网络与信息安全学报 ›› 2017, Vol. 3 ›› Issue (4): 58-68.doi: 10.11959/j.issn.2096-109x.2017.00148

• 学术论文 • 上一篇    下一篇

基于因果知识发现的攻击场景重构研究

樊迪1(),刘静1,2,3,庄俊玺1,2,3,赖英旭1,2,3   

  1. 1 北京工业大学信息学部,北京 100124
    2 北京工业大学可信计算北京市重点实验室,北京 100124
    3 北京工业大学信息安全等级保护关键技术国家工程实验室,北京 100124
  • 修回日期:2017-03-06 出版日期:2017-04-01 发布日期:2017-04-14
  • 作者简介:樊迪(1992-),女,山东惠民人,北京工业大学硕士生,主要研究方向为网络安全、日志分析。|刘静(1978-),女,北京人,北京工业大学讲师,主要研究方向为网络安全、可信计算。|庄俊玺(1981-),女,河南新乡人,北京工业大学讲师,主要研究方向为网络安全、可信计算。|赖英旭(1973-),女,辽宁抚顺人,博士,北京工业大学教授,主要研究方向为网络接入控制、病毒防御技术、网络安全工程、可信计算理论及其应用。
  • 基金资助:
    北京市自然科学基金资助项目(4162006)

Research on attack scenario reconstruction method based on causal knowledge discovery

Di FAN1(),Jing LIU1,2,3,Jun-xi ZHUANG1,2,3,Ying-xu LAI1,2,3   

  1. 1 Faculty of Information Technology,Beijing University of Technology,Beijing 100124,China
    2 Beijing Key Laboratory of Trusted Computing,Beijing University of Technology,Beijing 100124,China
    3 National Engineering Laboratory for Critical Technologies of Information Security Classified Protection,Beijing University of Technology,Beijing 100124,China
  • Revised:2017-03-06 Online:2017-04-01 Published:2017-04-14
  • Supported by:
    Beijing Municipal Natural Science Foundation(4162006)

摘要:

为了从分散的告警日志中发现攻击模式、构建攻击场景,通过分析现有攻击场景重构方法,针对现有方法因果知识复杂难懂且难以自动获取的问题,提出一种基于因果知识发现的攻击场景重构方法。所提方法首先按照知识发现的过程,通过告警日志间 IP 属性的相关程度,构建攻击场景的序列集合;然后,采用时间序列建模的方式去除误告警,以精简攻击场景序列;最后,利用概率统计方法发现各告警类型间的关联关系。在DARPA 2000数据集上对方法进行了实验验证,结果表明,该方法能有效识别多步攻击模式。

关键词: 入侵检测, 告警关联, 时间序列建模, 攻击场景重构

Abstract:

In order to discover the attack pattern from the distributed alert data and construct the attack scene,a method of finding the attack scene from the alert data generated by intrusion detection system was studied.Current research suffer from the problem that causal knowledge is complex and difficult to understand and it is difficult to automatically acquire the problem.An attack scenario reconstruction method based on causal knowledge discovery was proposed.According to the process of KDD,the sequence set of attack scenes was constructed by the correlation degree of IP attributes among alert data.Time series modeling was adopted to eliminate the false positives to reduce the attack scene sequence.Finally,causal relationship between the alert data was found by using probability statistics.Experiments on the DARPA2000 intrusion scenario specific data sets show that the method can effectively identify the multi-step attack mode.

Key words: intrusion detection, alert correlation, time series modeling, attack scenario reconstruction

中图分类号: 

No Suggested Reading articles found!