基于上下文特征的IDS告警日志攻击场景重建方法

doi:10.3969/j.issn.1671-1122.2020.07.001

信息网络安全 ›› 2020, Vol. 20 ›› Issue (7): 1-10.doi: 10.3969/j.issn.1671-1122.2020.07.001

基于上下文特征的IDS告警日志攻击场景重建方法

姜楠¹^,²^,³(), 崔耀辉¹, 王健⁴^,⁵, 吴晋超¹

1.北京工业大学信息学部,北京 100124
2.可信计算北京市重点实验室,北京 100124
3. 信息安全等级保护关键技术国家工程实验室,北京 100124
4.智能交通数据安全与隐私保护技术北京市重点实验室,北京 100044
5.北京交通大学计算机与信息技术学院,北京 100044

收稿日期:2020-05-15 出版日期:2020-07-10 发布日期:2020-08-13
通讯作者: 姜楠 E-mail:jiangnan@bjut.edu.cn
作者简介:姜楠（1977—）,女,山东,副教授,博士,主要研究方向为信息安全|崔耀辉（1995—）,男,甘肃,硕士研究生,主要研究方向为IDS告警信息处理|王健（1975—）,男,山东,副教授,博士,主要研究方向为网络安全、密码应用|吴晋超（1994—）,男,山西,硕士研究生,主要研究方向为信息安全
基金资助:
国家自然科学基金(61502016);教育部—中国移动科研基金(MCM20170402);教育部—中国移动科研基金(MCM20180503)

Context-based Attack Scenario Reconstruction Model for IDS Alarms

JIANG Nan¹^,²^,³(), CUI Yaohui¹, WANG Jian⁴^,⁵, WU Jinchao¹

1. Faculty of Information Technology, Beijing University of Technology, Beijing 100124, China
2. Beijing Key Laboratory of Trusted Computing, Beijing 100124, China
3. National Engineering Laboratory for Critical Technologies of Information Security Classified Protection, Beijing 100124, China
4. Beijing Key Laboratory of Security and Privacy in Intelligent Transportation, Beijing Jiaotong University, Beijing 100044, China
5. School of Computer and Information Technology, Beijing Jiaotong University, Beijing 100044, China

Received:2020-05-15 Online:2020-07-10 Published:2020-08-13
Contact: Nan JIANG E-mail:jiangnan@bjut.edu.cn

摘要/Abstract

摘要：

入侵检测系统（IDS）是网络安全防御策略中的关键组成部分,但在现阶段庞大且复杂的网络环境以及网络攻击规模逐年增长的背景下,IDS中存在的告警数量庞大导致的可读性差等问题,使得IDS的易用性极大降低。文章提出一种面向IDS真实告警数据流的攻击场景重建方法,从攻击者的角度将完整的多步攻击行为定义为攻击事件,以动态时间窗辅以告警上下文特征相似度判定的机制分离告警流中并行的事件,并通过提取事件在IP层面表现出的攻击路径的方式,分解事件中攻击者对不同目标的攻击行为,进一步获取攻击者在各条路径上的攻击类型转换序列进行因果知识挖掘,从而直观地展示攻击者的多步攻击场景。实验结果显示,该方法能够完整地捕获告警数据流中的攻击事件,多层次准确直观地展示多步攻击行为,有效提升了IDS的实际应用体验。

关键词: 入侵检测系统, 告警日志分析, 攻击场景重建, 因果知识挖掘

Abstract:

Intrusion detection system(IDS) is a key component of the network security defense strategy. However, under the background of huge and complicated network environment and the increasing scale of network attacks, there are many problems in IDS, such as poor readability caused by large number of alarms, which greatly reduces the usability of IDS. This paper proposes an attack scenario reconstruction method for IDS real alarm data streams. From the perspective of attackers, a complete multi-step attack behavior is defined as an attack event, which creatively separates the parallel events in the alarm stream with the mechanism of dynamic time window supplemented by similarity judgment of alarm context features, and decomposes the attack in the event by extracting the attack path displayed in the IP layer, and further obtain the attack type conversion sequence of the attacker on each path for causality knowledge mining thus intuitively displays the attacker’s multi-step attack scenario. The experimental results show that it can completely capture the attack events in the alarm data stream, and display the multi-step attack behavior accurately and intuitively, which effectively improves the actual application experience of IDS.

