Title :
Research on Intrusion Recognition and Tracing under Attack and Defense Confront Environment
Author :
Lv, Huiying ; Li, Huan
Author_Institution :
Sch. of Manage., Capital Normal Univ., Beijing, China
Abstract :
This paper proposes a new method for intrusion recognition and tracing in an attack-defense confrontation environment. To that end, the antagonistic status and state transitions between attacker and defender are studied in depth, and all kinds of security information and knowledge are analyzed and formally described. Based on the obtained information, a safety model for attack-defense confrontation is presented, from which a safety state transition graph can be produced. The model is given a formalized description based on Expanded Finite-State Automata (EFSA), which visually describes both the intruding process and the defending process. The model is used to thoroughly analyze attack and defense activities and predict subsequent safety state transitions, and it intuitively illustrates all possible routes and states on the attacker's way to a specific target. The model can therefore be used to trace the intruding process and deduce attack intention and target, and further to predict follow-up attacks, which provides useful evidence and guidance for attack response and security decisions. Finally, the method is demonstrated and validated in an example network environment.
Keywords :
finite state machines; graph theory; security of data; attack intention; attack response; attack target; attack-defense confront environment; expanded finite-state automata; formalized description; intrusion recognition; intrusion tracing; safety state transition graph; security decision; security information; security knowledge; Analytical models; Educational institutions; Erbium; Predictive models; Probes; Safety; Security; attack and defense; intrusion recognition; security confrontation; state transition; tracing;
Conference_Title :
Information Management, Innovation Management and Industrial Engineering (ICIII), 2011 International Conference on
Conference_Location :
Shenzhen
Print_ISBN :
978-1-61284-450-3
DOI :
10.1109/ICIII.2011.333