CN109218305A - Network forensics method and device based on alert aggregation (Google Patents)


Publication number
CN109218305A
Authority: CN (China)
Prior art keywords: evidence, alarm, chain, intrusion, scenario
Legal status: Granted
Application number: CN201811063114.5A
Other languages: Chinese (zh)
Other versions: CN109218305B (en)
Inventors: 张玉臣, 胡浩, 张红旗, 汪永伟, 刘小虎, 张任川, 杨峻楠
Current assignee: Information Engineering University of PLA Strategic Support Force
Original assignee: Information Engineering University of PLA Strategic Support Force
Events:
    • Application filed by Information Engineering University of PLA Strategic Support Force
    • Priority to CN201811063114.5A (patent CN109218305B)
    • Publication of CN109218305A
    • Application granted
    • Publication of CN109218305B
    • Legal status: active


Classifications (CPC, section H Electricity, class H04 Electric communication technique, subclass H04L Transmission of digital information, e.g. telegraphic communication; group H04L63/00 Network architectures or network communication protocols for network security)

    • H04L63/1416 Event detection, e.g. attack signature detection (under H04L63/1408, detecting or protecting against malicious traffic by monitoring network traffic; H04L63/14, detecting or protecting against malicious traffic)
    • H04L63/145 Countermeasures against malicious traffic where the attack involves the propagation of malware through the network, e.g. viruses, trojans or worms (under H04L63/1441, countermeasures against malicious traffic)
    • H04L63/20 Managing network security; network security policies in general

Abstract

The invention belongs to the technical field of network security and in particular relates to a network forensics method and device based on alert aggregation. The method includes: constructing an attack graph; obtaining intrusion detection data from key network nodes and taking it as the alert evidence set to be analyzed for network forensics; mapping the alert evidence in the alert evidence set onto the attack graph and deriving alert evidence chains; clustering the alert evidence chains, constructing network intrusion scenarios and thereby reconstructing the network crime scene. The invention addresses the problem of missed alerts (false negatives) and false alerts (false positives) that arises when network forensics is performed with an intrusion detection system: through alert evidence mapping, evidence chain generation, evidence chain clustering and intrusion scenario construction it can accurately and completely present the full picture of the attacker's intrusion and improve the efficiency of network forensics. The alert data associated with an intrusion scenario becomes important electronic evidence that is highly practical and operable, and provides a reliable basis for collecting network data evidence, reconstructing the crime scene and handling the case.

