
Research on Multi-Source Alert Fusion and Quantitative Situation Assessment Techniques in Network Situation Awareness

Published: 2019-01-06 18:44
[Abstract]: Network situation awareness requires extracting, filtering, fusing and abstracting the situation information carried by security events from many sources, so that the state of the network and its security can be understood and controlled. Data fusion and situation assessment are the key supporting technologies of network situation awareness. Addressing redundant security-event alerts and the quantitative assessment of network situation, this thesis studies multi-source alert fusion based on fuzzy clustering and quantitative network situation assessment based on attack graphs. The main work is as follows: 1. After an in-depth analysis of traditional network situation awareness models and their strengths and weaknesses, a multi-level hierarchical blackboard model for network situation awareness is proposed; it describes the functions and the awareness process in a layered manner. 2. To address the difficulty of effectively clustering and fusing the large volume of multi-source, heterogeneous and redundant security-event alerts found in network situation awareness, a multi-source alert fusion method based on fuzzy clustering is proposed. The method first pre-aggregates the alerts collected by each sensor locally by time and alert type, then introduces the membership function from set theory together with attribute influence weights, performs correlation fusion using a fusion membership function and a fuzzy relation matrix, and finally introduces an alert fusion confidence to assist analysis. Because it needs little prior knowledge, the method adapts better, correlates duplicate alerts faster and improves the ability to recognise new attack sequences, thereby reducing false positives, false negatives and repeated alerts. Experiments show that combining fuzzy clustering with confidence learning on the correlation results works well in practice and can effectively merge and fuse redundant alerts, providing technical support for network situation awareness applications. 3. To address the difficulty of describing and assessing network situation, a quantitative assessment method based on attack graphs is proposed. The method quantifies vulnerability attributes into attack-resistance values, computes the vulnerability situation of the whole network on the attack graph, fuses it with the threat situation derived from alert information, and obtains an overall network situation value. The situation value computed this way reflects both the state of a single host and the situation of the whole network, which solves the problem of describing the situation of a complex network in a unified way. 4. On the basis of the open-source project OSSIM, a multi-source alert fusion system is designed and implemented, and its fusion and assessment functions are tested with good results.
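As an added illustration of the fuzzy-clustering fusion step described in item 2 of the abstract (example code written here, not from the thesis or from OSSIM): alerts are first filtered by type, a weighted membership is computed over source, destination, port and time, the resulting fuzzy relation matrix is lambda-cut at a threshold, and each fused group receives a confidence score. The attribute weights, the 60-second window, the threshold and the sample alerts are all assumed values constructed for this example.

```python
from itertools import combinations

# Constructed sample alerts (not from the thesis): two sensors report the same scan from one
# source; the fourth alert is an unrelated event much later.
ALERTS = [
    {"id": 1, "sensor": "ids-a", "ts": 100, "type": "portscan", "src": "10.0.0.5", "dst": "10.0.1.20", "dport": 22},
    {"id": 2, "sensor": "ids-b", "ts": 103, "type": "portscan", "src": "10.0.0.5", "dst": "10.0.1.20", "dport": 23},
    {"id": 3, "sensor": "ids-a", "ts": 104, "type": "portscan", "src": "10.0.0.5", "dst": "10.0.1.21", "dport": 22},
    {"id": 4, "sensor": "ids-b", "ts": 900, "type": "bruteforce", "src": "10.0.0.9", "dst": "10.0.1.20", "dport": 22},
]
# Assumed attribute influence weights and time window (hypothetical; the thesis does not publish its values).
WEIGHTS = {"src": 0.4, "dst": 0.25, "dport": 0.1, "ts": 0.25}
TIME_WINDOW = 60  # seconds; alerts farther apart than this get time membership 0

def membership(a, b):
    """Fusion membership degree in [0, 1]: weighted sum of per-attribute memberships."""
    if a["type"] != b["type"]:
        return 0.0  # local pre-aggregation step: only same-type alerts are fusion candidates
    m = {k: float(a[k] == b[k]) for k in ("src", "dst", "dport")}
    m["ts"] = max(0.0, 1 - abs(a["ts"] - b["ts"]) / TIME_WINDOW)
    return sum(WEIGHTS[k] * m[k] for k in WEIGHTS)

def fuzzy_relation_matrix(alerts):
    """Symmetric, reflexive fuzzy relation R[i][j] = membership(alert i, alert j)."""
    n = len(alerts)
    r = [[1.0 if i == j else 0.0 for j in range(n)] for i in range(n)]
    for i, j in combinations(range(n), 2):
        r[i][j] = r[j][i] = membership(alerts[i], alerts[j])
    return r

def fuse(alerts, threshold=0.6):
    """Lambda-cut R at `threshold`; connected components are the fused alerts.
    Each fused alert carries a confidence = mean pairwise membership of its members."""
    r = fuzzy_relation_matrix(alerts)
    parent = list(range(len(alerts)))
    def find(x):  # union-find root lookup
        return x if parent[x] == x else find(parent[x])
    for i, j in combinations(range(len(alerts)), 2):
        if r[i][j] >= threshold:
            parent[find(i)] = find(j)
    groups = {}
    for i in range(len(alerts)):
        groups.setdefault(find(i), []).append(i)
    fused = []
    for members in groups.values():
        pair_m = [r[i][j] for i, j in combinations(members, 2)]
        confidence = sum(pair_m) / len(pair_m) if pair_m else 1.0
        fused.append({"ids": [alerts[i]["id"] for i in members], "confidence": round(confidence, 3)})
    return fused
```

Lowering the threshold merges more aggressively (fewer, larger fused alerts with lower confidence); a singleton group keeps confidence 1.0 because there is no conflicting evidence to average.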
[Degree-granting institution]: National University of Defense Technology
[Degree level]: Master's
[Year of degree award]: 2014
[Classification number]: TP393.08


Page link: https://www.wllwen.com/guanlilunwen/ydhl/2403182.html