Research on an Improved HMM-Based Network Security Risk Assessment Method
Abstract

With the wide application of computer network technology, network security has become increasingly important and is now a key component of national security. Accurately assessing network risk is the key to improving network security. Traditional network security risk assessment methods can only perform static risk assessment and cannot reflect the real-time threat and risk situation.

This thesis studies and implements a network security risk assessment method based on the Hidden Markov Model (HMM). The method takes intrusion detection system (IDS) alerts as input and quantifies the real-time network risk value, so that the threats facing the network are assessed effectively; compared with traditional static assessment methods it has considerable advantages.

Two problems of this method are solved: the scale of the observation matrix is hard to control, and the values of the model parameters are hard to determine. For the first problem, alerts (the observed events) are classified by assessing their threat degree, which bounds the size of the observation matrix. During threat assessment the alert is combined with host vulnerability, network asset and network environment information, and four factors are considered to evaluate the threat of an attack: attack severity, criticality of the target asset, the administrator's perspective, and the probability that the attack succeeds; alerts are then divided into ten classes by threat level. For the second problem, a genetic algorithm solves the HMM parameter matrices automatically: the matrices are represented in binary encoding and risk description rules are defined as the optimization objective, so that automatic parameter generation replaces manual setting and improves the accuracy of parameter configuration.

The method is implemented on the Java platform and evaluated with honeynet data and the DARPA 2000 data set. Experiments show that the proposed method solves the two problems of HMM-based risk assessment well and that the system effectively reflects the real-time network security risk situation.
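The pipeline the abstract describes (four threat factors mapped to one of ten alert classes, those classes fed as observations to an HMM, and a real-time risk value read off the filtered state distribution) can be illustrated with a small forward-filtering implementation. The code below is an added example, not the thesis's Java system: the four hidden states, their costs, the transition and emission matrices, the factor weights and the sample alerts are all constructed assumptions, and the genetic-algorithm parameter search is left out (the matrices are simply fixed by hand, which is exactly the manual setting the thesis replaces).

```python
"""
Added example: real-time risk from IDS alerts with a discrete HMM.
Alerts are mapped to one of ten threat levels from four factors, then used
as observations in a forward (filtering) pass; the risk value is the expected
state cost under the filtered state distribution.
Every numeric value here is a constructed assumption, not a thesis result.
"""
import math

# Hidden security states of a monitored host (assumed labels and costs).
STATES = ["Good", "Probed", "Attacked", "Compromised"]
STATE_COST = [0.0, 2.0, 5.0, 10.0]

N_LEVELS = 10  # observation classes: threat levels 1..10

# Transition matrix A[i][j] = P(next state j | current state i); constructed values.
A = [
    [0.90, 0.07, 0.02, 0.01],
    [0.30, 0.50, 0.15, 0.05],
    [0.10, 0.20, 0.50, 0.20],
    [0.05, 0.05, 0.10, 0.80],
]

# Emission matrix B[i][k] = P(observe level k+1 | state i). Each state gets a
# bell-shaped preference centred on an assumed threat level.
LEVEL_CENTRES = [1, 3, 6, 9]


def _emission_row(centre, spread=1.5):
    weights = [math.exp(-((lvl - centre) / spread) ** 2) for lvl in range(1, N_LEVELS + 1)]
    total = sum(weights)
    return [w / total for w in weights]


B = [_emission_row(c) for c in LEVEL_CENTRES]

# Assumed weights for the four threat factors named in the abstract.
FACTOR_WEIGHTS = (0.4, 0.3, 0.1, 0.2)


def threat_level(severity, asset_criticality, admin_factor, success_prob):
    """Map four factors in [0, 1] to a threat level 1..10 (weighted mean, binned)."""
    factors = (severity, asset_criticality, admin_factor, success_prob)
    if any(not 0.0 <= f <= 1.0 for f in factors):
        raise ValueError("each factor must lie in [0, 1]")
    score = sum(w * f for w, f in zip(FACTOR_WEIGHTS, factors))
    return min(N_LEVELS, int(score * N_LEVELS) + 1)


def risk_trace(levels, initial=None):
    """Forward filtering: return [(state distribution, risk)] after each alert."""
    alpha = list(initial) if initial else [1.0, 0.0, 0.0, 0.0]  # start in Good
    n = len(STATES)
    trace = []
    for lvl in levels:
        k = lvl - 1
        # predict: propagate the previous belief through the transition matrix
        predicted = [sum(alpha[i] * A[i][j] for i in range(n)) for j in range(n)]
        # update: weight by the likelihood of the observed threat level
        posterior = [predicted[j] * B[j][k] for j in range(n)]
        norm = sum(posterior)
        alpha = [p / norm for p in posterior]
        risk = sum(p * c for p, c in zip(alpha, STATE_COST))
        trace.append((alpha, risk))
    return trace


def assess(alerts):
    """Classify raw alerts (dicts with the four factors) and return the final risk."""
    levels = [threat_level(**a) for a in alerts]
    return risk_trace(levels)[-1][1] if levels else 0.0


# Constructed sample alerts: two low-threat probes, then an exploit attempt
# and a likely successful attack against a critical host.
SAMPLE_ALERTS = [
    {"severity": 0.2, "asset_criticality": 0.3, "admin_factor": 0.1, "success_prob": 0.2},
    {"severity": 0.3, "asset_criticality": 0.3, "admin_factor": 0.1, "success_prob": 0.2},
    {"severity": 0.9, "asset_criticality": 1.0, "admin_factor": 0.8, "success_prob": 0.7},
    {"severity": 1.0, "asset_criticality": 1.0, "admin_factor": 0.9, "success_prob": 0.9},
]

if __name__ == "__main__":
    levels = [threat_level(**a) for a in SAMPLE_ALERTS]
    for lvl, (dist, risk) in zip(levels, risk_trace(levels)):
        belief = ", ".join(f"{s}={p:.2f}" for s, p in zip(STATES, dist))
        print(f"level {lvl:2d}: risk={risk:5.2f}  [{belief}]")
```

Running the script prints one line per alert; the risk stays near zero during the probes and jumps towards the cost of the Compromised state once high-level alerts arrive, which is the real-time behaviour the abstract contrasts with static assessment. Because the observation alphabet is fixed at ten classes, the emission matrix is 4 x 10 regardless of how many distinct IDS signatures exist, which is the point of classifying alerts before feeding them to the model.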