A Network Attack Model based on Colored Petri Net

The researches have shown that not all the Petri Net machines can be used to describe attack behavior. When Petri Net machines adapted for attack behavior modeling are detecting the network, for some event of current status, if there is matching event in the model, it has only one corresponding transition; otherwise that may cause errors. Since sharing synthesis and synchronization synthesis of traditional machines cannot ensure synthetic model reserves original detection capability, we propose the novel concept for synthesis operation and colored synthetic operation. By the analysis on the relation among these operations, the ability to reserve original detection is verified. Then an improved colored judgement Petri Net machine is adopted for modeling and renewing the knowledge repository. The inductive learning method is used to extend the attack modes. It creates a four-layered concept space, which actually provides a depth-first search path for matching. To solve the problems in multi-pattern matching and incremental learning, various modes are generalized by colored operation. We also adopt the decomposition and synthesis operation to handle the pattern matching of distributed attack behavior and attack information fusion. Finally the actual cases verify that our algorithm is feasible.