
Research on Key Technologies of Intelligent Threat Information Tracing

Published: 2018-04-20 13:42

Topic: network security + threat tracing; Source: Beijing Jiaotong University, 2014 master's thesis


[Abstract]: With the rapid development of information technology, Internet-based network threats pose major challenges to social life. To offer effective ideas and useful references for tracing threat information, this thesis proposes a threat tracing method based on intrusion detection system (IDS) alert information and rootkits, together with an SVM-based method for filtering IDS alert information, as follows.

(1) Threat tracing method based on IDS and rootkits. The thesis studies the network data acquisition, threat behaviour detection and P traceback techniques used in threat information tracing, analyses the shortcomings of existing threat tracing methods, and proposes a threat tracing method based on IDS alert information and rootkits. The key to threat tracing is discovering, recording and analysing attack packets. In this method the IDS is responsible for discovering and recording the attack packets that compromised "zombie" hosts send to the victim, while the rootkit obtains the communication data between the attacker and the zombie host by monitoring the zombie host's processes and sessions, and returns the monitoring results promptly to the threat analysis server. Threat analysts perform spatio-temporal similarity analysis and knowledge-base correlation analysis on the data held by the threat analysis server and judge the attacker's real location from the results.

(2) SVM-based IDS alert filtering method. The threat tracing method proposed here faces a technical difficulty: the excessively high false alarm rate common to existing IDSs. To address it, the thesis analyses the IDS alert filtering problem and proposes a method that filters IDS alert information with the support vector machine algorithm. The SVM classifier uses a small number of support vectors to determine the classification decision function, which solves the small-sample problem in alert filtering; because the computational complexity depends on the number of support vectors rather than on the dimensionality of the alert data, it avoids the curse of dimensionality when computing on high-dimensional data; and by using a kernel function to map data that is linearly inseparable in the original input space into linearly separable data in a high-dimensional space, it handles the non-linearity of alert data in the original input space. The SVM-based IDS alert filtering method consists of two parts, model training and data prediction. Model training comprises parsing command-line parameters, reading training samples, selecting a suitable penalty coefficient, kernel function and kernel parameters, counting the sample classes and the number of samples in each class, grouping the training data, and solving the C-SVM classifier model with the sequential minimal optimization (SMO) algorithm. Data prediction comprises reading the alert data and computing its decision values with the C-SVM classifier model obtained from training. Theoretical analysis and experimental data show that, with a reasonable choice of kernel function, kernel parameters and training data set, the method can effectively reduce the IDS false alarm rate.

This work was supported by the National Natural Science Foundation of China (No. 61172072, 61271308), the Beijing Natural Science Foundation (No. 4112045), the Doctoral Fund of Higher Education (No. W11C100030), the Beijing Science and Technology Plan (No. Z121100000312024) and the Beijing Municipal Education Commission project for discipline construction and postgraduate development. 29 figures, 13 tables, 68 references.
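The training and prediction stages described in (2), written here as an added, self-contained illustration rather than the thesis's own code: an RBF-kernel C-SVM is fitted with simplified SMO on constructed, normalised alert features, and new alerts are kept or dropped by the sign of their decision value. The feature definitions, the sample data and all parameter values (C, gamma, tolerance) are assumptions chosen for the example.

```python
import math
import random

# Constructed, normalised IDS alert features (not real data): (repeat rate of the
# source address in the window, share of distinct destination ports hit).
# Label +1 = attack traffic, -1 = false alarm.
ALERTS = [((0.90, 0.80), 1), ((0.80, 0.90), 1), ((0.95, 0.70), 1), ((0.70, 0.85), 1),
          ((0.10, 0.20), -1), ((0.20, 0.10), -1), ((0.15, 0.30), -1), ((0.30, 0.15), -1)]

def rbf(a, b, gamma):
    """RBF kernel; the kernel parameter gamma controls the implicit high-dimensional mapping."""
    return math.exp(-gamma * sum((p - q) ** 2 for p, q in zip(a, b)))

def train_csvm(data, C=10.0, gamma=1.0, tol=1e-3, max_passes=10, seed=0):
    """Training stage: solve the C-SVM dual with simplified SMO; returns (alphas, bias)."""
    rng = random.Random(seed)
    X, Y = [x for x, _ in data], [y for _, y in data]
    m = len(X)
    K = [[rbf(X[i], X[j], gamma) for j in range(m)] for i in range(m)]  # kernel matrix
    alpha, b, passes = [0.0] * m, 0.0, 0
    f = lambda i: sum(alpha[k] * Y[k] * K[k][i] for k in range(m)) + b  # current decision value
    while passes < max_passes:
        changed = 0
        for i in range(m):
            Ei = f(i) - Y[i]
            if not ((Y[i] * Ei < -tol and alpha[i] < C) or (Y[i] * Ei > tol and alpha[i] > 0)):
                continue  # KKT conditions already hold for alert i
            j = rng.choice([k for k in range(m) if k != i])
            Ej, ai, aj = f(j) - Y[j], alpha[i], alpha[j]
            # Box constraints on alpha_j, which depend on whether the pair shares a label
            L, H = (max(0.0, aj - ai), min(C, C + aj - ai)) if Y[i] != Y[j] else (max(0.0, ai + aj - C), min(C, ai + aj))
            eta = 2 * K[i][j] - K[i][i] - K[j][j]
            if L == H or eta >= 0:
                continue
            alpha[j] = min(H, max(L, aj - Y[j] * (Ei - Ej) / eta))
            if abs(alpha[j] - aj) < 1e-5:
                continue
            alpha[i] += Y[i] * Y[j] * (aj - alpha[j])
            b1 = b - Ei - Y[i] * (alpha[i] - ai) * K[i][i] - Y[j] * (alpha[j] - aj) * K[i][j]
            b2 = b - Ej - Y[i] * (alpha[i] - ai) * K[i][j] - Y[j] * (alpha[j] - aj) * K[j][j]
            b = b1 if 0 < alpha[i] < C else b2 if 0 < alpha[j] < C else (b1 + b2) / 2
            changed += 1
        passes = passes + 1 if changed == 0 else 0
    return alpha, b

def decision_value(model, data, x, gamma=1.0):
    """Prediction stage: signed score of a new alert; only support vectors (alpha > 0) contribute."""
    alpha, b = model
    return sum(a * y * rbf(xi, x, gamma) for a, (xi, y) in zip(alpha, data) if a > 0) + b

def filter_alerts(model, data, new_alerts, gamma=1.0):
    return [x for x in new_alerts if decision_value(model, data, x, gamma) > 0]  # drop predicted false alarms
```

Only the points with non-zero alpha take part in scoring, which is the small-sample and dimensionality argument the abstract makes; in practice the penalty coefficient and gamma would be chosen by cross-validation on labelled alerts.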
Degree-granting institution: Beijing Jiaotong University
Degree level: Master's
Year awarded: 2014
Classification number: TP393.08

Page link: https://www.wllwen.com/guanlilunwen/ydhl/1778008.html