CN103944919A - Wireless multi-step attack mode excavation method for WLAN - Google Patents


Info

Publication number: CN103944919A
Authority: CN (China)
Prior art keywords: attack, chain, candidate, alarm, attacks
Legal status: Pending
Application number: CN201410188633.XA
Other languages: Chinese (zh)
Inventor: 陈观林
Current assignee: Zhejiang University City College ZUCC
Original assignee: Zhejiang University City College ZUCC
Application filed by Zhejiang University City College ZUCC; priority to CN201410188633.XA; publication of CN103944919A


Abstract

The invention discloses a wireless multi-step attack mode excavation (pattern mining) method for WLAN. The method comprises the following steps: 1, building a global attack database, which consists of classifying wireless alerts according to the different APs in the WLAN environment and the BSSID of each AP, and building the AP-based global attack database ordered by the occurrence-time attribute; 2, building candidate attack chains; 3, screening the candidate attack chains; 4, correlating multi-step attack behaviour; 5, identifying multi-step attack patterns, which consists of computing the correlativity between adjacent attacks in each attack chain, deleting attack chains whose correlativity is lower than a predetermined correlativity threshold, and finally identifying the wireless multi-step attack patterns. The method has the advantages of being applicable to real WLAN attack scenarios, mining wireless multi-step attack patterns effectively, and providing a basis for recognizing multi-step attack intentions in advance.

Description

A wireless multi-step attack pattern mining method for WLAN
Technical field
The present invention relates to wireless multi-step attack pattern mining methods, and more specifically to a wireless multi-step attack pattern mining method for WLAN.
Background technology
With the rapid development of computer networks, the number of WLAN users keeps growing, and network security research for WLAN is receiving increasing attention. Intrusion detection and defence techniques are an important means of network security protection. In traditional wired network environments, methods for recognizing multi-step network attack patterns have already reached mature application and have been the subject of some research. However, existing multi-step attack recognition methods mainly use packet information at the network layer and above as recognition features, whereas WLAN wireless networks carry more packet features below the network layer. Because of these particularities of wireless networks, applying existing multi-step attack pattern mining methods to WLAN faces many difficulties, and research on wireless multi-step attack pattern mining in the WLAN field is still rare.
Abroad, research on WLAN intrusion detection and defence technology started early, and industry has released a series of wireless intrusion detection systems, such as the Wireless Scanner of ISS, AirMagnet Distributed of AirMagnet, AirDefense Guard of AirDefense, Adaptive WIPS of Cisco, and the open-source Snort-Wireless. However, each of these systems has its shortcomings: for example, all suffer from some degree of false positives and false negatives, and their ability to detect multi-step network attack patterns is especially limited. They can usually only identify simple single-step attacks and cannot accurately identify the final attack intention of a multi-step attack, so they are unable to give early warning.
Domestically, wireless security, and WLAN security in particular, is still a new area of the security market, and given the importance of network security one cannot rely purely on foreign security products. The rapid domestic adoption of WLAN is also a matter of recent years, and domestic intrusion prevention products for WLAN are few, mainly the WLAN intrusion detection system of CA-Jinchen and the wireless network security protection product of Venus InfoTech. CA-Jinchen developed a WLAN intrusion detection system based on a distributed architecture in 2004; this system combines protocol analysis, feature comparison and anomaly detection and can analyse WLAN traffic fairly well, but its research approach and target still emphasize wired networks, it has limitations when applied in wireless network environments, and it cannot automatically defend against illegal wireless connections. Venus InfoTech released the first domestic protection product for wireless network security in June 2012; it can detect multiple wireless attack types, including rogue APs, wireless probing, address spoofing, DoS denial of service and key cracking, and integrates wireless intrusion detection and defence. These commercial products, however, are complex to deploy and expensive, likewise recognize only single-step attacks on WLAN, and have difficulty discovering the final intention of multi-step attack behaviour and giving warning in advance.
Patent 200810046913.1, "online recognition method for network multi-step attack intension", provides a method that extracts features from received security event alert information, matches those features against a set of attack generation sequence patterns and, when a match succeeds, computes the degree of association between the preceding and following security event alerts that matched, recording the multi-step attack relation between the alerts according to a comparison of the degree of association with a threshold. Patent 201010561551.7, "a kind of network multi-step attack identification and Forecasting Methodology", converts the alerts in a database into multi-step attack sequences according to attack type, converts them by attack-time sliding windows into attack sequences of different lengths, generates an attack transition frequency matrix, mines the many attack sequences to regenerate historical multi-step attack sequences, and matches against those historical sequences to recognize and predict multi-step attacks. Both methods mainly use packet information at the network layer and above (for example IP addresses and port numbers) as recognition features and can recognize multi-step attack intentions in wired networks, but attacks on WLAN are often carried out without an IP address ever being obtained, so these methods are ineffective in the WLAN wireless environment and cannot accurately identify wireless multi-step attack patterns in WLAN.
There is therefore an urgent need for further research in the WLAN field: analysing the difficulties of multi-step attack intention recognition in WLAN, studying WLAN multi-step attack behaviour patterns and multi-step attack recognition methods, and achieving automatic mining of WLAN multi-step attack patterns, so as to improve automatic defence against WLAN intrusions and the ability to decide on them in advance.
Summary of the invention
The object of the invention is to overcome the deficiencies of the prior art by providing a wireless multi-step attack pattern mining method for WLAN.
This wireless multi-step attack pattern mining method for WLAN comprises the following steps:
Step 1, build the global attack database: according to the different APs in the WLAN environment, classify the wireless alerts by the BSSID (that is, the MAC address) of each AP, and build an AP-based global attack database ordered by the occurrence-time attribute;
Step 2, build candidate attack chains: using an alert time window, together with the relation between the source MAC and destination MAC addresses of the alerts, build candidate attack chains that satisfy given conditions within the global attack database of each AP;
Step 3, screen candidate attack chains: screen the candidate attack chains that were built, removing candidate attack subchains and duplicate candidate attack chains, to improve the efficiency of the subsequent attack pattern mining;
Step 4, correlate multi-step attack behaviour: define the wireless alert correlativity of wireless multi-step attacks, which quantitatively describes the association between two alerts and provides the basis for the subsequent multi-step attack pattern recognition;
Step 5, identify multi-step attack patterns: compute the correlativity between adjacent attacks in each attack chain, delete attack chains whose correlativity is below the predefined correlativity threshold, and finally identify the wireless multi-step attack patterns.
The overall structure of the method is shown in Figure 1; the specific implementation steps are as follows:
Step 1, build the global attack database
Since multi-step attacks in a WLAN environment are mainly carried out against AP access points, this step first uses the AP information stored in advance and converts the wireless alerts, according to the BSSID of each AP and the alert occurrence time, into a global attack database containing the attack chains of all APs.
Definition 1, AP attack chain (AP Attack Chain). An AP attack chain is an ordered sequence of attacks related to the same AP, expressed as AP_n(ac) = <at_1, ..., at_i>, where at_i ∈ AT, the attack set, and the source MAC address set or the destination MAC address set of each at_i contains the MAC address of this AP, that is: (AP_n.MAC ∈ at_i.SMAC) ∪ (AP_n.MAC ∈ at_i.DMAC). At the same time, the attacks at_i in AP_n(ac) occur in chronological order: when i <= j, at_i.timestamp <= at_j.timestamp.
Definition 2, global attack database (Global Attack Database). The global attack database is the set of attack chains of all AP access points in the current WLAN, expressed as D = {AP_1(ac), ..., AP_n(ac)}, where the AP_n(ac) are sorted by the MAC address of the AP.
Sorting in time order all alerts whose source MAC address set or destination MAC address set contains this MAC address yields the attack chain of this AP. For simplicity, an attack at is represented by the Signature ID value of the attack, where the Signature ID is an integer. If the WLAN contains n AP routers, sorting the attack chains of all APs by the MAC address of the AP yields the global attack database.
Step 2, build candidate attack chains
This step uses an alert time window to partition every AP attack chain in the global attack database and builds the candidate attack chains of each AP.
Definition 3, candidate attack chain (Candidate Attack Chain). For any AP attack chain AP_n(ac) in the global attack database D, if the alert time window of this AP attack chain is W_{AP.MAC}, an attack sequence satisfying formula 1 below is defined as a candidate attack chain, expressed as AP_n.AC_i.
$$
\begin{cases}
at_{i+j}.\mathit{timestamp} - at_i.\mathit{timestamp} \le W_{AP.MAC} \\
at_{i+j+1}.\mathit{timestamp} - at_i.\mathit{timestamp} > W_{AP.MAC}
\end{cases}
\qquad \text{(formula 1)}
$$
For each AP_n(ac), formula 1 is used to partition it into multiple candidate attack chains, all elements of each candidate attack chain lying within the same alert time window. Note that the number of elements in the candidate attack chains built this way may differ, because different numbers of alerts may be produced within alert time windows of the same length.
Because the construction of candidate attack chains considers both the association between the alert MAC addresses of the AP access point and the alert time window, once an alert time window of a suitable size is set, the candidate attack chains built this way contain the real wireless multi-step attack patterns.
Step 3, screen candidate attack chains
Next, the candidate attack chain set must be screened to remove candidate attack subchains and delete duplicate candidate attack chains.
Definition 4, candidate attack subchain (Candidate Attack Subchain). For two given candidate attack chains AC_1 and AC_2, AC_1 = <a_1, ..., a_n> and AC_2 = <b_1, ..., b_m>, if there exist indices i_1 < i_2 < ... < i_n into AC_2 such that a_k = b_{i_k} for every k, then AC_1 is called a candidate attack subchain of AC_2.
Definition 5, longest candidate attack chain (Longest Candidate Attack Subchain). If a candidate attack chain AC_i is not a subchain of any other candidate attack chain, it is called a longest candidate attack chain.
Definition 6, pseudo attack chain set (Pseudo Attack Chain Set). If every element of the candidate attack chain set AP_n.AC is a longest candidate attack chain and the elements are pairwise distinct, the candidate attack chain set is called a pseudo attack chain set, denoted AP_n.PAC.
The specific steps for screening candidate attack chains are as follows:
(1) First re-sort the candidate attack chain set AP_n.AC: compute the length of each candidate attack chain and sort by length in descending order, obtaining SORT(AP_n.AC);
(2) Examine each element of SORT(AP_n.AC) in turn; if the current candidate attack chain is a subchain of, or identical to, any candidate attack chain before it, delete it from SORT(AP_n.AC);
(3) Repeat this process; the AP_n.PAC finally obtained is the pseudo attack chain set.
Step 4, correlate multi-step attack behaviour
This step is the core of the method. In a real wireless multi-step attack scenario, two attacks not only have a precedence relation in occurrence time but also have associations between their other attributes. For example, before attempting to crack the WEP encryption key of an AP access point, an attacker usually first probes the WLAN in which the AP is located; after finding a suitable target, the attacker launches a Deauthentication Flood attack against it and then cracks the WEP key by ARP injection. In this complete attack scenario, the MAC addresses and other attributes of the preceding and following attacks have a definite association.
The invention proposes the concept of a wireless alert correlativity suited to the WLAN environment, which describes the association between two wireless alerts quantitatively: the larger the correlativity value, the higher the possibility that the two wireless alerts belong to the same wireless attack scenario.
Definition 7, wireless alert correlativity (Wireless Alert Correlativity). The wireless alert correlativity is an important indicator for measuring the association between two wireless alerts. For two alerts ha_i and ha_j produced one after the other, where ha_i and ha_j respectively comprise n wireless attributes (wa_1, ..., wa_n) and (wb_1, ..., wb_n), the wireless alert correlativity WC(ha_i, ha_j) between them is defined by formula 2:
$$
WC(ha_i, ha_j) = \frac{\sum_{i,j=1}^{n} w_{ij}\, WAC(wa_i, wb_j)}{\sum_{i,j=1}^{n} w_{ij}}
\qquad \text{(formula 2)}
$$
where w_ij is the weight of the association between two different wireless attributes, the weight matrix generally being set in advance from expert knowledge, and WAC(wa_i, wb_j) is the correlativity between the two wireless attributes.
Considering the particularities of the WLAN wireless environment, the following five main attributes are chosen for computing the wireless alert correlativity: source physical address (srcMAC), destination physical address (dstMAC), source IP address (srcIP), destination IP address (dstIP) and destination AP manufacturer (dstVendor).
Step 5, identify multi-step attack patterns
After the step of correlating multi-step attack behaviour, the correlativity between adjacent alerts in each pseudo attack chain is computed, the attack chains with low correlativity are deleted, and the attack chains with high correlativity that remain identify the wireless multi-step attack patterns.
For each pseudo attack chain in the pseudo attack chain set AP_n.PAC, the multi-step attack pattern is identified as follows:
(1) Compute the wireless alert correlativity between every pair of adjacent alerts in the pseudo attack chain and compare it with the correlativity threshold set in advance;
(2) If the computed correlativity is less than the threshold, delete the pseudo attack chain containing these two alerts, since the two alerts do not belong to a wireless multi-step attack pattern that really occurred;
(3) If the computed correlativity is not less than the threshold, keep the attack chain containing these two alerts, since they very probably belong to an associated wireless multi-step attack pattern;
(4) After the above computation has been carried out for all adjacent alerts in the pseudo attack chains, what remains are the identified wireless multi-step attack chains, in which every pair of adjacent alerts has a high correlativity.
The beneficial effects of the invention are as follows: the invention proposes a wireless multi-step attack pattern mining method that fuses the main attributes of 802.11 protocol frames. The method builds a global attack database from AP device information, uses an alert time window to build candidate attack chains, generates a pseudo attack chain set containing the wireless multi-step attack patterns, defines the new concept of a wireless alert correlativity based on WLAN features to describe the association between two wireless alerts, and finally mines the wireless multi-step attack patterns automatically by computing the correlativity between adjacent alerts. The method is applicable to real WLAN attack scenarios, mines wireless multi-step attack patterns effectively, and provides a basis for recognizing multi-step attack intentions in advance.
Brief description of the drawings
Fig. 1 is the overall structure diagram of the wireless multi-step attack pattern mining method proposed by the invention;
Fig. 2 is the global attack database built by the invention;
Fig. 3 is the candidate attack chain generation process based on a sliding alert time window described by the invention;
Fig. 4 is the weight matrix between wireless attributes defined by the invention;
Fig. 5 is the wireless association dendrogram based on physical address classification defined by the invention;
Fig. 6 is the wireless association dendrogram based on IP address classification defined by the invention;
Fig. 7 is the correlativity matrix between AP manufacturer and destination MAC address defined by the invention;
Fig. 8 is the correlativity matrix between AP manufacturer and destination IP address defined by the invention;
Fig. 9 shows the wireless multi-step attack patterns mined by the invention.
Embodiment
The invention is described further below with reference to the drawings and embodiments. Although the invention is described in connection with a preferred embodiment, it should be understood that this does not limit the invention to the described embodiment. On the contrary, the invention covers the alternatives, modifications and equivalents that may be included within the scope of the invention defined by the appended claims.
The embodiment of the invention relates to a wireless multi-step attack pattern mining method for WLAN. The specific implementation steps are as follows:
Step 1, build the global attack database
For example, if the MAC address of an AP in the WLAN is 00:B0:0C:01:3C:C0, sorting in time order all alerts whose source MAC address set or destination MAC address set contains this MAC address yields the attack chain of this AP. For simplicity, an attack at is represented by the Signature ID value of the attack, where the Signature ID is an integer.
For example, if this AP is numbered 1, its AP attack chain can be written simply as:
AP_1(ac) = <5, 2, 7, 3, 8, 3, 6, 11, 15, 2, 7, 5>
If the WLAN contains n AP routers, sorting the attack chains of all APs by the MAC address of the AP yields the global attack database, as shown in Fig. 2.
Step 2, build candidate attack chains
Candidate attack chains are built with a sliding alert time window: starting from the earliest attack alert, find the first candidate attack chain that satisfies the alert time window condition, then slide backward in chronological order to find the next candidate attack chain, and so on until the last attack alert.
Taking the AP attack chain AP_1(ac) = <5, 2, 7, 3, 8, 3, 6, 11, 15, 2, 7, 5> above as an example, with its alert time window W_{AP.MAC} set to 30 minutes, Fig. 3 shows the process of generating candidate attack chains by sliding W_{AP.MAC}.
In this example, the following six candidate attack chains are finally generated:
(1) AC_1 = <5, 2, 7, 3, 8, 3>
(2) AC_2 = <2, 7, 3, 8, 3, 6>
(3) AC_3 = <7, 3, 8, 3, 6>
(4) AC_4 = <3, 8, 3, 6>
(5) AC_5 = <8, 3, 6, 11, 15, 2>
(6) AC_6 = <3, 6, 11, 15, 2, 7, 5>
The number of elements in each candidate attack chain is not necessarily the same: AC_1, AC_2 and AC_5 each consist of 6 attack alerts, AC_3 of 5, AC_4 of 4, and AC_6 of 7.
Step 3, screen candidate attack chains
Screening the candidate attack chains is the process of generating the pseudo attack chain set: in the generated candidate attack chain set, all candidate attack subchains are removed and duplicate candidate attack chains are deleted, which yields the pseudo attack chain set.
For example, screening the candidate attack chain set obtained above deletes the two candidate attack subchains AC_3 and AC_4, finally yielding a set of four pseudo attack chains ordered by length in descending order, as follows:
(1) AC_6 = <3, 6, 11, 15, 2, 7, 5>
(2) AC_1 = <5, 2, 7, 3, 8, 3>
(3) AC_2 = <2, 7, 3, 8, 3, 6>
(4) AC_5 = <8, 3, 6, 11, 15, 2>
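The sliding-window construction of candidate attack chains (step 2, formula 1) and the subchain screening of step 3, as an added Python example that is not part of the patent; it reproduces the six candidate chains and the four pseudo attack chains of this embodiment. The alert timestamps are constructed here (the patent gives only the Signature IDs and the 30-minute window), and the rule that sliding stops once a window has reached the last alert is an assumption about Fig. 3.

```python
"""Steps 2 and 3 of the method: sliding alert-time-window candidate chains
(formula 1) and subchain screening (definitions 4 to 6) on AP_1(ac).

Assumptions, not from the patent: timestamps are constructed in minutes so
that a 30-minute window yields the six candidate chains of the embodiment;
a window is started from every alert in turn and sliding stops once a
window has reached the last alert."""

from typing import List, Sequence

# AP_1(ac) from the embodiment: Signature IDs in chronological order.
AP1_CHAIN = [5, 2, 7, 3, 8, 3, 6, 11, 15, 2, 7, 5]
# Constructed timestamps (minutes after the first alert), not in the patent.
AP1_TIMES = [0, 5, 10, 14, 20, 25, 32, 45, 48, 50, 53, 55]
WINDOW_MINUTES = 30  # W_{AP.MAC} of the example


def candidate_chains(sids: Sequence[int], times: Sequence[int],
                     window: int) -> List[List[int]]:
    """Formula 1: from alert at_i take every at_{i+j} whose timestamp is at
    most `window` after at_i; the first alert beyond the window ends the
    candidate chain. Each start position i yields one candidate."""
    if len(sids) != len(times):
        raise ValueError("one timestamp per alert is required")
    chains: List[List[int]] = []
    for i in range(len(sids)):
        end = i
        while end + 1 < len(sids) and times[end + 1] - times[i] <= window:
            end += 1
        chains.append(list(sids[i:end + 1]))
        if end == len(sids) - 1:  # assumption: stop once the last alert is in
            break
    return chains


def is_subchain(short: Sequence[int], long: Sequence[int]) -> bool:
    """Definition 4: `short` is a subchain of `long` when its elements
    appear in `long` at strictly increasing positions i_1 < ... < i_n."""
    pos = 0
    for sid in short:
        while pos < len(long) and long[pos] != sid:
            pos += 1
        if pos == len(long):
            return False
        pos += 1
    return True


def screen_candidates(chains: List[List[int]]) -> List[List[int]]:
    """Steps (1) to (3) of the screening: sort by length descending (the
    sort is stable, so equal lengths keep their order), then drop every
    chain that is identical to, or a subchain of, a chain kept before it.
    The result is the pseudo attack chain set AP_n.PAC (definitions 5, 6)."""
    pac: List[List[int]] = []
    for chain in sorted(chains, key=len, reverse=True):
        if any(chain == kept or is_subchain(chain, kept) for kept in pac):
            continue
        pac.append(chain)
    return pac


def pseudo_attack_chains(sids: Sequence[int], times: Sequence[int],
                         window: int) -> List[List[int]]:
    """Steps 2 and 3 together for one AP attack chain."""
    return screen_candidates(candidate_chains(sids, times, window))


if __name__ == "__main__":
    for k, ac in enumerate(candidate_chains(AP1_CHAIN, AP1_TIMES, WINDOW_MINUTES), 1):
        print(f"AC_{k} = {ac}")
    print("PAC =", pseudo_attack_chains(AP1_CHAIN, AP1_TIMES, WINDOW_MINUTES))
```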
Step 4, correlate multi-step attack behaviour
Considering the particularities of the WLAN wireless environment, the invention defines a weight matrix between the five main attributes for WLAN; the weight matrix between wireless attributes is explained as follows:
(1) To normalize the subsequent computation of the wireless alert correlativity, the sum of all weights in the weight matrix is set to 1;
(2) Because the wireless attack behaviour represented by alert ha_i occurs before that represented by alert ha_j, the weight matrix is not a symmetric matrix;
(3) A weight of 0 in the weight matrix means that there is no association between the two attributes; the larger the weight, the higher the degree of association between the two attributes.
Fig. 4 gives the weight matrix between these five attributes.
According to the definition of the wireless alert correlativity, the invention determines eight wireless alert attribute correlativity functions, computed mainly for the physical address, IP address and AP manufacturer attributes.
These eight wireless alert attribute correlativity functions fall into the following three types, where alert i occurs before alert j:
(1) association between physical addresses: WAC(srcMAC_i, srcMAC_j), WAC(dstMAC_i, srcMAC_j), WAC(dstMAC_i, dstMAC_j);
(2) association between IP addresses: WAC(srcIP_i, srcIP_j), WAC(dstIP_i, srcIP_j), WAC(dstIP_i, dstIP_j);
(3) association between AP manufacturer and destination address: WAC(dstVendor_i, dstMAC_j), WAC(dstVendor_i, dstIP_j).
The correlativity computation for these three types of association is described in detail below.
(1) Association between physical addresses
For each alert, its physical address set is first classified. The classification threshold is 80%, which is also the threshold commonly adopted by classification algorithms in data mining: if the elements belonging to a certain class exceed 80% of the object set, the corresponding attribute value of the object set is set to that class.
The association between physical addresses is a very important factor in determining the wireless alert correlativity. The invention defines the wireless association dendrogram based on physical address classification shown in Fig. 5, which defines the classes of physical address sets and their correlativity; each node represents a class of physical address, and the number on an edge represents the factor weight of that node.
(2) Association between IP addresses
The association between IP addresses is another key factor in determining the wireless alert correlativity; the classification of IP addresses and the computation of their correlativity are similar to the classification and correlativity computation based on physical addresses.
The invention defines the wireless association dendrogram based on IP address classification shown in Fig. 6 to determine which class an IP address belongs to. Likewise, the classification threshold is set to 80%: if the elements of the object set belonging to a certain IP address class exceed 80%, the corresponding attribute value of the object set is set to that IP address class.
(3) Association between AP manufacturer and destination address
The association between AP manufacturer and destination address comprises the association between AP manufacturer and destination MAC address and the association between AP manufacturer and destination IP address, denoted WAC(dstVendor_i, dstMAC_j) and WAC(dstVendor_i, dstIP_j) respectively.
There is a corresponding association between the manufacturer of an AP router and its default IP address. The MAC addresses of the AP routers produced by every manufacturer are obtained by application to the IEEE standards association, and the OUI value in the MAC address indicates which manufacturer it belongs to, so there is also a corresponding association between the manufacturer of an AP router and its MAC address.
The invention defines correlativity matrices between AP manufacturer and destination MAC address and between AP manufacturer and destination IP address to compute the attribute correlativity values between them; the matrix for the destination MAC address is shown in Fig. 7.
Fig. 8 shows the correlativity matrix between AP manufacturer and destination IP address.
Step 5, identify multi-step attack patterns
With the classification thresholds for physical address and IP address both set to 80% and the wireless alert correlativity threshold between every pair of adjacent alerts in a pseudo attack chain set to 0.5, identification over the pseudo attack chain set recognizes wireless multi-step attack patterns with high correlativity, including currently common wireless multi-step attacks such as ARP + Deauthentication Flood attack to crack the WEP encryption key, wesside-ng cracking of the WEP encryption key, hijacking of the wireless router authentication session, and theft of the wireless router configuration file.
Fig. 9 shows three wireless multi-step attack patterns against a Belkin F6D4230-4 wireless router that the method successfully mined, where the value between two adjacent attack alerts is their wireless alert correlativity. It can be seen that the correlativity between adjacent attacks in each wireless multi-step attack pattern against the wireless AP is high, indicating that an obvious association really exists between the multi-step attack behaviours that actually occurred, which also verifies that the wireless multi-step attack pattern mining method for WLAN proposed by the invention is effective.
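The wireless alert correlativity of formula 2 and the step 5 threshold test, as an added Python example that is not part of the patent. Everything here beyond the formula, the five attributes and the eight attribute pairs is an assumption: each alert carries one value per attribute rather than a classified address set, the weights (in hundredths, summing to 1), the OUI and default-IP tables standing in for Fig. 7 and Fig. 8, and the alert records are constructed, and WAC is a 0/1 match instead of the dendrograms of Fig. 5 and Fig. 6.

```python
"""Steps 4 and 5 of the method: wireless alert correlativity WC (formula 2)
between adjacent alerts of a pseudo attack chain, and the 0.5 threshold
test that keeps or deletes the whole chain.

Assumptions, none from the patent: one value per attribute per alert; the
eight non-zero weights in hundredths (sum 100, i.e. 1); constructed OUI and
default-IP lookups; WAC is a 0/1 match."""

from typing import Dict, List, Optional, Tuple

Alert = Dict[str, Optional[str]]

# w_ij over (attribute of the earlier alert ha_i, attribute of the later ha_j).
# Only the patent's eight attribute pairs are non-zero; the matrix is not
# symmetric because ha_i precedes ha_j.
WEIGHTS: Dict[Tuple[str, str], int] = {
    ("srcMAC", "srcMAC"): 25, ("dstMAC", "srcMAC"): 5, ("dstMAC", "dstMAC"): 25,
    ("srcIP", "srcIP"): 10, ("dstIP", "srcIP"): 5, ("dstIP", "dstIP"): 10,
    ("dstVendor", "dstMAC"): 10, ("dstVendor", "dstIP"): 10,
}
WEIGHT_SUM = sum(WEIGHTS.values())  # 100, i.e. a total weight of 1

# Constructed lookups: OUI (first three octets) -> vendor, vendor -> default IP.
OUI_VENDOR = {"00:B0:0C": "VendorA", "00:1A:2B": "VendorB"}
VENDOR_DEFAULT_IP = {"VendorA": "192.168.2.1", "VendorB": "192.168.1.1"}


def wac(attr_i: str, val_i: Optional[str], attr_j: str, val_j: Optional[str]) -> float:
    """Attribute correlativity WAC(wa_i, wb_j): 1.0 on a match, else 0.0.
    A missing value (a WLAN alert raised before any IP address exists)
    contributes nothing, which pulls the pair's correlativity down."""
    if val_i is None or val_j is None:
        return 0.0
    if attr_i == "dstVendor" and attr_j == "dstMAC":
        # The OUI of the destination MAC identifies the AP manufacturer.
        return 1.0 if OUI_VENDOR.get(val_j[:8].upper()) == val_i else 0.0
    if attr_i == "dstVendor" and attr_j == "dstIP":
        # Each manufacturer ships a known default IP address on its routers.
        return 1.0 if VENDOR_DEFAULT_IP.get(val_i) == val_j else 0.0
    return 1.0 if val_i.lower() == val_j.lower() else 0.0


def wireless_correlativity(ha_i: Alert, ha_j: Alert) -> float:
    """Formula 2: WC(ha_i, ha_j) = sum(w_ij * WAC(wa_i, wb_j)) / sum(w_ij)."""
    weighted = sum(w * wac(a, ha_i.get(a), b, ha_j.get(b))
                   for (a, b), w in WEIGHTS.items())
    return weighted / WEIGHT_SUM


def identify_multistep(chain: List[Alert], threshold: float = 0.5) -> Optional[List[float]]:
    """Step 5 over one pseudo attack chain: return the correlativity of every
    adjacent pair when all of them reach the threshold, otherwise None,
    meaning the chain is deleted from the pseudo attack chain set."""
    scores = [wireless_correlativity(chain[k], chain[k + 1])
              for k in range(len(chain) - 1)]
    return None if any(s < threshold for s in scores) else scores


ATTACKER = "00:11:22:33:44:55"   # constructed station MAC
AP_MAC = "00:B0:0C:01:3C:C0"     # the AP MAC used in the embodiment

# Constructed chain A: probe, Deauthentication Flood, then ARP injection,
# all against the same AP; the station only holds an IP address at the end.
CHAIN_A: List[Alert] = [
    {"srcMAC": ATTACKER, "dstMAC": AP_MAC, "srcIP": None, "dstIP": None, "dstVendor": "VendorA"},
    {"srcMAC": ATTACKER, "dstMAC": AP_MAC, "srcIP": None, "dstIP": None, "dstVendor": "VendorA"},
    {"srcMAC": ATTACKER, "dstMAC": AP_MAC, "srcIP": "192.168.2.23", "dstIP": "192.168.2.1",
     "dstVendor": "VendorA"},
]
# Constructed chain B: the same probe followed by an unrelated alert from a
# different station against another vendor's AP inside the same time window.
CHAIN_B: List[Alert] = [
    CHAIN_A[0],
    {"srcMAC": "00:DE:AD:BE:EF:01", "dstMAC": "00:1A:2B:00:00:09", "srcIP": None,
     "dstIP": None, "dstVendor": "VendorB"},
]

if __name__ == "__main__":
    for name, chain in (("A", CHAIN_A), ("B", CHAIN_B)):
        print(name, identify_multistep(chain))  # A [0.6, 0.7], B None
```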

Claims (6)

1. A wireless multi-step attack pattern mining method for WLAN, characterized in that it comprises the following steps:
Step 1, build the global attack database: according to the different APs in the WLAN environment, classify the wireless alerts by the BSSID (that is, the MAC address) of each AP, and build an AP-based global attack database ordered by the occurrence-time attribute;
Step 2, build candidate attack chains: using an alert time window, together with the relation between the source MAC and destination MAC addresses of the alerts, build candidate attack chains that satisfy given conditions within the global attack database of each AP;
Step 3, screen candidate attack chains: screen the candidate attack chains that were built, removing candidate attack subchains and duplicate candidate attack chains, to improve the efficiency of the subsequent attack pattern mining;
Step 4, correlate multi-step attack behaviour: define the wireless alert correlativity of wireless multi-step attacks, which quantitatively describes the association between two alerts and provides the basis for the subsequent multi-step attack pattern recognition;
Step 5, identify multi-step attack patterns: compute the correlativity between adjacent attacks in each attack chain, delete attack chains whose correlativity is below the predefined correlativity threshold, and finally identify the wireless multi-step attack patterns.
2. The wireless multi-step attack pattern mining method for WLAN according to claim 1, characterized in that step 1 further comprises the following specific steps:
Definition 1, AP attack chain (AP Attack Chain); an AP attack chain is an ordered sequence of attacks related to the same AP, expressed as AP_n(ac) = <at_1, ..., at_i>, where at_i ∈ AT, the attack set, and the source MAC address set or the destination MAC address set of each at_i contains the MAC address of this AP, that is: (AP_n.MAC ∈ at_i.SMAC) ∪ (AP_n.MAC ∈ at_i.DMAC); at the same time, the attacks at_i in AP_n(ac) occur in chronological order: when i <= j, at_i.timestamp <= at_j.timestamp;
Definition 2, global attack database (Global Attack Database); the global attack database is the set of attack chains of all AP access points in the current WLAN, expressed as D = {AP_1(ac), ..., AP_n(ac)}, where the AP_n(ac) are sorted by the MAC address of the AP;
sorting in time order all alerts whose source MAC address set or destination MAC address set contains this MAC address yields the attack chain of this AP; for simplicity, an attack at is represented by the Signature ID value of the attack, where the Signature ID is an integer; if the WLAN contains n AP routers, sorting the attack chains of all APs by the MAC address of the AP yields the global attack database.
3. The wireless multi-step attack pattern mining method for WLAN according to claim 2, characterized in that step 2 further comprises the following specific steps:
Definition 3, candidate attack chain (Candidate Attack Chain): for any AP attack chain AP_n(ac) in the global attack database D, if the alert time window of this AP attack chain is W_AP.MAC, the attack sequence satisfying the following formula 1 is defined as a candidate attack chain, expressed as AP_n.AC_i;
$$\begin{cases} at_{i+j}.\mathrm{timestamp} - at_i.\mathrm{timestamp} \le W_{AP.MAC} \\ at_{i+j+1}.\mathrm{timestamp} - at_i.\mathrm{timestamp} > W_{AP.MAC} \end{cases} \quad \text{(formula 1)}$$
For each AP_n(ac), formula 1 can be used to partition it into multiple candidate attack chains, where all elements of each candidate attack chain lie within the same alert time window. Note that the number of elements in the candidate attack chains built in this way may differ, because different numbers of alerts may be produced within alert time windows of identical size. Because the construction of a candidate attack chain considers both the association between the MAC addresses of the alerts and the AP access point and the alert time window, once an alert time window of a suitable size is set, the candidate attack chains built in this way contain the real wireless multi-step attack patterns.
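The following Python is an added worked example of claims 2 and 3 (Definitions 1 to 3 and formula 1); it is not code from the patent. It builds the per-AP attack chains of the global attack database from a handful of constructed alerts and then partitions each chain into candidate attack chains with a fixed alert time window. The alert structure (Signature ID, timestamp, source and destination MAC sets), the sample MAC addresses and the choice to cut chains into non-overlapping windows starting at the first alert outside the previous window are assumptions made for the example.

```python
from dataclasses import dataclass

# Constructed sample alerts (not from the patent): each wireless alert carries a
# Signature ID, a timestamp in seconds, and the MAC address sets seen in the frame.
@dataclass(frozen=True)
class Alert:
    sig_id: int          # Signature ID of the detected attack (an integer, per claim 2)
    timestamp: float     # occurrence time in seconds
    smac: frozenset      # source MAC address set
    dmac: frozenset      # destination MAC address set

AP1 = "00:11:22:33:44:01"   # assumed BSSID of access point 1
AP2 = "00:11:22:33:44:02"   # assumed BSSID of access point 2
STA = "aa:bb:cc:dd:ee:01"   # assumed client station MAC

SAMPLE_ALERTS = [
    Alert(101, 0.0, frozenset({STA}), frozenset({AP1})),
    Alert(102, 5.0, frozenset({STA}), frozenset({AP1})),
    Alert(103, 50.0, frozenset({AP1}), frozenset({STA})),
    Alert(101, 61.0, frozenset({STA}), frozenset({AP1})),
    Alert(104, 70.0, frozenset({STA}), frozenset({AP1})),
    Alert(201, 3.0, frozenset({STA}), frozenset({AP2})),
    Alert(202, 4.0, frozenset({AP2}), frozenset({STA})),
]

def build_global_attack_db(alerts, ap_macs):
    """Definitions 1 and 2: for each AP, the chronologically ordered alerts whose
    SMAC or DMAC set contains that AP's MAC; the dict is keyed and ordered by AP MAC."""
    db = {}
    for ap in sorted(ap_macs):
        chain = [a for a in alerts if ap in a.smac or ap in a.dmac]
        chain.sort(key=lambda a: a.timestamp)   # at_i.timestamp <= at_j.timestamp for i <= j
        db[ap] = chain
    return db

def split_candidate_chains(chain, window):
    """Formula 1: starting from at_i, keep extending while
    at_{i+j}.timestamp - at_i.timestamp <= W; the first alert beyond the window
    (at_{i+j+1}) starts the next candidate attack chain (non-overlapping partition)."""
    candidates = []
    i = 0
    while i < len(chain):
        start = chain[i].timestamp
        j = i
        while j + 1 < len(chain) and chain[j + 1].timestamp - start <= window:
            j += 1
        candidates.append(chain[i:j + 1])
        i = j + 1
    return candidates

def candidate_signature_chains(alerts, ap_macs, window):
    """Return {AP MAC: [[Signature IDs], ...]}, i.e. the AP_n.AC_i sets written as
    Signature ID sequences, which is the form the later screening step consumes."""
    db = build_global_attack_db(alerts, ap_macs)
    return {ap: [[a.sig_id for a in c] for c in split_candidate_chains(chain, window)]
            for ap, chain in db.items()}

if __name__ == "__main__":
    for ap, chains in candidate_signature_chains(SAMPLE_ALERTS, [AP1, AP2], 60.0).items():
        print(ap, chains)
```

With a 60-second window the AP1 chain splits at the alert at 61 s, so the same Signature ID 101 opens two different candidate chains; this is the case the text describes where candidate chains of one AP have different lengths.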
4. The wireless multi-step attack pattern mining method for WLAN according to claim 3, characterized in that step 3 further comprises the following specific steps:
Definition 4, candidate attack subchain (Candidate Attack Subchain): for two given candidate attack chains AC_1 and AC_2, AC_1 = <a_1, ..., a_n>, AC_2 = <b_1, ..., b_m>, if there exist subscripts i_1 < i_2 < ... < i_n in AC_2 such that a_j = b_{i_j}, then AC_1 is called a candidate attack subchain of AC_2;
Definition 5, longest candidate attack chain (Longest Candidate Attack Subchain): if a candidate attack chain AC_i is not a subchain of any other candidate attack chain, AC_i is called a longest candidate attack chain;
Definition 6, pseudo attack chain set (Pseudo Attack Chain Set): if every element of the candidate attack chain set AP_n.AC is a longest candidate attack chain, and the elements are mutually distinct, this candidate attack chain set is called a pseudo attack chain set, denoted AP_n.PAC;
The specific steps for screening the candidate attack chains are as follows:
(1) first reorder the candidate attack chain set AP_n.AC: compute the length of each candidate attack chain in it and sort by length in descending order, obtaining SORT(AP_n.AC);
(2) examine each element of SORT(AP_n.AC) in turn; if the current candidate attack chain is a subchain of, or identical to, any candidate attack chain preceding it, delete this candidate attack chain from SORT(AP_n.AC);
(3) repeat this process; the resulting AP_n.PAC is the pseudo attack chain set.
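An added Python example of the screening procedure of claim 4 (Definitions 4 to 6); it is not the patent's own code. Candidate attack chains are represented as lists of Signature IDs, as claim 2 suggests, and the sample candidate set is constructed for the example. The subchain test is the ordinary subsequence check of Definition 4 (elements in order, not necessarily adjacent).

```python
def is_subchain(short, long):
    """Definition 4: `short` is a candidate attack subchain of `long` when its
    elements occur in `long` in the same order (gaps allowed). A chain is a
    subchain of an identical chain, so equality is covered as well."""
    pos = 0
    for x in short:
        while pos < len(long) and long[pos] != x:
            pos += 1
        if pos == len(long):
            return False
        pos += 1
    return True

def pseudo_attack_chain_set(candidates):
    """Claim 4 screening: sort AP_n.AC by length descending to get SORT(AP_n.AC),
    then walk it and drop every chain that equals, or is a subchain of, a chain
    kept before it. Comparing only against kept chains is enough: a chain that was
    dropped earlier is itself a subchain of some kept chain, and subchain-of is
    transitive. What remains is AP_n.PAC: distinct, longest candidate attack chains."""
    ordered = sorted(candidates, key=len, reverse=True)   # stable: ties keep input order
    kept = []
    for chain in ordered:
        if any(chain == k or is_subchain(chain, k) for k in kept):
            continue
        kept.append(chain)
    return kept

# Constructed sample AP_n.AC (Signature ID sequences), not from the patent.
SAMPLE_CANDIDATES = [
    [101, 102, 103],
    [101, 103],        # subchain of the first
    [101, 104],        # not a subchain: 104 never appears in the first
    [102, 103],        # subchain of the first
    [101, 102, 103],   # duplicate of the first
    [105],             # single-alert chain, kept as distinct
]

if __name__ == "__main__":
    print(pseudo_attack_chain_set(SAMPLE_CANDIDATES))
```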
5. The wireless multi-step attack pattern mining method for WLAN according to claim 4, characterized in that step 4 further comprises the following specific steps:
Definition 7, wireless alert correlativity (Wireless Alert Correlativity): the wireless alert correlativity is an important indicator for measuring the association between two wireless alerts; for two successively produced alerts ha_i and ha_j, where ha_i and ha_j comprise n wireless attributes (wa_1, ..., wa_n) and (wb_1, ..., wb_n) respectively, the wireless alert correlativity WC(ha_i, ha_j) between them is defined by formula 2:
$$WC(ha_i, ha_j) = \frac{\sum_{i,j=1}^{n} w_{ij}\, WAC(wa_i, wb_j)}{\sum_{i,j=1}^{n} w_{ij}} \quad \text{(formula 2)}$$
where w_ij is the weight value of the association between two different wireless attributes, taken from a preset weight matrix, and WAC(wa_i, wb_j) is the correlativity between two wireless attributes;
Considering the particularities of the WLAN wireless environment, the following five main attributes are chosen for computing the wireless alert correlativity: source physical address (srcMAC), destination physical address (dstMAC), source IP address (srcIP), destination IP address (dstIP) and destination AP vendor (dstVendor).
6. The wireless multi-step attack pattern mining method for WLAN according to claim 5, characterized in that step 5 further comprises the following specific steps:
For each pseudo attack chain in the pseudo attack chain set AP_n.PAC, the specific process of identifying the multi-step attack pattern is as follows:
(1) compute the wireless alert correlativity between every pair of adjacent alerts in the pseudo attack chain, and compare it with the preset correlativity threshold;
(2) if the computed correlativity is less than this threshold, delete the attack chain formed by these two alerts from the pseudo attack chain, which indicates that these two alerts do not belong to a real wireless multi-step attack pattern;
(3) if the computed correlativity is not less than this threshold, retain the attack chain formed by these two alerts, since they very probably belong to some associated wireless multi-step attack pattern;
(4) after the above computation has been carried out for all adjacent alerts in the pseudo attack chain, what finally remains is the identified wireless multi-step attack chain, in which every pair of adjacent alerts has a high correlativity.
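An added Python example covering claims 5 and 6 together (formula 2 and the identification steps above); it is not code from the patent. The patent specifies neither the attribute correlativity WAC nor the weight matrix w_ij, so both are assumptions here: WAC is exact-match (1.0 when the two attribute values are equal, else 0.0), and the weight matrix carries the five diagonal attribute pairs from claim 5 plus a cross weight between srcMAC and dstMAC, so that a reply step in which the AP and the station swap roles still scores above zero. The alerts, MAC and IP addresses and vendor strings are constructed sample data. Cutting a pseudo attack chain at every low-correlativity link and keeping only the pieces with at least two alerts is this example's reading of steps (2) to (4).

```python
# Assumed weight matrix w_ij over (attribute of ha_i, attribute of ha_j) pairs.
# Pairs not listed have weight 0 and drop out of both sums in formula 2.
WEIGHTS = {
    ("srcMAC", "srcMAC"): 1.0,
    ("dstMAC", "dstMAC"): 1.0,
    ("srcIP", "srcIP"): 0.8,
    ("dstIP", "dstIP"): 0.8,
    ("dstVendor", "dstVendor"): 0.3,
    ("srcMAC", "dstMAC"): 0.5,   # role reversal between request and reply
    ("dstMAC", "srcMAC"): 0.5,
}

def wac(wa, wb):
    """Assumed attribute correlativity WAC: exact match scores 1.0, anything else 0.0."""
    return 1.0 if wa is not None and wa == wb else 0.0

def wireless_alert_correlativity(ha_i, ha_j, weights=WEIGHTS):
    """Formula 2: WC = sum(w_ij * WAC(wa_i, wb_j)) / sum(w_ij) over the weighted pairs."""
    numerator = sum(w * wac(ha_i.get(ai), ha_j.get(bj)) for (ai, bj), w in weights.items())
    denominator = sum(weights.values())
    return numerator / denominator

def identify_multistep_chains(pseudo_chain, threshold, weights=WEIGHTS):
    """Claim 6: walk adjacent alert pairs of one pseudo attack chain; a pair whose WC is
    below the threshold is cut out of the chain, a pair at or above it is kept. The
    surviving runs with at least two alerts are the identified multi-step attack chains."""
    if not pseudo_chain:
        return []
    result, current = [], [pseudo_chain[0]]
    for prev, nxt in zip(pseudo_chain, pseudo_chain[1:]):
        if wireless_alert_correlativity(prev, nxt, weights) < threshold:
            if len(current) >= 2:
                result.append(current)
            current = [nxt]             # the low-correlativity link is dropped
        else:
            current.append(nxt)
    if len(current) >= 2:
        result.append(current)
    return result

def identified_signatures(pseudo_chain, threshold, weights=WEIGHTS):
    """Same result as identify_multistep_chains, reduced to Signature ID sequences."""
    return [[a["sig"] for a in chain]
            for chain in identify_multistep_chains(pseudo_chain, threshold, weights)]

# Constructed sample pseudo attack chain (not from the patent): two probes from a
# station to an AP, the AP's reply, then an unrelated alert against another AP.
AP, AP_OTHER = "00:11:22:33:44:01", "00:11:22:33:44:02"
STA, STA_OTHER = "aa:bb:cc:dd:ee:01", "aa:bb:cc:dd:ee:99"
A1 = {"sig": 101, "srcMAC": STA, "dstMAC": AP, "srcIP": "10.0.0.5", "dstIP": "10.0.0.1", "dstVendor": "VendorX"}
A2 = {"sig": 102, "srcMAC": STA, "dstMAC": AP, "srcIP": "10.0.0.5", "dstIP": "10.0.0.1", "dstVendor": "VendorX"}
A3 = {"sig": 103, "srcMAC": AP, "dstMAC": STA, "srcIP": "10.0.0.1", "dstIP": "10.0.0.5", "dstVendor": "VendorY"}
A4 = {"sig": 301, "srcMAC": STA_OTHER, "dstMAC": AP_OTHER, "srcIP": "10.0.0.77", "dstIP": "10.0.0.2", "dstVendor": "VendorZ"}
PSEUDO_CHAIN = [A1, A2, A3]
PSEUDO_CHAIN_WITH_NOISE = [A1, A2, A3, A4]

if __name__ == "__main__":
    for prev, nxt in zip(PSEUDO_CHAIN_WITH_NOISE, PSEUDO_CHAIN_WITH_NOISE[1:]):
        print(prev["sig"], nxt["sig"], round(wireless_alert_correlativity(prev, nxt), 3))
    print(identified_signatures(PSEUDO_CHAIN_WITH_NOISE, 0.5))
```

The threshold decides how much of the chain survives: the A2 to A3 link scores only through the cross weights (the reply reverses srcMAC and dstMAC), so a threshold of 0.5 keeps just the two probes, while a lower threshold such as 0.15 keeps the reply in the chain too; the unrelated alert A4 shares nothing with A3 and is always cut off.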
CN201410188633.XA 2014-05-06 2014-05-06 Wireless multi-step attack mode excavation method for WLAN Pending CN103944919A (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN201410188633.XA CN103944919A (en) 2014-05-06 2014-05-06 Wireless multi-step attack mode excavation method for WLAN


Publications (1)

Publication Number Publication Date
CN103944919A true CN103944919A (en) 2014-07-23

Family

ID=51192403

Family Applications (1)

Application Number Title Priority Date Filing Date
CN201410188633.XA Pending CN103944919A (en) 2014-05-06 2014-05-06 Wireless multi-step attack mode excavation method for WLAN

Country Status (1)

Country Link
CN (1) CN103944919A (en)



Patent Citations (2)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN101242278A (en) * 2008-02-18 2008-08-13 华中科技大学 Online recognition method for network multi-step attack intension
CN102438025A (en) * 2012-01-10 2012-05-02 中山大学 Indirect distributed denial of service attack defense method and system based on Web agency

Non-Patent Citations (3)

* Cited by examiner, † Cited by third party
Title
陈观林: "Research on the Pre-decision Engine of a Distributed Wireless Intrusion Prevention System", 《电信科学》 *
陈观林: "Research and Design of a Wireless LAN Intrusion Prevention System", 《计算机应用系统》 *
陈观林: "Research on a Distributed Wireless Multi-step Attack Pattern Mining Method for WLAN", 《电信科学》 *

Cited By (19)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN105007262B (en) * 2015-06-03 2017-12-22 浙江大学城市学院 The advance recognition methods of WLAN multi-step attack intensions
CN105007262A (en) * 2015-06-03 2015-10-28 浙江大学城市学院 WLAN multi-step attack intention pre-recognition method
CN105763529A (en) * 2015-12-12 2016-07-13 哈尔滨安天科技股份有限公司 Attack chain obtaining method and system in network environment
CN106899435B (en) * 2017-02-21 2019-10-29 浙江大学城市学院 A kind of complex attack recognition methods towards wireless invasive detection system
CN106899435A (en) * 2017-02-21 2017-06-27 浙江大学城市学院 A kind of complex attack identification technology towards wireless invasive detecting system
CN107528859A (en) * 2017-09-29 2017-12-29 北京神州绿盟信息安全科技股份有限公司 The defence method and equipment of a kind of ddos attack
CN107528859B (en) * 2017-09-29 2020-07-10 北京神州绿盟信息安全科技股份有限公司 Defense method and device for DDoS attack
CN108076040A (en) * 2017-10-11 2018-05-25 北京邮电大学 A kind of APT Attack Scenarios method for digging based on killing chain and fuzzy clustering
CN108763067B (en) * 2018-05-14 2022-03-22 南京芯传汇电子科技有限公司 Software attack mode incidence relation analysis method
CN108763067A (en) * 2018-05-14 2018-11-06 南京市芯传汇电子科技有限公司 A kind of software attacks pattern association relationship analysis method
CN109167781A (en) * 2018-08-31 2019-01-08 杭州安恒信息技术股份有限公司 A kind of recognition methods of network attack chain and device based on dynamic associated analysis
CN109167781B (en) * 2018-08-31 2021-02-26 杭州安恒信息技术股份有限公司 Network attack chain identification method and device based on dynamic correlation analysis
US20230275921A1 (en) * 2020-12-30 2023-08-31 T-Mobile Usa, Inc. Cybersecurity system for services of interworking wireless telecommunications networks
US12113825B2 (en) * 2020-12-30 2024-10-08 T-Mobile Usa, Inc. Cybersecurity system for services of interworking wireless telecommunications networks
CN114172709A (en) * 2021-11-30 2022-03-11 中汽创智科技有限公司 Network multi-step attack detection method, device, equipment and storage medium
CN114172709B (en) * 2021-11-30 2024-05-24 中汽创智科技有限公司 Network multi-step attack detection method, device, equipment and storage medium
CN115001753A (en) * 2022-05-11 2022-09-02 绿盟科技集团股份有限公司 Method and device for analyzing associated alarm, electronic equipment and storage medium
CN115001753B (en) * 2022-05-11 2023-06-09 绿盟科技集团股份有限公司 Method and device for analyzing associated alarms, electronic equipment and storage medium
CN114915544A (en) * 2022-05-18 2022-08-16 广东电网有限责任公司 Network multi-hop attack chain identification method, device, equipment and storage medium


Legal Events

Date Code Title Description
C06 Publication
PB01 Publication
C10 Entry into substantive examination
SE01 Entry into force of request for substantive examination
RJ01 Rejection of invention patent application after publication

Application publication date: 20140723