Journal of Computer Applications ›› 2020, Vol. 40 ›› Issue (1): 123-128.DOI: 10.11772/j.issn.1001-9081.2019071229

• Cyber security • Previous Articles     Next Articles

Analysis of attack events based on multi-source alerts

WANG Chunying1,2, ZHANG Xun3, ZHAO Jinxiong3, YUAN Hui3, LI Fangjun4, ZHAO Bo4, ZHU Xiaoqin3, YANG Fan3, LYU Shichao2   

  1. 1. School of Software and Microelectronics, Peking University, Beijing 102600, China;
    2. Beijing Key Laboratory of IOT Information Security Technology, Institute of Information Engineering, Chinese Academy of Sciences, Beijing 100093, China;
    3. Grid Technology Center, State Grid Gansu Electric Power Research Institute, Lanzhou Gansu 730070, China;
    4. State Grid Gansu Electric Power Company, Lanzhou Gansu 730030, China
  • Received:2019-07-15 Revised:2019-09-04 Online:2020-01-10 Published:2019-09-29
  • Supported by:
    This work is partially supported by the Key Project of National Natural Science Foundation of China (U1766215), the Science and Technology Project of Headquarters of State Grid Corporation of China (522722180007).

基于多源告警的攻击事件分析

王淳颖1,2, 张驯3, 赵金雄3, 袁晖3, 李方军4, 赵博4, 朱小琴3, 杨凡3, 吕世超2   

  1. 1. 北京大学 软件与微电子学院, 北京 102600;
    2. 中国科学院信息工程研究所 物联网信息安全技术北京市重点实验室, 北京 100093;
    3. 国网甘肃省电力公司电力科学研究院, 兰州 730070;
    4. 国网甘肃省电力公司, 兰州 730030
  • 通讯作者: 吕世超
  • 作者简介:王淳颖(1997-),女,天津人,硕士研究生,主要研究方向:机器学习、数据挖掘;张驯(1982-),男,江苏扬州人,高级工程师,硕士,主要研究方向:电力信息安全管理、机器学习、无线安全、工控安全;赵金雄(1991-),男,甘肃环县人,工程师,硕士,主要研究方向:信息安全系统运检、威胁辨识、工控安全;袁晖(1989-),男,河南扶沟人,工程师,硕士,主要研究方向:信息规划、漏洞挖掘、无线通信安全;李方军(1979-),男,山东荣成人,高级工程师,硕士,主要研究方向:电力信息化建设及管理;赵博(1981-),男,甘肃平凉人,高级工程师,硕士,主要研究方向:网络与信息管理;朱小琴(1990-),女,甘肃临洮人,工程师,硕士,主要研究方向:信息安全系统运检、威胁辨识、工控安全;杨凡(1984-),男,山西运城人,工程师,硕士,主要研究方向:机器学习、数据挖掘;吕世超(1985-),男,河北保定人,助理研究员,博士,主要研究方向:无线通信安全、工控安全。
  • 基金资助:
    国家自然科学基金重点项目(U1766215);国家电网公司总部科技项目(522722180007)。

Abstract: In order to overcome the difficulty in discovering multi-stage attack from multi-source alerts, an algorithm was proposed to mine the attack sequence pattern. The multi-source alerts were normalized into a unified format by matching them with regular expressions. The redundant information of alerts was compressed, and the alerts of the same stage were clustered according to the association rule set trained by strong association rules, efficiently removing the redundant alerts, so that the number of alerts was reduced. Then, the clustered alerts were divided to obtain candidate attack event dataset by sliding-window, and the attack pattern mining algorithm PrefixSpan was used to find out the attack sequence patterns of multi-stage attack events. The experimental results show that the proposed algorithm can lead to an accurate and efficient analysis of alert correlation and extract the attack steps of attack events without expert knowledge. Compared with the traditional algorithm PrefixSpan, the algorithm has an increase in attack pattern mining efficiency of 48.05%.

Key words: multi-source alert, alert cluster, association rule, sequence pattern mining, multi-stage attack event

摘要: 为解决多源告警中的复杂攻击难以被发现的问题,提出一种攻击序列模式挖掘算法。利用正则表达式匹配告警,将多源告警规范化为统一格式。对冗余告警信息进行压缩,利用强关联规则训练得到的规则集聚合同一阶段的告警,有效去除冗余告警,精简告警数量。利用滑动窗口对聚合后的告警进行划分得到候选攻击事件数据集,通过改进的PrefixSpan算法挖掘得到多阶段攻击事件的攻击序列模式。实验结果表明,该算法在不依赖专家知识的前提下,能够准确并高效地分析告警相关性,还原攻击事件中的攻击步骤。相比传统PrefixSpan算法,提出的改进算法的攻击模式挖掘效率提升了48.05%。

关键词: 多源告警, 告警聚类, 关联规则, 序列模式挖掘, 多阶段攻击事件

CLC Number: