
Research on discovering multi-step attack patterns based on clustering alert sequences (cited by: 18)

Research on discovering multi-step attack patterns based on clustering IDS alert sequences
Abstract: A method of discovering multi-step attack patterns from IDS alert data is studied. An alert similarity function is defined to construct the set of attack activity sequences. Sequence alignment is then used to cluster sequences with similar attack behaviour. Within each cluster, multi-step attack patterns are discovered automatically by a longest common subsequence extraction algorithm based on dynamic programming. The proposed method does not depend on large amounts of prior knowledge, needs few configuration parameters, and is easy to implement. Experimental results demonstrate the effectiveness of the proposed method.
Source: Journal on Communications (通信学报), 2011, Issue 5, pp. 63-69 (7 pages); indexed in EI, CSCD and the Peking University Core Journals list.
Funding: National Basic Research Program of China ("973" Program) project 2009CB320505; Shanghai Universities Special Research Fund for Selecting and Training Outstanding Young Teachers, project ssc09015.
Keywords: intrusion detection; alert correlation; multi-step attack; clustering