DocumentCode :
141512
Title :
An Approach of Discovering Causal Knowledge for Alert Correlating Based on Data Mining
Author :
Feng Xuewei ; Wang Dongxia ; Huang Minhuan ; Sun Xiaoxia
Author_Institution :
Beijing Inst. of Syst. Eng., Beijing, China
fYear :
2014
fDate :
24-27 Aug. 2014
Firstpage :
57
Lastpage :
62
Abstract :
Attackers exploit target facilities in cyberspace gradually: multiple attack steps are performed in order to reach the ultimate goal. Identifying such attack scenarios is a challenge in many research fields, such as cyberspace security situation awareness and the detection of APTs (Advanced Persistent Threats). Alert correlation analysis based on causal knowledge is a widely adopted method in CEP (Complex Event Processing); it is a promising way to identify multi-step attack processes and can reconstruct attack scenarios. However, current research suffers from the problem of having to define the causal knowledge manually. To solve this problem, we propose an approach for mining causal knowledge automatically based on the Markov property. First, the raw alert stream is clustered into several alert sets; then each set is mined to obtain a one-step transition probability matrix based on the Markov property, and each generated matrix represents a piece of causal knowledge. Next, pieces of knowledge that have overlapping steps are fused to create a knowledge base of attack patterns. Finally, experimental results show that the approach is feasible.
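The pipeline the abstract sketches (cluster the alert stream into alert sets, estimate a one-step transition probability matrix per set under the Markov property, fuse matrices whose steps overlap into a knowledge base), as an added Python illustration that is not the authors' code. Everything concrete here is an assumption made for the example: alerts are clustered by their (source, destination) pair, the alert type names and the sample alert stream are constructed, and the min_support threshold that drops rarely observed transitions is a practitioner's guard that the abstract does not mention.

```python
from collections import Counter, defaultdict

# Constructed sample alert stream (not from the paper): (time, src, dst, alert_type)
ALERTS = [
    (1, "10.0.0.5", "10.0.1.20", "port_scan"),
    (2, "10.0.0.5", "10.0.1.20", "ssh_bruteforce"),
    (3, "10.0.0.5", "10.0.1.20", "privilege_escalation"),
    (4, "10.0.0.5", "10.0.1.20", "data_exfiltration"),
    (1, "10.0.0.9", "10.0.1.21", "port_scan"),
    (2, "10.0.0.9", "10.0.1.21", "ssh_bruteforce"),
    (3, "10.0.0.9", "10.0.1.21", "ssh_bruteforce"),
    (4, "10.0.0.9", "10.0.1.21", "privilege_escalation"),
    (1, "10.0.0.7", "10.0.1.30", "privilege_escalation"),
    (2, "10.0.0.7", "10.0.1.30", "data_exfiltration"),
    (1, "10.0.0.8", "10.0.1.40", "web_scan"),
    (2, "10.0.0.8", "10.0.1.40", "sql_injection"),
]


def cluster_alerts(alerts):
    """Step 1 (assumed clustering key): group alerts by (src, dst) and
    return each group's alert types ordered by time."""
    groups = defaultdict(list)
    for ts, src, dst, kind in alerts:
        groups[(src, dst)].append((ts, kind))
    return {key: [kind for _, kind in sorted(seq)] for key, seq in groups.items()}


def transition_counts(sequence):
    """Step 2: one-step transition counts for one alert set. Under the Markov
    property only the immediately preceding alert matters, so each adjacent
    pair (a, b) contributes one observation to row a, column b."""
    counts = defaultdict(Counter)
    for a, b in zip(sequence, sequence[1:]):
        counts[a][b] += 1
    return counts


def states_of(counts):
    """All alert types appearing as a row or a column of a count matrix."""
    return set(counts) | {b for row in counts.values() for b in row}


def fuse(pieces):
    """Step 3: merge pieces of causal knowledge whose attack steps overlap.
    Raw counts are pooled rather than averaging probabilities, so a transition
    seen in many alert sets outweighs one seen once."""
    merged = []
    for piece in pieces:
        states = states_of(piece)
        overlapping = [m for m in merged if states & states_of(m)]
        merged = [m for m in merged if not (states & states_of(m))]
        fused = defaultdict(Counter)
        for m in overlapping + [piece]:
            for a, row in m.items():
                fused[a].update(row)
        merged.append(fused)
    return merged


def to_probabilities(counts, min_support=1):
    """Row-normalise pooled counts into a one-step transition probability
    matrix, dropping transitions observed fewer than min_support times
    (assumed guard: a single noisy alert pair should not become 'causality')."""
    matrix = {}
    for a, row in counts.items():
        kept = {b: n for b, n in row.items() if n >= min_support}
        total = sum(kept.values())
        if total:
            matrix[a] = {b: n / total for b, n in kept.items()}
    return matrix


def build_knowledge_base(alerts, min_support=1):
    """Full pipeline: cluster -> per-set transition counts -> fuse -> normalise.
    Returns one probability matrix per fused attack pattern (empty ones dropped)."""
    pieces = [transition_counts(seq) for seq in cluster_alerts(alerts).values()]
    matrices = [to_probabilities(m, min_support) for m in fuse(pieces)]
    return [m for m in matrices if m]


if __name__ == "__main__":
    for i, pattern in enumerate(build_knowledge_base(ALERTS), 1):
        print(f"attack pattern {i}:")
        for a, row in pattern.items():
            for b, p in sorted(row.items(), key=lambda kv: -kv[1]):
                print(f"  P({b} | {a}) = {p:.2f}")
```

On the constructed stream the three intrusion-like clusters share steps and fuse into one pattern (port_scan, ssh_bruteforce, privilege_escalation, data_exfiltration, with the repeated brute-force alert giving ssh_bruteforce a 1/3 self-transition), while the web_scan/sql_injection cluster shares no step and stays a separate piece of knowledge; raising min_support to 2 prunes both the self-transition and the single-observation web pattern.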
Keywords :
Markov processes; data mining; matrix algebra; probability; security of data; APT detection; CEP; Markov property; advanced persistent threat detection; alert correlation analysis; attack scenarios; causal knowledge discovery; complex event processing; cyberspace security situation awareness; data mining; multistep attack processes; one step transition probability matrix; raw alert stream; Correlation; Cyberspace; Data mining; IP networks; Knowledge based systems; Markov processes; Sensors; alert correlation; attack scenario; causal knowledge; data mining;
fLanguage :
English
Publisher :
ieee
Conference_Titel :
Dependable, Autonomic and Secure Computing (DASC), 2014 IEEE 12th International Conference on
Conference_Location :
Dalian
Print_ISBN :
978-1-4799-5078-2
Type :
conf
DOI :
10.1109/DASC.2014.19
Filename :
6945304
Link To Document :