An Application-System Cooperative Detection Model Based on Entity Behavior
Published: 2018-03-22 23:01
Topic: cooperative detection; Focus: entity behavior; Source: Yanshan University, 2014 master's thesis; Thesis type: degree thesis
[Abstract]: As mobile networks, sensor networks, the Internet of Things and various information processing terminals converge onto the Internet, new application systems with very high security and survivability requirements have appeared on it, such as electronic payment systems, traffic control systems and SCADA (Supervisory Control and Data Acquisition) systems. Today such systems are protected mainly by isolated detection and protection at single points. Because single-point detection systems do not fuse or share information with one another, their information sources and detection mechanisms are seriously limited: covert or coordinated attacks are detected with low accuracy, and false positives and false negatives are common. This thesis surveys and analyses the state of research at home and abroad and focuses on multi-point detection techniques that use a cooperative mechanism.
First, since traditional single-point detection systems cannot effectively defend against coordinated attacks, a hierarchical cooperative model for multi-point detection is proposed. The model combines cooperation on attack feature information with cooperation on operation sequences and applies both to the judgement of harmful behavior. It aggregates entity behavior information from the multiple monitoring points of the system detection layer, performs cooperative analysis of behavior features and operation sequence information in the management-domain cooperation layer, and distributes protection rules from the global analysis and control layer, which improves the accuracy of detecting hidden and coordinated attacks.
Second, to address the single cooperative detection method of traditional cooperative detection models, a definition of binary serialized entity behavior based on feature patterns and operation sequences is given. Similarity measures on entity behavior features and on behavior operation sequences are introduced into the cooperative analysis of behavior, and a cooperative detection algorithm is given according to a multi-dimensional cooperative mechanism over behavior feature patterns and operation sequences. The algorithm first classifies behavior by similarity of feature pattern, then judges similarity of operation sequences to obtain the security property of unexpected behavior.
Finally, experiments are designed to compare and analyse the proposed cooperative detection algorithm against existing algorithms, the similarity of behavior features and operation sequences is verified by simulating coordinated attacks, and further research and prospects for future work are outlined.
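The two-stage scheme described above, as an added example written for this page (not the thesis's own code): observations from several monitoring points are aggregated into one serialized entity behavior (a feature bitmask plus a time-ordered operation sequence), which is then matched against signatures first by feature-pattern similarity and then by operation-sequence similarity. The bit meanings, signatures, thresholds, and the Jaccard and difflib similarity measures are assumptions; the thesis abstract does not specify its measures.

```python
from dataclasses import dataclass
from difflib import SequenceMatcher

@dataclass(frozen=True)
class Observation:
    point: str        # monitoring point that recorded the event
    entity: str       # entity (user/host) the behaviour belongs to
    ts: int           # event time, used to order operations across points
    feature_bit: int  # feature this event raises (constructed meaning: 0=auth event,
    op: str           # 1=privilege change, 2=config write, 3=data export, 4=service restart)

def aggregate(observations):
    """System detection layer: merge all points' observations into one serialized
    behaviour per entity: (feature bitmask, time-ordered operation sequence)."""
    per_entity = {}
    for o in sorted(observations, key=lambda o: o.ts):
        mask, ops = per_entity.get(o.entity, (0, ()))
        per_entity[o.entity] = (mask | (1 << o.feature_bit), ops + (o.op,))
    return per_entity

def feature_similarity(a, b):
    """Jaccard similarity of two feature bitmasks: shared bits / bits set in either."""
    union = bin(a | b).count("1")
    return 1.0 if union == 0 else bin(a & b).count("1") / union

def sequence_similarity(a, b):
    """Similarity of two operation sequences (difflib matching-block ratio)."""
    return SequenceMatcher(None, a, b).ratio()

# Constructed attack signatures (not from the thesis): (feature bitmask, expected op sequence).
SIGNATURES = {
    "credential_abuse": (0b01011, ("login_fail", "login_fail", "login_ok", "priv_up", "export")),
    "config_tamper":    (0b10110, ("priv_up", "cfg_write", "service_restart")),
}

def detect(behaviour, signatures=SIGNATURES, feat_thr=0.75, seq_thr=0.6):
    """Stage 1 keeps signatures with a similar enough feature pattern; stage 2 picks
    the one whose operation sequence matches best and applies the sequence threshold."""
    mask, ops = behaviour
    stage1 = [(n, s) for n, s in signatures.items() if feature_similarity(mask, s[0]) >= feat_thr]
    if not stage1:
        return None
    name, sig = max(stage1, key=lambda ns: sequence_similarity(ops, ns[1][1]))
    return name if sequence_similarity(ops, sig[1]) >= seq_thr else None

# Constructed observations: one attack on entity u42 split across two monitoring points,
# so each point alone sees only a fragment of the pattern and of the operation sequence.
OBS = [
    Observation("auth_gw", "u42", 1, 0, "login_fail"),
    Observation("auth_gw", "u42", 2, 0, "login_fail"),
    Observation("auth_gw", "u42", 3, 0, "login_ok"),
    Observation("app_srv", "u42", 4, 1, "priv_up"),
    Observation("app_srv", "u42", 5, 3, "export"),
]
```

Run on `OBS`, neither monitoring point's fragment alone reaches the feature threshold, while the merged behaviour matches `credential_abuse` on both stages.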
[Degree-granting institution]: Yanshan University
[Degree level]: Master's
[Year degree granted]: 2014
[Classification number]: TP393.08
Article number: 1650767
Article link: https://www.wllwen.com/guanlilunwen/ydhl/1650767.html