DocumentCode
480077
Title
An Approach on Detecting Attack Based on Causality in Network Behavior
Author
Wang, Zhiwen ; Xia, Qin ; Lu, Ke ; Zhang, Jie
Author_Institution
Dept. of Comput. Sci., Xian Jiaotong Univ., Xian
Volume
3
fYear
2008
fDate
12-14 Dec. 2008
Firstpage
947
Lastpage
950
Abstract
This paper presents an SNMP MIB-oriented approach based on a two-tier Granger causality test (GCT) for detecting an attack before the security of the target is damaged. Based on the abnormal behavior constructed on the target, GCT is first executed to find preliminary attacking variables that have whole causality with the abnormal variable in network behavior. Using behavior features extracted from the abnormal behavior, GCT is then executed again to recognize the attacking variable that has local causality with the abnormal variable in local behavior. The causality between the attacking and abnormal variables is used to build rules with which the attack can be detected at the attacker. In an experiment in which Trin00 UDP Flood was selected as the attack, udpOutDatagrams was successfully recognized as the attacking variable and good detection results were obtained. The final results show that the two-tier GCT approach detects the attack early, which has a great effect on blocking the spread of the attacking procedure to the target.
Keywords
causality; security of data; attack detection; management information; network behavior; target security; Computer networks; Computer science; Data security; Earthquakes; Feature extraction; Floods; Information management; Random variables; Software engineering; Testing; attack detection; granger causality test; management information base; network behavior;
fLanguage
English
Publisher
IEEE
Conference_Titel
Computer Science and Software Engineering, 2008 International Conference on
Conference_Location
Wuhan, Hubei
Print_ISBN
978-0-7695-3336-0
Type
conf
DOI
10.1109/CSSE.2008.1003
Filename
4722499