Computer Science (计算机科学) ›› 2023, Vol. 50 ›› Issue (2): 324-332. doi: 10.11896/jsjkx.220800049

• Information Security •

EHFM: An Efficient Hierarchical Filtering Method for Multi-source Network Malicious Alerts
(Chinese title: EHFM:一种面向多源网络攻击告警的高效层级化数据过滤方案)

YANG Xin 1, LI Gengxin 1, LI Hui 1,2

  1 Peking University Shenzhen Graduate School, Shenzhen, Guangdong 518055, China
  2 Peng Cheng Laboratory, Shenzhen, Guangdong 518055, China
  • Received: 2022-08-04  Revised: 2022-11-04  Online: 2023-02-15  Published: 2023-02-22
  • Corresponding author: LI Hui (lih64@pkusz.edu.cn)
  • Author contact: yangxin2016@pku.edu.cn
  • Supported by: Guangdong Province Key-Area Research and Development Program, Network Information Security (2019B010137001); National Key R&D Program of China (2017YFB0803204, 2017YFB0803200); Shenzhen Fundamental Research Programs (GXWD20201231165807007-20200807164903001, JCYJ20190808155607340)

Abstract (translated from the Chinese): In complex network environments, situation awareness technology uses alert data to capture, in real time, a range of security factors and the changes in security posture they cause, so as to perceive and predict the state of network security; it plays a major role in security engineering. However, the massive volume of threat logs and event information on the Internet brings very high analysis complexity and even causes misjudgment in assessment and awareness techniques, which poses a serious challenge to security management. Filtering alert events is therefore essential, and the granularity and accuracy of that filtering are the foundation of any reliable subsequent security situation assessment. This paper proposes EHFM, a hierarchical data filtering model for multi-source network attack alerts, and applies it in a security situation awareness system. EHFM contains five layers of filters, defines a unified format for multi-source alert logs, introduces the concept of "difference in joint performance entropy", and combines it with methods such as the fuzzy analytic hierarchy process to filter large volumes of alerts in a unified, fine-grained and customizable way. This improves the accuracy and flexibility of situation assessment algorithms and resolves the misjudgment of security state caused by an excessive volume of attack alerts. The feasibility of the scheme is demonstrated by a code implementation of the EHFM filtering model and of the situation awareness system. Extensive experiments show that the scheme classifies and filters malicious events at fine granularity, effectively avoids misjudgment caused by external environmental factors, and improves the accuracy of security situation assessment algorithms in large-scale attack-alert scenarios.

Keywords (translated from the Chinese): Security analysis, Hierarchical alert filtering, Multi-source alerts, Security situation awareness, Fuzzy analytic hierarchy process

Abstract: Security situation awareness technology based on alarm data plays an essential role in system protection. In the complex network environment, situation awareness systems control and predict network security in time by capturing multiple metrics representing system situations combined with alert data. However, network security detection or protection systems generate massive and diverse alarm logs daily. Such massive threat logs and event information lead to a sharp rise in complexity and even bring some misjudgment problems. Therefore, there is a need for methods that filter the massive alerts with fine granularity and high accuracy to provide the basis for building subsequent reliable situation awareness systems. This paper proposes an efficient hierarchical filtering method (EHFM) for multi-source alarm data. EHFM contains five layers of filters, and the proposed hierarchical filtering structure guarantees its scalability and flexibility. Firstly, EHFM designs a unified format for multi-source alarm data to provide unified and customizable filtering. Moreover, the concept of "difference in joint performance entropy", incorporated with the fuzzy analytic hierarchy algorithm, is proposed, which guarantees its robustness. These methods improve filtering accuracy by solving the problem of misjudgment caused by excessive alarm scale and external environmental factors. Then, the threat degree of malicious events to the system is classified by considering both the frequency and the impact of alerts. Finally, the classified and filtered alerts are visualized to facilitate subsequent processing by security managers or software. Based on the proposed EHFM, a security situation awareness system is developed to verify its efficiency. The results of comprehensive experiments demonstrate that the proposed scheme filters and classifies malicious events at fine granularity and hence improves the accuracy and effectiveness of security situation awareness technology in large-scale alarm scenarios.

Key words: Security analysis, Hierarchical alarm filtering, Multi-source alerts, Security situation assessment, Fuzzy analytic hierarchy process

CLC number: TP393
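The abstract names three mechanisms without giving their formulas: a unified record format for alerts coming from several sensors, criteria weights derived with the fuzzy analytic hierarchy process, and a threat grade that combines alert frequency with alert impact. The Python below is an added example written for this page, not the EHFM implementation from the paper. It normalizes constructed Suricata-EVE-style and syslog-style alert lines into one schema (the sensor name, field names and impact scale are assumptions), derives frequency/impact weights with Buckley's geometric-mean fuzzy AHP over a triangular-fuzzy pairwise matrix (one of several fuzzy-AHP variants; the page does not say which one the paper uses), and grades each (source, signature) group. The five filter layers and the "difference in joint performance entropy" are not reproduced, because the page does not define them.

```python
"""Alert normalization, fuzzy-AHP weighting and frequency/impact grading.

Added example for this page, not the paper's EHFM code. Sensor formats,
field names, comparison judgements and grade thresholds are assumptions.
"""
import json
import math
import re
from collections import defaultdict

# Constructed sample input (not real telemetry): Suricata-EVE-style JSON lines,
# syslog-style lines from a hypothetical sensor "fw1", and one line of junk.
RAW_ALERTS = [
    '{"timestamp":"2023-01-10T08:00:01","src_ip":"10.0.0.5","dest_ip":"10.0.0.9",'
    '"alert":{"signature":"ET SCAN Nmap Scripting Engine","severity":3}}',
    'Jan 10 08:00:02 fw1 ids: src=10.0.0.5 dst=10.0.0.9 sig="SQL injection attempt" level=high',
    '{"timestamp":"2023-01-10T08:00:03","src_ip":"10.0.0.5","dest_ip":"10.0.0.9",'
    '"alert":{"signature":"ET SCAN Nmap Scripting Engine","severity":3}}',
    '{"timestamp":"2023-01-10T08:00:04","src_ip":"10.0.0.5","dest_ip":"10.0.0.9",'
    '"alert":{"signature":"ET SCAN Nmap Scripting Engine","severity":3}}',
    'Jan 10 08:00:05 fw1 ids: src=10.0.0.7 dst=10.0.0.9 sig="Policy violation" level=medium',
    'this line is not an alert at all',
]

SYSLOG_RE = re.compile(r'src=(\S+) dst=(\S+) sig="([^"]+)" level=(\w+)')
LEVEL_TO_IMPACT = {"low": 1, "medium": 2, "high": 3}   # assumed sensor vocabulary


def normalize(line):
    """Map one raw line to the unified record {src, dst, sig, impact in 1..3}.

    Returns None for lines no parser accepts; that is the format-check filter.
    """
    if line.startswith("{"):
        try:
            ev = json.loads(line)
            sev = int(ev["alert"]["severity"])       # Suricata: 1 = most severe, 3 = least
            sev = min(max(sev, 1), 3)
            return {"src": ev["src_ip"], "dst": ev["dest_ip"],
                    "sig": ev["alert"]["signature"], "impact": 4 - sev}
        except (ValueError, KeyError, TypeError):
            return None
    m = SYSLOG_RE.search(line)
    if m and m.group(4) in LEVEL_TO_IMPACT:
        return {"src": m.group(1), "dst": m.group(2),
                "sig": m.group(3), "impact": LEVEL_TO_IMPACT[m.group(4)]}
    return None


CRITERIA = ("frequency", "impact")
# Triangular fuzzy pairwise judgements (l, m, u): "impact is moderately more
# important than frequency", i.e. about 3 with spread 2..4. Assumed values.
PAIRWISE = [
    [(1, 1, 1), (1 / 4, 1 / 3, 1 / 2)],
    [(2, 3, 4), (1, 1, 1)],
]


def fuzzy_ahp_weights(matrix):
    """Buckley's geometric-mean fuzzy AHP: fuzzy row means, fuzzy weights,
    centroid defuzzification, then normalisation to sum 1."""
    n = len(matrix)
    rows = [tuple(math.prod(matrix[i][j][k] for j in range(n)) ** (1.0 / n)
                  for k in range(3)) for i in range(n)]
    sum_l, sum_m, sum_u = (sum(r[k] for r in rows) for k in range(3))
    # Fuzzy division swaps the bounds: l_i / sum_u, m_i / sum_m, u_i / sum_l.
    fuzzy_w = [(r[0] / sum_u, r[1] / sum_m, r[2] / sum_l) for r in rows]
    crisp = [sum(w) / 3.0 for w in fuzzy_w]
    total = sum(crisp)
    return [c / total for c in crisp]


def classify(lines, weights=None):
    """Group accepted alerts by (source, signature) and grade each group by
    weighted relative frequency and maximum impact. Returns (grades, dropped)."""
    if weights is None:
        weights = dict(zip(CRITERIA, fuzzy_ahp_weights(PAIRWISE)))
    records = [r for r in map(normalize, lines) if r is not None]
    dropped = len(lines) - len(records)
    groups = defaultdict(list)
    for r in records:
        groups[(r["src"], r["sig"])].append(r)
    max_count = max((len(g) for g in groups.values()), default=1)
    grades = {}
    for key, g in groups.items():
        freq = len(g) / max_count                  # relative frequency in this batch
        impact = max(r["impact"] for r in g) / 3.0
        score = weights["frequency"] * freq + weights["impact"] * impact
        level = "high" if score >= 0.7 else "medium" if score >= 0.4 else "low"  # assumed cut-offs
        grades[key] = {"count": len(g), "score": round(score, 3), "level": level}
    return grades, dropped


if __name__ == "__main__":
    w = dict(zip(CRITERIA, fuzzy_ahp_weights(PAIRWISE)))
    print("weights:", {k: round(v, 3) for k, v in w.items()})
    grades, dropped = classify(RAW_ALERTS)
    print("dropped (unparseable):", dropped)
    for (src, sig), g in sorted(grades.items(), key=lambda kv: -kv[1]["score"]):
        print(f'{g["level"]:6} {g["score"]:.3f} x{g["count"]} {src} {sig}')
```

With the assumed judgement matrix the weights come out at roughly 0.26 for frequency and 0.74 for impact, so the single high-impact injection alert outranks the three low-severity scan alerts from the same source, while the junk line is dropped at the format check. When all three bounds of every fuzzy number coincide the routine reduces to ordinary geometric-mean AHP, which is a useful sanity check on any fuzzy-AHP implementation; note also that Suricata's severity scale runs the other way from the impact scale used here, which is exactly the kind of mismatch a unified format has to absorb.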