信息网络安全 (Netinfo Security) ›› 2020, Vol. 20 ›› Issue (7): 1-10. doi: 10.3969/j.issn.1671-1122.2020.07.001


Attack Scenario Reconstruction Method for IDS Alert Logs Based on Context Features

JIANG Nan1,2,3, CUI Yaohui1, WANG Jian4,5, WU Jinchao1

  1. Faculty of Information Technology, Beijing University of Technology, Beijing 100124
    2. Beijing Key Laboratory of Trusted Computing, Beijing 100124
    3. National Engineering Laboratory for Critical Technologies of Information Security Classified Protection, Beijing 100124
    4. Beijing Key Laboratory of Security and Privacy in Intelligent Transportation, Beijing 100044
    5. School of Computer and Information Technology, Beijing Jiaotong University, Beijing 100044
  • Received: 2020-05-15  Online: 2020-07-10  Published: 2020-08-13
  • Corresponding author: JIANG Nan, E-mail: jiangnan@bjut.edu.cn
  • Author biographies: JIANG Nan (b. 1977), female, Shandong, associate professor, Ph.D.; main research interest: information security | CUI Yaohui (b. 1995), male, Gansu, master's student; main research interest: IDS alert information processing | WANG Jian (b. 1975), male, Shandong, associate professor, Ph.D.; main research interests: network security, cryptographic applications | WU Jinchao (b. 1994), male, Shanxi, master's student; main research interest: information security
  • Funding:
    National Natural Science Foundation of China (61502016); Ministry of Education-China Mobile Research Fund (MCM20170402); Ministry of Education-China Mobile Research Fund (MCM20180503)

Context-based Attack Scenario Reconstruction Model for IDS Alarms

JIANG Nan1,2,3, CUI Yaohui1, WANG Jian4,5, WU Jinchao1

  1. Faculty of Information Technology, Beijing University of Technology, Beijing 100124, China
    2. Beijing Key Laboratory of Trusted Computing, Beijing 100124, China
    3. National Engineering Laboratory for Critical Technologies of Information Security Classified Protection, Beijing 100124, China
    4. Beijing Key Laboratory of Security and Privacy in Intelligent Transportation, Beijing Jiaotong University, Beijing 100044, China
    5. School of Computer and Information Technology, Beijing Jiaotong University, Beijing 100044, China
  • Received: 2020-05-15  Online: 2020-07-10  Published: 2020-08-13
  • Contact: JIANG Nan, E-mail: jiangnan@bjut.edu.cn

Abstract (translated from the Chinese):

Intrusion detection systems (IDS) are a key component of network security defense strategies, but against the background of today's large and complex network environments and the year-on-year growth in the scale of network attacks, problems such as the poor readability caused by the huge number of alerts an IDS produces greatly reduce its usability. This paper proposes an attack scenario reconstruction method for real IDS alert data streams. From the attacker's perspective, a complete multi-step attack behavior is defined as an attack event; parallel events in the alert stream are separated by a dynamic time window supplemented by a similarity judgment on alert context features; the attacker's behavior against different targets within an event is decomposed by extracting the attack paths the event exhibits at the IP level; and the attacker's attack-type transition sequence along each path is then obtained for causal knowledge mining, so that the attacker's multi-step attack scenario is displayed intuitively. Experimental results show that the method completely captures the attack events in the alert data stream, displays multi-step attack behavior accurately and intuitively at multiple levels, and effectively improves the practical user experience of IDS.

Keywords: intrusion detection system, alert log analysis, attack scenario reconstruction, causal knowledge mining

Abstract:

An intrusion detection system (IDS) is a key component of a network security defense strategy. However, against the background of huge and complicated network environments and the increasing scale of network attacks, an IDS suffers from many problems, such as the poor readability caused by its large number of alarms, which greatly reduces its usability. This paper proposes an attack scenario reconstruction method for real IDS alarm data streams. From the perspective of the attacker, a complete multi-step attack behavior is defined as an attack event. Parallel events in the alarm stream are separated with a mechanism of dynamic time windows supplemented by similarity judgment on alarm context features; the attacks within an event are decomposed by extracting the attack paths displayed at the IP layer; and the attacker's attack type transition sequence on each path is further obtained for causality knowledge mining, thus intuitively displaying the attacker's multi-step attack scenario. The experimental results show that the method can completely capture the attack events in the alarm data stream and display the multi-step attack behavior accurately and intuitively, which effectively improves the actual application experience of IDS.

Key words: intrusion detection system, alert analysis, attack scenario reconstruction, causal knowledge mining

CLC number: