Computer Science (计算机科学), 2019, Vol. 46, Issue 5: 116-121. doi: 10.11896/j.issn.1002-137X.2019.05.018

• Information Security •

High-performance Association Analysis Method for Network Security Alarm Information (高性能网络安全告警信息的关联分析方法)

FU Ze-qiang (付泽强), WANG Xiao-feng (王晓锋), KONG Jun (孔军)

  1. (School of Internet of Things Engineering, Jiangnan University, Wuxi, Jiangsu 214122, China)
  • Received: 2018-05-08 Revised: 2018-07-25 Published: 2019-05-15
  • About the authors: FU Ze-qiang (born 1991), male, master's student; main research interests: network security, data mining; E-mail: 760188504@qq.com. WANG Xiao-feng (born 1978), male, Ph.D., associate professor; main research interests: network security, network simulation; E-mail: wangxf@jiangnan.edu.cn (corresponding author). KONG Jun (born 1974), male, Ph.D., associate professor; main research interests: artificial intelligence, machine vision.
  • Funding:
    Supported by the National Natural Science Foundation of China (61672264) and the National Key Research and Development Program of China (2016YFB0800803).

Abstract: In a network security defense system, the intrusion detection system produces, in real time, a massive volume of redundant and erroneous network security alarm information. It is therefore necessary to mine frequent item patterns from the association rules and sequential patterns of the alert information, identify normal behavior patterns, and screen out the real attack information. Compared with Apriori, FP-growth and other algorithms, the COFI-tree algorithm has a considerable performance advantage, but it still cannot meet the need for fast analysis of large-scale network security information. To this end, this paper proposes an improved association analysis algorithm for network security alert information based on the COFI-tree algorithm. The algorithm improves the performance of COFI-tree through a head-table node addressing mode based on a reverse linked list and a frequent item processing method based on a new SD structure. Experimental results on the KDD Cup 99 dataset show that, compared with the traditional COFI algorithm, this method basically preserves accuracy while greatly reducing computational overhead, shortening processing time by more than 21% on average, and thus solves the problem of low speed in association analysis over massive network alarm information.

Key words: Association analysis, COFI-tree, Data mining, Frequent item sets, Network security

CLC number: TP309
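As an added illustration of the association analysis the abstract describes (this is example code, not the paper's own algorithm), the block below builds the FP-tree and header table that COFI-tree mining starts from and mines frequent attribute combinations from a handful of constructed alert records; the paper's reverse-linked-list head-table addressing and SD structure are not implemented here. The alert records, their attribute=value tokens and the support threshold are all constructed for the example.

```python
from collections import Counter

# Constructed IDS alert records (not from the paper or KDD Cup 99): attribute=value tokens.
ALERTS = [
    {"proto=tcp", "service=http", "flag=SF", "src=10.0.0.5"},
    {"proto=tcp", "service=http", "flag=SF", "src=10.0.0.7"},
    {"proto=tcp", "service=http", "flag=SF", "src=10.0.0.5"},
    {"proto=tcp", "service=smtp", "flag=SF", "src=10.0.0.9"},
    {"proto=tcp", "service=http", "flag=S0", "src=172.16.0.2"},
    {"proto=tcp", "service=http", "flag=S0", "src=172.16.0.2"},
    {"proto=udp", "service=domain", "flag=SF", "src=10.0.0.5"},
]

class Node:  # link = next tree node holding the same item (the header-table chain)
    def __init__(self, item, parent):
        self.item, self.count, self.parent, self.children, self.link = item, 0, parent, {}, None

def build_tree(transactions, min_sup):
    """FP-tree plus header table: item -> [support, head of its node-link chain]."""
    counts = Counter(i for t in transactions for i in t)
    header = {i: [c, None] for i, c in counts.items() if c >= min_sup}
    root = Node(None, None)
    for t in transactions:
        node = root  # insert frequent items only, by descending support (ties by name)
        for item in sorted((i for i in t if i in header), key=lambda i: (-header[i][0], i)):
            child = node.children.get(item)
            if child is None:
                child = node.children[item] = Node(item, node)
                child.link, header[item][1] = header[item][1], child  # prepend to chain
            child.count += 1
            node = child
    return root, header

def mine(transactions, min_sup, suffix=frozenset()):
    """FP-growth driven by the header table; returns {frozenset(itemset): support}."""
    _, header = build_tree(transactions, min_sup)
    found = {}
    for item, (sup, node) in sorted(header.items(), key=lambda kv: (kv[1][0], kv[0])):
        pattern = suffix | {item}
        found[pattern] = sup
        cond = []  # conditional pattern base: prefix path of every node holding this item
        while node is not None:
            path, p = [], node.parent
            while p.item is not None:
                path, p = path + [p.item], p.parent
            cond.extend([set(path)] * node.count)
            node = node.link
        found.update(mine(cond, min_sup, pattern))
    return found

def frequent_alert_patterns(alerts, min_sup):
    """Frequent attribute combinations, largest first: the candidate normal-behavior patterns."""
    return sorted(mine(alerts, min_sup).items(), key=lambda kv: (-len(kv[0]), -kv[1], sorted(kv[0])))
```

With `min_sup=3`, `frequent_alert_patterns(ALERTS, 3)` reports the combination `proto=tcp & service=http & flag=SF` as the dominant (hence routine) pattern, while the two `flag=S0` alerts from `172.16.0.2` fall below the threshold and remain to be examined individually.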