Research and Application of Security Event Replay Based on Drools
Abstract
Rule engines grew out of the inference engines of rule-based expert systems, and their range of application keeps widening.
     Drools is a Java rule engine that implements an expert system on top of a rule base. It is a production rule system: its pattern-matching stage matches facts (data) against production rules and infers conclusions that trigger actions. Its main advantage is the separation of logic from the application; when application requirements change, the logic layer can be modified more easily.
     This thesis proposes an analysis method for security event replay. The Drools rule engine is used to compress the massive volume of alerts produced by a security monitoring system and to replay the operation (attack) process. First, the relevant techniques of rule-based expert systems and the Drools rule engine are discussed. Then, in the design phase, the concept of security event replay is defined; causal correlation analysis is performed with an event-sequence method and events are classified using generic programming, yielding an overall generic system model and a correlation analysis model. The research focuses on the detailed design strategy for rule inference and on the solutions to the key technical problems; the design as a whole is portable and applicable to many kinds of security monitoring system. Finally, event replay was implemented in a host monitoring and security audit system. Replay of removable-storage monitoring events showed an alert compression rate above 9.898%, and the operation (attack) processes that can occur under this kind of monitoring were successfully replayed.
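The abstract describes the production-rule pattern (facts matched against rules, conclusions asserted back as new facts until nothing more fires) applied to alert compression and causal event-sequence replay. The following is an added illustration, not code from the thesis or from the Drools project: a small forward-chaining engine in Python that stands in for Drools, with two rules that correspond to what a DRL `when`/`then` pair would express. The alert records, host and device names, the 30-second aggregation window and the hypothetical agent that would emit them are all constructed for the example.

```python
"""Toy forward-chaining production-rule engine (Drools-style, in Python).

Working memory holds alert facts; each rule matches facts and asserts
derived facts; the loop repeats until no rule produces anything new.
Derived facts absorb the raw alerts they were built from, which is the
"compression", and can be unfolded again in time order, the "replay".
"""
from collections import defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class Fact:
    kind: str          # e.g. "usb_insert", "file_copy", "bulk_copy"
    host: str
    device: str
    t: int             # constructed timestamp, seconds
    detail: tuple = () # raw facts absorbed by a derived fact (empty for raw alerts)


# Constructed sample alerts from a hypothetical removable-storage monitor.
RAW_ALERTS = [
    Fact("usb_insert", "host-A", "usb-7", 100),
    Fact("file_copy", "host-A", "usb-7", 101),
    Fact("file_copy", "host-A", "usb-7", 102),
    Fact("file_copy", "host-A", "usb-7", 103),
    Fact("usb_remove", "host-A", "usb-7", 110),
    Fact("usb_insert", "host-B", "usb-2", 200),  # inserted and removed, nothing copied
    Fact("usb_remove", "host-B", "usb-2", 205),
]


def rule_aggregate_copies(wm, window=30, min_count=2):
    """Rule 1 (aggregation): file_copy alerts on the same host/device that
    fall within `window` seconds collapse into a single bulk_copy fact."""
    groups = defaultdict(list)
    for f in wm:
        if f.kind == "file_copy":
            groups[(f.host, f.device)].append(f)
    out = []
    for (host, dev), copies in groups.items():
        copies.sort(key=lambda f: f.t)
        if len(copies) >= min_count and copies[-1].t - copies[0].t <= window:
            out.append(Fact("bulk_copy", host, dev, copies[0].t, tuple(copies)))
    return out


def rule_correlate_exfil(wm):
    """Rule 2 (causal correlation): insert -> bulk_copy -> remove on the same
    device, in that time order, becomes one exfil_sequence fact.
    Assumes at most one alert of each kind per host/device (toy simplification)."""
    by_key = defaultdict(dict)
    for f in wm:
        if f.kind in ("usb_insert", "bulk_copy", "usb_remove"):
            by_key[(f.host, f.device)][f.kind] = f
    out = []
    for (host, dev), steps in by_key.items():
        if {"usb_insert", "bulk_copy", "usb_remove"} <= steps.keys():
            ins, cp, rm = steps["usb_insert"], steps["bulk_copy"], steps["usb_remove"]
            if ins.t <= cp.t <= rm.t:
                out.append(Fact("exfil_sequence", host, dev, ins.t, (ins, cp, rm)))
    return out


RULES = [rule_aggregate_copies, rule_correlate_exfil]


def run_engine(alerts, rules=RULES):
    """Forward chaining: fire rules until working memory stops growing.
    Set difference gives refraction: a rule's identical conclusion never re-fires."""
    wm = set(alerts)
    fired = True
    while fired:
        fired = False
        for rule in rules:
            new = set(rule(wm)) - wm
            if new:
                wm |= new
                fired = True
    return wm


def compressed_events(wm):
    """The analyst's view: facts not absorbed into a higher-level fact."""
    absorbed = {m for f in wm for m in f.detail if isinstance(m, Fact)}
    return sorted(wm - absorbed, key=lambda f: (f.t, f.host, f.kind))


def replay(event):
    """Unfold a derived event back into its raw alerts in time order."""
    if not event.detail:
        return [event]
    steps = []
    for member in event.detail:
        steps.extend(replay(member))
    return sorted(steps, key=lambda f: (f.t, f.kind))


def compression_ratio(raw, compressed):
    return len(compressed) / len(raw)


if __name__ == "__main__":
    memory = run_engine(RAW_ALERTS)
    events = compressed_events(memory)
    print(f"{len(RAW_ALERTS)} raw alerts -> {len(events)} events "
          f"(ratio {compression_ratio(RAW_ALERTS, events):.3f})")
    for ev in events:
        if ev.kind == "exfil_sequence":
            for step in replay(ev):
                print(f"  t={step.t:3d} {step.host} {step.device} {step.kind}")
```

Each rule is written to return the same conclusion on every pass, so the `set` difference in `run_engine` plays the role of Drools' refraction and the loop terminates; a rule that retracted or mutated facts would need explicit activation tracking, which is what the Rete network does in the real engine.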

© 2004-2018 China Geological Library. All rights reserved.