Research on Multi-Source Alarm Fusion and Quantitative Situation Assessment Techniques in Network Situational Awareness
[Abstract]: Network situational awareness needs to extract, filter, fuse and abstract the situation information of multi-source security events in order to keep the network and its security situation under control. Data fusion and situation assessment are its key technologies. To address the problems of redundant security event alarms and of quantitatively evaluating the network situation, this paper focuses on multi-source alarm fusion based on fuzzy clustering and on a quantitative network situation evaluation method based on attack graphs. The main work is as follows:

1. Based on an in-depth analysis and summary of traditional network situational awareness models and their advantages and disadvantages, a multi-level hierarchical blackboard model of network situational awareness is proposed, which describes the functions and process of network situational awareness in a hierarchical manner.

2. To address the problem that the large volume of multi-source, heterogeneous and redundant security event alarm information in network situational awareness is difficult to cluster effectively, a multi-source alarm fusion method based on fuzzy clustering is proposed. In this method, the alarm information collected by each sensor is first aggregated locally according to time and alarm type. The membership function from set theory is then introduced in combination with attribute influence weights, and the concepts of fusion membership function and fuzzy relation matrix are used to fuse the alarms by their relationships. Finally, a confidence degree for alarm fusion is introduced to assist the analysis. Because the method does not need much prior knowledge, it adapts well, can quickly correlate repeated alarm events, improves the ability to identify new attack behavior sequences, and achieves the purpose of reducing false positives, false alarms and repeated alarms. The experimental results show that fuzzy clustering, together with confidence degree learning on the correlation results, achieves good practical effect, fuses redundant alarms effectively, and provides technical support for the application of network situational awareness.

3. To address the problem that the network situation is difficult to describe and evaluate, a quantitative evaluation method based on attack graphs is proposed. This method quantifies vulnerability attributes into specific attack reactance values, then calculates, based on the attack graph, the vulnerability situation of the whole network and the threat situation generated by the alarm information, and obtains the comprehensive situation value of the network. The network situation value calculated by this method can reflect not only the situation of a single computer network but also the situation of the whole network, thus solving the problem of describing a complex network situation in a unified way.

4. Based on the open source project OSSIM, a multi-source alarm fusion system is designed and implemented, the functions of multi-source alarm fusion and evaluation are tested, and good results are obtained.
[Degree-granting institution]: National University of Defense Technology
[Degree level]: Master's
[Year degree granted]: 2014
[Classification number]: TP393.08