Research on Key Technologies for Network Security Threat Situational Awareness Based on Multi-source Alarm Logs
[Abstract]: With the development of Internet technology and the growing informatization of society, the network has become an indispensable part of production and daily life, and network security has drawn increasing attention. A variety of security products are deployed to detect attack threats and keep the network running safely. However, each of these means is effective only within a limited scope, and there is no effective mechanism for fusing their data and managing them cooperatively. Faced with large volumes of scattered information, network security managers cannot respond to attack threats in time. To grasp the threat of network attacks and maintain secure operation of the network as a whole, network security threat situational awareness technology has emerged and become a new hot spot in network security research. Threat situational awareness built on the alarm logs of network security protection equipment, including intrusion detection systems, intrusion prevention systems, firewalls and operating system logs, is the mainstream of current research. Most of that research, however, analyzes and processes each kind of alarm log separately, so it cannot exploit the correlation and complementarity between the data, and its results do not accurately reflect the security threats the network currently faces.

This thesis takes multi-source alarm logs as its starting point and studies the key technologies of network security threat situational awareness, from the situational awareness model through the acquisition of threat situation information and the analysis of threat situation elements. The main contents are as follows:

1. Model research. In view of the shortcomings of existing network security situational awareness models when applied to multi-source alarm logs, a network security threat situational awareness model based on multi-source alarm logs is proposed. Following the main line of threat situation data acquisition and threat situation element analysis, corresponding solutions are given for each stage.

2. Threat situation data analysis. The working principles, alarm log characteristics and log formats of common network security protection equipment are analyzed in depth, corresponding processing methods are given, and a standardization model for threat situation data is proposed. Because the study of network attacks is an important aspect of threat situational awareness, and existing attack classification methods are found wanting, an attack classification scheme guided by the attack process is put forward on the basis of a thorough understanding of network attacks.

3. Threat situation element analysis. Multi-source alarm logs are processed in two stages. First, alarms from a single source are aggregated using the similarity of their attributes, yielding network attack events. Second, attack events from multiple sources are fused with an improved Dempster-Shafer (D-S) evidence theory method, yielding attack events with high credibility, which are taken as the elements of the network security threat situation.

4. Network attack event association analysis. An association analysis method based on a reasoning model is proposed. First, each fused attack event is mapped to its attack semantics through a semantic mapping model. Second, all possible attack transition vectors are derived with the reasoning model. Finally, an association analysis algorithm combines these into a network attack scenario graph that reflects the attack behaviour, reveals the attack intention and guides network security protection work.

Finally, the work of the thesis is summarized, the prospects for network security threat situational awareness based on multi-source alarm logs are discussed, and directions for further research are pointed out.
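The two-stage pipeline of the third contribution (single-source aggregation by attribute similarity, then cross-source fusion with D-S evidence theory) is illustrated below. This is an added example written for this page, not the thesis's code: the alarm line format, the two sensor names (`ids`, `fw`), the 60-second aggregation window, the per-source reliability factors and the way a basic probability assignment is derived from an event's repeat count are all constructed assumptions, and the fusion step uses the standard Dempster rule of combination rather than the thesis's improved variant. The credibility of a fused event is taken as its belief in the `attack` hypothesis, and events whose belief clears a threshold are kept as situation elements.

```python
"""Added example: single-source alarm aggregation followed by Dempster-Shafer
fusion across sources. Not the thesis's code; all alert lines, field names,
reliability factors and mass assignments are constructed for illustration."""
from collections import defaultdict

# Frame of discernment for one aggregated event: is it an attack or benign?
ATTACK, BENIGN = "attack", "benign"
THETA = frozenset({ATTACK, BENIGN})  # total ignorance

# Constructed alarm lines: source|timestamp|src_ip|dst_ip|dst_port|attack_kind
RAW_ALERTS = [
    "ids|1000|10.0.0.5|10.0.0.9|445|scan",
    "ids|1012|10.0.0.5|10.0.0.9|445|scan",
    "ids|1020|10.0.0.5|10.0.0.9|445|scan",
    "ids|1500|10.0.0.7|10.0.0.9|22|bruteforce",
    "fw|1005|10.0.0.5|10.0.0.9|445|scan",
    "fw|1030|10.0.0.5|10.0.0.9|445|scan",
    "fw|1800|10.0.0.8|10.0.0.9|80|probe",
]

# Assumed reliability (discount) of each sensor, in [0, 1].
RELIABILITY = {"ids": 0.8, "fw": 0.6}


def parse(line):
    """Normalise one raw alarm line into a dict with typed fields."""
    source, ts, src, dst, port, kind = line.split("|")
    return {"source": source, "ts": int(ts), "src": src, "dst": dst,
            "port": int(port), "kind": kind}


def aggregate(alerts, window=60):
    """Attribute-similarity aggregation within ONE source. Alarms with equal
    (src, dst, port, kind) whose timestamp lies within `window` seconds of the
    running event's last alarm are merged into that event and counted."""
    events = []
    for a in sorted(alerts, key=lambda x: x["ts"]):
        key = (a["src"], a["dst"], a["port"], a["kind"])
        for ev in events:
            if ev["key"] == key and a["ts"] - ev["last"] <= window:
                ev["count"] += 1
                ev["last"] = a["ts"]
                break
        else:  # no open event matched: start a new one
            events.append({"key": key, "source": a["source"],
                           "first": a["ts"], "last": a["ts"], "count": 1})
    return events


def mass_from_event(ev, reliability):
    """Basic probability assignment for one source's view of an event (assumed
    rule): confidence in ATTACK grows with repetition (1 - 0.5**count), is
    discounted by the source's reliability, and the remainder stays on THETA."""
    confidence = 1 - 0.5 ** ev["count"]
    m_attack = round(reliability * confidence, 6)
    return {frozenset({ATTACK}): m_attack, THETA: round(1 - m_attack, 6)}


def dempster(m1, m2):
    """Dempster's rule of combination: intersect focal elements, accumulate the
    product of masses, drop the conflicting (empty-intersection) mass K and
    renormalise by 1 - K."""
    combined = defaultdict(float)
    conflict = 0.0
    for a, ma in m1.items():
        for b, mb in m2.items():
            inter = a & b
            if inter:
                combined[inter] += ma * mb
            else:
                conflict += ma * mb
    if conflict >= 1.0:
        raise ValueError("total conflict; Dempster's rule is undefined")
    return {k: v / (1 - conflict) for k, v in combined.items()}


def belief(m, hypothesis):
    """Bel({h}) = sum of mass on every focal element that is a subset of {h}."""
    return sum(v for k, v in m.items() if k <= frozenset({hypothesis}))


def fuse(lines, threshold=0.8):
    """Run both stages. Returns (events kept as situation elements, all scores),
    each keyed by (src, dst, port, kind) with the fused belief in ATTACK."""
    by_source = defaultdict(list)
    for a in map(parse, lines):
        by_source[a["source"]].append(a)
    masses_per_key = defaultdict(list)
    for source, alerts in by_source.items():
        for ev in aggregate(alerts):
            masses_per_key[ev["key"]].append(mass_from_event(ev, RELIABILITY[source]))
    scores = {}
    for key, masses in masses_per_key.items():
        m = masses[0]
        for other in masses[1:]:
            m = dempster(m, other)
        scores[key] = round(belief(m, ATTACK), 4)
    kept = {k: v for k, v in scores.items() if v >= threshold}
    return kept, scores


if __name__ == "__main__":
    kept, scores = fuse(RAW_ALERTS)
    for key, score in sorted(scores.items(), key=lambda kv: -kv[1]):
        print(f"{'KEEP ' if key in kept else 'drop '}{key}: belief(attack)={score}")
```

On the constructed input the scan seen by both sensors is the only event whose fused belief clears the threshold; the events reported by a single sensor once keep most of their mass on ignorance and are dropped. The `conflict >= 1.0` guard matters in practice: two sources that commit all their mass to contradictory hypotheses make the rule undefined, which is one of the reasons evidence-fusion work (including the thesis) modifies plain Dempster combination.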
【Degree-granting institution】: PLA Information Engineering University
【Degree level】: Master
【Year of award】: 2014
【Classification number】: TP393.08
Article ID: 2508405
Article link: http://sikaile.net/guanlilunwen/ydhl/2508405.html