Abstract

Aiming at the problem of redundant alerts, this paper designs a multi-step attack scenario mining method based on alert correlation. The method has three steps: alert preprocessing, clustering based on attribute similarity, and clustering the resulting attack graph set to mine attack scenarios. By analysing the characteristics and intrinsic relationships of the alerts, the algorithm can discover new attack models without requiring a large number of graph features. The full attack scenario can therefore be displayed completely, improving the efficiency of security managers.
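To make the three steps concrete, the following is an added example (not code from the paper, and not its actual algorithm): a small Python pipeline that merges redundant alerts, clusters the survivors by a weighted attribute similarity over endpoints and time, and then links the alerts in each cluster into an ordered chain of attack steps. The alert records, the similarity weights, the time scale and the threshold are all constructed assumptions chosen for illustration.

```python
"""Toy alert-correlation pipeline: preprocess -> similarity clustering -> scenario chains.
Added illustration of the three-step idea; not the paper's method."""
from dataclasses import dataclass


@dataclass(frozen=True)
class Alert:
    ts: int    # seconds since epoch (constructed values)
    src: str   # source host
    dst: str   # destination host
    sig: str   # IDS signature name


# Constructed sample alerts (not real IDS output). The first three and the last
# two are redundant repeats of the same event.
SAMPLE_ALERTS = [
    Alert(100, "10.0.0.5", "10.0.0.20", "portscan"),
    Alert(101, "10.0.0.5", "10.0.0.20", "portscan"),
    Alert(102, "10.0.0.5", "10.0.0.20", "portscan"),
    Alert(160, "10.0.0.5", "10.0.0.20", "exploit-attempt"),
    Alert(230, "10.0.0.20", "10.0.0.30", "lateral-smb"),
    Alert(5000, "192.168.1.9", "10.0.0.40", "bruteforce-ssh"),
    Alert(5001, "192.168.1.9", "10.0.0.40", "bruteforce-ssh"),
]


def preprocess(alerts, window=30):
    """Step 1: collapse alerts with identical (src, dst, sig) inside `window`
    seconds into a single representative plus a repeat count."""
    merged = []  # list of [representative Alert, count]
    for a in sorted(alerts, key=lambda x: x.ts):
        for entry in merged:
            rep = entry[0]
            if (rep.src, rep.dst, rep.sig) == (a.src, a.dst, a.sig) and a.ts - rep.ts <= window:
                entry[1] += 1
                break
        else:  # no existing entry matched
            merged.append([a, 1])
    return [(rep, n) for rep, n in merged]


def similarity(a, b, time_scale=600):
    """Weighted attribute similarity in [0, 1]: Jaccard overlap of the endpoint
    sets (weight 0.6) plus temporal closeness (weight 0.4). Assumed weights."""
    hosts_a, hosts_b = {a.src, a.dst}, {b.src, b.dst}
    host_overlap = len(hosts_a & hosts_b) / len(hosts_a | hosts_b)
    time_sim = max(0.0, 1 - abs(a.ts - b.ts) / time_scale)
    return 0.6 * host_overlap + 0.4 * time_sim


def cluster(alerts, threshold=0.5):
    """Step 2: single-linkage clustering with union-find; an alert joins a
    cluster if it is similar enough to any member."""
    parent = list(range(len(alerts)))

    def find(i):
        while parent[i] != i:
            parent[i] = parent[parent[i]]
            i = parent[i]
        return i

    for i in range(len(alerts)):
        for j in range(i + 1, len(alerts)):
            if similarity(alerts[i], alerts[j]) >= threshold:
                parent[find(i)] = find(j)
    groups = {}
    for i, a in enumerate(alerts):
        groups.setdefault(find(i), []).append(a)
    return [sorted(g, key=lambda x: x.ts) for g in groups.values()]


def scenario_chain(cluster_alerts):
    """Step 3: within a time-ordered cluster, link each alert to the earliest
    later alert that shares a host, producing (step, next step) edges."""
    steps = []
    for i, a in enumerate(cluster_alerts):
        for b in cluster_alerts[i + 1:]:
            if {a.src, a.dst} & {b.src, b.dst}:
                steps.append((a.sig, b.sig))
                break
    return steps


def mine_scenarios(alerts, window=30, threshold=0.5):
    """Run all three steps; clusters with a single alert carry no multi-step scenario."""
    reps = [rep for rep, _ in preprocess(alerts, window)]
    return [scenario_chain(c) for c in cluster(reps, threshold) if len(c) > 1]


def describe(steps):
    """Render an edge list as a readable attack path."""
    if not steps:
        return ""
    return " -> ".join([steps[0][0]] + [b for _, b in steps])


if __name__ == "__main__":
    for chain in mine_scenarios(SAMPLE_ALERTS):
        print(describe(chain))
```

On the constructed input, the seven raw alerts reduce to four representatives, the three events involving 10.0.0.20 fall into one cluster because they share endpoints and are close in time, and the SSH brute-force alerts stay separate, so one multi-step scenario is reported. In practice the weights and threshold would be tuned against labelled alert data, and the similarity function would include further attributes (port, protocol, signature class) rather than endpoints and time alone.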
