Abstract
To address the shortcomings of traditional alert aggregation and correlation methods in rationality and accuracy, an alert aggregation method based on the idea of multistage division and an alert correlation method based on a Markov chain model are proposed. First, network alerts are described using the Intrusion Detection Message Exchange Format (IDMEF); the temporal proximity of alerts is used to extend time windows automatically, so that alerts whose time intervals are smaller than a preset threshold are placed into the same time window. Next, alerts are divided successively by attack type, time window, subnet mask, IP address and port, and attribute matching is used to perform subnet-level, host-level and service-level aggregation, which effectively merges the similar alerts produced when an attacker launches attacks through the same router, zombie host or service port. On this basis, a first-order Markov chain model is used to generate an alert correlation graph, in which the conditional transition probabilities between attack types form the directed edges, and these transition probabilities are computed from the temporal adjacency of alerts. In the experiments, the DARPA2000 traffic data were processed with the intrusion detection system Snort in its strictest mode to obtain the set of intrusion alerts corresponding to the LLDoS1.0 attack scenario. The five types of alerts in this set were aggregated and correlated with the proposed method; parameter optimization yielded the optimal interval threshold for the self-extending time windows, so that multistage aggregation effectively reduced the number of alerts, with results consistent with the distribution of alert source IPs and source ports. The accuracy of alert correlation was computed by comparing the correlation results with the official description of the attack scenario. Compared with traditional methods, the proposed method achieves an alert correlation accuracy of 97.94%, an improvement of 2.29%.
In order to deal with the shortcomings of traditional alert aggregation and correlation methods in rationality and accuracy, an aggregation method based on multistage division and a correlation method based on a Markov chain model were presented. Firstly, the network alerts were described by the Intrusion Detection Message Exchange Format. If the time intervals between alerts were shorter than the predefined threshold, the alerts were divided into the same time window, and the time windows were extended automatically based on the temporal relationship of the alerts. Then, the alerts were divided respectively according to the attributes of attack type, time window, subnet mask, IP address and port. To aggregate the similar alerts generated by attacks which used the same router, host or port, the aggregation processes at the subnet, host and service stages were respectively carried out based on attribute matching. On this basis, an alert correlation graph was generated by using a one-step Markov chain model. In the graph, the directed edges represented the conditional transition probabilities between attack types, and the transition probabilities were calculated from the number of temporally adjacent alerts. Finally, in the experiment, the DARPA2000 traffic data were handled by the intrusion detection system Snort configured in its strictest mode. After generating the intrusion alert set of the LLDoS1.0 attack scenario, the above aggregation and correlation methods were conducted on the alerts of five types. The most ideal interval threshold of the self-extending time windows was further determined by parameter optimization. In this way, the alerts were reduced effectively by the multistage aggregation, and the aggregation results were in accordance with the distribution of alert source IPs and source ports. Moreover, the accuracy rate of alert correlation was calculated by comparing the correlation results with the official description of LLDoS1.0.
Experiments demonstrated that the accuracy rate of the proposed meth
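The three mechanisms the abstract describes (self-extending time windows, subnet-level aggregation by attribute matching, and first-order Markov transition probabilities between attack types computed from temporally adjacent alerts) as an added, simplified Python illustration; this is not the paper's code, and the alert tuples, attack-type names and the /24 prefix are constructed assumptions, not DARPA2000 or Snort output.

```python
from collections import Counter, defaultdict
from ipaddress import ip_network

# Constructed sample alerts (not taken from the paper's DARPA2000/Snort data):
# (timestamp in seconds, attack type, source IP, source port).
ALERTS = [
    (0.0, "ICMP_SWEEP", "10.0.1.5", 1001),
    (0.5, "ICMP_SWEEP", "10.0.1.5", 1002),
    (1.0, "ICMP_SWEEP", "10.0.1.6", 1003),
    (2.0, "SADMIND_PROBE", "10.0.1.5", 2001),
    (2.5, "SADMIND_EXPLOIT", "10.0.1.5", 2002),
    (60.0, "ICMP_SWEEP", "10.0.2.9", 1004),
    (61.0, "SADMIND_PROBE", "10.0.2.9", 2003),
    (62.0, "SADMIND_EXPLOIT", "10.0.2.9", 2004),
    (63.0, "DDOS_PREP", "10.0.2.9", 3001),
]

def assign_windows(alerts, threshold):
    """Self-extending time windows: an alert joins the current window when the
    gap to the previous alert is below `threshold`, otherwise a new window opens."""
    windows = []
    for alert in sorted(alerts, key=lambda a: a[0]):
        if windows and alert[0] - windows[-1][-1][0] < threshold:
            windows[-1].append(alert)
        else:
            windows.append([alert])
    return windows

def aggregate_subnet(windows, prefix=24):
    """Subnet-level aggregation: alerts of one attack type in one window whose
    source IPs fall into the same /prefix are merged into one alert with a count."""
    merged = Counter()
    for w_id, window in enumerate(windows):
        for _ts, atype, src, _port in window:
            subnet = ip_network(f"{src}/{prefix}", strict=False)
            merged[(w_id, atype, str(subnet))] += 1
    return merged

def transition_probabilities(windows):
    """First-order Markov chain: each pair of temporally adjacent alerts inside a
    window counts as one transition between attack types; normalise per source type."""
    counts = defaultdict(Counter)
    for window in windows:
        for prev, cur in zip(window, window[1:]):
            counts[prev[1]][cur[1]] += 1
    return {src: {dst: n / sum(dsts.values()) for dst, n in dsts.items()}
            for src, dsts in counts.items()}
```

The resulting probability dictionary is the edge weight set of the correlation graph; a probe type followed by an exploit type with probability 1.0 is the kind of edge the paper compares against the scenario's official description.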
Source
《工程科学与技术》
EI
CAS
CSCD
Peking University Core Journal
2017, Issue 1, pp. 206-212 (7 pages)
Advanced Engineering Sciences
Funding
National Natural Science Foundation of China (61672531)
Natural Science Foundation of Hubei Province (2015CFC867)