
基于日志挖掘的网络安全审计系统研究与实现

Research and Implementation of the Network Security Audit System Based on Log Mining

【Author】 宁兴旺 (Ning Xingwang)

【Advisor】 刘培玉 (Liu Peiyu)

【Author information】 Shandong Normal University, Communication and Information Systems, 2010, Master's thesis

【Abstract (translated from the Chinese)】 With the spread of computer applications and the rapid development of computer technology, computer crime is increasing day by day. Faced with this emerging type of crime, how to audit out problems and combat computer crime effectively has become a new research topic. A network security audit system can effectively prevent the leakage of sensitive information and other technical material; it can effectively supervise staff web browsing and so resist the intrusion of harmful information; and it can effectively mine and retain logs of illegal activity, combating crime both from the Internet and by insiders. How well network security auditing works directly determines whether intrusions or anomalies can be detected promptly and accurately. This thesis first studies, analyses and compares the existing traditional security audit techniques. Many techniques are currently applied in the security audit field, and at their core most adopt a prior knowledge base. The drawback of this approach is that it cannot discover the association rules that exist in the data and lacks any means of mining the knowledge hidden behind the data, so it suffers from low accuracy, slow detection and poor adaptivity. To address these problems, the main work of this thesis is as follows:
1. Real-time collection of multi-source logs is designed and implemented. Because a single data source easily leads to inaccurate audit analysis, agents are used for multi-point distributed collection that organically combines host data sources with network data sources; a MyOnEntryWritten function and a provider pattern are designed and applied to audit log collection, improving the completeness and timeliness of the audit data.
2. A more comprehensive audit method is given. An audit method is designed that is based mainly on mining association rules from the log database and combines this with traditional prior-knowledge-base rules and mathematical statistics; by auditing whether host operations and network communication behaviour are abnormal, the system selects the appropriate response. Three rule-base pattern-matching methods are applied, sequential patterns, time plausibility and mathematical statistics, which raises audit accuracy.
3. The traditional association rule mining algorithm is improved. By adopting a new tree-based child-sibling representation as the data structure, the shortcoming of the traditional association rule mining algorithm, its repeated scanning of the database, is remedied and the algorithm's efficiency is improved; within the support-confidence framework the system introduces a further evaluation threshold, interestingness, to prune useless rules and avoid generating distracting association rules, which optimizes the evaluation criteria for association rules; and when the original data set is symbolized and converted into a transaction database, the transaction database is further optimized in light of actual conditions. Together these give a better solution to the automatic generation and updating of audit rules and raise audit efficiency.
4. A layered security protection architecture is designed and built. By combining the MD5 hash function, a process guardian, SSL and API hooking, a layered protection architecture is designed and implemented that runs from user-name and password protection at the outermost layer to protection of the on-disk log files at the innermost layer, guaranteeing the authenticity and reliability of the audit results and the security of the audit system itself. At the same time, by monitoring operating-system process and memory information in real time and providing performance analysis and early-warning reports, the security of the operating system is also guaranteed to some extent.
5. A network security audit system based on log mining is designed and implemented. Through detailed system design and implementation, followed by experimental analysis, it is found that log mining technology has clear advantages and strong adaptivity for auditing LAN servers, and the false-positive rate also reaches the expected result, showing that a network security audit system based on the improved log mining technology is feasible and can raise the efficiency and accuracy of auditing.

【Abstract】 With the popularization of computer applications and the rapid development of computer technology, the number of computer crimes grows day by day. Faced with these emerging crimes, how to audit and effectively combat computer crime has become a new task. A network security audit system can prevent the loss of technical information, sensitive information for example; it can monitor staff browsing of the Internet and so resist the intrusion of harmful information; and it can perform log mining and retention to combat criminal activity, whether on-line or by internal staff. Network security audit results directly affect our ability to detect intrusions or abnormalities in a timely and accurate way. Traditional security audit technology is studied and compared first. The core technology currently adopted in the field of security audit is the prior knowledge base. The disadvantage of this approach is that the association rules that exist in the data cannot be found, and it lacks a way of mining the hidden knowledge contained in the data, which results in low accuracy, slow detection speed and poor adaptability. Aiming at these problems, the major research work is as follows:
1. Real-time collection of multi-source logs is designed and implemented. To address the inaccurate audit analysis caused by a single data source, agents are adopted to achieve distributed data acquisition that organically combines host data sources and network data sources. The MyOnEntryWritten function and the provider model are designed and applied in audit log collection so as to achieve comprehensive and real-time audit logs.
2. An overall audit approach is given. An overall audit approach is designed that combines mining association rules from log data, as the main method, with traditional prior knowledge and mathematical statistics. On that basis, the system audits host operations and network traffic behaviour to find abnormal situations and respond in the appropriate way. Three pattern-matching methods of the rule base are used to increase audit accuracy: sequential patterns, time matching and mathematical statistics.
3. The traditional association rule mining algorithm is improved. By using a new tree-based data structure with a son-brother (child-sibling) representation, the disadvantage of scanning the database frequently in the traditional association rule mining algorithm is removed, which improves algorithm efficiency. Beyond the support-confidence framework, an interest degree is introduced as an evaluation threshold to prune useless rules and avoid generating interfering association rules, which optimizes the evaluation criteria for association rules. The transaction database converted from the original data set is re-optimized for the actual situation. All of these serve to achieve automatic generation and updating of audit rules and improve audit efficiency.
4. A hierarchical security system is designed and established. A hierarchical security system is designed, from user-name and password protection at the outermost layer to disk log file protection at the innermost layer, by integrating the MD5 hash function, a process guard, SSL, API hooking and so on, so that it can ensure the authenticity and reliability of audit results and the security of the audit system itself. At the same time, the system provides performance analysis and early-warning reports from process and memory information through real-time monitoring of the operating system, which to a certain extent guarantees the security of the operating system.
5. The network security audit system based on log mining is designed and implemented. Through detailed design and implementation of the system and experimental analysis, it is found that the log mining audit system installed on a LAN server has obvious advantages and strong adaptive ability, while the false positive rate also achieves the desired result, which indicates that the network security audit system based on improved log mining is feasible and can improve the efficiency and accuracy of the audit.
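As an added illustration of point 3 (example code, not the thesis's own): a small association-rule miner over constructed, symbolized audit-log transactions that applies the support and confidence thresholds and then prunes with the extra interest threshold the abstract describes. The thesis does not say which interest measure it uses or detail its child-sibling tree, so lift (confidence divided by the consequent's support) is assumed for interest and a plain level-wise candidate search stands in for the tree structure.

```python
from itertools import combinations

# Constructed sample: each transaction is the set of symbolized events seen
# in one audit window after host and network logs were merged (point 1).
TRANSACTIONS = [
    {"OFFHOURS", "LOGON_FAIL", "ADMIN_LOGON"},
    {"OFFHOURS", "LOGON_FAIL", "ADMIN_LOGON", "LARGE_UPLOAD"},
    {"OFFHOURS", "LARGE_UPLOAD"},
    {"LOGON_FAIL", "ADMIN_LOGON"},
    {"OFFHOURS", "LOGON_FAIL", "ADMIN_LOGON"},
    {"NEW_SERVICE", "LARGE_UPLOAD"},
    {"OFFHOURS", "NEW_SERVICE"},
    {"LOGON_FAIL", "ADMIN_LOGON", "LARGE_UPLOAD"},
]

def support(itemset, transactions):
    """Fraction of transactions containing every item of `itemset`."""
    itemset = frozenset(itemset)
    return sum(itemset <= t for t in transactions) / len(transactions)

def frequent_itemsets(transactions, min_support):
    """Level-wise search: size-k candidates are joined only from frequent
    (k-1)-sets, so nothing below an infrequent set is ever scanned."""
    level = [frozenset([i]) for i in sorted(set().union(*transactions))]
    frequent = {}
    while level:
        counted = {s: support(s, transactions) for s in level}
        level = [s for s, sup in counted.items() if sup >= min_support]
        frequent.update((s, counted[s]) for s in level)
        level = sorted({a | b for a, b in combinations(level, 2)
                        if len(a | b) == len(a) + 1}, key=sorted)
    return frequent

def mine_rules(transactions, min_support, min_confidence, min_interest):
    """Return (antecedent, consequent, confidence, interest) for each rule that
    passes all three thresholds.  Interest is lift (assumed measure): a rule
    whose consequent is no likelier given its antecedent scores <= 1."""
    freq = frequent_itemsets(transactions, min_support)
    rules = []
    for itemset, sup in freq.items():
        for k in range(1, len(itemset)):
            for ante in combinations(sorted(itemset), k):
                ante = frozenset(ante)
                cons = itemset - ante
                conf = sup / freq[ante]        # subsets of a frequent set are frequent
                interest = conf / freq[cons]
                if conf >= min_confidence and interest >= min_interest:
                    rules.append((ante, cons, conf, interest))
    return rules
```

With min_support 0.25 and min_confidence 0.6 the confidence test alone keeps OFFHOURS -> LOGON_FAIL, yet LOGON_FAIL is as common without OFFHOURS as with it (lift 0.96), which is exactly the kind of distracting rule the interest threshold removes.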
