Research on Attack Scene Association Rule Mining Method Based on Alarm Attributes Clustering
Authors: CHEN Xingshu (College of Cybersecurity, Sichuan Univ., Chengdu 610065, China; Cybersecurity Research Inst., Sichuan Univ., Chengdu 610065, China); HE Tao (College of Cybersecurity, Sichuan Univ., Chengdu 610065, China); ZENG Xuemei (Cybersecurity Research Inst., Sichuan Univ., Chengdu 610065, China); SHAO Guolin (Cybersecurity Research Inst., Sichuan Univ., Chengdu 610065, China)
Received: 2018-09-24. Year, volume (issue): pages: 2019, 51(3): 144-150
Journal Name: Advanced Engineering Sciences (工程科学与技术)
Key words: attack scenario reconstruction; alert correlation; attribute similarity; false alarms
Funding: National Natural Science Foundation of China (61802270); International R&D and Transformation Platform for Transformative Technologies of the National "Mass Entrepreneurship and Innovation" Demonstration Base (C700011); Sichuan Province Key R&D Project (2018G20100); Sichuan Province Science and Technology Support Program (2016GZ0038); Fundamental Research Funds for the Central Universities (2017SCU11059; 2017SCU11065; SCU2016D009)
Chinese Abstract (translated)
To address the insufficient association rule mining and the broken attack scenario chains found in existing attack scenario reconstruction methods, and the fact that false alarms from security devices degrade the accuracy of attack scenario reconstruction, an attack scenario association rule mining method based on alert attribute clustering is proposed. The method effectively mines attack scenario association rules, reduces attack chain breaks, restores the actual multi-step attack, and better helps security administrators understand the attacker's intrusion behaviour in depth and grasp the full picture of the attack. Taking the raw alerts of security devices in a real network as the data source, the raw alert data is first preprocessed and normalised. Next, an alert time series is constructed, and the FFT and the Pearson correlation coefficient are used to analyse the periodic characteristics of false alarms and generate false alarm filtering rules. Then an alert attribute clustering method based on a dynamic time threshold is proposed: the similarity between alerts is characterised by the similarity of their attributes, the clustering time is updated from the interval between alert occurrences using the dynamic time threshold method, and alerts belonging to the same attack scenario are clustered together. Finally, the Apriori frequent itemset mining algorithm is used to generate attack scenario sequence patterns, and sequence patterns that share repeated attack steps are merged to generate the association rules. Experiments in the real environment of the Sichuan University campus network show that the proposed method effectively alleviates the attack chain break problem and the impact of false alarms, and, compared with the baseline methods, improves the completeness of the generated attack scenario association rules.
English Abstract
To address the problems that existing attack scene reconstruction methods do not fully mine association rules and suffer from breaks in the attack scenario chain, and that false alarms from security devices affect the accuracy of attack scene reconstruction, an attack scenario association rule mining method based on alarm attribute similarity clustering was proposed in this paper. The method can effectively mine attack scene association rules, reduce attack chain breaks, restore the actual multi-step attacks, and help the security administrator understand the attacker's intrusion behaviors in depth and grasp the whole attack. First, the original alarms of security devices in a real network were taken as the data source, and the alarm data was preprocessed and normalized. By constructing an alarm time series, the FFT and the Pearson correlation coefficient were used to analyze the periodic characteristics of false alarms and generate false alarm filtering rules. Then, an alarm attribute clustering method based on a dynamic time threshold was proposed: the similarity between alarms was characterized by the similarity of their attributes, and the clustering time was updated according to the interval between alarms and the dynamic time threshold. Finally, the Apriori frequent item mining algorithm was used to generate the attack scene sequence patterns, and attack sequences with repeated steps were merged to generate the association rules. The experimental results showed that the proposed method can effectively alleviate the impact of attack chain breaks and false alarms. Compared with the baseline methods, the completeness of the generated attack scene association rules was effectively improved.
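The false alarm filtering step described in the abstract (build an alert time series per signature, find its dominant period with a Fourier transform, confirm the periodicity with a Pearson correlation, and emit a filter rule), as an added example that is not code from the paper or its authors. The 10 s bucket width, 20-minute window, 0.9 threshold, the choice of a plain DFT instead of an FFT library, and the use of Pearson correlation between the series and its own period-shifted copy are all assumptions made here, not the paper's exact procedure.

```python
import cmath, math
from collections import defaultdict

BIN_SECONDS, WINDOW_SECONDS = 10, 1200  # 10 s buckets over a 20-minute window (assumed)
PERIODIC_THRESHOLD = 0.9                 # Pearson r at the detected lag that marks a signature periodic

def build_time_series(timestamps, window=WINDOW_SECONDS, bin_width=BIN_SECONDS):
    """Alert count per bucket: the alert time series for one signature."""
    series = [0] * (window // bin_width)
    for t in timestamps:
        if 0 <= t < window:
            series[t // bin_width] += 1
    return series

def dominant_period_bins(series):
    """Lag (in buckets) of the strongest spectral component, from a plain O(N^2) DFT.
    A pulse train has equal-strength harmonics, so the lowest of the near-equal peaks
    (the fundamental) is taken; k >= 2 keeps the lag at or below N/2."""
    n, mean = len(series), sum(series) / len(series)
    x = [v - mean for v in series]  # drop the DC term so k=0 cannot dominate
    mags = {k: abs(sum(x[m] * cmath.exp(-2j * math.pi * k * m / n) for m in range(n)))
            for k in range(2, n // 2 + 1)}
    peak = max(mags.values())
    if peak == 0:
        return None
    return round(n / min(k for k, v in mags.items() if v >= 0.99 * peak))

def pearson(a, b):
    ma, mb = sum(a) / len(a), sum(b) / len(b)
    cov = sum((p - ma) * (q - mb) for p, q in zip(a, b))
    va, vb = sum((p - ma) ** 2 for p in a), sum((q - mb) ** 2 for q in b)
    return 0.0 if va == 0 or vb == 0 else cov / math.sqrt(va * vb)

def false_alarm_filter_rules(alerts):
    """(timestamp_seconds, signature) pairs -> {signature: period_seconds} for periodic signatures."""
    by_sig = defaultdict(list)
    for t, sig in alerts:
        by_sig[sig].append(t)
    rules = {}
    for sig, ts in by_sig.items():
        series = build_time_series(ts)
        lag = dominant_period_bins(series)
        # Periodic if the series correlates strongly with itself shifted by one period.
        if lag and pearson(series[:-lag], series[lag:]) >= PERIODIC_THRESHOLD:
            rules[sig] = lag * BIN_SECONDS
    return rules

# Constructed sample: "sig-A" fires every 60 s (heartbeat-style noise); "sig-B" is irregular.
SAMPLE_ALERTS = [(t, "sig-A") for t in range(0, 1200, 60)] + \
    [(t, "sig-B") for t in (103, 117, 152, 224, 358, 371, 459, 512, 546)]
```

On the constructed sample only the periodic signature yields a rule, so the irregular alerts survive into the clustering stage.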