基于攻击规划图的实时报警关联方法

doi:10.11772/j.issn.1001-9081.2016.06.1538

计算机应用 ›› 2016, Vol. 36 ›› Issue (6): 1538-1543.DOI: 10.11772/j.issn.1001-9081.2016.06.1538

基于攻击规划图的实时报警关联方法

张靖, 李小鹏, 王衡军, 李俊全, 郁滨

信息工程大学密码工程学院, 郑州 450001

收稿日期:2015-11-23 修回日期:2016-02-26 出版日期:2016-06-10 发布日期:2016-06-08
通讯作者: 张靖
作者简介:张靖(1991-),男,安徽滁州人,硕士研究生,主要研究方向:仿真、信息安全;李小鹏(1980-),男,陕西三原人,讲师,硕士,主要研究方向:信息安全;王衡军(1973-),男,湖南衡阳人,副教授,博士,主要研究方向:人工智能、信息安全;李俊全(1965-),男,河北涿州人,教授,博士生导师,博士,主要研究方向:密码学、信息安全;郁滨(1964-),男,河南郑州人,教授,博士生导师,博士,主要研究方向:信息安全、无线通信、系统工程。
基金资助:
信息保障技术重点实验室开放基金资助项目(20151014)。

Real-time alert correlation approach based on attack planning graph

ZHANG Jing, LI Xiaopeng, WANG Hengjun, LI Junquan, YU Bin

College of Cryptography Engineering, Information Engineering University, Zhengzhou Henan 450001, China

Received:2015-11-23 Revised:2016-02-26 Online:2016-06-10 Published:2016-06-08
Supported by:
This work is partially supported by the National Key Laboratory Foundation of Information Security Support Technologies (20151014).

摘要/Abstract

摘要： 针对报警因果关联分析方法存在无法及时处理大规模报警且攻击场景图分裂的不足,提出一种基于攻击规划图(APG)的实时报警关联方法。该方法首先给出APG和攻击规划树(APT)的定义;其次,根据先验知识构建APG模型,并提出基于APG的实时报警关联方法,重建攻击场景;最后,结合报警推断完善攻击场景和预测攻击。实验结果表明,该方法能够有效地处理大规模报警和重建攻击场景,具有较好的实时性,可应用于分析入侵攻击意图和指导入侵响应。

关键词: 报警关联, 因果关系, 攻击规划图, 攻击场景, 报警推断, 实时性

Abstract: The alert correlation approach based causal relationship has the problems that it cannot be able to process massive alerts in time and the attack scenario graphs split. In order to solve the problem, a novel real-time alert correlation approach based on Attack Planning Graph (APG) was proposed. Firstly, the definition of APG and Attack Planning Tree (APT) were presented. The real-time alert correlation algorithm based on APG was proposed by creating APG model on basis of priori knowledge to reconstruct attack scenario. And then, the attack scenario was completed and the attack was predicted by applying alert inference mechanism. The experimental results show that, the proposed approach is effective in processing massive alerts and rebuilding attack scenarios with better performance in terms of real-time. The proposed approach can be applied to analyze intrusion attack intention and guide intrusion responses.

Key words: alert correlation, casual relationship, Attack Planning Graph (APG), attack scenario, alert inference, real-time

中图分类号:

TP393.08

张靖, 李小鹏, 王衡军, 李俊全, 郁滨. 基于攻击规划图的实时报警关联方法[J]. 计算机应用, 2016, 36(6): 1538-1543.

ZHANG Jing, LI Xiaopeng, WANG Hengjun, LI Junquan, YU Bin. Real-time alert correlation approach based on attack planning graph[J]. Journal of Computer Applications, 2016, 36(6): 1538-1543.

