1. School of Computer and Information Technology, Beijing Jiaotong University, Beijing 100044, China
2. Institute of Information Engineering, Chinese Academy of Sciences, Beijing 100093, China
3. School of Cyber Security, University of Chinese Academy of Sciences, Beijing 100049, China
Wei SUN (1980- ), male, born in Xinzhou, Shanxi; Ph.D. candidate at Beijing Jiaotong University; main research interests: computer networks, information security and network measurement.
Peng ZHANG (1984- ), male, born in Huainan, Anhui; associate researcher and master's supervisor at the Chinese Academy of Sciences; main research interests: data mining and network security.
Yongquan HE (1997- ), male, born in Huludao, Liaoning; master's student at the University of Chinese Academy of Sciences; main research interests: parallel computing and distributed systems.
Lichao XING (1993- ), male, born in Harbin, Heilongjiang; master's student at the University of Chinese Academy of Sciences; main research interests: information filtering and content computing.
Online publication date: 2020-01
Print publication date: 2020-01-25
Citation: Wei SUN, Peng ZHANG, Yongquan HE, et al. Attack detection method based on spatiotemporal event correlation in intranet environment[J]. Journal on Communications, 2020, 41(1): 33-41. DOI: 10.11959/j.issn.1000-436x.2020001.
Abstract: Intrusion detection systems that use a single event as the attack detection feature suffer from a high false positive rate. To address this, an intranet attack detection method was proposed that uses a Bayesian network model for cross-space event correlation and a Kalman filter linear model for cross-time event correlation. Based on this method, a process query system was implemented which scans and correlates distributed network events according to a user's high-level process description. Experimental analysis shows that the proposed method significantly reduces the false positive rate of intranet attack detection without a noticeable increase in computational overhead.