
EHFM: An Efficient Hierarchical Filtering Method for Multi-source Network Malicious Alerts

Cited by: 2
Abstract (translated from the Chinese abstract): In complex network environments, situation awareness technology uses alert data to capture, in real time, multiple security factors and the situation changes they cause, perceiving and predicting network security, and it plays a major role in security construction. However, the massive threat logs and event information on the Internet bring extremely high analytical complexity and even cause misjudgment in assessment and awareness techniques, posing a great challenge to security management. Therefore, the filtering of alert events plays an important role, and the granularity and accuracy of filtering are the basis of subsequent reliable security situation assessment. This paper proposes a hierarchical data filtering model for multi-source network attack alerts, EHFM, and applies it in a security situation awareness system. EHFM contains five layers of filters, designs a unified format for multi-source alert logs, proposes the concept of the difference in joint performance entropy, and combines it with methods such as the fuzzy analytic hierarchy process to perform unified, fine-grained and customized filtering of large numbers of alerts, thereby improving the accuracy and flexibility of security situation assessment algorithms and solving the problem of security state misjudgment caused by the excessive scale of network attack alerts. The feasibility of the scheme is demonstrated through a code implementation of the EHFM filtering model and the situation awareness system. Extensive experiments show that the scheme can classify and filter malicious events in fine granularity, effectively avoid misjudgment caused by external environmental factors, and improve the accuracy of security situation assessment algorithms in large-scale network attack alert scenarios.

Abstract (English, as provided by the authors): Security situation awareness technology based on the alarm data plays an essential role in system protection. In the complex network environment, situation awareness systems control and predict the network security in time by capturing multiple metrics representing system situations combined with alert data. However, network security detection or protection systems generate massive and diverse alarm logs daily. Such massive threat logs and event information lead to a sharp rise in complexity and even bring some misjudgment problems. Therefore, there is a need for methods that filter the massive warning alerts with fine granularity and high accuracy to provide the basis for building subsequent reliable situation awareness systems. This paper proposes an efficient hierarchical filtering method (EHFM) for multi-source alarm data. EHFM contains five layers of filters, and the proposed hierarchical filtering structure guarantees its scalability and flexibility. Firstly, EHFM designs a unified format for multi-source alarm data to provide unified and customizable filtering. Moreover, the concept of "difference in joint performance entropy" incorporated with the fuzzy analytic hierarchy algorithm is proposed, which guarantees its robustness. These methods improve filtering accuracy by solving the problem of misjudgment caused by excessive alarm scale and external environmental factors. Then, the threat degree of malicious events to the system is classified by considering both the frequency and the impact of alerts. Finally, the classified and filtered alerts are visualized to facilitate the subsequent processing by security managers or software. Based on the proposed EHFM, a security situation awareness system is developed to verify its efficiency. The results of comprehensive experiments demonstrate that the proposed scheme filters and classifies malicious events in fine granularity and hence improves the accuracy and effectiveness of security situation awareness technology in large-scale alarm scenarios.
Authors: YANG Xin (杨昕), LI Gengxin (李更新), LI Hui (李挥) (Peking University Shenzhen Graduate School, Shenzhen, Guangdong 518055, China; Peng Cheng Laboratory, Shenzhen, Guangdong 518055, China)
Source: Computer Science (《计算机科学》), indexed in CSCD and the Peking University Core Journal list, 2023, No. 2, pp. 324-332 (9 pages)
Funding: Guangdong Provincial Key-Area R&D Program in Network and Information Security (2019B010137001); National Key R&D Program of China (2017YFB0803204, 2017YFB0803200); Shenzhen Basic Research Projects (GXWD20201231165807007-20200807164903001, JCYJ20190808155607340).
Keywords: Security analysis; Hierarchical alarm filtering; Multi-source alerts; Security situation assessment; Fuzzy analytic hierarchy process