Multi-step Attack Scenarios Mining Based on Neural Network and Bayesian Network Attack Graph

2019 
In order to find attack patterns in a large volume of redundant alert logs, build multi-step attack scenarios, and eliminate false alerts from those logs, this paper proposes a new multi-step attack scenario construction model with two parts: an offline mode and an online mode. In the offline mode, known real attack alert logs are used to train a neural network that removes erroneous alerts, and a Bayesian network attack graph is then generated through alert aggregation and causal association of attack sequences. In the online mode, a large volume of online alert logs is used to update the neural network and the Bayesian network attack graph generated in the offline mode, so that the iteratively refined attack graph becomes more complete and accurate. Finally, we extract a variety of multi-step attack scenarios from the Bayesian network attack graph in order to eliminate false alerts from the redundant IDS alert logs. To verify the validity of the algorithm, we test it on the DARPA 2000 dataset; the results show that the algorithm achieves higher accuracy.
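As an added illustration, not code from the paper, the offline pipeline the abstract describes run on a constructed alert log: repeated alerts are aggregated into hyper-alerts, successive hyper-alerts are causally associated, the Bayesian attack graph's edge probabilities are estimated from the link counts, and multi-step scenarios are extracted; the neural-network false-alert filter is omitted, and hyper-alerts that join no causal chain are reported as false-alert candidates instead. The host addresses, alert type names, aggregation window and maximum gap are all assumptions.

```python
from collections import Counter
ALERTS = [  # constructed alert log (time s, src, dst, type); not DARPA 2000 data
    (0, "10.0.0.5", "10.0.0.9", "probe"),
    (2, "10.0.0.5", "10.0.0.9", "probe"),    # repeat inside the window: aggregated
    (10, "10.0.0.5", "10.0.0.9", "exploit"),
    (20, "10.0.0.9", "10.0.0.7", "login"),   # pivots from the exploited host
    (25, "10.0.0.9", "10.0.0.7", "ddos"),
    (40, "10.0.0.5", "10.0.0.8", "probe"),
    (50, "10.0.0.5", "10.0.0.8", "exploit"),
    (70, "10.0.0.5", "10.0.0.8", "ddos"),    # same chain without the login step
    (90, "10.0.0.6", "10.0.0.9", "probe"),   # joins no chain: false-alert candidate
]

def aggregate(alerts, window=5):
    """Merge repeats of one (src, dst, type) within `window` s into one hyper-alert."""
    last, hyper = {}, []
    for t, s, d, a in sorted(alerts):
        if (s, d, a) not in last or t - last[(s, d, a)] > window:
            hyper.append((t, s, d, a))
        last[(s, d, a)] = t
    return hyper

def causal_links(hyper, max_gap=30):
    """Link j to its nearest predecessor i within max_gap s: same (src, dst), or launched from the host i hit."""
    links = []
    for j, (tb, sb, db, _) in enumerate(hyper):
        i = next((i for i in range(j - 1, -1, -1) if tb - hyper[i][0] <= max_gap
                  and (hyper[i][1:3] == (sb, db) or hyper[i][2] == sb)), None)
        if i is not None:
            links.append((i, j))
    return links

def bayes_graph(hyper, links):
    """Edge weights P(next type | current type) estimated from link counts."""
    pairs = Counter((hyper[i][3], hyper[j][3]) for i, j in links)
    outdeg = Counter(a for a, _ in pairs.elements())
    return {a: {b: n / outdeg[a] for (x, b), n in pairs.items() if x == a} for a in outdeg}

def scenarios(graph, start, min_prob=0.2, path=None, p=1.0):
    """Maximal attack-type paths from `start` whose joint probability stays >= min_prob."""
    path = path or [start]
    kids = [(b, q) for b, q in graph.get(path[-1], {}).items() if b not in path and p * q >= min_prob]
    if not kids:
        return [(path, p)] if len(path) > 1 else []
    return sum((scenarios(graph, start, min_prob, path + [b], p * q) for b, q in kids), [])

def isolated(hyper, links):
    """Hyper-alerts that join no causal chain: the false-alert candidates."""
    linked = {k for ij in links for k in ij}
    return [h for k, h in enumerate(hyper) if k not in linked]
```

On the constructed log the graph gives `exploit` two successors with probability 0.5 each, so two scenarios are extracted from `probe`, and the final probe from 10.0.0.6 is the only hyper-alert left unexplained.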