacks ntenton. fpng strobe pnger Address probe netcat Port scan logn logn nmap png nmap sacn Fgure 2. Attack Intenton Stage Transton Dagram 3. Real-Tme Attack Intenton Identfcaton and Predcton 3.1 Informaton Fuson Currently a large number of securty sensors are deployed n the network, alarm nformaton from ntruson detecton systems, frewalls, vrus detecton systems and other sensng devces reflect the dfferent levels of securty status. However, the data format s chaotc, and there s a lot of redundancy and false postves, whch cannot be appled drectly to the network securty analyss. Currently, there are some algorthms [11-13] to fuse alarm nformaton. Use the proposed algorthm n [11] for data to fuse alarm nformaton and get more accurate attack probablty p(a), so that the alarm nformaton from dfferent sensors complementary and mutually confrmed, more accurate nformaton about attack can be obtaned. Attack success depends on attack technques and ts envronment confguraton and vulnerablty nformaton of the nvason network, ust when the envronment confguraton and vulnerablty nformaton of ntruson network can be exploted by ths attack, t can be successful nvason. So successful nvason probablty p(ac) wll be calculatng based on the explot relatonshp of vulnerabltes (a tta c k, v u ls, p ( e )). p ( a ) p ( e ), v lu s V lu s p ( a c ) 0, o th e r w s e Where p(a) s the nvason probablty, v lu s s the vulnerabltes explotng by the attack, p ( e ) s the probablty of successful nvason when the attack explotng the dependng vulnerablty, by the attack. v lu s 3.2 Attack Scenaro Clusterng V lu s means nvason host exsts vulnerabltes depended Due to network may be attacked by many ntruders n a same perod of tme, t needs cluster the securty event nto dfferent attack scenaros to dentfy ntruson ntenton of each attackers. We dvde each new receved alert nto attack scenaro based on a quanttatve alarm correlaton method. In a same mult-step attack, snce the ntruson ntenton and target s very clear, the property of securty event caused by attack steps exst some correlaton. For example, f (1) 54 Copyrght c 2016 SERSC

5 Internatonal Journal of Securty and Its Applcatons an attacker wants to scan vulnerablty of network, the attacker must frst IPSweep scannng. The source IP addresses of alarm caused by two attacks are same, and ther occurrence tme exsts context-related. Therefore, the attack correlaton degree s defned manly decded by assocaton of property. Defnton. 1. Attack Correlaton Degree. The Attack Correlaton Degree, cor(a,b), represents the possblty of the two attacks, a and b, belongng to the same attack scenaro. In ths paper, we regard several attrbutes of the attack, such as IP address, port, tmestamp, attack style and etc., as the bass to calculate the attack correlaton degree. The Attack Correlaton Degree Functon s defned as follow: n k k k k 1 k 1 n c o r ( a, b ) F e a tu re ( a, b ) (2) th Where F ea tu re ( a, b ) represents the correlaton degree among the attrbute k and k k represents the weght. The two parameters can be selected accordng to Reference [14]. When the system receves a new securty event, we calculate attack correlaton degree between the alert wth every saved attack scenaros. If there are many correlaton degree exceed the pre-set threshold, then put the alert nto the attack scenaro wth largest correlaton degree. If all correlaton degree doesn t exceed the pre-set threshold, consder the securty ncdent as a new attack scenaro. 3.3 Real-Tme Attack Stage Recognton Algorthm Defnton. 2. State Functon. Ths functon, bool(s), s used to dentfy whether the attack stage s occurred. If the attack stage has occurred, bool(s) equals to true; otherwse, bool(s) equals to false. Defnton. 3. Transference Watng Wndow. The ntruson of a network attack always carres n a perod. If the next attack stage doesn t occur after a long tme, the ntruson wll fal due to the attacker s ablty can t explot the network vulnerabltes. Thus a Transfer Watng Wndow s necessary to udge whether the attack s success. Mostly, an attack perod s 2h, so we set the Transference Watng Wndow =2h. The method clustered real-tme alerts nto dfferent attack scenes based on attack correlaton degree, and assocated the alerts wth attack pattern base. We summarze 3 knds of typcal scene (shown as Fgure. 