一种入侵场景构建模型——BPCRISM 被引量：3

BPCRISM:A New Intrusion Scenario Building Model

下载PDF

导出

摘要就单一传统入侵检测系统而言,其异构性和自治性使得针对同一攻击行为产生的警报,在包含内容、详略程度、不确定性等方面存在很大的差异,导致大量重复性警报涌现.而这些大量、重复的警报信息不仅影响了入侵检测系统的性能,又不能体现出完整的黑客入侵过程.为了有效地分析和处理入侵警报,提出了一种入侵场景构建模型---BPCRISM,其能够利用警报的检测时间属性的接近程度将警报关联分为两大类:警报概率关联和警报因果关联,然后给出了概率关联和因果关联的算法,并从关联的警报信息中分辩出完整的黑客攻击流程和重构出入侵场景.初步实现该模型后,使用DARPA Cy-ber Panel Program Grand Challenge ProblemRelease3.2(GCP)入侵场景模拟器进行了测试,实验结果验证了该模型的有效性. Intrusion detection system （IDS） is the new generation of security-safeguard technology followed firewall and data encryption. Aiming at the same attack, traditional intrusion detection system （IDS） produce a lot of the repeated alerts which have quite difference in content, emphasis and uncertainty, because of its heterogeneity and autonomy. But by analyzing these alerts, the performance of IDS is reduced and the integrated intrusion course and scenario cannot be obtained. In order to analyze and deal the alerts effectively and to rebuild the attack flow and the attack scenario, a new intrusion scenario building model- BPCRISM （based probability and causal relation intrusion scenario model） that combines probabilistic correlation with causal correlation is presented in this paper. The method of the alert relation can be divided into two major categories： probabilistic alert correlation and based causal relation alert correlation, and then algorithms of two alert correlation methods are given. The integrated intrusion course can be identified and the intrusion scenario is built from the correlation alerts. Realizing this model tentatively, experiments are performed by using DARPA Cyber Panel Program Grand Challenge Problem Release 3.2 （GCP）, which is an attack scenario simulator, and the effectiveness of the model is verified. This model can solve the problems a single traditional intrusion detection system brings.

作者刘玉玲杜瑞忠赵卫东蔡红云

机构地区河北大学数学与计算机学院

出处《计算机研究与发展》 EI CSCD 北大核心 2007年第4期589-597,共9页 Journal of Computer Research and Development

基金河北省自然科学基金项目(F2004000133)

关键词入侵检测警报关联入侵场景概率关联因果关联 correlation intrusion detection alert correlation intrusion scenario probabilistic correlation causal

分类号 TP393.08 [自动化与计算机技术—计算机应用技术]

引文网络
相关文献

参考文献8

1O M Dain,R K Cunningham.Building scenarios from a heterogeneous alert stream[C].In:Proc of the 2001 IEEE Workshop on Information Assurance and Security.West Point,NY:United States Military Academy,2001.231-235
2A Valdes,K Skinner.Probabilistic alert correlation[C].The 4th Int'l Symp on Recent Advances in Intrusion Detection,Davis,CA,2001
3H Debar,A Wespi.Aggregation and corretation of intrusion detection alerts[G].In:Recent Advances in Intrusion Detection,Lecture Notes in Computer Science 2212.Berlin:Springer-Verlag,2001.85-103
4Peng Ning,Yun Cui,Douglas S Reeves.Constructing attack scenarios through correlation of intrusion alerts[C].The 9th ACM Conf on Computer & Communications Security,Washington DC,2002
5A Valdes,K Skinner.Probabilistic alert correlation[C].The 4th Int'l Symp on Recent Advances in Intrusion Detection (RAID 2001),Davis,CA,2001
6D Curry,H Debar.Intrusion detection message exchange format data model and extensible markup language (XML)document type definition[OL].IETF.http://www.ietf.org/lid-abstracts.html,2003
7李辉,郑庆华,韩崇昭,管晓宏.基于多假设跟踪的入侵场景构建研究[J].通信学报,2005,26(4):70-79. 被引量：7
8DARPA Cyber Panel Program.DARPA cyber panel program grand challenge problem[OL].http://www.grandchallengeproblem.net,2003

二级参考文献11

1DENNING D. An intrusion detection model[J]. IEEE Transactions on Software Engineering, 1987,13(2): 222-232.
2HUANG M Y. WICKS T M. A large-scale distributed intrusion detection framework based on attack strategy analysis[A]. Web Proceedings of the First International Workshop on Recent Advances in Intrusion Detection (RAID'98)[C]. 1998.201-210.
3DEBAR H, WESPI A. Aggregation and Correlation ofIntrusion-Detection Alerts[A]. Fourth International Symposium on Recent Advance in Intrusion erection[C]. 2001.85-103.
4PENG N, YUN C, DOUGLAS S R. Analyzing intensive intrusion alerts via correlation[A]. Fifth International Symposium on Recent Advance in Intrusion Detection[C]. 2002.74-95.
5DAIN O M, CUNNINGHAM R K. Building scenarios from a heterogeneous alert stream[A]. Proceedings of the 2001 IEEE Workshop on Information Assurance and Security[C]. United States Military Academy, West Point, NY, 2001.5-6.
6VALDES A, SKINNER K. Probabilistic Alert correlation[A]. Fourth International Symposium on Recent Advance in Intrusion Detection[C]. 2001.54-69.
7REID D B. An algorithm for tracking multiple targets[J]. IEEE Transaction on Automatic Control, 1979, 24(6): 178-200.
8CHAM T J, REHG J M. A multiple hypothesis approach to figure tracking[A]. Computer Vision and Pattern Recognition (CVPR 99)[C].Ft Collins, CO, 1999. 239-245.
9ALBEROLA C, CYBENKO G V. Tracking with text-based messages[J]. Intelligent Systems, 1999, 14(4): 70-78.
10The Truth about False Positivs[EB/OL]. http://.www.iss.net.

