Computer Science ›› 2019, Vol. 46 ›› Issue (8): 64-70. doi: 10.11896/j.issn.1002-137X.2019.08.010
鲁显光, 杜学绘, 王文娟
LU Xian-guang, DU Xue-hui, WANG Wen-juan
Abstract: The raw alerts produced by an intrusion detection system are low-level, isolated from one another and lack any correlation, so security administrators find it hard to discover unknown, high-level security threats among them and therefore cannot understand the overall security posture of the target network. To build attack scenarios from low-level alerts, this paper analyses existing alert correlation knowledge and, addressing the poor performance of data-mining-based alert correlation algorithms on sparse data, proposes a new data-mining-based alert correlation algorithm. First, existing alert correlation algorithms are analysed and compared; then the mechanisms, strengths and weaknesses of the classic Apriori and FP-growth algorithms are described, and FP-growth is improved on the basis of a two-dimensional table; finally, the improved algorithm is used to mine association rules between alerts, and the alerts are then correlated using those rules. To verify the feasibility and performance of the proposed method, simulation tests were run on the DARPA data set; the experimental results show that the scheme achieves good alert correlation.
CLC number:
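As an added illustration of the mining step the abstract describes (this is not code from the paper, and it uses classic FP-growth rather than the paper's two-dimensional-table variant, which the abstract does not detail): frequent itemsets are mined over per-host alert windows, then association rules with support and confidence are derived from them, the same rule form used to link alerts into a scenario. The alert type names and the window contents are constructed for this example.

```python
from collections import Counter, defaultdict
from itertools import combinations
# Constructed sample windows (not from the paper or DARPA): alert types seen per host per window.
WINDOWS = [
    {"ICMP_SWEEP", "PORT_SCAN", "SADMIND_PROBE"},
    {"ICMP_SWEEP", "PORT_SCAN", "SADMIND_PROBE", "SADMIND_BOF"},
    {"PORT_SCAN", "SADMIND_PROBE", "SADMIND_BOF", "RSH_LOGIN"},
    {"ICMP_SWEEP", "PORT_SCAN"},
    {"PORT_SCAN", "SADMIND_PROBE", "SADMIND_BOF", "RSH_LOGIN", "DDOS_DAEMON"},
]

def fp_growth(transactions, min_sup, suffix=()):
    """Yield (itemset, support) for every frequent itemset; transactions are (items, weight)."""
    counts = Counter()
    for tx, w in transactions:
        counts.update({it: w for it in tx})
    freq = {it: c for it, c in counts.items() if c >= min_sup}
    root, header = {"item": None, "count": 0, "parent": None, "children": {}}, defaultdict(list)
    for tx, w in transactions:  # build the FP-tree: frequent items in descending-support order
        node = root
        for it in sorted((i for i in tx if i in freq), key=lambda i: (-freq[i], i)):
            child = node["children"].get(it)
            if child is None:
                child = node["children"][it] = {"item": it, "count": 0, "parent": node, "children": {}}
                header[it].append(child)  # header table links every node of one item
            child["count"] += w
            node = child
    for it in sorted(freq, key=lambda i: (freq[i], i)):  # least frequent item first
        new = suffix + (it,)
        yield frozenset(new), freq[it]
        base = []  # conditional pattern base: the prefix path above each node of `it`
        for leaf in header[it]:
            path, p = [], leaf["parent"]
            while p["item"] is not None:
                path.append(p["item"])
                p = p["parent"]
            base.append((path, leaf["count"]))
        yield from fp_growth(base, min_sup, new)  # recurse on the conditional FP-tree

def alert_rules(windows, min_sup, min_conf):
    """Rules antecedent -> consequent between alert types, valued (support, confidence)."""
    sup = dict(fp_growth([(tx, 1) for tx in windows], min_sup))
    rules = {}
    for items, s in sup.items():
        for k in range(1, len(items)):
            for ante in map(frozenset, combinations(sorted(items), k)):
                conf = s / sup[ante]  # every subset of a frequent itemset is itself frequent
                if conf >= min_conf:
                    rules[(ante, items - ante)] = (s, round(conf, 3))
    return rules
```

With `min_sup=3` and `min_conf=0.8` the noisy singletons (RSH_LOGIN, DDOS_DAEMON) are pruned and rules such as SADMIND_BOF -> {PORT_SCAN, SADMIND_PROBE} survive, which is the kind of rule a correlator uses to chain a probe alert to the later exploit alert on the same host.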