Quantitative Evaluation Approach for Real-time Risk Based on Attack Event Correlating

The alarms of Intrusion Detective System (IDS) are correlated and analyzed dynamically in a certain interval of time according to the relevant characteristics of real-time alarms. On this basis, a quantitative evaluation approach for real time risk is proposed. Firstly, considering the influence of the strength of security measures and vulnerabilities to attacking results, the attacking success probability algorithm is proposed. Secondly, the attacking threat degree algorithm is proposed, and it can better reflect the difference of threat degree between continuous multi-step attacks and multiple isolated attacks. Finally, the risk situation graph of network nodes is achieved by the weighted sum of each node risk situation value. To verify the validity of the method, a testing platform is built. Experiments show that the method can improve the accuracy of evaluation results, and will help to optimize the safety strategy.