

Study and Implementation of Collaborative Alert Analysis Techniques for Network Security

【Author】 徐慧 (Xu Hui)

【Advisor】 肖德宝 (Xiao Debao)

【Author information】 Central China Normal University (华中师范大学), Computer Application Technology, 2008, Master's thesis

【Abstract (translated from the Chinese)】 In the field of network security, the conflict between attackers and users plays out constantly. The wide variety of tools and the huge volume of security information place very high demands on security managers, especially now that the emergence of composite attacks makes the traditional single-point security management model hard to sustain. With network users' growing demand for intelligent security management, a new integrated network security management solution, unified network security management, has become the new trend. A unified network security management system is used to configure and regulate the multi-layer, distributed security systems of the whole network: it provides centralized monitoring of all security resources, unified policy management, intelligent auditing and interaction between the various security function modules, thereby simplifying security management, raising the network's security level, controllability and manageability, and lowering users' overall security management overhead. Against this background, two techniques are advocated by many practitioners and academic researchers: collaboration and correlation. At the same time, intrusion detection systems (IDS) have become an important tool for network security monitoring, and a notable trend in unified network security management is the adoption of an IDS-centric correlation model. However, the detection mechanism of a traditional IDS has drawbacks: it is fine-grained, isolated and weakly context-aware. Post-intrusion-detection techniques aimed at collaboration and correlation have therefore become the research focus. From this perspective, collaborative alert analysis can generally be divided into three stages: alert aggregation, alert evaluation and alert correlation. The main open problem, however, is how to guarantee the comprehensive collection and unified representation of the environmental asset information belonging to security alerts. There is still no practical, effective method for this, which directly affects the ultimate realization of unified network security management. This thesis focuses on collaborative alert analysis techniques for network security. It introduces XML-based integrated network management techniques into the alert analysis process to ensure the interaction of collaboration and correlation, uses an OWL+SWRL security ontology extended from the CIM schema to represent information and knowledge uniformly, and on this basis proposes a promising method for improving collaborative alert analysis based on integrated network management, as an important step toward unified network security management. The thesis also provides the main implementation details; validation results show that the proposed method helps reduce the false-positive rate and optimize the construction of attack scenarios.

【Abstract】 In the field of network security, the conflict between network attackers and users never stops. Meanwhile, a great variety of tools and a mass of security information place high demands on network security managers, especially in the face of the current trend toward comprehensive attacks, with which traditional single-point security management modes fail to deal. With the increasing demand of network users for intelligent security management, a new integrated solution for network security management, unified network security management, has become the new trend. A unified network security management system is meant to realize centralized monitoring, uniform policy management, intelligent auditing and interaction among the various security function modules. In this way it simplifies the task of network security management, improves the security level, controllability and manageability of the network, and reduces the user's overall spending on security management. Against this background, two techniques, namely collaboration and correlation, are being adopted by more and more researchers and engineers. At the same time, the Intrusion Detection System (IDS) has evolved into an important tool for network security monitoring, and a remarkable development trend of unified network security management is the adoption of an IDS-centric correlation manner. But the detection mechanisms of traditional IDSs have weaknesses, including excessively fine granularity, isolated alarming and a lack of environmental awareness. As a result, research on post-IDS analysis aimed at collaboration and correlation has become a focus. From this point of view, collaborative alert analysis can generally be divided into three stages: alert aggregation, alert evaluation and alert correlation. However, the main remaining problem is how to guarantee integrated collection and unified representation of context information for security alerts. A practical and efficient approach is still lacking, which hampers the realization of unified network security management. This paper discusses issues related to collaborative alert analysis techniques for network security. Its aim is to introduce XML-based integrated network management techniques for the implementation of alert analysis in order to promote the interaction of collaboration and correlation, and, using a security ontology expressed in OWL+SWRL and based on the CIM Schema for unified representation of information and knowledge, to propose a promising approach to collaborative alert analysis based on integrated network management, as an important stage toward realizing unified network security management. Finally, the main implementation issues are also covered, and experimental results show that the proposed approach is effective in reducing the rate of false positives and in optimizing the building of attack scenarios.
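The three-stage pipeline the abstract names (aggregation, evaluation, correlation) and its point that alerts need asset context to be judged correctly, as an added Python example that is not code from the thesis. The asset inventory, the signature knowledge base, the raw alerts and the scoring formula are all constructed for illustration; the prerequisite/consequence chaining in the correlation stage is a generic technique assumed here, not necessarily the thesis' own method. The example shows how an alert whose signature targets a service the destination host does not run is scored down in the evaluation stage and therefore never enters an attack scenario, which is the false-positive reduction the abstract refers to.

```python
# Constructed asset inventory: the "context/asset information" the thesis
# wants collected and represented uniformly. criticality is 1-5; services
# lists what the host actually runs.
ASSETS = {
    "10.0.0.5": {"criticality": 5, "services": {"http", "ssh"}},
    "10.0.0.9": {"criticality": 2, "services": {"smb"}},
}

# Constructed signature knowledge base: base severity, the service a signature
# applies to (None = any), and prerequisite/consequence predicates used for
# chaining alerts into scenarios.
SIGNATURES = {
    "PORTSCAN":     {"severity": 1, "service": None,   "requires": set(),   "gives": {"recon"}},
    "HTTP_RCE":     {"severity": 4, "service": "http", "requires": {"recon"}, "gives": {"shell"}},
    "SMB_OVERFLOW": {"severity": 4, "service": "smb",  "requires": {"recon"}, "gives": {"shell"}},
    "SUDO_PRIVESC": {"severity": 5, "service": None,   "requires": {"shell"}, "gives": {"root"}},
}

# Constructed raw IDS alerts (ts in seconds). 10.0.0.5 runs no SMB, so the
# SMB_OVERFLOW alert against it is a likely false positive.
RAW_ALERTS = [
    {"ts": 0,  "src": "1.2.3.4", "dst": "10.0.0.5", "sig": "PORTSCAN"},
    {"ts": 2,  "src": "1.2.3.4", "dst": "10.0.0.5", "sig": "PORTSCAN"},
    {"ts": 3,  "src": "1.2.3.4", "dst": "10.0.0.5", "sig": "PORTSCAN"},
    {"ts": 30, "src": "1.2.3.4", "dst": "10.0.0.5", "sig": "SMB_OVERFLOW"},
    {"ts": 45, "src": "1.2.3.4", "dst": "10.0.0.5", "sig": "HTTP_RCE"},
    {"ts": 90, "src": "1.2.3.4", "dst": "10.0.0.5", "sig": "SUDO_PRIVESC"},
    {"ts": 10, "src": "5.6.7.8", "dst": "10.0.0.9", "sig": "PORTSCAN"},
]


def aggregate(alerts, window=60):
    """Stage 1: merge alerts with identical (src, dst, sig) that arrive within
    `window` seconds of the previous one into a single meta-alert with a count."""
    metas = []
    for a in sorted(alerts, key=lambda x: x["ts"]):
        for m in metas:
            same_key = (m["src"], m["dst"], m["sig"]) == (a["src"], a["dst"], a["sig"])
            if same_key and a["ts"] - m["last"] <= window:
                m["count"] += 1
                m["last"] = a["ts"]
                break
        else:
            metas.append({**a, "first": a["ts"], "last": a["ts"], "count": 1})
    return metas


def evaluate(meta, assets=ASSETS, sigs=SIGNATURES):
    """Stage 2: score = severity * target criticality * applicability, where
    applicability is 0 when the signature targets a service the asset does not run."""
    sig = sigs[meta["sig"]]
    asset = assets.get(meta["dst"], {"criticality": 1, "services": set()})
    applicable = sig["service"] is None or sig["service"] in asset["services"]
    meta["score"] = sig["severity"] * asset["criticality"] * (1 if applicable else 0)
    return meta["score"]


def correlate(metas, sigs=SIGNATURES):
    """Stage 3: chain meta-alerts into scenarios. A meta-alert joins a scenario
    when it targets the same src/dst pair, comes later in time, and its
    prerequisites are satisfied by the consequences already achieved in that
    scenario. Meta-alerts scored 0 are dropped before chaining."""
    live = sorted((m for m in metas if m.get("score", 0) > 0), key=lambda m: m["first"])
    scenarios = []
    for m in live:
        req = sigs[m["sig"]]["requires"]
        attached = False
        for sc in scenarios:
            achieved = set().union(*(sigs[s["sig"]]["gives"] for s in sc))
            same_pair = (sc[-1]["src"], sc[-1]["dst"]) == (m["src"], m["dst"])
            if same_pair and req and req <= achieved and m["first"] >= sc[-1]["last"]:
                sc.append(m)
                attached = True
                break
        if not attached:
            scenarios.append([m])
    return scenarios


def analyse(alerts=RAW_ALERTS):
    """Run the three stages and return (meta-alerts, scenarios)."""
    metas = aggregate(alerts)
    for m in metas:
        evaluate(m)
    return metas, correlate(metas)


if __name__ == "__main__":
    metas, scenarios = analyse()
    for m in metas:
        print(f"{m['sig']:13} {m['src']} -> {m['dst']}  x{m['count']}  score={m['score']}")
    for i, sc in enumerate(scenarios, 1):
        print(f"scenario {i}: " + " -> ".join(s["sig"] for s in sc))
```

Running the block merges the three port-scan alerts into one meta-alert, gives the SMB_OVERFLOW alert a score of 0 because the target runs no SMB service, and builds one scenario PORTSCAN -> HTTP_RCE -> SUDO_PRIVESC for the first attacker plus a lone PORTSCAN for the second. In a real deployment the asset inventory would come from the management system rather than a literal, which is exactly the unified context collection the abstract identifies as the open problem.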

  • 【Classification code】 TP393.08
  • 【Times cited】 1
  • 【Downloads】 185

