Abstract

With the continuous development of Internet technology, network security issues are becoming increasingly complex. To obtain or damage user information, attackers usually need multiple attack steps against different network nodes to achieve their final goal. Traditional intrusion detection mainly focuses on classifying attacks from a single piece of traffic information, and makes little use of the correlation and timing information between multi-step attack traffic for multi-step attack identification and correlation. To this end, we introduce an edge-based graph attention network to aggregate the neighbor information of flows and use a long short-term memory neural network to obtain time series information. By considering neighbor traffic and time information during the classification process, we are able to achieve accurate classification in multi-step attack scenarios. Then, based on the classification results, the sum of the number of attacks and the number of attacks is counted for each host node. The statistical counts of internal network host nodes and external network host nodes are then standardized, and thresholds are set to exclude low-risk nodes. Finally, a time-based depth-first traversal algorithm is used to obtain the key attack chain. However, this method may face some challenges, such as high computational complexity, the ability to handle large-scale data, and the generalization ability of the model. Experimental results show that the proposed method is significantly better than the traditional method in terms of accuracy and recall rate for multi-step attacks, and that it can effectively correlate attack steps and obtain multiple key attack chains.
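The post-classification stage described above (per-host counting, standardization, thresholding, time-based depth-first traversal) can be sketched as follows. This is an added example, not the authors' code: the flows and labels are constructed, and the z-score standardization, the threshold of 0, the `10.0.0.0/8` internal range and the sent-plus-received count are assumptions.

```python
import ipaddress
from collections import defaultdict
from statistics import mean, pstdev

INTERNAL = ipaddress.ip_network("10.0.0.0/8")  # assumed internal range
# Constructed flows: (time, src, dst, label predicted by the classifier).
FLOWS = [
    (1, "203.0.113.5", "10.0.0.2", "scan"),
    (2, "203.0.113.5", "10.0.0.2", "exploit"),
    (3, "10.0.0.2", "10.0.0.7", "lateral"),
    (4, "10.0.0.9", "10.0.0.8", "benign"),
    (5, "10.0.0.7", "10.0.0.10", "lateral"),
    (6, "198.51.100.9", "10.0.0.11", "scan"),
    (7, "10.0.0.10", "203.0.113.5", "exfil"),
    (8, "198.51.100.9", "10.0.0.12", "scan"),
]

def risky_hosts(flows, threshold=0.0):
    """Count attack flows per host, z-score each group, drop low-risk hosts."""
    counts = defaultdict(int)
    for _, src, dst, label in flows:
        if label != "benign":
            counts[src] += 1  # assumption: attacks sent ...
            counts[dst] += 1  # ... plus attacks received
    groups = defaultdict(dict)  # internal and external hosts standardized separately
    for host, n in counts.items():
        groups[ipaddress.ip_address(host) in INTERNAL][host] = n
    keep = set()
    for members in groups.values():
        mu = mean(members.values())
        sigma = pstdev(members.values()) or 1.0  # avoid division by zero
        keep |= {h for h, n in members.items() if (n - mu) / sigma >= threshold}
    return keep

def attack_chains(flows, threshold=0.0):
    """Time-ordered DFS over attack flows between the remaining hosts."""
    hosts = risky_hosts(flows, threshold)
    edges = sorted(f for f in flows
                   if f[3] != "benign" and f[1] in hosts and f[2] in hosts)
    chains = []
    def dfs(path):
        t, _, dst, _ = path[-1]
        later = [e for e in edges if e[1] == dst and e[0] > t]
        if not later:
            chains.append(path)
        for e in later:  # time strictly increases, so recursion terminates
            dfs(path + [e])
    for e in edges:  # start from flows whose source was not attacked earlier
        if not any(p[2] == e[1] and p[0] < e[0] for p in edges):
            dfs([e])
    return chains
```

Requiring each next flow to start at the previous flow's destination and to be strictly later in time is what keeps the traversal from looping through the return edge to the external host.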
