
Research on Attack Behavior Analysis in Honeynets

Published: 2018-05-21 18:37

Topic: honeynet + alert analysis; Reference: Beijing University of Posts and Telecommunications, master's thesis, 2014


[Abstract]: As computer networks grow in complexity and scale, network security problems become more severe. Attack techniques have evolved from simple attacks to complex ones, such as combined attacks, automated script attacks and coordinated attacks. Traditional network security protection can no longer meet the need, and new theories and research methods are urgently required.

A honeynet is an active defense tool: a network designed specifically to be attacked. It captures attackers' attack data and malicious code and supports analysis of attack behavior, providing a basis for security protection and, to some extent, changing the imbalance between network attack and defense. How to organize and fuse the attack data captured by a honeynet, and to derive from it the attack tools, methods, techniques and motives it contains, is a difficult point in honeynet research. A honeynet produces a large number of raw alerts in a short time. Raw alerts have a low semantic level, are isolated from one another, and include many false positives, false negatives and redundant alerts, so they cannot give users intuitive and effective information. Multi-step and combined attack methods make honeynet alert analysis harder still. Traditional honeynet alert analysis needs a large amount of historical data to discover the association rules between the alerts of a multi-step attack, has a long training period, and often ignores the specific network environment, producing many alerts that do not match the target network.

Attack graph technology can identify in advance the vulnerabilities of a networked system and the relationships between those vulnerabilities, and models graphically, from the attacker's perspective, all the attack paths a system may be subjected to. It can effectively make up for the shortcomings of traditional alert analysis and is well suited to describing multi-stage, multi-step network attacks. This thesis therefore applies attack graph technology to honeynet alert analysis, proposes the concept of an attack event graph, and designs an attack-graph-based model for analyzing honeynet attack behavior. The model has two stages: construction of the attack event graph and mining of attack patterns. In the construction stage, the details of correlation are refined rather than simply combining alert information with system vulnerability information, and the problem of dividing attack scenarios is solved. In the mining stage, representative attack behavior patterns are extracted from the generated attack event graphs, further improving the knowledge base of attack behavior patterns.

Building on this research, the thesis also presents the design and implementation of a honeynet attack behavior analysis system. Experimental data show that the method can effectively extract attack events and reconstruct attack scenarios.
[Degree-granting institution]: Beijing University of Posts and Telecommunications
[Degree level]: Master's
[Year degree conferred]: 2014
[Classification number]: TP393.08

