Information Security Center, Beijing University of Posts and Telecommunications, Beijing 100876, China
Wei-xin LIU (born 1987), male, from Shenzhen, Guangdong; PhD candidate at Beijing University of Posts and Telecommunications. Main research interests: network attack and defense, intrusion detection, and log analysis.
Kang-feng ZHENG (born 1975), male, from Yantai, Shandong; associate professor at Beijing University of Posts and Telecommunications. Main research interests: network and information security.
Bin WU (born 1981), male, from Tai'an, Shandong; lecturer at Beijing University of Posts and Telecommunications. Main research interest: network security.
Yi-xian YANG (born 1961), male, from Yanting, Sichuan; professor and doctoral supervisor at Beijing University of Posts and Telecommunications. Main research interests: information security and cryptography.
Online publication date: 2015-09
Print publication date: 2015-09-25
Citation: Wei-xin LIU, Kang-feng ZHENG, Bin WU, et al. Alert processing based on attack graph and multi-source analyzing [J]. Journal on Communications, 2015, 36(9): 135-144. DOI: 10.11959/j.issn.1000-436x.2015193.
Existing attack graph-based alert correlation methods have difficulty handling the correlation relations between alerts comprehensively, and inferring missed alerts and predicting future attacks produce a large number of redundant attack paths, which are false positives. To address these problems, a multi-source alert correlation analysis algorithm based on attack graphs is proposed. It jointly applies graph relations and threshold limits to perform linked inference and prediction over mapped alerts, so that missed alerts (false negatives) in the attack graph are resolved more comprehensively while the number of false positives is reduced. The alert processing algorithm is also parallelized, yielding the AG-PAP parallel alert processing engine. AG-PAP was tested in a distributed environment, and the experiments show that the method improves both the effectiveness and the performance of correlation analysis.