3). S1 S2 S3 S1 S2 S3 S1 S2 S1 (a) Normal transferrng (b) Skpped transferrng (c) Repeated transferrng Fgure 3. State Transferrng Scenes Fgure. 3(a) shows the normal transferrng, whch the prevous state and the post state of an attack ntenton can occur sequentally. In Fgure. 3(b), the state transfers from S1 to S3 wthout dscoverng S2, whch we call t as skpped transferrng. Actually t s the most common scene n a real network due to the hgh false negatve rate exstng n the ntruson detecton equpment caused by the dfference between detecton strateges and characters of ntruson. As shown n Fgure. 3(c), the repeated transferrng represents the scene that some state occurs repeatedly, lke S1. Ths s always because the alert data s delayed whle transmsson or the clocks n dfferent securty sensors are asynchronous. Based on the above analyss, the Real-Tme Attack Stage Recognton Algorthm can be descrbed n the followng. Algorthm. 1. Real-Tme Attack Stage Recognton Algorthm Input: fuson securty events Output: the ntenton of attacker; the current attack phase Copyrght c 2016 SERSC 55

6 Internatonal Journal of Securty and Its Applcatons Begn Step 1: Calculate the attack correlaton degree, cor(a,b), between the real-tme alerts and the current state of the generated attack scene, s. Then cluster the alerts nto dfferent attack scenes accordng to the attack correlaton degree. Step 2: By analyzng the correlaton between alerts n each attack scene and the generated attack pattern base ( A ( s ), E ( s ), s ), search for the attack stage s, and record the current tme t. Step 3: If the prevous state of s s the current state n the attack scene, whch can be descrbed by the equaton s p re ( s ), and then we regard ths type of scene as normal transferrng. Add s nto the attack scene, set the parameter bool(s) =true, update the current state s s and the state occurrng tme t t. Then turn to Step7. Step 4: If the functon bool(s) =true, the scene belongs to repeated transferrng. We dscard ths attack state and turn to Step7. Step 5: If the prevous state of s s not the current state n the attack scene, whch state functon bool(pre(s)) =false. Search the attack pattern base, f s s several steps latter than the current state, then we regard ths type of scene as repeated transferrng. Under ths stuaton, we add s as well as the states between s and s nto the attack scene, set the functon bool(s) =true and update the current state, s s, as well as the state occurrng tme, t t. Then turn to Step7. If s sn t latter than the current state, then turn to Step6. Step 6: If s sn t latter than the current state, ths stuaton dedcates ths attack pattern haven t been occurred. We label ths attack path as a new attack path and add t nto the attack pattern base. Set bool(s) =true, update the current state, s s, as well as the state occurrng tme, t t. Then turn to Step1. Step 7: Assocated the attack scene and the attack pattern base, we can get the attack ntenton set {G1, G2,, Gn}. The attack technology and stage of attack patterns can possbly be the same, so we can recognze several attack ntentons accordng to the generated attack scene (as shown n Fgure. 4.). After updatng the current state, we udge whether s s on the path of a recognzed attack ntenton. If yes, then s p a th and keep ths attack ntenton. Otherwse we have to delete the attack ntenton. Step 8: Check the tme of state transferrng of all attack scenes, f t t, then delete the attack scene and turn to Step1. End G1 S1 S2 S3 path1 path2 pathn G2 Gn Fgure 4. Attack Intenton Reorganzaton Calculatng attack phase achevement probablty p(s) utlzes real-tme detectng attack behavor Alert and dependency relatonshp of attacks ( A ( s ), E ( s ), s ), based on establshng attack pattern base. 56 Copyrght c 2016 SERSC

