Recognizing attack paths based on multi-dimensional frequent sequence mining
  • Original title (Chinese): 基于多维频繁序列挖掘的攻击轨迹识别方法
  • Authors: 李洪成 (LI Hong-cheng); 吴晓平 (WU Xiao-ping); 俞艺涵 (YU Yi-han)
  • Affiliation: Dept. of Information Security, Naval University of Engineering (海军工程大学信息安全系)
  • Keywords: intrusion detection; attack path recognition; frequent sequence mining; multi-dimensional correlation; sequence segmentation
  • Journal code: HJGX
  • Journal: Journal of Naval University of Engineering (海军工程大学学报)
  • Publication date: 2018-02-15
  • Year: 2018
  • Issue: 01 (Vol. 30, No. 198)
  • Funding: National Natural Science Foundation of China (61672531); Natural Science Foundation of Hubei Province (2015CFC867)
  • Language: Chinese
  • Article ID: HJGX201801009
  • Pages: 44-49 (6 pages)
  • CN: 42-1106/E
Abstract
Traditional attack path recognition methods handle time-ordered data inefficiently and cannot comprehensively reflect how each attribute dimension of the alerts varies over time. To address this, a method for recognizing attack paths based on frequent sequence mining and multi-dimensional correlation is proposed. First, following the prefix-projection idea, an algorithm for mining frequent alert attribute sequences is designed that generates no candidate sets. Then, the global attack type sequence and the global attack target sequence are segmented by time windows, from which the frequent attack behaviour sequences and frequent attack target sequences in the network are mined; the global attack type sequence is also segmented by destination IP, from which combined attack patterns against a single host are mined, so that attack paths on both the network and individual hosts are recognized comprehensively. Finally, the method is validated on the traffic data set of the typical distributed denial-of-service attack scenario LLDoS 1.0 inside.
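The pipeline the abstract describes, as an added illustrative example that is not the paper's own code: a PrefixSpan-style miner (prefix projection, no candidate generation), segmentation of the global alert stream by time window for the network view and by destination IP for the host view, and extraction of the maximal frequent attack-type and attack-target sequences. The alerts, host addresses, attack names, the 60 s window and the support threshold of 3 are all constructed assumptions for the example (the attack chain is loosely modelled on a multi-stage DDoS scenario); the function names are ours, and the paper's actual window and threshold choices are not reproduced here.

```python
from collections import defaultdict

HOSTS = ["172.16.1.1", "172.16.1.2", "172.16.1.3"]
ATTACKER, NOISE_SRC = "10.0.0.9", "10.0.0.5"

# Constructed IDS alerts: (timestamp s, attack type, src IP, dst IP). In each of
# three 60 s windows the attacker sweeps all hosts, then runs the chain
# sadmind overflow -> rsh -> DDoS agent install against one host. Two stray
# ICMP alerts from another source are noise that must not become a pattern.
ALERTS = []
for w, victim in enumerate(HOSTS):
    base = 60 * w
    ALERTS += [(base + i, "IP_SWEEP", ATTACKER, h) for i, h in enumerate(HOSTS)]
    ALERTS += [(base + off, atype, ATTACKER, victim)
               for off, atype in ((10, "SADMIND_BOF"), (20, "RSH"), (30, "MSTREAM_ZOMBIE"))]
ALERTS += [(12, "ICMP_ECHO", NOISE_SRC, "172.16.1.7"),
           (170, "ICMP_ECHO", NOISE_SRC, "172.16.1.7")]


def prefixspan(sequences, min_support):
    """Mine all frequent sequential patterns by prefix projection.

    Returns {pattern_tuple: support}. Support is the number of input sequences
    containing the pattern as a (not necessarily contiguous) subsequence. Each
    frequent prefix is grown only from items seen in its projected database
    (the suffixes after the prefix's first occurrence), so no candidate set is
    ever generated and tested against the whole database.
    """
    patterns = {}

    def grow(prefix, projected):
        counts = defaultdict(int)
        for suffix in projected:
            for item in set(suffix):          # count each item once per sequence
                counts[item] += 1
        for item, support in counts.items():
            if support < min_support:
                continue
            pattern = prefix + (item,)
            patterns[pattern] = support
            # Project: keep suffixes containing item, cut after its first occurrence.
            grow(pattern, [s[s.index(item) + 1:] for s in projected if item in s])

    grow((), [tuple(s) for s in sequences])
    return patterns


def segment_by_time(alerts, window):
    """Global (type, dst) stream split into consecutive time windows: network view."""
    buckets = defaultdict(list)
    for ts, atype, _src, dst in sorted(alerts):
        buckets[ts // window].append((atype, dst))
    return [buckets[k] for k in sorted(buckets)]


def segment_by_dst(alerts):
    """Global attack-type stream split per destination IP: host view."""
    per_host = defaultdict(list)
    for _ts, atype, _src, dst in sorted(alerts):
        per_host[dst].append(atype)
    return dict(per_host)


def is_subsequence(short, long):
    it = iter(long)
    return all(any(x == y for y in it) for x in short)


def maximal(patterns):
    """Drop every pattern contained in a longer frequent pattern."""
    return {p: s for p, s in patterns.items()
            if not any(len(q) > len(p) and is_subsequence(p, q) for q in patterns)}


def recognize_attack_paths(alerts, window, min_support):
    """Maximal frequent sequences on the three dimensions the abstract names."""
    windows = segment_by_time(alerts, window)
    type_seqs = [[atype for atype, _ in w] for w in windows]
    target_seqs = [[dst for _, dst in w] for w in windows]
    host_seqs = list(segment_by_dst(alerts).values())
    return {
        "network_actions": maximal(prefixspan(type_seqs, min_support)),
        "network_targets": maximal(prefixspan(target_seqs, min_support)),
        "host_patterns": maximal(prefixspan(host_seqs, min_support)),
    }


if __name__ == "__main__":
    for dim, found in recognize_attack_paths(ALERTS, window=60, min_support=3).items():
        print(dim)
        for pattern, support in found.items():
            print(f"  support={support}: {' -> '.join(pattern)}")
```

On the constructed alerts the network view yields the full sweep-exploit-install chain as one frequent action sequence and the sweep order 172.16.1.1 -> 172.16.1.2 -> 172.16.1.3 as the frequent target sequence, while the host view isolates the per-host combined attack (IP_SWEEP -> SADMIND_BOF -> RSH -> MSTREAM_ZOMBIE) that is buried among the other hosts' sweeps in the global stream; the two unrepeated ICMP alerts never reach the support threshold. Support here is counted per window or per host, so the threshold must be chosen relative to the number of segments, not the number of alerts.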