基于无监督多源数据特征解析的网络威胁态势评估

doi:10.11959/j.issn.1000-436x.2020015

摘要/Abstract

摘要：

针对监督式神经网络测试网络威胁时需根据数据类别标记进行建模的局限性，提出了一种基于无监督多源数据特征解析的网络威胁态势评估方法。首先，设计了一个面向安全威胁评估的变分自动编码器-生成式对抗网络（V-G），将只包含正常网络流量的训练数据集输入V-G的网络集合层进行模型训练，并计算各层网络输出的重构误差。然后，通过输出层的三层变分自动编码器重构误差学习并获取训练异常阈值，使用包含异常网络流量的测试数据集测试分组威胁并统计每组测试的威胁发生概率。最后，根据威胁发生概率确定网络安全威胁严重度，结合威胁影响度计算威胁态势值以获取网络威胁态势。仿真实验结果表明，所提方法对网络威胁具有较强的表征能力，能够有效直观地评估网络威胁的整体态势。

关键词: 无监督, 多源数据特征解析, 变分自动编码器-生成式对抗网络, 威胁发生概率, 威胁态势评估

Abstract:

Aiming at the limitations of supervised neural network in the network threat testing task relying on data category tagging,a network threat situation evaluation method based on unsupervised multi-source data feature analysis was proposed.Firstly,a variant auto encoder-generative adversarial network (V-G) for security threat assessment was designed.The training data set containing only normal network traffic was input to the network collection layer of V-G to perform the model training,and the reconstruction error of the network output of each layer was calculated.Then,the reconstruction error learning was performed by the three-layer variation automatic encoder of the output layer,and the training abnormal threshold was obtained.The packet threat was tested by using the test data set containing the abnormal network traffic,and the probability of occurrence of the threat of each group of tests was counted.Finally,the severity of the network security threat was determined according to the probability of threat occurrence,and the threat situation value was calculated according to the threat impact to obtain the network threat situation.The simulation results show that the proposed method has strong characterization ability for network threats,and can effectively and intuitively evaluate the overall situation of network threat.

Key words: unsupervised, multi-source data feature analysis, V-G, threat probability, threat situation assessment

中图分类号:

TP309

杨宏宇,王峰岩. 基于无监督多源数据特征解析的网络威胁态势评估[J]. 通信学报, 2020, 41(2): 143-154.

Hongyu YANG,Fengyan WANG. Network threat situation assessment based on unsupervised multi-source data feature analysis[J]. Journal on Communications, 2020, 41(2): 143-154.

