Research on Alert Correlation Techniques for Intrusion Detection Systems
Topic: alert correlation + intrusion scenarios; Source: Shenyang Aerospace University (沈陽(yáng)航空航天大學(xué)), master's thesis, 2014
【Abstract】: In practice, intrusion detection systems suffer from high false-positive and false-negative rates, isolated alerts, and volumes of alerts too large to analyze in time. Alert correlation addresses these problems by discovering the relationships between attack events and reconstructing the attacker's intrusion path, which improves the accuracy and usability of the alert data.

This thesis analyzes and compares the common alert correlation methods and their strengths and weaknesses, dividing them into two classes: methods based on expert prior knowledge and methods based on statistical analysis of the alert data. Knowledge-based correlation can build complete and correct attack scenarios but is strongly affected by false negatives and false positives; statistical correlation can discover some new attacks but does not correctly reveal the underlying relationships between alerts.

Combining the advantages of both classes, the thesis proposes a hybrid alert correlation model based on attack graphs and similarity analysis of alert data. The model has three parts: alert preprocessing, attack-graph-based correlation, and correlation based on similarity analysis of the alert data. Preprocessing first removes periodic false alarms with a Fourier transform and a set of rules, then removes duplicate alerts with an adaptive algorithm based on dynamic dwell time and multi-level aggregation granularity. Once false and redundant alerts have been removed, an initial attack graph defined from prior knowledge of intrusion attacks describes the causal relations between alerts; similarity analysis of the alert data then correlates the remaining alerts, corrects some defects of the initial attack graph, and refines the correlation result.

A prototype system built on this model shows experimentally that the hybrid correlation model clearly exposes the intrusion paths contained in an alert set, helping network administrators identify the intruder's goal and formulate an intrusion response in time. The model also reduces dependence on expert prior knowledge and can recover a single missing attack step in the attack graph.
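The three-stage model the abstract describes, as an added worked example in Python (this is not code from the thesis or its prototype). It shows a periodic false alarm found by a discrete Fourier transform and a threshold rule, burst duplicates merged under a dwell time that grows as a burst continues, alerts chained through a prior-knowledge attack graph, and a missed scan step filled in by attribute similarity. Everything in it is assumed: the alert stream, the signature names, the prerequisite/consequence rules, the 1 s binning, the peak-to-mean rule, the dwell-time doubling, the similarity weights and the 0.5 threshold. The abstract's multi-level aggregation granularity is reduced here to one (signature, source, destination) key.

```python
"""Hybrid alert correlation in the spirit of the abstract. Illustrative code,
not the thesis prototype; every alert, rule, weight and threshold is assumed."""
import cmath
import math
from dataclasses import dataclass

@dataclass
class Alert:
    t: float        # seconds since start of the capture window
    sig: str        # IDS signature name
    src: str
    dst: str
    count: int = 1  # raw alerts merged into this one

# Constructed sample stream: a monitor probe every 10 s (periodic noise), a
# scan/exploit/exfil chain on 10.0.0.5, and an exploit/exfil pair on 10.0.0.6
# whose scan the IDS missed.
RAW_ALERTS = [Alert(float(t), "icmp-probe", "10.0.0.9", "10.0.0.1")
              for t in range(0, 120, 10)] + [
    Alert(5.0, "port-scan", "203.0.113.7", "10.0.0.5"),
    Alert(5.2, "port-scan", "203.0.113.7", "10.0.0.5"),   # burst duplicate
    Alert(5.4, "port-scan", "203.0.113.7", "10.0.0.5"),   # burst duplicate
    Alert(40.0, "rce-exploit", "203.0.113.7", "10.0.0.5"),
    Alert(50.0, "rce-exploit", "203.0.113.7", "10.0.0.6"),
    Alert(70.0, "data-exfil", "10.0.0.5", "203.0.113.7"),
    Alert(80.0, "data-exfil", "10.0.0.6", "203.0.113.7"),
]
# Assumed attack graph: (fact, address field) a signature requires / establishes.
RULES = {
    "icmp-probe":  {"requires": None,             "provides": None},
    "port-scan":   {"requires": None,             "provides": ("recon", "dst")},
    "rce-exploit": {"requires": ("recon", "dst"), "provides": ("shell", "dst")},
    "data-exfil":  {"requires": ("shell", "src"), "provides": None},
}

def periodic_signatures(alerts, window_s, bin_s=1.0, min_hits=4, peak_to_mean=4.0):
    """Signatures whose per-bin count series has one dominant DFT peak: at least
    min_hits alerts and a peak >= peak_to_mean times the mean non-DC magnitude
    (a lone burst has a flat spectrum). Naive O(n^2) DFT, so no numpy needed."""
    n, periodic = int(window_s / bin_s), set()
    for sig in {a.sig for a in alerts}:
        series = [0] * n
        for a in alerts:
            if a.sig == sig and 0 <= int(a.t // bin_s) < n:
                series[int(a.t // bin_s)] += 1
        if sum(series) < min_hits:
            continue
        mags = [abs(sum(x * cmath.exp(-2j * math.pi * k * m / n)
                        for m, x in enumerate(series))) for k in range(1, n // 2 + 1)]
        if max(mags) >= peak_to_mean * sum(mags) / len(mags):
            periodic.add(sig)
    return periodic

def deduplicate(alerts, base_dwell=1.0, max_dwell=8.0):
    """Merge same (sig, src, dst) alerts inside a dwell window that starts at
    base_dwell and doubles (capped) per absorbed alert: a sustained burst folds
    into one alert while isolated repeats stay separate."""
    merged, clusters = [], {}  # key -> [head alert, deadline, current dwell]
    for a in sorted(alerts, key=lambda x: x.t):
        key = (a.sig, a.src, a.dst)
        cl = clusters.get(key)
        if cl and a.t <= cl[1]:
            cl[0].count += 1
            cl[2] = min(cl[2] * 2, max_dwell)
            cl[1] = a.t + cl[2]
        else:
            merged.append(Alert(a.t, a.sig, a.src, a.dst))
            clusters[key] = [merged[-1], a.t + base_dwell, base_dwell]
    return merged

def provided_fact(a):
    """Fact an alert establishes, e.g. ('shell', '10.0.0.5'), or None."""
    prov = RULES[a.sig]["provides"]
    return None if prov is None else (prov[0], getattr(a, prov[1]))

def similarity(a, b, tau=120.0):
    """Same attacker, same victim and time proximity, with assumed weights."""
    return (0.4 * (a.src == b.src) + 0.3 * (a.dst == b.dst)
            + 0.3 * math.exp(-abs(a.t - b.t) / tau))

def build_attack_graph(alerts, sim_threshold=0.5):
    """Return (time-ordered alerts, edges). (i, j, 'causal'): alert i establishes
    exactly the fact alert j requires. (i, j, 'inferred'): no alert does, so the
    most similar earlier alert whose signature yields that kind of fact stands
    in for the step the IDS missed."""
    alerts, edges = sorted(alerts, key=lambda x: x.t), []
    for j, a in enumerate(alerts):
        req = RULES[a.sig]["requires"]
        if req is None:
            continue
        needed = (req[0], getattr(a, req[1]))
        causes = [i for i in range(j) if provided_fact(alerts[i]) == needed]
        if causes:
            edges.append((causes[-1], j, "causal"))  # latest enabling step
            continue
        cands = [i for i in range(j)
                 if provided_fact(alerts[i]) and provided_fact(alerts[i])[0] == req[0]]
        if cands:
            best = max(cands, key=lambda i: similarity(alerts[i], a))
            if similarity(alerts[best], a) >= sim_threshold:
                edges.append((best, j, "inferred"))
    return alerts, edges

def correlate(raw_alerts, window_s=120.0):
    """Whole pipeline: periodic-noise filter, dedup, attack-graph build."""
    noisy = periodic_signatures(raw_alerts, window_s)
    ordered, edges = build_attack_graph(
        deduplicate(a for a in raw_alerts if a.sig not in noisy))
    return noisy, ordered, edges
```

Calling `correlate(RAW_ALERTS)` drops the icmp-probe signature, folds the three scan alerts into one alert with count 3, and returns four edges: scan to exploit on 10.0.0.5 and exploit to exfiltration on both hosts as causal links, plus an inferred link from the scan to the exploit on 10.0.0.6, whose own scan was never alerted. One caveat on the periodic filter: a beaconing implant checks in periodically too, so in practice the rule should drop only periodic alerts from known monitoring sources rather than every periodic signature.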
【Degree-granting institution】: Shenyang Aerospace University (沈陽(yáng)航空航天大學(xué))
【Degree level】: Master's
【Year conferred】: 2014
【Classification number】: TP393.08
Article number: 2037067
Article link: http://sikaile.net/guanlilunwen/ydhl/2037067.html