Abstract
Effective collection of security data is the foundation of accurately analyzing network threats. The collection methods in common use today, such as full collection, probabilistic (sampling) collection and adaptive collection, do not consider the validity of the collected data or the correlations among the collected data; they consume too many resources and yield a low ratio of collection benefit to collection cost. To address this problem, and taking into account the factors that affect collection benefit and cost (relationships between node attributes, network topology relationships, system threat status, node resource situation, node similarity, etc.), a security data collection policy generation method based on rule association is designed. The method builds candidate collection items from the association rules between nodes and the association rules between security events that occur in the system, thereby narrowing the scope of data collection; considering collection benefit and collection cost together, it designs a multi-objective optimization function that maximizes collection benefit and minimizes collection cost, and solves this function with a genetic algorithm. Compared and analyzed against the commonly used collection methods, the experimental results show that the cumulative data collection volume of the proposed method over 12 h is 1000 to 3000 data records less than that of the other schemes, and that data validity is about 4% to 10% higher than that of the other data collection schemes, which proves the effectiveness of the proposed method.
Collecting security-related data of devices effectively is the foundation of analyzing network threats accurately. Existing data collection methods (full data collection, sampling-based data collection and adaptive data collection) do not consider the validity of the collected data and their correlation, which consumes too many collection resources and results in a low collection yield. To address this problem, considering the factors (relationships between node attributes, network topology relationship, threat status, node resource and node similarity) that impact collection costs and benefits, a rule association method to generate collection policies was designed. In the method, two types of association rules (inter-node association rules and inter-event association rules) were adopted to generate candidate data collection items and reduce the scope of data collection. Then, a multi-objective program was designed to maximize collection benefits and minimize collection costs. Further, a genetic algorithm was designed to solve this program. The proposed method was compared with existing data collection methods. The experimental results show that the number of data records collected by the proposed method is 1000~3000 less than that of the others per 12 hours, and the validity of the data collected by the proposed method is about 4%~10% higher than that of the others, which proves the effectiveness of the proposed method.
Authors
陈佩
李凤华
李子孚
郭云川
成林
CHEN Pei; LI Fenghua; LI Zifu; GUO Yunchuan; CHENG Lin (Institute of Information Engineering, Chinese Academy of Sciences, Beijing 100093, China; School of Cyber Security, University of Chinese Academy of Sciences, Beijing 100049, China; China Information Technology Security Evaluation Center, Beijing 100085, China)
Source
《网络与信息安全学报》
2021, No. 5, pp. 132-148 (17 pages)
Chinese Journal of Network and Information Security
Funding
National Key R&D Program of China (2016QY06X1203)
National Natural Science Foundation of China (U1836203)
Key R&D Program of Shandong Province (Major Science and Technology Innovation Project) (2019JZZY020127).
Keywords
policy optimization generation
multi-objective optimization
collaborative data collection
multiple class-association rules mining