Research on Attack Scene Association Rule Mining Method Based on Alarm Attributes Clustering
  • Original title: 基于告警属性聚类的攻击场景关联规则挖掘方法研究
  • Authors: 陈兴蜀; 何涛; 曾雪梅; 邵国林
  • Authors (English): CHEN Xingshu; HE Tao; ZENG Xuemei; SHAO Guolin; College of Cybersecurity, Sichuan Univ.; Cybersecurity Research Inst., Sichuan Univ.
  • Keywords: attack scenario reconstruction; alert correlation; attribute similarity; false alarms
  • Keywords (original): 攻击场景重构; 告警关联; 属性相似度; 误告警
  • Chinese journal code: SCLH
  • Journal (English): Advanced Engineering Sciences
  • Affiliations: College of Cybersecurity, Sichuan University; Cybersecurity Research Institute, Sichuan University
  • Publication date: 2019-04-24 14:19
  • Published in: 工程科学与技术 (Advanced Engineering Sciences)
  • Year: 2019
  • Volume: v.51
  • Funding: National Natural Science Foundation of China (61802270); National "Mass Entrepreneurship and Innovation" Demonstration Base, International R&D and Transfer Platform for Transformative Technologies (C700011); Sichuan Provincial Key R&D Project (2018G20100); Sichuan Provincial Science and Technology Support Program (2016GZ0038); Fundamental Research Funds for the Central Universities (2017SCU11059; 2017SCU11065; SCU2016D009)
  • Language: Chinese
  • Page: SCLH201903019
  • Page count: 7
  • CN: 03
  • ISSN: 51-1773/TB
  • Classification number: 148-154
Abstract
To address the insufficient mining of association rules and the broken attack-scenario chains found in existing attack scenario reconstruction methods, as well as the effect that false alarms from security devices have on reconstruction accuracy, an attack scenario association rule mining method based on alert attribute clustering is proposed. The method effectively mines attack scenario association rules, reduces breaks in the attack chain, restores the actual multi-step attack, and thereby helps security administrators gain a deeper understanding of the attacker's intrusion behaviour and grasp the full picture of the attack. Taking the raw alerts of security devices in a real network as the data source, the raw alert data are first preprocessed to normalise them. Next, an alert time series is constructed, and the FFT and the Pearson correlation coefficient are used to analyse the periodic characteristics of false alarms, generating false-alarm filtering rules. Then an alert attribute clustering method based on a dynamic time threshold is proposed: the similarity between alerts is characterised by the similarity of their attributes, the clustering time is updated from the interval between alert occurrences combined with the dynamic time threshold, and alerts belonging to the same attack scenario are clustered together. Finally, the Apriori frequent itemset mining algorithm is used to generate attack scenario sequence patterns, and sequence patterns that share repeated attack steps are merged to generate association rules. Experiments in the real environment of the Sichuan University campus network show that the proposed method effectively mitigates the attack-chain break problem and the influence of false alarms and, compared with the baseline methods, improves the completeness of the generated attack scenario association rules.
English abstract as given by the journal: In order to solve the problems that association rules are not fully mined and the attack scenario chain breaks in existing attack scene reconstruction methods, and that false alarms of security devices affect the accuracy of attack scene reconstruction, an attack scenario association rule mining method based on alarm attribute similarity clustering was proposed in this paper. The method can effectively mine attack scene association rules, reduce attack chain breaks, restore actual multi-step attacks, and help the security administrator to deeply understand the attacker's intrusion behaviors and grasp the whole attack. First, taking the original alarms of security devices in a real network as the data source, the alarm data were preprocessed and normalized. By constructing an alarm time series, the FFT and Pearson correlation coefficient were used to analyze the periodic characteristics of false alarms and generate a false alarm filtering rule. Then, an alarm attribute clustering method based on a dynamic time threshold was proposed. The similarity between alarms was characterized by the similarity of alarm attributes, and the clustering time was updated according to the interval between alarms and the dynamic time threshold. Finally, the Apriori frequent item mining algorithm was used to generate attack scene sequence patterns, and attack sequences with repeated steps were merged to generate the association rules. The experimental results showed that the proposed method can effectively alleviate the impact of attack chain breaks and false alarms. Compared with the comparison methods, the integrity of the generated attack scene association rules can be effectively improved.
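The false-alarm filtering step described in the abstract (alert time series, FFT to find the dominant period, Pearson correlation to confirm it), as an added illustration that is not code from the paper: the alerts, the 10 s bins, the direct DFT used in place of an FFT library, the 0.9 harmonic tolerance and the 0.8 Pearson threshold are all assumptions made here.

```python
import cmath
import math

# Constructed sample alerts (seconds since window start, signature); not real IDS data.
# "ICMP sweep" fires every 60 s like a misconfigured monitor; the other signature is sporadic.
SAMPLE_ALERTS = [(60 * m, "ICMP sweep") for m in range(10)] + [
    (15, "SQL injection attempt"), (405, "SQL injection attempt")]
BIN_SECONDS, N_BINS = 10, 60  # a 10-minute window split into 10 s bins (assumed)

def alert_series(alerts, signature, bin_seconds=BIN_SECONDS, n_bins=N_BINS):
    """Alert time series: count of one signature's alerts per time bin."""
    series = [0] * n_bins
    for ts, sig in alerts:
        if sig == signature and 0 <= ts < bin_seconds * n_bins:
            series[int(ts // bin_seconds)] += 1
    return series

def dft_magnitudes(series):
    """Magnitude spectrum by direct DFT (an FFT library gives the same values)."""
    n = len(series)
    return [abs(sum(x * cmath.exp(-2j * math.pi * k * i / n) for i, x in enumerate(series)))
            for k in range(n)]

def candidate_period(series, tolerance=0.9):
    """Period (in bins) of the lowest non-DC frequency within `tolerance` of the peak.
    A spike train spreads equal energy over its harmonics, so the lowest strong bin k
    is the fundamental and the period is n / k; the tolerance value is an assumption."""
    mags, n = dft_magnitudes(series), len(series)
    peak = max(mags[1:n // 2 + 1])
    if peak == 0:
        return None
    k = next(k for k in range(1, n // 2 + 1) if mags[k] >= tolerance * peak)
    return max(1, round(n / k))

def pearson(xs, ys):
    mx, my = sum(xs) / len(xs), sum(ys) / len(ys)
    cov = sum((x - mx) * (y - my) for x, y in zip(xs, ys))
    sx = math.sqrt(sum((x - mx) ** 2 for x in xs))
    sy = math.sqrt(sum((y - my) ** 2 for y in ys))
    return cov / (sx * sy) if sx and sy else 0.0

def false_alarm_rule(alerts, signature, threshold=0.8):
    """Emit a filtering rule when the series correlates with itself shifted by one period."""
    series = alert_series(alerts, signature)
    period = candidate_period(series)
    if period is None or 2 * period > len(series):
        return None  # no alerts, or period too long to verify inside this window
    score = pearson(series[:-period], series[period:])
    if score < threshold:
        return None
    return {"signature": signature, "period_s": period * BIN_SECONDS, "pearson": round(score, 3)}
```

For the constructed data the ICMP signature yields a rule with a 60 s period and a Pearson score of 1.0, while the sporadic signature yields none; a rule is only a candidate for suppression and should still be checked against the device's configuration before alerts are dropped.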