A Multi-step Intrusion Detection Algorithm Based on Temporal Correlation
Abstract
With the development of network technology, the network has become an indispensable part of everything from individuals' daily lives to governments and enterprises. Today's networks not only store all kinds of private personal information but also carry a variety of essential services. When these resources are exposed on the network, how to maintain normal order and guarantee the security of the information stored and retrieved there becomes an important subject.
     To ensure network security, and through the continuous efforts of researchers, network security has become a complete and independent discipline. Today's network security technology covers packet filtering, honeypots, log auditing, intrusion immunity, forensics, intrusion tolerance, privacy protection, network security situational awareness, intrusion prevention systems (IPS), intrusion detection systems (IDS) and other areas. From active protection to passive defense, from threat monitoring to automatic recovery, these measures work together on several fronts to keep networks secure.
     Although the level of network security keeps rising, attempts to carry out attacks on the network for illicit gain also keep increasing. The functions of current hacking tools are continually expanded and integrated, so the background knowledge an attacker needs keeps decreasing, attack preparation time keeps shrinking, and the impact of attacks keeps growing.
     Multi-step intrusion is a new kind of intrusion pattern. Instead of completing an attack through a single one-off action, this pattern combines several simple attack actions into a whole to carry out one complete attack. Such attacks are not clearly visible in traditional detection based on single-step attacks. To address them, the idea of alert correlation was proposed: the extracted single-step attack data are integrated to find the complete attack sequence, so that attacks can be warned of early and the attacker can be located.
     There are already many ways to implement alert correlation, such as measuring attribute similarity between alerts, causal analysis, scenario analysis and data mining. Each of these achieves alert correlation on the basis of different attributes. This thesis introduces time series analysis and uses time as the correlation attribute: alerts are correlated through correlation analysis over time.
     Time series analysis is a widely used analytical tool in economics. With it, collected data can be modeled along the time axis, and the data analyzed on the basis of the resulting model. This thesis classifies and analyzes the common approaches to time series modeling and lists common time series analysis methods.
     The Granger algorithm is a correlation analysis method based on time series. Applying it to the analysis of alert data achieves alert correlation. To apply it to intrusion detection, this thesis first analyzes and presents a multi-step attack detection process based on time series analysis, then combines the Granger algorithm with this process to obtain a multi-step attack intrusion detection framework based on the Granger algorithm.
     On the basis of this framework the code was completed and the basic algorithm implemented. Because this algorithm has a weakness in handling delayed alerts in practical applications, an improved version was developed. Finally, three experiments verified the effectiveness of the basic and improved algorithms.
     In real environments the data on the network change constantly. To adapt to this change, the algorithm still needs better self-adaptation. Therefore, on the basis of the current research, the thesis concludes with rule-based and test-process-based suggestions for improvement.
With the development of network technology, the network has made extraordinary progress. Today the network plays an indispensable part in everything, from personal daily life to government and enterprises. It not only stores all kinds of private personal information but also carries a variety of essential services. When these resources are exposed to the network, how to keep normal order and ensure the security of reading and writing information becomes a significant subject.
     In order to maintain the security of the network, network security has become a complete and independent discipline through the continuous efforts of scientific researchers. The technologies now include packet filtering, honeypots, logging and auditing, intrusion immunity, forensics, intrusion tolerance, privacy, network security situational awareness, intrusion prevention (IPS), intrusion detection (IDS) and many other aspects. From active protection to passive defense, from threat monitoring to automatic recovery, these multi-pronged measures work together to maintain the security of the network.
     Although the level of network security has continuously improved, attempts to carry out attacks on the network for illegal gain are also on the increase. The functions of current hacking software are continually developed and integrated, so that attackers need less knowledge and less preparation time and gain more impact than before.
     Multi-step intrusion is a new kind of intrusion pattern. Rather than a simple one-off attack, this pattern achieves a full attack through the organic combination of multiple simple attacks. Such attacks are not very visible in traditional detection based on single steps. Hence the idea of alert correlation, which integrates the attack data extracted from all single steps to find the full sequence of attacks, enabling early warning of the attack and location of the attacker.
     Currently there is a variety of alert correlation methods based on different properties, such as measurement of alert property similarity, causal analysis, scenario analysis and data mining, among others. In this paper, by introducing the analysis methods of time series, we use time as the property by which alerts are associated.
     Time series analysis is widely used in economics. With this method one can model data collected over time and analyze the data according to the results of the modeling. We classify and analyze the common methods of time series modeling.
     The Granger algorithm is a correlation analysis method based on time series. Applying this method to alert data analysis achieves the purpose of alert correlation. To realize this, we first give a multi-step attack detection process, then combine the process with the Granger algorithm to arrive at a multi-step attack intrusion detection framework based on the Granger algorithm.
     We complete the code on the basis of the framework to implement the basic algorithm. Because this algorithm has a weakness in handling delayed alerts in specific applications, we improve the algorithm. Finally, through three experiments, we verify the effectiveness of the basic and improved algorithms.
     In the actual environment, the data on the network keep changing. To accommodate this change, the algorithm also needs further improvement in self-adaptation. So at the end of the thesis, based on the current research, we give improvement recommendations based on rules and on the test process.
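The time-based alert correlation the abstract describes, as an added example that is not code from the thesis: a pure-Python Granger-causality F-test between two per-minute alert-count series. The series (scan alerts followed one minute later by exploit alerts), the function names, the lag of 1 and the PRNG seed are assumptions of this example, constructed so that the expected direction of causality is known.

```python
"""Granger-causality check between two IDS alert-count series (added example,
not code from the thesis): an F-test asking whether past counts of one alert
type improve prediction of another type's counts beyond its own past, the
time-based correlation idea the abstract applies to multi-step attacks.
"""
import random


def _ols_rss(rows, target):
    """Residual sum of squares of OLS target ~ rows, via the normal equations."""
    k = len(rows[0])
    a = [[sum(r[i] * r[j] for r in rows) for j in range(k)] for i in range(k)]
    c = [sum(r[i] * t for r, t in zip(rows, target)) for i in range(k)]
    for i in range(k):  # Gauss-Jordan elimination with partial pivoting
        p = max(range(i, k), key=lambda r: abs(a[r][i]))
        a[i], a[p], c[i], c[p] = a[p], a[i], c[p], c[i]
        for r in range(k):
            if r != i:
                f = a[r][i] / a[i][i]
                a[r] = [u - f * v for u, v in zip(a[r], a[i])]
                c[r] -= f * c[i]
    beta = [c[i] / a[i][i] for i in range(k)]
    return sum((t - sum(b * v for b, v in zip(beta, r))) ** 2
               for r, t in zip(rows, target))


def granger_f(x, y, lag):
    """F-statistic: does past x help predict y beyond y's own past?

    Restricted:   y_t = a + sum_i b_i*y_{t-i}
    Unrestricted: y_t = a + sum_i b_i*y_{t-i} + sum_i c_i*x_{t-i}
    """
    rows_r, rows_u, target = [], [], []
    for t in range(lag, len(y)):
        own = [y[t - i] for i in range(1, lag + 1)]
        other = [x[t - i] for i in range(1, lag + 1)]
        rows_r.append([1.0] + own)
        rows_u.append([1.0] + own + other)
        target.append(y[t])
    rss_r, rss_u = _ols_rss(rows_r, target), _ols_rss(rows_u, target)
    dof = len(target) - (2 * lag + 1)  # observations minus unrestricted params
    return ((rss_r - rss_u) / lag) / (rss_u / dof)


def demo(n_minutes=240, seed=7):
    """Constructed per-minute counts: exploit alerts follow scan alerts by 1 min."""
    rng = random.Random(seed)
    scans = [rng.choice([0, 0, 0, 1, 2, 6]) for _ in range(n_minutes)]
    exploits = [0] + [s + rng.randint(0, 1) for s in scans[:-1]]
    return granger_f(scans, exploits, 1), granger_f(exploits, scans, 1)
```

`demo()` returns a large F for scans → exploits and a small one for the reverse direction, which is the asymmetry a correlator would use to order the two alert types into one attack sequence; a delayed alert shifts the lag, which is the weakness the abstract says the improved algorithm addresses.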