基于规则关联的安全数据采集策略生成

doi:10.11959/j.issn.2096-109x.2021085

Abstract

Abstract:

Collecting security-related data of devices effectively is the foundation of analyzing network threats accurately.Existing data collection methods (full data collection, sampling based data collection and adaptive data collection) do not consider the validity of the collected data and their correlation, which will consume too much collection resources, resulting in low collection yield.To address this problem, considering the factors (relationship between node attributes, network topology relationship, threat status, node resource and node similarity) that impact collection costs and benefits, a rule association method to generate collection policies was designed.In the method, two types of association rules (inter-node association rules and inter-event association rules) were adopted to generate candidate data collection items and reduced the scope of data collection.Then, a multi-objective program was designed to maximize collection benefits and minimize collection costs.Further, a genetic algorithm was designed to solve this program.Proposed method was compared with existing data collection methods.The experimental results show that the number of the collected data records of proposed method is 1 000~3 000 less than that of others per 12 hours, and the validity of the collected data of proposed method is about 4%~10% higher than others, which proves the effectiveness of the proposed method.

Key words: policy optimization generation, multi-objective optimization, collaborative data collection, multiple class-association rules mining

CLC Number:

TP393

Pei CHEN, Fenghua LI, Zifu LI, Yunchuan GUO, Lin CHENG. Using rule association to generate data collection policies[J]. Chinese Journal of Network and Information Security, 2021, 7(5): 132-148.

Figures/Tables 9

References 23

[1]	LIN H Q , YAN Z , CHEN Y ,et al. A survey on network security-related data collection technologies[C]// Proceedings of IEEE Access. 2018: 18345-18365.
[2]	XIE H M , YAN Z , YAO Z ,et al. Data collection for security measurement in wireless sensor networks:a survey[J]. IEEE Internet of Things Journal, 2019,6(2): 2205-2224.
[3]	ZHOU D H , YAN Z , FU Y L ,et al. A survey on network data collection[J]. Journal of Network and Computer Applications, 2018,116: 9-23.
[4]	JING X Y , YAN Z , PEDRYCZ W . Security data collection and data analytics in the Internet:a survey[J]. IEEE Communications Surveys ＆ Tutorials, 2019,21(1): 586-618.
[5]	LIU G , YAN Z , PEDRYCZ W . Data collection for attack detection and security measurement in mobile Ad Hoc networks:a survey[J]. Journal of Network and Computer Applications, 2018,105: 105-122.
[6]	庞希愚, 姜波, 仝春玲 ,等. 一种自适应数据变化规律的数据采集算法[J]. 计算机技术与发展, 2013,23(2): 157-161.
	PANG X Y , JIANG B , TONG C L ,et al. A kind of data acquisition algorithm of adaptive data change rule[J]. Computer Technology and Development, 2013,23(2): 157-161.
[7]	杨明霞, 王万良, 邵鹏飞 . 基于时间序列的自适应采样机制策略研究[J]. 计算机科学, 2015,42(7): 162-164,181.
	YANG M X , WANG W L , SHAO P F . Adaptive sampling algorithm based on TCP congestion strategy[J]. Computer Science, 2015,42(7): 162-164,181.
[8]	曾文序, 库少平, 郑浩 . 基于旋转门算法的自适应变频数据采集策略[J]. 计算机应用研究, 2018,35(3): 769-772.
	ZENG W X , KU S P , ZHENG H . Strategy of self-adaptive frequency conversion data acquisition based on swing door trending algorithm[J]. Application Research of Computers, 2018,35(3): 769-772.
[9]	LIN H Q , YAN Z , FU Y L . Adaptive security-related data collection with context awareness[J]. Journal of Network and Computer Applications, 2019,126: 88-103.
[10]	陈雷 . 基于数据聚合的无线传感器网络主动管理机制研究[D]. 长沙:湖南大学, 2011.
	CHEN L . Research of initiative management scheme for sensor networks based on data aggregation[D]. Changsha:Hunan University, 2011.
[11]	CHEN L W , PENG Y H , TSENG Y C ,et al. Cooperative sensing data collection and distribution with packet collision avoidance in mobile long-thin networks[J]. Sensors (Basel,Switzerland), 2018,18(10): 3588.
[12]	SAFARA F , SOURI A , SERRIZADEH M . Improved intrusion detection method for communication networks using association rule mining and artificial neural networks[J]. IET Communications, 2020,14(7): 1192-1197.
[13]	章坚武, 黄佳森, 周迪 . 基于模糊理论与关联规则的入侵检测模型[J]. 电信科学, 2019,35(5): 59-69.
	ZHANG J W , HUANG J S , ZHOU D . Intrusion detection model based on fuzzy theory and association rules[J]. Telecommunications Science, 2019,35(5): 59-69.
[14]	王慧, 王宇, 邵翀 . 网络入侵检测中群关联模型的设计与分析[J]. 中国人民公安大学学报(自然科学版), 2018,24(4): 74-77.
	WANG H , WANG Y , SHAO C . Design and analysis of group association model in network intrusion detection[J]. Journal of People's Public Security University of China (Science and Technology), 2018,24(4): 74-77.
[15]	HU W , LI J , CHENG J ,et al. Security monitoring of heterogeneous networks for big data based on distributed association algorithm[J]. Computer Communications, 2020,152: 206-214.
[16]	NGUYEN M T . Distributed compressive and collaborative sensing data collection in mobile sensor networks[J]. Internet of Things, 2020,9: 100156.
[17]	SHA C , SONG D D , YANG R ,et al. A type of energy-balanced tree based data collection strategy for sensor network with mobile sink[J]. IEEE Access, 2019,7: 85226-85240.
[18]	DOUDOU M , DJENOURI D , BARCELO-ORDINAS J M ,et al. Cost effective node deployment strategy for energy-balanced and delay-efficient data collection in wireless sensor networks[C]// Proceedings of 2014 IEEE Wireless Communications and Networking Conference (WCNC). 2014: 2868-2873.
[19]	SARNO R , SINAGA F , SUNGKONO K R . Anomaly detection in business processes using process mining and fuzzy association rule learning[J]. Journal of Big Data, 2020,7:5.
[20]	郭涛敏 . 基于轻量化关联规则挖掘的安全日志审计技术研究[J]. 现代电子技术, 2019,42(15): 83-85,90.
	GUO T M . Research on security log audit technology based on lightweight association rules mining[J]. Modern Electronics Technique, 2019,42(15): 83-85,90.
[21]	PAN D W , LIU D T , ZHOU J ,et al. Anomaly detection for satellite power subsystem with associated rules based on Kernel Principal Component Analysis[J]. Microelectronics Reliability, 2015,55(9/10): 2082-2086.
[22]	B?HMER K , RINDERLE-MA S , . Mining association rules for anomaly detection in dynamic process runtime behavior and explaining the root cause to users[J]. Information Systems, 2020,90: 101438
[23]	李凤华, 李子孚, 李凌 ,等. 复杂网络环境下面向威胁监测的采集策略精化方法[J]. 通信学报, 2019,40(4): 49-61.
	LI F H , LI Z F , LI L ,et al. Collection policy refining method for threat monitoring in complex network environment[J]. Journal on Communications, 2019,40(4): 49-61.

