
Research on Multi-Source Alert Fusion and Quantitative Situation Assessment Techniques in Network Situation Awareness

Published: 2019-01-06 18:44
[Abstract]: Network situation awareness must extract, filter, fuse and abstract the situation information carried by security events from many sources in order to keep control of the state of the network and its security. Data fusion and situation assessment are the key supporting technologies for it. Addressing the problems of redundant security-event alerts and the quantitative assessment of network situation, this thesis studies multi-source alert fusion based on fuzzy clustering and quantitative network situation assessment based on attack graphs. The main work is as follows:

1. After analysing and summarising traditional network situation awareness models and their strengths and weaknesses, a multi-level hierarchical blackboard model of network situation awareness is proposed; it describes the functions of network situation awareness and the awareness process in a layered way.

2. Addressing the difficulty, common in network situation awareness, of effectively clustering and fusing the large volume of multi-source, heterogeneous and redundant security-event alerts, a multi-source alert fusion method based on fuzzy clustering is proposed. The method first aggregates the alerts collected by each sensor locally by time and alert type; it then introduces the membership function from set theory together with attribute influence weights, and performs correlation and fusion using a fused membership function and a fuzzy relation matrix; finally it introduces an alert fusion confidence to support analysis. Because little prior knowledge is needed, the method adapts better, correlates repeated alert events faster, improves the ability to recognise new attack behaviour sequences, and thereby reduces false positives, false negatives and repeated alerts. Experiments show that combining fuzzy clustering with confidence learning on the correlation results gives good practical results: redundant alerts are merged and fused effectively, which provides technical support for network situation awareness applications.

3. Addressing the difficulty of describing and assessing network situation, a quantitative network situation assessment method based on attack graphs is proposed. The method quantifies vulnerability attributes into concrete attack-resistance values, then computes the vulnerability situation of the whole network on the attack graph and fuses it with the threat situation produced by alert information to obtain an overall network situation value. The situation value obtained this way reflects both the state of a single host and the situation of the whole network, which solves the problem of describing the situation of a complex network in a unified way.

4. A multi-source alert fusion system was designed and implemented on top of the open-source project OSSIM, and its multi-source alert fusion and assessment functions were tested with good results.
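The fusion pipeline of item 2 (local aggregation by time and type, attribute-weighted membership, a fuzzy relation matrix, an alpha-cut into clusters, and a fusion confidence) can be made concrete with a small worked example. The code below is an added illustration written for this page, not code from the thesis or from OSSIM; the attribute weights, window lengths, alpha-cut threshold, the per-attribute membership functions and the sample alerts are all assumptions chosen to show the mechanics, since the abstract names the concepts but not the parameters.

```python
from dataclasses import dataclass, replace
from datetime import datetime, timedelta
from itertools import combinations
from typing import Dict, List

# Weights, windows and alpha-cut are assumptions for this example; the thesis
# abstract names the concepts (attribute influence weights, fused membership
# function, fuzzy relation matrix, fusion confidence) but not its parameters.
WEIGHTS: Dict[str, float] = {"src_ip": 0.3, "dst_ip": 0.3, "dst_port": 0.2, "time": 0.2}
LOCAL_WINDOW = timedelta(seconds=30)   # step 1: per-sensor aggregation window
FUSE_WINDOW = timedelta(seconds=120)   # step 2: span of the time-proximity membership
ALPHA = 0.7                            # step 3: alpha-cut applied to the relation matrix


@dataclass
class Alert:
    sensor: str
    ts: datetime
    sig: str
    src_ip: str
    dst_ip: str
    dst_port: int
    count: int = 1  # raw alerts merged into this record


def local_aggregate(alerts: List[Alert]) -> List[Alert]:
    """Step 1: on each sensor, merge raw alerts with the same signature and
    endpoints that arrive within LOCAL_WINDOW of the first one."""
    merged: List[Alert] = []
    for a in sorted(alerts, key=lambda x: x.ts):
        key = (a.sensor, a.sig, a.src_ip, a.dst_ip, a.dst_port)
        for m in merged:
            if (m.sensor, m.sig, m.src_ip, m.dst_ip, m.dst_port) == key and a.ts - m.ts <= LOCAL_WINDOW:
                m.count += a.count
                break
        else:
            merged.append(replace(a))
    return merged


def ip_membership(x: str, y: str) -> float:
    """Membership of two IPv4 addresses in 'same host or subnet': shared leading octets / 4."""
    shared = 0
    for p, q in zip(x.split("."), y.split(".")):
        if p != q:
            break
        shared += 1
    return shared / 4


def time_membership(t1: datetime, t2: datetime) -> float:
    """Linearly decaying membership in 'happened at the same time'."""
    gap = abs((t1 - t2).total_seconds())
    return max(0.0, 1.0 - gap / FUSE_WINDOW.total_seconds())


def fused_membership(a: Alert, b: Alert) -> float:
    """Step 2: fused membership = weighted sum of per-attribute memberships."""
    mu = {
        "src_ip": ip_membership(a.src_ip, b.src_ip),
        "dst_ip": ip_membership(a.dst_ip, b.dst_ip),
        "dst_port": 1.0 if a.dst_port == b.dst_port else 0.0,
        "time": time_membership(a.ts, b.ts),
    }
    return sum(WEIGHTS[k] * mu[k] for k in WEIGHTS)


def relation_matrix(alerts: List[Alert]) -> List[List[float]]:
    """Symmetric fuzzy relation matrix R with R[i][i] = 1."""
    n = len(alerts)
    r = [[1.0] * n for _ in range(n)]
    for i, j in combinations(range(n), 2):
        r[i][j] = r[j][i] = fused_membership(alerts[i], alerts[j])
    return r


def transitive_closure(r: List[List[float]]) -> List[List[float]]:
    """Max-min composition until stable, so the alpha-cut yields equivalence classes.
    Composition only selects existing entries, so exact float comparison is safe."""
    n = len(r)
    cur = r
    while True:
        nxt = [[max(min(cur[i][k], cur[k][j]) for k in range(n)) for j in range(n)] for i in range(n)]
        if nxt == cur:
            return cur
        cur = nxt


def fuse(alerts: List[Alert]) -> List[dict]:
    """Steps 1-4: cluster alerts and attach a fusion confidence (mean pairwise
    fused membership inside the cluster; 1.0 for a singleton)."""
    agg = local_aggregate(alerts)
    r = relation_matrix(agg)
    rc = transitive_closure(r)
    seen, clusters = set(), []
    for i in range(len(agg)):
        if i in seen:
            continue
        members = [j for j in range(len(agg)) if rc[i][j] >= ALPHA]
        seen.update(members)
        pairs = [r[a][b] for a, b in combinations(members, 2)]
        clusters.append({
            "sigs": sorted({agg[j].sig for j in members}),
            "raw_alerts": sum(agg[j].count for j in members),
            "confidence": round(sum(pairs) / len(pairs), 3) if pairs else 1.0,
        })
    return clusters


T0 = datetime(2014, 5, 1, 10, 0, 0)
SAMPLE = [  # constructed alerts from three sensors; not real data
    Alert("ids-A", T0, "ET SCAN SSH probe", "10.0.0.5", "192.168.1.10", 22),
    Alert("ids-A", T0 + timedelta(seconds=5), "ET SCAN SSH probe", "10.0.0.5", "192.168.1.10", 22),
    Alert("hids-B", T0 + timedelta(seconds=7), "sshd auth failure burst", "10.0.0.5", "192.168.1.10", 22),
    Alert("ids-A", T0 + timedelta(seconds=20), "ET WEB SQLi", "172.16.3.9", "192.168.1.11", 80),
    Alert("waf-C", T0 + timedelta(seconds=25), "WAF SQLi rule", "172.16.3.9", "192.168.1.11", 80),
]

if __name__ == "__main__":
    for cluster in fuse(SAMPLE):
        print(cluster)
```

Running it collapses the five raw alerts into two fused events: the two ids-A SSH probes merge locally, then join the hids-B authentication burst against the same host, while the two SQL-injection alerts from different sensors form the second cluster. The transitive closure matters because an alpha-cut of the raw relation matrix is reflexive and symmetric but not transitive, so without it two alerts could each be "close enough" to a third while landing in different clusters.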
[Degree-granting institution]: National University of Defense Technology
[Degree level]: Master's
[Year awarded]: 2014
[Classification number]: TP393.08



Source page: http://sikaile.net/guanlilunwen/ydhl/2403182.html

