内网环境下基于时空事件关联的攻击检测方法

doi:10.11959/j.issn.1000-436x.2020001

通信学报 ›› 2020, Vol. 41 ›› Issue (1): 33-41.doi: 10.11959/j.issn.1000-436x.2020001

内网环境下基于时空事件关联的攻击检测方法

孙伟^1,²,张鹏²,何永全^2,³,邢丽超^2,³

¹ 北京交通大学计算机与信息技术学院，北京 100044
² 中国科学院信息工程研究所，北京 100093
³ 中国科学院大学网络空间安全学院，北京 100049

修回日期:2019-07-08 出版日期:2020-01-25 发布日期:2020-02-11
作者简介:孙伟（1980- ），男，山西忻州人，北京交通大学博士生，主要研究方向为计算机网络、信息安全和网络测量|张鹏（1984- ），男，安徽淮南人，中国科学院副研究员、硕士生导师，主要研究方向为数据挖掘、网络安全|何永全（1997- ），男，辽宁葫芦岛人，中国科学院大学硕士生，主要研究方向为并行计算与分布式系统|邢丽超（1993- ），男，黑龙江哈尔滨人，中国科学院大学硕士生，主要研究方向为信息过滤与内容计算
基金资助:
国家重点研究发展计划基金资助项目(2016YFB0801300);国家自然科学基金资助项目(61602474);国家自然科学基金资助项目(61602467);国家自然科学基金资助项目(61702552)

Attack detection method based on spatiotemporal event correlation in intranet environment

Wei SUN^1,²,Peng ZHANG²,Yongquan HE^2,³,Lichao XING^2,³

¹ School of Computer and Information Technology,Beijing Jiaotong University,Beijing 100044,China
² Institute of Information Engineering,Chinese Academy of Sciences,Beijing 100093,China
³ School of Cyber Security,University of Chinese Academy of Sciences,Beijing 100049,China

Revised:2019-07-08 Online:2020-01-25 Published:2020-02-11
Supported by:
The National Key Research and Development Program of China(2016YFB0801300);The National Natural Science Foundation of China(61602474);The National Natural Science Foundation of China(61602467);The National Natural Science Foundation of China(61702552)

摘要/Abstract

摘要：

针对入侵检测系统使用单个事件作为攻击检测的特征会导致较高误报率的问题，提出了利用贝叶斯网络模型进行跨空间的事件关联和利用卡尔曼滤波器线性模型进行跨时间的事件关联的内网攻击检测方法。基于该方法实现了一个进程查询系统，该系统可以根据用户的高层过程描述来扫描和关联分布的网络事件。实验分析表明，该方法在不增加明显计算开销的情况下能够显著减少内网攻击检测的误报率。

关键词: 时空事件, 内网攻击检测, 进程查询, 入侵检测系统

Abstract:

In view of the fact that a single event as an attack detection feature leads to a higher false positive rate,an intranet attack detection method using Bayesian network model for cross-space event correlation and Kalman filter linear model for cross-temporal event correlation was proposed.Based on the method,a process query system was implemented,which can scan and correlate distributed network events according to the user's high-level process description.Experimental analysis show that the proposed method can significantly reduce the false positive rate of intranet attack detection without increasing the computational overhead.

Key words: spatiotemporal event, intranet attack detection, process query, intrusion detection system

中图分类号:

TP393.1

孙伟,张鹏,何永全,邢丽超. 内网环境下基于时空事件关联的攻击检测方法[J]. 通信学报, 2020, 41(1): 33-41.

Wei SUN,Peng ZHANG,Yongquan HE,Lichao XING. Attack detection method based on spatiotemporal event correlation in intranet environment[J]. Journal on Communications, 2020, 41(1): 33-41.

