Journal article

A quantitative correlation method for intervallic alerts in multi-step network attacks (cited by: 2)

Quantitative correlation method oriented to intervallic alerts for multi-step attack
Abstract (translated from the Chinese): To accurately judge the intent and the next actions of complex multi-step attacks, intrusion alerts must be correlated quantitatively. Because the alerts produced by a complex multi-step attack often appear at intervals within the alert sequence, a quantitative correlation method for intervallic alerts is proposed. An alert correlation model is built on the first-order Markov property to represent quantitatively the likelihood that an attacker chooses different attack paths; the Apriori frequent-sequence mining algorithm is used to obtain the support of frequent alert 2-sequences, and the normalized sequence support is taken as the one-step transition probability of the Markov chain. Experiments on the DARPA2000 real network dataset show that the method correlates complex multi-step attack alerts more accurately than traditional methods.

Abstract (English, as published): To help administrators predict the intention and next actions of complex multi-step attacks, it is necessary to correlate the alerts quantitatively. Considering that the alerts generated by a complex multi-step attack occur at intervals in the alert sequence, a quantitative correlation method for intervallic alerts was presented. The alert correlation model was established based on one-step Markov chains, thus evaluating the likelihood that different paths would be selected by attackers. The transition probabilities of the Markov chains were calculated based on the support degrees of frequent alert sequences, and the support degrees were defined using the Apriori algorithm. An experiment based on the DARPA2000 dataset verifies that the proposed method can correlate the alerts generated by a complex multi-step attack more accurately than traditional methods.
Authors: 李洪成, 王成, 王春雷, 袁峰 (LI Hong-cheng; WANG Cheng; WANG Chun-lei; YUAN Feng), College of Joint Operations, National Defence University, Shijiazhuang 050000, China

Source: 《计算机工程与设计》 (Computer Engineering and Design), Peking University core journal, 2019, No. 11, pp. 3073-3078 (6 pages)

Funding: National Natural Science Foundation of China project (61672531)

Keywords: multi-step attack correlation; intervallic alerts; frequent sequence mining; Markov property; transition probability matrix