基于攻击链和网络流量检测的威胁情报分析研究

发布时间：2018-05-29 12:16

本文选题：威胁情报分析 + 攻击链　；参考：《计算机应用研究》2017年06期

【摘要】：以特征检测为主的传统安全产品越来越难以有效检测新型威胁。针对现有方法检测威胁攻击的不足,进行了一种基于攻击链结合网络异常流量检测的威胁情报分析方法研究,通过对获取的威胁信息进行分析,将提取出的情报以机器可读的格式实现共享,达到协同防御。该方法首先对网络中的异常流量进行检测,分析流量特征及其之间的关系,以熵值序列链的形式参比网络攻击链的模式;对每个异常时间点分类统计特征项,进行支持度计数,挖掘特征之间频繁项集模式;再结合攻击链各阶段的特点,还原攻击过程。仿真结果表明,该方法可以有效地检测网络中的异常流量,提取威胁情报指标。
[Abstract]:Traditional security products based on feature detection are becoming more and more difficult to detect new threats effectively. Aiming at the shortcomings of the existing methods to detect threat attacks, a threat intelligence analysis method based on attack chain and network abnormal traffic detection is studied, and the obtained threat information is analyzed. The extracted information is shared in a machine-readable format to achieve cooperative defense. The method firstly detects the abnormal traffic in the network, analyzes the traffic characteristics and their relationships, compares the pattern of the network attack chain in the form of entropy sequence chain, and counts the support degree of the statistical feature items classified at each outlier point in time. Mining frequent itemset patterns among features and restoring attack process by combining the characteristics of each stage of attack chain. The simulation results show that this method can effectively detect the abnormal traffic in the network and extract the threat intelligence index.
【作者单位】：中国民航大学计算机科学与技术学院;中国民航大学信息安全测评中心;
【基金】：民航局科技资助项目(MHRD20140205,MHRD20150233);民航局安全能力建设资金资助项目(PDSA0008) 中央高校基本科研业务费中国民航大学专项项目(3122013Z008,3122013C004,3122015D025) 中国民航大学科研启动资助项目(2013QD24X)
【分类号】：TP393.08

【参考文献】