Most attacks on the Internet are progressive attacks and exploit multiple nodes. Traditional Intrusion Detection Systems (IDS) cannot detect the original attack node, making it difficult to block the attack at its source. This paper focuses on using IDS’ alerts corresponding to abnormal traffic to correlate attacks detected by the IDS, reconstruct multi-step attack scenarios and discover attack chains. Due to many false positives in the information provided by IDS, accurate reconstruction of the attack scenario and extraction of the most critical attack chain is challenging. Therefore, we propose a method to reconstruct multi-step attack scenarios in the network based on multiple information fusion of attack time, risk assessment and attack node information. First, we propose a Convolution and Agent Decision Tree Network (CTnet), a convolutional neural network that evaluates the attacks detected by the IDS and gives an alert with an attack risk assessment. Then, we reconstruct the weighted attack scenario by applying Graph-based Fusion Module (GM) on the captured attacks’ risk assessment and time information. Finally, we extract the high-risk attack chain by Depth First Search with Time and Weight (TW-DFS) algorithm. The experimental results show that the proposed method can accurately reconstruct multi-step attack scenarios and trace them back to the original host. It can help administrators to deploy security measures more effectively to ensure the overall security of the network.

Internet 上的大多数攻击都是渐进式攻击，并且会利用多个节点。传统入侵检测系统（IDS）无法检测到原始攻击节点，难以从源头阻断攻击。本文着重利用IDS异常流量对应的告警关联IDS检测到的攻击，重构多步攻击场景，发现攻击链。由于IDS提供的信息存在很多误报，准确重构攻击场景和提取最关键的攻击链具有挑战性。因此，我们提出了一种基于攻击时间、风险评估和攻击节点信息的多重信息融合来重构网络中多步攻击场景的方法。首先，我们提出了一个卷积和代理决策树网络（CTnet），一个卷积神经网络，用于评估 IDS 检测到的攻击，并通过攻击风险评估发出警报。然后，我们通过对捕获的攻击的风险评估和时间信息应用基于图的融合模块（GM）来重建加权攻击场景。最后，我们通过具有时间和权重的深度优先搜索（TW-DFS）算法提取高风险攻击链。实验结果表明，所提出的方法能够准确重构多步攻击场景并追溯到原始主机。它可以帮助管理员更有效地部署安全措施，以确保网络的整体安全。我们通过对捕获的攻击的风险评估和时间信息应用基于图的融合模块 (GM) 来重建加权攻击场景。最后，我们通过具有时间和权重的深度优先搜索（TW-DFS）算法提取高风险攻击链。实验结果表明，所提出的方法能够准确重构多步攻击场景并追溯到原始主机。它可以帮助管理员更有效地部署安全措施，以确保网络的整体安全。我们通过对捕获的攻击的风险评估和时间信息应用基于图的融合模块 (GM) 来重建加权攻击场景。最后，我们通过具有时间和权重的深度优先搜索（TW-DFS）算法提取高风险攻击链。实验结果表明，所提出的方法能够准确重构多步攻击场景并追溯到原始主机。它可以帮助管理员更有效地部署安全措施，以确保网络的整体安全。实验结果表明，所提出的方法能够准确重构多步攻击场景并追溯到原始主机。它可以帮助管理员更有效地部署安全措施，以确保网络的整体安全。实验结果表明，所提出的方法能够准确重构多步攻击场景并追溯到原始主机。它可以帮助管理员更有效地部署安全措施，以确保网络的整体安全。