基于规则关联的安全数据采集策略生成

doi:10.11959/j.issn.2096-109x.2021085

网络与信息安全学报 ›› 2021, Vol. 7 ›› Issue (5): 132-148.doi: 10.11959/j.issn.2096-109x.2021085

基于规则关联的安全数据采集策略生成

陈佩¹^,², 李凤华¹^,², 李子孚¹^,², 郭云川¹^,², 成林³

¹ 中国科学院信息工程研究所，北京 100093
² 中国科学院大学网络空间安全学院，北京 100049
³ 中国信息安全测评中心，北京 100085

修回日期:2021-02-01 出版日期:2021-10-15 发布日期:2021-10-01
作者简介:陈佩（1993− ），男，河南南阳人，中国科学院信息工程研究所硕士生，主要研究方向为网络与系统安全
李凤华（1966− ），男，湖北浠水人，博士，中国科学院信息工程研究所研究员、博士生导师，主要研究方向为网络与系统安全、信息保护、隐私计算
李子孚（1992− ），女，内蒙古赤峰人，博士，中国科学院信息工程研究所工程师，主要研究方向为网络与系统安全、访问控制
郭云川（1977− ），男，四川营山人，博士，中国科学院信息工程研究所正高级工程师、博士生导师，主要研究方向为访问控制、网络安全
成林（1983− ），男，博士，中国信息安全测评中心助理研究员，主要研究方向为密码学、云计算、大数据
基金资助:
国家重点研发计划(2016QY06X1203);国家自然科学基金(U1836203);山东省重点研发计划（重大科技创新工程）项目(2019JZZY020127)

Using rule association to generate data collection policies

Pei CHEN¹^,², Fenghua LI¹^,², Zifu LI¹^,², Yunchuan GUO¹^,², Lin CHENG³

¹ Institute of Information Engineering, Chinese Academy of Sciences, Beijing 100093, China
² School of Cyber Security, University of Chinese Academy of Sciences, Beijing 100049, China
³ China Information Technology Security Evaluation Center, Beijing 100085, China

Revised:2021-02-01 Online:2021-10-15 Published:2021-10-01
Supported by:
The National Key R＆D Program of China(2016QY06X1203);The National Natural Science Foundation of China(U1836203);Shandong Provincial Key Research and Development Program(2019JZZY020127)

摘要/Abstract

摘要：

有效的安全数据采集是精准分析网络威胁的基础，当前常用的全采集、概率采集和自适应采集等采集方法，未考虑采集数据的有效性和采集数据的关联关系，消耗过多的资源，其采集收益和成本率低。针对该问题，考虑影响采集收益和成本的因素（节点特征间关系、网络拓扑关系、系统威胁状况、节点资源情况、节点相似度等），设计了一种基于规则关联的安全数据采集策略生成方法。该方法根据节点间的关联规则和系统中所发生安全事件间的关联规则，构建备选采集项，缩减数据采集范围；综合考虑采集收益和采集成本，设计最大化采集收益和最小化采集成本的多目标优化函数，基于遗传算法求解该优化函数。与常用采集方法进行比较和分析，实验结果表明所提方法12 h累计数据采集量较其他方案减少了1 000~3 000条数据记录，数据有效性较其他数据采集方案提升约4%~10%，证明了所提方法的有效性。

关键词: 策略优化生成, 多目标优化, 数据协同采集, 多关联规则挖掘

Abstract:

Collecting security-related data of devices effectively is the foundation of analyzing network threats accurately.Existing data collection methods (full data collection, sampling based data collection and adaptive data collection) do not consider the validity of the collected data and their correlation, which will consume too much collection resources, resulting in low collection yield.To address this problem, considering the factors (relationship between node attributes, network topology relationship, threat status, node resource and node similarity) that impact collection costs and benefits, a rule association method to generate collection policies was designed.In the method, two types of association rules (inter-node association rules and inter-event association rules) were adopted to generate candidate data collection items and reduced the scope of data collection.Then, a multi-objective program was designed to maximize collection benefits and minimize collection costs.Further, a genetic algorithm was designed to solve this program.Proposed method was compared with existing data collection methods.The experimental results show that the number of the collected data records of proposed method is 1 000~3 000 less than that of others per 12 hours, and the validity of the collected data of proposed method is about 4%~10% higher than others, which proves the effectiveness of the proposed method.

Key words: policy optimization generation, multi-objective optimization, collaborative data collection, multiple class-association rules mining

中图分类号:

TP393

陈佩, 李凤华, 李子孚, 郭云川, 成林. 基于规则关联的安全数据采集策略生成[J]. 网络与信息安全学报, 2021, 7(5): 132-148.

