网络安全事件关联分析方法的研究与实现

华中科技大学硕士学位论文网络安全事件关联分析方法的研究与实现姓名：李亚琴申请学位级别：硕士专业：计算机系统结构指导教师：孙传林20060508IIInternetSATA(SecurityAlerts&ThreatAnalysis)SATAAlertRankAgentServerAlertRankIIIAbstractWithspeeddevelopmentofInternettechnologies,networksecurityhasbecomemoreandmoresensitiveandimportant,thecomplicatedsecretdistributedattackmethodsandtechnologieshavemadetheintrusionintentionrecognitionmoredifficult.Theoccurrenceofvastredundantinessentialalertsgavesystemadministratorenormouspressureandmisconceptionevenneglect.Lackingassociateandforewarningtechnologiesresultinfalsenegativeorfalsepositive.It’sdifficulttoexactlyrecognizeintrusionintentionandgivecorrespondingcounterattack,andthesituationbringsthesystemagreatloss.ThegoalsofSATA(SecurityAlerts&ThreatAnalysis)systemisreducingintrusionfalsepositiveandexactlyintrusionintentionrecognition.Thesystemcollectsandformatstheoriginalalerts,andthentransmitsthemtotheserverprocessforcorrelation.Itwasdesignedandrealizedbythethereasearchofvariouscorrelationtechnology.Themaincontentincludes:presentingahiberarchyofalertcorrelationsystem,therealizationofthefourfunctionmodule,thedesignandexperimentanalysisofprobabilisticcorrelationalgorithmAlertRankbasedonBayesiannetworkwhichcalledeventsseverityranking,andtherealizationofcorrelationalgorithmbasedonrulebase.ThemaincontributionoftheAgentfunctionmoduleisthepretreatmentoftheoriginalalerts.Themoduleextractstheneededattributesofthealertsandgivesthesameattributethesamename.Theconsolidationofformatprovidesguaranteeforstoringandcorrelatingthealertsofservermodule.TheAlertRankalgorithmisaspecialcross-correlationmethod.Itcorrelatesthealertandtheleaks,networktopology,systemassets,securitypolicyintruenetworkenvironmentviaprobabilisticcorrelationalgorithmbasedonBayesiannetwork.Performancetestingprovesthatthealgorithmcanreducealertsandfalsealertratesgreat,andexactlygotointrusionintention.KeywordsAlertCorrelationEventsrankingBayesianNetworkI2006428_____20064282006428111.1Internet20Internet1/470%75IDSVPN122IDSIDS34AlertAlarmSATAsecurityalerts&threatanalysis1.23SRIAndersson[1]ValdesSkinner[2-3]EMERALD,Staniford[4]SpiceJulisch[5-7]CuppensDGAFrenchDefenseAgencyMIRADORalertclusteringDebarWespi[8]IDSfalsepositive[9]MorinM2D2[10-11]Templeton[12-15]JIGSAWPengNing[16-23]Cheung[24]CAMLCuppensMIRADOR[25]4IBMHellerstein[26]IBMTivoliC.Araujo[27]DainCunningham[28]impactanalysisorseveritymeasurementSRIPorras[29]EMERALDmission-impact[30][31-36]ArcSightSecViewArcSightArcSightArcSightSmartAgentforEnterceptArcSightConsoleEnterceptIT51.312SATASecurityAlerts&ThreatAnalysisSATASecurityAlerts&ThreatAnalysisSATAAgentControl_FrameworkUserInterfaceServer33AlertRank4SATASATA61alarmalert2IDS31.412Cross-correlation3SATA4474AlertRankAlertRank5SATAAlertRank6822.1[37]2.1.11()011IPIPIPFIPV4IP1r=32IPr=0IP0r32IPrRij=r/32i,jIP2IP;SYNFLOOD3911O0;2.1.2:ijPijd(ij):pijfpw(f)fδf01d(f)ijfijfδf=0ijffδf=0;δf=1fijfw(f)01D)2.1.3:1:S={alert1,alert2,?,alerti,?,alertn},alertiPXi1,Xi2...XipalertiP2D103alertjSalerti4di,jdi,jDclusteri,cluster_alertclusteri,alertj;i,di,jDalertjSalertk3,D2.24IPSweepPortscanrootshell[37]:1.2.,3.112.2.1A:1.:Attr_alert(A);2.:Pre(A);3.:Post(A)/IDSknows:Upknows(U,p)Upknows:Upknows(U,p)-pUpp(,)(not):Pre(A)=Exprl,Expr2,…,ExprmPost(A)=Exprl,Expr2,…Exprmm,n1Expri:(1)P;(2)not(p);(3)knows(u,p);(4)knows(u,not(p));(P)winnuke?xmlversion=1.0encoding=UTF-8?attackattackname=winnukepreuse_os(Target_address,windows)state(Target_address,available),12dns_server(Target_address)/prepostdeny_of_service(Target_address)/postattr_alertalert(Alert)source(Alert,Source)source_node(Source,Source_node),address(Source_node,Source_address),target(Alert,Target)target_node(Target,Target_node)address(Target_node,Target_address),classification(Alert,winnuke)/attr_alert/attack2.2.2:[1]:ABPost(A)=exprAl,exprA2,…,exprAm;Pre(B)=exprBl,exprB2,...,exprBni[1,m],j[1,n]exprAihyp-exprBjABattack_correlation(A,B)hypexprAk(k[1,m]ki)ABBAattack_correlation(A,B)attack_correlation(B,A):[2]:F1F2F1F2FlF2[3]mgu(mostgeneralunifier):F:F=F1,F2,...,FnψFFϕ13Ωϕ=ψΩ(“)ψFmgu):[1]AB:1ABAB:Post(A)=exprAl,exprA2,?exprAmPre(B)=exprBl,exprB2,?exprBn2mguqi[1m]j[1,n]exprAi//q=exprBj//qAB;3qmguq’i[1m]j[1,n]exprAi//q=knows(User,exprBj)//qAB2.2.1[1]:[2]:ABR:R=R1,...,RqABR1,...,Rq:(1)A[1]mguq0R1(2)j[1,q-1]Rj[1]mguqjRj+l;(3)Rq[1]mguqqB2.2.3alert_correlation(Alert1,Alert2)Alert1Alert2alert_correlation(Alert1,Alert2)Alert1Alert2:Alert1Alert2:[3](1)Attack1Attack2(2)[1]Attack1Attack2mguq14(3)(5)(4)Attack1Attack2alert(attr_alert)Alert1Alert2:alert_correlation(Alert1,Alert2):attr_alert(Attack1)attr_alert(Attack2)q.(5)[2]Attack1Attack2R1,?Rnmguq0,?qn(6)Attack1Attack2(7)Attack1Attack2Attack1Attack2alert(attr_alert)Alert1Alert2:alert_correlation(Alert1,Alert2):cond_detection(Attack1)cond_detection(Attack2)q0,?qn2.2.4Alert1(Attack1)Alert2(Attack2)Alert1Alert2:[4]end_Detectiontime1AlertlDetectiontime()begin_Detectiontime2Alerrt2Detectiontimeend_Detectiontime1begin_Detectiontime2Alert1Alert2Alert1Alert2:15[5](1)attack_correlation:attack_correlation(Attack1,Attack