A Detection Algorithm for Multi-Step Attack Based on CTPN

In fact, most attacks are not single attack actions but multi-step attacks composed of a sequence of attack actions, and detecting multi-step attacks is an important topic in IDS research. Traditional methods of modeling attack scenarios are mainly built around specific attack actions: they require a large number of attack models, so the modeling process is complex, the models are difficult to maintain, and detection efficiency is low. In this paper, the authors analyze the shortcomings of the traditional method. Based on a study of the patterns of multi-step attacks, they design a detection and forecasting algorithm for multi-step attacks based on intrusion intention. The algorithm improves and extends the traditional attack modeling method that uses Petri nets: the authors use CTPN to model multi-step attacks and correlate alert records against that model. The method can not only detect a multi-step attack in progress but also forecast the attack step that will happen next. The algorithm is simpler and more practical than the earlier methods, and the experimental results demonstrate its validity.
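As an added illustration (not code from the paper, which does not spell out its CTPN construction), the following Python sketch shows the core mechanism of Petri-net alert correlation that the abstract describes: a three-step attack scenario is encoded as places and transitions, each incoming alert record either fires a transition for its (attacker, victim) pair or is discarded, tokens expire after a time bound so that unrelated alerts far apart in time are not chained, and the transitions enabled by the current marking give the forecast of the next expected step. The scenario, signature names, host addresses, timestamps and time bounds are all constructed for the example. CTPN is assumed here to denote a colored timed Petri net, which is why every token carries a colour (the host pair) and a timestamp; the paper's actual net may differ.

```python
"""Toy coloured, timed Petri-net correlator for a multi-step attack scenario.
Added example; not the paper's CTPN implementation."""
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

Color = Tuple[str, str]  # (attacker, victim): the colour carried by a token

@dataclass(frozen=True)
class Alert:
    ts: float   # seconds (constructed relative timestamps)
    src: str
    dst: str
    sig: str    # IDS signature name

@dataclass(frozen=True)
class Transition:
    name: str
    sig: str          # alert signature that fires this transition
    src_place: str    # place that must hold a token of the alert's colour
    dst_place: str    # place that receives the token after firing
    max_delay: float  # seconds a token may sit in src_place before it is stale

START = "start"       # implicit place, marked for every colour (any host pair may begin)

class PetriCorrelator:
    """Single-path scenario: a chain of transitions from START to a final place."""

    def __init__(self, transitions: List[Transition]):
        self.transitions = transitions
        self.by_sig: Dict[str, Transition] = {t.sig: t for t in transitions}
        self.final_place = transitions[-1].dst_place
        # marking: place -> {colour: timestamp at which the token was created}
        self.marking: Dict[str, Dict[Color, float]] = {}

    def feed(self, alert: Alert) -> Optional[str]:
        """Consume one alert; return the name of the transition it fired, or None."""
        t = self.by_sig.get(alert.sig)
        if t is None:
            return None                    # signature not part of the scenario
        color = (alert.src, alert.dst)
        if t.src_place != START:
            place = self.marking.get(t.src_place, {})
            born = place.get(color)
            if born is None:
                return None                # no preceding step for this host pair
            del place[color]               # consume the input token
            if alert.ts - born > t.max_delay:
                return None                # timed arc: token expired, transition not fired
        self.marking.setdefault(t.dst_place, {})[color] = alert.ts
        return t.name

    def detected(self, color: Color) -> bool:
        """True once the final place holds a token of this colour (scenario complete)."""
        return color in self.marking.get(self.final_place, {})

    def forecast(self, color: Color) -> List[str]:
        """Signatures of transitions enabled for this colour: the next expected step."""
        return [t.sig for t in self.transitions
                if t.src_place != START and color in self.marking.get(t.src_place, {})]

# Constructed scenario: reconnaissance -> exploitation -> backdoor.
SCENARIO = [
    Transition("scan",     "PORT_SCAN",     START,      "recon",       max_delay=0),
    Transition("exploit",  "SMB_EXPLOIT",   "recon",    "foothold",    max_delay=1800),
    Transition("backdoor", "REVERSE_SHELL", "foothold", "compromised", max_delay=600),
]

# Constructed alert stream: one attacker completes the chain, a second only scans
# and then produces an out-of-order alert that must not be correlated.
ALERTS = [
    Alert(0,   "10.0.0.5", "10.0.1.20", "PORT_SCAN"),
    Alert(30,  "10.0.0.9", "10.0.1.20", "PORT_SCAN"),
    Alert(120, "10.0.0.5", "10.0.1.20", "SMB_EXPLOIT"),
    Alert(200, "10.0.0.9", "10.0.1.20", "REVERSE_SHELL"),   # no token in "foothold" for 10.0.0.9
    Alert(400, "10.0.0.5", "10.0.1.20", "REVERSE_SHELL"),
]

def run(alerts: List[Alert] = ALERTS):
    """Feed the alerts; return the correlator, the fired transitions and the last forecast per colour."""
    c = PetriCorrelator(SCENARIO)
    fired: List[Tuple[float, str]] = []
    forecasts: Dict[Color, List[str]] = {}
    for a in alerts:
        name = c.feed(a)
        if name:
            fired.append((a.ts, name))
            forecasts[(a.src, a.dst)] = c.forecast((a.src, a.dst))
    return c, fired, forecasts

if __name__ == "__main__":
    c, fired, forecasts = run()
    for ts, name in fired:
        print(f"t={ts:>4}: fired {name}")
    for color, nxt in forecasts.items():
        state = "COMPROMISED" if c.detected(color) else f"next expected: {nxt}"
        print(f"{color[0]} -> {color[1]}: {state}")
```

The colour on each token is what keeps the two attackers' alerts from being merged into one scenario, and the per-transition time bound is what lets a stale reconnaissance token drop out instead of being chained to an unrelated exploit alert hours later; both are the kinds of constraints that a single signature-per-attack model cannot express.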