
Analysis and Research of Attack Behaviour in Honeynets

Published: 2018-05-21 18:37

Topic: honeynet + alert analysis; source: Master's thesis, Beijing University of Posts and Telecommunications, 2014


[Abstract]: As computer networks grow in complexity and scale, network security problems become more severe, and attack techniques have evolved from simple attacks into complex ones such as combined attacks, automated script attacks and coordinated attacks. Traditional network security protection can no longer meet these needs, and new theories and research methods are urgently required. A honeynet is an active defence tool: a network designed specifically to be attacked, which captures attackers' attack data and malicious code and analyses their behaviour, providing a basis for security protection and to some extent redressing the imbalance between network attack and defence. How to collate and fuse the attack data captured by a honeynet, and to extract the attack tools, methods, techniques and motives it contains, is a difficult problem in honeynet research. A honeynet produces a large volume of raw alerts in a short time; these raw alerts are semantically low-level and isolated from one another, contain many false positives, missed detections and redundant alerts, and do not give users intuitive, useful information. Multi-step and composite attack methods further complicate honeynet alert analysis: traditional honeynet alert analysis needs a large amount of historical data and a long training period to discover the association rules between the alerts of a multi-step attack, and it often ignores the specific network environment, producing many alerts that do not match the target network.

Attack graph technology can identify in advance the vulnerabilities of a system's network and the relationships between them, and can model graphically, from the attacker's perspective, all the attack paths to which a system may be exposed. It effectively compensates for the shortcomings of traditional alert analysis and is well suited to describing multi-stage, multi-step network attacks. This thesis therefore applies attack graph technology to honeynet alert analysis, proposes the concept of an attack event graph, and designs a honeynet attack behaviour analysis model based on attack graphs. The model has two stages: construction of the attack event graph and mining of attack patterns. In the construction stage, the details of the correlation are refined: alert information and system vulnerability information are not merely combined, and the problem of partitioning attack scenarios is solved. In the mining stage, representative attack behaviour patterns are extracted from the generated attack event graph, further enriching the attack behaviour pattern knowledge base. Building on this research, the thesis also presents the design and implementation of a honeynet attack behaviour analysis system; experimental data show that the method can effectively extract attack events and reconstruct attack scenarios.
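To make the two-stage model concrete, here is an added, self-contained Python sketch that is not the thesis's code: it filters constructed honeynet alerts against a constructed per-host vulnerability inventory, links the survivors with a constructed prerequisite/consequence relation into an attack event graph, splits the graph into scenarios, and counts recurring step sequences as representative attack patterns. The alert records, host addresses, signature names and the 300-second window are all assumptions made for the example.

```python
from collections import Counter

# Constructed honeynet alerts (sample data, not from the thesis): (time_s, src, dst, signature)
ALERTS = [
    (0, "198.51.100.7", "10.0.0.5", "port_scan"), (30, "198.51.100.7", "10.0.0.5", "ssh_bruteforce"),
    (90, "198.51.100.7", "10.0.0.5", "priv_esc"), (120, "198.51.100.7", "10.0.0.5", "data_exfil"),
    (5, "203.0.113.9", "10.0.0.6", "port_scan"), (40, "203.0.113.9", "10.0.0.6", "ssh_bruteforce"),
    (50, "203.0.113.9", "10.0.0.6", "smb_exploit"), (80, "203.0.113.9", "10.0.0.6", "priv_esc"),
    (700, "203.0.113.9", "10.0.0.6", "data_exfil"),  # too late to join the chain above
    (10, "192.0.2.4", "10.0.0.5", "web_rce"), (25, "192.0.2.4", "10.0.0.5", "priv_esc"),
    (200, "203.0.113.20", "10.0.0.5", "port_scan"), (230, "203.0.113.20", "10.0.0.5", "ssh_bruteforce"),
    (260, "203.0.113.20", "10.0.0.5", "priv_esc"), (290, "203.0.113.20", "10.0.0.5", "data_exfil"),
]
# Constructed vulnerability inventory: which exploit signatures can actually succeed on each host
VULNS = {"10.0.0.5": {"ssh_bruteforce", "web_rce"}, "10.0.0.6": {"smb_exploit"}}
# Constructed prerequisite/consequence relation between attack steps (the attack-graph knowledge)
PRECEDES = {"port_scan": {"ssh_bruteforce", "web_rce", "smb_exploit"}, "ssh_bruteforce": {"priv_esc"},
            "web_rce": {"priv_esc"}, "smb_exploit": {"priv_esc"}, "priv_esc": {"data_exfil"}}
NO_VULN_NEEDED = {"port_scan", "priv_esc", "data_exfil"}  # steps not tied to one host vulnerability

def build_event_graph(alerts, vulns, precedes, window=300):
    """Stage 1: drop exploit alerts the target is not vulnerable to (false positives for this
    network), then link a -> b when b is a consequence of a, same source and host, within window."""
    events = [a for a in sorted(alerts) if a[3] in NO_VULN_NEEDED or a[3] in vulns.get(a[2], set())]
    edges = [(i, j) for i, a in enumerate(events) for j, b in enumerate(events)
             if j > i and (a[1], a[2]) == (b[1], b[2])
             and b[3] in precedes.get(a[3], ()) and b[0] - a[0] <= window]
    return events, edges

def split_scenarios(events, edges):
    """Each connected component of the event graph is one attack scenario (time-ordered steps)."""
    parent = list(range(len(events)))
    def find(x):
        while parent[x] != x:
            x = parent[x]
        return x
    for i, j in edges:
        parent[find(i)] = find(j)
    groups = {}
    for i, e in enumerate(events):
        groups.setdefault(find(i), []).append(e[3])
    return [tuple(g) for g in groups.values()]

def mine_patterns(scenarios, min_support=2):
    """Stage 2: count every contiguous multi-step sub-sequence across scenarios; those seen at
    least min_support times are the representative attack behaviour patterns."""
    counts = Counter(s[k:k + n] for s in scenarios
                     for n in range(2, len(s) + 1) for k in range(len(s) - n + 1))
    return {p: c for p, c in counts.items() if c >= min_support}

if __name__ == "__main__":
    ev, ed = build_event_graph(ALERTS, VULNS, PRECEDES)
    for pattern, support in sorted(mine_patterns(split_scenarios(ev, ed)).items(), key=lambda kv: len(kv[0])):
        print(support, " -> ".join(pattern))
```

With the sample data the mis-targeted ssh_bruteforce alert against 10.0.0.6 is discarded, the late data_exfil becomes an isolated scenario, and the four-step port_scan -> ssh_bruteforce -> priv_esc -> data_exfil chain is reported with support 2.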
Degree-granting institution: Beijing University of Posts and Telecommunications
Degree level: Master's
Year of award: 2014
Classification number: TP393.08




Article number: 1920307


Link: https://www.wllwen.com/guanlilunwen/ydhl/1920307.html

