【作者】 赵文涛；

【导师】 殷建平；

【作者基本信息】 国防科学技术大学 ， 计算机科学与技术， 2009， 博士

【摘要】 为及早发现并有效防御对网络空间的突然袭击,仅仅依靠身份认证、可信计算、防火墙、入侵检测技术等传统安全防护技术是不够的。通过监控和识别大规模的受保护网络上的入侵企图和入侵行为,基于安全态势感知的预警技术可以获得更精确的安全威胁行为描述和更全面、及时的网络安全状态估计,并试图在攻击发生或造成严重后果之前,对攻击发生的数量及时空特性进行预测,预先采取相应的防御措施来加强网络的安全。开展面向大规模网络的预警技术的研究,对于提高网络系统的应急响应能力、缓解网络攻击所造成的危害、提高系统的反击能力等具有十分重要的意义。本论文研究了基于网络安全态势感知的预警系统相关技术。研究内容包括安全预警体系结构、安全态势知识表示模型、安全态势感知中的网络测量技术、安全态势评估技术、安全预警中的主动学习技术、安全态势预警技术。本文的研究工作和成果包括：1.本文分析了预警系统的体系结构,包括组成、运行模式和工作过程,指出预警系统中对数据的处理流程是在数据、信息和知识三个层面的抽象过程。本文针对预警需求,对IDMEF数据模型进行了改进,设计了一个网络安全态势知识表示模型,定义了相关描述语言。2.研究了预警系统中态势感知器的感知方法、部署模型和优化问题。态势感知器通过主动和被动测量技术,采集网络的性能数据、拓扑数据和安全事件数据等网络态势信息。态势感知器的部署和优化是建立性能良好的预警系统必不可少的环节之一。本文研究了不同感知方法下态势感知器的部署模型和优化算法,以期达到部署尽量少的态势传感器节点,来获取尽量多的态势信息的目的。3.提出了一种新的网络路径流量测量策略COPP。在安全态势信息中,流量是描述网络性能的重要数据,也是衡量蠕虫、拒绝服务等攻击的重要指标。但在没有权限获取网络节点流量数据的条件下,如何实施有效的网络流量测量成为预警系统必须解决的问题之一。COPP充分利用探测报文的信息,结合报文对与自拥塞测量原则,通过考察报文的单向延迟及其变化规律,得到发送速率与可用带宽的关系,同时根据成为转换点的报文对其相邻报文对所受干扰的不同程度,给予相应转换带宽不同的权值,以较小的开销得到较好的测量精度。仿真实验表明,COPP与传统方法相比,在开销、精度、平稳性和网络状态变化敏感性上具有更好的特性。4.提出了一种基于网络安全态势图的态势评估方法。通过分析态势评估在军事应用领域的概念,给出了网络安全态势评估的一种定义,包括安全态势评估的问题描述、功能模型和推理框架。给出了一种基于Honeypot技术的网络安全态势评估框架,并提出了一种基于网络安全态势图的态势评估方法。该方法利用生成算法生成网络安全态势图,引入攻击可信度和攻击度的概念,结合安全态势知识库,对组合攻击实施动态评估。该方法在形式上可以完整再现攻击过程,不仅动态展现入侵对系统的安全威胁演变过程,而且可以用量化的形式预知攻击的潜在威胁。实验测试验证了该评估方法的有效性。5.面向安全态势信息获取,提出了基于委员会的误分类采样主动学习算法和基于图约束及预聚类的可伸缩主动学习算法。攻击和正常状态是安全态势信息获取的重要内容。通过入侵检测的方式获取这些状态信息的过程依赖于获取知识的质量和速度。与人工方式相比较,将机器学习引入其中具有优势。如何获得高质量的已标注历史数据是构建安全态势知识库的关键技术之一,本文利用主动学习技术减少构造入侵检测分类器所需的标注代价。采样算法是主动学习中的关键问题,由于传统采样算法的前提假设在预警系统中不一定成立,本文提出基于委员会的误分类采样算法。更进一步地,考虑到当前主动学习完全不考虑未标注样本分布的弊端,将主动学习和半监督学习相结合,提出基于图约束及预聚类的可伸缩主动学习算法。通过实验测试,证明这两种主动学习算法在达到目标正确率时所需的标注代价小于传统的随机采样、Uncertainty采样和QBC采样算法。6.面向安全态势信息获取,提出基于误分类代价最小化的代价敏感主动学习算法。采用机器学习技术获取网络安全态势信息的关键性能指标之一是误分类代价。传统的机器学习仅仅考虑分类正确率,传统主动学习仅仅考虑标注代价,基于误分类代价最小化的代价敏感主动学习算法用代价敏感算法对学习引擎进行优化,使训练出的版本空间中的假设具有低误分类代价,并且在采样时选择具有最大期望误分类代价的样本。通过实验测试,在考虑误分类代价时,证明该主动学习算法在降低到目标误分类代价时所需的标注代价小于传统的SRS、CRS和CAD采样算法。7.提出了攻击预测的分层认知模型。定义了攻击的认知过程,包括攻击步骤认知、攻击行为认知和攻击过程认知,该认知模型可以有效描述攻击,为攻击预测提供支持。8.提出了一种基于粒子群优化算法的组合预测模型。攻击预测是基于态势感知的预警技术必不可少的功能之一。本文提出的基于粒子群优化算法的组合预测模型利用加权系数对各种预测方法进行组合,集成不同来源的预测结果,从不同的侧面反映整个预测过程,力图使预测结果更加地精确。在各种预测方法加权系数的确定上,利用PSO快速全局优化的特点,可以减少试算的盲目性,提高模型预测准确性。实验结果表明,该组合预测模型与单一预测模型比较,误差更小,精度更高。最后实现了一个预警原型系统。该系统体现了上述研究成果,能够管理和控制态势感知器的工作,接受和处理态势感知器提交的数据,展示当前网络态势和预警的结果。更多还原

【Abstract】 For early discovery and defense of the assaulting to cyberspace, it’s not enough to rely on the traditional security protection technologies such as authentication、authentic computing、firewall and intrusion detection. Through supervision and recognition of the attempts and action of invasion in large scale networks, the early-warning technology of security situational awareness can acquire more accurate description of threatening actions and more overall evaluation of the network security status in time, and try to forecast the quantity and the space-time characteristic of attacks before attacks occur or result in serious consequences, so we can adopt corresponding defense measures to intensify the security of networks in advance. To launch the research of early-warning systems facing to large-scale networks is very important to improve the response capability of network systems, alleviate the damage of network attacks, and enhance the counterattack ability of network systems.The technologies related to early-warning systems based on the network security situational awareness were studied in the thesis. The contents include the architecture of early-warning systems, the model of security situational knowledge, the measure technology in security situational awareness, the active learning technology in security early-warning systems and the attack early-warning technology. The main work and contributions of the thesis are summarized as follows:1. The architecture of early-warning system including composition, operation mode and process was analyzed in this thesis. We pointed out that the flow of data transaction in the early-warning system is the abstract process in three levels of data, information and knowledge. Aiming at the requirements of early warning, the thesis carried on an improvement to the IDMEF data model, designed a network security situational knowledge model and defined a related description language.2. The sensing method, deployment model and optimization of situational sensors in the early-warning system were studied in this thesis. Through the active and passive measurement technologies, the situational sensors collect the situational awareness information, such as the performance data, topology data, security event data, and so on. The optimized deployment of the situational sensors is one of the essential factors to create an early-warning system with fairly performance. To achieve the goal of obtaining more situational information through deploying less situational sensors as possible, the deployment model and the optimization algorithms of situational sensors under different sensing methods were studied.3. A new measuring strategy of network path traffic named COPP was proposed in this thesis. In the security situational information, traffics are the important data that describes network performance, and also the important indicative data that measures a worm and deny of service attack etc. But under the limited condition without privileges to obtain the traffic data in network nodes, how can we carry out a valid traffic measurement, becomes one of the problem has to be resolved in the early-warning system. The COPP strategy makes use of the information of detected messages, and then combines the message pairs and self-induced congestion principle. Thus through the investigation of one-way delay and variety regulation, we can obtain the relationship between the transmit rate and available bandwidth. In the same time, according to the different disturbing extent of the message to contiguous message pairs, the COPP strategy gives different weights to the corresponding conversion bandwidth, so we can obtain better measurement accuracy with less cost. The result of the simulation experiments show that COPP obtains better characteristic on the expense, accuracy, stabilization and sensitivity to the variety of network status compared to the traditional methods.4. An assessment method based on the network security situational graph was proposed. We analyzed the concept of situational assessment in the military realm, and presented the definition about network security situational assessment, including the question description, function model and reasoning framework of the assessment. We presented an assessment framework of network security situational based on honeypot, and submitted an assessment method based on the network security situational graph. The proposed method makes use of the generating algorithm to construct the network security situational graph, by introducing the concept of attack reliability and severity. Using the security situational knowledge base, the method implements the dynamic assessment to combined attacks. The method can exhibit the whole attack process, not only exhibit the process which invasion threat the target system in dynamic, but also predict the latent threat of attacks in quantity. The test on DARPA LLDOS1.0 dataset proved validity of the proposed method.5. Aiming at security situational