Research on a Composite (Multistage) Attack Model and Detection Method Based on an Extended Directed Graph (基于扩展有向图的复合攻击模型及检测方法研究)

Network Multistage Attack Model and Detection Approach Based on Extended Directed Graph

【Author】 张爱芳 (Zhang Aifang)

【Supervisor】 李芝棠 (Li Zhitang)

【Author information】 Huazhong University of Science and Technology (华中科技大学), Computer System Architecture, 2008, doctoral dissertation

【Abstract (Chinese, translated)】 Network alert correlation rests on one basic premise: the relationships between network attack actions must be reflected in some relationship between the alerts they produce. By analysing large volumes of alerts together, correlation uncovers links between otherwise discrete alerts and thereby identifies real attack behaviour or intent. Most current correlation methods concentrate on improving alert quality and on offline analysis of the relationships between alerts; their results lack a unified formal description, do not form reusable knowledge, and are hard to apply directly to attack detection and prediction.

A composite (multistage) attack is a complete attack process made up of several indivisible attack steps combined according to some logical relationship. Causal or logical dependencies generally exist between successive steps of a multistage attack and are reflected in the alerts, which is what makes multistage attack detection possible. Building a suitable formal model of multistage attacks and using it to detect them and to predict their subsequent steps can guide security administrators to take targeted countermeasures in time and prevent further damage to the protected network; this is more valuable than after-the-fact analysis and closer to what is expected of such systems.

To that end, this dissertation proposes a multistage attack model and detection method based on an extended directed graph. Abstract attack patterns are extracted automatically, and an extended directed graph is chosen to express multistage attack behaviour and the constraints between its steps. When part of a multistage attack sequence recurs, the attack can be detected against this model, so that the most threatening steps are predicted before they arrive.

Attack features and abstract action patterns are extracted from historical data. Regularities among alert attributes are the expression of multistage attack patterns; once found, they serve as the basis for detection, so obtaining these regularities is the key to building the model. The improvement to the frequent-episode mining algorithm is based on an analysis of the characteristics of alert data: alerts produced by security devices are a complex data type composed of several attributes, each of which constrains the attack pattern. Sequence analysis of alerts therefore concentrates on the relationships between the alert type attribute and the other attributes. The mined episode patterns capture the causal relationships between different attack actions and indicate the likelihood that one attack is accompanied by another, while the attribute constraints capture the correlation logic between attack steps. Experimental results show that the method reveals relationships between attack actions and forms attack patterns automatically.

In the extended-directed-graph model, nodes represent alert types, directed edges represent possible causal relationships between alert classes, the constraints on an edge are the conditions that must hold for two alerts to be genuinely causally related, and node weights represent the severity of each alert type. The model expresses the logical relationships between attack actions effectively and serves as the framework for multistage attack detection and matching.

Real-time detection works on the extended directed graph, analysing correlations between alerts by backward matching and missing-step matching, and uses two indicators, detection degree and matching degree, to measure the rate at which multistage attacks are detected and how far an attack that has reached its current step matches the whole attack scenario. When a new alert arrives, the directed edges of the graph determine the set of earlier alerts that may be causally related to it; the relationship between each alert in that set and the new alert is analysed to decide how likely the two are to be adjacent steps of the same attack scenario; the detection degree and matching degree are then computed, and the next likely attack step is predicted from the result. This avoids the drawback of building match chains from matching rules, whose number can grow exponentially as data accumulates, and recovers the attack process dynamically and completely.

The system is implemented in Java. It was validated on the DARPA 2000 data set and on real data collected from a honeynet and a local area network: the detection rate for multistage attacks reaches 93%, and on average the system can make its judgement at least one step ahead and notify the administrator.

【Abstract】 Alert correlation rests on the principle that the relationships between alerts reflect, in some sense, the relationships between attack actions. Correlation can be discovered by comprehensive analysis: the number of alerts can be reduced by alert aggregation, false positives can be eliminated by cross-correlation with background knowledge, and the logical relationships between alert types can be disclosed by multistage attack correlation. Most existing approaches focus on discovering correlation relationships rather than on predicting attacks. In fact, predicting the next attack step is more significant than post-hoc analysis, because it helps administrators take appropriate action to protect the network from further compromise.

To address this problem, alert correlation and multistage attack prediction based on an extended directed graph is proposed; the graph represents the attack features and abstract patterns of multistage attacks. Whenever an attack sequence appears that partly matches a portion of the graph, the corresponding pattern can be recognised and the successive steps predicted.

The extraction of attack features and abstract action patterns of multistage attacks results from the analysis of historical data. Regularities between alert attributes indicate the patterns of attack actions. An alert comprises several attributes of different data types, so the algorithm for discovering frequent episodes in event sequences has to be adapted to alert sequence analysis. During mining, more attention is paid to the relationship between the alert type attribute and the other attributes. The resulting patterns represent the transition relations between attack types, and the attribute constraints represent the correlation relations. This approach extracts attack action patterns and constraints effectively, especially for automated attacks.

An extended directed graph is presented to model the relations between attack actions: nodes represent attack types and directed edges represent the transition relations between attack types. Newly arriving alerts are matched against the graph. First, the set of earlier alerts that may be related is collected by following the directed edges and checking their constraints. Second, the correlation relationship between each alert pair is judged. Third, the completeness and matching degree are computed. Finally, the next attack action is predicted from these two indicators.

The approach is evaluated on the DARPA 2000 data sets and on live data collected from our honeynet and local test network. Experiments show that the approach constructs attack scenarios effectively and, on average, predicts the attack action at least one step ahead. The detection rate reaches 93%.
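The detection loop both abstracts describe (backward matching against edge constraints, missing-item matching when a middle step produced no alert, a matching degree for progress through the scenario, and next-step prediction from the successors and their severity weights), as an added Python sketch. It is not the dissertation's Java system; the five alert types, IP addresses, severity weights, 3600 s window and the rule for accepting a skipped step are constructed assumptions. The detection degree is a ratio over a whole labelled corpus and is not computed here.

```python
# Added example: extended-directed-graph correlator, not the dissertation's code.
# Alert types, addresses, weights, window and scoring rules are constructed assumptions.
from dataclasses import dataclass
from typing import Callable, Dict, List, Optional, Tuple


@dataclass(frozen=True)
class Alert:
    ts: int      # arrival time in seconds (constructed)
    atype: str   # alert type: one node of the graph
    src: str
    dst: str


Constraint = Callable[[Alert, Alert], bool]   # predicate over (earlier, later) alert


def same_dst(a: Alert, b: Alert) -> bool:
    return a.dst == b.dst                      # both steps hit the same host


def pivot(a: Alert, b: Alert) -> bool:
    return a.dst == b.src                      # victim of step a acts in step b


class ExtendedGraph:
    """Nodes = alert types with severity weights; edges = causal links with constraints."""

    def __init__(self, weights: Dict[str, int], edges: Dict[Tuple[str, str], Constraint]):
        self.weights, self.edges = weights, edges

    def succs(self, t: str) -> List[str]:
        return [s for (p, s) in self.edges if p == t]

    def longest_path(self) -> int:
        """Steps in the longest scenario; the graph is assumed acyclic."""
        memo: Dict[str, int] = {}

        def depth(n: str) -> int:
            if n not in memo:
                memo[n] = 1 + max((depth(s) for s in self.succs(n)), default=0)
            return memo[n]

        return max(depth(n) for n in self.weights)


Step = Tuple[str, Optional[Alert]]   # (type, alert) or (type, None) for an inferred missed step


class Correlator:
    def __init__(self, g: ExtendedGraph, window: int = 3600):
        self.g, self.window, self.scenario_len = g, window, g.longest_path()
        self.history: List[Tuple[Alert, List[Step]]] = []   # recent alerts with their chains

    def _backward(self, b: Alert) -> List[List[Step]]:
        """Backward matching: a direct predecessor whose edge constraint holds."""
        return [chain for a, chain in self.history
                if (a.atype, b.atype) in self.g.edges and self.g.edges[(a.atype, b.atype)](a, b)]

    def _gap(self, b: Alert) -> List[List[Step]]:
        """Missing-item matching: ancestor two hops back, middle step never alerted.
        Assumption: accepted only if the observed pair still shares a victim or pivots."""
        out = []
        for a, chain in self.history:
            for mid in self.g.succs(a.atype):
                if (mid, b.atype) in self.g.edges and (same_dst(a, b) or pivot(a, b)):
                    out.append(chain + [(mid, None)])
                    break
        return out

    def observe(self, b: Alert) -> Tuple[float, List[Tuple[str, int]], List[Step]]:
        """Return (matching degree, predicted next steps by severity, reconstructed chain)."""
        # Expire old alerts so state stays bounded instead of growing with every match chain.
        self.history = [(a, c) for a, c in self.history if b.ts - a.ts <= self.window]
        cands = self._backward(b) or self._gap(b)
        best = max(cands, key=len) if cands else []          # most advanced scenario wins
        chain = best + [(b.atype, b)]
        self.history.append((b, chain))
        matching = round(len(chain) / self.scenario_len, 2)  # progress through the scenario
        nxt = sorted(((s, self.g.weights[s]) for s in self.g.succs(b.atype)), key=lambda x: -x[1])
        return matching, nxt, chain


# Constructed five-step scenario loosely following the DARPA 2000 LLDOS phases.
SCENARIO = ExtendedGraph(
    weights={"IP_SWEEP": 1, "SADMIND_PING": 2, "SADMIND_EXPLOIT": 4,
             "RSH_MSTREAM_INSTALL": 4, "MSTREAM_DDOS": 5},
    edges={("IP_SWEEP", "SADMIND_PING"): same_dst,
           ("SADMIND_PING", "SADMIND_EXPLOIT"): same_dst,
           ("SADMIND_EXPLOIT", "RSH_MSTREAM_INSTALL"): same_dst,
           ("RSH_MSTREAM_INSTALL", "MSTREAM_DDOS"): pivot},  # compromised host launches the flood
)

ALERTS = [  # constructed alert stream; the sensor never reports the exploit step
    Alert(0, "IP_SWEEP", "10.0.0.99", "172.16.115.20"),
    Alert(60, "SADMIND_PING", "10.0.0.99", "172.16.115.20"),
    Alert(120, "SADMIND_PING", "10.0.0.99", "172.16.112.50"),   # unrelated victim, no sweep seen
    Alert(300, "RSH_MSTREAM_INSTALL", "10.0.0.99", "172.16.115.20"),
    Alert(900, "MSTREAM_DDOS", "172.16.115.20", "192.0.2.10"),
]


def run(alerts: List[Alert]) -> List[Tuple[str, float, List[str], List[str]]]:
    """Feed alerts in order; return (type, matching degree, predicted types, chain types)."""
    c, out = Correlator(SCENARIO), []
    for b in alerts:
        m, nxt, chain = c.observe(b)
        out.append((b.atype, m, [t for t, _ in nxt], [t for t, _ in chain]))
    return out


if __name__ == "__main__":
    for atype, m, nxt, chain in run(ALERTS):
        print(f"{atype:<20} match={m:.2f} next={nxt} chain={chain}")
```

Two things to watch when reading the output: the fourth alert reaches a matching degree of 0.8 with the exploit step inferred as missing, and the prediction for the most severe step (MSTREAM_DDOS) is issued one step before that alert arrives, which is the "at least one step ahead" property the abstract claims; the unrelated SADMIND_PING against a second victim stays at 0.2 because no edge constraint links it to the earlier sweep.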
