Abstract

Alerts from intrusion detection systems are numerous, complex, and difficult to analyze. Correlating the alerts of a multi-step attack is one solution to this problem. Intelligent planning is an important research area of artificial intelligence and is often applied to problems in specific fields. In this work, intelligent planning is used for multi-step attack recognition. A planning domain description model for multi-step attacks, based on knowledge representation, is proposed to describe the attack knowledge base. The model is described in PDDL (Planning Domain Definition Language). Experiments with the DARPA 2000 dataset showed that the proposed model can recognize multi-step attacks effectively and is usable and practical.