Abstract
Attack modeling uses the logs produced by network security devices to model attack behavior and discover the characteristics and patterns of attacks, so as to improve the ability to respond to sudden network attacks. For attack modeling, this paper proposes an attack graph generation method: based on the similarity between attack behavior and workflows, a heuristic process mining algorithm is used to model attack behavior and generate the network attack graph. To address the excessive complexity of the generated attack graphs, an attack graph segmentation method is proposed that splits the graph by separating attack branch steps, dividing a complex attack graph into multiple attack subgraphs while preserving its basic structure and thereby improving readability. For attack modeling over massive volumes of security log data, a distributed attack graph generation algorithm and a distributed attack graph segmentation method are proposed, improving the efficiency of mining attack models. Experiments show that, compared with the baseline methods, the proposed method mines the intruder's attack steps more completely.
Attack modeling aims to generate attack models by investigating attack behaviors recorded in intrusion alerts raised in network security devices. Attack models can help network security administrators discover an attack strategy that intruders use to compromise the network and implement a timely response to security threats. However, the state-of-the-art algorithms for attack modeling are unable to obtain a high-level or global-oriented view of the attack strategy. To address the aforementioned issue, considering the similarity between attack behavior and workflow, we employ a heuristic process-mining algorithm to generate the initial attack graph. Although the initial attack graphs generated by the heuristic process mining algorithm are complete, they are extremely complex for manual analysis. To improve their readability, we propose a graph segmentation algorithm to split a complex attack graph into multiple subgraphs while preserving the original structure. Furthermore, to handle massive volume alert data, we propose a distributed attack graph generation algorithm based on Hadoop MapReduce and a distributed attack graph segmentation algorithm based on Spark GraphX. Additionally, we conduct comprehensive experiments to validate the performance of the proposed algorithms. The experimental results demonstrate that the proposed algorithms achieve considerable improvement over comparative algorithms in terms of accuracy and efficiency.
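The abstract describes two steps, mining an attack graph from alert sequences with a heuristic process-mining algorithm and then segmenting the result into readable subgraphs, without showing what either looks like on data. The following Python is an added illustration, not code from the paper or its authors: it applies the standard Heuristics Miner dependency measure (Weijters et al.) to constructed alert traces, keeps edges that pass a dependency threshold and a minimum support, and then splits the graph into one chain per source-to-sink path. The alert type names, the thresholds and the path-based segmentation are assumptions for illustration; the paper's own segmentation separates attack branch steps and is not reproduced here.

```python
"""Heuristic-miner style attack graph from alert sequences (added example)."""
from collections import Counter, defaultdict

# Constructed sample data: each trace is the ordered list of alert types raised
# during one intrusion session (e.g. alerts correlated by source address), oldest
# first. Trace 6 is deliberate noise: a reversed pair and a skipped step.
SAMPLE_TRACES = [
    ["port_scan", "ssh_brute", "priv_esc", "exfil"],
    ["port_scan", "ssh_brute", "priv_esc", "exfil"],
    ["port_scan", "web_exploit", "priv_esc", "exfil"],
    ["port_scan", "web_exploit", "priv_esc", "c2_beacon", "exfil"],
    ["port_scan", "ssh_brute", "priv_esc", "c2_beacon", "exfil"],
    ["ssh_brute", "port_scan", "priv_esc", "exfil"],
    ["port_scan", "ssh_brute", "priv_esc", "exfil"],
    ["port_scan", "ssh_brute", "priv_esc", "c2_beacon", "exfil"],
]


def directly_follows(traces):
    """Count how often alert type a is immediately followed by b (|a > b|)."""
    counts = Counter()
    for trace in traces:
        for a, b in zip(trace, trace[1:]):
            counts[(a, b)] += 1
    return counts


def dependency(counts, a, b):
    """Heuristics Miner dependency measure: (|a>b| - |b>a|) / (|a>b| + |b>a| + 1).

    Close to 1 means a reliably precedes b; near 0 or negative means the
    order is unstable (noise, concurrency) or reversed."""
    ab, ba = counts[(a, b)], counts[(b, a)]
    return (ab - ba) / (ab + ba + 1)


def mine_attack_graph(traces, dep_threshold=0.5, min_support=2):
    """Return {(a, b): dependency} for edges passing both thresholds.

    min_support drops rare transitions such as the skipped step in the noise
    trace, which would otherwise pass the dependency test with a single hit."""
    counts = directly_follows(traces)
    edges = {}
    for (a, b), n in counts.items():
        d = dependency(counts, a, b)
        if n >= min_support and d >= dep_threshold:
            edges[(a, b)] = d
    return edges


def branch_nodes(edges):
    """Alert types where the mined attack strategy forks (out-degree > 1)."""
    out = Counter(a for a, _ in edges)
    return sorted(n for n, deg in out.items() if deg > 1)


def segment_attack_graph(edges):
    """Split the graph into one subgraph (chain) per source-to-sink path.

    Simplified stand-in for branch-based segmentation: every alternative at a
    branch node ends up in its own chain, so each chain reads as one strategy."""
    succ = defaultdict(list)
    nodes = set()
    for a, b in edges:
        succ[a].append(b)
        nodes.update((a, b))
    targets = {b for _, b in edges}
    sources = sorted(n for n in nodes if n not in targets)
    chains = []

    def walk(path):
        node = path[-1]
        if not succ[node]:  # sink reached
            chains.append(tuple(path))
            return
        for nxt in sorted(succ[node]):
            if nxt not in path:  # guard against cycles in the mined graph
                walk(path + [nxt])

    for s in sources:
        walk([s])
    return chains


if __name__ == "__main__":
    graph = mine_attack_graph(SAMPLE_TRACES)
    for (a, b), d in sorted(graph.items()):
        print(f"{a:12} -> {b:12} dependency={d:.2f}")
    print("branch points:", branch_nodes(graph))
    for chain in segment_attack_graph(graph):
        print(" -> ".join(chain))
```

On the constructed traces the reversed pair in trace 6 gets a negative dependency and is discarded, the skipped step passes the dependency test but fails the support threshold, and the surviving seven edges fork at port_scan and priv_esc, giving four chains. Raising dep_threshold makes the miner stricter about ordering noise; raising min_support removes low-frequency branches, which is the usual trade-off between completeness and readability that the paper's segmentation step is meant to relieve.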
Authors
刘贞宇
陈羽中
郭昆
张毓东
LIU Zhen-yu;CHEN Yu-zhong;GUO Kun;ZHANG Yu-dong(Fujian Key Laboratory of Network Computing and Intelligent Information Processing,Fuzhou University,Fuzhou 350116,China;Key Laboratory of Spatial Data Mining&Information Sharing,Fuzhou University,Fuzhou 350116,China)
Source
《小型微型计算机系统》
Indexed in CSCD (Chinese Science Citation Database)
Peking University Core Journals list
2020, No. 8, pp. 1732-1740 (9 pages)
Journal of Chinese Computer Systems
Funding
Supported by the National Natural Science Foundation of China (61672158, 61972097)
Supported by the Fujian Provincial University-Industry Cooperation Project (2018H6010)
Supported by the Natural Science Foundation of Fujian Province (2018J01795)
Keywords
distributed attack modeling
process mining
attack graph
graph segmentation