7 Internatonal Journal of Securty and Its Applcatons p ( a c ) p ( a c ) p ( a c ) p ( a c ), e 0 n p( s) p ( a c ) p ( a c ), e 1 n (3) Where p ( a c ) and p ( a c ) are the attack success probablty of A lter and A lte r, e 0 means t s possble to acheve the ntenton of the attack when all of attack have n succeed, e 1 n means t s possble to acheve the ntenton of the attack when any one of the attacks has succeed. 3.4 Real-Tme Attack Stage Predcton Algorthm Defnton. 4. Mnmum Vulnerabltes Set Needed n Attack Stage. In ths paper we descrbe ths set as M n V u ls M n V u ls v u ls & v u ls & v u ls k l.ths set represents the essental vulnerabltes whch attackers explot to acheve a certan attack phase. The attacker perhaps utlze varous attack method to acheve the am, thus ths set contans more than one element. Defnton. 5. Accessble Host, whch means the set of hosts whch can be used to carry out the post ntruson. Ths set ncludes the host whch exst the current attack state as well as the hosts that connect wth t. Defnton. 6. Explotable Vulnerabltes Set. Ths concept means the vulnerabltes of accessble hosts that can be exploted by the attacker. In ths paper we descrbe ths set as E xp lo tv u ls, whch sn t equal to all vulnerabltes exsted n the accessble hosts because of the lmtaton of protocol and port. The host whch exstng the current attack state, can explot all vulnerabltes n t, whch means E xp lo tv u ls V u ls ; whle other hosts can generate the explotable vulnerabltes set accordng to the connectvely relatonshp ( h o s t, h o s t, p r o to c o l p o r t ). Defnton. 7. Explotable Rato of Vulnerablty. Ths parameter, Av, descrbes the stuaton whether the explotable vulnerabltes can satsfy the requrement of the followng ntruson. If yes, whch means M n V u ls E xp lo tv u ls, every vulnerabltes n ths host can be used by the attacker. Detaled descrpton s shown n the followng: 1, M n V u ls { M n V u ls }, M n V u ls { E x p lo tv u ls } Av 0, o th e r w s e Because the ablty of attacker s unknown, we suppose that the attacker can utlze all knds of attack technologes; n the mean tme we suppose that the attacker choose the next target wth equal probablty. The detaled process of the Real-Tme Attack Stage Predcton Algorthm s descrbed as the followng. Algorthm. 2. Real-Tme Attack Stage Predcton Algorthm Input: the current attack path p a th ; the recognzed attack ntenton set {G1,G2,,Gn} Output: the post attack stage; the post ntruson hosts. Begn Step 1: Watng for the attack path that s updatng. If the attack path turns nto the current attack path s, turn to Step 2. Otherwse repeat ths step. Step 2: Search for the accessble hosts accordng to the attack-exsted host and the connected relatonshp. Step 3: On the bass of the connected relatonshp ( h o s t, h o s t, p r o to c o l p o r t ), generate the explotable vulnerabltes sets of all accessble hosts E xp lo tv u ls. Step 4: In accordance wth the attack pattern base, search for the mnmum vulnerabltes set needed n the ost ntruson M n V u ls. Copyrght c 2016 SERSC 57

8 Internatonal Journal of Securty and Its Applcatons Step 5: Calculate every utlzaton rato of vulnerablty n each accessble host. If A v 1, h o st can become the followng goal n the ntruson; otherwse h o st s naccessble n the followng attack phase. End For each dentfed attack ntenton G of attack path p a th, the nvason hosts h o st of k next attack phase wll be got wth real-tme attack phase predcton algorthm. Under ablty of attackers s unknown, we assume that the attackers have a strong ablty to mplement all the exstng methods to complete ther ntentons. Gven the each group requred mnmum vulnerablty of attack phase M n V u ls v u ls & v u ls & v u ls n avalable vulnerabltes set, we have H p ( n s ) p ( e ) h x h x y z (5) Where H s number of vulnerablty n the mnmum vulnerablty group, p ( e) s x nvason access probablty of vulnerabltes to the correspondng attack. Gven all of the avalable vulnerabltes set, we have (6) p ( n s ) 1 1 p n s h 4. Expermental Analyss In order to verfy the feasblty and effectveness of the model and algorthm, we buld an expermental network, the network topology as shown n Fgure. 5. The network conssts of a frewall, a Web server, a Mall server, a SQL server, two ntruson detecton systems, and an attack host. The frewall polcy parts network nto two subnets. Web server, Mall server and IDS1 dstrbuted n DMZ Zone, SQL server and IDS2 dstrbuted n Trusted Zone. Internet Mall Server IDS DMZ Zone Attacker Frewall Trusted Zone Web Server IDS SQL Server Fgure 5. The Network Topology The frewall has a strong set of polces (shown n table I) to prevent remote access to SQL server. In partcular, all machnes n DMZ Zone passvely receve servce requests and only respond to the sender as needed. In order to accommodate Web servce s transactons, the web server s allowed to send SQL queres to the SQL server. The frewall polcy s network connectvely relatonshp too. Table 1. Lst of Frewall Polcy From host To host Protocol/port Remote Mal server IMAP(143)&SMTP(25) machne Web server HTTP(80) Web server SQL Server SQL(1433) 58 Copyrght c 2016 SERSC

