CN100362803C - Network safety warning system based on cluster and relevance - Google Patents

Publication number: CN100362803C
Authority: CN (China)
Application number: CNB2004100609656A
Other versions: CN1588880A
Original language: Chinese (zh)
Inventors: 金海, 杨志玲, 韩宗芬, 孙建华
Assignee (original and current): Huazhong University of Science and Technology
Legal status: Expired - Fee Related (status as listed by Google Patents; not a legal conclusion)

Abstract

The present invention relates to a network security warning system based on clustering and correlation. The system mainly comprises a monitoring module, a buffering module, a hierarchical clustering module, a database processing module, a correlation analysis module, and an alarm and response module, all of which are integrated into the console at the upper layer of the network security system. The hierarchical clustering module reduces identical or similar redundant warning information, so the volume of alarm information transmitted is reduced, the extra load of processing redundant alarms is reduced, and the workload of the network security administrator is reduced, allowing the administrator to recognize attack behaviours clearly and configure security policy. The correlation analysis module can discover association rules among several specific attributes present when an attack occurs, improving the detection capability of the detection components, and can also discover the generation rules and patterns among attack behaviours, identifying new or unknown attack patterns, so that early warning and containment of attacks can be carried out in advance to prevent cooperative or large-scale attacks.

Description

Network security alarm system based on clustering and correlation
Technical field
The invention belongs to the field of network security technology and specifically relates to a network security alarm system based on clustering and correlation.
Background technology
In the information age, with the development of Internet technology and the spread of network applications, computer networks have penetrated every field and aspect of social life, bringing people ever more convenience and wealth. At the same time, however, hacking techniques have developed rapidly and improved markedly, attack methods have become increasingly sophisticated and diverse, security has become a major issue affecting national independence and security, economic operation and development, and social stability and prosperity, and network users face ever-growing security threats and crises. Therefore, alongside improving and developing network security technologies such as intrusion detection and firewalls, it is also of great significance to build a network security alarm system that is real-time, flexible and intelligent.
Intrusion detection systems and firewalls are the network security technologies most commonly used at present. Intrusion detection is an active detection technique: it tries as far as possible to find and identify individuals who use a computer system without authorization and users who hold legal authorization but abuse it, and provides the user with alarm information so that effective measures can be taken to block the vulnerability and repair the system. A firewall is a dedicated network interconnection device that uses passive defense technology; it is used to strengthen access control between networks, to isolate and control access between the internal network and the untrusted external network and between different security domains of the internal network, and to provide customizable and flexible response policies.
Over years of development, the architecture of these security systems has gradually improved, their management has become more flexible, their performance has been optimized more and more, and their functions have grown stronger by the day. However, the enhancement of function and the optimization of performance have come mainly from strengthening the capability of the detection and defense modules themselves, without considering the characteristics and drawbacks of the traditional alarm mode. The traditional alarm mode is shown in Fig. 1: the alarm and response module interacts directly with the detection module; an anomaly or attack found by the detection module is alarmed and responded to immediately and directly; there is no mechanism for coordinated management and association analysis of alarm information, and there is no function for aggregating security events and making centralized decisions about them. This leads to the following problems: for the same attack there may be several consecutive identical or similar redundant alarms within the same time period; the volume of network traffic increases, the security system often has to handle a large number of alarms, and the processing capacity of the whole system drops; the security administrator has to deal with a large volume of alarm information containing redundancy and finds it difficult to analyze and identify attacks, configure network security policy and handle vulnerabilities correctly and in real time; new or unknown attack patterns cannot be clearly discovered; and it is difficult to predict and guard against large-scale attacks that are correlated or coordinated.
Summary of the invention
The object of the invention is to overcome the above shortcomings by providing a network security alarm system based on clustering and correlation. The system solves the redundant-alarm problem present in ordinary network security systems and provides an association analysis mechanism for alarm information; it can effectively reduce redundant alarms and the false-alarm rate, improve the detection and defense capability of the system, and gives the system a certain ability to recognize unknown attacks and large-scale attacks.
To achieve the above object, the invention provides a network security alarm system based on clustering and correlation, characterized in that the system comprises a monitoring module, a cache module, a hierarchical clustering module, a database processing module, an association analysis module and an alarm and response module, all of which are integrated into the console at the upper layer of the network security system;
the monitoring module communicates with the detection and defense module at the lower layer of the network security system, is dedicated to listening for and receiving local alarm information from the detection and defense module, and submits this alarm information to the cache module;
the cache module buffers and synchronizes between the monitoring module and the hierarchical clustering module, caching the alarm information from the monitoring module in order of arrival;
the hierarchical clustering module takes local alarm information from the cache module in turn, performs concrete hierarchical clustering on it, judges whether it is redundant with respect to the local alarm information of the recent period, and decides on the basis of that judgement whether to submit it to the alarm and response module; it also submits all alarm information to the database processing module, which writes it to the database as the alarm data source for the association analysis module;
the association analysis module interacts with the database processing module to obtain a large amount of alarm information as its event source, applies association algorithms to analyze and mine it, evaluates the results, deletes erroneous and useless rules and patterns, and finally submits the effective rules and patterns to the alarm and response module, which configures and applies them;
the alarm and response module, on the one hand, raises global alarms for the local alarm information passed on by the hierarchical clustering module and implements responses through interaction with the user; on the other hand, it obtains the rules and patterns produced by the association analysis module and configures them in the background for use by the detection and defense module.
The association analysis module comprises an association rule mining submodule and a sequential pattern mining submodule. The association rule mining submodule discovers potential association rules among the attributes inside an alarm and submits the effective rules to the alarm and response module. The sequential pattern mining submodule analyzes the generation regularities and patterns of the alarm attribute "attack type" to discover the patterns and rules by which attacks occur, identifies unknown attack patterns or coordinated attack patterns, and submits the effective patterns to the alarm and response module.
The association rule mining submodule comprises an association rule source event generation submodule, an association rule algorithm application submodule, a rule performance evaluation submodule and a rule feedback submodule. The association rule source event generation submodule determines which concrete association rule mining algorithm to use and provides source events to the association rule algorithm application submodule; the association rule algorithm application submodule applies the association rule mining algorithm to the source events to obtain the corresponding rules and passes them to the rule performance evaluation submodule; the rule performance evaluation submodule evaluates the rules it receives and submits the final rules to the rule feedback submodule; the rule feedback submodule feeds these rules back to the alarm and response module, which configures them for use by the detection and defense module.
The sequential pattern mining submodule comprises a sequential pattern source event generation submodule, a sequential pattern algorithm application submodule, a pattern performance evaluation submodule and a pattern feedback submodule.
The sequential pattern source event generation submodule determines which concrete sequential pattern mining algorithm to use and provides source events to the sequential pattern algorithm application submodule.
The sequential pattern algorithm application submodule applies the sequential pattern mining algorithm to the received source events to obtain the corresponding results and passes them to the pattern performance evaluation submodule; the pattern performance evaluation submodule trains and evaluates the patterns and submits the final patterns to the pattern feedback submodule; the pattern feedback submodule feeds these patterns back to the alarm and response module, which configures them for use by the detection and defense module.
The hierarchical clustering module comprises an abstract modeling submodule and a concrete hierarchical clustering processing submodule. The abstract modeling submodule provides an abstract model to the concrete hierarchical clustering processing submodule, which processes alarms according to that model.
The abstract modeling submodule comprises a characteristic attribute extraction submodule, a similarity assessment method determination submodule, a characteristic attribute layer determination submodule and a similarity assessment model determination submodule.
The characteristic attribute extraction submodule extracts characteristic attributes from the attributes of the alarm information and provides them to the similarity assessment method determination submodule and the characteristic attribute layer determination submodule.
The similarity assessment method determination submodule determines and selects a similarity assessment method for each of the characteristic attributes and provides the result to the similarity assessment model determination submodule.
The characteristic attribute layer determination submodule divides the characteristic attributes into layers by importance, according to the detection characteristics and actual needs of the security system, and provides the result to the similarity assessment model determination submodule.
The similarity assessment model determination submodule analyzes the two results together to obtain the abstract model and provides it to the concrete hierarchical clustering processing submodule.
By introducing clustering and association analysis techniques, the invention adds clustering and association analysis of alarm information and improves on the direct alarm mode conventionally used by network security alarm systems. Clustering makes combined use of similarity assessment methods, layering and clustering techniques; association analysis comprises two parts, association rule mining and sequential pattern mining.
The hierarchical clustering function addresses the alarm redundancy problem of conventional security systems. It combines similarity assessment methods with layering and clustering techniques: a similarity assessment method is determined for each characteristic attribute of the alarm information and the attributes are divided into layers, giving a comprehensive layered model. With this model, similarity assessment of alarm information proceeds layer by layer from the highest layer to the lowest, and each layer assesses only the attributes of that layer. If the similarity result for the attributes of some layer is below the specified threshold, a dissimilar result follows at once, the alarm is raised globally, and none of the lower layers needs to be assessed. The hierarchical clustering function reduces identical or similar redundant alarms, which reduces the volume of alarm information transmitted, the extra load the system bears from processing redundant alarms, and the workload of the network security administrator, letting the administrator recognize attacks and configure security policy more clearly.
Based on the principle that correlations between alarms reflect, to a certain extent, relationships between attacks, the invention mines alarm information with an association analysis mechanism consisting mainly of two techniques: association rule mining, which mines association rules among the several attributes inside each alarm, and sequential pattern mining, which mines the generation patterns of the specific attribute "attack type" across many alarms. This reveals the association rules among the attributes present when an attack occurs as well as the generation patterns and rules among attacks.
Association rule mining seeks the association rules among the several attributes inside each alarm, which are used for attack detection or prevention. Sequential pattern mining targets the repetition, precedence and causal relationships among attacks by mining the generation patterns and rules of the alarm's specific "alarm type" attribute. Patterns that express repetition help simplify clustering: repeated alarms can be discarded directly after a simple analysis. Patterns that express precedence or causality can be applied in the detection or defense module, both to recognize new or unknown attack patterns and to give early warning of and guard against attacks in advance, thereby preventing coordinated or large-scale attacks.
Overall, the invention greatly improves the functionality of the network security system and effectively raises its performance. Specifically, it has the following advantages and effects:
1) Supports various security systems and adapts well
Conventional network security systems such as intrusion detection systems and traffic detection all have an alarm function. The invention handles alarm information only at the application layer and is independent of the architecture and detection technique of the lower layer, so it applies to security systems with many different detection and defense mechanisms and adapts well.
At the same time, the invention suits both systems with many detection modules and a single detection mechanism and security systems with many detection modules and many detection mechanisms, and supports a variety of heterogeneous intrusion detection or defense systems.
2) Relative independence of modules
Ordinary network security systems all have a console or a similar functional module. The invention is integrated into the console and, to address the large number of redundant alarms and the lack of security-event association analysis in conventional security systems, adds a centralized decision and clustering/association function between the local alarms of the detection modules and the global alarms of the console, eliminating redundant alarms as far as possible and discovering potential associations among alarms as far as possible, thereby improving the intelligence and processing efficiency of the system. It therefore requires no change to the structure or mechanism of the lower-layer detection modules and does not affect or alter the other functions of the console, giving good module independence.
3) Good extensibility of functional modules
At present the invention implements two main functions: first, clustering of alarm information to reduce redundant alarms; second, association analysis of the alarm information stored in the database to obtain rules and patterns among alarms and attacks. The clustering and association function modules are therefore independent of each other and can be implemented jointly or used separately. Other alarm-processing functions can also be optimized further, extended or added.
4) Effectively reduces redundant alarms and eases the work of the network security administrator
Clustering effectively reduces the large volume of redundant alarm information, solving the redundant-alarm problem of ordinary network security systems and reducing the volume of alarm information transmitted, so that the network security administrator can analyze and identify attacks, configure network security policy and handle vulnerabilities correctly and in real time, with a lighter load from handling large numbers of alarms.
5) Helps reduce the false-alarm rate and improves detection capability
The false-alarm rate is reduced, on the one hand, by the reduction of redundant alarms, which the hierarchical clustering function achieves; on the other hand, by the strengthened detection and defense capability of the system, achieved mainly by association analysis over a large volume of alarm information, which discovers the association rules among the several attributes inside each alarm and the generation rules and patterns of the characteristic attribute "attack type" across many alarms, and by configuring these rules and patterns to improve detection and defense.
6) Reduces the load of handling repeated alarms and improves system performance
Clustering reduces the number of alarms and the volume of information transmitted, lowering the resource overhead and system load of alarming and processing. Using the rules and patterns produced by the corresponding techniques to predict alarm information simplifies clustering and thus improves system performance.
7) Can discover new attack patterns
Sequential pattern mining can identify new or unknown attack patterns and unknown system vulnerabilities by mining the generation patterns and rules of the characteristic attribute "attack type" of alarm information, and its recognition capability grows as patterns are continually updated and configured.
8) Can predict and guard against attacks
The sequential pattern mining technique of the association analysis module can discover the generation rules and patterns of attacks. These patterns reflect, to a certain extent, the coordination and correlation among attacks, so they can be used to configure the policy of the response module and make responses more intelligent, and can also improve detection and defense capability and thereby prevent large-scale attacks.
Description of drawings
Fig. 1 is a schematic diagram of the alarm mechanism of an existing network security system.
Fig. 2 is a schematic diagram of the architecture of the network security alarm system based on clustering and correlation of the present invention.
Fig. 3 is a schematic flow diagram of the network security alarm system based on clustering and correlation of the present invention.
Fig. 4 is a schematic diagram of the structure of the hierarchical clustering module.
Fig. 5 is a process flow diagram of the hierarchical clustering module.
Fig. 6 is a schematic diagram of the structure of the association analysis module.
Embodiment
The invention is explained in further detail below with reference to the accompanying drawings.
The invention implements its functions by extending the console at the upper layer of the network security system. In terms of operating principle, the system is divided into six modules: monitoring module 2, cache module 3, hierarchical clustering module 4, database processing module 5, association analysis module 6, and alarm and response module 7. Monitoring module 2 communicates with the detection and defense module 1 at the lower layer of the network security system; the architecture is shown schematically in Fig. 2.
As soon as the lower-layer detection and defense module 1 finds an anomaly or detects an attack, it sends alarm information, based on its analysis, to the upper-layer console; this is called local alarm information. Monitoring module 2 connects and communicates directly with detection and defense module 1, is dedicated to listening for and receiving the local alarm information from it, and submits that information to cache module 3. Cache module 3 buffers and synchronizes between monitoring module 2 and hierarchical clustering module 4: it caches the alarm information from monitoring module 2 on a first-come, first-served basis and ensures that local alarm information is not lost, overwritten or confused.
Hierarchical clustering module 4 likewise takes local alarm information from cache module 3 in turn on a first-come, first-served basis and performs concrete hierarchical clustering on it. The basic principle is to judge whether the alarm is redundant with respect to the global alarms of the most recent period t and, on the basis of that judgement, to decide whether to submit it to alarm and response module 7: if it is judged non-redundant it is handed to alarm and response module 7 for a global alarm and response; otherwise no global alarm or response is made. The period t represents the interval at which the same detection module produces repeated alarms for the same attack and the possible delay with which different detection modules produce similar alarms for it; its size has to be determined from empirical values and sample training, striking a good balance between the false-alarm rate and the miss rate. At the same time, whether or not the alarm is redundant, the module submits it to database processing module 5, which writes it to the database as the alarm data source for association analysis module 6.
Association analysis module 6 interacts with database processing module 5 to obtain a large amount of alarm information as its event source; it comprises association rule mining submodule 6.1 and sequential pattern mining submodule 6.2.
Association rule mining submodule 6.1 first obtains, by empirical sampling and repeated training, a time interval t that serves as the interval between reads of the database. Taking the first alarm as the starting point, at every interval t the submodule interacts once with database processing module 5 and reads all the alarm information within that period t. Then, according to the event characteristics of the chosen association analysis algorithm, each alarm, which contains several attribute values, is treated as one event, so that all the alarms in the period t form an event set. A concrete association analysis algorithm such as Apriori is then applied to this event set to obtain rules among the alarm attributes present when an attack occurs; the rules are evaluated, erroneous and useless rules are deleted, and the effective rules are finally submitted to alarm and response module 7, which configures and applies them.
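The procedure above, as an added example that is not part of the patent or of any implementation by Huazhong University of Science and Technology: Python code that takes one window of length t from a constructed list of alarms, turns each alarm into an itemset of attribute=value items, runs a small level-wise Apriori, derives rules, and applies an assumed evaluation policy (drop rules below a confidence floor and rules whose lift is not above 1, i.e. whose consequent is no likelier given the antecedent than by chance). The attributes chosen, the thresholds and the sample alarms are all assumptions.

```python
"""Association rule mining over the alarms of one time window t (added example)."""
from itertools import combinations
from typing import Dict, FrozenSet, List, Sequence, Tuple

Alert = Dict[str, object]
Itemset = FrozenSet[str]
# (antecedent, consequent, support, confidence, lift)
Rule = Tuple[Itemset, Itemset, float, float, float]

# Constructed sample alarms (not real data); alert_time is seconds from the first alarm.
SAMPLE_ALERTS: List[Alert] = [
    {"alert_time": 1,   "attack_type": "sql_injection",  "dst_port": 80, "protocol": "tcp"},
    {"alert_time": 9,   "attack_type": "sql_injection",  "dst_port": 80, "protocol": "tcp"},
    {"alert_time": 15,  "attack_type": "portscan",       "dst_port": 22, "protocol": "tcp"},
    {"alert_time": 22,  "attack_type": "sql_injection",  "dst_port": 80, "protocol": "tcp"},
    {"alert_time": 31,  "attack_type": "ssh_bruteforce", "dst_port": 22, "protocol": "tcp"},
    {"alert_time": 44,  "attack_type": "sql_injection",  "dst_port": 80, "protocol": "tcp"},
    {"alert_time": 200, "attack_type": "portscan",       "dst_port": 80, "protocol": "tcp"},  # next window
]


def events_in_window(alerts: Sequence[Alert], start: float, t: float,
                     attrs: Sequence[str]) -> List[Itemset]:
    """Source events: each alarm in [start, start + t) becomes one event,
    an itemset of attribute=value items."""
    return [frozenset(f"{k}={a[k]}" for k in attrs)
            for a in alerts if start <= float(a["alert_time"]) < start + t]


def apriori(events: Sequence[Itemset], min_support: float) -> Dict[Itemset, int]:
    """Level-wise Apriori; returns every frequent itemset with its support count."""
    n = len(events)
    min_count = min_support * n

    def count(s: Itemset) -> int:
        return sum(1 for e in events if s <= e)

    singles = {frozenset([i]) for e in events for i in e}
    current = {s for s in singles if count(s) >= min_count}
    frequent: Dict[Itemset, int] = {}
    k = 1
    while current:
        for s in current:
            frequent[s] = count(s)
        # Join k-itemsets differing in one item; prune candidates with an infrequent subset.
        cur = list(current)
        cands = set()
        for i in range(len(cur)):
            for j in range(i + 1, len(cur)):
                u = cur[i] | cur[j]
                if len(u) == k + 1 and all(frozenset(sub) in current for sub in combinations(u, k)):
                    cands.add(u)
        current = {c for c in cands if count(c) >= min_count}
        k += 1
    return frequent


def mine_rules(alerts: Sequence[Alert], start: float, t: float, attrs: Sequence[str],
               min_support: float, min_conf: float) -> List[Rule]:
    """Rules from one window, after the assumed evaluation step."""
    events = events_in_window(alerts, start, t, attrs)
    n = len(events)
    frequent = apriori(events, min_support)
    kept: List[Rule] = []
    for itemset, cnt in frequent.items():
        if len(itemset) < 2:
            continue
        for r in range(1, len(itemset)):
            for ante in combinations(sorted(itemset), r):
                ante_set = frozenset(ante)
                cons = itemset - ante_set
                conf = cnt / frequent[ante_set]          # every subset of a frequent set is frequent
                lift = conf * n / frequent[cons]
                # Evaluation (assumed policy): weak rules and rules whose consequent is
                # no likelier given the antecedent than by chance (lift <= 1) are useless.
                if conf >= min_conf and lift > 1.0:
                    kept.append((ante_set, cons, cnt / n, conf, lift))
    return sorted(kept, key=lambda x: (-x[3], -x[4], sorted(x[0]), sorted(x[1])))


def run_sample() -> List[Rule]:
    """First window of t = 60 s over the constructed alarms."""
    return mine_rules(SAMPLE_ALERTS, start=0, t=60,
                      attrs=("attack_type", "dst_port", "protocol"),
                      min_support=0.5, min_conf=0.75)


if __name__ == "__main__":
    for ante, cons, sup, conf, lift in run_sample():
        print(f"{set(ante)} -> {set(cons)}  support={sup:.2f} confidence={conf:.2f} lift={lift:.2f}")
```

On the constructed window, twelve candidate rules come out of the frequent itemsets; the evaluation step discards the six that either point at protocol=tcp (present in every event, so lift is exactly 1) or use it as antecedent (confidence 4/6), and keeps the six that tie sql_injection to destination port 80.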
Sequential pattern mining submodule 6.2 likewise obtains a time interval t and a number of intervals n by empirical sampling and repeated training. Every n × t, the submodule interacts once with database processing module 5 and reads the values of the attribute "attack type" of all the alarm information within that period n × t. The "attack type" values within each interval t, taken in order, form one event, so the "attack type" values in the n intervals form an event set of n events, which serves as the event source for sequential pattern mining. A concrete sequential pattern mining algorithm such as FP-tree is then applied to this event set to obtain patterns describing how attacks occur; the patterns are evaluated, erroneous and useless patterns are deleted, and the effective patterns are finally submitted to alarm and response module 7, which configures and uses them.
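An added example (not the patent's code) of the event source and mining just described: n windows of length t, the "attack type" values of each window in time order forming one event, a plain level-wise frequent-subsequence miner standing in for the FP-tree-style algorithm the patent names, and an assumed evaluation step that drops single-item patterns and non-closed patterns (those contained in a longer pattern with the same support). The attack type names, t, n, the support threshold and the alarms are constructed.

```python
"""Sequential pattern mining over the "attack type" attribute (added example)."""
from typing import Dict, List, Sequence, Tuple

Pattern = Tuple[str, ...]

# Constructed sample alarms as (alert_time in seconds, attack type).
SAMPLE_ALERTS: List[Tuple[float, str]] = [
    (5, "portscan"), (20, "ssh_bruteforce"), (40, "privilege_escalation"),
    (65, "portscan"), (80, "ssh_bruteforce"), (95, "privilege_escalation"), (110, "data_exfiltration"),
    (125, "portscan"), (140, "web_scan"), (160, "sql_injection"),
    (190, "ssh_bruteforce"), (230, "privilege_escalation"),
    (250, "portscan"),  # beyond the n x t span read in this round
]


def build_sequences(alerts: Sequence[Tuple[float, str]], start: float, t: float, n: int) -> List[List[str]]:
    """Event source: the attack types of each interval t, in time order, form one
    event; the n intervals give an event set of n sequences."""
    seqs: List[List[str]] = [[] for _ in range(n)]
    for time, attack in sorted(alerts):
        idx = int((time - start) // t)
        if 0 <= idx < n:
            seqs[idx].append(attack)
    return seqs


def is_subsequence(pattern: Sequence[str], seq: Sequence[str]) -> bool:
    """True if pattern occurs in seq in order (gaps allowed)."""
    it = iter(seq)
    return all(item in it for item in pattern)


def mine_sequences(seqs: Sequence[Sequence[str]], min_support: float) -> Dict[Pattern, int]:
    """Level-wise frequent-subsequence mining: grow each frequent pattern by one
    frequent item and keep the extensions that still meet the support count."""
    n = len(seqs)
    min_count = min_support * n

    def count(p: Pattern) -> int:
        return sum(1 for s in seqs if is_subsequence(p, s))

    items = [a for a in sorted({a for s in seqs for a in s}) if count((a,)) >= min_count]
    current: List[Pattern] = [(a,) for a in items]
    frequent: Dict[Pattern, int] = {}
    while current:
        for p in current:
            frequent[p] = count(p)
        cands = {p + (a,) for p in current for a in items}
        current = sorted(c for c in cands if count(c) >= min_count)
    return frequent


def evaluate(frequent: Dict[Pattern, int], n: int) -> List[Tuple[Pattern, float]]:
    """Assumed evaluation policy: drop single-item patterns (no relation between
    attacks) and non-closed patterns (contained in a longer pattern with the same
    support, so they add nothing). Returns (pattern, support fraction)."""
    kept: List[Tuple[Pattern, float]] = []
    for p, c in frequent.items():
        if len(p) < 2:
            continue
        if any(len(q) > len(p) and cq == c and is_subsequence(p, q) for q, cq in frequent.items()):
            continue
        kept.append((p, c / n))
    return sorted(kept, key=lambda x: (-x[1], x[0]))


def run_sample(t: float = 60, n: int = 4) -> List[Tuple[Pattern, float]]:
    """One round of n x t = 240 s over the constructed alarms, min_support 0.5."""
    seqs = build_sequences(SAMPLE_ALERTS, start=0, t=t, n=n)
    return evaluate(mine_sequences(seqs, min_support=0.5), n)


if __name__ == "__main__":
    for pattern, support in run_sample():
        print(" -> ".join(pattern), f"(support {support:.2f})")
```

Of the seven frequent patterns found in the four constructed windows, evaluation keeps two: ssh_bruteforce followed by privilege_escalation (3 of 4 windows) and the longer portscan, ssh_bruteforce, privilege_escalation chain (2 of 4); the two-item prefixes of that chain have the same support as the chain and are dropped as non-closed.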
Alarm and response module 7, on the one hand, raises a global alarm for the local alarm information submitted by hierarchical clustering module 4 and implements a response through interaction with the user; response policies include cutting off the connection, closing the corresponding port, and so on. On the other hand, the module obtains the rules and patterns produced by association analysis module 6 and configures them in the background for use by detection and defense module 1, to improve detection efficiency and performance.
The concrete processing flow is shown in Fig. 3. The hierarchical clustering module and the association analysis module are the two cores of the system; their mechanisms and implementation are described in detail below.
Hierarchical clustering module
The hierarchical clustering module makes combined use of similarity assessment methods, layering and clustering techniques. Its main theoretical basis is that similarity assessment determines whether alarms are identical or similar, and therefore whether redundancy exists. In addition, since some characteristic attributes carry different importance and play a decisive role in the assessment, the characteristic attributes are layered by importance. Clustering proceeds from the highest layer to the lowest; each layer assesses the similarity of its own characteristic attributes, and if the attributes of a higher layer are not similar, a dissimilar result is returned immediately, which reduces unnecessary processing load. Eliminating redundant alarms reduces the load of global alarming and eases the difficulty a security administrator has in clearly understanding attacks when confronted with large numbers of alarms, helping to identify system vulnerabilities and configure security policy.
As shown in Fig. 4, the hierarchical clustering module comprises abstract modeling submodule 4.1 and concrete hierarchical clustering processing submodule 4.2.
The function of abstract modeling submodule 4.1 is to determine a similarity assessment method and a layer for every characteristic attribute of the alarm information, providing an abstract model to concrete hierarchical clustering processing submodule 4.2. It comprises characteristic attribute extraction submodule 4.1.1, similarity assessment method determination submodule 4.1.2, characteristic attribute layer determination submodule 4.1.3 and similarity assessment model determination submodule 4.1.4. Characteristic attribute extraction submodule 4.1.1 extracts from the attributes of the alarm information those that have reference value for similarity assessment; these are called characteristic attributes. Similarity assessment method determination submodule 4.1.2 determines and selects a similarity assessment method for each characteristic attribute. For example: for the attribute "destination ip" a boolean method is used: if the two values are identical the similarity is 1, otherwise it is 0. For numerically continuous attributes such as "alarm time" a distance-based method is used: first every original value V is mapped uniformly to a value V' in the interval [0, 1]; for two mapped values V1' and V2', the similarity is expressed as |V1' − V2'|. The mapping from an original value to its mapped value is as follows: if the maximum of the attribute is Vmax and its minimum is Vmin, the mapped value is V' = (V − Vmin)/(Vmax − Vmin). The similarity of each layer equals the sum of the similarities of the characteristic attributes of that layer.
Characteristic attribute layer determination submodule 4.1.3 divides these characteristic attributes into layers by importance according to the detection characteristics and actual needs of the security system: the greater the importance and reference value, the higher the rank and the greater the weight. Characteristic attributes in the same layer have similar importance and identical weight. For example, if the characteristic attributes of the alarm information are (detection module, alarm time, attack type, source ip, destination ip, source port, destination port, danger level, protocol), then "destination ip", "attack type" and "alarm time" can be taken as first-layer characteristic attributes, "source ip" and "destination port" as second-layer characteristic attributes, "source port" and "protocol" as third-layer characteristic attributes, and "detection module" and "danger level" as the characteristic attributes of the last layer. The similarity threshold of each layer is set independently; the layers have different reference value and meaning in the similarity assessment, and the higher the layer, the greater the weight and the greater the reference value. Similarity assessment model determination submodule 4.1.4 combines the results of similarity assessment method determination submodule 4.1.2 and characteristic attribute layer determination submodule 4.1.3 into a comprehensive abstract model. This model not only divides all the characteristic attributes into layers but also fixes a concrete similarity assessment method for each of them; the similarity of a given layer equals the sum of the similarities of all the characteristic attributes of that layer.
Concrete hierarchical cluster processing sub 4.2 is handled according to the model that abstract modeling submodule 4.1 submodules provide.For any warning message, itself and warning message in nearest a period of time t need be carried out hierarchical cluster and handle, judge whether this warnings is redundant warning message, and whether decision needs to carry out overall situation warning.What the same detection module produced repetition of alarms when time period t represented that same attack takes place may produce may delaying time of similar warning with different detection modules at interval, its size need be determined by empirical value and sampling training, and require to obtain a good balance between alert rate of mistake and false dismissed rate.In order to improve treatment effeciency, concrete hierarchical cluster processing sub 4.2 need be follow-up warning message service according to the warning message in the nearest time period t of sequencing buffer memory.The handling process of this submodule is described below:
Warning message for extracting from buffering area at first carries out the preliminary treatment of warning message, comprises the identification of characteristic attribute and numerical value, the layering of characteristic attribute.Carry out the similitude assessment of this layer then according to level order from high to low, the method model that concrete similitude appraisal procedure provides according to abstract modeling 4.1.Have non-similarity if certain layer similitude assessment result less than the threshold value of this layer regulation, then can be judged as, draw this warning and have nonredundant result, directly carry out the overall situation and report to the police.Otherwise continue the similitude assessment of one deck, to the last one deck down.If judge it is redundant warning message, the database that just this warning message write direct does not carry out the overall situation and reports to the police; Otherwise, give alarm response and configuration module with warning message and carry out the overall situation and report to the police, also this warning message must be write database simultaneously.The handling process of concrete hierarchical cluster processing sub 4.2 as shown in Figure 5.
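The layered redundancy check just described, as an added example that is not part of the patent: attribute names, level thresholds, the window t and the sample alerts are constructed, and the distance |V1' - V2'| from the text is used as the similarity 1 - |V1' - V2'| so that it can be summed with the boolean scores of the same level.

```python
"""Layered alert redundancy check (added example, not the patent's code).

Attributes are grouped into levels; a level's similarity is the sum of its
attributes' similarities, and the first level below its threshold ends the
comparison with "not similar".  Constructed assumptions: attribute names,
thresholds, the window t, the sample alerts, and 1 - |V1' - V2'| as the
similarity of two min-max mapped values (so it sums with boolean scores).
"""
from datetime import datetime, timedelta
from typing import Dict, List, Tuple, Union

Value = Union[str, int, float, datetime]
Alert = Dict[str, Value]

# Levels from most to least important, using the grouping given in the text.
LAYERS: List[Tuple[str, ...]] = [
    ("dst_ip", "attack_type", "alarm_time"),  # level 1
    ("src_ip", "dst_port"),                   # level 2
    ("src_port", "protocol"),                 # level 3
    ("detector", "danger_level"),             # level 4
]
# Per-level thresholds (constructed); a level's maximum similarity equals its
# attribute count, so level 1 demands near-identity and level 4 very little.
THRESHOLDS = [2.5, 1.5, 1.5, 0.5]
WINDOW = timedelta(seconds=30)              # the time period t (constructed)
# (V_min, V_max) for attributes assessed by numeric distance (constructed).
NUMERIC_RANGES: Dict[str, Tuple[float, float]] = {"danger_level": (1.0, 3.0)}


def to_unit(v: float, vmin: float, vmax: float) -> float:
    """V' = (V - V_min) / (V_max - V_min); a degenerate range maps to 0."""
    return 0.0 if vmax == vmin else (v - vmin) / (vmax - vmin)


def attr_similarity(name: str, a: Value, b: Value, window_end: datetime) -> float:
    """Boolean method for nominal attributes, distance method for numeric ones."""
    if name == "alarm_time":
        # Timestamps are mapped onto the window [window_end - t, window_end].
        start, span = window_end - WINDOW, WINDOW.total_seconds()
        va = to_unit((a - start).total_seconds(), 0.0, span)
        vb = to_unit((b - start).total_seconds(), 0.0, span)
        return 1.0 - abs(va - vb)
    if name in NUMERIC_RANGES:
        vmin, vmax = NUMERIC_RANGES[name]
        return 1.0 - abs(to_unit(a, vmin, vmax) - to_unit(b, vmin, vmax))
    return 1.0 if a == b else 0.0


def is_redundant_pair(new: Alert, old: Alert) -> bool:
    """Assess level by level; stop at the first level below its threshold."""
    for attrs, threshold in zip(LAYERS, THRESHOLDS):
        level_sim = sum(attr_similarity(n, new[n], old[n], new["alarm_time"])
                        for n in attrs)
        if level_sim < threshold:
            return False            # dissimilar here; lower levels are skipped
    return True                     # similar at every level: redundant


class HierarchicalCluster:
    """Keeps the alerts of the most recent period t in arrival order."""

    def __init__(self) -> None:
        self.recent: List[Alert] = []

    def process(self, alert: Alert) -> bool:
        """True if the alert is non-redundant and a global alarm is raised."""
        cutoff = alert["alarm_time"] - WINDOW
        self.recent = [a for a in self.recent if a["alarm_time"] >= cutoff]
        redundant = any(is_redundant_pair(alert, old) for old in self.recent)
        self.recent.append(alert)   # every alert is kept (and written to the DB)
        return not redundant


def make_alert(detector, attack, when, danger, proto, sip, sport, dip, dport) -> Alert:
    return {"detector": detector, "attack_type": attack, "alarm_time": when,
            "danger_level": danger, "protocol": proto, "src_ip": sip,
            "src_port": sport, "dst_ip": dip, "dst_port": dport}


# Constructed sample alerts, modelled on the fields of the alert database table.
SAMPLE_ALERTS: List[Alert] = [
    make_alert("firewall", "Smurf", datetime(2004, 6, 5, 8, 23, 24), 3, "UDP",
               "10.0.0.1", 33333, "17.0.0.1", 80),
    # Same attack seen 2 s later by another component: redundant.
    make_alert("ids", "Smurf", datetime(2004, 6, 5, 8, 23, 26), 2, "UDP",
               "10.0.0.1", 33333, "17.0.0.1", 80),
    # Other target and attack type: fails level 1, lower levels are not checked.
    make_alert("firewall", "Ping Flood", datetime(2004, 6, 5, 8, 23, 30), 2, "TCP",
               "10.0.0.3", 22222, "17.0.0.3", 80),
    # Same as the first alert but more than t later: a new global alarm.
    make_alert("firewall", "Smurf", datetime(2004, 6, 5, 8, 24, 30), 3, "UDP",
               "10.0.0.1", 33333, "17.0.0.1", 80),
]


def run(alerts: List[Alert]) -> List[bool]:
    """Process alerts in order; each entry says whether a global alarm is raised."""
    cluster = HierarchicalCluster()
    return [cluster.process(a) for a in alerts]  # [True, False, True, True]
```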
The association analysis module
The association analysis module performs association analysis on the large number of alerts stored in the database from two aspects. One is to use association rule mining to mine the rules that exist between the internal attributes of an alert, discovering rules that describe the internal attributes produced by a single attack, which are then used for the rule configuration of intrusion detection and defence. The other is to use sequential pattern mining on the particular attribute "attack type" of alerts, discovering potential associations or generation rules of the "attack type" between alerts, mainly "cause and effect" and "repetition" relations, which helps identify coordinated or correlated attacks and is used for attack prediction and for guarding against large-scale attacks.
As shown in Figure 6, association analysis module 6 is mainly divided into association rule mining submodule 6.1 and sequential pattern mining submodule 6.2.
The function of association rule mining submodule 6.1 is to mine the potential associations between the multiple attributes inside each alert; because an alert describes part of the information of an attack, these rules can be used for the detection and defence of attacks. It comprises the association rule source event generation submodule 6.1.1, the association rule algorithm application submodule 6.1.2, the rule performance evaluation submodule 6.1.3 and the rule feedback submodule 6.1.4. Association rule source event generation submodule 6.1.1 first determines which concrete association algorithm to use, whether a traditional algorithm such as Apriori or FP-tree or a self-designed one, and determines the time interval t at which the database is read. Then, following the event definition of the chosen association analysis algorithm, each alert, which comprises several attribute values, is treated as one event; all alerts within the time period t form an event set, which is provided as source events to association rule algorithm application submodule 6.1.2.
Association rule algorithm application submodule 6.1.2 applies the association rule mining algorithm to the source events generated by submodule 6.1.1 and obtains the corresponding results. These results describe the rules among the internal attributes of alerts. For example, if the rule "source ip=192.168.1.54; source port=99; destination ip=192.168.1.55; destination port=88 → attack type=TCP" is generated, it expresses that whenever the condition "source IP address is 192.168.1.54, source port is 99, destination IP is 192.168.1.55 and destination port is 88" is satisfied, a "port scan attack" results; that is, source port 99 of source IP address 192.168.1.54 often launches port scan attacks against destination port 88 of destination IP address 192.168.1.55. Thus, as soon as a detection module finds the condition "source IP address is 192.168.1.54, source port is 99" satisfied, it can notify port 88 of destination IP 192.168.1.55 in advance so that the attack is defended against beforehand, for instance by directly filtering connections from that port or by closing the port. This improves both the recognition capability and the detection efficiency of the detection module, reduces the probability of attacks and of alarm generation, and gives the system function a degree of reproducibility and extensibility.
Rule performance evaluation submodule 6.1.3 evaluates and tests the performance of the generated rules, deletes erroneous, useless or redundant rules to ensure the correctness and reliability of the rules, and submits the final rules to rule feedback submodule 6.1.4. Rule feedback submodule 6.1.4 feeds these rules back to alarm and response module 7, which performs the rule configuration for use by the detection and defence modules.
The function of sequential pattern mining submodule 6.2 is to mine the generation patterns and rules of the particular attribute "attack type" across many alerts. These patterns reflect the generation patterns and rules among attacks, and thus help identify unknown attack patterns or coordinated attack patterns and serve alarm prediction, early warning and prevention. It comprises the sequential pattern source event generation submodule 6.2.1, the sequential pattern algorithm application submodule 6.2.2, the pattern performance evaluation submodule 6.2.3 and the pattern feedback submodule 6.2.4. Sequential pattern source event generation submodule 6.2.1 first needs to determine which concrete sequential pattern mining algorithm to use, such as an FP-tree-like algorithm; it also needs to determine the time interval t and the number of time intervals n from empirical sampling and repeated training. Taking the first alarm as the starting point, once every interval t this module interacts with database processing module 5 and reads all alerts within that time period t, period by period. Then, following the event definition of the chosen association analysis algorithm, each alert, which comprises several attribute values, is treated as one event, and all alerts within the time period t form an event set that serves as the source events for sequential pattern algorithm application submodule 6.2.2. The sequential pattern algorithm may be a published classic algorithm or a self-designed or improved one.
Sequential pattern algorithm application submodule 6.2.2 applies the sequential pattern mining algorithm to the generated source events and obtains the corresponding mining results. These results describe the generation patterns and rules of the particular attribute "attack type" of alerts. For instance, if the regular attack pattern "attack 1; attack 2; attack 3" is found, that is, attack 1, attack 2 and attack 3 always occur in this order according to some rule, one can infer either that there is some premeditated coordination among attacks 1, 2 and 3, or that there is a "cause and effect" association in which "the occurrence of attack 1 causes attacks 2 and 3 to occur". This helps discover the new attack pattern "attack 1 + attack 2 + attack 3", and an attack 1 that has already occurred can be used to predict and guard against the attacks 2 and 3 that are about to occur, giving a certain capability to defend against large-scale and coordinated attacks. If the attack pattern "attack 1; attack 1" is found, it shows that the detection module often produces redundant alerts for attack 1; in future processing, an alert for attack 1 can be judged a repeated alert directly after simple analysis and identification, which reduces the load of clustering processing and improves system processing efficiency.
Pattern evaluation submodule 6.2.3 trains and evaluates the performance of the generated patterns, deletes erroneous, useless and redundant patterns to ensure the validity and reliability of the patterns, and submits the final patterns to pattern feedback submodule 6.2.4. Pattern feedback submodule 6.2.4 feeds these patterns back to alarm and response module 7, which configures the patterns for use by the detection and defence modules.
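Both mining steps above, the attribute rules of submodule 6.1 and the "attack type" sequences of submodule 6.2, as one added example that is not part of the patent: direct counting of a fixed rule shape stands in for the Apriori/FP-tree style algorithms the text names, and the attribute names, thresholds, interval t and sample alerts are constructed.

```python
"""Rule and pattern mining over stored alerts (added example, not the patent's code).

mine_attribute_rules() yields rules of the shape in Table 2 (cause attributes
protocol/source IP/source port -> consequence attributes attack type/
destination IP/destination port) and keeps only those passing a support and
confidence check, standing in for the rule performance evaluation step.
mine_attack_sequences() splits the stream into consecutive periods of length
t and reports "a then b" attack-type patterns as in Table 3, tagging a == b
"repetition" and a != b "cause-and-effect".  Assumptions: direct counting of
a fixed rule shape replaces the Apriori/FP-tree style algorithms the text
names; attribute names, thresholds, t and the sample alerts are constructed.
"""
from collections import Counter, defaultdict
from datetime import datetime, timedelta
from typing import Dict, List, Tuple

Event = Dict[str, object]
ANTECEDENT = ("protocol", "src_ip", "src_port")     # cause attributes
CONSEQUENT = ("attack_type", "dst_ip", "dst_port")  # consequence attributes
WINDOW = timedelta(seconds=10)                      # the time interval t


def mine_attribute_rules(events: List[Event], min_support: int = 2,
                         min_confidence: float = 0.8) -> List[Tuple[Dict, Dict, float]]:
    """Rules ANTECEDENT -> CONSEQUENT over the attributes inside single alerts.

    confidence = alerts matching both sides / alerts matching the left side.
    """
    ante_count: Counter = Counter()
    pair_count: Counter = Counter()
    for e in events:
        ante = tuple(e[k] for k in ANTECEDENT)
        cons = tuple(e[k] for k in CONSEQUENT)
        ante_count[ante] += 1
        pair_count[(ante, cons)] += 1
    rules = []
    for (ante, cons), n in pair_count.items():
        confidence = n / ante_count[ante]
        if n >= min_support and confidence >= min_confidence:  # rule evaluation
            rules.append((dict(zip(ANTECEDENT, ante)),
                          dict(zip(CONSEQUENT, cons)), round(confidence, 2)))
    return sorted(rules, key=lambda r: -r[2])


def window_sequences(events: List[Event], t: timedelta) -> List[List[str]]:
    """Attack types per consecutive period of length t, from the first alert on."""
    ordered = sorted(events, key=lambda e: e["alarm_time"])
    start = ordered[0]["alarm_time"]
    windows: Dict[int, List[str]] = defaultdict(list)
    for e in ordered:
        windows[int((e["alarm_time"] - start) / t)].append(e["attack_type"])
    return [windows[i] for i in sorted(windows)]


def mine_attack_sequences(events: List[Event], t: timedelta, min_support: int = 2,
                          min_confidence: float = 0.5) -> List[Tuple[str, str, float, str]]:
    """Patterns (a, b): a occurs and b occurs later within the same period.

    confidence = periods where a is followed by b / periods containing a.
    """
    has_a: Counter = Counter()
    has_ab: Counter = Counter()
    for seq in window_sequences(events, t):
        for a in set(seq):
            has_a[a] += 1
        for pair in {(seq[i], b) for i in range(len(seq)) for b in seq[i + 1:]}:
            has_ab[pair] += 1
    patterns = []
    for (a, b), n in has_ab.items():
        confidence = n / has_a[a]
        if n >= min_support and confidence >= min_confidence:  # pattern evaluation
            kind = "repetition" if a == b else "cause-and-effect"
            patterns.append((a, b, round(confidence, 2), kind))
    return sorted(patterns, key=lambda p: (-p[2], p[0], p[1]))


def _alert(sec: int, proto: str, sip: str, sport: int,
           attack: str, dip: str, dport: int) -> Event:
    return {"alarm_time": datetime(2004, 6, 5, 8, 0, sec), "protocol": proto,
            "src_ip": sip, "src_port": sport, "attack_type": attack,
            "dst_ip": dip, "dst_port": dport}


# Constructed sample: a scanner that repeats itself and is followed by a web attack.
SCAN = ("TCP", "210.99.195.8", 3333, "Port Scan", "17.0.0.3", 25)
WEB = ("HTTP", "211.69.196.1", 2222, "Web attack", "17.0.0.1", 80)
SAMPLE_EVENTS: List[Event] = [
    _alert(0, *SCAN), _alert(3, *SCAN), _alert(6, *WEB),
    _alert(12, *SCAN), _alert(15, *SCAN), _alert(18, *WEB),
    _alert(22, *SCAN), _alert(25, *SCAN), _alert(27, *WEB),
    _alert(31, *WEB),
    _alert(35, "HTTP", "211.69.196.1", 2222, "Smurf", "17.0.0.2", 21),  # odd one out
    _alert(42, *WEB),
]
```

On the sample, the HTTP rule survives with confidence 0.83 because one of its six alerts has a different consequence, while the pair "Port Scan then Port Scan" is reported as a repetition pattern, the case the text says can be used to short-circuit clustering.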
The configuration used in an implementation of the present system is described below.
The alarm clustering and correlation module was integrated into the console of a network security system with three different kinds of detection components (a firewall, an intrusion detection system and traffic detection); the module runs in the background. Its basic configuration is shown in Table 1.
| CPU | Memory | Hard disk | Network interface card | Operating system | Network |
|---|---|---|---|---|---|
| Two PIII866 | 256M | 30G | 3C905B | Linux 7.3 | 100M switch |

Table 1: hardware and network configuration of each node
The console is installed on one host, and the three detection components (intrusion detection system, firewall and traffic detection) are installed on the remaining 3 hosts, forming a fully functional network security system. The concrete deployment is as follows: host 1 serves as the console, host 2 as the firewall, host 3 as the intrusion detection system, and host 4 as the traffic detection system. The configuration of the whole system is described as follows:
1) Alert database
This table has 9 fields in total; an example is shown in Table 1.
| Detection component | Attack type | Alarm time | Danger level | Protocol type | Source IP | Source port | Destination IP | Destination port |
|---|---|---|---|---|---|---|---|---|
| Firewall | Smurf | 2004-6-5 8:23:24 | 3 | UDP | 10.0.0.1 | 33333 | 17.0.0.1 | 80 |
| Intrusion detection system | TCP | 2004-6-4 9:2:34 | 1 | HTTP | 10.0.0.2 | 562 | 17.0.0.2 | 80 |
| Traffic detection system | Ping Flood | 2004-6-6 4:43:54 | 2 | TCP | 10.0.0.3 | 22222 | 17.0.0.3 | 80 |

Table 1: example of the alert database
The fields are described as follows:
Detection component: the detection component that produced the alarm, one of firewall, intrusion detection system and traffic detection system.
Attack type: the alarm type of the intrusion event, divided into many kinds according to the different detection principles and mechanisms; for example, the firewall includes TCP Flood, UDP Flood, Smurf, Ping Flood etc., and the intrusion detection system includes TCP, web attack etc.
Alarm time: the time at which the alert for this intrusion event was given.
Danger level: the harm level of this intrusion event.
Protocol type: the protocol type related to the intrusion event, such as TCP, UDP, HTTP etc.
Source IP: the source IP address of the intrusion event.
Source port: the source port of the intrusion event.
Destination IP: the destination IP address of the intrusion event.
Destination port: the destination port of the intrusion event.
2) Rule base for the internal attributes of alerts and their attacks
This database has 3 fields in total; an example is shown in Table 2.
| Cause attribute: Protocol type | Cause attribute: Source IP | Cause attribute: Source port | Consequence attribute: Attack type | Consequence attribute: Destination IP | Consequence attribute: Destination port | Rule confidence |
|---|---|---|---|---|---|---|
| HTTP | 211.69.196.1 | 2222 | Web attack | 17.0.0.1 | 80 | >0.8 |
| UDP | 202.34.155.2 | 4444 | Smurf | 17.0.0.2 | 21 | >0.9 |
| TCP | 210.99.195.8 | 3333 | Syn Flood | 17.0.0.3 | 25 | =1.0 |

Table 2: example of the rule base for the internal attributes of alerts and their attacks
Each field is explained as follows:
Cause attribute: the cause alarm attributes of the rule.
Consequence attribute: the consequence alarm attributes of the rule.
Confidence: the credibility of this rule.
3) Rule base between alerts and their attacks
This database has 3 fields in total; an example is shown in Table 3.
| Cause attack | Consequence attack | Rule confidence |
|---|---|---|
| TCP | Obtain administrator rights, host penetration | >0.8 |
| Obtain administrator rights | Trojan horse | >0.5 |
| Syn attack | Syn attack | >0.7 |

Table 3: example of the rule base between alerts and their attacks
Each field is explained as follows:
Cause alarm type: the cause attack of the rule.
Consequence alarm type: the consequence attack of the rule.
Confidence: the credibility of this rule.

Claims (6)

1. A network security alarm system based on clustering and correlation, characterized in that: the system comprises a monitoring module (2), a cache module (3), a hierarchical cluster module (4), a database processing module (5), an association analysis module (6) and an alarm and response module (7), and each module is arranged in the console of the upper layer of the network security system;
the monitoring module (2) communicates with the detection and defence module (1) of the bottom layer of the network security system, is specifically responsible for monitoring and receiving local alarm information from the detection and defence module (1), and submits this alarm information to the cache module (3);
the cache module (3) acts as a buffer and synchronizer between the monitoring module (2) and the hierarchical cluster processing module (4), caching the alarm information from the monitoring module (2) in arrival order;
the hierarchical cluster module (4) obtains local alarm information from the cache module (3) in turn, performs concrete hierarchical cluster processing on this alarm information, judges whether this alarm information is redundant with respect to the local alarm information of the most recent time period, and decides according to the result whether to submit this alarm information to the alarm and response module (7); it also submits all alarm information to the database processing module (5), which writes it to the database as the alarm data source for the association analysis module (6);
the association analysis module (6) interacts with the database processing module (5), obtains a large amount of alarm information as the event source for association analysis, applies association algorithms to analyse and mine it, evaluates the performance of the results, deletes erroneous and useless rules and patterns, and submits the final effective rules and patterns to the alarm and response module (7), which configures and applies the rules and patterns;
the alarm and response module (7), on the one hand, raises a global alarm for the local alarm information passed on by the hierarchical cluster module (4) and realizes the response through interaction with the user; on the other hand, it obtains the rules and patterns produced by the association analysis module (6) and configures them in the background for use by the detection and defence module (1).
2. The alarm system according to claim 1, characterized in that: the association analysis module (6) comprises an association rule mining submodule (6.1) and a sequential pattern mining submodule (6.2); the association rule mining submodule (6.1) is used to discover potential association rules between the internal attributes of alarm information and submits the effective rules to the alarm and response module (7); the function of the sequential pattern mining submodule (6.2) is to analyse the generation rules and patterns of the alarm attribute "attack type", thereby discovering the patterns and rules among attacks and finding unknown attack patterns or coordinated attack patterns, and to submit the effective patterns to the alarm and response module (7).
3. The alarm system according to claim 2, characterized in that: the association rule mining submodule (6.1) comprises an association rule source event generation submodule (6.1.1), an association rule algorithm application submodule (6.1.2), a rule performance evaluation submodule (6.1.3) and a rule feedback submodule (6.1.4); the association rule source event generation submodule (6.1.1) is used to determine which concrete association rule mining algorithm to use and provides source events to the association rule algorithm application submodule (6.1.2); the association rule algorithm application submodule (6.1.2) processes the source events with the association rule mining algorithm to obtain the corresponding rules and provides them to the rule performance evaluation submodule (6.1.3); the rule performance evaluation submodule (6.1.3) evaluates the received rules and submits the final rules to the rule feedback submodule (6.1.4); the rule feedback submodule (6.1.4) feeds these rules back to the alarm and response module (7), which performs the rule configuration for use by the detection and defence module (1).
4. The alarm system according to claim 2 or 3, characterized in that: the sequential pattern mining submodule (6.2) comprises a sequential pattern source event generation submodule (6.2.1), a sequential pattern algorithm application submodule (6.2.2), a pattern performance evaluation submodule (6.2.3) and a pattern feedback submodule (6.2.4);
the sequential pattern source event generation submodule (6.2.1) is used to determine which concrete sequential pattern mining algorithm to use and provides source events to the sequential pattern algorithm application submodule (6.2.2);
the sequential pattern algorithm application submodule (6.2.2) applies the sequential pattern mining algorithm to the received source events to obtain the corresponding results and provides them to the pattern evaluation submodule (6.2.3); the pattern evaluation submodule (6.2.3) trains and evaluates the performance of the patterns and submits the final patterns to the pattern feedback submodule (6.2.4); the pattern feedback submodule (6.2.4) feeds these patterns back to the alarm and response module (7), which configures the patterns for use by the detection and defence module (1).
5. The alarm system according to claim 1 or 2, characterized in that: the hierarchical cluster module (4) comprises an abstract modeling submodule (4.1) and a concrete hierarchical cluster processing submodule (4.2); the abstract modeling submodule (4.1) provides an abstract model for the concrete hierarchical cluster processing submodule (4.2), and the concrete hierarchical cluster processing submodule (4.2) processes alarms according to the model provided by the abstract modeling submodule (4.1).
6. The alarm system according to claim 5, characterized in that: the abstract modeling submodule (4.1) comprises a feature attribute extraction submodule (4.1.1), a similarity assessment method determination submodule (4.1.2), a feature attribute level determination submodule (4.1.3) and a similarity assessment model determination submodule (4.1.4);
the feature attribute extraction submodule (4.1.1) is used to extract feature attributes from the attributes of alarm information and provides them to the similarity assessment method determination submodule (4.1.2) and the feature attribute level determination submodule (4.1.3);
the similarity assessment method determination submodule (4.1.2) determines and selects a similarity assessment method for each of the above feature attributes and provides the result to the similarity assessment model determination submodule (4.1.4);
the feature attribute level determination submodule (4.1.3) divides the above feature attributes into levels according to their importance, based on the detection characteristics and actual requirements of the security system, and provides the result to the similarity assessment model determination submodule (4.1.4);
the similarity assessment model determination submodule (4.1.4) comprehensively analyses the above two results, obtains the abstract model, and provides it to the concrete hierarchical cluster processing submodule (4.2).
CNB2004100609656A 2004-10-15 2004-10-15 Network safety warning system based on cluster and relavance Expired - Fee Related CN100362803C (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
CNB2004100609656A CN100362803C (en) 2004-10-15 2004-10-15 Network safety warning system based on cluster and relavance

Publications (2)

Publication Number Publication Date
CN1588880A CN1588880A (en) 2005-03-02
CN100362803C true CN100362803C (en) 2008-01-16

Family

ID=34603643

Family Applications (1)

Application Number Title Priority Date Filing Date
CNB2004100609656A Expired - Fee Related CN100362803C (en) 2004-10-15 2004-10-15 Network safety warning system based on cluster and relavance

Country Status (1)

Country Link
CN (1) CN100362803C (en)

Cited By (1)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN101296130B (en) * 2008-05-30 2011-04-06 北京同步科技有限公司 System and method for multi-process sharing port receiving network message

Families Citing this family (21)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN100405359C (en) * 2006-05-17 2008-07-23 刘韬 Mine gas outburst amount prediction method
WO2008053336A2 (en) * 2006-11-03 2008-05-08 Network Box Corporation Limited An administration portal
CN101399658B (en) * 2007-09-24 2011-05-11 北京启明星辰信息技术股份有限公司 Safe log analyzing method and system
CN101414996B (en) * 2007-10-15 2012-12-05 北京瑞星信息技术有限公司 Firewall and method thereof
CN101471808B (en) * 2007-12-26 2011-05-04 英业达股份有限公司 Alarm display system and method of cluster storage system
CN101247269B (en) * 2008-03-05 2010-09-01 中兴通讯股份有限公司 Method for automatically discovering association rule for judging redundant alarm
CN101355446B (en) * 2008-08-20 2011-05-11 中兴通讯股份有限公司 Compression treatment method for alarm report and apparatus for compressing alarm
CN101610174B (en) * 2009-07-24 2011-08-24 深圳市永达电子股份有限公司 Log correlation analysis system and method
CN102638445B (en) * 2011-12-27 2015-03-25 中国航天科工集团第二研究院七〇六所 Feedback type multistep network attack intelligent detection method and feedback type multistep network attack intelligent detection device
CN104580168B (en) 2014-12-22 2019-02-26 华为技术有限公司 A kind of processing method of Attacking Packets, apparatus and system
CN104539626A (en) * 2015-01-14 2015-04-22 中国人民解放军信息工程大学 Network attack scene generating method based on multi-source alarm logs
CN105208040B (en) * 2015-10-12 2019-03-26 北京神州绿盟信息安全科技股份有限公司 A kind of network attack detecting method and device
CN106911629B (en) * 2015-12-22 2020-03-10 中国移动通信集团公司 Alarm correlation method and device
CN106730196B (en) * 2016-12-12 2019-11-15 北京怡和嘉业医疗科技股份有限公司 A kind of alarm method, device and ventilator
CN107607794A (en) * 2017-10-11 2018-01-19 贵州电网有限责任公司输电运行检修分公司 A kind of electric network thunder and lightning information issuing system and its dissemination method
CN110555452A (en) * 2018-06-04 2019-12-10 北京亿阳信通科技有限公司 network problem processing method and device based on intelligent clustering
CN109274675A (en) * 2018-09-30 2019-01-25 上海视岳计算机科技有限公司 A kind of extensive Web attack detection method and system based on cloud platform
CN109374053B (en) * 2018-11-13 2021-06-08 深圳市中广控信息科技有限公司 Internet of things machine room management platform based on event-driven response
CN110381015A (en) * 2019-06-03 2019-10-25 西安电子科技大学 A kind of clustering method based on intruding detection system warning message
CN110856178B (en) * 2019-11-05 2021-11-02 天津大学 Behavior identification method based on wireless network physical layer IQ signal
CN112019538B (en) * 2020-08-26 2023-05-26 国网山东省电力公司滨州供电公司 Remote intelligent alarm system and method for safety equipment and storage medium

Citations (2)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
WO2001071978A1 (en) * 2000-03-20 2001-09-27 Futurocom Computer equipment for supervision of computer or telecommunication equipment, network and services
KR20040055513A (en) * 2002-12-21 2004-06-26 한국전자통신연구원 Information model for security policy in policy-based network security system

Non-Patent Citations (1)

* Cited by examiner, † Cited by third party
Title
基于特征检测的分布式网络报警系统. 杨静,刘春.计算机工程,第29卷第2期. 2003 *

Also Published As

Publication number Publication date
CN1588880A (en) 2005-03-02

Legal Events

Date Code Title Description
C06 Publication
PB01 Publication
C10 Entry into substantive examination
SE01 Entry into force of request for substantive examination
C14 Grant of patent or utility model
GR01 Patent grant
C17 Cessation of patent right
CF01 Termination of patent right due to non-payment of annual fee

Granted publication date: 20080116

Termination date: 20101015