Visual Analysis Techniques for Security Event Streams from Decoy Networks
Published: 2018-05-03 10:53
Topics: honeypot + decoy document; Source: Master's thesis, Beijing University of Posts and Telecommunications (北京邮电大学), 2014
[Abstract]: With the rapid development of information and network technology, human society has entered the information age, and information security is an important topic of this new era. Faced with increasingly serious insider threats, passive defense systems built mainly on firewalls, IDS and similar products perform poorly, whereas active defense systems built on decoy resources such as honeypots, honeynets and decoy documents have become an effective means of defending against insider threats. Given the large volume of security log information produced inside a decoy network, how to aggregate and analyze this scattered information in a timely manner is a pressing problem in the field of decoy-network security event analysis. To address it, this thesis studies visual analysis techniques for the large number of security events produced by a decoy network, and designs and implements a visual analysis platform for decoy-network security events. The specific work is as follows:
(1) To handle the diversity of decoy-network security events, the thesis gives a unified formal description method that defines a decoy-network security event as a set of public (common) attributes plus extended attributes, which effectively solves the heterogeneity problem of these events.
(2) In the data storage layer, an extensible database is used to solve the problem of storing the extended attributes of different security events; a unified storage model for decoy-network security events is designed and implemented, and a data access interface is provided for the extended attributes. The interface supports automatic generation of database SQL and uses a caching mechanism, which greatly improves database access efficiency.
(3) Given the distributed deployment of honeypots in a decoy network, the thesis designs a data collection framework based on a publish/subscribe mechanism, which collects the security log information captured by each honeypot to the back-end server in real time.
(4) A visual analysis platform for decoy-network security event streams is designed and implemented. The platform supports real-time monitoring of decoy-network security events and provides a friendly security event analysis interface. Through analysis of real cases, the platform can help analysts discover and understand attackers' methods and intentions.
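As an added example (not code from the thesis), the unified event model of point (1) and the storage interface of point (2) in Python: public attributes go to a fixed table, extended attributes to a key/value table, the SQL is generated from the attribute list, and a read cache fronts the database. SQLite stands in for the extensible database; the names HoneypotEvent, EventStore, build_store and the sample events are assumptions of this example.

```python
import sqlite3
from collections import namedtuple

# Public attributes every decoy-network event carries; this tuple drives the generated SQL.
PUBLIC = ("event_id", "honeypot_id", "event_type", "timestamp", "source_ip")
HoneypotEvent = namedtuple("HoneypotEvent", PUBLIC + ("ext",))  # ext: dict of extended attributes

class EventStore:
    """Public attributes live in a fixed table, extended attributes in a key/value table."""
    def __init__(self):
        self.db = sqlite3.connect(":memory:")
        self.db.execute(f"CREATE TABLE events ({', '.join(c + ' TEXT' for c in PUBLIC)}, PRIMARY KEY (event_id))")
        self.db.execute("CREATE TABLE event_ext (event_id TEXT, name TEXT, value TEXT)")
        self._cache, self.cache_hits = {}, 0
    def insert(self, ev):
        # SQL is generated from PUBLIC, so a new event type never needs a schema change.
        self.db.execute(f"INSERT OR REPLACE INTO events ({', '.join(PUBLIC)}) "
                        f"VALUES ({', '.join('?' * len(PUBLIC))})", [getattr(ev, c) for c in PUBLIC])
        self.db.execute("DELETE FROM event_ext WHERE event_id = ?", (ev.event_id,))
        self.db.executemany("INSERT INTO event_ext VALUES (?, ?, ?)",
                            [(ev.event_id, k, str(v)) for k, v in ev.ext.items()])
        self._cache.pop(ev.event_id, None)  # never serve a stale copy after a rewrite
    def get(self, event_id):
        if event_id in self._cache:  # hot events are answered from memory, not the database
            self.cache_hits += 1
            return self._cache[event_id]
        row = self.db.execute(f"SELECT {', '.join(PUBLIC)} FROM events WHERE event_id = ?",
                              (event_id,)).fetchone()
        if row is None:
            return None
        ext = dict(self.db.execute("SELECT name, value FROM event_ext WHERE event_id = ?", (event_id,)))
        self._cache[event_id] = HoneypotEvent(*row, ext=ext)
        return self._cache[event_id]
    def find_by_ext(self, event_type, name, value):
        # Filter on an extended attribute; the analyst never writes the SQL by hand.
        rows = self.db.execute("SELECT e.event_id FROM events e JOIN event_ext x USING (event_id) "
                               "WHERE e.event_type = ? AND x.name = ? AND x.value = ?", (event_type, name, value))
        return [r[0] for r in rows]

SAMPLE_EVENTS = [  # constructed sample events from two heterogeneous decoy sources (not real captures)
    HoneypotEvent("e1", "ssh-hp-01", "ssh_login", "2014-03-01T10:00:00Z", "10.0.0.5",
                  {"username": "root", "success": "false"}),
    HoneypotEvent("e2", "doc-hp-01", "decoy_doc_open", "2014-03-01T10:02:00Z", "10.0.0.5",
                  {"document": "salary_2014.xlsx", "host": "ws-17"}),
]
def build_store(events=SAMPLE_EVENTS):
    store = EventStore()
    for ev in events:
        store.insert(ev)
    return store
```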
[Degree-granting institution]: Beijing University of Posts and Telecommunications (北京邮电大学)
[Degree level]: Master's
[Year conferred]: 2014
[Classification number]: TP393.08
Article ID: 1838211
Article link: https://www.wllwen.com/guanlilunwen/ydhl/1838211.html