Research on Alert Correlation Technology for Intrusion Detection Systems
Topic: alert correlation + intrusion scenarios; Source: Shenyang Aerospace University, 2014 master's thesis
[Abstract]: In practical deployment, intrusion detection systems suffer from high false-positive and false-negative rates, isolated alerts, and volumes of alert data that cannot be analysed in time. Alert correlation research addresses these problems by uncovering the relationships between attack events and reconstructing the attacker's intrusion path, thereby improving the accuracy and usefulness of alert information.

This thesis analyses and compares the common alert correlation methods and their respective strengths and weaknesses, dividing them into two categories: methods based on expert prior knowledge and methods based on data statistics. Knowledge-based correlation can build complete and correct attack scenarios but is strongly affected by missed alerts (false negatives) and false alarms; statistics-based correlation can discover some new attacks but cannot correctly reveal the intrinsic relationships between alerts.

Combining the advantages of both categories, the thesis proposes a hybrid alert correlation model based on attack graphs and similarity analysis of alert data. The model has three parts: alert preprocessing, attack-graph-based correlation, and correlation based on similarity analysis of alert data. Preprocessing first applies a Fourier transform together with a set of rules to remove periodic false alarms, then uses an adaptive algorithm based on dynamic residence time and multi-level aggregation granularity to remove duplicate alerts from the alert set. With false and redundant alerts removed, an initial attack graph is first defined from prior knowledge of intrusion attacks to describe the causal relationships between alerts; correlation based on similarity analysis of the alert data is then used to correct some of the defects of the initial attack graph and refine the correlation result.

A prototype system built on this model shows in experiments that the hybrid correlation model clearly exposes the intrusion paths contained in an alert data set, helping the network administrator discover the intruder's objective and formulate an intrusion response strategy in time. The model also reduces dependence on expert prior knowledge and recovers well from the omission of a single attack step in the attack graph.
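The three-stage pipeline the abstract describes, as an added example that is not the thesis's own code: a small Python script that (1) flags an alert stream as a periodic false alarm when the discrete Fourier transform of its binned count series has one dominant non-DC spectral line, (2) merges repeated alerts with a hold time that grows while repeats keep arriving (a simplified stand-in for the dynamic residence time and multi-level granularity algorithm), and (3) links the surviving alerts along a prior-knowledge attack graph, bridging exactly one missed step when the alerts on either side of the gap are similar enough. The alert records, host addresses, signature names, the four-step graph, the weights and all thresholds are constructed for the example and are not taken from the thesis.

```python
import cmath
import math
from collections import defaultdict

# Constructed sample alerts (not from the thesis): (timestamp_s, signature, src, dst).
ALERTS = (
    # a monitoring host that triggers the same signature every 60 s for an hour (periodic false alarm)
    [(t, "probe", "10.0.0.5", "10.0.0.9") for t in range(0, 3600, 60)]
    # the same scan alert repeated five times within a few seconds (redundant alerts)
    + [(1000 + i, "scan", "10.0.0.7", "10.0.0.9") for i in range(5)]
    # a later step of the same intrusion path; the "exploit" step in between was missed (false negative)
    + [(1200, "backdoor", "10.0.0.7", "10.0.0.9")]
)

BIN_S, WINDOW_S = 10, 3600   # bin width and analysis window for the count series
PEAK_RATIO, MIN_COUNT = 8.0, 10  # spectral peak-to-mean ratio and minimum alert count to judge periodicity
BASE_HOLD_S, MAX_HOLD_S = 2, 30  # initial and maximum hold time for duplicate suppression
SIM_THRESHOLD, MAX_GAP_S = 0.7, 600  # similarity needed to bridge a missed step, and time horizon

# Prior-knowledge attack graph (constructed): each step maps to the step it requires.
ATTACK_GRAPH = {"probe": None, "scan": "probe", "exploit": "scan", "backdoor": "exploit"}


def dft_magnitudes(series):
    """Naive discrete Fourier transform (no numpy needed); returns |X[k]| for k = 0..N-1."""
    n = len(series)
    return [abs(sum(x * cmath.exp(-2j * math.pi * k * i / n) for i, x in enumerate(series)))
            for k in range(n)]


def is_periodic(timestamps):
    """True when the binned alert-count series has one dominant non-DC spectral line."""
    if len(timestamps) < MIN_COUNT:
        return False
    n = WINDOW_S // BIN_S
    series = [0] * n
    for t in timestamps:
        series[(t // BIN_S) % n] += 1
    mags = dft_magnitudes(series)[1:]   # drop k = 0, which is just the total alert count
    mean = sum(mags) / len(mags)
    return mean > 0 and max(mags) / mean >= PEAK_RATIO


def deduplicate(alerts):
    """Merge repeats of one (signature, src, dst); the hold time doubles while repeats keep coming."""
    merged, hold, out = {}, {}, []
    for t, sig, src, dst in sorted(alerts):
        key = (sig, src, dst)
        h = hold.get(key, BASE_HOLD_S)
        if key in merged and t - merged[key]["last"] <= h:
            merged[key]["count"] += 1
            merged[key]["last"] = t
            hold[key] = min(h * 2, MAX_HOLD_S)   # still repeating: lengthen the residence time
        else:
            merged[key] = {"t": t, "last": t, "sig": sig, "src": src, "dst": dst, "count": 1}
            out.append(merged[key])
            hold[key] = BASE_HOLD_S              # fresh alert: back to the base residence time
    return out


def similarity(a, b):
    """Attribute similarity (constructed weights) deciding whether two alerts share one intrusion path."""
    s = 0.4 * (a["src"] == b["src"]) + 0.4 * (a["dst"] == b["dst"])
    return s + 0.2 * max(0.0, 1 - abs(b["t"] - a["t"]) / MAX_GAP_S)


def correlate(alerts):
    """Link alerts per target along the attack graph; bridge a single missed step via similarity."""
    by_dst = defaultdict(list)
    for a in alerts:
        by_dst[a["dst"]].append(a)
    paths = []
    for group in by_dst.values():
        group.sort(key=lambda a: a["t"])
        path = [(group[0]["sig"], "observed")]
        for prev, cur in zip(group, group[1:]):
            need = ATTACK_GRAPH.get(cur["sig"])
            if need == prev["sig"]:
                path.append((cur["sig"], "observed"))
            elif need and ATTACK_GRAPH.get(need) == prev["sig"] and similarity(prev, cur) >= SIM_THRESHOLD:
                path.append((need, "inferred"))       # exactly one missed step is filled in
                path.append((cur["sig"], "observed"))
            else:
                paths.append(path)                    # causal chain broken: start a new path
                path = [(cur["sig"], "observed")]
        paths.append(path)
    return paths


def analyse(alerts):
    """Full pipeline: drop periodic false alarms, merge duplicates, then reconstruct intrusion paths."""
    by_key = defaultdict(list)
    for t, sig, src, dst in alerts:
        by_key[(sig, src, dst)].append(t)
    periodic = {key for key, ts in by_key.items() if is_periodic(ts)}
    kept = deduplicate(a for a in alerts if a[1:] not in periodic)
    return periodic, kept, correlate(kept)


if __name__ == "__main__":
    periodic, kept, paths = analyse(ALERTS)
    print("periodic false alarms:", periodic)
    print("after deduplication:", [(a["sig"], a["count"]) for a in kept])
    print("intrusion paths:", paths)
```

On the constructed input the probe stream is removed because its spectrum has a single line at the 60 s period, the five scan alerts collapse into one record with count 5, and the reconstructed path reads scan, inferred exploit, backdoor, which is the single-missing-step recovery the abstract claims. The signature-level spectrum test ignores the low-frequency content a short burst produces, so irregular scans with fewer alerts than MIN_COUNT are never mistaken for periodic noise.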
[Degree-granting institution]: Shenyang Aerospace University
[Degree level]: Master's
[Year awarded]: 2014
[CLC number]: TP393.08
Record ID: 2037067
Link: http://sikaile.net/guanlilunwen/ydhl/2037067.html