Description

Network forensics method and device based on alert aggregation
Technical field
The invention belongs to the technical field of network security and in particular relates to a network forensics method and device based on alert aggregation.
Background technique
With the continuous improvement of network attack skills and attack tools, attack methods change rapidly, crime committed by means of computer networks is increasingly severe, and network forensics is of great significance for combating network crime. Network forensics is essentially dynamic forensics: evidence data is intercepted while the attack is in progress or while the data is in transit, and by collecting network alert evidence data the crime scene of the network attack is reconstructed, providing accurate and effective evidence for the case.
At present there are two main network forensics approaches: one is based on honey traps, the other analyzes the alert evidence of an intrusion detection system. Honey-trap technology refers to network security technology built around deception techniques such as honeypots and honeynets; since a honey trap is a deception system and provides some information that is not genuine, whether that information can be used as evidence is debatable. The second approach analyzes the alerts of an intrusion detection system and uses the evidence obtained to reconstruct the series of attack steps taken by the intruder; most current network forensics methods are of this kind. However, the limited accuracy of intrusion detection systems affects the accuracy of the network forensics result, and how to eliminate the influence of false alerts and missed alerts on the forensic result is a problem these methods face. At the same time, intrusion detection depends on the captured network data segment, so the evidence obtained may well be incomplete. How to eliminate the influence of false and missed alerts by de-duplicating alerts and supplementing missing evidence, guarantee the integrity of the evidence chain, identify the one or more network intrusion evidence chains that belong to the same crime scene, and reflect the full picture of the intrusion has become a technical problem that urgently needs solving.
Summary of the invention
To this end, the present invention provides a network forensics method and device based on alert aggregation: alert data is subjected to evidence mapping, evidence chain generation, evidence chain clustering and intrusion scenario construction to reconstruct the network crime scene, which is highly practical and operable.
According to the design scheme provided by the present invention, a network forensics method based on alert aggregation includes the following:
A) constructing an attack graph; and obtaining intrusion detection data from key network nodes, taking the intrusion detection data as the alert evidence set to be analyzed for network forensics;
B) mapping the alert evidence in the alert evidence set onto the attack graph and deriving alert evidence chains;
C) clustering the alert evidence chains, constructing network intrusion scenarios, and reconstructing the network crime scene.
In A) above, a directed acyclic graph is constructed by enumerating all intrusion paths of the attacker and used as the attack graph; the alert evidence set is obtained by analyzing and capturing data packets with an open-source intrusion detection system at each key network node.
In B) above, the type, source address and destination address attributes of the alert evidence are selected to locate and associate each alert evidence with the corresponding attack-graph node; the alert evidence chains generated by the attacker's attack steps are retrieved from the alert evidence, and the alert evidence chain is taken as the minimum unit for constructing intrusion scenarios.
Preferably, retrieving in B) the alert evidence chains generated by the attacker's attack steps includes the following: first, the alert evidence chain set is set to the empty set; then, for each alert evidence in the alert evidence set, it is judged whether it already belongs to a chain in the alert evidence chain set; if not, a new alert evidence chain is created, the alert evidence is added to it, and further alert evidence from the alert evidence set is added to the chain one by one according to the parent-child (precedence) relation in alert generation time, so that each alert evidence in the chain stands in a cause-and-effect relation with its predecessor and successor, until the length of the chain no longer increases, whereupon the chain is merged into the alert evidence chain set; if it already belongs to a chain, the next alert evidence is processed.
In C) above, the similarity between alert evidence chains is obtained and similar alert evidence chains are clustered to construct a preliminary intrusion scenario set; every two intrusion scenarios in the preliminary intrusion scenario set are merged and spliced according to their linking relation, achieving the complete construction of intrusion scenarios and reconstructing the network crime scene.
Preferably, constructing the preliminary intrusion scenario set in C) includes the following: first, the preliminary intrusion scenario set is set to the empty set; then, for each alert evidence chain in the alert evidence chain set, the intrusion scenario in the preliminary set whose alert evidence chains have the greatest similarity to this chain is found; it is judged whether that maximum similarity is greater than the aggregation threshold; if so, the chain is added to that intrusion scenario; otherwise a new intrusion scenario is created, the chain is added to it and the new scenario is added to the preliminary set; this continues until every alert evidence chain in the alert evidence chain set has been processed.
Preferably, merging and splicing intrusion scenarios in C) includes the following: according to the temporal precedence between two intrusion scenarios and the progressive relation in their behaviour, it is determined whether the two are two sub-scenarios formed by the fracture of the same attack scenario, their linking relation is obtained, and the distance between the two intrusion scenarios is obtained according to the linking relation; the completely constructed intrusion scenario set to be output finally is set to the empty set; for an intrusion scenario in the preliminary set, the other intrusion scenario in the preliminary set with the smallest distance to it is chosen; the minimum distance between alert evidence of the two scenarios is calculated, and the two alert evidence in the two scenarios that yield this minimum distance are denoted a and a' respectively; with a and a' as head and tail nodes, and according to the causal relations between alert evidence belonging to the same intrusion scenario, the corresponding alert evidence is filled in to form an alert evidence chain, from which a newly added intrusion scenario is established; this newly added scenario, the scenario and the other scenario are merged into a new intrusion scenario that is added to the preliminary set, while the two original scenarios are removed; this is repeated until no two intrusion scenarios in the preliminary set have a linking relation.
