Research on Alert Correlation Techniques for Intrusion Detection Systems
Published: 2018-06-18 22:25
Topic keywords: alert correlation + intrusion scenario; Source: Shenyang Aerospace University (沈阳航空航天大学), 2014 master's thesis
[Abstract]: In practical deployment, intrusion detection systems suffer from high false-positive and false-negative rates, isolated alert information, and volumes of alerts too large to analyze in time. To overcome these problems, alert correlation research mines the relationships among attack events and reconstructs the attacker's intrusion path, improving the accuracy and usability of alert information. This thesis analyzes and compares the commonly used alert correlation methods and their strengths and weaknesses, dividing them into two categories: methods based on expert prior knowledge and methods based on data statistics. Correlation based on expert knowledge can produce complete and correct attack scenarios, but it is strongly affected by false negatives and false positives; correlation based on data statistics can discover some new attacks, but it cannot correctly reveal the intrinsic relationships among alerts. Combining the advantages of both, this thesis proposes a hybrid alert correlation model based on attack graphs and alert-data similarity analysis. The model has three parts: alert preprocessing, attack-graph-based alert correlation, and alert correlation based on similarity analysis of alert data. The model first removes periodic false alerts by applying a Fourier transform together with a set of rules; it then removes duplicate alerts from the alert data set with an adaptive algorithm based on dynamic residence time and multi-level aggregation granularity. Once false and redundant alerts have been removed, an initial attack graph is defined from prior knowledge of intrusion attacks to describe the causal relationships among the alert data; alert correlation based on similarity analysis is then applied to correct some defects of the initial attack graph and refine the correlation result.
A prototype system was built on this model. The experimental results show that the hybrid correlation model clearly exposes the intrusion paths contained in the alert data set, helping network administrators discover the intruder's objective and formulate intrusion response strategies in time. The model also reduces the dependence on expert prior knowledge and can reasonably recover a single missing attack step in the attack graph.
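The periodic-false-alert removal step of the preprocessing stage, as an added illustration that is not code from the thesis: it bins one signature's alert timestamps, takes a Fourier transform of the counts, and flags the signature as periodic when one frequency dominates the spectrum. The sample alerts, the bin width and the peak-ratio rule are constructed assumptions, since the abstract does not state the thesis's actual rules.

```python
import cmath
import math
from collections import defaultdict

# Constructed sample alerts as (timestamp_seconds, signature): a monitoring
# probe fires "probe-heartbeat" every 60 s for an hour (a periodic false
# alert), while "portscan" fires in irregular bursts.
ALERTS = [(t, "probe-heartbeat") for t in range(0, 3600, 60)] + \
         [(t, "portscan") for t in (905, 912, 913, 1877, 2410, 2411, 2412, 3301)]

def bin_counts(times, bin_size, span):
    """Alert count per fixed-width time bin over [0, span)."""
    counts = [0] * (span // bin_size)
    for t in times:
        if 0 <= t < span:
            counts[t // bin_size] += 1
    return counts

def power_spectrum(x):
    """Plain O(n^2) DFT power spectrum, mean (DC) removed, for k = 1..n/2."""
    n = len(x)
    mean = sum(x) / n
    x = [v - mean for v in x]
    spectrum = []
    for k in range(1, n // 2 + 1):
        coef = sum(x[j] * cmath.exp(-2j * math.pi * k * j / n) for j in range(n))
        spectrum.append(abs(coef) ** 2)
    return spectrum

def is_periodic(times, bin_size=10, span=3600, min_peak_ratio=20.0):
    """Return (periodic?, fundamental period in seconds).
    Assumed rule: periodic when the strongest frequency carries at least
    `min_peak_ratio` times the mean spectral power. The fundamental is the
    lowest frequency within 1% of the peak, so the harmonics of a regular
    pulse train are not mistaken for a shorter period."""
    spectrum = power_spectrum(bin_counts(times, bin_size, span))
    peak = max(spectrum)
    if peak == 0:
        return False, None            # flat series: nothing to analyse
    k = next(i for i, p in enumerate(spectrum) if p >= 0.99 * peak) + 1
    return peak / (sum(spectrum) / len(spectrum)) >= min_peak_ratio, span / k

def drop_periodic_false_alerts(alerts):
    """Remove every alert of a signature whose firing pattern is periodic."""
    by_sig = defaultdict(list)
    for t, sig in alerts:
        by_sig[sig].append(t)
    periodic = {sig for sig, ts in by_sig.items() if is_periodic(ts)[0]}
    return [a for a in alerts if a[1] not in periodic], periodic
```

A real deployment would review the signatures flagged as periodic before suppressing them, since a genuinely scheduled attack (for example a beaconing implant) is periodic too.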
[Degree-granting institution]: Shenyang Aerospace University (沈阳航空航天大学)
[Degree level]: Master's
[Year degree conferred]: 2014
[Classification number]: TP393.08
Article ID: 2037067
Article link: https://www.wllwen.com/guanlilunwen/ydhl/2037067.html