Heuristic multistep attack scenarios construction based on kill chain

Network attacks evolved from single-step and simple attacks to complex multistep attacks. Current methods of multistep attack detection usually match multistep attacks from intrusion detection systems(IDS) alarms based on the correlation between attack steps. However, IDS has false negatives and false positives, which leads to incomplete or incorrect multistep attacks. Association based on simple similarity is difficult to obtain an accurate attack cluster, while association based on prior knowledge such as attack graphs is difficult to guarantee a complete attack knowledge base. To solve the above problems, a heuristic multistep attack scenarios construction method based on the kill chain(HMASCKC) model was proposed. The attack model graph can be obtained from dual data sources and heuristic multistep attack scenarios can be obtained through graph matching. The model graph of the attack and the predicted value of the next attack are obtained by calculating the matching value. And according to the purpose of the multistep attack, the kill chain model is used to define the initial multistep attack model, which is used as the initial graph for graph matching. Experimental results show that HMASCKC model can better fit the multistep attack behavior, the effect has some advantages over the longest common subsequence(LCS) algorithm, which can close to or match the prediction error of judge evaluation of attack intension(JEAN) system. The method can make multistep attack model matching for unknown attacks, so it has some advantages in practical application.