Key words: intrusion detection system, alert analysis, attack scenario reconstruction, causal knowledge mining

中图分类号:

TP309

姜楠, 崔耀辉, 王健, 吴晋超. 基于上下文特征的IDS告警日志攻击场景重建方法[J]. 信息网络安全, 2020, 20(7): 1-10.

JIANG Nan, CUI Yaohui, WANG Jian, WU Jinchao. Context-based Attack Scenario Reconstruction Model for IDS Alarms[J]. Netinfo Security, 2020, 20(7): 1-10.

图/表 4

参考文献 18

[1]	LIAO H J, LIN C H R, LIN Y C, et al. Intrusion Detection System: A Comprehensive Review[J]. Journal of Network & Computer Applications, 2013:36(1):16-24.
[2]	KIM J, SHIN N, JO S Y, et al. Method of Intrusion Detection Using Deep Neural Network[C]// IEEE. 2017 IEEE International Conference on Big Data and Smart Computing(BigComp), February 13-16, 2017, Jeju, South Korea. New Jersey: IEEE, 2017:313-316.
[3]	BENDOVSCHI A . Cyber-Attacks—Trends, Patterns and Security Countermeasures[EB/OL]. https://www.sciencedirect.com/science/article/pii/S2212567115010771, 2020-2-15.
[4]	TJHAI G C, PAPADAKI M, FURNELL S, et al. Investigating the Problem of IDS False Alarms: An Experimental Study Using Snort[C]// Springer. The IFIP TC 11 23rd International Information Security Conference, September 7-10, 2008, Milano, Italy. Heidelberg: Springer, 2008: 253-367.
[5]	NEHINBE J O. A Review of Technical Issues on IDS and Alerts[J]. Global Journal Of Computer Science And Technology, 2018,17(5):51-58.
[6]	PERDISCI R, GIACINTO G, ROLI F. Alarm Clustering for Intrusion Detection Systems in Computer Networks[J]. Machine Learning and Data Mining in Pattern Recognition, 2005,19(4):184-193.
[7]	KOTPALLIWAR M V, WAJGI R D. Classification of Attacks Using Support Vector Machine(SVM) on KDDCUP'99 IDS Database[C]// IEEE. 15th International Conference on Communication Systems and Network Technologies, April 4-6, 2015, Gwalior, India. New Jersey: IEEE, 2015: 987-990.
[8]	TEMPLETON S J, LEVITT K. A Requires/Provides Model for Computer Attacks[C]// ACM. The 2000 Workshop on New Security Paradigms, February 23-25, 2000, Ballycotton, County Cork, Ireland. New York: ACM, 2000: 31-38.
[9]	NING P, CUI Y, REEVES D S. Constructing Attack Scenarios through Correlation of Intrusion Alerts[EB/OL]. http://citeseer.ist.psu.edu/viewdoc/download;jsessionid=0C0DC8318D96FD659364FFFE6FFF5587?doi=10.1.1.57.8612&rep=rep1&type=pdf, 2020-2-11.
[10]	LIU Jianyi, LI Sida, ZHANG Ru. Algorithm of Reducing the False Positives in IDS Based on Correlation Analysis[EB/OL]. http://iopscience.iop.org/article/10.1088/1757-899X/322/6/062016/pdf, 2020-2-11.
[11]	ZALI Z, HASHEMI M R, SAIDI H. Real-Time Intrusion Detection Alert Correlation and Attack Scenario Extraction Based on the Prerequisite Consequence Approach[EB/OL]. https://www.researchgate.net/publication/276355385_REAL-TIME_INTRUSION_DETECTION_ALERT_CORRELATION_AND_ATTACK_SCENARIO_EXTRACTION_BASED_ON_THE_PREREQUISITE-CONSEQUENCE_APPROACH, 2020-2-11.
[12]	ALSERHANI F, AKHLAQ M, AWAN I U, et al. MARS: Multi-stage Attack Recognition System[C]// IEEE. 24th IEEE International Conference on Advanced Information Networking and Applications, April 20-13, 2010, Perth, Australia. New Jersey: IEEE, 2010: 753-759.
[13]	AZODI A, CHENG F, MEINEL C. Towards Better Attack Path Visualizations Based on Deep Normalization of Host/Network IDS Alerts[C]// IEEE. International Conference on Advanced Information Networking & Applications, March 23-25, 2016, Crans-Montana, Switzerland. New Jersey: IEEE, 2016: 1064-1071.
[14]	AZODI A, JAEGER D, CHENG F, et al. A New Approach to Building A Multi-tier Direct Access Knowledgebase for IDS/SIEM Systems[C]// IEEE. 11th International Conference on Dependable, Autonomic and Secure Computing, December 21-22, 2013, Chengdu, China. New Jersey: IEEE, 2013: 118-123.
[15]	WU Dong. Research on Key Technologies of Alert Correlation Based on Data Mining[D]. Guiyang: Guizhou University, 2019.
	吴东. 基于数据挖掘的告警关联关键技术研究[D]. 贵阳:贵州大学, 2019.
[16]	LIU Bowen. Research on IDS Alert Log Scenario Mining Model Based on Neural Network and Bayesian Network Attack Graph[D]. Beijing: Beijing University of Posts and Telecommunications, 2019.
	刘博文. 基于神经网络和贝叶斯网络攻击图的IDS告警日志场景挖掘模型研究[D]. 北京:北京邮电大学, 2019.
[17]	HAAS S, FISCHER M. GAC: Graph-based Alert Correlation for the Detection of Distributed Multi-step Attacks[C]// ACM. The 33rd Annual ACM Symposium on Applied Computing, April 21-23, 2018, New York, USA. New Jersey: ACM, 2018: 979-988.
[18]	SHAH S A R, ISSAC B. Performance Comparison of Intrusion Detection Systems and Application of Machine Learning to Snort System[EB/OL]. https://www.sciencedirect.com/science/article/abs/pii/S0167739X17323178, 2020-2-11.

