摘要
入侵检测系统产生海量报警数据,造成报警关联时间长、关联结果结构复杂、难以理解。针对上述问题,提出一种基于因果关系的分层报警关联模型。该模型先根据攻击目标聚类报警,在因果关系的指导下以单步攻击作为节点构建主机层攻击路径,定义单步攻击相似度和攻击模式相似度,通过拓扑排序合并主机层攻击路径的相似节点得到攻击模式,计算攻击模式相似度实现预警,并以受害主机作为节点从空间上构建更高层面的网络层攻击场景。实验表明,分层关联结果结构简洁,有助于识别攻击策略、指导安全响应,而且先聚类后关联的方法能够有效提高报警关联效率。
Intrusion detection systems generate a great deal of alarm data,causing alerts correlation time-consuming and correlation results too complicated to understand. To solve these problems,this paper developed a hierarchical alerts correlation model based on causality. Firstly,it classified alerts according to attack target's IP address,and performed causal correlation to reconstruct attack paths taking single-step attack as node. It defined the similarity of single-step attack and similarity of attack patterns,adopted topological sorting to merge similar nodes to abstract attack pattern. And it calculated the similarity of attack patterns to predict threat. Finally,it spatially correlated attack scenarios at a higher level taking victim as node. Experimental results show that the structure of hierarchical correlation results is simple,which helps to identify attack strategy and guide security response. Moreover,clustering before correlation is clearly efficient.
引文
[1]Axelsson S.The base-rate fallacy and its implications for the intrusion detection[C]//Proc of the 6th ACM Conference on Computer and Communications Security.1999:1-7
[2]Valdes A,Skinner K.Probabilistic alert correlation[C]//Proc of the4th International Symposium on Recent Advances in Intrusion Detection.2001:54-68.
[3]Julisch K.Clustering intrusion detection alarms to support root cause analysis[J].ACM Trans on Information and System Security,2002,2(3):111-138.
[4]郭帆,叶继华,余敏.一种分布式IDS报警聚合模型的设计与实现[J].计算机应用研究,2009,26(1):325-329,333.
[5]Ning Peng,Cui Yun,Reeves D S.Constructing attack scenarios through correlation of intrusion alerts[C]//Proc of the 9th ACM Conference on Computer and Communications Security.2002:245-254.
[6]Ning Peng,Cui Yun,Reeves D S,et al.Tools and techniques for analyzing intrusion alerts[J].ACM Trans on Information and System Security,2004,7(2):274-318.
[7]Al-Mamory S O,Zhang Hongli.IDS alerts correlation using grammarbased approach[J].Journal of Computer Virology,2009,5(4):271-282.
[8]吕慧颖,彭武,王瑞梅,等.基于时空关联分析的网络实时威胁识别与评估[J].计算机研究与发展,2014,51(5):1039-1049.
[9]Lee W,Qin Xinzhou.Statistical causality analysis of INFOSEC alert data[C]//Proc of the 6th International Symposium on Recent Advances in Intrusion Detection.2003:73-93.
[10]廖年冬,熊兵,胡琦.增量挖掘实时报警关联研究[J].计算机工程与应用,2012,48(4):25-28.
[11]肖云,王选宏,彭进业,等.基于不确定性知识发现的入侵报警关联算法[J].计算机应用,2009,29(3):808-812.