| 基于多源告警的攻击事件分析 |
| |
| 引用本文: | 王淳颖,张驯,赵金雄,袁晖,李方军,赵博,朱小琴,杨凡,吕世超.基于多源告警的攻击事件分析[J].计算机应用,2020,40(1):123-128. |
| |
| 作者姓名: | 王淳颖 张驯 赵金雄 袁晖 李方军 赵博 朱小琴 杨凡 吕世超 |
| |
| 作者单位: | 1. 北京大学 软件与微电子学院, 北京 102600;2. 中国科学院信息工程研究所 物联网信息安全技术北京市重点实验室, 北京 100093;3. 国网甘肃省电力公司电力科学研究院, 兰州 730070;4. 国网甘肃省电力公司, 兰州 730030 |
| |
| 基金项目: | 国家自然科学基金重点项目(U1766215);国家电网公司总部科技项目(522722180007)。 |
| |
| 摘 要: | 为解决多源告警中的复杂攻击难以被发现的问题,提出一种攻击序列模式挖掘算法。利用正则表达式匹配告警,将多源告警规范化为统一格式。对冗余告警信息进行压缩,利用强关联规则训练得到的规则集聚合同一阶段的告警,有效去除冗余告警,精简告警数量。利用滑动窗口对聚合后的告警进行划分得到候选攻击事件数据集,通过改进的PrefixSpan算法挖掘得到多阶段攻击事件的攻击序列模式。实验结果表明,该算法在不依赖专家知识的前提下,能够准确并高效地分析告警相关性,还原攻击事件中的攻击步骤。相比传统PrefixSpan算法,提出的改进算法的攻击模式挖掘效率提升了48.05%。
|
| 关 键 词: | 多源告警 告警聚类 关联规则 序列模式挖掘 多阶段攻击事件 |
| 收稿时间: | 2019-07-15 |
| 修稿时间: | 2019-09-04 |
Analysis of attack events based on multi-source alerts |
| |
| WANG Chunying,ZHANG Xun,ZHAO Jinxiong,YUAN Hui,LI Fangjun,ZHAO Bo,ZHU Xiaoqin,YANG Fan,LYU Shichao.Analysis of attack events based on multi-source alerts[J].journal of Computer Applications,2020,40(1):123-128. |
| |
| Authors: | WANG Chunying ZHANG Xun ZHAO Jinxiong YUAN Hui LI Fangjun ZHAO Bo ZHU Xiaoqin YANG Fan LYU Shichao |
| |
| Affiliation: | 1. School of Software and Microelectronics, Peking University, Beijing 102600, China;2. Beijing Key Laboratory of IOT Information Security Technology, Institute of Information Engineering, Chinese Academy of Sciences, Beijing 100093, China;3. Grid Technology Center, State Grid Gansu Electric Power Research Institute, Lanzhou Gansu 730070, China;4. State Grid Gansu Electric Power Company, Lanzhou Gansu 730030, China |
| |
| Abstract: | In order to overcome the difficulty in discovering multi-stage attack from multi-source alerts, an algorithm was proposed to mine the attack sequence pattern. The multi-source alerts were normalized into a unified format by matching them with regular expressions. The redundant information of alerts was compressed, and the alerts of the same stage were clustered according to the association rule set trained by strong association rules, efficiently removing the redundant alerts, so that the number of alerts was reduced. Then, the clustered alerts were divided to obtain candidate attack event dataset by sliding-window, and the attack pattern mining algorithm PrefixSpan was used to find out the attack sequence patterns of multi-stage attack events. The experimental results show that the proposed algorithm can lead to an accurate and efficient analysis of alert correlation and extract the attack steps of attack events without expert knowledge. Compared with the traditional algorithm PrefixSpan, the algorithm has an increase in attack pattern mining efficiency of 48.05%. |
| |
| Keywords: | multi-source alert alert cluster association rule sequence pattern mining multi-stage attack event |
| 本文献已被 维普 万方数据 等数据库收录! |
| 点击此处可从《计算机应用》浏览原始摘要信息 |
|
点击此处可从《计算机应用》下载全文 |
|