9 Internatonal Journal of Securty and Its Applcatons Through the network vulnerablty scannng, the vulnerabltes of hosts are gven n Table II. Table 2. Lst of Vulnerabltes n Network Host Vulnerablty CVE# SQL Server SQL Inecton (V1) CVE Remote code executon n Mal server SMTP (V2) CVE Error message nformaton CVE leakage (V3) CVE Squd port scan vulnerablty (V4) Web server IIS vulnerablty n WebDAV server (V5) CVE To steal the data from SQL server, attacker must get the root prvlege of SQL server. The attacker frst searched for vald hosts of the network through IPsweep address scannng, and attacker found Web server and Mall server. Then attacker scanned the ports of vald hosts, and dscovered Web server s communcaton port s 80. The attacker obtaned user permssons of Web server explotng CVE , then obtaned the root prvlege of SQL server explotng CVE through SQL protocol. We collected the alarm data of IDS and frewall, as well as the securty audt logs of hosts. Then the attack stage transton dagram (shown n Fgure. 6.) can be got wth the attack ntenton recognton algorthm proposed n Secton 3. Attack predcton path Attack practcal path Attacker Address scan Web server Address scan Mal server Port scan Web server Port scan Mal server V2 Authentcaton bypass Web server V2 User access Web server V1 Root access Web server V5 Root access Mal server Fgure 6. Attack Stage Transton Dagram Then, calculatng the stage occurrence and stage transton stuaton of network attack (shown n Table III) s accordng to the dentfed attack stage transton dagrams, combned wth ntruson detecton alarm data and audt logs. Where host and p(s) n stage occurrence stuaton (host, p(s)) mean the attacked host of stage and attack stage achevement probablty; host, post(s) and p(ns) n stage transton stuaton (host, post(s), p(ns)) mean the attacked host of next stage, next attack stage and attack stage transton probablty. Table 3. Lst of Attack Stage Stuaton Attack stage Stage occurrence stuaton Stage transton stuaton Address scan (Mal, 0.98) (Mal, port scan, 1) (Web, 0.98) (Web, port scan, 1) Port scan (Mal, 0.96) (Mal, root access, 0.98) (Web, 0.95) (Web, user access, 0.96) Copyrght c 2016 SERSC 59

10 Internatonal Journal of Securty and Its Applcatons User access prvlege Root access prvlege (Web, Authentcaton bypass, 0.96) (Web, 0.93) (SQL, root access, 0.94) (SQL, 0.93) From Fgure. 6 and table. 4 can be seen that the proposed method can accurately predct as well as constantly update attack ntenton and targets n advance. Then we analyze the performance of proposed algorthm. 1) Tme complexty. Algorthm. 1. scanned every securty events once to match the pattern n the attack pattern base. The number of attack patterns, m, as well as the number of stages n every pattern s steady. The algorthm starts only when a new attack s occurred, so the tme complexty of Algorthm. 1. s O(mn). Algorthm. 2. searched for the possble attack ntentons n all accessble hosts, whle the number of accessble hosts and the number of possble attack ntentons s steady. The tme complexty of Algorthm. 2 s O(kl). 2) Storage sze. AG Algorthm, proposed n paper [6], requres lstng all states n the n network, whch the tme complexty s O ( 2 ). In paper [15], EDG Algorthm mproves the scale by smplfyng twce to elmnate the loops. TSTG Algorthm, proposed n paper [16], avods the above problems by lftng the authorty and assocated analyzng the attack. But t s hard to deal wth the large network. In ths paper, the proposed stage recognton algorthm based on the attack ntenton dvdes attacks nto dfferent scenes rather than enumerate all states. We also avod the redundancy of attack state and attack lnk by recognzng every attack ntenton. The scale of the proposed algorthm s polynomal. And t mproves the comprehenson of the attack scene by the recognton of attack ntenton. In the meantme, t avods the appearance of loop through dscussng the possble state transferrng scenes to weaken the nfluence of false postve and repeated alert. TABLE IV compares the above algorthms n the network wth 3 hosts and 5 vulnerabltes. 