共引文献6

1王琢,范九伦.基于隐马尔可夫模型的入侵场景构建[J].计算机应用研究,2009,26(10):3933-3937.
2王琢,范九伦,刘建华.入侵检测系统报警信息聚合方法的改进[J].计算机工程与应用,2010,46(7):107-109. 被引量：1
3杨昊,努尔布力,徐欢,胡亮.一种基于入侵场景的可视化呈现系统[J].小型微型计算机系统,2010,31(10):2059-2064. 被引量：1
4贾美娟,孔靓,邵国强.三维可视化安全态势感知技术研究[J].大庆师范学院学报,2010,30(6):19-22.
5朱丽娜,张作昌,冯力.层次化网络安全威胁态势评估技术研究[J].计算机应用研究,2011,28(11):4303-4306. 被引量：13
6何钦宝.试析大规模网络安全防卫技术[J].决策与信息,2015(30):232-232.

同被引文献16

1刘欣然.网络攻击分类技术综述[J].通信学报,2004,25(7):30-36. 被引量：36
2李军,景宁,孙茂印.多比例尺下的三维GIS细节层次可视化技术[J].计算机科学,2000,27(9):82-86. 被引量：5
3李辉,郑庆华,韩崇昭,管晓宏.基于多假设跟踪的入侵场景构建研究[J].通信学报,2005,26(4):70-79. 被引量：7
4杨嵘,张国清,韦卫,李仰耀.基于NetFlow流量分析的网络攻击行为发现[J].计算机工程,2005,31(13):137-139. 被引量：27
5鲍旭华,戴英侠,冯萍慧,朱鹏飞,魏军.基于入侵意图的复合攻击检测和预测算法[J].软件学报,2005,16(12):2132-2138. 被引量：40
6穆成坡,黄厚宽,田盛丰.入侵检测系统报警信息聚合与关联技术研究综述[J].计算机研究与发展,2006,43(1):1-8. 被引量：70
7田俊峰,赵卫东,杜瑞忠,蔡红云.新的入侵检测数据融合模型——IDSFP[J].通信学报,2006,27(6):115-120. 被引量：15
8诸葛建伟,韩心慧,叶志远,邹维.基于扩展目标规划图的网络攻击规划识别算法[J].计算机学报,2006,29(8):1356-1366. 被引量：17
9NING Peng, CUI Yun, REEVES D S. Constructing attack scenarios through correlation of intrusion alerts[ C]//Proc of the 9th ACM Conference on Computer & Communication Security. 2002.
10CHIEN S H,CHANG E H,YU C Y, et al. A subplan based attack scenario correkation[ C ]//Proc of the 6th International Conference on Machine Learning and Cybernetics. 2007.

引证文献3

1王琢,范九伦.基于隐马尔可夫模型的入侵场景构建[J].计算机应用研究,2009,26(10):3933-3937.
2王琢,范九伦,刘建华.入侵检测系统报警信息聚合方法的改进[J].计算机工程与应用,2010,46(7):107-109. 被引量：1
3李振兴,李光程,郭乃文,卢文静.网络安全态势系统可视化的设计[J].信息与电脑,2016,28(10):25-26. 被引量：2

二级引证文献3

1黄金垒,王衡军,郁滨.一种基于凝聚度的报警处理算法[J].系统仿真学报,2017,29(4):859-864. 被引量：2
2胡亮青.网络安全数据可视化与自动告警系统研究[J].大众科技,2017,19(4):5-7.
3于普漪,褚智广,滕征岑,赵轶,汪霞.面向特定网络安全事件响应的态势评估方法[J].计算机应用与软件,2018,35(10):323-328. 被引量：3

1李金明.多传感器数据关联优化探讨[J].兰州石化职业技术学院学报,2015,15(2):29-31. 被引量：4
2朱梦影,徐蕾.基于攻击图与报警相似性的混合报警关联模型[J].计算机应用,2014,34(1):108-112. 被引量：4
3王琢,范九伦.基于隐马尔可夫模型的入侵场景构建[J].计算机应用研究,2009,26(10):3933-3937.
4刘皓,肖萍,马雪飞.基于日志分析的SQL注入攻击检测与防范[J].警察技术,2015,0(2):55-58.
5王在富.浅析APT攻击检测与防护策略[J].无线互联科技,2014,11(3):120-121. 被引量：2
6SG Systems公司发布最新入侵报警无线可视验证系统[J].中国安防,2012(4):106-106.
7无人喝彩.善用Gmail邮件过滤器[J].电脑迷,2005,0(11):80-80.
8杨昊,努尔布力,徐欢,胡亮.一种基于入侵场景的可视化呈现系统[J].小型微型计算机系统,2010,31(10):2059-2064. 被引量：1
9郭帆,涂风涛,余敏.基于报警序列的入侵场景自动构建[J].计算机应用,2009,29(8):2223-2226. 被引量：3
10施群山,蓝朝桢,梁静,卢万杰,王栋.空间目标多尺度表达模型及方法[J].系统仿真学报,2016,28(9):2235-2245. 被引量：4

计算机研究与发展

2007年第4期

浏览历史

内容加载中请稍等...