Computer Science, 2023, Vol. 50, Issue 2: 324-332. doi: 10.11896/jsjkx.220800049
Authors: 杨昕 (YANG Xin)1, 李更新 (LI Gengxin)1, 李挥 (LI Hui)1,2
Abstract: In complex network environments, situational awareness technology uses alert data to capture, in real time, a variety of security elements and the changes in situation they cause, perceiving and predicting network security; it plays a major role in security construction. However, the massive volume of threat logs and event information on the Internet brings extremely high analysis complexity and even causes misjudgement in assessment and awareness techniques, posing a great challenge to security management. Filtering of alert events therefore plays an important role, and the granularity and accuracy of that filtering are the foundation of reliable subsequent security situation assessment. This paper proposes EHFM, a hierarchical data filtering model for multi-source network attack alerts, and applies it in a security situational awareness system. EHFM contains 5 layers of filters, designs a unified format for multi-source alert logs, proposes the concept of the joint performance entropy difference, and, combined with methods such as the fuzzy analytic hierarchy process (fuzzy AHP), performs unified, fine-grained and customised filtering of large numbers of alerts, thereby improving the accuracy and flexibility of the security situation assessment algorithm and solving the problem of security-state misjudgement caused by an excessive volume of network attack alerts. The feasibility of the scheme is demonstrated through a code implementation of the EHFM filtering model and the situational awareness system. Extensive experiments show that the scheme can finely classify and filter malicious events, effectively avoid misjudgement caused by external environmental factors, and improve the accuracy of the security situation assessment algorithm in large-scale network attack alert scenarios.
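As an added illustration (not code from the paper), the following Python shows how a fuzzy-AHP weighting of alert attributes can drive a customised filtering stage of the kind the abstract describes. The abstract does not give EHFM's layer definitions or the joint performance entropy difference, so this example uses Buckley's geometric-mean fuzzy AHP as a stand-in; the criteria, the pairwise judgements and the alert records are all constructed.

```python
"""Fuzzy-AHP weighted alert filtering (illustrative stand-in, not EHFM)."""
from functools import reduce

# Three constructed criteria for ranking a unified alert record; the
# triangular fuzzy numbers (l, m, u) below are example judgements, not the
# paper's values. a[i][j] says how much criterion i matters relative to j.
CRITERIA = ["criticality", "confidence", "stage"]
FUZZY_MATRIX = [
    [(1, 1, 1),       (2, 3, 4),   (1, 2, 3)],
    [(1/4, 1/3, 1/2), (1, 1, 1),   (1/3, 1/2, 1)],
    [(1/3, 1/2, 1),   (1, 2, 3),   (1, 1, 1)],
]

def fuzzy_ahp_weights(matrix):
    """Buckley's method: fuzzy geometric mean per row, fuzzy normalisation,
    centroid defuzzification, then renormalise so the weights sum to 1."""
    n = len(matrix)
    geo = []
    for row in matrix:
        # component-wise geometric mean over the row's (l, m, u) triples
        geo.append(tuple(
            reduce(lambda a, b: a * b, (x[k] for x in row)) ** (1 / n)
            for k in range(3)))
    sum_l, sum_m, sum_u = (sum(g[k] for g in geo) for k in range(3))
    # fuzzy division (l, m, u) / (S_l, S_m, S_u) = (l/S_u, m/S_m, u/S_l)
    fuzzy_w = [(l / sum_u, m / sum_m, u / sum_l) for l, m, u in geo]
    crisp = [(l + m + u) / 3 for l, m, u in fuzzy_w]   # centroid
    total = sum(crisp)
    return [w / total for w in crisp]

def score_alert(alert, weights):
    """Weighted sum of the alert's criterion values, each already in [0, 1]."""
    return sum(w * alert[c] for w, c in zip(weights, CRITERIA))

def filter_alerts(alerts, weights, threshold):
    """Keep only alerts whose weighted score reaches the threshold."""
    return [a for a in alerts if score_alert(a, weights) >= threshold]

# Constructed alerts, already normalised into one unified record layout.
SAMPLE_ALERTS = [
    {"id": "a1", "criticality": 0.9, "confidence": 0.8, "stage": 0.7},
    {"id": "a2", "criticality": 0.2, "confidence": 0.9, "stage": 0.1},
    {"id": "a3", "criticality": 0.6, "confidence": 0.3, "stage": 0.9},
]

if __name__ == "__main__":
    w = fuzzy_ahp_weights(FUZZY_MATRIX)
    print(dict(zip(CRITERIA, (round(x, 3) for x in w))))
    print([a["id"] for a in filter_alerts(SAMPLE_ALERTS, w, 0.5)])
```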