CN101499928A - Network intrusion scene chart generation method based on cluster analysis - Google Patents
Network intrusion scene chart generation method based on cluster analysis
- Publication number: CN101499928A
- Application number: CNA2009100303022A
- Authority: CN (China)
- Prior art keywords: alarm, polymerization, degree, warning, relation
- Legal status: Pending (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
Abstract
The invention relates to a method for generating a network intrusion scene graph on the basis of cluster analysis, comprising the following steps: inputting the original intrusion-scene relation pairs obtained from feature-class correlation analysis and calculating the in-degree of the successor alert of every alert relation pair; and, starting from in-degree 0, merging the alerts under the same in-degree that share the same rule identifier, the same attack source IP address and the same attack destination IP address into a new aggregated alert. The generation time and ending time of the aggregated alert are respectively the minimum generation time and the maximum ending time of all merged alerts; the layer of the aggregated alert corresponds to its in-degree; and its attack count is the number of merged alerts. Cross-layer relations are then removed on the premise that the connectivity of the intrusion scene graph is preserved, which forms the network intrusion scene graph. The method not only greatly reduces the number of alert relation pairs in the intrusion scene graph but also ensures the correctness of the intrusion scene; the resulting graph is intuitive and easy to understand, which makes it convenient for network security officers to take timely and effective response measures.
Description
Technical field
The present invention relates to a network intrusion scene graph generation method, in particular to a network intrusion scene graph generation method based on cluster analysis, and belongs to the technical field of network information security.
Background technology
An intrusion detection system (IDS) monitors the operating state of a network or system according to a given security policy and is used to protect information systems. IDSs can be divided into two classes: anomaly detection and signature detection. Anomaly detection is based on the normal behaviour of a subject (such as a user or a system); any behaviour that differs from normal behaviour is regarded as an intrusion. Signature detection, also called misuse detection, is based on the features of known intrusions and system vulnerabilities; any behaviour that matches a signature is regarded as an intrusion.
Both anomaly detection and signature detection have limitations. Because normal behaviour is hard to describe, anomaly detection has a very high false alarm rate, and even when normal behaviour can be described correctly, an attacker can still gradually train the IDS into treating his or her intrusion behaviour as normal. Signature detection detects attacks from the features of known attacks by matching packets against signatures: if a match succeeds an attack is reported, otherwise nothing is reported, so signature detection cannot detect unknown attacks. As a complement to intrusion prevention techniques (such as access control and authentication), intrusion detection serves as the second line of defence for networks and information systems.
Intrusion detection still faces many challenges. Apart from known limitations such as the inability to detect unknown attacks, most IDSs run into increasingly serious problems. First, current IDSs mostly focus on low-level attacks and anomalies and report alerts individually, ignoring the logical attack steps hidden behind them; the security officer can only rely on his or her own experience to work out the connections between these alerts. Second, most IDSs generate a large number of alerts, both true and false. Under intensive intrusion, true alerts are mixed with false ones and the number of alerts becomes unmanageable; the security officer or intrusion response system finds it hard to recognise the intrusion behaviour behind the alerts and therefore has difficulty taking appropriate actions and countermeasures in time.
To address the above problems, the prior art improves the use of current IDSs by constructing high-level intrusion scenarios from the intrinsic correlations among low-level intrusion behaviours. An intrusion scenario brings all related attacks into one overall security picture. Although the original intrusion scene graph spares the security officer the work of correlating each alert by hand, the original intrusion scene still involves a large number of alerts, has a complex graph structure and contains redundant relations, which hinders the analysis of the intrusion steps by network security personnel.
Summary of the invention
To overcome the deficiencies of the prior art, the invention provides a network intrusion scene graph generation method whose output is intuitive and easy to understand, making it convenient for the network security manager to take timely and effective response measures.
A network intrusion scene graph generation method based on cluster analysis, which takes as input the original alert relation pairs of the intrusion scene obtained after feature-class correlation analysis, is characterised by further carrying out the following steps:
(1) inputting the original intrusion-scene relation pairs obtained after feature-class correlation analysis and calculating the in-degree of all their alerts;
(2) starting from in-degree 0, merging the alerts under the same in-degree that have identical rule identifier, attack source IP address and attack destination IP address alert attributes into a new aggregated alert; the identifier of this aggregated alert is the ID number of any one of the alerts merged when it was formed, its generation time and ending time correspond respectively to the minimum generation time and the maximum ending time of all merged alerts, its layer is the current in-degree plus 1, and its attack count is the number of merged alerts; the successor relations of the merged alerts are superimposed onto the successors of the aggregated alert to which they belong;
(3) subtracting 1 from the in-degree of the successor alerts of the in-degree-0 alerts, recalculating the in-degrees, and repeating operation (2) until all alerts have been traversed and the cluster merging is complete, thereby obtaining the aggregated alerts and the aggregated alert relation pairs;
(4) taking out each aggregated alert in turn, obtaining the in-degrees of all its successor aggregated alerts and, where it has successors of several different in-degrees, performing the cross-layer relation removal operation under the condition that the connected graph remains connected, thereby generating the network intrusion scene graph.
The cross-layer relation removal operation comprises the steps of: first saving the current state and the cross-layer relation; then judging the state of the aggregated-alert connected graph by depth-first traversal; if the aggregated alert relation pairs are still in a connected state after the cross-layer relation is removed, carrying out the cross-layer relation removal for this aggregated alert; if, after the cross-layer edge is removed, the aggregated alert relation pairs are in a disconnected state, returning to the state before the cross-layer relation was removed, taking out the next cross-layer relation of this aggregated alert and repeating the step of judging the state of the aggregated-alert connected graph, until all aggregated alerts have completed the cross-layer relation removal operation, which forms the network intrusion scene graph.
The operating principle of the invention is as follows. Each alert associated in an intrusion scene must have certain attack characteristics and steps. If the relations between these alerts are not sorted and optimised, then for the tool that draws the intrusion scene graph the attributes characterising all alerts, such as rule name, generation time, source and destination addresses and ports, exhibit obvious randomness and can be represented by a random vector P = (X1, X2, X3, ..., Xn), where Xi (i = 1, 2, 3, ..., n) is a concrete alert attribute and n is the dimension of the alert attributes used for compression. The principles and methods of multivariate statistics can therefore be used to recognise which related alerts are compressible.
Cluster analysis in multivariate statistics is a statistical method for classifying samples or indices. It uses a given rule to define a similarity coefficient or a distance between samples; samples with a large similarity coefficient or a small distance are grouped into one class, while samples with a small similarity coefficient or a large distance are placed in different classes, and the samples are distinguished in this way.
On this principle, an aggregation recognition model for alerts based on cluster analysis is established. The alert in-degree, rule ID number, and source and destination addresses are chosen as the main parameters for recognising aggregatable alerts, i.e. P = (X1<in-degree>, X2<rule ID>, X3<source address>, X4<destination address>, X5<generation time>). The rule ID, source address, destination address and generation time are taken directly from the actual values in the alert, while the alert in-degree is computed from the related alert relation pairs.
A notable advantage of the invention is that the provided method for generating a network intrusion scene graph based on cluster analysis further optimises and compresses the original intrusion scene into a relatively concise view while preserving the temporal structure among the intrusion behaviours. The intrusion steps are finally reproduced in a threatening, high-level, correlated intrusion scene graph that lets network security personnel quickly and accurately locate the hacker source and the controlled machines and analyse the potential consequences of the attack. Through this cluster compression the originally complex graph becomes more intuitive and easier to understand, which makes it convenient for the network security manager to take timely and effective response measures.
Description of drawings
Fig. 1 is a schematic diagram of the original intrusion-scene relation pairs obtained after feature-class correlation analysis;
Fig. 2 is a flow chart of the clustering method adopted in the embodiment of the invention.
Embodiment
The invention is further described below in conjunction with an embodiment and the accompanying drawings.
Embodiment:
Referring to Fig. 1, which is a schematic diagram of the original relation pairs of the intrusion scene obtained after feature-class correlation analysis: in the figure, the nodes a1 to h1 are alerts, and a line between two nodes represents an original relation pair between them.
Referring to Fig. 2, which is a flow chart of the clustering method adopted in this embodiment, the concrete steps are as follows:
Step 1: calculating in-degrees
The successor alert is extracted from every input alert relation pair and its in-degree is accumulated; the alert identifier and the corresponding in-degree are recorded in a dictionary table. If an alert is a top-level node, its in-degree is 0.
Step 2: cluster merging
(1) The alerts of in-degree 0 are taken out of the dictionary table and the following operation is performed: using the three alert attributes rule identifier, attack source IP address and attack destination IP address as the merging condition, alerts with identical attributes are merged into one aggregated alert, and the merged result is stored in the dictionary table. For each aggregated alert obtained, a new alert is added to the alert attribute record set as the aggregated alert record. The identifier of the new aggregated alert is the ID number of any one of the alerts merged when it was formed (this merged alert being the main alert); its generation time is the minimum generation time of all merged alerts; its ending time is the maximum ending time of all merged alerts; its layer is the current in-degree plus 1; its attack count is the number of merged alerts; and its remaining attributes are the same as those of the merged alerts. The aggregated alert identifier is recorded in the main-alert attribute of each merged alert, and the successor relations of the merged alerts are superimposed onto the successors of the aggregated alert.
(2) After the alerts (nodes) of in-degree 0 have been merged, the in-degrees are recalculated by subtracting 1 from the in-degree of each successor alert of the in-degree-0 alerts, and operation (1) is repeated until all alerts have been traversed and the cluster merging is complete.
Step 3: removing cross-layer relations
Using the aggregated alerts formed in Step 2, the layer attribute of all successor alerts of each aggregated alert is obtained; a relation to a successor whose layer is higher than the lowest successor layer is a cross-layer relation.
The aggregated alerts that have cross-layer relations are taken out and the relations removed, with depth-first traversal used to verify that the graph remains connected. (Before a cross-layer relation is removed, the current state and the cross-layer relation are saved: if the graph becomes disconnected after the cross-layer edge is removed, the security incident has been split, which is unreasonable, so the state before removal is saved so that it can be restored.) First, an array is created that holds the traversal state of all aggregated alerts, initially "not traversed". Starting from an arbitrary point, all aggregated alerts adjacent to that point are traversed recursively and the state of each traversed aggregated alert is updated. After the traversal is complete, the state of all alerts is checked: if the alerts still form a connected graph after the cross-layer relation is removed, the cross-layer relation removal is carried out; otherwise the graph is rolled back to the state before the relation was removed. Then the next cross-layer relation of this aggregated alert is taken out and judged. When all of them have been processed, the cross-layer relations of the next aggregated alert are removed, until all aggregated alerts have completed the cross-layer relation removal, which forms the network intrusion scene graph.
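The three steps above, together with the merge key taken from the operating-principle vector P = (in-degree, rule ID, source address, destination address, generation time), as an added Python example; this is not the patent's own code. It assumes Kahn-style layering (the layer of an aggregated alert is the round in which its in-degree reaches 0, i.e. the in-degree level plus 1), an undirected connectivity test for the depth-first traversal, and that an aggregated alert takes the identifier of its first merged member. All alert identifiers, rule names, addresses, timestamps and relation pairs are constructed sample data.

```python
"""Added example, not the patent's own code: in-degree computation,
layer-by-layer cluster merging, and cross-layer relation removal with a
depth-first connectivity check and rollback. All sample data is constructed."""
from collections import defaultdict
from dataclasses import dataclass


@dataclass
class Alert:
    id: str
    rule: str       # rule identifier
    src: str        # attack source IP address
    dst: str        # attack destination IP address
    start: int      # generation time
    end: int        # ending time
    layer: int = 0
    count: int = 1  # attack count: number of raw alerts merged into this one


def in_degrees(alerts, pairs):
    """Step 1: in-degree = number of relation pairs in which the alert is the successor."""
    deg = {a: 0 for a in alerts}
    for _, successor in pairs:
        deg[successor] += 1
    return deg


def cluster_merge(alerts, pairs):
    """Step 2: take the in-degree-0 alerts, merge those sharing (rule, src, dst)
    into one aggregated alert, lower their successors' in-degree by one, repeat.
    Assumption: layer = round in which the alert reached in-degree 0."""
    deg = in_degrees(alerts, pairs)
    succ = defaultdict(list)
    for a, b in pairs:
        succ[a].append(b)
    owner, agg, remaining, layer = {}, {}, set(alerts), 0
    while remaining:
        layer += 1
        zero = sorted(a for a in remaining if deg[a] == 0)
        if not zero:
            raise ValueError("relation pairs contain a cycle")
        groups = defaultdict(list)
        for a in zero:
            groups[(alerts[a].rule, alerts[a].src, alerts[a].dst)].append(alerts[a])
        for members in groups.values():
            head = members[0]  # assumption: aggregated alert takes the first member's id
            new = Alert(head.id, head.rule, head.src, head.dst,
                        min(m.start for m in members), max(m.end for m in members),
                        layer, len(members))
            agg[new.id] = new
            for m in members:
                owner[m.id] = new.id
                remaining.discard(m.id)
                for s in succ[m.id]:
                    deg[s] -= 1
    # superimpose the successor relations of merged alerts onto their aggregates
    agg_pairs = sorted({(owner[a], owner[b]) for a, b in pairs})
    return agg, agg_pairs


def is_connected(nodes, pairs):
    """Undirected depth-first traversal; True when every node is reached."""
    adj = defaultdict(set)
    for a, b in pairs:
        adj[a].add(b)
        adj[b].add(a)
    seen, stack = set(), [next(iter(nodes))]
    while stack:
        n = stack.pop()
        if n not in seen:
            seen.add(n)
            stack.extend(adj[n] - seen)
    return seen == set(nodes)


def remove_cross_layer(agg, pairs):
    """Step 3: an edge to a successor whose layer is above the alert's lowest
    successor layer is cross-layer; remove it only if the graph stays connected,
    otherwise roll back to the saved state."""
    pairs = list(pairs)
    for a in sorted(agg):
        succ_layers = [agg[b].layer for x, b in pairs if x == a]
        if not succ_layers:
            continue
        lowest = min(succ_layers)
        for edge in [(x, b) for x, b in pairs if x == a and agg[b].layer > lowest]:
            saved = list(pairs)      # save the state before removal
            pairs.remove(edge)
            if not is_connected(agg, pairs):
                pairs = saved        # removal would split the incident: roll back
    return pairs


RAW = {a.id: a for a in [  # constructed sample alerts (ids, rules, IPs, times)
    Alert("a1", "SCAN", "10.0.0.5", "10.0.0.20", 100, 110),
    Alert("a2", "SCAN", "10.0.0.5", "10.0.0.20", 120, 130),  # merges with a1
    Alert("b1", "EXPLOIT", "10.0.0.5", "10.0.0.20", 200, 205),
    Alert("c1", "PRIVESC", "10.0.0.5", "10.0.0.20", 300, 302),
    Alert("d1", "SCAN", "10.0.0.5", "10.0.0.21", 100, 115),
    Alert("e1", "SCAN", "10.0.0.7", "10.0.0.30", 90, 95),
    Alert("f1", "EXPLOIT", "10.0.0.7", "10.0.0.30", 150, 152),
]}
RAW_PAIRS = [("a1", "b1"), ("a2", "b1"), ("b1", "c1"), ("a1", "c1"),
             ("d1", "c1"), ("e1", "f1"), ("e1", "c1")]  # constructed relation pairs


def build_scene_graph(alerts=RAW, pairs=RAW_PAIRS):
    """Run all three steps and return (aggregated alerts, surviving relation pairs)."""
    agg, agg_pairs = cluster_merge(alerts, pairs)
    return agg, remove_cross_layer(agg, agg_pairs)


if __name__ == "__main__":
    aggregated, final_pairs = build_scene_graph()
    for alert in aggregated.values():
        print(alert)
    print(final_pairs)
```

Running the module prints the aggregated alerts and the surviving relation pairs. In the constructed sample, a1 and a2 merge into one SCAN alert with attack count 2 and time span 100 to 130; the cross-layer edge a1 to c1 is removed because the graph stays connected without it, while the cross-layer edge e1 to c1 is kept, since removing it would cut the e1/f1 component off from the rest of the incident.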
The network intrusion scene graph formed by the method of this embodiment not only greatly compresses the number of alert relation pairs in the intrusion scene graph (the alerts and relation pairs after compression are usually 30% of the original) but also ensures the accuracy of the intrusion scene; its composition is intuitive and easy to understand, which makes it convenient for the network security manager to take timely and effective response measures.
Claims (2)
1. A network intrusion scene graph generation method based on cluster analysis, which takes as input the original alert relation pairs of the intrusion scene obtained after feature-class correlation analysis, characterised by further carrying out the following steps:
(1) inputting the original intrusion-scene relation pairs obtained after feature-class correlation analysis and calculating the in-degree of all their alerts;
(2) starting from in-degree 0, merging the alerts under the same in-degree that have identical rule identifier, attack source IP address and attack destination IP address alert attributes into a new aggregated alert; the identifier of this aggregated alert is the ID number of any one of the alerts merged when it was formed, its generation time and ending time correspond respectively to the minimum generation time and the maximum ending time of all merged alerts, its layer is the current in-degree plus 1, and its attack count is the number of merged alerts; the successor relations of the merged alerts are superimposed onto the successors of the aggregated alert to which they belong;
(3) subtracting 1 from the in-degree of the successor alerts of the in-degree-0 alerts, recalculating the in-degrees, and repeating operation (2) until all alerts have been traversed and the cluster merging is complete, thereby obtaining the aggregated alerts and the aggregated alert relation pairs;
(4) taking out each aggregated alert in turn, obtaining the in-degrees of all its successor aggregated alerts and, where it has successors of several different in-degrees, performing the cross-layer relation removal operation under the condition that the connected graph remains connected, thereby generating the network intrusion scene graph.
2. The network intrusion scene graph generation method based on cluster analysis according to claim 1, characterised in that the cross-layer relation removal operation comprises the steps of: first saving the current state and the cross-layer relation; then judging the state of the aggregated-alert connected graph by depth-first traversal; if the aggregated alert relation pairs are still in a connected state after the cross-layer relation is removed, carrying out the cross-layer relation removal for this aggregated alert; if, after the cross-layer edge is removed, the aggregated alert relation pairs are in a disconnected state, returning to the state before the cross-layer relation was removed, taking out the next cross-layer relation of this aggregated alert and repeating the step of judging the state of the aggregated-alert connected graph, until all aggregated alerts have completed the cross-layer relation removal operation.
Priority Applications (1)
Application Number | Priority Date | Filing Date | Title |
---|---|---|---|
CNA2009100303022A CN101499928A (en) | 2009-03-18 | 2009-03-18 | Network intrusion scene chart generation method based on cluster analysis |
Publications (1)
Publication Number | Publication Date |
---|---|
CN101499928A true CN101499928A (en) | 2009-08-05 |
Family
ID=40946818
Family Applications (1)
Application Number | Title | Priority Date | Filing Date |
---|---|---|---|
CNA2009100303022A Pending CN101499928A (en) | 2009-03-18 | 2009-03-18 | Network intrusion scene chart generation method based on cluster analysis |
Country Status (1)
Country | Link |
---|---|
CN (1) | CN101499928A (en) |
Events
- 2009-03-18: CN CNA2009100303022A patent/CN101499928A/en, status active (Pending)
Cited By (11)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
CN106973039A (en) * | 2017-02-28 | 2017-07-21 | 国家电网公司 | A kind of network security situation awareness model training method and device based on information fusion technology |
CN107092929A (en) * | 2017-04-19 | 2017-08-25 | 广州可度析信息科技有限公司 | Criminal offense case association string and method and system based on clustering technique |
CN108804574A (en) * | 2018-05-23 | 2018-11-13 | 东软集团股份有限公司 | Alarm prompt method, apparatus, computer readable storage medium and electronic equipment |
CN108804574B (en) * | 2018-05-23 | 2021-06-04 | 东软集团股份有限公司 | Alarm prompting method and device, computer readable storage medium and electronic equipment |
CN109784043A (en) * | 2018-12-29 | 2019-05-21 | 北京奇安信科技有限公司 | Attack restoring method, device, electronic equipment and storage medium |
CN111083157A (en) * | 2019-12-25 | 2020-04-28 | 杭州迪普科技股份有限公司 | Method and device for processing message filtering rules |
CN111083157B (en) * | 2019-12-25 | 2022-01-25 | 杭州迪普科技股份有限公司 | Method and device for processing message filtering rules |
CN112102317A (en) * | 2020-11-13 | 2020-12-18 | 之江实验室 | Multi-phase liver lesion detection method and system based on anchor-frame-free |
CN112102317B (en) * | 2020-11-13 | 2021-03-02 | 之江实验室 | Multi-phase liver lesion detection method and system based on anchor-frame-free |
CN112804226A (en) * | 2021-01-08 | 2021-05-14 | 光通天下网络科技股份有限公司 | IP data processing method, device, equipment and medium |
CN114760189A (en) * | 2022-03-30 | 2022-07-15 | 深信服科技股份有限公司 | Information determination method, equipment and computer readable storage medium |
Similar Documents
Publication | Title | Publication Date |
---|---|---|
CN101499928A (en) | Network intrusion scene chart generation method based on cluster analysis | |
CN110380896A (en) | Network security situation awareness model and method based on attack graph | |
CN105407103B (en) | A kind of Cyberthreat appraisal procedure based on more granularity abnormality detections | |
CN113645232B (en) | Intelligent flow monitoring method, system and storage medium for industrial Internet | |
Tianfield | Cyber security situational awareness | |
CN107135093A (en) | A kind of Internet of Things intrusion detection method and detecting system based on finite automata | |
CN111586046B (en) | Network traffic analysis method and system combining threat intelligence and machine learning | |
CN105703963A (en) | PSO-OCSVM based industrial control system communication behavior anomaly detection method | |
CN103441982A (en) | Intrusion alarm analyzing method based on relative entropy | |
CN106357470B (en) | One kind threatening method for quickly sensing based on SDN controller network | |
CN102447707B (en) | DDoS (Distributed Denial of Service) detection and response method based on mapping request | |
CN106789964A (en) | Cloud resource pool data safety detection method and system | |
CN110213226A (en) | Associated cyber attack scenarios method for reconstructing and system are recognized based on risk total factor | |
CN108055228B (en) | A kind of smart grid intruding detection system and method | |
CN106209856A (en) | Big data security postures based on trust computing ground drawing generating method | |
CN104601553A (en) | Internet-of-things tampering invasion detection method in combination with abnormal monitoring | |
CN103973697A (en) | Intrusion detecting method of internet-of-things sensing layer | |
CN105867347A (en) | Trans-space cascade fault detection method based on machine learning technology | |
Zhang et al. | Detecting and identifying optical signal attacks on autonomous driving systems | |
CN110022293A (en) | A kind of electric network information physics emerging system methods of risk assessment | |
CN103501302B (en) | Method and system for automatically extracting worm features | |
CN102231743A (en) | Attack-graph-based intrusion response mode | |
CN101335752B (en) | Network intrusion detection method based on frequent fragment rule | |
CN112257546B (en) | Event early warning method and device, electronic equipment and storage medium | |
CN111709021B (en) | Attack event identification method based on mass alarms and electronic device |
Legal Events
Code | Title | Description |
---|---|---|
C06 | Publication | |
PB01 | Publication | |
C10 | Entry into substantive examination | |
SE01 | Entry into force of request for substantive examination | |
DD01 | Delivery of document by public notice | Addressee: Suzhou Shengshiyang Science & Technology Co., Ltd. Document name: the First Notification of an Office Action |
DD01 | Delivery of document by public notice | Addressee: Jiang Yongfang. Document name: Notification that Application Deemed to be Withdrawn |
C02 | Deemed withdrawal of patent application after publication (patent law 2001) | |
WD01 | Invention patent application deemed withdrawn after publication | Open date: 20090805 |