• DocumentCode
    2205741
  • Title
    Analyzing and Correlating Security Events Using State Machine
  • Author
    Xuewei, Feng ; Dongxia, Wang ; Jiemei, Zeng ; Guoqing, Ma ; Jin, Li
  • Author_Institution
    Nat. Key Lab. of Sci. & Technol. on Inf. Syst. Security, Beijing Inst. of Syst. Eng., Beijing, China
  • fYear
    2010
  • fDate
    June 29 2010-July 1 2010
  • Firstpage
    2849
  • Lastpage
    2854
  • Abstract
    Manual analysis of security events is infeasible for a security manager: the number of events is huge, and an individual event carries little meaning on its own. After reviewing the existing security-event correlation algorithms, we propose an attack scenario reconstruction technique based on state machines. With it, the steps an attacker takes when intruding into a network can be restored and a more comprehensive description of the attack scenario generated, which eases the security manager's work. The state-machine-based technique processes security events with clustering analysis and causal analysis concurrently. For every attack scenario tree predefined by the security manager it builds a correlation state machine in memory; as security events arrive, the relevant state machines process them, and when a state machine's conditions are satisfied an attack scenario description is generated and sent to the security manager. Correlation based on state machines is more timely and more accurate than the existing approaches. Finally, we validate the technique on the DARPA2000 Intrusion Scenario Specific Data Sets; the experimental results show that analyzing security events with the proposed technique is feasible.
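    The following is an added example, not code from the paper, showing the mechanism the abstract describes: a correlation state machine per attacker, advanced by events that match the next stage of a predefined scenario and that are causally linked to the previous step (same attacker, or the compromised host acting next), with duplicate first-stage events clustered and stale machines timed out. The event fields, signature names, link rules and the scenario itself are assumptions; the scenario only loosely follows the DARPA2000 LLDOS 1.0 chain (IP sweep, sadmind probe, sadmind exploit, DDoS agent install, DDoS launch) and the events are constructed, not taken from the data set.

```python
# Added example (not the paper's code). Assumed event fields, signatures,
# link rules and scenario; events below are constructed, not DARPA2000 data.
from dataclasses import dataclass
from typing import Callable, Dict, List


@dataclass(frozen=True)
class Event:
    ts: int    # seconds
    src: str   # source IP
    dst: str   # destination IP
    sig: str   # alert signature (constructed names)


def same_attacker(prev: Event, ev: Event) -> bool:
    """Causal link: next step comes from the same source as the last step."""
    return ev.src == prev.src


def victim_acts(prev: Event, ev: Event) -> bool:
    """Causal link: the host targeted in the last step is now the source."""
    return ev.src == prev.dst


@dataclass
class Stage:
    name: str
    match: Callable[[Event], bool]        # does the event fit this stage?
    link: Callable[[Event, Event], bool]  # relation to previous stage event (unused for stage 0)
    window: int = 3600                    # max seconds allowed since the previous stage


@dataclass
class Scenario:
    name: str
    stages: List[Stage]


@dataclass
class Machine:
    """One correlation state machine: the progress of one attacker through a scenario."""
    attacker: str
    state: int            # index of the stage awaited next
    events: List[Event]   # one matched event per completed stage
    clustered: int = 0    # repeated first-stage events absorbed without advancing


class CorrelationEngine:
    def __init__(self, scenarios: List[Scenario]):
        self.scenarios = scenarios
        self.machines: Dict[str, List[Machine]] = {s.name: [] for s in scenarios}
        self.reports: List[dict] = []

    def process(self, ev: Event) -> List[dict]:
        """Feed one event; return scenario descriptions completed by it."""
        completed = []
        for sc in self.scenarios:
            live = self.machines[sc.name]
            advanced = False
            for m in list(live):
                prev, stage = m.events[-1], sc.stages[m.state]
                if ev.ts - prev.ts > stage.window:
                    live.remove(m)   # waited too long for the next stage: drop it
                    continue
                if not advanced and stage.match(ev) and stage.link(prev, ev):
                    m.events.append(ev)
                    m.state += 1
                    advanced = True
                    if m.state == len(sc.stages):
                        live.remove(m)
                        completed.append(self.describe(sc, m))
            if not advanced and sc.stages[0].match(ev):
                # clustering: at most one machine per attacker per scenario
                known = next((m for m in live if m.attacker == ev.src), None)
                if known is None:
                    live.append(Machine(attacker=ev.src, state=1, events=[ev]))
                else:
                    known.clustered += 1
        self.reports.extend(completed)
        return completed

    @staticmethod
    def describe(sc: Scenario, m: Machine) -> dict:
        """Attack scenario description sent to the security manager."""
        return {
            "scenario": sc.name,
            "attacker": m.attacker,
            "victims": sorted({e.dst for e in m.events[:-1]}),
            "last_step_source": m.events[-1].src,
            "start": m.events[0].ts,
            "end": m.events[-1].ts,
            "steps": [(st.name, e.ts, e.src, e.dst) for st, e in zip(sc.stages, m.events)],
            "clustered_events": m.clustered,
        }


def sig_is(name: str) -> Callable[[Event], bool]:
    return lambda ev: ev.sig == name


# Assumed scenario tree, modelled here as a linear chain of stages.
LLDOS_LIKE = Scenario("lldos_like_ddos", [
    Stage("ip_sweep",        sig_is("ICMP_SWEEP"),       same_attacker),
    Stage("sadmind_probe",   sig_is("SADMIND_PING"),     same_attacker),
    Stage("sadmind_exploit", sig_is("SADMIND_EXPLOIT"),  same_attacker),
    Stage("ddos_install",    sig_is("RSH_DDOS_INSTALL"), same_attacker),
    Stage("ddos_launch",     sig_is("MSTREAM_DDOS"),     victim_acts),
])

EVENTS = [  # constructed event stream
    Event(0,    "172.16.1.9", "10.1.1.1", "ICMP_SWEEP"),       # unrelated scanner, never follows up
    Event(10,   "10.0.0.5",   "10.1.1.1", "ICMP_SWEEP"),
    Event(11,   "10.0.0.5",   "10.1.1.2", "ICMP_SWEEP"),       # same sweep: clustered, no advance
    Event(60,   "10.0.0.5",   "10.1.1.2", "SADMIND_PING"),
    Event(70,   "10.0.0.5",   "10.1.1.2", "SADMIND_EXPLOIT"),
    Event(300,  "10.0.0.5",   "10.1.1.2", "RSH_DDOS_INSTALL"),
    Event(400,  "10.1.1.7",   "10.9.9.9", "MSTREAM_DDOS"),     # wrong host: no causal link
    Event(500,  "10.0.0.8",   "10.1.1.3", "SADMIND_EXPLOIT"),  # no earlier stages: ignored
    Event(900,  "10.1.1.2",   "10.9.9.9", "MSTREAM_DDOS"),     # compromised host launches DDoS
    Event(5000, "172.16.1.9", "10.1.1.1", "SADMIND_PING"),     # too late: that machine timed out
]


def run_demo() -> CorrelationEngine:
    engine = CorrelationEngine([LLDOS_LIKE])
    for ev in EVENTS:
        engine.process(ev)
    return engine


if __name__ == "__main__":
    for report in run_demo().reports:
        print(report)
```

Only the chain from 10.0.0.5 yields a description: the stray DDoS from 10.1.1.7 fails the causal link, the lone exploit from 10.0.0.8 has no preceding stages, and the scanner at 172.16.1.9 is dropped when its probe arrives outside the stage window. Each machine holds only its matched events, so memory grows with active attackers rather than with the raw event volume.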
  • Keywords
    finite state machines; pattern clustering; security of data; DARPA2000 intrusion scenario specific data sets; attack scenario reconstruction technology; attack scenario tree; causal analysis; clustering analysis; correlation state machine; security events correlation; state machine; Computer crime; Correlation; Cyberspace; Engines; Protocols; XML; attack scenario reconstruction; attack scenario tree; causal analysis; clustering analysis; correlating state machine;
  • fLanguage
    English
  • Publisher
    ieee
  • Conference_Titel
    Computer and Information Technology (CIT), 2010 IEEE 10th International Conference on
  • Conference_Location
    Bradford
  • Print_ISBN
    978-1-4244-7547-6
  • Type
    conf
  • DOI
    10.1109/CIT.2010.476
  • Filename
    5578520