Similar Literature
1.
Network attacks are growing more complex, and intrusion detection systems produce large volumes of alert logs with high false-positive rates and low usability. To address this, the paper proposes correlating IDS alerts with clustering analysis, association-rule mining and a colored-Petri-net-based joint mining method for multi-step attacks, reconstructing attack scenarios from both macro-level and micro-level attack trajectories and thereby improving the usability of intrusion detection systems.

2.
With the rapid rise in power system automation, power industrial control systems have become a major target of network attacks. This paper applies causal correlation to attack scenario reconstruction for power industrial control systems and proposes a complete scenario reconstruction framework. In the attack forensics stage, the framework collects multi-source raw alert information from intrusion detection and monitoring devices, then uses the Intrusion Detection Message Exchange Format (IDMEF) to standardize the multi-source alerts and remove redundancy, yielding valid attack evidence. In the scenario reconstruction stage, it introduces an alert dissimilarity computation method and combines it with causal correlation to infer and reconstruct the attack path. A case study of attack reconstruction in a distribution network validates the feasibility of the proposed framework.

3.
樊宁, 史国水, 沈军, 金华敏. 《电信科学》 (Telecommunications Science), 2013, 29(10): 168-172
A correlation analysis engine links isolated security events into a single security event chain and picks out the truly threatening alerts from a mass of false positives and low-severity alerts; it is the key technical module that lets a security operations center analyze the security posture and respond in time. This paper proposes a correlation analysis engine technique that combines the strengths of two correlation mechanisms, the state machine and the inference engine: a correlation analysis engine based on sequential state derivation. By automatically controlling the matching of attack scenario rules through sequences, it achieves efficient and accurate correlation analysis of massive volumes of security events and better addresses the problems of traditional correlation engines in carrier-grade network deployments.

4.
To address the analysis of massive, multi-source, heterogeneous security logs, this paper proposes a correlation analysis method based on fuzzy scenarios. The method breaks with the fixed attack scenarios commonly constructed in traditional security alert log correlation. It uses a clustering algorithm to aggregate multi-source heterogeneous alert logs, takes into account the data source, count and severity level of the alert events, accumulates a weight for each part, and computes a suspicion score for the events associated with each source IP. The paper describes the architecture and technical implementation of the fuzzy-scenario correlation method, illustrates it with an example, and validates the proposed method. The results show that the method and its application are feasible and effective.

5.
Given the large-scale, coordinated and multi-stage nature of network attacks, a network security situation assessment method based on an attack graph model is proposed. First, multi-source alert data is fused with the spatio-temporal features of attack events to build network attack behavior features; second, alerts are mapped to attack nodes and the paths of multi-step attacks are correlated; third, on top of the constructed attack graph, a transition probability table for attack nodes is built from transition sequences, and the transition probabilities are introduced into the attack graph to infer the attacker's intent; finally, for the most probable attack path, a security situation assessment is performed on the high-probability attack nodes, quantifying the security situation of potential attack nodes after an attack and giving network security managers a theoretical and scientific basis for putting protection in place in advance.

6.
《现代电子技术》 (Modern Electronics Technique), 2017, (19): 62-66
Data integrity is a basic quality attribute of network alarm information and the foundation of further network alarm fault analysis. In practice, however, the network management system may receive network element alarms with missing information, which affects the accuracy of network fault localization. This paper uses a decision tree algorithm, the window association rule mining (WARM) algorithm and a similarity algorithm, respectively, to fill in the missing attributes of network alarm information, and studies how these algorithms improve joint fault localization in a scenario where the State Grid's information network and communication network coexist. Experimental results show that in this scenario the decision tree algorithm achieves the highest joint fault localization accuracy.

7.
A new intrusion detection data fusion model: IDSFP   Cited by: 6 (self-citations: 0, citations by others: 6)
Based on multi-sensor data fusion technology, a new intrusion detection fusion model, IDSFP, is proposed. It correlates and aggregates the alerts of multiple IDSs (intrusion detection systems) to produce a metric for judging the security situation, which serves as evidence. IDSFP applies Dempster-Shafer (D-S) evidence theory to form the information used to assess the current security situation and dynamically feeds back to and adjusts each IDS in the network, strengthening the detection of data related to the attacker's intent, thereby improving IDS detection efficiency and reducing the system's false-positive and false-negative rates.

