DocumentCode :
1934529
Title :
Research on the key technology of reconstructing attack scenario based on state machine
Author :
Xuewei, Feng ; Dongxia, Wang ; Guoqing, Ma ; Jin, Li
Author_Institution :
Beijing Inst. of Syst. Eng., Beijing, China
Volume :
1
fYear :
2010
fDate :
9-11 July 2010
Firstpage :
42
Lastpage :
46
Abstract :
An attack on cyberspace causes security devices to generate a huge number of security events, and it is infeasible for a security manager to analyze these events manually. After analyzing the existing security event correlation algorithms, we propose an attack scenario reconstruction technology based on a state machine. With this technology, the process by which attackers intrude into cyberspace can be restored and more comprehensive attack scenario description information can be generated, which eases the security manager's work. The state machine based attack scenario reconstruction technology processes security events using clustering analysis and causal analysis concurrently. It builds a correlation state machine in memory for every attack scenario tree predefined by the security manager; when security events arrive, the current state set of the correlation state machine processes them, and if the transition condition is satisfied, the current states of the state machine transfer, which corresponds to the progress of the multi-step attack. If one of the leaf nodes of the state machine is in its current state set, attack scenario description information is generated and sent to the security manager. The correlating technology based on a state machine is more timely and accurate. Finally, we use the DARPA2000 Intrusion Scenario Specific Data Sets to validate the technology; the experimental results show that it is feasible to analyze security events using the technology we propose.
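The correlation state machine the abstract describes, as an added example that is not the paper's own code: a scenario tree predefined per attack scenario, a current state set that transfers on matching events, a host-overlap check standing in for the clustering and causal analysis, and a scenario description emitted once a leaf node is reached. The scenario tree, event type names and addresses are constructed for illustration.

```python
from collections import namedtuple
Event = namedtuple("Event", "type src dst")      # one normalised security event
# Constructed scenario tree (illustrative LLDOS-like steps, not the paper's own):
# node -> (event type that drives the transition into it, child nodes).
SCENARIO_TREE = {
    "root":    (None, ["probe"]),
    "probe":   ("ICMP_SWEEP", ["exploit"]),
    "exploit": ("SADMIND_EXPLOIT", ["implant"]),
    "implant": ("RSH_INSTALL", ["launch"]),
    "launch":  ("DDOS_OUTBOUND", []),            # leaf: scenario complete
}
ROOT = ("root", frozenset(), ())                 # a state is (node, hosts on path, events consumed)

class CorrelationStateMachine:
    def __init__(self, tree):
        self.tree, self.current = tree, {ROOT}

    def process(self, ev):
        """Feed one event; return a description for every leaf reached."""
        nxt, reports = {ROOT}, []                # root stays so new scenarios can start
        for node, hosts, trace in self.current:
            moved = False
            for child in self.tree[node][1]:
                # causal analysis: the step must involve a host already on this path
                related = not hosts or {ev.src, ev.dst} & hosts
                if ev.type == self.tree[child][0] and related:
                    new = (child, hosts | {ev.src, ev.dst}, trace + (ev,))
                    if self.tree[child][1]:
                        nxt.add(new)             # state transfers to the child
                    else:                        # leaf: emit scenario description
                        reports.append({"scenario": child, "hosts": sorted(new[1]),
                                        "steps": [e.type for e in new[2]]})
                    moved = True
            if not moved and node != "root":
                nxt.add((node, hosts, trace))    # condition not met: state is retained
        self.current = nxt
        return reports

EVENTS = [  # constructed stream: 10.0.0.9 attacks 172.16.1.5, noise interleaved
    Event("ICMP_SWEEP", "10.0.0.9", "172.16.1.5"),
    Event("PORTSCAN", "10.0.0.9", "172.16.1.7"),            # no condition matches
    Event("SADMIND_EXPLOIT", "10.0.0.9", "172.16.1.5"),
    Event("RSH_INSTALL", "203.0.113.4", "172.16.9.9"),      # right type, unrelated hosts
    Event("RSH_INSTALL", "10.0.0.9", "172.16.1.5"),
    Event("DDOS_OUTBOUND", "172.16.1.5", "198.51.100.20"),
]

def run(events=EVENTS, tree=SCENARIO_TREE):
    machine = CorrelationStateMachine(tree)
    return [r for ev in events for r in machine.process(ev)]
```

Only the chain on 172.16.1.5 reaches the leaf; the same-type event against an unrelated host is left in place rather than advancing the state.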
Keywords :
computer network security; correlation methods; finite state machines; pattern clustering; DARPA2000 intrusion scenario specific data sets; attack scenario reconstruction technology; clustering analysis; correlation state machine; cyberspace; security devices; security events correlation; state machine; Computational modeling; Computers; Correlation; Security; XML; attack scenario reconstruction; attack scenario tree; causal analysis; clustering analysis; correlating state machine;
fLanguage :
English
Publisher :
ieee
Conference_Titel :
Computer Science and Information Technology (ICCSIT), 2010 3rd IEEE International Conference on
Conference_Location :
Chengdu
Print_ISBN :
978-1-4244-5537-9
Type :
conf
DOI :
10.1109/ICCSIT.2010.5563843
Filename :
5563843