Pei CHEN, Fenghua LI, Zifu LI, Yunchuan GUO, Lin CHENG. Using rule association to generate data collection policies[J]. Chinese Journal of Network and Information Security, 2021, 7(5): 132-148.

图/表 9

图1

图2

表1

表2

图3

图4

表3

图5

图6

参考文献 23

[1]	LIN H Q , YAN Z , CHEN Y ,et al. A survey on network security-related data collection technologies[C]// Proceedings of IEEE Access. 2018: 18345-18365.
[2]	XIE H M , YAN Z , YAO Z ,et al. Data collection for security measurement in wireless sensor networks:a survey[J]. IEEE Internet of Things Journal, 2019,6(2): 2205-2224.
[3]	ZHOU D H , YAN Z , FU Y L ,et al. A survey on network data collection[J]. Journal of Network and Computer Applications, 2018,116: 9-23.
[4]	JING X Y , YAN Z , PEDRYCZ W . Security data collection and data analytics in the Internet:a survey[J]. IEEE Communications Surveys ＆ Tutorials, 2019,21(1): 586-618.
[5]	LIU G , YAN Z , PEDRYCZ W . Data collection for attack detection and security measurement in mobile Ad Hoc networks:a survey[J]. Journal of Network and Computer Applications, 2018,105: 105-122.
[6]	庞希愚, 姜波, 仝春玲 ,等. 一种自适应数据变化规律的数据采集算法[J]. 计算机技术与发展, 2013,23(2): 157-161.
	PANG X Y , JIANG B , TONG C L ,et al. A kind of data acquisition algorithm of adaptive data change rule[J]. Computer Technology and Development, 2013,23(2): 157-161.
[7]	杨明霞, 王万良, 邵鹏飞 . 基于时间序列的自适应采样机制策略研究[J]. 计算机科学, 2015,42(7): 162-164,181.
	YANG M X , WANG W L , SHAO P F . Adaptive sampling algorithm based on TCP congestion strategy[J]. Computer Science, 2015,42(7): 162-164,181.
[8]	曾文序, 库少平, 郑浩 . 基于旋转门算法的自适应变频数据采集策略[J]. 计算机应用研究, 2018,35(3): 769-772.
	ZENG W X , KU S P , ZHENG H . Strategy of self-adaptive frequency conversion data acquisition based on swing door trending algorithm[J]. Application Research of Computers, 2018,35(3): 769-772.
[9]	LIN H Q , YAN Z , FU Y L . Adaptive security-related data collection with context awareness[J]. Journal of Network and Computer Applications, 2019,126: 88-103.
[10]	陈雷 . 基于数据聚合的无线传感器网络主动管理机制研究[D]. 长沙:湖南大学, 2011.
	CHEN L . Research of initiative management scheme for sensor networks based on data aggregation[D]. Changsha:Hunan University, 2011.
[11]	CHEN L W , PENG Y H , TSENG Y C ,et al. Cooperative sensing data collection and distribution with packet collision avoidance in mobile long-thin networks[J]. Sensors (Basel,Switzerland), 2018,18(10): 3588.
[12]	SAFARA F , SOURI A , SERRIZADEH M . Improved intrusion detection method for communication networks using association rule mining and artificial neural networks[J]. IET Communications, 2020,14(7): 1192-1197.
[13]	章坚武, 黄佳森, 周迪 . 基于模糊理论与关联规则的入侵检测模型[J]. 电信科学, 2019,35(5): 59-69.
	ZHANG J W , HUANG J S , ZHOU D . Intrusion detection model based on fuzzy theory and association rules[J]. Telecommunications Science, 2019,35(5): 59-69.
[14]	王慧, 王宇, 邵翀 . 网络入侵检测中群关联模型的设计与分析[J]. 中国人民公安大学学报(自然科学版), 2018,24(4): 74-77.
	WANG H , WANG Y , SHAO C . Design and analysis of group association model in network intrusion detection[J]. Journal of People's Public Security University of China (Science and Technology), 2018,24(4): 74-77.
[15]	HU W , LI J , CHENG J ,et al. Security monitoring of heterogeneous networks for big data based on distributed association algorithm[J]. Computer Communications, 2020,152: 206-214.
[16]	NGUYEN M T . Distributed compressive and collaborative sensing data collection in mobile sensor networks[J]. Internet of Things, 2020,9: 100156.
[17]	SHA C , SONG D D , YANG R ,et al. A type of energy-balanced tree based data collection strategy for sensor network with mobile sink[J]. IEEE Access, 2019,7: 85226-85240.
[18]	DOUDOU M , DJENOURI D , BARCELO-ORDINAS J M ,et al. Cost effective node deployment strategy for energy-balanced and delay-efficient data collection in wireless sensor networks[C]// Proceedings of 2014 IEEE Wireless Communications and Networking Conference (WCNC). 2014: 2868-2873.
[19]	SARNO R , SINAGA F , SUNGKONO K R . Anomaly detection in business processes using process mining and fuzzy association rule learning[J]. Journal of Big Data, 2020,7:5.
[20]	郭涛敏 . 基于轻量化关联规则挖掘的安全日志审计技术研究[J]. 现代电子技术, 2019,42(15): 83-85,90.
	GUO T M . Research on security log audit technology based on lightweight association rules mining[J]. Modern Electronics Technique, 2019,42(15): 83-85,90.
[21]	PAN D W , LIU D T , ZHOU J ,et al. Anomaly detection for satellite power subsystem with associated rules based on Kernel Principal Component Analysis[J]. Microelectronics Reliability, 2015,55(9/10): 2082-2086.
[22]	B?HMER K , RINDERLE-MA S , . Mining association rules for anomaly detection in dynamic process runtime behavior and explaining the root cause to users[J]. Information Systems, 2020,90: 101438
[23]	李凤华, 李子孚, 李凌 ,等. 复杂网络环境下面向威胁监测的采集策略精化方法[J]. 通信学报, 2019,40(4): 49-61.
	LI F H , LI Z F , LI L ,et al. Collection policy refining method for threat monitoring in complex network environment[J]. Journal on Communications, 2019,40(4): 49-61.