information acquisition, a misclassification sampling active learning algorithm based on committee and a scalable active learning algorithm based on graph constraints and pre-clustering were proposed. Attacking and normal state are important content in security situational information acquisition. The process of constructing network security situational knowledge base depends on the quality and speed of knowledge acquisition. Compared with human participation, machine learning has advantages on knowledge acquisition. To attain labeled history data with high quality is a key technology for network security situational information acquisition. In the thesis, active learning is employed to reduce the labeling cost. Instances selection algorithm is a key problem in active learning. As the assumption may not be true in early-warning systems, a committee-based misclassification instances selection algorithm was proposed. Moreover, considering the current machine learning methods ignore the distribution of unlabeled instances, we combine active learning and semi-supervised learning and then propose a scalable active learning algorithm based on graph constraints and pre-clustering. The experiment shows that these two proposed algorithm can achieve the target accuracy with fewer labeling cost than traditional random sampling, Uncertainty sampling and QBC sampling algorithms.6. Aiming at security situational information acquisition, a cost-sensitive active learning algorithm base on misclassification cost minimization was proposed. Misclassification cost is a key criterion for network security situational acquisition using machine learning. Traditional machine learning methods only focus on accuracy and traditional active learning methods only concentrate on labeling cost. The proposed cost-sensitive active learning algorithm optimizes the learning engine with cost-sensitive method for low cost hypotheses in the version space. Furthermore, it tends to select the instances with the largest expected misclassification cost for labeling. The experiment shows that when considering misclassification cost, the proposed active learning algorithm costs less labeling than SRS, CRS and CAD algorithm when obtains the target misclassification cost.7. A hierarchy recognition model of attack forecasting was defined in this thesis. The recognition of attacks, including step recognition, action recognition and process recognition of attacks were defined in the thesis. The proposed recognition model can describe attacks effectively and support attack anticipation.8. A combination prediction model based on particle swarm based learning algorithms was proposed in the thesis. We analyzed several traditional methods of prediction and proposed a combination prediction model. In this model, weight-coefficients are given to every prediction method and the predicting results are integrated to reflect the whole predicting process from different aspects to make the predicting results more exact. The PSO global optimization is used to get the weight-coefficients, which can reduce the blindness of testing computation and raise the precision of prediction of the model. The experiment of Santa Fe test datasets showed that the combination prediction model obtains less errors and higher accuracy compared to single prediction models.An early-warning prototype system was implemented. The system reflects the above research results, can regulate and control the operation of situational sensors. Moreover, the system can accept and transact the data provided by situational sensors, and then display current network situation and early-warning results.更多还原