Research on Key Implementation Technologies of Network Security Situational Awareness
Abstract
The network security situational awareness system is a new technology for network security monitoring and one of the current research hotspots in information security. Network security situational awareness requires examining the security status of a large-scale network from a comprehensive, holistic perspective; it emphasises timely monitoring of potential or already-present anomalies in the network system and the ability to make reasonable, accurate predictions of the network's security status over a coming period. Its central idea is to make full use of one or several mathematical methods to fuse and process the multi-source, heterogeneous security state data of the network environment and generate an easily understood network security situation.
This thesis first conducts a fairly comprehensive study of the application of network security situational awareness in the network security field, covering the concept description and research status of network security situational awareness, and establishes a layered network security situational awareness model that, from bottom to top, comprises three layers: situation extraction, situation generation and situation prediction.
Second, for the situation extraction layer, a distributed data fusion model is proposed. The model uses multiple classifiers to classify network information and fuses the results obtained according to the credibility of each classifier, generating the network security situational elements. Experiments verify the effectiveness of the method.
Then, the situation assessment layer adopts a hierarchical network security situation assessment model, using statistical methods to quantitatively compute the security situation indices at the service, host and system levels of the network system, thereby obtaining the security situation value corresponding to each level.
Finally, for the situation prediction layer, a situation prediction method based on a BP neural network optimised by a genetic algorithm is proposed: the genetic algorithm performs a global search for the weights of the BP neural network, and the optimised BP neural network is used to build a model that predicts the network security situation. Experimental tests show that the method can be applied to predicting network security situation values and helps network administrators understand the network's trend.
Network security situational awareness system (NSSAS) is a new technology to monitor network security, and it is one of the hot research domains in information security. NSSA demands a new, whole-network perspective on the network security status; it emphasises timely detection of potential or emerging anomalies in the network system, and it can also forecast the network security status over a coming period. The main idea of NSSA is to make full use of one or several kinds of mathematical methods to fuse the multi-source heterogeneous data in the network system, so that an easily understandable network security situation is generated from a cognitive perspective.
Firstly, NSSA in network security is researched comprehensively in this thesis, including the concept description, research state and development direction of NSSA, and then a preliminary model of NSSA is formed. The model includes three sub-models: a data fusion model, a realization model of the network security situation, and a prediction model.
Secondly, the thesis presents a distributed data fusion model: it uses three classifiers to label network data and fuses their results according to the credibility (discrimination rate) of each classifier to obtain the network security situational factors. An experiment is done to check the validity of the method.
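The credibility-weighted fusion step described above, as an added illustration (this is not the thesis's own code; the classifier names, the label set, the validation data and the traffic records are all constructed). Each classifier's credibility is taken to be its accuracy on a labelled validation set, a label's fused score is the summed credibility of the classifiers voting for it, and the fused non-normal labels are counted per destination host to form the situational factors.

```python
from collections import Counter, defaultdict

LABELS = ("normal", "dos", "probe", "r2l")   # assumed label set

# Constructed validation data: ground truth and each classifier's predictions for it
VALIDATION_TRUTH = ["normal", "dos", "probe", "r2l", "normal", "dos", "probe", "normal", "dos", "normal"]
VALIDATION_PREDICTIONS = {
    "tree":  ["normal", "dos", "probe", "r2l", "normal", "dos", "probe", "normal", "dos", "dos"],
    "bayes": ["normal", "dos", "normal", "r2l", "normal", "dos", "normal", "normal", "dos", "normal"],
    "svm":   ["normal", "dos", "probe", "normal", "dos", "dos", "probe", "dos", "dos", "dos"],
}

# Constructed traffic records: (destination host, {classifier: label it assigned})
RECORDS = [
    ("10.0.0.5", {"tree": "dos", "bayes": "dos", "svm": "normal"}),
    ("10.0.0.5", {"tree": "probe", "bayes": "normal", "svm": "normal"}),
    ("10.0.0.7", {"tree": "r2l", "bayes": "normal", "svm": "r2l"}),
    ("10.0.0.7", {"tree": "normal", "bayes": "probe", "svm": "probe"}),
    ("10.0.0.5", {"tree": "dos", "bayes": "normal", "svm": "dos"}),
]


def credibility(predictions, truth):
    """Credibility of one classifier = its accuracy on the labelled validation set."""
    assert truth and len(predictions) == len(truth)
    correct = sum(1 for p, t in zip(predictions, truth) if p == t)
    return correct / len(truth)


def compute_weights(predictions=VALIDATION_PREDICTIONS, truth=VALIDATION_TRUTH):
    return {name: credibility(preds, truth) for name, preds in predictions.items()}


def fuse(votes, weights):
    """Weighted vote: a label's score is the summed credibility of the classifiers
    voting for it. Ties are broken deterministically by position in LABELS."""
    score = defaultdict(float)
    for name, label in votes.items():
        score[label] += weights[name]
    return max(LABELS, key=lambda lab: (score.get(lab, 0.0), -LABELS.index(lab)))


def situation_factors(records, weights):
    """Situational factors: per host, how many records were fused to each attack class."""
    factors = defaultdict(Counter)
    for host, votes in records:
        label = fuse(votes, weights)
        if label != "normal":
            factors[host][label] += 1
    return {host: dict(counts) for host, counts in factors.items()}


if __name__ == "__main__":
    weights = compute_weights()
    print("credibility:", weights)
    for host, votes in RECORDS:
        print(host, votes, "->", fuse(votes, weights))
    print("factors:", situation_factors(RECORDS, weights))
```

The second record shows why the weighting matters: the most credible classifier alone calls it a probe, but the two others, whose combined credibility is higher, outvote it, so the record is not counted as an attack.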
Thirdly, a layered realization model of the network security situation is constructed. This model uses statistical methods for the quantitative calculation of the security situation index at the service level, host level and network level of the networked system, from which the security situation of each level is obtained.
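A worked example of the layered, bottom-up index computation (added here; not the thesis's code, and the scoring rule, severity scale, importance weights, qualitative thresholds and alert counts are all assumptions). Each alert contributes 10 to the power of its assumed severity to its service's index; host indices are importance-weighted means of their services, and the system index is an importance-weighted mean of the hosts.

```python
# Assumed severity per attack class (1 = least severe)
SEVERITY = {"probe": 1, "r2l": 2, "dos": 3, "u2r": 4}

# Constructed statistics for one assessment window: host -> service -> attack class -> alert count
ALERTS = {
    "web01": {"http": {"dos": 2, "probe": 5}, "ssh": {"r2l": 1}},
    "db01": {"mysql": {"probe": 3}},
}
# Assumed importance weights: a service within its host, a host within the system
SERVICE_WEIGHT = {"http": 0.7, "ssh": 0.3, "mysql": 1.0}
HOST_WEIGHT = {"web01": 0.4, "db01": 0.6}


def service_index(attack_counts, severity=SEVERITY):
    """Service-level index: every alert contributes 10**severity (assumed scoring rule)."""
    return float(sum(10 ** severity[attack] * n for attack, n in attack_counts.items()))


def weighted_mean(indices, weights):
    """Importance-weighted aggregation; weights are normalised over the keys present,
    so a host with a single service gets that service's index unchanged."""
    total = sum(weights[k] for k in indices)
    return sum(weights[k] * v for k, v in indices.items()) / total


def assess(alerts=ALERTS, service_weight=SERVICE_WEIGHT, host_weight=HOST_WEIGHT):
    """Compute the service, host and system indices bottom-up."""
    services = {(h, s): service_index(counts)
                for h, svcs in alerts.items() for s, counts in svcs.items()}
    hosts = {h: weighted_mean({s: services[(h, s)] for s in svcs}, service_weight)
             for h, svcs in alerts.items()}
    return {"services": services, "hosts": hosts, "system": weighted_mean(hosts, host_weight)}


def level(value, thresholds=((100, "low"), (1000, "medium"))):
    """Map an index to a qualitative level (assumed thresholds)."""
    for bound, name in thresholds:
        if value < bound:
            return name
    return "high"


if __name__ == "__main__":
    result = assess()
    for key, val in result["services"].items():
        print("service", key, round(val, 1), level(val))
    for host, val in result["hosts"].items():
        print("host", host, round(val, 1), level(val))
    print("system", round(result["system"], 1), level(result["system"]))
```

Because the contribution grows exponentially with severity, a single high-severity alert can dominate a service's index even when low-severity alerts are far more numerous; the severity scale and the thresholds are therefore the parameters an operator should calibrate first.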
Finally, the thesis presents a method based on GA-BPNN (Genetic Algorithm-Back Propagation Neural Network) to predict the network security situation. The model uses the GA to optimize the weights of the neural network and builds the prediction model with them; the model is then used to predict the network security situation. Experimental results show that this method predicts the network security situation well, helping the administrator understand the current situation.
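An added, self-contained illustration of the GA-BPNN idea (not the thesis's implementation; the time series, the 3-4-1 network size, the GA parameters and the choice of keeping the best epoch's weights during back-propagation are all assumptions). A genetic algorithm searches the flat weight vector globally, with fitness 1/(1+MSE) over sliding-window samples of the series; back-propagation then refines the best individual, and the trained network predicts the next situation value from the last three observations.

```python
import math
import random

# Constructed situation values scaled to [0, 1] (hypothetical data, not the thesis's dataset)
SERIES = [round(0.5 + 0.3 * math.sin(i / 3.0) + 0.01 * (i % 5), 3) for i in range(40)]
WINDOW = 3   # the previous three values predict the next one
HIDDEN = 4   # hidden-layer size; flat weight layout: W1 | b1 | W2 | b2
N_WEIGHTS = WINDOW * HIDDEN + HIDDEN + HIDDEN + 1
OFF2 = WINDOW * HIDDEN + HIDDEN   # index where the output-layer weights start


def make_samples(series, window=WINDOW):
    return [(series[i:i + window], series[i + window]) for i in range(len(series) - window)]


def sigmoid(x):
    return 1.0 / (1.0 + math.exp(-x))


def forward(w, x):
    """Return (hidden activations, output) of the 3-4-1 sigmoid network for flat weights w."""
    hidden = []
    for j in range(HIDDEN):
        s = w[WINDOW * HIDDEN + j] + sum(w[j * WINDOW + i] * x[i] for i in range(WINDOW))
        hidden.append(sigmoid(s))
    out = w[OFF2 + HIDDEN] + sum(w[OFF2 + j] * hidden[j] for j in range(HIDDEN))
    return hidden, sigmoid(out)


def mse(w, samples):
    return sum((forward(w, x)[1] - y) ** 2 for x, y in samples) / len(samples)


def genetic_search(samples, rng, pop_size=20, generations=30, sigma=0.1):
    """GA global search over the weight vector: tournament selection, arithmetic crossover,
    Gaussian mutation and elitism. Fitness 1/(1+MSE) is monotone in MSE, so MSE is compared."""
    pop = [[rng.uniform(-1, 1) for _ in range(N_WEIGHTS)] for _ in range(pop_size)]
    initial_best = min(mse(w, samples) for w in pop)

    def tournament():
        a, b = rng.sample(pop, 2)
        return a if mse(a, samples) <= mse(b, samples) else b

    for _ in range(generations):
        pop.sort(key=lambda w: mse(w, samples))
        new_pop = [pop[0][:]]                       # elitism: the best survives unchanged
        while len(new_pop) < pop_size:
            p1, p2 = tournament(), tournament()
            alpha = rng.random()
            child = [alpha * a + (1 - alpha) * b for a, b in zip(p1, p2)]
            new_pop.append([g + rng.gauss(0, sigma) if rng.random() < 0.2 else g for g in child])
        pop = new_pop
    return min(pop, key=lambda w: mse(w, samples)), initial_best


def backprop(w, samples, epochs=300, lr=0.5):
    """Online gradient descent (BP) from the GA solution; returns the best epoch's weights."""
    w = w[:]
    best_w, best_err = w[:], mse(w, samples)
    for _ in range(epochs):
        for x, y in samples:
            hidden, out = forward(w, x)
            d_out = (out - y) * out * (1 - out)
            d_hid = [d_out * w[OFF2 + j] * h * (1 - h) for j, h in enumerate(hidden)]
            for j in range(HIDDEN):
                w[OFF2 + j] -= lr * d_out * hidden[j]
                w[WINDOW * HIDDEN + j] -= lr * d_hid[j]
                for i in range(WINDOW):
                    w[j * WINDOW + i] -= lr * d_hid[j] * x[i]
            w[OFF2 + HIDDEN] -= lr * d_out
        err = mse(w, samples)
        if err < best_err:
            best_w, best_err = w[:], err
    return best_w, best_err


def train(seed=7):
    rng = random.Random(seed)
    samples = make_samples(SERIES)
    ga_w, initial_best = genetic_search(samples, rng)
    bp_w, bp_err = backprop(ga_w, samples)
    return {"initial_best_mse": initial_best, "ga_mse": mse(ga_w, samples),
            "bp_mse": bp_err, "weights": bp_w}


def predict_next(w, series):
    """Predict the next situation value from the last WINDOW observations."""
    return forward(w, series[-WINDOW:])[1]


if __name__ == "__main__":
    result = train()
    print({k: round(v, 5) for k, v in result.items() if k != "weights"})
    print("next:", round(predict_next(result["weights"], SERIES), 3))
```

Elitism guarantees the GA's error never rises across generations, and keeping the best epoch's weights guarantees BP never ends worse than the GA start; the division of labour is that the GA avoids the poor local minima a randomly initialised BP network can settle into, while BP converges faster once it starts near a good solution.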