图/表 9

图1

图2

表1

图3

图4

图5

图6

表2

表3

参考文献 18

[1]	SPRING N , MAHAJAN R , WETHERALL D . Measuring ISP topologies with rocketfuel[J]. ACM Sigcomm Computer Communication Review, 2002,32(4): 133-145.
[2]	DUARTE , FELIPE S L G , SIKANSI ,et al. Nmap:a novel neighborhood preservation space-filling algorithm[J]. IEEE Transactions on Visualization ＆ Computer Graphics, 2014,20(12): 2063-2071.
[3]	NORWAWI N M , GHAZALI O , FAAEQ M ,et al. Detection algorithm for Internet worms scanning that used user datagram protocol[J]. International Journal of Information and Computer Security, 2019,11(1): 17-32.
[4]	TUNG T M , WANG C , WANG J . Understanding the behaviors of BGP-based DDoS protection services[C]// International Conference on Network and System Security. Springer,Cham, 2018: 463-473.
[5]	LAROSE D T , LAROSE C D . Discovering knowledge in data:an introduction to data mining[M]. John Wiley ＆ Sons, 2014.
[6]	POOR H V . An introduction to signal detection and estimation[M]. Springer Science ＆ Business Media, 2013.
[7]	HOWSON C , URBACH P . Scientific reasoning:the Bayesian approach[M]. Open Court Publishing, 2006.
[8]	BENFERHAT S , KENAZA T , MOKHTARI A . A naive bayes approach for detecting coordinated attacks[C]// 32nd Annual IEEE International Computer Software and Applications Conference. IEEE, 2008: 704-709.
[9]	CHANDOLA V , BANERJEE A , KUMAR V . Anomaly detection:a survey[J]. ACM Computing Surveys (CSUR), 2009,41(3):15.
[10]	PATCHA A , PARK J M . An overview of anomaly detection techniques:existing solutions and latest technological trends[J]. Computer Networks, 2007,51(12): 3448-3470.
[11]	TEMPLETON S J . Detection and analysis of cyber attacks using bio-based concepts[D]. Pro Quest Dissertations Publishing, 2018.
[12]	STONE L D , STREIT R L , CORWIN T L ,et al. Bayesian multiple target tracking[M]. Artech House, 2013.
[13]	KALMAN R E . A new approach to linear filtering and prediction problems[J]. Journal of basic Engineering, 1960,82(1): 35-45.
[14]	WITTEN I H , FRANK E , HALL M A ,et al. Data mining:practical machine learning tools and techniques[M]. Morgan Kaufmann, 2016.
[15]	COHEN P , WEST S G , AIKEN L S . Applied multiple regression/correlation analysis for the behavioral sciences[M]. Psychology Press, 2014.
[16]	HO J W , WRIGHT M . Distributed detection of sensor worms using sequential analysis and remote software attestations[J]. IEEE Access, 2017,5: 680-695.
[17]	SUN X , DAI J , LIU P ,et al. Using Bayesian networks for probabilistic identification of zero-day attack paths[J]. IEEE Transactions on Information Forensics and Security, 2018,13(10): 2506-2521.
[18]	JIANG G , CHEN H , UNGUREANU C ,et al. Multiresolution abnormal trace detection using varied-Length $ n $-grams and automata[J]. IEEE Transactions on Systems,Man,and Cybernetics,Part C (Applications and Reviews), 2006,37(1): 86-97.

观测空间		攻击场景
观测空间	s₁	s₂	s₃
o₁	1	0	0
o₂	0	1	0
o₃	1	1	0
o₄	0	0	1

资源	host₁	host₂	host₃	host₄
PROC.MEM	0	0	22	0
PROC.CPU	0	1	1	0
SYS.MEM	0	0	7	0
SYS.CPU	12	20	11	2
Snort	3	2	3	4

方法	误报率	漏报率
基于专家知识的方法	0.008 3	0.025 0
基于数据挖掘的方法	0.006 6	0.003 3

内网环境下基于时空事件关联的攻击检测方法

Attack detection method based on spatiotemporal event correlation in intranet environment

在线阅读

PDF下载

可视化

摘要/Abstract

引用本文

使用本文

图/表 9

参考文献 18

相关文章 6

Metrics

推荐阅读 0

[1]	田有亮,吴雨龙,李秋贤. 基于信息论的入侵检测最佳响应方案[J]. 通信学报, 2020, 41(7): 121-130.
[2]	胥小波,蒋琴琴,郑康锋,武斌,杨义先. 基于混沌粒子群的IDS告警聚类算法[J]. 通信学报, 2013, 34(3): 105-110.
[3]	陈岳兵,冯超,张权,唐朝京. 面向入侵检测的集成人工免疫系统[J]. 通信学报, 2012, 33(2): 125-131.
[4]	梅海彬,龚俭. 多IDS环境中基于可信度的警报关联方法研究[J]. 通信学报, 2011, 32(4): 138-146.
[5]	孙美凤,龚俭,杨望. 基于特征的入侵检测系统的评估新方法[J]. 通信学报, 2007, 28(11): 6-14.
[6]	朱有产,熊伟,静永文,高亚彬. 基于Rough Set理论的综合分类器设计与实现[J]. 通信学报, 2006, 27(11A): 63-67.