
Study on the Real-time Correlative Technologies of Network Security Events (original title: 网络安全事件的实时关联技术研究)

【Author】 马洋明 (Ma Yangming)

【Supervisor】 李之棠 (Li Zhitang)

【Author information】 Huazhong University of Science and Technology, Computer System Architecture, 2007, PhD

【Abstract (translated from the Chinese)】 With the development of networks and their applications, people depend more and more on networks, and the assets connected to them keep growing. At the same time the challenges facing network security grow ever more severe: security incidents caused by malicious attacks occur frequently and cause heavy losses. To protect their network systems, enterprises and organizations deploy ever more security products (intrusion detection systems, firewalls, anti-virus systems and so on), but these products not only fall far short of expectations, they also create new problems. The security events they produce (alerts, security logs and similar data) are enormous in volume and carry serious false positives and false negatives, so they cannot serve as a direct basis for response. As a result it is hard to pick out genuinely dangerous states from the flood of security events, and attacks can be neither detected nor predicted in real time. The many correlation techniques proposed to solve these problems each have their merits but still show serious deficiencies, chiefly in three respects. First, the concepts are vague, with no consideration or definition from a global correlation perspective. Second, there is no real-time correlation solution: some aggregation methods work offline, and those that work online have many parameters that are hard to determine and cannot give effective real-time early warning. Third, there is no real-time, dynamic, quantitative risk assessment system or method built on higher-level security events. Real-time correlation analysis of huge volumes of security events that effectively identifies the real risks or threats is therefore of great importance to network security.

This thesis surveys domestic and foreign security event correlation methods and classifies them into five categories: classification, aggregation, sequence correlation, cross correlation and others. It defines network security event correlation from a global correlation perspective. Network security event correlation can also be called intrusion detection in the broad sense (high-level or post-intrusion detection): a set of data correlation methods proposed for the problems in security event handling, which combines security events from different spatial sources and different time sequences with the concrete network environment, and analyses the relations among security events, and between security events and their environment, in order to reduce false positives, compensate for false negatives and confirm attacks. Four relations among security events are identified (redundancy, sequence, parallelism and environment matching), together with the problem of evaluating correlation systems. The typical open-source correlation system OSSIM is analysed in depth and four directions for improving it are identified. This groundwork provides the theoretical basis for the design of a real-time security event correlation system.

A comprehensive solution for real-time correlation of network security events, NSICMS, is designed. Its guiding principles are "global view, proactivity, object orientation, continuous optimization", and its basic goals are "reduce the number of security events, raise their quality, detect and predict attacks in real time, and protect the controlled network". The scheme inherits the basic ideas of the PDR dynamic model and makes proactive measures ("zoned management and defence in depth; controllability, manageability and real-time coordinated response; concealment and deception, mixing real and decoy assets; continuous hardening to raise resistance") the foundation of security event correlation; these measures greatly reduce the number of security events passed to the upper correlation layers. NSICMS is a network of security event correlation processors that integrates real-time correlation methods for the different event relations: real-time aggregation, real-time cross correlation, real-time sequence correlation and real-time risk assessment.

A real-time aggregation method for security events is proposed. It takes the nodes of the controlled network as its object, which simplifies what has to be correlated; it represents each node's "super security events" in a cache, which guarantees real-time operation; and it replaces the time window with a weak queue length, weakening the notion of a time window and solving the problem that the time parameters of common aggregation algorithms are hard to determine. The method delivers high-quality super security events to the subsequent correlation stages in real time, has no hard-to-determine parameters, and discards the non-real-time notion of an "aggregation rate"; some of its ideas and concepts, such as the definition of aggregation granularity and the weak queue window in place of the time window, are new.

A real-time correlation method for security event sequences is proposed. Aimed at multi-step attacks and built on the results of real-time aggregation and cross correlation, it can predict attacks ahead of time and discover cooperative multi-step attacks. It uses multi-step attack patterns that have been mined and validated, and raises early warnings by matching super security events in real time. The attack scenario pattern mining algorithm uses a new mining data set, which avoids the problems of mining scenarios directly from alert data; the real-time super security event matching and early warning algorithm overcomes the missed warnings that fixed patterns of thinking would cause.

A real-time, dynamic, quantitative risk assessment method is proposed. It treats security events as the inducements of risk, takes the real-time risk of super security events as its basis, and fully accounts for the sequence relations among super security events. Computing node risk in real time, dynamically and quantitatively, makes risk reduction easier; displaying node risk in real time (with nodes of different asset grades shown separately) gives security managers global, real-time awareness of the security posture of the whole controlled network.

【Abstract (author's English version)】 With the development of networks and their applications, people rely more and more on networks, and the assets connected to them have grown enormously. Meanwhile the network security field faces demanding challenges, and security incidents resulting from malicious attacks have caused tremendous losses. To protect company and organization networks, security devices such as IDS (intrusion detection systems), firewalls and AVS (anti-virus systems) have been deployed; however, their effect is far from what was expected, and they bring new problems. The security events generated by these devices, such as alerts and security audit data, appear in huge volumes and carry serious false positives and false negatives, which makes them unusable as direct input to attack response. Ultimately it is hardly possible to identify a genuinely dangerous situation among the overwhelming security events, or to discover and predict attacks in real time. Although the correlation technologies proposed to address these issues are effective to some degree, serious deficiencies remain. First, the concepts are indefinite and lack consideration and definition from a holistic correlation perspective. Second, there is no effective real-time correlation method: some aggregation methods work offline, others cannot fix their parameters when working online, let alone give effective real-time alerts. Third, there is no real-time dynamic quantitative risk evaluation system based on relatively high-level security events.

It is therefore significant for network security to analyse huge volumes of security events with a real-time correlation method and to recognise genuine risks and threats effectively. This thesis surveys network security event correlation methods and classifies them into five categories: classification correlation, aggregation correlation, sequence correlation, cross correlation and other correlation. The relevant concepts of network security event correlation are defined from a holistic perspective. Network security event correlation can be called broad-sense intrusion detection, i.e. high-level or post-intrusion detection. It is a specific data correlation method aimed at the problems of security event handling, in which transverse security events (from different sources) and lengthwise security events (with temporal sequence relations) are integrated with the specific network environment. Relationships among security events, and between security events and their environment, are analysed to reduce false positives, compensate for missed detections and confirm attacks. Four main types of relationship among security events are identified: redundancy, sequence, coordination and environment match. The evaluation problem of correlation systems is pointed out, and the typical open-source system OSSIM is analysed in depth. These fundamental works provide the theoretical basis for the design of real-time correlation of network security events.

A systematic design for a security event correlation system, NSICMS, is proposed. It is based on a holistic view characterised by initiative, object orientation and continuous updating, and it aims at reducing the quantity of security events, improving their quality, performing real-time detection and attack prediction, and protecting the controlled network. NSICMS inherits the basic ideas of the PDR dynamic model and makes several active strategies the basis of security event correlation, reducing the quantity of security events reaching the upper correlation level. NSICMS is a security event correlation network consisting of different servers and real-time correlation methods for the different relationships among security events: aggregation correlation, cross correlation, sequence correlation and risk evaluation.

A real-time aggregation method for network security events is proposed that targets the nodes of the controlled network. It simplifies the specific content to be correlated, represents each node's super security events in a cache (guaranteeing real-time operation), and replaces the time window with a weak queue length, diminishing the concept of a time window and resolving the indefiniteness of the time parameter in ordinary aggregation algorithms. This method provides high-quality super security events for subsequent correlation in real time, without hard-to-determine parameters or the notion of an aggregation rate. Several of its ideas are new, for example the definition of aggregation granularity and the replacement of the time window with a weak queue window.

A real-time correlation method for security event sequences is proposed. Aimed at correlating multi-stage attacks, it is based on the results of real-time aggregation and cross correlation. It can predict attacks and discover cooperative multi-stage attacks. It uses reliable multi-stage attack patterns obtained by mining and validation, and matches real-time super security events to raise attack alerts. The attack scenario pattern mining algorithm adopts a new mining data set, avoiding the problems of mining scenarios directly from alert data. The real-time super security event matching and alerting algorithm overcomes the missed alerts caused by fixed patterns of thinking.

A real-time dynamic risk evaluation method is proposed. It treats security events as inducements of risk, takes the real-time risk of super security events as its foundation, and calculates node risk in a real-time, dynamic and quantitative way for the sake of risk reduction. Node risk is displayed in a real-time dynamic way, with nodes of different asset grades and categories presented separately, offering security managers real-time holistic awareness of the security situation in the controlled network.
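The following is an added example illustrating the ideas described in both abstracts above: per-node aggregation of raw alerts into super security events, a cache bounded by queue length instead of a time window, matching of a node's super event sequence against multi-step attack patterns to warn before the final step, and a per-node risk score that combines asset grade with attack progress. It is not code from the thesis or from NSICMS, and the formulas are my own simplifications; the pattern names, severities, asset grades and alert stream are all constructed for the demonstration.

```python
# Added illustration (not the thesis's own algorithm): node-centred aggregation
# bounded by queue length rather than a time window, sequence matching against
# multi-step attack patterns, and a node risk score. All data is constructed.
from collections import defaultdict, deque
from dataclasses import dataclass, field


@dataclass
class Alert:
    ts: float    # sensor timestamp
    src: str     # attacking address reported by the sensor
    node: str    # controlled node the alert concerns
    sig: str     # sensor signature / event class


@dataclass
class SuperEvent:
    node: str
    sig: str
    first_ts: float
    last_ts: float
    count: int = 1
    sources: set = field(default_factory=set)


class NodeAggregator:
    """Per-node cache holding at most queue_len super events.

    Redundant alerts (same node, same signature) merge into the existing super
    event; on overflow the oldest super event is evicted, so the aggregation is
    bounded by queue length and needs no time-window parameter.
    """

    def __init__(self, queue_len=4):
        self.cache = defaultdict(lambda: deque(maxlen=queue_len))

    def ingest(self, a):
        """Fold alert a into its node's cache; return the new SuperEvent or None."""
        q = self.cache[a.node]
        for se in q:
            if se.sig == a.sig:          # redundancy relation: merge, nothing new
                se.count += 1
                se.last_ts = a.ts
                se.sources.add(a.src)
                return None
        se = SuperEvent(a.node, a.sig, a.ts, a.ts, 1, {a.src})
        q.append(se)                     # deque(maxlen) evicts the oldest if full
        return se

    def sequence(self, node):
        return [se.sig for se in self.cache[node]]


# Constructed stand-ins for mined, validated multi-step attack scenarios.
PATTERNS = {
    "remote-compromise": ("port_scan", "exploit_attempt", "backdoor_connect"),
    "web-shell": ("web_probe", "sqli", "webshell_upload"),
}
SEVERITY = {"port_scan": 1, "web_probe": 1, "sqli": 3, "exploit_attempt": 3,
            "webshell_upload": 5, "backdoor_connect": 5}   # constructed weights


def predict(seq, patterns=PATTERNS):
    """Longest in-order (not necessarily adjacent) pattern prefix found in seq.
    Returns (pattern, stages_matched, next_expected or None), or None."""
    best = None
    for name, stages in patterns.items():
        i = 0
        for sig in seq:
            if i < len(stages) and sig == stages[i]:
                i += 1
        if i and (best is None or i > best[1]):
            best = (name, i, stages[i] if i < len(stages) else None)
    return best


def node_risk(seq, asset_grade, patterns=PATTERNS):
    """Asset grade x summed severity, scaled up by scenario progress (0..1)."""
    pred = predict(seq, patterns)
    progress = pred[1] / len(patterns[pred[0]]) if pred else 0.0
    return asset_grade * sum(SEVERITY.get(s, 1) for s in seq) * (1.0 + progress)


def run_pipeline(alerts, asset_grades, queue_len=4):
    """Stream alerts; return (aggregator, early warnings, risk per node)."""
    agg, warnings = NodeAggregator(queue_len), []
    for a in alerts:
        if agg.ingest(a) is None:
            continue                     # merged alert: nothing new to correlate
        pred = predict(agg.sequence(a.node))
        if pred and pred[1] >= 2:        # two stages seen: warn about the next
            warnings.append((a.node, pred[0], pred[2]))
    risks = {n: node_risk(agg.sequence(n), asset_grades.get(n, 1)) for n in agg.cache}
    return agg, warnings, risks


# Constructed alert stream: six raw alerts against two controlled nodes.
SAMPLE_ALERTS = [
    Alert(1.0, "198.51.100.7", "10.0.0.5", "port_scan"),
    Alert(1.2, "198.51.100.7", "10.0.0.5", "port_scan"),
    Alert(1.4, "198.51.100.8", "10.0.0.5", "port_scan"),
    Alert(5.0, "198.51.100.7", "10.0.0.5", "exploit_attempt"),
    Alert(9.0, "198.51.100.7", "10.0.0.9", "port_scan"),
    Alert(12.0, "198.51.100.7", "10.0.0.5", "backdoor_connect"),
]
SAMPLE_GRADES = {"10.0.0.5": 3, "10.0.0.9": 1}   # constructed asset grades

if __name__ == "__main__":
    print(run_pipeline(SAMPLE_ALERTS, SAMPLE_GRADES)[1:])
```

On the sample stream the six raw alerts collapse to four super events, the first warning for 10.0.0.5 is raised after the second stage (exploit_attempt) and names backdoor_connect as the expected next step, and the node with the higher asset grade and the completed scenario receives the higher risk. The one tunable is the queue length, which bounds memory per node and acts as the "window"; a real deployment would also need a per-node, per-signature split of alerts from the environment (the cross-correlation step) before this aggregation runs.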
