
Research on Network Security Threat and Situation Assessment Methods

Research on the Network Security Threat and Situation Assessment

【Author】 雷杰

【Supervisor】 李芝棠

【Author information】 华中科技大学, Computer System Architecture, 2008, PhD

【Abstract (Chinese)】 The increasingly severe network security situation poses challenges to traditional network security techniques. Existing detection tools can only generate alerts from limited information, and those alerts are huge in number and low in quality, so it is hard to learn from them how much of a threat an event poses or what security state the system is in. Traditional security assessment methods are only static assessments and cannot reflect real-time risk either. This makes it difficult for network operators to perceive the real-time network security situation with existing techniques, and therefore difficult to make decisions according to actual network conditions, resulting in a serious disconnect between the four links of defense, detection, response and analysis, and in seriously delayed responses to security events. In recent years, the introduction of threat and situation assessment techniques originating in battlefield situational awareness has provided new ideas for solving the network security situational awareness problem. Network security threat and situation assessment means: using information fusion methods to process the real-time network security data produced by detection tools, assessing the threat level of attacks and the real-time network security state, producing an intuitive and effective security situation report, and making reasonable predictions about the future security situation. This dissertation studies threat assessment, situation assessment and situation prediction methods in turn.

The factors influencing the threat level of an attack can be grouped into six classes: attack destructiveness, environment, success rate, statistics, correlation and effect. A threat assessment framework is constructed in six stages: severity assessment, environment assessment, credibility assessment, statistical assessment, correlation assessment and effect assessment. The methods of each stage are described and implemented in the SATA (Security Alert and Threat Analysis) system designed for this work. Severity assessment uses hazard grading and the CVSS vulnerability scoring method; environment assessment is realized by setting asset values and priorities; credibility assessment uses Bayesian networks; statistical assessment uses alert frequency statistics and a method for identifying periodic false alerts; correlation assessment uses an alert correlation language; effect assessment uses a qualitative attack effect assessment method.

Situation assessment uses a hidden Markov model (HMM). The problems of observation event classification and model parameter configuration are solved. Alerts are classified using the threat assessment results, which improves the accuracy of event classification. A genetic algorithm is used to optimize the HMM parameters; a quantitative evaluation mechanism for network security situation assessment results is established to define the optimization objective, and a rule set for evaluation is built from honeynet data. Comparative experiments show that the method is effective.

Five characteristics that determine the predictability of the network security situation are identified: 1) attacks have causal relationships among them; 2) different attacks differ in their likelihood of appearing as evidence of future attacks; 3) usually, future attacks share attributes with the "evidence"; 4) attack intentions can be inferred; 5) there is a connection between the evidence and the trend of the security state. A prediction method centered on "evidence extraction" is designed. Evidence is extracted from alerts using attack sequence patterns and the "prediction rate" of attacks. The "prediction rate" metric is proposed to express how likely an attack is to appear as evidence of a future attack, and serves as the basis for selecting evidence. The AprioriAll sequential pattern mining algorithm is modified so that it computes the prediction rate while mining attack sequence patterns from historical alerts. Alert sequences with higher prediction rates are selected as evidence. An HMM between the evidence and the security trend is then constructed to predict the security situation. Experiments on the DARPA data set show that the method is effective.

【Abstract】 Traditional network security techniques have shown their drawbacks in the increasingly complex and severe network security environment. Intrusion detection tools can only deliver alerts based on limited knowledge of attacks, while the alert stream is always poor in quality and can easily be overwhelming, which makes it very hard to know how much threat the detected attacks pose to the network and which security states the hosts are in. Meanwhile, the traditional security assessment approaches cannot assess the real-time security situation. These problems make it very difficult for security operators to know the current security threat and situation using traditional security tools.

Network security threat and situation assessment aims to extract knowledge of the current security threat and situation from raw security data reported by traditional security tools through data fusion techniques, and to predict the future security situation based on historical security information and present attacks. This paper studies the approaches of threat assessment, situation assessment and situation prediction.

The threat of a network attack is determined by six kinds of factors: attack severity, attack environment, probability of success, statistical factors, correlation factors and attack effect. Based on this conclusion, a framework for threat assessment is proposed, which comprises six steps. The approaches of every step are introduced in the paper and implemented in the SATA (Security Alert and Threat Analysis) system. Qualitative attack hazard gradation and the CVSS mechanism are used in severity assessment. The values of assets and security policies are set to evaluate the environmental factors. A Bayesian network is used to calculate the reliability of the alerts. In statistical assessment, a novel approach is proposed to find the periodicity of alerts based on time series analysis techniques. A language of alert correlation is implemented in the system, and an experiment of qualitative attack effect assessment is introduced.

An HMM (Hidden Markov Model) is used to assess the network security situation. The problems of observation event classification and parameter configuration in this approach are solved. For the first problem, the result of threat assessment is used to classify the alerts based on their threat scores, which limits the size of the observation (Obs) matrix of the HMM and improves the accuracy of observation classification. For the latter, the genetic programming algorithm is used. A mechanism for quantitatively evaluating the fitness of a situation assessment result is proposed: a set of risk description rules is defined, and the matching degree between the result of situation assessment and the rules is calculated, which determines the fitness of the result. Honeynet alerts are used to construct the risk description rule set. Comparative tests validated the effectiveness of the approach.

Five characteristics of the network situation prediction problem are defined: 1) there is a causal relationship between future attacks and past attacks; 2) different attack types differ in their likelihood of being followed by further attacks; 3) the evidence of future attacks reflects important information about the future attacks by itself; 4) the attack plan can be recognized from the accumulation of evidence; 5) there is a relationship between the evidence of future attacks and the trend of the network situation. Based on these characteristics, an approach to situation prediction is proposed. First, the evidence of future attacks is extracted from IDS alerts according to attack sequence patterns and the predictability of attack types. The predictability of an attack type represents the possibility of its attacks being evidence of future attacks. The attack sequence patterns are generated by a data mining algorithm. The AprioriAll algorithm is modified so that it can calculate the probability of sequence patterns occurring at the start or in the middle of other sequence patterns, which determines the predictability of the attack sequences. Then the future security situation can be predicted from the evidence. D-S evidence theory is used for plan recognition, and an HMM between the evidence and the trend of the security situation is constructed to predict the probability distribution of future security states. Experiments with the DARPA data sets show the effectiveness of the approach.
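As an added illustration of the HMM-based situation assessment step described in the abstracts (example code written for this page, not code from the dissertation or the SATA system): alerts enter as threat-assessment scores, are bucketed into a small set of observation classes so that the observation matrix stays small, and a normalized forward pass yields the probability distribution over hidden security states for each interval, which is then collapsed into a single risk value. The state set, the score thresholds, the transition and emission probabilities, the risk weights and the sample score sequence are all constructed assumptions; the dissertation tunes its HMM parameters with a genetic algorithm against honeynet-derived rules, which is not reproduced here.

```python
"""Added example (not from the dissertation): HMM situation assessment where
IDS alerts are first mapped to observation classes by their threat score and
then filtered with the forward algorithm to obtain P(security state | alerts).
"""
from typing import Dict, List, Sequence, Tuple

# Constructed hidden security states of a host; the abstract does not give the
# real model's state set, so this is an assumption.
STATES = ("normal", "probed", "compromised")
# Observation classes are threat-score bands rather than raw alert types, which
# keeps the observation (emission) matrix small.
OBS = ("none", "low", "medium", "high")

# Constructed model parameters (hand-picked here; the dissertation optimizes
# them with a genetic algorithm).
INIT = {"normal": 0.9, "probed": 0.08, "compromised": 0.02}
TRANS = {
    "normal":      {"normal": 0.85, "probed": 0.13, "compromised": 0.02},
    "probed":      {"normal": 0.30, "probed": 0.50, "compromised": 0.20},
    "compromised": {"normal": 0.05, "probed": 0.15, "compromised": 0.80},
}
EMIT = {
    "normal":      {"none": 0.80, "low": 0.15, "medium": 0.04, "high": 0.01},
    "probed":      {"none": 0.30, "low": 0.40, "medium": 0.25, "high": 0.05},
    "compromised": {"none": 0.10, "low": 0.15, "medium": 0.35, "high": 0.40},
}
# Constructed risk weight per state, used to collapse a state distribution
# into one situation value in [0, 1].
RISK = {"normal": 0.0, "probed": 0.4, "compromised": 1.0}


def classify(threat_score: float) -> str:
    """Map a threat-assessment score in [0, 1] to an observation class.
    A score of 0 means no alert in the interval. Thresholds are constructed."""
    if threat_score <= 0.0:
        return "none"
    if threat_score < 0.3:
        return "low"
    if threat_score < 0.7:
        return "medium"
    return "high"


def forward(observations: Sequence[str]) -> List[Dict[str, float]]:
    """Normalized forward algorithm: returns P(state_t | obs_1..obs_t) for every t.
    Normalizing each step avoids underflow on long alert streams."""
    beliefs: List[Dict[str, float]] = []
    prev: Dict[str, float] = {}
    for o in observations:
        if not prev:
            unnorm = {s: INIT[s] * EMIT[s][o] for s in STATES}
        else:
            unnorm = {
                s: EMIT[s][o] * sum(prev[r] * TRANS[r][s] for r in STATES)
                for s in STATES
            }
        z = sum(unnorm.values())
        if z == 0.0:
            raise ValueError(f"observation {o!r} is impossible under the model")
        cur = {s: v / z for s, v in unnorm.items()}
        beliefs.append(cur)
        prev = cur
    return beliefs


def situation(threat_scores: Sequence[float]) -> List[Tuple[str, float]]:
    """Per-interval situation report: most likely hidden state and expected risk."""
    obs = [classify(t) for t in threat_scores]
    report: List[Tuple[str, float]] = []
    for belief in forward(obs):
        likely = max(belief, key=belief.get)
        risk = sum(belief[s] * RISK[s] for s in STATES)
        report.append((likely, round(risk, 3)))
    return report


# Constructed sequence of per-interval threat scores: quiet, a low-scoring
# alert, two medium ones, two high ones, then silence again.
SAMPLE_SCORES = [0.0, 0.1, 0.5, 0.6, 0.9, 0.9, 0.0]

if __name__ == "__main__":
    for score, (state, risk) in zip(SAMPLE_SCORES, situation(SAMPLE_SCORES)):
        print(f"score={score:.1f} -> state={state:<11} risk={risk:.3f}")
```

Note that the final quiet interval does not return the host to "normal": the belief stays on "compromised" because the transition model makes that state sticky, which is the behaviour an operator wants from a situation assessor rather than an alert counter.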

  • 【Classification number】 TP393.08
  • 【Citation count】 13
  • 【Download count】 1515