摘要
为解决多源、异构网络告警融合中蕴含的多步攻击难以被发现的问题,提出一种基于频繁告警序列模式的挖掘模型。利用动态时间窗口对报警数据进行划分,将IDS、防火墙报警数据转化为报警序列;根据报警序列的相似度构造攻击序列集,从而利用两条攻击序列的属性信息判断同一个攻击场景的攻击前后步骤的关联性。实验结果证明:在不需要制定复杂关联规则和储备先验知识的基础上,该模型能自动地向用户提供最小支持度范围,提高关联算法的准确性,为成功发现多步攻击。
It is hard to find out multi-step attack in multi source and heterogeneous network alerting fusion,for solvingthis problem,put forward dig model based on of frequent altering sequence model.Used dynamic time window to dividedalert data,changed the IDS,firewall alerting data into alerting sequence.According to alerting sequence similarity,establish attack sequence set,then used two attack sequence attribute information to judge correlation of attack steps in oneattack environment.The test results analysis show that the model can automatically provide the minimum support degree tothe users without establishing complex correlation rules and storing experience knowledge,it also can improve correctnessof correlation algorithm and successfully find the multi-step attack.
作者
李洪敏
张建平
黄晓芳
卢敏
Li Hongmin;Zhang Jianping;Huang Xiaofang;Lu Min(Institute of System Engineering, China Academy of Engineering Physics, Mianyang 621900, China;School of Computer Science & Technology, Southwest University of Science & Technology, Mianyang 621000, China)
出处
《兵工自动化》
2017年第9期35-38,共4页
Ordnance Industry Automation
关键词
告警关联
频繁项集
多步攻击
聚类
alert correlation
frequent item sets
multi-step attack
clustering
