
网络安全态势感知若干关键性问题研究

Research on Key Issues in Network Security Situation Awareness

【Author】 胡威

【Advisor】 李建华

【Author details】 Shanghai Jiao Tong University, Communication and Information Systems, 2007, PhD

【Abstract (translated from the Chinese)】 With the continuing development of information technology and the ever-growing scale of networks, the importance of information security has become widely recognized in the field. To safeguard network information security, large-scale research on network security situation awareness is essential. Such research is of great significance for improving the emergency response capability of our country's network systems, mitigating the damage caused by network attacks, discovering potentially malicious intrusion behaviour, and improving the counterattack capability of systems. As a new technology, network situation awareness has great room for development. There is as yet no strict, unified standard for research on network security situation awareness, but the sustained work of practitioners in this field has produced a consensus on what situation awareness is. Network security situation awareness comprises a three-stage process: network security situation perception (Perception), comprehension (Comprehension) and prediction (Prediction). Through a qualitative or quantitative evaluation system for the network security situation, it merges, correlates and fuses the various low-level security events and presents the resulting situation awareness to network administrators as visual graphics. From the information in these views, administrators judge the current and likely future development of the network security situation and then take effective countermeasures. Therefore, using techniques such as information fusion and risk assessment to improve the event detection capability of low-level monitoring devices, and on that basis obtaining an accurate and effective qualitative or quantitative evaluation system, has become an important research direction in network security situation awareness.

In the perception stage, the security events or performance indicators used by network security situation awareness come from low-level security devices, so the awareness capability is directly affected by the accuracy and efficiency of those devices. By examining Dempster-Shafer evidence combination theory and its uncertainty assignment principle, and combining its identity reasoning method with the detection results of multiple sensors, this thesis defines the concepts of subjective uncertainty and objective uncertainty and proposes a sensor spatial combination scheme and an uncertainty reassignment principle, which eliminate the detection blind zones of a single sensor and improve detection accuracy. In addition, because earlier work rarely discussed how to use feature extraction to distinguish anomalies effectively when selecting traffic indicators, this thesis introduces unsupervised learning (Unsupervised Learning) algorithms to perform an optimal evaluation of the feature selection (Feature Selection) scheme, and concludes that traffic statistical features can effectively distinguish traffic states, which provides a theoretical basis for implementing the fused detection scheme.

At present, network security situation awareness research concentrates mostly on attack-threat-oriented situation comprehension. Situation comprehension schemes generally adopt a risk index (Risk Index) as the evaluation metric, partition the network into layers, and quantify the situation awareness result by weighted fusion of the risk values of low-level elements. The research in this thesis aims at more objective and general evaluation results, eliminating the randomness and subjectivity in the assignment of weighting coefficients found in earlier quantitative evaluation index systems. Based on an in-depth analysis of the hierarchical network structure, the Analytic Hierarchy Process (Analytic Hierarchy Process) is introduced into the quantitative evaluation index system for the network security situation, with the service layer, host layer and network layer corresponding to the alternative layer, criteria layer and goal layer of AHP. This thesis defines the concepts of situation meta (Situation Meta), situation weight (Situation Weight) and situation base (Situation Base) to standardize the quantitative evaluation index system, and uses an example to describe how to construct the pairwise comparison matrix (judgment matrix), use the service risk index as the situation base, and finally obtain a quantitative situation awareness result. Simulation results demonstrate the feasibility of the scheme.

Different research organizations understand the network security situation awareness process differently, and there is no standard carrier of situation information or standard situation extraction framework, so the capability of network security situation comprehension cannot be evaluated and lacks normalization. The Endsley situation model is a classic model in the traditional situation awareness field with a standardized data processing and situation extraction process, but it has rarely been applied to network security situation awareness. Since earlier research also concentrated on designing qualitative or quantitative evaluation systems and seldom addressed situation modelling, this thesis proposes an extensible network security situation model and situation extraction framework based on the Endsley model. The scheme merges the situation information users care about, such as attack frequency, attack time and space, into a fine-grained multi-dimensional structure, and introduces the important concept of knowledge bases to assist situation extraction, so that users can carry out secondary analysis on top of the situation model based on temporal and spatial factors, extract the situation information of interest, and thereby support decision making. Evaluated separately on HoneyNet data and on data from the Shanghai Jiao Tong University campus network, the scheme produces efficient and explicit situation visualizations that highlight high-severity situation changes while preserving the details of low-severity changes, which facilitates analysis and management and provides a reference for standardizing situation extraction and situation modelling.

Complete network security situation awareness comprises perception, comprehension and prediction, but previous research has concentrated mostly on the first two stages. The strong randomness and uncertainty of network intrusions and attacks make the resulting security situation variation a complex non-linear process, which limits the use of traditional prediction models. Analysing how network attacks change the situation, this thesis argues that the accumulated curve of the network security situation risk value has an "S"-shaped characteristic, and proposes an improvement to the classic grey Verhulst model. The proposed grey Verhulst model with adaptive parameters (Adaptive Parameters) and equal-dimension grey filling (Equal-Dimensions Grey Filling) adjusts the model parameters dynamically according to the fluctuation of the first-order accumulated sequence. By introducing equal-dimension grey filling, the scheme overcomes the inability of earlier prediction schemes to update promptly when the curve trend changes, without increasing the computational complexity of the conventional model. Experimental results show that, compared with earlier prediction methods based on the conventional GM(1,1) and conventional grey Verhulst models, the scheme effectively improves prediction accuracy and can be generalized.

Finally, after summarizing the thesis, the problems that future security situation awareness research must face are discussed, and three ideas are proposed: applying time series (Time Series) analysis to security situation awareness; using rough set theory (Rough Sets Theory) to predict future changes in the security situation; and situation prediction based on multi-criteria fusion.
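The Dempster-Shafer combination that the perception stage builds on, as an added example that is not code from the thesis: it implements the standard Dempster rule of combination together with belief and plausibility over a two-element frame ({attack, normal}) for one monitored host, and fuses two constructed sensor reports. The sensor names, mass values and the host frame are assumptions for illustration; the thesis's own sensor spatial combination scheme and uncertainty reassignment principle are not reproduced here. The example also handles the total-conflict case in which the rule is undefined, the failure mode a fusion stage must surface rather than silently normalize away.

```python
from itertools import product
from typing import Dict, FrozenSet, List, Optional, Tuple

# Frame of discernment for one monitored host (constructed for this example):
# every sensor assigns mass to "attack", "normal", or the whole frame THETA,
# which is the part of its belief it cannot commit either way.
ATTACK = frozenset({"attack"})
NORMAL = frozenset({"normal"})
THETA = frozenset({"attack", "normal"})

Mass = Dict[FrozenSet[str], float]


def check_mass(m: Mass) -> None:
    """A basic probability assignment puts no mass on the empty set and sums to 1."""
    if any(not s for s in m):
        raise ValueError("mass on the empty set is not allowed")
    if abs(sum(m.values()) - 1.0) > 1e-9:
        raise ValueError("masses must sum to 1")


def combine(m1: Mass, m2: Mass) -> Tuple[Mass, float]:
    """Dempster's rule of combination.

    Returns the fused mass function and the conflict K, the total mass the two
    sources put on disjoint hypotheses. K is renormalised away by the rule, so a
    caller that wants to notice disagreeing sensors has to look at K itself.
    """
    check_mass(m1)
    check_mass(m2)
    fused: Mass = {}
    conflict = 0.0
    for (a, ma), (b, mb) in product(m1.items(), m2.items()):
        c = a & b
        if c:
            fused[c] = fused.get(c, 0.0) + ma * mb
        else:
            conflict += ma * mb
    if conflict >= 1.0 - 1e-12:
        # Total conflict: the rule would divide by zero. Refuse rather than guess.
        raise ValueError("sources are in total conflict; Dempster's rule is undefined")
    return {s: v / (1.0 - conflict) for s, v in fused.items()}, conflict


def combine_all(sources: List[Mass]) -> Tuple[Mass, List[float]]:
    """Fold the rule over any number of sensors, keeping each step's conflict."""
    if not sources:
        raise ValueError("no sources to combine")
    fused = dict(sources[0])
    check_mass(fused)
    conflicts: List[float] = []
    for m in sources[1:]:
        fused, k = combine(fused, m)
        conflicts.append(k)
    return fused, conflicts


def belief(m: Mass, hypothesis: FrozenSet[str]) -> float:
    """Bel(H): mass that implies H (focal sets contained in H)."""
    return sum(v for s, v in m.items() if s <= hypothesis)


def plausibility(m: Mass, hypothesis: FrozenSet[str]) -> float:
    """Pl(H): mass that does not contradict H (focal sets intersecting H)."""
    return sum(v for s, v in m.items() if s & hypothesis)


# Constructed sensor reports, not data from the thesis: a signature IDS that
# fired on the host but cannot vouch for "normal", and a flow anomaly detector
# with a weaker, hedged opinion.
SIGNATURE_IDS: Mass = {ATTACK: 0.6, THETA: 0.4}
FLOW_DETECTOR: Mass = {ATTACK: 0.5, NORMAL: 0.2, THETA: 0.3}


def fused_host_report(sources: Optional[List[Mass]] = None) -> Dict[str, float]:
    """Fuse the sensor reports for one host into belief/plausibility of attack."""
    m, conflicts = combine_all(sources or [SIGNATURE_IDS, FLOW_DETECTOR])
    return {
        "attack_belief": belief(m, ATTACK),
        "attack_plausibility": plausibility(m, ATTACK),
        "unassigned": m.get(THETA, 0.0),
        "max_conflict": max(conflicts) if conflicts else 0.0,
    }


if __name__ == "__main__":
    for name, value in fused_host_report().items():
        print(f"{name:>20}: {value:.4f}")
```

Fusing the second sensor shrinks the unassigned mass from 0.4 to about 0.14 while the conflict K stays small (0.12); a K that approaches 1 means the sensors contradict each other and the normalised result should not be trusted, which is why `combine` returns K alongside the fused mass.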

【Abstract】 With the rapid development of information technologies and the prevalence of the Internet, researchers have agreed on the importance of information security. To protect information and infrastructure, large-scale investigation of Network Situational Awareness (NSA) is necessary; it can improve emergency response capability, reduce the damage of network attacks, find underlying malicious activities and enhance counterattack ability. As an emerging and promising technique, NSA has no unified standard at present, but some common understanding has been achieved. The acquisition of NSA is a process of merging, combining and fusing low-level security events, extracting the interesting information and providing visualization results. Based on visual analysis, the current status and trend of the real network security situation can be obtained and effective measures taken. Hence, using data fusion to enhance the detection performance of low-level equipment and obtaining an accurate and effective situation evaluation system have become important research directions.

The index system of NSA originates from the fusion of security events captured by multiple intrusion detection (ID) systems, and the ability of NSA is influenced by the accuracy and efficiency of the ID. By investigating the Dempster-Shafer evidence theory widely applied in event detection, the uncertainty assignment rule and the evidence combination theory, combining identity reasoning with detection results from multiple sensors, and introducing the definitions of Subjective Uncertainty and Objective Uncertainty, a spatial combination rule and an uncertainty reassignment rule are proposed to eliminate the blind zone and improve detection accuracy. Furthermore, to address how to distinguish anomalies in the selection of flow indices, Unsupervised Learning is introduced to perform an optimal evaluation of feature selection, concluding that flow statistics features can differentiate flow status. The evaluation provides the theoretical basis for the proposed fusion detection method.

Research on NSA focuses on real-time security situation evaluation. The risk index is usually adopted as the evaluation index, and the scheme is implemented by dividing the network hierarchy, assigning simple weighted coefficients and fusing the low-level risk. The purpose here is to acquire objective and general evaluation results and eliminate the deficiencies in the assignment of weighted coefficients. On the basis of a deep analysis of the network hierarchy, the Analytic Hierarchy Process is employed in the whole situation analysis, making the service level, host level and network level correspond to the scheme level, index level and target level of AHP, respectively. Several concepts, namely Situation Meta, Situation Weight and Situation Base, are introduced to standardize situation evaluation. The process is summarized with an example of how to construct the pairwise matrix, adopt the risk index of a service as the situation base, and achieve the evaluation results. Simulation results prove the scheme feasible, and the scheme can be extended.

Different understandings of the Network Security Situation (NSS) among research organizations and the absence of an NSA standard lead to diversity in the acquisition of NSA. As a classical model in the conventional SA field, the Endsley situation model provides standard data processing and situation extraction, whereas the model is seldom employed in NSS. At the same time, earlier research focused on the framework design of situation evaluation without involving NSS modeling. An NSS model and situation extraction framework based on the Endsley model is proposed, which combines incident frequency, incident time and incident space to form a fine-grained multi-dimensional structure. Three important knowledge bases, denoted as situation extraction assistance, can be employed to implement secondary analysis over temporal and spatial factors, to extract the interesting information and to aid decisions. By evaluating the scheme on data captured in HoneyNet and the SJTU campus network, effective and explicit visual graphics can be obtained for the convenience of analysis and management, emphasizing the details of lower-severity attacks while highlighting the situation variation of higher-severity attacks.

The whole NSA can be divided into three phases: situation perception (event detection), situation evaluation and situation prediction, but earlier research mainly concentrates on the former two phases. The strong randomness and uncertainty of network intrusions and attacks make the acquired situation variation a complicated non-linear process and restrict the employment of conventional models. The conventional grey Verhulst model is improved on the view that the 1-AGO curve of the situation risk value has the characteristics of an S-type curve. In the proposed grey Verhulst model with adaptive parameters and equal-dimensions grey filling, the parameters are adjusted dynamically by virtue of the 1-AGO curve variation. Without increasing computational complexity, the equal-dimensions grey filling method is adopted to overcome the lack of real-time update corresponding to curve tendency in conventional prediction schemes. Simulation results prove that precision is efficiently improved compared with the traditional GM(1,1) and grey Verhulst models.

Finally, on the basis of a summary of the research work, further development of NSA is discussed. We present the application of Time Series Analysis in future research on NSA, and propose that Rough Sets Theory can be used to predict future situation variation qualitatively.
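The AHP-based quantitative evaluation both abstracts describe, as an added example that is not the thesis's own code: services form the alternative layer, hosts the criteria layer and the network the goal, a pairwise judgment matrix at each level yields situation weights (the normalised principal eigenvector, computed by power iteration), the service risk indices serve as the situation base, and the network situation is the weighted sum up the hierarchy. All judgment matrices and risk indices are constructed for illustration, and the consistency check uses Saaty's standard random index table; the thesis's situation meta concept is not defined on this page and is not modelled. The example goes slightly beyond the text in that it also rejects an inconsistent judgment matrix (CR above 0.1), the check that keeps subjective pairwise judgments from quietly corrupting the evaluation.

```python
from typing import List, Tuple

Matrix = List[List[float]]

# Saaty's random consistency index RI for matrix orders 0..10 (standard AHP table).
RANDOM_INDEX = [0.0, 0.0, 0.0, 0.58, 0.90, 1.12, 1.24, 1.32, 1.41, 1.45, 1.49]


def priority_vector(a: Matrix, tol: float = 1e-12, max_iter: int = 1000) -> Tuple[List[float], float]:
    """Normalised principal eigenvector and lambda_max of a judgment matrix (power iteration)."""
    n = len(a)
    if any(len(row) != n for row in a):
        raise ValueError("judgment matrix must be square")
    v = [1.0 / n] * n
    for _ in range(max_iter):
        w = [sum(a[i][j] * v[j] for j in range(n)) for i in range(n)]
        total = sum(w)
        w = [x / total for x in w]
        converged = max(abs(w[i] - v[i]) for i in range(n)) < tol
        v = w
        if converged:
            break
    av = [sum(a[i][j] * v[j] for j in range(n)) for i in range(n)]
    lam = sum(av[i] / v[i] for i in range(n)) / n
    return v, lam


def consistency_ratio(a: Matrix) -> float:
    """CR = CI / RI with CI = (lambda_max - n) / (n - 1); orders 1 and 2 are always consistent."""
    n = len(a)
    if n <= 2:
        return 0.0
    if n >= len(RANDOM_INDEX):
        raise ValueError("no RI value for this matrix order")
    _, lam = priority_vector(a)
    return ((lam - n) / (n - 1)) / RANDOM_INDEX[n]


def situation_weights(a: Matrix, max_cr: float = 0.1) -> List[float]:
    """Situation weights from a judgment matrix; judgments with CR > 0.1 are rejected."""
    cr = consistency_ratio(a)
    if cr > max_cr:
        raise ValueError(f"judgment matrix inconsistent: CR={cr:.3f} > {max_cr}")
    return priority_vector(a)[0]


# One host entry: (judgment matrix over its services, service risk indices = situation base).
Host = Tuple[Matrix, List[float]]


def network_situation(host_matrix: Matrix, hosts: List[Host]) -> Tuple[float, List[float]]:
    """Goal-layer value: weighted host risks, each a weighted sum of its service risk indices."""
    if len(hosts) != len(host_matrix):
        raise ValueError("one judgment row per host expected")
    host_w = situation_weights(host_matrix)
    host_risk: List[float] = []
    for service_matrix, base in hosts:
        service_w = situation_weights(service_matrix)
        if len(service_w) != len(base):
            raise ValueError("one risk index per service expected")
        host_risk.append(sum(w * r for w, r in zip(service_w, base)))
    return sum(w * r for w, r in zip(host_w, host_risk)), host_risk


# Constructed judgment matrices and risk indices (not the thesis's data).
HOST_JUDGMENTS: Matrix = [[1, 2, 2], [0.5, 1, 1], [0.5, 1, 1]]  # host 1 judged twice as important
HOSTS: List[Host] = [
    ([[1, 3], [1 / 3, 1]], [0.8, 0.2]),  # public service judged 3x the weight of the admin service
    ([[1]], [0.1]),                      # single-service host
    ([[1, 1], [1, 1]], [0.4, 0.6]),      # two equally weighted services
]
# Circular preferences (1 > 2 > 3 > 1): shows the consistency check firing.
INCONSISTENT: Matrix = [[1, 3, 1 / 3], [1 / 3, 1, 3], [3, 1 / 3, 1]]


def evaluate_example() -> Tuple[float, List[float]]:
    return network_situation(HOST_JUDGMENTS, HOSTS)


if __name__ == "__main__":
    total, per_host = evaluate_example()
    print("host risks:", [round(r, 3) for r in per_host])
    print("network situation:", round(total, 3))
    print("CR of the circular matrix:", round(consistency_ratio(INCONSISTENT), 3))
```

With these inputs the host risks come out as 0.65, 0.1 and 0.5 and the network situation as 0.475; the circular matrix has a CR above 1, so `situation_weights` refuses it instead of producing weights from contradictory judgments.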

  • 【Classification number】 TP393.08
  • 【Citation count】 12
  • 【Download count】 1710