
A Security Event Correlation Rule Generation Method Based on One-Class SVM and GP (journal article; cited by: 7)

A Security Event Correlation Rule Generation Method Research Based on One-Class SVM and Genetic Programming
Abstract: With the rapid development of information technology, enterprises and organizations are suffering an increasing variety of cyber security threats. Security Information and Event Management (SIEM) plays an essential role in finding insider threats, suspicious behaviors and other advanced persistent threats (APT) through its correlation capability. SIEM detection capability relies on accurate and reliable correlation rules; however, the traditional way of producing rules is to have human experts write them by hand, which is costly, time-consuming and inefficient. In this paper we propose an adaptive rule generation framework that generates correlation rules automatically. First, to identify unknown attacks more effectively, we propose a security event classification algorithm based on a One-Class Support Vector Machine (One-Class SVM); experiments show a classification accuracy as high as 97%. Second, to improve the accuracy of rule generation, we optimize a Genetic Programming (GP) rule generation algorithm by redefining the individual structure and the crossover and mutation operations; the best individual fitness reaches 94%. Experimental results show that the proposed framework adapts to identify unknown attacks, achieves a competitive threat detection accuracy and reduces the need for human involvement. The framework has also been deployed in a real production environment, where it detects more attack types than the existing system.
Authors: DU Dong-dong (杜栋栋); REN Xing-zhang (任星彰); CHEN Kun (陈坤); YE Wei (叶蔚); ZHAO Wen (赵文); ZHANG Shi-kun (张世琨). Affiliations: School of Electronics Engineering and Computer Science, Peking University, Beijing 100871, China; School of Software and Microelectronics, Peking University, Beijing 100871, China; National Engineering Research Center for Software Engineering, Peking University, Beijing 100871, China.
Source: Acta Electronica Sinica (《电子学报》), indexed in EI, CAS, CSCD and the Peking University Core Journals list; 2018, No. 8, pp. 1793-1803 (11 pages).
Funding: National Key R&D Program of China (No. 2017YFB0802900); Beijing Natural Science Foundation (No. 4182024); China Postdoctoral Science Foundation (No. 2017M620524).
Keywords: security events; correlation rule generation; log management; security information and event management (SIEM); one-class support vector machine; genetic programming.