采集项类型	采集项名称	采集参数类型	采集参数取值范围
	命令执行记录	开关	0/1
主动探测采集类	登录记录	开关	0/1
	Web访问记录	开关	0/1
	CPU负载	频率范围	1~300
	内存负载	频率范围	1~300
定时采集类	IO负载	频率范围	1~300
	网络负载	频率范围	1~300
	用户进程MD5值	频率范围	10~1 800
	TCP记录	抽样概率	0.01~1
	UDP记录	抽样概率	0.01~1
抽样采集类
	ICMP记录	抽样概率	0.01~1
	流量应用层数据	抽样概率	0.01~1

安全事件	过程	事件特有属性
端口扫描	扫描各个端口的服务	源IP
SYN DDoS攻击	不断发送SYN连接请求	多个源IP、持续时间
SSH登录	远程SSH登录	源IP、登录账户
Web扫描	扫描Web路径	源IP、访问URL数量、持续时间
弱口令探测	多次尝试SSH登录	源IP、失败次数、持续时间
CPU占用异常	CPU占用过高，大于设定阈值	阈值、持续时间
未知用户进程运行	设立用户进程的白名单，发现未知的用户进程运行	程序MD5值
更改文件权限	执行更改文件权限的命令	命令执行账户
传输文件	执行传输文件的命令	命令执行账户
查看Linux版本	执行查看Linux版本的命令	命令执行账户
密码修改	执行密码修改的命令	命令执行账户
SQL注入	尝试进行SQL注入攻击	源IP
挖矿程序运行	执行挖矿程序	用户进程MD5值，CPU负载
数据库连接	尝试远程连接本主机的数据库	源IP
FTP文件下载	尝试下载文件	源IP
FTP远程上传	FPT上传文件	源IP、文件MD5
Telnet试探	多次尝试Telnet登录	源IP
CVE-2018-2628	构造基于WebLogic反序列化的数据包，并进行发送	源IP
CVE-2014-0457	构造基于CVE-2014-0457的数据包，并进行发送	源IP
发起SYN DDoS	运行脚本，持续向其他主机发起TCP连接，并连接失败	源IP、程序MD5值
CVE-2017-2636	基于Linux内核漏洞CVE-2017-2636进行本地提权	命令执行账户
ICMP探测	发送ICMP数据包	源IP

节点数		种群数
节点数	10	100	1 000
3	1s	9s	100 s
10	2.6 s	25.7 s	277 s
20	4.5 s	52 s	600 s

基于规则关联的安全数据采集策略生成

Using rule association to generate data collection policies

在线阅读

pdf下载

可视化

摘要/Abstract

引用本文

使用本文

图/表 9

参考文献 23

相关文章 1

Metrics

推荐阅读 0