
Research on Key Technologies of Network Security Threat Situational Awareness Based on Multi-Source Alarm Logs

Published: 2019-07-01 10:40
[Abstract]: With the development of Internet technology and the continuous advance of social informatization, the network has gradually become an indispensable part of people's work and daily life, and network security has received more and more attention. A wide variety of security products are used to detect attack threats on the network and keep it running securely. However, these security measures generally play only a specific role within a limited scope, and they lack effective mechanisms for data fusion and coordinated management among themselves. Faced with a large amount of scattered information, network security administrators cannot respond to these network attack threats in time. In order to grasp network attack threats as a whole and maintain the secure operation of the network, network security threat situational awareness technology has emerged and become a new focus of network security research. Network security threat situational awareness based on the alarm logs of the various network security protection devices is the mainstream of current research; these logs mainly come from intrusion detection systems, intrusion prevention systems, firewalls and operating systems. However, most studies analyze and process each kind of alarm log separately, so they cannot make effective use of the correlation and complementarity between the data, and their results do not accurately reflect the security threats the network currently faces. Taking multi-source alarm logs as its basis, this thesis studies the key technologies of network security threat situational awareness from several important aspects: the network security threat situational awareness model, the acquisition of threat situation information, and the analysis of threat situation elements. The main contents are as follows:

1. Model research: in view of the shortcomings of existing network security situational awareness models when applied to multi-source alarm logs, a network security threat situational awareness model based on multi-source alarm logs is proposed, and corresponding solutions are given along the main line of threat situation data acquisition and threat situation element analysis.

2. Threat situation data and element analysis: the working principles of common network security protection devices and the characteristics and formats of their alarm logs are analyzed in depth, corresponding processing methods are given, and a standardization model for threat situation data is proposed. The study of network attacks is an important part of threat situational awareness; on the basis of a thorough understanding of network attacks, and in view of the deficiencies of existing attack classification methods, an attack classification system oriented to the attack process is proposed.

3. Multi-source alarm log processing: a stepwise strategy is adopted. First, alarms from a single source are aggregated using alarm attribute similarity to obtain network attack events. Second, attack events from multiple sources are fused using an improved D-S (Dempster-Shafer) evidence theory method to obtain attack events of high credibility, which serve as the elements of the network security threat situation.

4. Network attack event correlation analysis: a correlation analysis method for network attack events based on a reasoning model is proposed. First, the fused attack events are converted into the corresponding attack semantics through a semantic mapping model; second, all possible attack transition vectors are derived using the reasoning model; finally, a network attack scenario graph reflecting the attack behaviour is obtained by combining a correlation analysis algorithm, which reveals the attack intent and effectively guides network security protection work.

Finally, the work of the whole thesis is summarized, the research on network security threat situational awareness based on multi-source alarm logs is reviewed prospectively, and the next research directions are pointed out.
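The fusion step in point 3 above combines per-source verdicts on one candidate attack event with Dempster-Shafer evidence theory. The thesis's "improved" D-S method is not described on this page, so the following added example (not code from the thesis) implements the classical Dempster rule of combination, computes the resulting belief/plausibility interval for "this event is an attack", and handles the total-conflict case in which the rule is undefined. The source names (ids, firewall, host_os) and all mass values are constructed for illustration; the per-source alarm aggregation that precedes fusion is assumed to have already produced one candidate event.

```python
"""Multi-source attack-event fusion with Dempster's rule of combination.

Added example, not code from the thesis. The thesis's improved D-S method is
not on the page; this is the classical rule plus the total-conflict edge case.
"""
from functools import reduce
from itertools import product
from typing import Dict, FrozenSet, Iterable

Hypothesis = FrozenSet[str]
MassFunction = Dict[Hypothesis, float]

# Frame of discernment for one candidate event: it is either a real attack or
# benign. Mass placed on the whole frame (THETA) expresses a source's uncertainty.
THETA: Hypothesis = frozenset({"attack", "benign"})
ATTACK: Hypothesis = frozenset({"attack"})
BENIGN: Hypothesis = frozenset({"benign"})


def validate(m: MassFunction) -> None:
    """A mass function puts non-negative mass on non-empty subsets of THETA, summing to 1."""
    total = sum(m.values())
    if abs(total - 1.0) > 1e-9:
        raise ValueError(f"masses must sum to 1, got {total}")
    for hyp, mass in m.items():
        if not hyp or not hyp <= THETA or mass < 0:
            raise ValueError(f"invalid focal element {set(hyp)} with mass {mass}")


def combine(m1: MassFunction, m2: MassFunction) -> MassFunction:
    """Dempster's rule: m(A) = sum_{B&C=A} m1(B)m2(C) / (1 - K), K = mass on empty intersections."""
    validate(m1)
    validate(m2)
    fused: MassFunction = {}
    conflict = 0.0
    for (b, mass_b), (c, mass_c) in product(m1.items(), m2.items()):
        joint = mass_b * mass_c
        a = b & c
        if not a:
            conflict += joint  # the two sources contradict each other on this pair
        else:
            fused[a] = fused.get(a, 0.0) + joint
    if conflict > 1.0 - 1e-12:
        # Sources fully contradict each other; the rule is undefined. Refuse
        # rather than silently emit a fused event that no source supports.
        raise ValueError("total conflict between sources; cannot fuse")
    return {a: mass / (1.0 - conflict) for a, mass in fused.items()}


def combine_all(masses: Iterable[MassFunction]) -> MassFunction:
    """Fold the pairwise rule over any number of sources (it is associative and commutative)."""
    return reduce(combine, masses)


def belief(m: MassFunction, hyp: Hypothesis) -> float:
    """Bel(A): total mass that implies A, i.e. mass on subsets of A."""
    return sum(mass for h, mass in m.items() if h <= hyp)


def plausibility(m: MassFunction, hyp: Hypothesis) -> float:
    """Pl(A): total mass that does not rule out A, i.e. mass on sets intersecting A."""
    return sum(mass for h, mass in m.items() if h & hyp)


def fuse_sources(sources: Dict[str, MassFunction]) -> Dict[str, float]:
    """Fuse per-source verdicts on one candidate attack event into a credibility interval."""
    fused = combine_all(sources.values())
    return {
        "bel_attack": belief(fused, ATTACK),      # lower bound of support for "attack"
        "pl_attack": plausibility(fused, ATTACK),  # upper bound of support for "attack"
        "uncertainty": fused.get(THETA, 0.0),      # mass still uncommitted after fusion
    }


# Constructed sample: three sources reporting on the same aggregated event
# (same source/destination, same time window). Values are illustrative only.
SAMPLE_SOURCES: Dict[str, MassFunction] = {
    "ids": {ATTACK: 0.7, THETA: 0.3},                    # signature hit, moderate confidence
    "firewall": {ATTACK: 0.5, BENIGN: 0.1, THETA: 0.4},  # blocked flow, could be a misconfiguration
    "host_os": {ATTACK: 0.6, THETA: 0.4},                # audit log shows a failed privilege change
}

if __name__ == "__main__":
    for name, value in fuse_sources(SAMPLE_SOURCES).items():
        print(f"{name}: {value:.4f}")
```

With the sample values the fused belief in "attack" rises above any single source's (about 0.93, with plausibility about 0.99), which is the credibility gain the fusion step is meant to deliver; the gap between belief and plausibility is what remains unknown, and an event whose sources reach total conflict is rejected rather than fused.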
[Degree-granting institution]: PLA Information Engineering University
[Degree level]: Master's
[Year conferred]: 2014
[Classification number]: TP393.08


Article ID on this site: 2508405



Link to this article: https://www.wllwen.com/guanlilunwen/ydhl/2508405.html

