计算机科学 (Computer Science) ›› 2021, Vol. 48 ›› Issue (2): 317-323. doi: 10.11896/jsjkx.191200172

• Information Security •

Reconstruction of Cloud Platform Attack Scenario Based on Causal Knowledge and Temporal-Spatial Correlation

WANG Wen-juan (王文娟), DU Xue-hui (杜学绘), REN Zhi-yu (任志宇), SHAN Di-bin (单棣斌)

  1. PLA Strategic Support Force Information Engineering University, Zhengzhou 450001, China
  • Received: 2019-12-30 Revised: 2020-04-23 Online: 2021-02-15 Published: 2021-02-04
  • Corresponding author: WANG Wen-juan (wwjhhx@sohu.com)
  • About author: WANG Wen-juan, born in 1981, postgraduate, associate professor. Her main research interests include information security and cloud computing.
  • Supported by:
    The National Natural Science Foundation of China (61802436) and the National Key Research and Development Program of China (2016YFB050190104).

Abstract: Attack behavior in cloud computing environments increasingly shows strong concealment and complex, multi-step attack paths: a complete attack reaches its final goal by executing several different attack steps. Existing intrusion detection systems usually lack the necessary correlation capability; they detect only single-step attacks or attack fragments, so multi-step attack patterns are difficult to discover and identify, and the attacker's complete penetration process cannot be restored. To address this problem, this paper proposes an attack scenario reconstruction technique based on causal knowledge and temporal-spatial correlation. First, a Bayesian network is used to model causal knowledge, and causally related attack patterns are mined from alert sequences that share IP address correlation, providing templates for the subsequent correlation analysis. Then, with the causal knowledge network as a basis, alerts are correlated along the causal, temporal and spatial dimensions to discover potential hidden relationships and reconstruct high-level attack scenarios, providing a basis and reference for building a cloud environment that can be monitored and held accountable.

Key words: Alert correlation, Attack scenario, Causal knowledge network, Cloud computing, Temporal-spatial correlation
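The mining and correlation pipeline sketched in the abstract, as an added example that is not code from the paper: it estimates a conditional-probability table between consecutive alert types from IP-correlated alert sequences (a deliberate simplification standing in for the paper's Bayesian causal knowledge network), then chains live alerts into scenarios only when the causal, temporal and spatial checks all hold. All alerts, IP addresses, alert types, the 300-second window and the 0.5 probability threshold are constructed for illustration.

```python
from collections import defaultdict, namedtuple
Alert = namedtuple("Alert", "ts src dst kind")  # ts in seconds; src/dst are IP addresses; kind is the IDS alert type

def ip_linked(prev, a):  # spatial correlation: same attacker source, or the previous victim now acting as source (pivot)
    return a.src == prev.src or a.src == prev.dst

def ip_correlated_sequences(alerts):
    """Group alerts into IP-correlated sequences, the input from which causal attack patterns are mined."""
    seqs = []
    for a in sorted(alerts, key=lambda x: x.ts):
        for s in seqs:
            if ip_linked(s[-1], a):
                s.append(a)
                break
        else:
            seqs.append([a])
    return seqs

def learn_causal_network(alerts):
    """P(next kind | previous kind) over consecutive alerts of each sequence; a stand-in for the paper's Bayesian network."""
    counts = defaultdict(lambda: defaultdict(int))
    for seq in ip_correlated_sequences(alerts):
        for prev, nxt in zip(seq, seq[1:]):
            counts[prev.kind][nxt.kind] += 1
    return {p: {n: c / sum(ns.values()) for n, c in ns.items()} for p, ns in counts.items()}

def reconstruct(alerts, net, window=300, min_prob=0.5):
    """Attach an alert to an open scenario only if the causal, temporal and spatial checks all pass."""
    scenarios = []
    for a in sorted(alerts, key=lambda x: x.ts):
        for sc in scenarios:
            last = sc[-1]
            causal = net.get(last.kind, {}).get(a.kind, 0.0) >= min_prob  # causal dimension
            temporal = a.ts - last.ts <= window                             # temporal dimension
            if causal and temporal and ip_linked(last, a):                  # spatial dimension
                sc.append(a)
                break
        else:
            scenarios.append([a])
    return [[x.kind for x in sc] for sc in scenarios]

# Constructed historical alerts for mining causal knowledge (not data from the paper).
TRAIN = [Alert(0, "10.0.0.5", "10.0.1.9", "port_scan"), Alert(0, "10.0.0.7", "10.0.1.3", "port_scan"), Alert(0, "10.0.0.8", "10.0.1.4", "port_scan"),
         Alert(20, "10.0.0.7", "10.0.1.3", "ssh_bruteforce"), Alert(30, "10.0.0.5", "10.0.1.9", "ssh_bruteforce"), Alert(40, "10.0.0.7", "10.0.1.3", "web_probe"),
         Alert(50, "10.0.0.8", "10.0.1.4", "ssh_bruteforce"), Alert(70, "10.0.0.8", "10.0.1.4", "priv_esc"), Alert(90, "10.0.0.5", "10.0.1.9", "priv_esc"),
         Alert(100, "10.0.1.4", "10.0.1.12", "port_scan")]
# Constructed live alert stream: one intrusion that pivots through its first victim, plus unrelated noise.
LIVE = [Alert(1000, "192.0.2.10", "10.0.1.20", "port_scan"), Alert(1100, "192.0.2.10", "10.0.1.20", "ssh_bruteforce"), Alert(1150, "10.0.0.99", "10.0.1.21", "port_scan"),
        Alert(1160, "10.0.0.99", "10.0.1.21", "ssh_bruteforce"), Alert(1170, "10.0.0.99", "10.0.1.21", "web_probe"), Alert(1200, "192.0.2.10", "10.0.1.20", "priv_esc"),
        Alert(1250, "10.0.1.20", "10.0.1.30", "port_scan"), Alert(2000, "10.0.0.99", "10.0.1.21", "priv_esc")]
```

Running `reconstruct(LIVE, learn_causal_network(TRAIN))` yields one four-step scenario that follows the pivot onto 10.0.1.30, while the low-probability web_probe edge and the out-of-window priv_esc stay separate.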

CLC number: TP309