
A General and Scalable Online Alert Correlation Method

Published: 2018-02-20 03:47

Keywords: alert correlation; causal logic; correlation graph partitioning; scalability; low overhead. Source: Journal of Computer Research and Development (《计算机研究与发展》), 2015, Supplement 2. Paper type: journal article.


Abstract: In large-scale network environments, the high-speed alert streams produced by diverse types of network attacks place demanding requirements on the generality, real-time performance and system-overhead control of alert correlation methods. Most current research on alert correlation is based on centralized algorithm designs that struggle to meet real-time requirements, while the few existing distributed alert correlation systems do not give thorough consideration to load balancing and system-overhead control. To address this, this paper proposes a general and scalable online alert correlation method, CACDS (causal alert correlation on distributed system). CACDS adopts a "dispatch-aggregate" mechanism in a distributed stream-processing environment as the basic framework for online alert correlation. On top of this framework, CACDS performs correlation analysis with a causal-logic method that loosely matches the antecedents and consequences between alerts, enabling effective detection of many different attack types. To make full use of the resources of each node in the distributed environment, a hybrid correlation-graph partitioning technique is proposed: based on the computational and system overhead incurred by different alert types, alerts are mapped to different correlation processes so that correlation runs in parallel, which keeps the system real-time and low-overhead. Experiments on a prototype built on the Storm platform show that, compared with other methods, CACDS achieves better scalability, higher throughput and lower system overhead.

Affiliation: National Key Laboratory of Parallel and Distributed Processing (College of Computer, National University of Defense Technology)
Funding: National Natural Science Foundation of China (61379052); National High-Tech R&D Program of China ("863" Program) (2013AA01A213); Hunan Provincial Natural Science Foundation for Distinguished Young Scholars (14JJ1026); Specialized Research Fund for the Doctoral Program of Higher Education, Ministry of Education (20124307110015)
Classification code: TP393.08

Similar literature

Related journal papers (top 3)

1. Wang Xiaoyu, Zhang Qisong, Huang Hao. Design and research of a public health management system based on SOA [J]. Journal of Hebei University (Philosophy and Social Science Edition), 2014(01).

2. Zheng Kai, Liu Aifang, Huang Danhua. Design and implementation of an online Q&A system based on Java Servlet technology [J]. Microcomputer Applications, 2001(02).




Article ID: 1518687


Link to this article: https://www.wllwen.com/guanlilunwen/ydhl/1518687.html