图/表 20

图1

图3

图2

表1

图4

表2

图5

表3

图6

图7

图8

表4

表5

图9

图10

表6

图11

表7

图12

图13

参考文献 12

[1]	YANG M , JIANG R , GAO T L ,et al. Research on cloud computing security risk assessment based on information entropy and Markov chain[J]. International Journal of Network Security, 2018,20(4): 664-673.
[2]	WANG H , CHEN Z , FENG X ,et al. Research on network security situation assessment and quantification method based on analytic hierarchy process[J]. Wireless Personal Communications, 2018,102(2): 1401-1420.
[3]	SALLAM H . Cyber security risk assessment using multi fuzzy inference system[J]. International Journal of Engineering and Innovative Technology, 2015,4(8): 13-19.
[4]	文志诚, 陈志刚, 唐军 . 基于信息融合的网络安全态势量化评估方法[J]. 北京航空航天大学学报, 2016,42(8): 1593-1602.
	WEN Z C , CHEN Z G , TANG J . Network security situation quantitative evaluation method based on information fusion[J]. Journal of Beijing University of Aeronautics and Astronautics, 2016,42(8): 1593-1602.
[5]	FENG W , WU Y , FAN Y . A new method for the prediction of network security situations based on recurrent neural network with gated recurrent unit[J]. International Journal of Intelligent Computing and Cybernetics, 2018,11(4): 511-525.
[6]	HE F , ZHANG Y , LIU D ,et al. Mixed wavelet-based neural network model for cyber security situation prediction using modwt and hurst exponent analysis[C]// International Conference on Network and System Security. Springer-Verlag, 2017: 99-111.
[7]	DOERSCH C . Tutorial on variational autoencoders[J]. arXiv Preprint arXiv:1606.05908, 2016.
[8]	GOODFELLOW I J , POUGET-ABADIE J , MIRZA M .et al. Generative adversarial nets[C]// The 27th International Conference on Neural Information Processing Systems. MIT Press, 2014: 1-9.
[9]	LAENG E , MORPURGO C . An uncertainty inequality involving L1 norms[J]. Proceedings of the American Mathematical Society, 1999,127(12): 3565-3572.
[10]	MELL P , SCARFONE K , ROMANOSKY S . Common vulnerability scoring system[J]. IEEE Security and Privacy Magazine, 2012,4(6): 85-89.
[11]	唐成华, 余顺争 . 一种基于似然 BP 的网络安全态势预测方法[J]. 计算机科学, 2009,36(11): 97-100.
	TANG C H , YU S Z . A network security situation prediction method based on likelihood BP[J]. Computer Science, 2009,36(11): 97-100.
[12]	赖智全 . 基于混合优化RBF神经网络的网络安全态势预测模型[D]. 兰州:兰州大学, 2017.
	LAI Z Q . Network security situation prediction model based on hybrid optimization RBF neural network[D]. Lanzhou:Lanzhou University, 2017.

无监督网络模型	优点	缺点
VAE	与AE和GAN相比，VAE在编码过程中通过对原始样本添加高斯噪声，使编码器能够更好地学习数据的先验分布，样本生成多样性更好	在度量生成样本与原始样本的相似度时，只能通过误差函数对数据元素间的相似度误差进行粗略计算，可能导致样本匹配的准确度降低
GAN	GAN 对生成样本与原始样本进行误差度量时，重构误差由参数化后的GAN 的判别器决定，由于判别器为神经网络，其进行误差度量时是特征（语义）层面的，而不是简单的数据元素相似度误差计算，而 VAE进行误差度量时，直接计算两者数据元素之间的KL散度和损失函数值，较简单，相比而言GAN的判别标准更高	生成器对真实样本分布的拟合不易收敛到一个较好的结果，且容易导致生成样本的多样性减少或者陷入模式坍塌（MC,model collapse）

数据集	数据量/条	类别/种	流量数据来源
HTTP CSIC 2010	61 000	16	Web应用程序
ADFA-LD	5 925	6	Linux主机异常
ISOT	1 675 424	19	混合僵尸网络
UNSW-NB15	257 673	10	DDoS匿名攻击

攻击类型	编号	态势指标
	1	文件泄露
Web攻击	2	XSS漏洞
	3	参数篡改
	4	拒绝用户访问
DDoS匿名流量攻击	5	渗透攻击
	6	非法系统访问
	7	暴力破解
主机异常检测流量	8	后门攻击
	9	服务器攻击
	10	传输的数据分组数量
混合僵尸网络流量	11	平均有效载荷长度
	12	连接持续时间

威胁严重度	概率区间	说明
安全	0.00～0.20	网络运行稳定正常，没有超出正常认知的恶意行为或具有严重威胁的安全漏洞被发现
低危	0.21～0.40	网络运行受到轻微影响，有少量威胁的安全漏洞被发现
中危	0.41～0.60	网络运行受到一定影响，有较高威胁级别的安全漏洞被发现
高危	0.61～0.80	网络运行受到较大影响，Web 攻击、非法访问等活动增加，多种威胁类型被发现
超危	0.81～1.00	网络运行受到严重影响，有大量异常攻击行为和威胁级别很高的安全漏洞被发现

影响度	概率区间		影响指标
影响度	概率区间	机密性（C）	完整性（I）	可用性（A）
无影响	0.00～0.40	0	0	0
低影响	0.41～0.80	0.22	0.22	0.22
高影响	0.80～1.00	0.56	0.56	0.56