Research and Implementation of a Comprehensive Analysis Method for Intrusion Detection Alerts
Published: 2018-12-13 11:00
[Abstract]: An intrusion detection system (IDS) monitors network traffic in real time and raises alerts on suspicious traffic. However, as network attack techniques grow more complex and large-scale coordinated attacks become commonplace, the limitations of IDSs are increasingly evident: the volume of alerts is huge, false-negative and false-positive rates are high, alerts are low-level, and they are isolated from one another. As a result, raw IDS output is hard for security analysts to use directly, and further correlation analysis of IDS alert data is becoming more important. Causality-based alert correlation is one of the most representative approaches. In many cases, however, it fails to produce a complete attack scenario graph for a sustained coordinated attack; for various reasons the scenario is fragmented into several sub-graphs. In addition, common causal correlation methods cannot process large volumes of alerts in a timely way, so their usability is poor and they cannot be deployed in practice. To address these limitations, this thesis proposes and implements a comprehensive alert analysis method based on an attack strategy graph. First, by analysing the characteristics of large-scale coordinated attacks and of intrusion detection alert data, an attack strategy graph model is built to serve as a prior knowledge base. Second, several alert analysis methods are proposed and implemented on top of this knowledge base, chiefly the reconstruction of complete attack scenario graphs, the inference of alerts the IDS missed (false negatives), and the prediction of subsequent alerts. Third, alert data fusion and a new sliding-window mechanism are introduced to raise the efficiency of alert analysis and keep the system usable. Finally, the system is developed and tested; the results demonstrate that the method is effective and efficient in practice.
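The pipeline the abstract outlines (an attack strategy graph as prior knowledge, alert fusion, a sliding window over the alert stream, scenario reconstruction per attacker/victim pair, inference of stages the IDS missed, and prediction of the next expected alert) as a worked example in Python. This is illustrative code written for this page, not the thesis's implementation: the six-stage strategy graph, the `Alert` fields, the window sizes and the sample alerts are all constructed assumptions.

```python
"""Alert correlation over an attack strategy graph (illustrative, not the thesis's code)."""
from dataclasses import dataclass, field

# Constructed prior-knowledge attack strategy graph: each stage maps to the
# stages that must causally precede it. Stage names are hypothetical.
STRATEGY_GRAPH = {
    "port_scan": [],
    "service_probe": ["port_scan"],
    "exploit_attempt": ["service_probe"],
    "shell_established": ["exploit_attempt"],
    "lateral_scan": ["shell_established"],
    "data_exfil": ["shell_established"],
}


@dataclass
class Alert:
    ts: float      # seconds since stream start
    src: str       # attacker address
    dst: str       # victim address
    stage: str     # strategy-graph stage the IDS signature maps to


@dataclass
class Scenario:
    key: tuple                                   # (attacker, victim)
    observed: list = field(default_factory=list)  # (ts, stage) actually alerted
    inferred: list = field(default_factory=list)  # stages assumed missed by the IDS
    last_ts: float = 0.0


def fuse(alerts, window=5.0):
    """Alert fusion: collapse repeats of the same (src, dst, stage) within `window` s."""
    fused, last = [], {}
    for a in sorted(alerts, key=lambda a: a.ts):
        k = (a.src, a.dst, a.stage)
        if k in last and a.ts - last[k] <= window:
            continue
        last[k] = a.ts
        fused.append(a)
    return fused


def missing_prereqs(stage, seen):
    """Prerequisites of `stage` (transitively) absent from `seen`, in causal order."""
    out = []

    def walk(s):
        for p in STRATEGY_GRAPH[s]:
            if p not in seen and p not in out:
                walk(p)
                out.append(p)

    walk(stage)
    return out


def correlate(alerts, window=60.0):
    """Reconstruct one scenario per (src, dst) from a time-ordered alert stream.

    A sliding window closes scenarios idle for more than `window` seconds so the
    active state stays bounded. When an alert arrives whose prerequisites were
    never observed, those stages are inferred as IDS misses instead of splitting
    the scenario into disconnected sub-graphs."""
    active, closed = {}, []
    for a in fuse(alerts):
        for k in [k for k, s in active.items() if a.ts - s.last_ts > window]:
            closed.append(active.pop(k))
        s = active.setdefault((a.src, a.dst), Scenario((a.src, a.dst)))
        seen = {st for _, st in s.observed} | set(s.inferred)
        s.inferred.extend(missing_prereqs(a.stage, seen))
        s.observed.append((a.ts, a.stage))
        s.last_ts = a.ts
    return closed + list(active.values())


def predict_next(scenario):
    """Stages not yet seen whose prerequisites are all satisfied: the alerts to expect next."""
    seen = {st for _, st in scenario.observed} | set(scenario.inferred)
    return sorted(s for s, pre in STRATEGY_GRAPH.items()
                  if s not in seen and all(p in seen for p in pre))


# Constructed sample stream: one attacker whose probe and exploit the IDS never
# reported, plus a duplicate scan alert and an unrelated later scan.
SAMPLE_ALERTS = [
    Alert(0.0, "10.0.0.5", "10.0.0.20", "port_scan"),
    Alert(1.0, "10.0.0.5", "10.0.0.20", "port_scan"),          # fused away
    Alert(30.0, "10.0.0.5", "10.0.0.20", "shell_established"),  # prerequisites missed
    Alert(35.0, "10.0.0.5", "10.0.0.20", "lateral_scan"),
    Alert(500.0, "10.0.0.9", "10.0.0.30", "port_scan"),         # new, unrelated scenario
]

if __name__ == "__main__":
    for sc in correlate(SAMPLE_ALERTS):
        print(sc.key, "observed:", [st for _, st in sc.observed],
              "inferred:", sc.inferred, "next:", predict_next(sc))
```

On the sample stream the first scenario is reconstructed as one graph, with `service_probe` and `exploit_attempt` marked as inferred misses rather than left as a gap, and `data_exfil` is reported as the next expected alert; the second scan, arriving after the window has expired, opens a separate scenario.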
[Degree-granting institution]: Xidian University (西安电子科技大学)
[Degree level]: Master's
[Year awarded]: 2014
[Classification number]: TP393.08
Article number: 2376427
Article link: https://www.wllwen.com/guanlilunwen/ydhl/2376427.html