Uncertainty Analysis of Anomaly Event Correlation in Backbone Communication Networks
Abstract
With the growing reach of networks and rapid economic development, network security has become a foundation of national political, economic and military security and a major factor in people's daily life and economic activity. The prosperity of the Internet has been accompanied by an increasingly severe and complex security situation, and anomaly event correlation, a key research tool in network security, has been widely studied and deployed as a result. The uncertainty inherent in correlation results limits their practical value and is both the main obstacle and the main opportunity for progress in this area. In a backbone network in particular, correlation throughput is the binding constraint, so achieving good correlation results within a fixed time budget is a difficult and important research problem.
Existing work concentrates on building effective and robust representation models and reasoning methods for the uncertainty of anomaly event correlation. Their goal is to avoid making the final result worse than the uncertainty already present in the input data would dictate, through an ill-suited model or inference method. Our work instead starts from the data source and looks for ways to lower the uncertainty before correlation takes place. The specific contributions are:
First, to reduce correlation uncertainty at the data source, we analyse the causes of uncertainty in anomaly event correlation and show how the granularity at which network traffic is split into sub-flows, and the granularity of the network parameters used for correlation, affect the correlation result.
Second, using real backbone traffic data, we measure the uncertainty of anomaly detection and anomaly identification on a range of sub-flows and with network parameters of various granularities. The results can help network operators choose a flow-split granularity and a parameter granularity that minimise the uncertainty of the correlation result while still meeting the real-time requirement of backbone correlation. Comparing how detection and identification uncertainty varies across sub-flows and parameter granularities shows that splitting the traffic and combining coarse- and fine-grained parameters reduces both effectively.
Third, we propose an approach that lowers correlation uncertainty with multiple sub-flows and multiple feature parameters. Because correlating split traffic multiplies the time spent, the approach introduces fine-grained parameters first and splits the traffic only afterwards, reducing uncertainty step by step so that the time needed to reach an acceptable level is minimised. Network operators can use it to find the sub-flows and parameters that bring correlation uncertainty down to an acceptable level in the least time.
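The step-by-step ordering of the third point (fine-grained parameters first, flow split afterwards), as an added illustration: this is the editor's example with constructed NetFlow-like records, not the thesis's code, data or detector. The two features (packet volume as the coarse parameter, number of distinct destination addresses as the fine one), the split key (transport protocol), the baseline-plus-three-standard-deviations detector and the cost model (one detector run per sub-flow per feature) are all assumptions made for this example.

```python
"""Added illustration of the third point: try the cheaper configuration
(fine-grained parameters on the aggregate flow) before the expensive one
(splitting the traffic), and stop as soon as the anomaly is detected.
Editor's example with constructed NetFlow-like records; not the thesis's
code, data or detector.  Features, split key, detector and cost model are
assumptions made for this example."""
from collections import defaultdict
from statistics import mean, pstdev

# Record layout (constructed): (interval, proto, src, dst, dport, packets)
T, PROTO, SRC, DST, DPORT, PKTS = range(6)

def make_records():
    """Ten baseline intervals plus one test interval (t=10) that hides a
    horizontal SSH scan (150 targets, one packet each) inside normal traffic."""
    recs = []
    for t in range(11):
        for i in range(20):   # web traffic to one server, deterministic jitter
            recs.append((t, "tcp", f"10.0.0.{i}", "198.51.100.10", 80, 45 + (t * 7) % 11))
        for i in range(5):    # DNS to one resolver
            recs.append((t, "udp", f"10.0.0.{i}", "198.51.100.53", 53, 10 + t % 3))
    for k in range(150):      # the anomaly, present only in the last interval
        recs.append((10, "tcp", "10.0.0.99", f"203.0.113.{k}", 22, 1))
    return recs

# Coarse parameter: traffic volume.  Fine parameter: spread of destinations.
FEATURES = {
    "packets":      lambda rs: sum(r[PKTS] for r in rs),
    "distinct_dst": lambda rs: len({r[DST] for r in rs}),
}
COARSE = ["packets"]
FINE = ["packets", "distinct_dst"]

def flagged(values, k=3.0, floor=0.1):
    """Flag the last interval when it exceeds the baseline mean by more than
    k standard deviations (with a 10% floor so a constant baseline still works)."""
    base, last = values[:-1], values[-1]
    m = mean(base)
    return last > m + max(k * pstdev(base), floor * m)

def run(recs, split_key, feats):
    """Evaluate one configuration.  split_key=None keeps the aggregate flow,
    otherwise records are split into sub-flows on that field.  Returns the set
    of (sub-flow, feature) pairs flagged in the last interval and the cost,
    counted as one detector run per sub-flow per feature."""
    intervals = sorted({r[T] for r in recs})
    groups = defaultdict(list)
    for r in recs:
        groups["all" if split_key is None else r[split_key]].append(r)
    hits, cost = set(), 0
    for name, rs in groups.items():
        by_t = defaultdict(list)
        for r in rs:
            by_t[r[T]].append(r)
        for f in feats:
            cost += 1
            if flagged([FEATURES[f](by_t[t]) for t in intervals]):
                hits.add((name, f))
    return hits, cost

def search(recs, plan):
    """Run configurations in the given order and stop at the first detection.
    Returns (index of the detecting step or None, cumulative cost, hits)."""
    total = 0
    for i, (split_key, feats) in enumerate(plan):
        hits, cost = run(recs, split_key, feats)
        total += cost
        if hits:
            return i, total, hits
    return None, total, set()

# The thesis's ordering: add fine-grained parameters first, split afterwards.
FINE_FIRST = [(None, COARSE), (None, FINE), (PROTO, FINE)]
# The alternative: split first, refine parameters afterwards.
SPLIT_FIRST = [(None, COARSE), (PROTO, COARSE), (PROTO, FINE)]

if __name__ == "__main__":
    recs = make_records()
    for label, plan in (("fine first", FINE_FIRST), ("split first", SPLIT_FIRST)):
        step, cost, hits = search(recs, plan)
        print(f"{label}: detected at step {step} after {cost} detector runs: {sorted(hits)}")
```

On this constructed data the coarse view of the aggregate flow misses the scan (1185 packets in the test interval against a threshold just under 1248), and splitting by protocol with the coarse parameter alone still misses it, because the 150 extra packets stay inside the TCP sub-flow's normal variation. The fine parameter flags the interval on the aggregate flow after a cumulative cost of 3 detector runs, whereas the split-first order needs 7. The split-first order does localise the anomaly to the TCP sub-flow, which is the identification gain the abstract attributes to flow splitting, but it pays for that with the multiplied cost; in the proposed ordering that split is only made if the cheaper step has not already brought the uncertainty down to an acceptable level.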