Metrics

Recommended 0

No Suggested Reading articles found!

采集项类型	采集项名称	采集参数类型	采集参数取值范围
	命令执行记录	开关	0/1
主动探测采集类	登录记录	开关	0/1
	Web访问记录	开关	0/1
	CPU负载	频率范围	1~300
	内存负载	频率范围	1~300
定时采集类	IO负载	频率范围	1~300
	网络负载	频率范围	1~300
	用户进程MD5值	频率范围	10~1 800
	TCP记录	抽样概率	0.01~1
	UDP记录	抽样概率	0.01~1
抽样采集类
	ICMP记录	抽样概率	0.01~1
	流量应用层数据	抽样概率	0.01~1

安全事件	过程	事件特有属性
端口扫描	扫描各个端口的服务	源IP
SYN DDoS攻击	不断发送SYN连接请求	多个源IP、持续时间
SSH登录	远程SSH登录	源IP、登录账户
Web扫描	扫描Web路径	源IP、访问URL数量、持续时间
弱口令探测	多次尝试SSH登录	源IP、失败次数、持续时间
CPU占用异常	CPU占用过高，大于设定阈值	阈值、持续时间
未知用户进程运行	设立用户进程的白名单，发现未知的用户进程运行	程序MD5值
更改文件权限	执行更改文件权限的命令	命令执行账户
传输文件	执行传输文件的命令	命令执行账户
查看Linux版本	执行查看Linux版本的命令	命令执行账户
密码修改	执行密码修改的命令	命令执行账户
SQL注入	尝试进行SQL注入攻击	源IP
挖矿程序运行	执行挖矿程序	用户进程MD5值，CPU负载
数据库连接	尝试远程连接本主机的数据库	源IP
FTP文件下载	尝试下载文件	源IP
FTP远程上传	FPT上传文件	源IP、文件MD5
Telnet试探	多次尝试Telnet登录	源IP
CVE-2018-2628	构造基于WebLogic反序列化的数据包，并进行发送	源IP
CVE-2014-0457	构造基于CVE-2014-0457的数据包，并进行发送	源IP
发起SYN DDoS	运行脚本，持续向其他主机发起TCP连接，并连接失败	源IP、程序MD5值
CVE-2017-2636	基于Linux内核漏洞CVE-2017-2636进行本地提权	命令执行账户
ICMP探测	发送ICMP数据包	源IP

节点数		种群数
节点数	10	100	1 000
3	1s	9s	100 s
10	2.6 s	25.7 s	277 s
20	4.5 s	52 s	600 s

Using rule association to generate data collection policies

RichHTML

PDF下载

Knowledge

Abstract

Cite this article

share this article

Figures/Tables 9

References 23

Related Articles 1

Metrics

Recommended 0