
网络安全告警信息处理技术研究

Research on Alert Information Processing Technology of Network Security

【Author】 马琳茹 (Ma Linru)

【Advisor】 王建新 (Wang Jianxin)

【Author Information】 National University of Defense Technology (国防科学技术大学), Information and Communication Engineering, 2007, PhD

【Abstract (translated from the Chinese)】 In a network security defense system, security devices of all kinds produce large volumes of inaccurate alert information in real time, mixed with false positives and irrelevant alerts. The real intrusion intent is buried in a mass of low-quality data, which makes the alerts hard to analyze and understand correctly, and isolated alerts cannot accurately reflect the current security state of the network. To address these problems, this thesis studies several key techniques for alert information processing. The main contributions are:

1. Alert pre-processing. A normalized description of alerts is studied; the IDMEF model is extended and implemented in a binary encoding. An alert filtering mechanism based on regular-expression matching is designed, whose rule-tree matching is flexible and convenient. Multi-feature alert aggregation is studied, and the hierarchical structure of the alerts' spatial features is exploited to narrow the range of comparisons and raise processing efficiency.

2. Alert verification and fusion based on multi-source information. A predicate-logic alert verification method is proposed that correlates alert attributes with information about the target network system and detects irrelevant alerts effectively. Fuzzy comprehensive evaluation is applied to alert verification, with the timeliness and the accuracy of the collected target-system information introduced into the membership computation, giving more reasonable judgements. A confidence fusion framework for multi-source alerts is proposed that fuses the alerts of different security devices to improve the accuracy of attack detection.

3. Attack scenario construction from alerts. Based on an attack strategy model, a multi-scale alert correlation method is proposed that analyzes the causal relations between alerts to build attack scenarios at different granularities; the abstraction relations of the alert-type attribute across scales constrain the traversal space of the correlation and improve its efficiency. For the problem of fragmented correlation graphs, a fuzzy-clustering method for combining correlation graphs is proposed that reconstructs attack scenarios effectively.

4. Security state assessment from alerts. Security state assessment based on real-time alerts is studied at the macro and micro levels. At the macro level, a mission-based quantitative assessment method is proposed that gives the threat the system faces under a given mission and the evolution of its state. At the micro level, a quantitative assessment method based on attack scenarios is proposed; taking attack scenarios as input, it reflects, over the whole attack process, the threat and impact that a causally linked series of attacks has on the network system.

5. Implementation of the alert information processing system. A component-based security management platform prototype is designed that provides data support and a runtime environment for alert processing. The event processing module is designed and implemented, using the publish/subscribe pattern for real-time delivery of alert events, and the alert processing algorithms studied in the thesis are implemented as components.

【Abstract】 In a network defense system, different security devices produce a large number of alerts to flag malicious activity. Many of these alerts are wrong: either not related to malicious activity (false positives) or not representative of a successful attack (non-relevant positives). The high volume and low quality of intrusion alerts make it very hard for network administrators to understand the alerts and take appropriate action. Furthermore, isolated alerts cannot properly reflect the current security state of the network. To solve these problems, this dissertation studies several key techniques of alert information processing. The main content of the thesis is as follows:

1. Alert information pre-processing. An alert normalization method is given that extends the IDMEF data model and implements IDMEF in a binary encoding. A rule-based alert filter is designed and implemented; it is flexible and convenient for processing alerts. An alert clustering method based on multiple features is then presented to reduce data redundancy; to improve clustering efficiency, it uses the hierarchy of alert features to shrink the comparison space.

2. Alert verification and fusion based on multi-source information. An alert verification method based on predicate logic is presented, which matches alert attributes against information about the target network system. Uncertain factors influence the accuracy of verification: the quality of the gathered information and its timeliness. To keep the verification results reasonable, an approach that uses fuzzy comprehensive judgement to analyze these uncertainties is given. An alert confidence fusion framework that fuses information from diverse sensors is presented, which decreases false positives while improving the level of detection.

3. Attack scenario construction based on alerts. Based on an attack strategy model, a multi-scale alert correlation approach is put forward, which uses the cause-effect relationships between alerts to construct attack scenarios at different scales. The approach uses the abstraction relationship of the alert-type attribute at different scales to restrict the search space, and the experimental results show that it clearly improves the efficiency of alert correlation. In some conditions the alert correlation graph is split because causal information is lost; to solve this, an algorithm based on fuzzy clustering is proposed that reconstructs the attack scenario using the similarity of alert attributes as a measure of the cause-effect relationship between alerts.

4. Security situation assessment based on alerts. Network security situation evaluation based on received alerts is studied at the macro and micro levels. At the macro level, a mission-based quantitative assessment method is given, which quantifies the network security situation from the threat level of attacks. At the micro level, a quantitative assessment method based on attack scenarios is proposed; using the attack scenario as the assessed object, it yields the threat and impact of a causally related series of attacks over the whole process.

5. Realization of the alert information processing system. A prototype security management platform is designed; it is component-based and provides the underlying data and runtime environment for implementing alert information processing. The component event processing module is designed and implemented in detail; it adopts the publish/subscribe mode for real-time transmission of alerts in a distributed system.
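Item 2 of the abstract describes verifying alerts against information about the target network and fusing confidence across sensors. The Python below is an added illustration of those two ideas, not code from the thesis: the three predicates, the asset inventory, the alert records (including a `platform` field for the OS a signature applies to) and the noisy-OR fusion rule are all constructed assumptions. The thesis's fuzzy comprehensive evaluation of information timeliness and accuracy is not modelled here; verification is plain boolean predicate logic.

```python
"""Predicate-logic alert verification and multi-sensor confidence fusion.

Added example, not the thesis's own code. The inventory, alerts and
predicates below are constructed for illustration.
"""
from collections import defaultdict
from math import prod

# Constructed inventory of the protected network (hypothetical hosts):
# operating system and listening services per address.
INVENTORY = {
    "10.0.0.5": {"os": "linux", "services": {22: "ssh", 80: "http"}},
    "10.0.0.9": {"os": "windows", "services": {445: "smb", 3389: "rdp"}},
}


# Each predicate takes (alert, inventory) and holds when the alert is
# consistent with what is actually deployed on the target.
def host_exists(alert, inv):
    return alert["dst"] in inv


def service_open(alert, inv):
    host = inv.get(alert["dst"])
    return host is not None and alert["dport"] in host["services"]


def platform_matches(alert, inv):
    host = inv.get(alert["dst"])
    # "any" marks a platform-independent signature.
    return host is not None and alert["platform"] in ("any", host["os"])


PREDICATES = (host_exists, service_open, platform_matches)


def verify(alert, inv=INVENTORY):
    """Alert is relevant only if every predicate holds.

    Returns (True, None) or (False, name_of_first_failing_predicate),
    so the analyst can see why an alert was discarded.
    """
    for pred in PREDICATES:
        if not pred(alert, inv):
            return False, pred.__name__
    return True, None


def fuse_confidence(alerts, inv=INVENTORY):
    """Noisy-OR fusion of per-sensor confidence for the same (src, dst, class).

    Alerts that fail verification are dropped before fusion. Independent
    sensors reporting the same event raise the fused confidence; a single
    sensor keeps its own value. (Fusion rule is an assumption of this example.)
    """
    buckets = defaultdict(list)
    for a in alerts:
        ok, _ = verify(a, inv)
        if ok:
            buckets[(a["src"], a["dst"], a["cls"])].append(a["conf"])
    return {k: round(1 - prod(1 - c for c in v), 4) for k, v in buckets.items()}


# Constructed sample alerts from two hypothetical sensors.
ALERTS = [
    {"sensor": "ids-a", "src": "10.9.9.9", "dst": "10.0.0.5", "dport": 445,
     "platform": "windows", "cls": "smb_exploit", "conf": 0.9},
    {"sensor": "ids-a", "src": "10.9.9.9", "dst": "10.0.0.5", "dport": 22,
     "platform": "any", "cls": "ssh_bruteforce", "conf": 0.6},
    {"sensor": "ids-b", "src": "10.9.9.9", "dst": "10.0.0.5", "dport": 22,
     "platform": "any", "cls": "ssh_bruteforce", "conf": 0.7},
    {"sensor": "ids-b", "src": "10.9.9.9", "dst": "10.0.0.42", "dport": 80,
     "platform": "any", "cls": "web_scan", "conf": 0.5},
]

if __name__ == "__main__":
    for a in ALERTS:
        print(a["sensor"], a["cls"], verify(a))
    print(fuse_confidence(ALERTS))
```

The SMB exploit against a Linux host with no port 445 fails `service_open`, the scan of an address that is not in the inventory fails `host_exists`, and only the SSH brute-force reports from both sensors survive to be fused. Note that the predicates are only as good as the inventory: a stale inventory silently discards real alerts, which is exactly the timeliness uncertainty the thesis handles with fuzzy evaluation.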
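Item 3 describes multi-scale alert correlation: causal links between alerts are found through an attack strategy model, and an abstraction hierarchy over alert types restricts which pairs need the fine-grained check. The Python below is an added illustration of that scheme, not the thesis's algorithm; the signatures, the type-to-phase hierarchy, the prerequisite/consequence tables, the time window, the host-continuity rule and the sample alerts are all constructed for the example. It also counts how many candidate pairs reach the fine-grained check with and without the coarse phase filter, which is where the efficiency gain comes from.

```python
"""Multi-scale alert correlation into attack scenarios.

Added example, not code from the thesis. All tables and alerts below are
constructed for illustration.
"""
from collections import defaultdict
from itertools import combinations

# Abstraction hierarchy: concrete signature -> alert type -> attack phase.
SIGNATURE_TYPE = {
    "ET SCAN Nmap": "portscan",
    "SSH brute force": "bruteforce",
    "OpenSSH root login": "remote_login",
    "Outbound beacon to known C2": "beacon",
}
TYPE_PHASE = {"portscan": "recon", "bruteforce": "access",
              "remote_login": "access", "beacon": "control"}

# Coarse-scale strategy model: which phase may causally follow which.
PHASE_NEXT = {"recon": {"access"}, "access": {"access", "control"},
              "control": {"control"}}

# Fine-scale causal model: what each type needs and what it yields on the victim.
PREREQ = {"portscan": set(), "bruteforce": {"knows_service"},
          "remote_login": {"has_creds"}, "beacon": {"has_shell"}}
CONSEQ = {"portscan": {"knows_service"}, "bruteforce": {"has_creds"},
          "remote_login": {"has_shell"}, "beacon": set()}


def same_victim(a, b):
    """Host continuity: b targets a's victim, or originates from it."""
    return b["dst"] == a["dst"] or b["src"] == a["dst"]


def correlate(alerts, window=300):
    """Return (edges, stats); edge (i, j) means alert i is a cause of alert j.

    stats counts pairs that pass the time/host filter ("candidates") and
    pairs that still need the prerequisite/consequence check after the
    phase-level pruning ("fine_checks").
    """
    ordered = sorted(alerts, key=lambda x: x["ts"])
    edges, stats = [], {"candidates": 0, "fine_checks": 0}
    for a, b in combinations(ordered, 2):  # a precedes b in time
        if b["ts"] - a["ts"] > window or not same_victim(a, b):
            continue
        stats["candidates"] += 1
        ta, tb = SIGNATURE_TYPE[a["sig"]], SIGNATURE_TYPE[b["sig"]]
        # Coarse scale first: a single lookup on the phase abstraction.
        if TYPE_PHASE[tb] not in PHASE_NEXT[TYPE_PHASE[ta]]:
            continue
        stats["fine_checks"] += 1
        # Fine scale: a's consequence must supply one of b's prerequisites.
        if CONSEQ[ta] & PREREQ[tb]:
            edges.append((a["id"], b["id"]))
    return edges, stats


def scenarios(alerts, edges):
    """Group causally linked alerts (connected components) into scenarios,
    each listed in time order; isolated alerts are left out."""
    parent = {a["id"]: a["id"] for a in alerts}

    def find(x):
        while parent[x] != x:
            parent[x] = parent[parent[x]]
            x = parent[x]
        return x

    for i, j in edges:
        parent[find(i)] = find(j)
    groups = defaultdict(list)
    for a in sorted(alerts, key=lambda x: x["ts"]):
        groups[find(a["id"])].append(a["id"])
    return [g for g in groups.values() if len(g) > 1]


# Constructed sample alerts: one intrusion chain plus two unrelated scans.
ALERTS = [
    {"id": 1, "ts": 0, "src": "10.9.9.9", "dst": "10.0.0.5", "sig": "ET SCAN Nmap"},
    {"id": 2, "ts": 30, "src": "10.9.9.9", "dst": "10.0.0.5", "sig": "SSH brute force"},
    {"id": 5, "ts": 50, "src": "10.7.7.7", "dst": "10.0.0.9", "sig": "ET SCAN Nmap"},
    {"id": 3, "ts": 90, "src": "10.9.9.9", "dst": "10.0.0.5", "sig": "OpenSSH root login"},
    {"id": 6, "ts": 100, "src": "10.9.9.9", "dst": "10.0.0.5", "sig": "ET SCAN Nmap"},
    {"id": 4, "ts": 120, "src": "10.0.0.5", "dst": "203.0.113.7",
     "sig": "Outbound beacon to known C2"},
]

if __name__ == "__main__":
    found, counts = correlate(ALERTS)
    print(found, counts)
    print(scenarios(ALERTS, found))
```

On this input ten pairs share a victim inside the window, but only five survive the phase-level check and reach the set intersection; the resulting chain scan, brute force, login, beacon becomes one scenario while the unrelated scans stay isolated. The fragmented-graph case the thesis handles with fuzzy clustering (a missing middle alert that breaks the chain) is not covered here: if alert 3 were absent, alerts 1 and 2 and alert 4 would form separate components.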
