Abstract
Because IDS false positives and false negatives prevent intrusion detection analysis from fully reconstructing the whole attack scenario, an intrusion detection method based on multi-source log analysis is proposed. The PrefixSpan algorithm is used to mine frequent patterns from serialized attack-process sequence data and to build a multi-source attack pattern graph. When a new alert is raised in the network, attack pattern matching is performed in the attack pattern graph according to the device that generated the alert; after a successful match, a suspicious attack identification algorithm builds a suspicious attack pattern graph, revealing new attack processes. Experimental results show that, when reconstructing attack scenarios, the method achieves a higher restoration rate than other methods, and that it has some ability to detect unknown attack processes.
Authors
张礼哲 (ZHANG Li-zhe), 顾兆军 (GU Zhao-jun), 何波 (HE Bo), 刘树发 (LIU Shu-fa)
Information Technology Security Evaluation Center, Civil Aviation University of China, Tianjin 300300, China
College of Computer Science and Technology, Civil Aviation University of China, Tianjin 300300, China
Network Security Department, Tianjin Municipal Public Security Bureau, Tianjin 300020, China
Source
《计算机工程与设计》 (Computer Engineering and Design)
Peking University core journal
2016, No. 11, pp. 2909-2916 (8 pages)
Funding
CAAC Science and Technology Fund (MHRD20140205, MHRD20150233)
CAAC Safety Capacity Building Fund (PDSA0008)
Civil Aviation Safety Fund (PESA0001)
Fundamental Research Funds for the Central Universities, Civil Aviation University of China Special Fund (3122013Z008, 3122013C004, 3122015D025)
Keywords
intrusion detection
multi-source alerts
alert log
frequent pattern
attack pattern graph