
Research Method of IoT Attack Behavior Based on Alert Semantic Analysis

Cited by: 3
Abstract: To address the high false alarm rate caused by the large number of raw alarms, the low semantic level of alarms, isolated data and weak correlation analysis in the IoT, this paper proposes a research method for IoT attack behavior based on alarm semantic analysis. From the alarm information and the specific network environment, a network behavior attack graph containing vulnerability connection relationships and network connection relationships is generated, which graphically simulates all attack paths the IoT system may face and identifies the system's vulnerabilities. On the basis of classifying the various alarm types by cluster analysis, deep and shallow correlation analysis is used to build the attack graph knowledge base. Finally, through online detection of alarm behavior, an online real-time alarm correlation model is used to filter redundant alarms, analyze alarms in real time and present attack scenarios at a higher semantic level. Because the proposed method builds the attack graph knowledge base in combination with the specific network environment, it improves the alarm filtering effect and alarm accuracy to a certain extent, and reduces the difficulty for managers of detecting attackers' behavior and analyzing the corresponding alarms.
Author: MA Chao (马超) (Zhejiang E-strong Communication Technology Co., Ltd., Hangzhou 310013, China)
Source: Mobile Communications (《移动通信》), 2020, No. 9, pp. 58-61, 74 (5 pages in total)
Keywords: alarm semantics; attack graph knowledge base; probabilistic suffix tree