
Computer Engineering, 2008, Vol. 34, Issue 23: 150-152. doi: 10.3969/j.issn.1000-3428.2008.23.054

• Security Technology •

Methods of Alert Correlation in Multi-step Attack Based on CPN

LV Lin-tao, LI Lei   

  1. (Institute of Computer Science & Engineering, Xi’an University of Technology, Xi’an 710048)
  • Online: 2008-12-05 Published: 2008-12-05

Alert Correlation Method for Multi-step Attacks Based on CPN

LV Lin-tao, LI Lei

  1. (Institute of Computer Science & Engineering, Xi’an University of Technology, Xi’an 710048)

Abstract: Building on the theory of Colored Petri Nets (CPN) and addressing the "alert fatigue" problem in intrusion detection, this paper constructs a CPN attack template partitioned by the privileges an intruder can gain. Low-level, scattered alerts are correlated in order so that the complete course of a multi-step attack is presented. The correlation method uses only a limited number of templates, which makes it simpler and easier to implement than earlier methods. It also lets security personnel predict and assess the security state of the network from the perspective of the privileges an intruder can gain.

Key words: Colored Petri Net (CPN), multi-step attack, privilege, alert correlation
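To make the template idea concrete, here is a small added illustration (not code from the paper) of a coloured-Petri-net correlator: places are assumed privilege levels on a target host, transitions are alert signatures, and a token's colour is the (attacker, target) pair, so a transition fires only when that attacker already holds the prerequisite privilege on that host. The privilege ordering, transition table and alerts are all constructed for the example.

```python
"""Toy coloured-Petri-net alert correlator (illustrative, not the paper's model).
Places are the privilege levels an intruder can hold on a target host;
transitions are alert signatures; a token's colour is (attacker, target),
so alerts from different attackers or against different hosts never merge."""
from collections import defaultdict

# Privilege levels used as places, in increasing order (assumed ordering).
PLACES = ["none", "access", "user", "root"]
RANK = {p: i for i, p in enumerate(PLACES)}

# Transition table: alert signature -> (input place, output place). Constructed
# for this example; a real template would be derived from IDS rule semantics.
TRANSITIONS = {
    "port_scan":       ("none",   "access"),
    "ftp_brute_force": ("access", "user"),
    "local_privesc":   ("user",   "root"),
}

def correlate(alerts):
    """Fire transitions in alert order. Returns (chains, marking): chains maps a
    colour to the ordered alerts that advanced it, marking maps a colour to the
    highest place its token has reached."""
    marking = {}
    chains = defaultdict(list)
    for alert in alerts:
        colour = (alert["src"], alert["dst"])
        if alert["type"] not in TRANSITIONS:
            continue                      # signature not in the template: ignore
        inp, out = TRANSITIONS[alert["type"]]
        held = marking.get(colour, "none")
        if RANK[held] < RANK[inp]:
            continue                      # guard fails: prerequisite privilege missing
        marking[colour] = max(held, out, key=RANK.get)   # never downgrade a token
        chains[colour].append((alert["type"], marking[colour]))
    return dict(chains), marking

def multi_step_attacks(chains, min_steps=2):
    """Keep only colours whose alerts correlated into at least min_steps steps."""
    return {c: steps for c, steps in chains.items() if len(steps) >= min_steps}

# Constructed sample alerts (not real data), already in time order.
SAMPLE_ALERTS = [
    {"src": "10.0.0.5", "dst": "192.168.1.10", "type": "port_scan"},
    {"src": "10.0.0.9", "dst": "192.168.1.10", "type": "local_privesc"},  # no prior access
    {"src": "10.0.0.5", "dst": "192.168.1.10", "type": "ftp_brute_force"},
    {"src": "10.0.0.5", "dst": "192.168.1.10", "type": "local_privesc"},
    {"src": "10.0.0.5", "dst": "192.168.1.10", "type": "unknown_sig"},
    {"src": "10.0.0.9", "dst": "192.168.1.20", "type": "port_scan"},
]

if __name__ == "__main__":
    chains, marking = correlate(SAMPLE_ALERTS)
    for colour, steps in multi_step_attacks(chains).items():
        print(colour, "->", " > ".join(f"{t}[{p}]" for t, p in steps))
```

Only the attacker that actually climbed from scan to user to root is reported as a multi-step attack; the isolated privilege-escalation alert with no prior access and the unknown signature are left uncorrelated.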

Abstract: Building on Colored Petri Net (CPN) theory and addressing the current "alert fatigue" problem in intrusion detection, this paper constructs CPN attack templates partitioned according to the privileges an intruder can obtain. By correlating low-level, discrete alerts in sequence, the full course of a multi-step attack is revealed. The correlation method uses only a limited number of templates and is simpler and easier to implement than previous methods. At the same time, security personnel can predict and assess the security state of the network from the perspective of the attack capability the intruder has obtained.

Key words: Colored Petri Net, multi-step attack, privilege, alert correlation
