Research and Implementation of a Comprehensive Analysis Method for Intrusion Detection Alerts
Published: 2018-12-13 11:00
[Abstract]: An intrusion detection system (IDS) monitors network traffic in real time and raises alerts on suspicious traffic. As attack techniques grow more sophisticated and large-scale coordinated attacks become common, the limitations of IDSs become increasingly apparent: the volume of alerts is huge, false-negative and false-positive rates are high, and the alerts are low-level and isolated from one another. An IDS is therefore hard for security analysts to use directly, and further correlation analysis of the alerts it produces is increasingly important. Causality-based alert correlation is one of the most representative approaches. In many cases, however, it fails to produce a complete attack scenario graph for a sustained coordinated attack; for various reasons the scenario is fragmented into several sub-graphs. In addition, common causal correlation methods cannot process large volumes of alerts in a timely way, so their usability is poor and they cannot be deployed in practice.

To address these limitations, this thesis proposes and implements a comprehensive alert analysis method based on an attack strategy graph. First, by analysing the characteristics of large-scale coordinated attacks and of intrusion detection alert data, an attack strategy graph model is built as a prior knowledge base. Second, several alert analysis methods are proposed and implemented on top of this knowledge base, chiefly reconstruction of the complete attack scenario graph, inference of IDS false negatives (attack steps the IDS missed), and prediction of subsequent alerts. Third, alert data fusion and a new sliding-window mechanism are introduced to raise analysis efficiency and keep the system usable. Finally, the system is developed and tested; the results show that the method is both effective and efficient in practice.
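The abstract names four building blocks (a strategy graph as prior knowledge, scenario reconstruction, false-negative inference, next-alert prediction) plus alert fusion and a sliding window for throughput. The following is an added example that is not code from the thesis: a toy implementation of all four on a constructed strategy graph, with constructed signature names, addresses and alerts. The graph is a precondition graph (an edge A -> B means step A enables step B); a scenario is keyed on the attacker address, and when an alert's signature is reachable from a scenario's last step but only via nodes that were never alerted on, those nodes are recorded as inferred false negatives.

```python
"""Toy alert correlation over an attack strategy graph.

Added example, not code from the thesis. The graph, signature names
and sample alerts are constructed for illustration.
"""
from collections import deque
from dataclasses import dataclass, field

# Constructed attack strategy graph (prior knowledge base).
# An edge A -> B means "step A is a precondition of step B".
STRATEGY_GRAPH = {
    "port_scan":       ["service_probe"],
    "service_probe":   ["exploit_attempt"],
    "exploit_attempt": ["shell_spawn"],
    "shell_spawn":     ["priv_escalation", "data_exfil"],
    "priv_escalation": ["data_exfil"],
    "data_exfil":      [],
}


@dataclass(frozen=True)
class Alert:
    ts: int     # seconds since start of capture
    sig: str    # IDS signature name, mapped 1:1 onto a graph node
    src: str    # attacker address
    dst: str    # victim address


@dataclass
class Scenario:
    src: str
    steps: list                                   # observed + inferred, in order
    inferred: list = field(default_factory=list)  # steps the IDS missed
    last_ts: int = 0


def fuse_alerts(alerts, window=5):
    """Alert fusion: repeats of the same (sig, src, dst) within `window`
    seconds of the last kept copy are dropped. Output is time-ordered."""
    last_kept, fused = {}, []
    for a in sorted(alerts, key=lambda x: x.ts):
        key = (a.sig, a.src, a.dst)
        if key in last_kept and a.ts - last_kept[key] <= window:
            continue
        last_kept[key] = a.ts
        fused.append(a)
    return fused


def shortest_path(graph, start, goal):
    """BFS over the strategy graph; returns [start, ..., goal] or None."""
    prev, queue = {start: None}, deque([start])
    while queue:
        node = queue.popleft()
        if node == goal:
            path = []
            while node is not None:
                path.append(node)
                node = prev[node]
            return path[::-1]
        for nxt in graph.get(node, []):
            if nxt not in prev:
                prev[nxt] = node
                queue.append(nxt)
    return None


def correlate(alerts, graph, window=60):
    """Sliding-window scenario reconstruction.

    An alert joins the first active scenario with the same attacker whose
    last step can reach the alert's signature in the graph. Intermediate
    nodes on that path were never alerted on, so they are recorded as
    inferred false negatives. Scenarios idle for more than `window`
    seconds are retired so the active set stays small."""
    active, closed = [], []
    for a in fuse_alerts(alerts):
        still_active = []
        for sc in active:
            (still_active if a.ts - sc.last_ts <= window else closed).append(sc)
        active = still_active
        for sc in active:
            if sc.src != a.src:
                continue
            path = shortest_path(graph, sc.steps[-1], a.sig)
            if path is None:
                continue
            sc.inferred.extend(path[1:-1])   # missed intermediate steps
            sc.steps.extend(path[1:])        # empty if the same step repeats
            sc.last_ts = a.ts
            break
        else:
            active.append(Scenario(src=a.src, steps=[a.sig], last_ts=a.ts))
    return closed + active


def predict_next(scenario, graph):
    """Subsequent-alert prediction: graph successors of the last step."""
    return list(graph.get(scenario.steps[-1], []))


# Constructed sample alerts (not real IDS output).
SAMPLE_ALERTS = [
    Alert(0, "port_scan", "10.0.0.5", "10.0.0.20"),
    Alert(1, "port_scan", "10.0.0.5", "10.0.0.20"),      # fused away
    Alert(2, "port_scan", "10.0.0.5", "10.0.0.20"),      # fused away
    Alert(10, "service_probe", "10.0.0.5", "10.0.0.20"),
    # exploit_attempt deliberately absent: the IDS missed it
    Alert(30, "shell_spawn", "10.0.0.5", "10.0.0.20"),
    Alert(20, "data_exfil", "10.0.0.9", "10.0.0.21"),    # unrelated attacker
    Alert(50, "priv_escalation", "10.0.0.5", "10.0.0.20"),
    Alert(200, "data_exfil", "10.0.0.5", "10.0.0.20"),   # long after the rest
]


def run(window=60):
    return correlate(SAMPLE_ALERTS, STRATEGY_GRAPH, window=window)


if __name__ == "__main__":
    for sc in run():
        print(sc.src, sc.steps, "inferred:", sc.inferred,
              "next:", predict_next(sc, STRATEGY_GRAPH))
```

With the default 60-second window the 10.0.0.5 activity comes out as one scenario of five steps with `exploit_attempt` inferred as a missed detection and `data_exfil` predicted as the next alert, but the late `data_exfil` at t=200 lands in a separate scenario: exactly the fragmentation the abstract complains about, here caused by the window size rather than by the correlation rule. Running `run(window=200)` merges it into the same scenario. The window is therefore a throughput-versus-completeness knob, and keying scenarios on the attacker address alone means a pivot through a second host starts a fresh scenario; a production implementation would also match on the victim and on hosts the attacker has already compromised.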
【學(xué)位授予單位】:西安電子科技大學(xué)
【學(xué)位級(jí)別】:碩士
【學(xué)位授予年份】:2014
【分類號(hào)】:TP393.08
本文編號(hào):2376427
【參考文獻(xiàn)】
相關(guān)期刊論文 前1條
1 馬琳茹;楊林;王建新;唐鑫;;利用模糊聚類實(shí)現(xiàn)入侵檢測(cè)告警關(guān)聯(lián)圖的重構(gòu)[J];通信學(xué)報(bào);2006年09期
本文編號(hào):2376427
Link to this article: http://sikaile.net/guanlilunwen/ydhl/2376427.html