8.
To address the problem that existing static vulnerability threat assessment techniques cannot effectively quantify the damage of network attacks, a multi-step attack intent recognition method based on alert correlation is proposed. The method mines and reconstructs the attacker's multi-step attack sequence from the correlation characteristics of alert data and, around the attack process, evaluates infrastructure importance and vulnerability threat to probe the attacker's intent, thereby reconstructing the attack scenario and characterizing the attack behavior. Experiments comparing it with traditional algorithms on the DARPA 2000 dataset verify the algorithm's ability to recognize specific network attack scenarios, with both the absolute percentage error and the absolute mean squared error lower than those of the traditional algorithms. It follows that correlating attack steps by combining vulnerability threat and infrastructure importance, as described in this paper, effectively addresses the problem of spurious attacks in the attack process and improves the accuracy of multi-step network attack intent recognition.

9.
Existing alarm correlation analysis methods do not objectively and comprehensively consider the importance of each alarm and cannot reflect the individual differences between alarms. This paper proposes a weighted association rule alarm mining algorithm based on a wavelet neural network. Three main alarm attributes, alarm level, alarm type and alarm device type, are combined as the inputs of the wavelet neural network; the connection weights are determined by learning from historical sample data so that the importance of each alarm attribute is evaluated reasonably, and the resulting weight vector is then used to mine weighted alarm association rules. The results show that the proposed algorithm takes multiple alarm attributes and historical experience into account when determining weights, so the weights obtained reflect alarm importance more reasonably and the association rules obtained reflect the correlations between alarms more accurately.

10.
Evidence of a distributed multi-step intrusion may be scattered across different nodes, and many alerts are only one step of a multi-step attack, so an IDS needs to collect and correlate information from different sources. This paper proposes a fully decentralized approach that models a distributed multi-step intrusion scenario as a sequence of detection subtasks distributed over multiple nodes of the protected network system. For this model, the paper proposes an XML-based description language for distributed multi-step intrusion scenarios.

11.
Research on alert causal correlation that accounts for confidence   Cited by: 2 (self-citations: 2, citations by others: 0)
A successful network attack usually consists of several intrusion actions at different stages, where the earlier intrusions prepare the ground for the next stage of the attack. In the causal correlation method, the prerequisites an intrusion action requires and the consequences it produces can be used to reconstruct the attacker's attack scenario. This paper introduces a confidence attribute for alert correlation, used to analyze the credibility of causal correlation results and thereby further eliminate spurious correlations. Analysis on the DARPA standard dataset shows that the method achieves good experimental results.

12.
Cyber security has been thrust into the limelight in the modern technological era because of an array of attacks often bypassing untrained intrusion detection systems (IDSs). Therefore, greater attention has been directed at deciphering better methods for identifying attack types to train IDSs more effectively. Key cyber-attack insights exist in big data; however, an efficient approach is required to determine strong attack types to train IDSs to become more effective in key areas. Despite the rising growth in IDS research, there is a lack of studies involving big data visualization, which is key. The KDD99 data set has served as a strong benchmark since 1999; therefore, we utilized this data set in our experiment. In this study, we utilized a hash algorithm, a weight table, and a sampling method to deal with the inherent problems caused by analyzing big data: volume, variety, and velocity. By utilizing a visualization algorithm, we were able to gain insights into the KDD99 data set with a clear identification of "normal" clusters and described distinct clusters of effective attacks.

13.
Intrusion detection systems (IDSs) are designed to monitor a networked environment and generate alerts whenever abnormal activities are detected. The number of these alerts can be very large, making their evaluation by security analysts a difficult task. Management is complicated by the need to configure the different components of alert evaluation systems. In addition, IDS alert management techniques, such as clustering and correlation, suffer from involving unrelated alerts in their processes and consequently provide results that are inaccurate and difficult to manage. Thus the tuning of an IDS alert management system in order to provide optimal results remains a major challenge, which is further complicated by the large spectrum of potential attacks the system can be subject to. This paper considers the specification and configuration issues of FuzMet, a novel IDS alert management system which employs several metrics and a fuzzy-logic based approach for scoring and prioritizing alerts. In addition, it features an alert rescoring technique that leads to a further reduction in the number of alerts. Comparative results between SNORT scores and FuzMet alert prioritization on a real attack dataset are presented, along with a simulation-based investigation of the optimal configuration of FuzMet. The results prove the enhanced intrusion detection accuracy brought by our system. Copyright © 2011 John Wiley & Sons, Ltd.

14.
Intrusion detection systems (IDSs) often trigger a huge number of unnecessary alerts. Managing the overwhelming number of alerts, especially from multiple IDS products, is a concern to every security analyst. Analyzing and evaluating these alerts is a difficult task that frustrates the efforts of analysts. In fact, true alerts are usually buried under heaps of false alerts. We have identified several research gaps in the existing alert management approaches that need to be addressed, especially when handling alerts from different IDS products. In this work, we present an efficient alert management approach that reduces the unnecessary alerts produced by different IDS products using two main modules: an enhanced alert verification module that validates alerts with vulnerability assessment data, and an enhanced alert aggregator module that reduces redundant alerts and presents them in the form of meta alerts. Finally, we have carried out experiments in our test bed and recorded impressive results in terms of high accuracy and low false positive rate for multiple IDS products. Copyright © 2014 John Wiley & Sons, Ltd.

