计算机应用 (Journal of Computer Applications), 2016, Vol. 36, Issue (1): 194-198. DOI: 10.11772/j.issn.1001-9081.2016.01.0194

• Cyberspace Security •

Network security situation evaluation method based on attack pattern recognition

王坤 (WANG Kun), 邱辉 (QIU Hui), 杨豪璞 (YANG Haopu)

  1. Information Engineering University, Zhengzhou 450001, China
  • Received: 2015-08-05  Revised: 2015-09-15  Online: 2016-01-10  Published: 2016-01-09
  • Corresponding author: QIU Hui (born 1990), male, from Yongcheng, Henan; master's student; research interests: network security, situation awareness
  • About the authors: WANG Kun (born 1975), male, from Zhoukou, Henan; associate professor, PhD; research interests: network security, data mining. YANG Haopu (born 1993), female, from Fengqiu, Henan; master's student; research interests: network security, attack detection.
  • Supported by:
    National Natural Science Foundation of China (61309013).

Network security situation evaluation method based on attack pattern recognition

WANG Kun, QIU Hui, YANG Haopu   

  1. Information Engineering University, Zhengzhou Henan 450001, China
  • Received: 2015-08-05  Revised: 2015-09-15  Online: 2016-01-10  Published: 2016-01-09
  • Supported by:
    This work is partially supported by the National Natural Science Foundation of China (61309013).

Abstract: Analysis and comparison of existing network security situation evaluation methods show that they cannot accurately reflect the large-scale, coordinated and multi-stage characteristics that network attacks increasingly exhibit; a network security situation evaluation method based on attack pattern recognition is therefore proposed. First, causal analysis is performed on the alert data in the network to identify the attack intention and the current attack phase. Then, the situation is evaluated with the attack phase as the key factor. Finally, a State Transition Graph (STG) of attack phases is built and combined with host vulnerability and configuration information to predict the network security situation. Validation of the proposed model on a network example shows that the network security situation value grows as the attack advances through its phases, so the value reflects the actual attack more accurately; moreover, the prediction needs no training on historical sequences, giving higher prediction efficiency.

Keywords: causal analysis, state transition graph, situation evaluation, pattern recognition, multi-stage attack

Abstract: By analyzing and comparing the existing network security situation evaluation methods, it is found that they cannot accurately reflect the large-scale, coordinated and multi-stage features gradually shown by network attack behaviors. Therefore, a network security situation evaluation method based on attack pattern recognition was proposed. Firstly, a causal analysis of the alarm data in the network was made, and the attack intention and the current attack phase were recognized. Secondly, situation evaluation based on the attack phase was realized. Lastly, the State Transition Diagram (STG) of attack phases was created to forecast the network security situation by combining it with the vulnerability and configuration information of hosts. A simulation experiment for the proposed network security situation evaluation model was performed on network examples. With the deepening of the attack phase, the value of the network security situation increased. The experimental results show that the proposed method is more accurate in reflecting the truth of the attack, and since the method does not need training on the historical sequence, it is more efficient in situation forecasting.

Key words: causal analysis, state transition diagram, situation evaluation, pattern recognition, multi-stage attack

CLC number: