Computer Science ›› 2023, Vol. 50 ›› Issue (2): 324-332. doi: 10.11896/jsjkx.220800049

• Information Security •

EHFM:An Efficient Hierarchical Filtering Method for Multi-source Network Malicious Alerts

YANG Xin (1), LI Gengxin (1), LI Hui (1,2)

  1 Peking University Shenzhen Graduate School, Shenzhen, Guangdong 518055, China
  2 Peng Cheng Laboratory, Shenzhen, Guangdong 518055, China
  • Received: 2022-08-04  Revised: 2022-11-04  Online: 2023-02-15  Published: 2023-02-22
  • Supported by: Guangdong Province Research and Development Key Program (2019B010137001), National Key R&D Program of China (2017YFB0803204, 2017YFB0803200) and Shenzhen Fundamental Research Programs (GXWD20201231165807007-20200807164903001, JCYJ20190808155607340)

Abstract: Security situation awareness technology based on alarm data plays an essential role in system protection. In a complex network environment, a situation awareness system tracks and predicts network security in time by capturing multiple metrics that represent the system's situation and combining them with alert data. However, network security detection and protection systems generate massive and diverse alarm logs every day. Such massive threat logs and event information lead to a sharp rise in processing complexity and even cause misjudgments. Methods are therefore needed that filter these massive alerts with fine granularity and high accuracy, providing the basis for building reliable situation awareness systems. This paper proposes an efficient hierarchical filtering method (EHFM) for multi-source alarm data. EHFM consists of five layers of filters, and the hierarchical filtering structure gives it scalability and flexibility. First, EHFM defines a unified format for multi-source alarm data so that filtering can be applied uniformly and customized per deployment. Second, the concept of "difference in joint performance entropy", combined with the fuzzy analytic hierarchy process, is proposed to make the filtering robust; together these address the misjudgments caused by excessive alarm volume and by external environmental factors, and so improve filtering accuracy. The threat degree of a malicious event to the system is then classified by considering both the frequency and the impact of its alerts. Finally, the classified and filtered alerts are visualized to facilitate subsequent processing by security managers or downstream software. A security situation awareness system is built on EHFM to verify its efficiency. Comprehensive experiments show that the proposed scheme filters and classifies malicious events at fine granularity and thereby improves the accuracy and effectiveness of security situation awareness in large-scale alarm scenarios.
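As an added illustration (not the paper's EHFM implementation, which is not reproduced on this page), the Python sketch below shows the shape of such a pipeline: a unified alert schema fed by two constructed sources, followed by five filter layers that end in a frequency-and-impact threat classification. The layer contents, field names, severity maps, scoring formula and thresholds are assumptions chosen for illustration; the paper's entropy-difference measure and fuzzy AHP weighting are not implemented, and the sample alerts are constructed.

```python
"""Illustrative hierarchical alert-filtering pipeline (added example).

Not the EHFM code from the paper: the five layers below (unify, environment
filter, dedup, aggregate, classify), the unified field names, the severity
maps and the frequency/impact score are assumptions for illustration.
"""
import json
import math
from collections import defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class Alert:
    """Unified alert record shared by every source (assumed schema)."""
    source: str      # producing sensor: "ids" or "waf"
    ts: int          # epoch seconds
    src_ip: str
    dst_ip: str
    signature: str
    severity: int    # unified scale 1 (low) .. 5 (critical)


# Layer 1: format unification. Two constructed input formats: a pipe-delimited
# IDS line "ts|src|dst|signature|priority" where priority 1 is the most severe
# (Snort-style numbering), and a JSON WAF record with a textual level. Both
# are mapped onto the unified 1..5 severity scale.
IDS_PRIORITY_TO_SEVERITY = {1: 5, 2: 4, 3: 2, 4: 1}
WAF_LEVEL_TO_SEVERITY = {"critical": 5, "high": 4, "medium": 3, "low": 2, "info": 1}


def parse_ids(line):
    ts, src, dst, sig, pri = line.strip().split("|")
    return Alert("ids", int(ts), src, dst, sig, IDS_PRIORITY_TO_SEVERITY[int(pri)])


def parse_waf(line):
    rec = json.loads(line)
    return Alert("waf", int(rec["time"]), rec["client"], rec["server"],
                 rec["rule"], WAF_LEVEL_TO_SEVERITY[rec["level"].lower()])


PARSERS = {"ids": parse_ids, "waf": parse_waf}


def layer_unify(raw):
    """raw: iterable of (source_name, raw_line). Malformed lines and unknown
    sources are dropped so they cannot poison the later layers."""
    alerts = []
    for source, line in raw:
        try:
            alerts.append(PARSERS[source](line))
        except (KeyError, ValueError):  # unknown source/level, bad JSON, bad split
            continue
    return alerts


def layer_environment(alerts, authorized_scanners):
    """Layer 2: drop alerts explained by known-benign environment factors,
    here anything sourced from an authorized vulnerability scanner."""
    return [a for a in alerts if a.src_ip not in authorized_scanners]


def layer_dedup(alerts, window=60):
    """Layer 3: suppress repeats of the same (src, dst, signature) arriving
    within `window` seconds of the last kept copy, regardless of source."""
    kept, last_kept = [], {}
    for a in sorted(alerts, key=lambda a: a.ts):
        key = (a.src_ip, a.dst_ip, a.signature)
        if key in last_kept and a.ts - last_kept[key] < window:
            continue
        last_kept[key] = a.ts
        kept.append(a)
    return kept


def layer_aggregate(alerts):
    """Layer 4: group by (attacker, signature), recording frequency and impact."""
    groups = defaultdict(lambda: {"count": 0, "max_severity": 0, "sources": set()})
    for a in alerts:
        g = groups[(a.src_ip, a.signature)]
        g["count"] += 1
        g["max_severity"] = max(g["max_severity"], a.severity)
        g["sources"].add(a.source)
    return groups


def threat_score(max_severity, count):
    """Impact scaled by frequency; the log keeps a flood from dominating (assumed formula)."""
    return round(max_severity * (1 + math.log2(count)), 2)


def layer_classify(groups, high=10.0, medium=3.0):
    """Layer 5: score every group, assign a threat level and rank the result."""
    events = []
    for (src_ip, sig), g in groups.items():
        score = threat_score(g["max_severity"], g["count"])
        level = "high" if score >= high else "medium" if score >= medium else "low"
        events.append({"src_ip": src_ip, "signature": sig, "count": g["count"],
                       "max_severity": g["max_severity"], "sources": g["sources"],
                       "score": score, "level": level})
    return sorted(events, key=lambda e: e["score"], reverse=True)


def run_pipeline(raw, authorized_scanners):
    alerts = layer_unify(raw)
    alerts = layer_environment(alerts, authorized_scanners)
    alerts = layer_dedup(alerts)
    return layer_classify(layer_aggregate(alerts))


# Constructed sample input: two sources, one repeat burst, one authorized
# scanner and one malformed line.
AUTHORIZED_SCANNERS = {"192.168.1.50"}
SAMPLE_RAW = [
    ("ids", "1000|10.0.0.5|10.0.0.20|SQLi attempt|1"),
    ("ids", "1010|10.0.0.5|10.0.0.20|SQLi attempt|1"),   # repeat within 60 s
    ("ids", "1100|10.0.0.5|10.0.0.20|SQLi attempt|1"),
    ("ids", "1200|10.0.0.9|10.0.0.20|ICMP ping|4"),
    ("ids", "1250|192.168.1.50|10.0.0.20|Port scan|2"),  # authorized scanner
    ("ids", "this line is not an alert"),                  # malformed
    ("waf", '{"time": 1300, "client": "10.0.0.5", "server": "10.0.0.20", '
            '"rule": "SQLi attempt", "level": "High"}'),
    ("waf", '{"time": 1400, "client": "10.0.0.7", "server": "10.0.0.21", '
            '"rule": "XSS", "level": "medium"}'),
]

if __name__ == "__main__":
    for e in run_pipeline(SAMPLE_RAW, AUTHORIZED_SCANNERS):
        print(f'{e["level"]:6} {e["score"]:6} {e["src_ip"]:12} {e["signature"]} '
              f'x{e["count"]} via {sorted(e["sources"])}')
```

Running the file prints the ranked events: the SQL-injection burst from one host, reported by both the IDS and the WAF, is classified "high" because both its impact and its frequency are high, while the single WAF XSS hit and the ICMP alert fall to "medium" and "low". The unified schema is what lets the dedup and aggregation layers merge an IDS and a WAF report of the same event, which is the practical reason for normalizing before filtering.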

Key words: Security analysis, Hierarchical alarm filtering, Multi-source alerts, Security situation assessment, Fuzzy analytic hierarchy process

CLC Number: TP393