5. Conclusons Table 4. Comparson of Algorthms Algorthm AG EDG TSTG Ths paper nodes edges granularty exponental polynomal polynomal polynomal loop no yes no no Based on the bass of artfcal ntellgence ntenton recognton, we proposed a dynamc real-tme network attack ntenton recognton algorthm. By correlatng realtme securty alerts and vulnerabltes, we found the spread route and stage of attacks based on graph theory and probablty theory. Then we dentfed the attack ntenton and predcted the possble transton of attacks, combned wth network connectvty relatonshp. A smulaton experments for the proposed network attack ntenton recognton algorthm s performed by network examples. The expermental results show that the proposed method can be more accurately dentfy attack ntenton and fully predct the post stage of attacks. Due to attackers always use decepton, concealment or other means to conceal ther behavor and ntenton, there s dfferent between attackdefense ntenton recognton wth ntenton recognton n artfcal ntellgence feld. So the ntruson ntenton recognton needs further research. 60 Copyrght c 2016 SERSC

11 Internatonal Journal of Securty and Its Applcatons References [1] K. A. Tahboub, Intellgent human-machne nteracton based on dynamc Bayesan networks probablstc ntenton recognton, Journal of Intellgent and Robotc Systems. no.45, (2006), pp [2] X. Cha, Q. Yang, Multple-goal recognton form low-level sgnals. Proceedngs of the 20th Natonal Conference on Artfcal Intellgence, Pttsburgh, Pennsylvana, (2005), pp [3] F. Cuppens, F. Autrel, A. Mege, S. Benferhat, Recognzng malcous ntenton n an ntruson detecton process. Proceedngs of the 2nd Internatonal Conference on Hybrd Intellgent Systems, (2002); Santago, Chle. [4] P. Nng, D. Xu, Learnng attack strateges from ntruson alerts, Proceedngs of the 10th ACM Conference on Computer and Communcatons Securty, (2003); Washngton, DC, USA. [5] Z. Yanxue, Z. Dongme, L. Jnxng. Approach to forecastng mult-stage attack based on fuzzy hdden markov model. Electroncs Optcs & Control, (2015), no. 22, pp [6] O. Sheyner, J. Hanes, S. Jha, R Lppmann, Automated Generaton and Analyss of Attack Graphs. Proceedngs of the 2002 IEEE Symp on Securty and Prvacy, (2002) May 12-15; Berkeley, Calforna, USA [7] S.Noel, S. Jaoda, Understandng complex network attack graphs through clustered adacency matrces. Proceedngs of the 21st Annual Computer Securty Applcatons Conference, (2005) December 5-9; Tucson, AZ, USA. [8] X. Ou, S. Govndavahala A. W., Apple. MulVAL: A logc-based network securty analyzer. Proceedngs of the 14th Usenx securty Symp. (2005) August 1 5; Baltmore, MD. [9] M. Alhomd, M Reed. Attack graph-based rsk assessment and optmzaton approach. Internatonal Journal of Network Securty & Applcatons., no. 6., (2014), pp [10] M. Schffman, Common Vulnerablty Scorng System (CVSS), html (2011). [11] W. Yong, L. Yfeng, F. Dengguo. A Network Securty Stuatonal Awareness Model Based on Informaton Fuson. Journal of Computer Research and Development. no. 46, (2009), pp [12] Q. Pel, Y. Yang, Study on Applcaton of Honeypot n Network Securty. Journal of Harbn Unversty of Scence and Technology. 14, (2009) [13] Q. Pel, S. Png, Research and Implementaton of Intruson Detecton System Merged Scanner Technque. Journal of Harbn Unversty of Scence and Technology, no. 14, (2009), pp [14] F. Kavous, B. Akbar, Automatc learnng of attack behavor patterns usng Bayesan networks. 6th Internatonal Symposum on Telecommuncatons, (2012) November 6-8; Tehran, IRAN. [15] S. Noel, Jaoda, O Berry B, S Jacobs M. Effcent mnmum-cost network hardenng va explot dependency graphs. Proc of the 19th Annual Computer Securty Applcatons Conference, CA: IEEE Computer Socety, (2003) December 8-12; Las Vegas, Nevada, USA. [16] Lv Huyng, P. Wu, W. Rume, W. Je. A Real-tme Network Threat Recognton and Assessment Method Based on Assocaton Analyss of Tme and Space. Journal of Computer Research and Development. 51, (2014), pp Copyrght c 2016 SERSC 61

12 Internatonal Journal of Securty and Its Applcatons 62 Copyrght c 2016 SERSC