Research and Implementation of Collaborative Alert Analysis Technology for Network Security
Abstract
In the field of network security, the conflict between attackers and users plays out constantly. The wide variety of tools and the huge volume of security information place very high demands on network security administrators, especially now that the emergence of comprehensive attacks leaves the traditional single-point security management model unable to cope. With network users' growing demand for intelligent security management, a new type of holistic network security management solution, unified network security management, has become the new trend.
     A unified network security management system is used to configure and regulate a network's multi-layer, distributed security systems as a whole, providing centralized monitoring of all network security resources, unified policy management, intelligent auditing and interaction among the various security function modules. It thereby simplifies network security management, raises the network's security level, controllability and manageability, and lowers the user's overall security management overhead. Against this background, two techniques, collaboration and correlation, have been advocated by many practitioners and academic researchers.
     At the same time, intrusion detection systems (IDS) have developed into an important tool for network security monitoring, and a notable trend in unified network security management is the adoption of an IDS-centric correlation model. However, the detection mechanism of a traditional IDS suffers from fine granularity, isolation and weak environmental awareness, so post-intrusion-detection techniques aimed at collaboration and correlation have become a research focus. From this perspective, collaborative alert analysis can generally be divided into three stages: alert aggregation, alert evaluation and alert correlation. The main open problem today, however, is how to guarantee comprehensive collection and unified representation of the environmental asset information that security alerts depend on. There is still no practical, effective method for this, and that directly affects whether unified network security management can ultimately be realized.
     This thesis focuses on collaborative alert analysis technology for network security. It introduces XML-based integrated network management technology into the alert analysis process to ensure the interaction of collaboration and correlation, and uses an OWL+SWRL security ontology extended from the CIM schema to represent information and knowledge uniformly. On this basis it proposes a promising method for improving collaborative alert analysis based on integrated network management, as an important step toward realizing unified network security management. The thesis also gives the main implementation details; the validation and analysis results show that the proposed method helps reduce the false positive rate and optimize the construction of attack scenarios.
In the field of network security, the contradiction between network attackers and users goes on and on. Meanwhile, a great variety of tools and a mass of information place high demands on network security managers, especially when facing the current trend of comprehensive attacks, with which traditional single security management modes fail to deal. With the increasing requirements of network users for intelligent security management, a new integrated solution for network security management, in other words unified network security management, has become the fashion.
     A unified network security management system is meant to realize centralized monitoring, uniform policy management, intelligent audit and interaction among various security function modules. In this way it simplifies the task of network security management, improves the security level, controllability and manageability of the network, and reduces the user's overall spending on security management. Under this background, two techniques, namely collaboration and correlation, are being adopted by more and more researchers and engineers.
     At the same time, the Intrusion Detection System (IDS) has evolved into an important tool for network security monitoring, while a remarkable development trend of unified network security management is the adoption of an IDS-centric correlation manner. But the detection mechanisms of traditional IDSs have weaknesses including too fine a grain, isolated alarming and a lack of environmental consciousness. As a matter of fact, research on post-IDS analysis aiming at collaboration and correlation has become a focus. From this point of view, collaborative alert analysis can generally be divided into three stages: alert aggregation, alert evaluation and alert correlation. However, the main remaining problem is how to guarantee integrated collection and unified representation of context information for security alerts. The fact is that a practical and efficient approach is still lacking, which hinders the realization of unified network security management.
     This paper discusses issues related to collaborative alert analysis techniques for network security. Its aim is to introduce XML-based integrated network management techniques into the implementation of alert analysis in order to promote the interaction of collaboration and correlation and, with the use of a security ontology expressed in OWL+SWRL and based on the CIM Schema for unified representation of information and knowledge, to propose a promising approach to collaborative alert analysis based on integrated network management, as an important stage in realizing unified network security management. Finally, the main implementation issues are also covered, and experimental results show that the proposed approach is effective in reducing the rate of false positives and optimizing the building of attack scenarios.
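The abstract names three stages of collaborative alert analysis (aggregation, evaluation, correlation) and stresses that evaluation depends on asset context. The following Python script is an added illustration of that pipeline written for this page; it is not code from the thesis, and it uses none of the XML management or OWL+SWRL machinery the thesis describes. Aggregation folds repeated identical alerts within a time window, evaluation checks the target host's vulnerability list in the style of alert verification with scanner data (compare [5], [6], [7] in the reference list), and correlation chains meta-alerts through prerequisite/consequence facts (the approach surveyed in [14]). The signature names, the knowledge base, the hosts, the placeholder CVE id and the alert records are all constructed sample data.

```python
"""Three-stage collaborative alert analysis: aggregation, evaluation, correlation.
Added illustration, not thesis code. Signatures, knowledge base, hosts, the CVE
placeholder and the alert records below are constructed sample data."""
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Set, Tuple

Key = Tuple[str, str, str]  # (source host, destination host, signature)


@dataclass(frozen=True)
class Alert:
    ts: int                     # event time in seconds (constructed)
    sensor: str                 # IDS sensor that raised the alert
    src: str
    dst: str
    signature: str
    cve: Optional[str] = None   # vulnerability the signature targets, if known


@dataclass
class MetaAlert:
    key: Key
    first_ts: int
    last_ts: int
    count: int = 0
    sensors: Set[str] = field(default_factory=set)
    cve: Optional[str] = None
    verdict: str = "unverified"   # set by evaluate()
    score: float = 0.5            # confidence that the alert matters


def aggregate(alerts: List[Alert], window: int = 60) -> List[MetaAlert]:
    """Stage 1: fold repeats of the same (src, dst, signature) within `window` seconds."""
    metas: List[MetaAlert] = []
    open_by_key: Dict[Key, MetaAlert] = {}
    for a in sorted(alerts, key=lambda x: x.ts):
        key = (a.src, a.dst, a.signature)
        m = open_by_key.get(key)
        if m is None or a.ts - m.last_ts > window:
            m = MetaAlert(key=key, first_ts=a.ts, last_ts=a.ts, cve=a.cve)
            metas.append(m)
            open_by_key[key] = m
        m.last_ts = a.ts
        m.count += 1
        m.sensors.add(a.sensor)
    return metas


def evaluate(metas: List[MetaAlert], asset_vulns: Dict[str, Set[str]]) -> List[MetaAlert]:
    """Stage 2: verify each meta-alert against scanner-derived asset context."""
    for m in metas:
        dst = m.key[1]
        if m.cve is None or dst not in asset_vulns:
            m.verdict, m.score = "unverified", 0.5           # no context to decide
        elif m.cve in asset_vulns[dst]:
            m.verdict, m.score = "verified", 0.9             # target really is exposed
        else:
            m.verdict, m.score = "likely-false-positive", 0.1
        if len(m.sensors) > 1:                               # independent sensors agree
            m.score = min(1.0, m.score + 0.05)
    return metas


# Constructed knowledge base: prerequisite and consequence facts per signature,
# each bound to the alert's source or destination host.
KNOWLEDGE = {
    "PORTSCAN":     {"pre": [],                 "post": [("recon", "dst")]},
    "EXPLOIT_RPC":  {"pre": [("recon", "dst")], "post": [("shell", "dst")]},
    "OUTBOUND_IRC": {"pre": [("shell", "src")], "post": [("c2", "src")]},
}


def facts(m: MetaAlert, role: str) -> Set[Tuple[str, str]]:
    src, dst, sig = m.key
    return {(pred, src if host == "src" else dst)
            for pred, host in KNOWLEDGE.get(sig, {}).get(role, [])}


def correlate(metas: List[MetaAlert], min_score: float = 0.5) -> List[Tuple[Key, Key]]:
    """Stage 3: link an earlier meta-alert to a later one when a consequence of the
    first satisfies a prerequisite of the second; low-scored alerts are excluded."""
    accepted = sorted((m for m in metas if m.score >= min_score), key=lambda m: m.first_ts)
    edges: List[Tuple[Key, Key]] = []
    for later in accepted:
        needed = facts(later, "pre")
        for earlier in accepted:
            if earlier is later or earlier.last_ts > later.first_ts:
                continue
            if needed & facts(earlier, "post"):
                edges.append((earlier.key, later.key))
    return edges


# Constructed sample input: two sensors see a scan, an exploit against a host whose
# (constructed) scan report lists the placeholder CVE, then that host beaconing out;
# a second exploit hits a host that is not vulnerable and should drop out.
SAMPLE_ALERTS = [
    Alert(100, "sensor-a", "10.0.0.5", "10.0.1.20", "PORTSCAN"),
    Alert(105, "sensor-a", "10.0.0.5", "10.0.1.20", "PORTSCAN"),
    Alert(110, "sensor-b", "10.0.0.5", "10.0.1.20", "PORTSCAN"),
    Alert(300, "sensor-a", "10.0.0.5", "10.0.1.20", "EXPLOIT_RPC", cve="CVE-0000-00001"),
    Alert(302, "sensor-b", "10.0.0.5", "10.0.1.20", "EXPLOIT_RPC", cve="CVE-0000-00001"),
    Alert(301, "sensor-a", "10.0.0.7", "10.0.1.21", "EXPLOIT_RPC", cve="CVE-0000-00001"),
    Alert(500, "sensor-a", "10.0.1.20", "203.0.113.9", "OUTBOUND_IRC"),
]
SAMPLE_ASSETS = {"10.0.1.20": {"CVE-0000-00001"}, "10.0.1.21": set()}  # placeholder CVE id


def run_pipeline(alerts=SAMPLE_ALERTS, assets=SAMPLE_ASSETS):
    metas = evaluate(aggregate(alerts), assets)
    return metas, correlate(metas)
```

Running `run_pipeline()` on the sample data yields four meta-alerts from seven raw alerts, marks the exploit against the exposed host as verified and the one against the unexposed host as a likely false positive, and builds a two-step scenario (scan to exploit to outbound beacon) from which the low-scored alert is absent. The evaluation stage is where the thesis's "environmental asset information" enters; here it is a plain dictionary standing in for the context a scanner or ontology would supply.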
References
[1] J. Yu et al. TRINETR: An Architecture for Collaborative Intrusion Detection and Knowledge-based Alert Evaluation. Advanced Engineering Informatics, 2005. 19:93-101
    [2] B. Morin, L. Mé, H. Debar, M. Ducassé. M2D2: A Formal Data Model for IDS Alert Correlation. Proceedings of the 5th International Workshop on the Recent Advances in Intrusion Detection, 2002. 115-137
    [3] 穆成坡, 黄厚宽, 田盛丰. A Survey of Alert Aggregation and Correlation Techniques for Intrusion Detection Systems. Journal of Computer Research and Development, 2006. 43(1):1-8
    [4] 穆成坡, 黄厚宽, 田盛丰, 林友芳, 秦远辉. Intrusion Detection Alert Processing Based on Fuzzy Comprehensive Evaluation. Journal of Computer Research and Development, 2005. 42(10):1679-1685
    [5] C. Kruegel, W. Robertson, G. Vigna. Using Alert Verification to Identify Successful Intrusion Attempts. Practice in Information Processing and Communication (PIK), 2004. 27(4):220-228
    [6] R. Gula. Correlating IDS Alerts with Vulnerability Information. Tenable Network Security Report, 2007
    [7] F. Massicotte, M. Couture, L. Briand, Y. Labiche. Context-Based Intrusion Detection Using Snort, Nessus and Bugtraq Databases. Proceedings of the 3rd Annual Conference on Privacy, Security and Trust (PST), 2005
    [8] 邢苏霄, 龚俭. Collaboration-based Confirmation of Security Events. Journal on Communications, 2006. 27(11A):92-97
    [9] F. Cuppens, R. Ortalo. LAMBDA: A Language to Model a Database for Detection of Attacks. Proceedings of the 3rd International Workshop on the Recent Advances in Intrusion Detection, 2000. 197-216
    [10] F. Cuppens, A. Miège. Alert Correlation in a Cooperative Intrusion Detection Framework. Proceedings of the IEEE Symposium on Security and Privacy, 2002. 202-215
    [11] F. Cuppens. Using an Intrusion Detection Alert Similarity Operator to Aggregate and Fuse Alerts. Proceedings of the 4th Conference on Security and Network Architectures, 2005
    [12] S. Eckmann, G. Vigna, R. Kemmerer. STATL: An Attack Language for State-based Intrusion Detection. Journal of Computer Security, 2002. 10(1/2):71-104
    [13] F. Valeur, G. Vigna, C. Kruegel, R. Kemmerer. A Comprehensive Approach to Intrusion Detection Alert Correlation. IEEE Transactions on Dependable and Secure Computing, 2004. 1(3):146-169
    [14] P. Ning, Y. Cui, S. Reeves, D. Xu. Techniques and Tools for Analyzing Intrusion Alerts. ACM Transactions on Information and System Security, 2004. 7(2):274-318
    [15] 史简, 郭山清, 谢立. Research and Implementation of a Unified Network Security Management Platform. Application Research of Computers, 2006. 23(9):92-94, 97
    [16] M. Nicolett, A. T. Williams, P. E. Proctor. Magic Quadrant for Security Information and Event Management, 1H06. Gartner RAS Core Research Note G00139431, 2006
    [17] A Survey of Network Security Management Technology. http://www.seores.com/edu/122/8413.html
    [18] 联想网御 Security Management Platform Product White Paper. 联想网御科技(北京)有限公司, 2005
    [19] P. E. Proctor. Process Development and Tool Selection for Security Event Log Analysis. Gartner Research Note G00129322, 2005
    [20] Global IT Spending Trends for 2007: The Security Market Is the Hottest. http://www.enet.com.cn/article/2007/0109/A20070109384317.shtml
    [21] M. Nicolett, K. M. Kavanagh. Magic Quadrant for Security Information and Event Management, 1Q07. Gartner RAS Core Research Note G00147559, 2007
    [22] R. Stiennon. Intrusion Detection Is Dead. Long Live Intrusion Prevention! Gartner Research Report, 2003
    [23] H. Debar, D. Curry, B. Feinstein. The Intrusion Detection Message Exchange Format (IDMEF). RFC 4765, 2007
    [24] M. Wood, M. Erlinger. Intrusion Detection Message Exchange Requirements. RFC 4766, 2007
    [25] Common Intrusion Detection Framework (CIDF). http://gost.isi.edu/cidf/
    [26] J. Mahalati. Facilitating Alert Correlation Using Resource Trees. Master Thesis, 2005
    [27] F. Strauss, T. Klie. Towards XML Oriented Internet Management. Proceedings of the IFIP/IEEE International Symposium on Integrated Network Management (IM 2003), 2003. 505-518
    [28] F. Strauss, T. Klie. Integrating SNMP Agents with XML-based Management Systems. IEEE Communications Magazine, 2004. 42(7):76-83
    [29] R. Enns, ed. NETCONF Configuration Protocol. RFC 4741, 2006
    [30] M. Wasserman, T. Goddard. Using the NETCONF Configuration Protocol over Secure SHell (SSH). RFC 4742, 2006
    [31] T. Goddard. Using NETCONF over the Simple Object Access Protocol (SOAP). RFC 4743, 2006
    [32] E. Lear, K. Crozier. Using the NETCONF Protocol over the Blocks Extensible Exchange Protocol (BEEP). RFC 4744, 2006
    [33] E. Ort. Service-Oriented Architecture and Web Services: Concepts, Technologies, and Tools. http://java.sun.com/developer/technicalArticles/WebServices/soa2
    [34] B. Tsoumas, D. Gritzalis. Towards an Ontology-based Security Management. Proceedings of the 20th International Conference on Advanced Information Networking and Applications, 2006. 985-992
    [35] T. Berners-Lee et al. The Semantic Web. Scientific American, 2001
    [36] 宋炜, 张铭. A Concise Tutorial on the Semantic Web. Beijing: Higher Education Press, 2004
    [37] T. R. Gruber. A Translation Approach to Portable Ontology Specifications. Knowledge Acquisition, 1993. 5(2):199-220
    [38] P. F. Patel-Schneider, P. Hayes, I. Horrocks. OWL Web Ontology Language Semantics and Abstract Syntax. W3C Recommendation, 2004
    [39] I. Horrocks et al. SWRL: A Semantic Web Rule Language Combining OWL and RuleML. W3C Member Submission, 2004
    [40] A. Pras et al. Key Research Challenges in Network Management. IEEE Communications Magazine, 2007. 45(10):104-110
    [41] J. E. López de Vergara, V. A. Villagrá, J. I. Asensio, J. Berrocal. Ontologies: Giving Semantics to Network Management Models. IEEE Network, 2003. 17(3):15-21
    [42] Protégé-OWL Editor. http://protege.stanford.edu/
    [43] N. Noy, D. McGuinness. Ontology Development 101: A Guide to Creating Your First Ontology. Stanford Knowledge Systems Laboratory Technical Report KSL-01-05, 2001
    [44] C. Holsapple, K. Joshi. A Collaborative Approach to Ontology Design. Communications of the ACM, 2002. 45(2):42-47
    [45] S. Quirolgico, A. Assis, A. Westerinen, M. Baskey, E. Stokes. Toward a Formal Common Information Model Ontology. Proceedings of the WISE 2004 International Workshops, LNCS 3307, 2004. 11-21
    [46] Graphviz - Graph Visualization Software. http://www.graphviz.org/
    [47] Nessus Vulnerability Scanner. http://www.nessus.org/nessus/
    [48] Bugtraq Vulnerability Database. http://www.securityfocus.com/
    [49] CVE - Common Vulnerabilities and Exposures. http://cve.mitre.org/
    [50] 卢继军, 黄刘生, 吴树峰. An Attack-Tree-based Method for Modeling Network Attacks. Computer Engineering and Applications, 2003. 39(27):160-163
    [51] J. van Sloten, A. Pras, M. van Sinderen. On the Standardisation of Web Service Management Operations. Proceedings of the 10th Open European Summer School (EUNICE 2004) and IFIP WG 6.3 Workshop, 2004. 143-150
    [52] G. Pavlou, P. Flegkas, S. Gouveris, A. Liotta. On Management Technologies and the Potential of Web Services. IEEE Communications Magazine, 2004. 42(7):58-66
    [53] Snort. http://www.snort.org/
    [54] RealSecure. http://www.iss.net/
    [55] Lincoln Laboratory DARPA Dataset 2000. http://www.ll.mit.edu/IST/ideval/data/2000/2000_data_index.html
    [56] Treasure Hunt Dataset. http://www.cs.ucsb.edu/~vigna/treasurehunt/index.html
