网络威胁检测与态势预测关键技术研究

Research on Key Technology of Network Threat Detection and Trend Prediction

【Author】 马冬 (Ma Dong)

【Advisor】 王勇军 (Wang Yongjun)

【Author information】 National University of Defense Technology (国防科学技术大学), Military Command Science (军队指挥学), 2013, doctoral dissertation

【Abstract (translated from the Chinese 摘要)】 A network threat is an actor or event that can compromise the security of a network system environment. A threat is a potential attack, and the two terms are often treated as equivalent, but in this dissertation a threat also covers attack intent. The constant occurrence of network attacks and the growing complexity of threats create serious risks for Internet security, and threat detection has therefore become a hot research topic in network security. Network threat detection first obtains, through some channel, information about threat activity that may currently exist, and then applies a range of analysis, fusion and detection techniques to that information to identify and confirm the presence of threats. Related research at home and abroad has produced results in recent years, but the information collection and correlation/fusion stages of threat detection still carry a large time cost, methods for correlating and fusing threat features have limitations, and collaborative threat-behavior detection and threat prediction are not yet mature; these remain open problems. Targeting these problems and requirements, this dissertation studies the state of the relevant techniques in depth and proposes a parallel deployment algorithm for threat-sensing sensors, an alert correlation technique, a threat behavior classification model with a threat matching detection algorithm based on it, a collaborative detection model with an architecture based on it, and a threat prediction model with a security situation analysis method based on it. The main contributions are as follows:

1. For the collection and correlation of threat information, parallel deployment of threat-sensing sensors is studied and the Sensor Parallel Deployment Algorithm (SPDA) is proposed. The algorithm deploys sensors quickly and in parallel, and the SensorPool prototype system implements it; sensors deployed through SensorPool collect alert information. For the large volume of alerts collected, an alert frequent-pattern mining correlation algorithm and an automatic time-window alert correlation algorithm are proposed, which further correlate the frequent patterns and filter out false alarms, raising the accuracy of alert collection and greatly reducing its time cost.

2. For the generality of threat classification and the matching techniques used in detection, a network threat detection architecture based on a threat behavior classification model and behavior sequence templates is proposed, consisting of an alert processing module, a threat detection module, a collaborative detection module, a threat prediction module and a network situation analysis module. From an analysis of the Snort rule base, the TIAA (a Toolkit for Intrusion Alert Analysis) system and the characteristics of current threat behavior, a framework for the threat behavior classification model is proposed; its modules include an initial classification matching model, a structured semantic model, a feature matching reuse model, a feature matching adaptive iteration model, a threshold determination model, a match type model and a threat matching matrix model. On top of the classification model, the construction of threat behavior sequence templates is proposed, giving a more general rule base for detecting complex attacks. Two threat detection matching algorithms based on the classification model and the sequence templates are proposed, a pattern matching algorithm and a graph matching algorithm. Threat features are finally fused to detect threat behavior, yielding a general threat behavior classification model and a threat matching algorithm with high accuracy and low time cost.

3. For collaborative threat detection, a collaborative threat detection model is defined and the threat detection level collaboration model, TDLC (Threat Detection Level Collaboration), is constructed through its model framework, modeling process and collaboration mechanism. The TDLC model is presented from four aspects: framework structure, data structure, modeling process and collaboration mechanism, together with a collaborative detection system architecture and algorithmic descriptions of its collaborative components. Taking botnets as the example, a distributed detection method based on the collaborative model is proposed, the collaborative working mechanism of sensing sensors in the detection system is described, and the trustworthiness of sensors is raised as a problem. Collaborative detection of complex network threats is finally realized; compared with single-node detection, collaborative detection is better able to detect complex threats and is particularly effective against distributed threats such as botnets.

4. For the poor prediction accuracy found in threat situation analysis, a threat prediction model is proposed. By studying and improving the particle swarm optimization algorithm, a threat overlap prediction algorithm is proposed to predict threat trends; its error is roughly half that of particle swarm optimization. For quantitative evaluation of the network security situation, the network system is divided into the system, host, service and attack levels. A threat index is defined for the existing threats and a method for quantifying and computing it is proposed; an importance weight is computed for every level, and the overall security situation of the network system is judged from these. The D-S evidence theory method is introduced to score the possibility of every threat appearing in the whole network, identify the specific threat class by computation, determine the weight proportion of each threat class that appears, and produce a detailed analysis of the network system's security situation.

The problems studied in this dissertation form a useful summary and exploration of network threat detection technology; the results have practical significance and theoretical value for the development of threat detection and contribute positively to the improvement and development of the network security field.

【Abstract】 A network threat is anything, an actor or an event, that can undermine the security of a network system environment. A threat is a potential attack, and the two terms are often used interchangeably, but in this dissertation a threat also includes attack intent. Frequent cyber attacks and increasingly complex threats pose a growing danger to Internet security, which has made cyber threat detection a hot topic in recent years. Cyber threat detection first gathers information about possible threat activity through various channels, then applies multiple analysis, correlation and detection techniques to identify threats from the signatures in the gathered information, and finally determines the threat class, the threat level, and the origin and destination of the threat. A great deal of effort has recently gone into this field. However, problems remain in collaborative association analysis and system architecture, concerning threat information gathering and correlation, signature extraction and fusion, and threat behavior determination and detection.

Addressing these problems and requirements, this dissertation first reviews the state of the art of cyber threat detection techniques, and then studies a threat sensor parallel deployment algorithm, an alert information association technique, a threat classification model and its threat behavior detection algorithm, a collaborative detection model and its architecture, and a threat prediction model with a security situation analysis method based on it. The major contributions are summarized as follows:

1. A Sensor Parallel Deployment Algorithm (SPDA) for cyber threat information gathering is proposed, and a SensorPool prototype system is implemented. The algorithm deploys threat sensors quickly and in parallel. Deploying sensors through SensorPool makes it easier to use network resources quickly and effectively for security defense and improves the flexibility and effectiveness of deployment. Compared with the popular Virtual Honeynet and Potemkin deployment algorithms, the time cost of SPDA is reduced dramatically; the more deploying nodes there are, the more parallelism is achieved and the lower the time cost. In addition, an association algorithm for alert frequent-pattern mining and automatic alert time-window division is proposed, which further processes the frequent patterns and filters false alarms. Its time cost is reduced to 1/60 of the original algorithm's while retaining more than 95% of the original algorithm's accuracy.

2. A cyber threat detection architecture based on threat classification and behavior sequence templates is proposed, comprising an alert information processing module, a threat detection module, a collaborative detection module, a threat prediction module and a network situation analysis module. By analyzing the Snort rule database, the TIAA (a Toolkit for Intrusion Alert Analysis) system, and the characteristics of current cyber threat behavior, a threat classification framework is proposed; it includes an initial classification matching model, a structural semantics model, a feature match reuse model, a feature match adaptive iteration model, a threshold determination model, a match classification model and a threat matching matrix model, among others. The construction of the two most important modules, the initial classification matching model and the threat matching matrix model, is described in detail. Based on the threat classification model, a construction method for threat behavior sequence templates is proposed, which converts the threats in the rule database into sequences instead of single elements and so provides a more flexible rule base for complex attack detection. Based on the threat classification model and the sequence templates, two threat detection matching algorithms are proposed, a pattern matching algorithm and a graph matching algorithm, in order to fuse threat features with cyber threat behavior. Experimental results indicate that the time cost of both algorithms is reduced by more than 50% compared with the classic Cupid and S-Match algorithms. The average time cost of the graph matching algorithm is about 65% of that of the pattern matching algorithm, and the more graph nodes the template has and the more complex the detection, the smaller the ratio of the graph matching algorithm's time cost to the pattern matching algorithm's.

3. We define the threat collaborative detection model and construct a Threat Detection Layer Cooperation (TDLC) model through a model framework, a modeling process and collaboration mechanisms. The TDLC model is presented in detail from four aspects: model framework, modeling process, data structure and collaboration mechanism. Based on the model, a cyber threat collaborative detection system and its architecture are proposed, and its design objectives, architecture, logical structure, physical structure and working principle are explained in detail. Considering the current mainstream threats, botnets and DDoS attacks, a distributed detection method based on the collaborative model is proposed. Collaborative detection of botnets is built on a collaborative sensing model, and the cooperation mechanism of the threat sensors is then explained. To address the trust problem that deployed sensor nodes might be taken over by attackers, a malicious-sensor determination method based on trust measurement is proposed. For collaborative detection of DDoS attacks, a traffic status snapshot prediction algorithm, a fine-grained anomaly detection algorithm and a malicious IP address extraction algorithm are proposed. Experimental results indicate that, compared with a recently proposed traffic anomaly detection algorithm based on information entropy and the subspace method, the proposed detection algorithm handles botnet-based DDoS attacks effectively. The proposed algorithm has relatively high precision at the initial stage of a threat; as the proportion of DDoS traffic in the background traffic increases, the detection precision of the two algorithms converges to the same value.

4. We propose a threat prediction recognition model as the threat prediction framework. By improving the particle swarm optimization (PSO) algorithm, an overlap prediction algorithm based on the prediction model is proposed, and a threat prediction model is constructed to predict threat trends. The prediction error of the model is about half that of the PSO model, which indicates the accuracy and robustness of the prediction model. For quantitative evaluation of the network security situation, the network is divided into the system level, host level, service level and attack level. We define a threat index for the existing threats and propose a quantitative computation method for it. We further calculate an importance weight for every level and use the weights to evaluate the security situation of the entire network. We introduce a D-S evidence reasoning method to grade the possibility of every threat occurring in the network; by identifying the specific cyber threat class, the method determines the weight ratios of all threats occurring in one day and then produces a detailed analysis of the network security situation.

This dissertation serves as an instructive summary and exploration of cyber threat detection techniques. The results have theoretical and practical value for advancing cyber threat detection research and contribute to the improvement and development of network security.
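The D-S (Dempster-Shafer) evidence reasoning step named in contribution 4 is the one piece of the abstract concrete enough to show in code. The block below is an added illustration written for this catalog entry; it is not code from the dissertation and does not reproduce its threat index or its level weights. It assumes a frame of three threat classes, three hypothetical sensors whose reports are basic probability assignments (mass functions) over subsets of that frame, and a hypothetical per-class severity weight; it fuses the reports with Dempster's rule of combination and grades each class by its belief and plausibility.

```python
"""Dempster-Shafer fusion of threat-sensor reports.

Added example for this catalog entry; it is not code from the dissertation.
Assumptions (not from the abstract): a frame of three threat classes, three
sensors whose reports are basic probability assignments (mass functions) over
subsets of that frame, and a hypothetical per-class severity weight.
"""
from functools import reduce
from itertools import product

# Frame of discernment: the threat classes a sensor may report (assumed).
FRAME = frozenset({"botnet", "ddos", "scan"})


def combine(m1, m2):
    """Dempster's rule of combination for two mass functions.

    Keys are frozensets of hypotheses. Mass falling on an empty intersection
    is the conflict K; the remaining mass is renormalised by 1 / (1 - K).
    Returns the combined mass function and K.
    """
    joint = {}
    conflict = 0.0
    for (a, ma), (b, mb) in product(m1.items(), m2.items()):
        common = a & b
        if common:
            joint[common] = joint.get(common, 0.0) + ma * mb
        else:
            conflict += ma * mb
    if conflict > 1.0 - 1e-12:
        # Fully contradictory sources: Dempster's rule is undefined here.
        raise ValueError("total conflict between sources")
    return {k: v / (1.0 - conflict) for k, v in joint.items()}, conflict


def fuse(reports):
    """Fold Dempster's rule over any number of sensor reports. The rule is
    associative and commutative, so the fusion order does not matter."""
    return reduce(lambda acc, m: combine(acc, m)[0], reports)


def belief(m, hyp):
    """Bel(A): mass committed to subsets of A (lower bound on support)."""
    return sum(v for k, v in m.items() if k <= hyp)


def plausibility(m, hyp):
    """Pl(A): mass that does not contradict A (upper bound on support)."""
    return sum(v for k, v in m.items() if k & hyp)


def threat_index(m, severity):
    """Hypothetical threat index: severity-weighted belief in each single class."""
    return sum(belief(m, frozenset({c})) * w for c, w in severity.items())


# Constructed sample reports (not measurements from the dissertation).
IDS_REPORT = {frozenset({"botnet"}): 0.6, frozenset({"botnet", "ddos"}): 0.3, FRAME: 0.1}
FLOW_REPORT = {frozenset({"ddos"}): 0.5, frozenset({"botnet", "ddos"}): 0.4, FRAME: 0.1}
HOST_REPORT = {frozenset({"botnet"}): 0.5, frozenset({"scan"}): 0.2, FRAME: 0.3}
SEVERITY = {"botnet": 0.9, "ddos": 0.8, "scan": 0.3}  # assumed weights


def assess(reports=(IDS_REPORT, FLOW_REPORT, HOST_REPORT)):
    """Fuse the reports, grade every class by [Bel, Pl], and return the index."""
    fused = fuse(reports)
    grades = {c: (belief(fused, frozenset({c})), plausibility(fused, frozenset({c})))
              for c in sorted(FRAME)}
    return grades, threat_index(fused, SEVERITY)


if __name__ == "__main__":
    grades, index = assess()
    for cls, (bel, pl) in grades.items():
        print(f"{cls:7s} Bel={bel:.3f} Pl={pl:.3f}")
    print(f"threat index = {index:.3f}")
```

With the constructed reports the IDS and flow sensors disagree on botnet versus DDoS (pairwise conflict K = 0.30), and the host sensor's botnet evidence tips the fused result to Bel(botnet) ≈ 0.74 with Pl(botnet) ≈ 0.87; the gap between Bel and Pl is the mass still left on compound hypotheses, which is what distinguishes this from a plain probabilistic vote. A production deployment would first weight or discount a sensor's report by the trust measurement that contribution 3 raises, since a compromised sensor can otherwise steer the fused belief.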