15.
Intrusion detection systems (IDSs) are a fundamental component of defense solutions. In particular, IDSs aim to detect malicious activities on computer systems and networks by relying on data classification models built from a training dataset. However, classifiers' performance can vary for each attack pattern. A common technique to overcome this issue is to use ensemble methods, where multiple classifiers are employed and a final decision is taken by combining their outputs. Despite the potential advantages of such an approach, its usefulness is limited in scenarios where (i) multiple expert classifiers present divergent results, (ii) all classifiers present poor results due to a lack of representative features, or (iii) detectors have insufficient labeled signatures to train their classifiers for a specific attack pattern. In this work, we introduce the concept of a counselors network to deal with conflicts between different classifiers by exploiting the collaboration among IDSs that analyze multiple and heterogeneous data sources. Empirical results demonstrate the feasibility of the proposed architecture in improving the accuracy of the intrusion detection process.

16.
Intrusion is any unwanted activity that can disrupt the normal functions of wired or wireless networks. Wireless mesh networking technology has been pivotal in providing an affordable means to deploy a network and allow omnipresent access to users on the Internet. A multitude of emerging public services rely on the widespread, high-speed, and inexpensive connectivity provided by such networks. The absence of a centralized network infrastructure and the open shared medium make WMNs particularly susceptible to malevolent attacks, especially in multihop networks. Hence, it is becoming increasingly important to ensure privacy, security, and resilience when designing such networks. An effective method to detect possible internal and external attack vectors is to use an intrusion detection system. Although many Intrusion Detection Systems (IDSs) have been proposed for Wireless Mesh Networks (WMNs), they can only detect intrusions in a particular layer. Because WMNs are vulnerable to multilayer security attacks, a cross-layer IDS is required to detect and respond to such attacks. In this study, we analyzed cross-layer IDS options in WMN environments. The main objective was to understand how such schemes detect security attacks at several OSI layers. The suggested IDS is verified in many scenarios, and the experimental results show its efficiency.

17.
Wireless sensor networks have been widely used in general and military scenarios, and this leads to a need for more security. Wireless sensor networks are easily vulnerable to attack and compromise. The wormhole attack is a harmful attack against routing protocols which can drop data randomly or disturb the routing path. In this paper, we propose a novel method to detect the wormhole attack based on statistical analysis. In the proposed method, a sensor can detect the fake neighbors caused by a wormhole through the neighbor discovery process, and then a k-means clustering based method is used to detect the wormhole attack according to the neighbor information. That is, by using this proposed method, we can detect the wormhole using only the neighbor information, without any special requirement. We did some experiments to evaluate the performance of this method, and the experimental results show that our method can achieve satisfactory results.

18.
With the development of network technology and the growth of network scale, the sophistication of illegal intrusions against networks and computer systems keeps rising, and the automation and stealth of intrusion techniques grow ever greater. Detecting and defending against intrusion attacks and safeguarding computer systems, network systems and the entire information infrastructure has become an urgent and important topic. Simply introducing certain devices can no longer meet today's network security needs. Taking network intrusion detection systems as an example, this paper discusses several common IDS evasion techniques and how to see through them, formulate more fine-grained security policies, and build a more robust defense system.

19.
A SAT-based lazy formal analysis method for security protocols   Cited by: 1 (self-citations: 0, citations by others: 1)
A formal analysis method for security protocols based on the Boolean satisfiability problem, SAT-LMC, is proposed. By introducing the idea of lazy analysis to optimize the initial state and the transition rules, it improves the efficiency of security checking. In addition, by defining a partial order on message types, SAT-LMC can detect a richer set of type-flaw attacks. A security protocol analysis tool was implemented on the basis of this method; it detected a type-flaw attack on the Otway-Rees protocol, and for the OAuth 2.0 protocol, the results show that in some real-world application scenarios a man-in-the-middle attack exploiting authorization code interception exists.

20.
An intrusion detection architecture based on data mining   Cited by: 3 (self-citations: 0, citations by others: 3)
Intrusion detection technology is a security technology that actively protects networks from hacker attacks; it is the new generation of network security assurance technology that follows traditional protective measures such as firewalls and data encryption. Current intrusion detection systems lack scalability in the face of network changes or upgrades and lack adaptability to new attack patterns. An intrusion detection model based on data mining is proposed; the model has a degree of self-learning and self-improvement and can detect known or unknown intrusions.