基于上下文特征的IDS告警日志攻击场景重建方法

Context-based Attack Scenario Reconstruction Model for IDS Alarms

RichHTML

PDF (PC)

可视化

摘要/Abstract

引用本文

使用本文

图/表 4

参考文献 18

相关文章 15

编辑推荐

Metrics

本文评价

[1]	程冬梅, 严彪, 文辉, 孙利民. 基于规则匹配的分布式工控入侵检测系统设计与实现[J]. 信息网络安全, 2017, 17(7): 45-51.
[2]	史婷婷, 赵有健. 网络入侵逃逸及其防御和检测技术综述[J]. 信息网络安全, 2016, 16(1): 70-74.
[3]	周益周, 王斌, 谢小权. 云环境下软件定义入侵检测系统设计[J]. 信息网络安全, 2015, 15(9): 191-195.
[4]	程骏路, 杨阳, 秦鹏宇, 程久军. 基于云查杀技术的轻量级局域网信息保护机制研究[J]. 信息网络安全, 2015, 15(1): 56-60.
[5]	. 基于机器学习和NetFPGA的智能高速入侵防御系统[J]. , 2014, 14(2): 12-.
[6]	李艺颖;邓皓文;王思齐;龙军. 基于机器学习和NetFPGA的智能高速入侵防御系统[J]. , 2014, 14(2): 0-0.
[7]	宋健豪;赵刚;宋君易. 基于离线检测的SVMNIDS模式研究[J]. , 2012, 12(9): 0-0.
[8]	曹子建;赵宇峰;容晓峰. 网络入侵检测与防火墙联动平台设计[J]. , 2012, 12(9): 0-0.
[9]	姚小兵. 入侵检测系统在电子商务中的应用研究[J]. , 2011, 11(4): 0-0.
[10]	薛琴. BP神经网络在入侵检测系统中的应用研究[J]. , 2011, 11(11): 0-0.
[11]	姚小兵;高媛. 无线局域网入侵检测系统的架构与应用[J]. , 2010, (9): 0-0.
[12]	杨芳. 网络数据安全保护之入侵检测技术[J]. , 2009, 9(6): 0-0.
[13]	蒋巍;蒋天发. 基于分布式数据安全入侵检测系统中误用检测算法研究[J]. , 2009, 9(6): 0-0.
[14]	苏成. 基于数据挖掘的入侵检测技术综述[J]. , 2008, 8(3): 0-0.
[15]	舒泽萍;张鹰. 基于分布式联动技术的网络安全分析[J]. , 2007, 7(7): 0-0.