A Survey of Threat Behavior Detection Techniques Using Alert Correlation
Published: 2018-05-25 10:27
Topics: threat behavior detection; alert correlation. Source: Journal of National University of Defense Technology (《国防科技大学学报》), 2017, No. 5
Abstract: Network threat behavior detection based on alert correlation is becoming a research hotspot for detecting complex threat behaviors, because it couples with the security products deployed in large numbers across networks and can fully mine the correlations among anomalous events to provide evidence for scenario reconstruction. Starting from the characteristics of threat behaviors and of the network security environment, this paper derives the application requirements and classification of threat behavior detection, and introduces the basic concepts and the system model of alert-correlation-based threat behavior detection. It focuses on the alert correlation methods that form the core of that model, presenting by category the basic principles and characteristics of typical algorithms: causal-logic-based methods, scenario-based methods, similarity-based methods, and data-mining-based methods. With examples, it describes three typical architectures of threat behavior detection systems, namely centralized, hierarchical, and distributed. Finally, based on the current state of research, it offers some views on future research trends.
Author affiliations: Key Laboratory of Parallel and Distributed Processing, College of Computer, National University of Defense Technology; Department of Network Engineering, College of Computer, National University of Defense Technology
Funding: National Natural Science Foundation of China (61379052); National High Technology Research and Development Program of China (863 Program) (2013AA01A213); Hunan Provincial Natural Science Foundation for Distinguished Young Scholars (14JJ1026); Specialized Research Fund for the Doctoral Program of Higher Education (20124307110015)
CLC number: TP393.08
Article ID: 1933097
Article link: https://www.wllwen.com/guanlilunwen/ydhl/1933097.html