参考文献

[1] 卿斯汉,蒋建春,马恒太,等.入侵检测技术研究综述[J].通信学报,2004,25(7):19-29.(QING S H, JIANG J C, MA H T, et al. Research on intrusion detection techniques: a survey[J]. Journal of China Institute of Communications, 2004, 25(7): 19-29.)
[2] 诸葛建伟,韩心慧,叶志远,等.基于扩展目标规划图的网络攻击规划识别算法[J].计算机学报,2006,29(8):1356-1366.(ZHUGE J W, HAN X H, YE Z Y, et al. A network attack plan recognition algorithm based on the extended goal graph[J]. Chinese Journal of Computers, 2006, 29(8): 1356-1366.)
[3] MIRHEIDARI S A, ARSHAD S, JALILI R. Alert correlation algorithms: a survey and taxonomy[C]//CSS 2013: Proceedings of the 5th International Symposium on Cyberspace Safety and Security, LNCS 8300.[S.l.]: Springer International Publishing, 2013: 183-197.
[4] SHITTU R, HEALING, GHANEAL-HERCOCK R, et al. Intrusion alert prioritisation and attack detection using post-correlation analysis[J]. Computers & Security, 2015, 50: 1-15.
[5] GHASEMIGOL M, GHAEMI-BAFGHI A. A new alert correlation framework based on entropy[C]//ICCKE 2013: Proceedings of the 20133th International Conference of Computer and Knowledge Engineering. Piscataway, NJ: IEEE, 2013: 184-189.
[6] 殷其雷,吴平平.基于Apriori算法的攻击行为时序关联规则检测方法[J].计算机安全,2014(9):2-7.(YIN Q L, WU P P. Detecting temporal association rules of attack activities based on Apriori algorithm[J]. Network and Computer Security, 2014(9): 2-7.)
[7] ELSHOUSH H T, OSMAN I M. An improved framework for intrusion alert correlation[C/OL]//WCE 2012: Proceedings of the World Congress on Engineering 2012. London:[s.n.], 2012[2015-11-23]. http://www.iaeng.org/publication/WCE2012/WCE2012_pp518-523.pdf.
[8] ELSHOUSH H T, OSMAN I M. Alert correlation in collaborative intelligent intrusion detection systems-a survey[J]. Applied Soft Computing, 2011, 11(7): 4349-4365.
[9] 王璐璐.基于告警因果关系和概率统计的攻击场景重建方法的研究[D].上海:上海交通大学,2011:22-41.(WANG L L. Research on attack scenarios reconstructing method based on causal correlation and probabilistic correlation[D]. Shanghai: Shanghai Jiao Tong University, 2011: 22-41.)
[10] NING P, XU D. Adapting query optimization techniques for efficient intrusion alert correlation[M]//Data and Applications Security XVII.[S.l.]: Springer US, 2004: 75-88.
[11] BATENI M, BARAANI A. Time window management for alert correlation using context information and classification[J]. International Journal of Computer Network & Information Security, 2013, 5(11): 9-16.
[12] ZALI Z, HASHEMI M.R, SAIDI H. Real-time attack scenario detection via intrusion detection alert correlation[C]//Proceedings of the 20129th International ISC Conference on Information Security and Cryptology. Piscataway: IEEE, 2012: 95-102.
[13] NING P, CUI Y, REEVES D S, et al. Techniques and tools for analyzing intrusion alerts[J]. ACM Transactions on Information & System Security, 2004, 7(2): 274-318.
[14] 陈锋,张怡,苏金树,等.攻击图的两种形式化分析[J].软件学报,2010,21(4):838-848.(CHEN F, ZHANG Y, SU J S, et. Two formal analyses of attack graphs[J]. Journal of Software, 2010, 21(4): 838-848.)

[1]	刘晓光, 靳少康, 韦子辉, 梁铁, 王洪瑞, 刘秀玲. 基于阈值和极端随机树的实时跌倒检测方法[J]. 计算机应用, 2021, 41(9): 2761-2766.
[2]	王朱君, 王石, 李雪晴, 朱俊武. 基于深度学习的事件因果关系抽取综述[J]. 计算机应用, 2021, 41(5): 1247-1255.
[3]	蔡瑞初, 白一鸣, 乔杰, 郝志峰. 基于混淆因子隐压缩表示模型的因果推断方法[J]. 计算机应用, 2021, 41(10): 2793-2798.
[4]	彭铎, 周建国, 羿舒文, 江昊. 基于空间合作关系的基站流量预测模型[J]. 计算机应用, 2019, 39(1): 154-159.
[5]	赵宏, 常兆斌, 王乐. 基于词法特征的恶意域名快速检测算法[J]. 计算机应用, 2019, 39(1): 227-231.
[6]	林杰, 覃飙, 覃雄派. 数据库中不等式查询语句的resilience计算[J]. 计算机应用, 2018, 38(7): 1893-1897.
[7]	李卓, 刘洁瑜, 李辉, 周小刚, 李维鹏. 基于ORB-LATCH的特征检测与描述算法[J]. 计算机应用, 2017, 37(6): 1759-1762.
[8]	乔通, 赵卓峰, 丁维龙. 面向套牌甄别的流式计算系统[J]. 计算机应用, 2017, 37(1): 153-158.
[9]	王寒光, 王旭光, 汪浩源. 基于圆形感兴趣区域多路视频实时拼接[J]. 计算机应用, 2016, 36(10): 2849-2853.
[10]	任秀丽, 彦琨. 交通监控中基于模糊聚类的无线传感网MAC协议[J]. 计算机应用, 2016, 36(10): 2653-2658.
[11]	曹彦珏, 安博文, 李启明. 基于后处理的实时景深模拟与应用[J]. 计算机应用, 2015, 35(5): 1439-1443.
[12]	胡昭华, 邢卫国, 何军, 张秀再. 多通道核相关滤波的实时跟踪方法[J]. 计算机应用, 2015, 35(12): 3544-3549.
[13]	关国栋, 滕飞, 杨燕. 基于心跳超时机制的Hadoop实时容错技术[J]. 计算机应用, 2015, 35(10): 2784-2788.
[14]	赵源陆天波. 基于多维度的P2P网络信任管理机制[J]. 计算机应用, 2014, 34(11): 3157-3159.
[15]	朱梦影徐蕾. 基于攻击图与报警相似性的混合报警关联模型[J]. 计算机应用, 2014, 34(1): 108-112.

基于攻击规划图的实时报警关联方法

Real-time alert correlation approach based on attack planning graph

PDF

可视化

摘要/Abstract

引用本文

使用本文

参考文献

相关文章 15

编辑推荐

Metrics