Research and Implementation of a Network Security Event Prediction System Based on Time Series Analysis
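Abstract
In large-scale networks, as network attacks continue to grow, traditional network security devices such as firewalls and intrusion detection systems generate massive volumes of alerts. This makes it hard for network administrators to understand the security state of the system accurately and to take appropriate measures in time. How to assess the overall network security situation promptly and accurately has therefore become a research hotspot in the network security field. Network security situation assessment has three levels: situation acquisition, comprehension and prediction. As an important part of situation assessment, network security situation prediction is attracting growing attention.
To meet the requirements of network security situation prediction, this thesis takes the occurrence frequency of network security events, an important factor in the network security situation, as the object of prediction. Traditional prediction methods try to build a single global prediction model, which conflicts with the locality and multi-pattern nature that network security events have because of their diversity. This thesis analyzes a single network event or a single type of network security event. The occurrence frequency of such events, that is, their count within an interval of a given time granularity, has distinct time series characteristics, so the main subject of this thesis is network security event prediction based on time series analysis.
The main contributions of this thesis are:
1. The ARMA model from time series analysis is applied to network security event prediction. Building on the stationarizing effect of wavelet decomposition on non-stationary time series, a network security event prediction technique based on wavelet decomposition is implemented. Experiments show that both models achieve good accuracy in one-step prediction of network security events and require only a small historical data set.
2. To address the ARMA model family's dependence on data stationarity, a network security event prediction technique based on time series eventualization is implemented that does not require the stationarity condition. Experiments on a real data set show that it is more accurate than the ARMA prediction model and the wavelet-based ARMA prediction. The model, however, needs the support of a larger training knowledge base to avoid degradation of the algorithm.
3. A network security event prediction system is designed and implemented. The system provides multi-dimensional, multi-model network security event prediction and raises alarms for security early-warning events, serving as an important basis for network security situation assessment and as important decision support for network defense.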
With the increasing number of attacks in large-scale networks, network security infrastructure such as firewalls and intrusion detection systems generates massive numbers of event alerts. This makes it difficult for administrators to stay aware of the security situation, and the corresponding measures cannot be taken in time. How to evaluate the network security situation efficiently has therefore become a hot topic in network security research. Network security situation assessment can be divided into three levels: acquisition, analysis and prediction. As an important element, network security situation prediction is also beginning to attract more attention.
Based on the requirements of network security situation prediction, this thesis treats the frequency of security events as a necessary factor and focuses on studying it. Traditional forecasting methods attempt to establish a single global prediction model, which contradicts the locality and multi-model nature that network security events have because of their variety. In this thesis, we target a single network security event or a single type of network security event. The frequency of occurrence of these events, that is, their number in a particular time interval, has exactly the characteristics of time series data. Therefore, network security event prediction based on time series analysis techniques is the main subject of our research.
The main work of this thesis is:
1. We use the ARMA model from time series analysis to predict network security events. Taking advantage of the ability of wavelets to stabilize non-stationary time series, we implement a prediction technique based on wavelet decomposition. Experiments show that both models have high accuracy in one-step prediction of network security events with only a small historical data set.
2. To overcome the ARMA model's requirement that the series data be stationary, we implement a prediction technique based on time series eventualization. Experiments on a real data set show that it performs more accurately than the ARMA prediction model and the ARMA prediction technique based on wavelet decomposition. However, this model needs a larger training knowledge repository to avoid degradation of the algorithm.
3. We discuss the design and realization of the network security event prediction system. The system can analyze and predict network security events in different time dimensions or event dimensions and gives early warning through security event alarms, which can serve as important evidence for network security situation evaluation and provide decision support for network defense.
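
The forecasting idea in item 1, as an added example that is not the thesis's code: alert timestamps for one event type are bucketed into counts per time interval, and the next interval's count is forecast one step ahead. It assumes a pure AR(p) model fitted with the Yule-Walker equations in place of the thesis's full ARMA model; the function names, sample timestamps and alarm threshold are constructed for illustration.

```python
# Added example: one-step forecast of per-interval alert counts.
# Assumption: AR(p) via Yule-Walker stands in for the thesis's ARMA model.
from collections import Counter

def bucket_counts(timestamps, start, width, n_buckets):
    """Event frequency: number of alerts in each fixed-width time bucket."""
    hits = Counter((t - start) // width for t in timestamps)
    return [hits.get(i, 0) for i in range(n_buckets)]

def autocov(x, lag):
    """Biased sample autocovariance at the given lag."""
    n, mean = len(x), sum(x) / len(x)
    return sum((x[i] - mean) * (x[i + lag] - mean) for i in range(n - lag)) / n

def fit_ar(x, p):
    """Solve the Yule-Walker equations with Levinson-Durbin; returns p coefficients."""
    r = [autocov(x, k) for k in range(p + 1)]
    phi, err = [], r[0]
    for k in range(1, p + 1):
        if err <= 1e-12:  # constant or perfectly predictable series
            break
        kappa = (r[k] - sum(phi[j] * r[k - 1 - j] for j in range(k - 1))) / err
        phi = [phi[j] - kappa * phi[k - 2 - j] for j in range(k - 1)] + [kappa]
        err *= 1.0 - kappa * kappa
    return phi + [0.0] * (p - len(phi))

def forecast_next(x, phi):
    """One-step-ahead forecast of the next bucket's count."""
    mean = sum(x) / len(x)
    return mean + sum(c * (x[-1 - j] - mean) for j, c in enumerate(phi))

def early_warning(x, p, threshold):
    """Return (forecast, alarm); threshold is a hypothetical operator-chosen limit."""
    pred = max(0.0, forecast_next(x, fit_ar(x, p)))  # counts cannot be negative
    return pred, pred >= threshold

if __name__ == "__main__":
    # Constructed sample: alert timestamps (seconds) for one event type.
    alerts = [3, 8, 15, 61, 70, 122, 125, 130, 131, 185, 240, 244, 250, 259, 301]
    counts = bucket_counts(alerts, start=0, width=60, n_buckets=6)
    print(counts, early_warning(counts, p=2, threshold=4))
```

The series must be longer than the model order `p`, and the forecast is only meaningful when the bucketed counts are roughly stationary, which is the limitation the thesis addresses in items 1 and 2.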
