Abstract: Multi-step attacks are one of the primary forms of current intrusions, and detecting them is an important aspect of IDS research. Correlation research in intrusion detection focuses mainly on three aspects: (1) reducing false positives and false negatives; (2) detecting unknown attacks; and (3) attack forecasting. Progress on the third in particular may move intrusion detection from passive detection to active protection. Based on a study of multi-step attack patterns, this paper designs a detection and forecast algorithm for multi-step attacks based on intrusion intention. The algorithm uses an extended directed graph to represent attack types and their relations, and performs correlation by backward matching and absent matching. The probability of the next attack is computed from a weighted summation of the correlated attack chain and the branch weights on the attack logic graph. The algorithm detects multi-step attacks, forecasts attacks, detects unknown attacks, and reduces false alarms. The paper also presents the experimental process and an analysis of the results to validate the algorithm.
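The correlation and forecast steps named in the abstract, as an added Python illustration that is not the paper's algorithm or code: the graph, its branch weights, the one-missing-step reading of absent matching, and the `ALPHA` scoring formula are all assumptions made here.

```python
# Added illustration; graph, weights and scoring are assumptions, not the paper's.
# Constructed attack logic graph: attack type -> {next attack type: branch weight}
GRAPH = {
    "scan": {"exploit": 0.7, "bruteforce": 0.3},
    "exploit": {"privesc": 0.8, "dos": 0.2},
    "bruteforce": {"privesc": 1.0},
    "privesc": {"exfil": 0.6, "backdoor": 0.4},
    "exfil": {}, "backdoor": {}, "dos": {},
}
ALPHA = 0.5  # assumed weight of chain confidence versus branch weight


def correlate(alerts):
    """Group a time-ordered list of alert types into chains of (step, observed)."""
    chains = []
    for alert in alerts:
        if alert not in GRAPH:  # type not modelled in the graph: ignore
            continue
        for chain in chains:
            tail = chain[-1][0]
            if alert in GRAPH[tail]:  # backward match against the chain's last step
                chain.append((alert, True))
                break
            # absent match: assume exactly one intermediate step raised no alert
            mids = [m for m in GRAPH[tail] if alert in GRAPH[m]]
            if mids:
                mid = max(mids, key=lambda m: GRAPH[tail][m])
                chain.extend([(mid, False), (alert, True)])
                break
        else:  # correlates with no existing chain: start a new one
            chains.append([(alert, True)])
    return chains


def forecast(chain):
    """Score each possible next step from chain confidence and branch weight."""
    confidence = sum(seen for _, seen in chain) / len(chain)
    tail = chain[-1][0]
    return {nxt: round(ALPHA * confidence + (1 - ALPHA) * w, 3)
            for nxt, w in GRAPH[tail].items()}


if __name__ == "__main__":
    # Constructed alert stream: the step between "scan" and "privesc" is missing.
    for chain in correlate(["scan", "privesc", "dos"]):
        print(chain, forecast(chain))
```

A chain that contains an inferred (unobserved) step gets a lower confidence, so its forecasts score below those of a fully observed chain; single-alert chains that never grow are candidates for false-alarm filtering.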