Further, obtaining in C) the distance between two intrusion scenarios according to the linking relation includes the following: according to the destination address of one alert evidence and the source address of another, the distance in the attack graph between the attack nodes corresponding to the two alert evidence is obtained; the distance between the two intrusion scenarios is obtained from that distance.
A network forensics device based on alert aggregation includes a data collection module, an evidence chain construction module and a scenario restoration module, wherein
the data collection module is used for constructing the attack graph and for obtaining intrusion detection data from key network nodes, taking the intrusion detection data as the alert evidence set to be analyzed for network forensics;
the evidence chain construction module is used for mapping the alert evidence in the alert evidence set onto the attack graph and deriving alert evidence chains;
the scenario restoration module is used for clustering the alert evidence chains, constructing network intrusion scenarios and reconstructing the network crime scene.
In the above device, the scenario restoration module includes a scenario construction sub-module and a scenario merging sub-module, wherein
the scenario construction sub-module is used for obtaining the similarity between alert evidence chains and clustering the alert evidence chains found similar by that similarity, to construct the preliminary intrusion scenario set;
the scenario merging sub-module is used for merging and splicing every two intrusion scenarios in the preliminary intrusion scenario set according to their linking relation, achieving the complete construction of intrusion scenarios and reconstructing the network crime scene.
Beneficial effects of the present invention:
The present invention addresses the problem of missed and false alerts that arises when network forensics is performed with an intrusion detection system. By reconstructing the evidence chain of the intrusion process, alert evidence data is successively subjected to alert evidence mapping, evidence chain generation, evidence chain clustering and intrusion scenario construction, and the crime scene is reproduced. This helps to understand the intruder's motive and process at the macro level, accurately and completely presents the full picture of the attacker's intrusion, and improves the efficiency of network forensics. The alert data associated with an intrusion scenario becomes important electronic evidence that is highly practical and operable, and provides a reliable basis for collecting network data evidence, reconstructing the crime scene and litigating the case.
Description of the drawings:
Fig. 1 is a flow diagram of the network forensics method in the embodiment;
Fig. 2 is a schematic diagram of the network forensics device in the embodiment;
Fig. 3 is an example attack graph in the embodiment;
Fig. 4 is a working-principle diagram of network forensics in the embodiment.
Specific embodiment:
In order to make the object, technical solution and advantages of the present invention clearer and easier to understand, the present invention is described in further detail below with reference to the drawings and the technical solution. The technical terms involved in the embodiments are as follows:
At present, because intrusion detection depends on the captured network data segment and similar circumstances, the network alert evidence obtained may not be complete. For this purpose, the embodiment of the present invention provides a network forensics method based on alert aggregation which, as shown in Fig. 1, includes:
A) constructing an attack graph; and obtaining intrusion detection data from key network nodes, taking the intrusion detection data as the alert evidence set to be analyzed for network forensics;
B) mapping the alert evidence in the alert evidence set onto the attack graph and deriving alert evidence chains;
C) clustering the alert evidence chains, constructing network intrusion scenarios, and reconstructing the network crime scene.
As described above, a directed acyclic graph is constructed by enumerating all intrusion paths of the attacker and used as the attack graph, and the alert evidence set is obtained by analyzing and capturing data packets with an open-source intrusion detection system at each key network node. The attack graph, shown in Fig. 3, enumerates all possible intrusion paths of the attacker and is the technical basis of attack-oriented network forensics. It can be formalized as AG = (N, E), where 1) N is the node set, N = S ∪ A. S = {s_i | i = 1, ..., n} is the set of state nodes; the variable s_i indicates whether a resource or privilege in the network has been illegally seized and takes the value 1 or 0, meaning that the attacker does or does not hold that resource. A = {at_i | i = 1, ..., m} is the set of attack nodes; the variable at_i takes the value 1 or 0, meaning that a given attack step has or has not occurred. 2) E is the set of directed edges, E = E1 ∪ E2, where E1 (edges from state nodes to attack nodes) represents the subsequent attack actions the attacker may launch after occupying certain resources or privileges, and E2 (edges from attack nodes to state nodes) represents that an attack may lead the attacker to occupy new resources or escalate privileges. Based on the attack graph, alert evidence mapping is performed first: the collected alert evidence data is mapped onto the attack graph to give a preliminary picture of the intrusion; attack evidence chains are then derived from the mapped alert evidence set, reflecting the one or more intrusion paths present in the network; similar evidence chains are then clustered to obtain preliminary crime scenes; finally the completeness of the crime scenes is examined, missed alert evidence is supplemented, crime scenes that may have been fractured are spliced together, and the complete crime scene is recovered.
Alerts correspond to attacks, and alert mapping is the process of mapping each alert to the corresponding node of the attack graph. Alert evidence mapping intuitively reflects the ownership and distribution of alert evidence and gives a preliminary view of the crime scene. The correspondence between an alert and an attack node is mainly reflected in the type Type, the source address SrcIP and the destination address DstIP. In one embodiment of the invention the type, source address and destination address attributes of the alert evidence are selected to locate and associate each alert evidence with the corresponding attack-graph node; the alert evidence chains generated by the attacker's attack steps are retrieved from the alert evidence, and the alert evidence chain is taken as the minimum unit for constructing intrusion scenarios. With the Type, SrcIP and DstIP attributes selected, the mapping map from the alert evidence set to the attack node set locates each alert evidence precisely at an attack node. The function map is a mapping from the alert set to the attack node set that associates each alert with its attack node; if alert a is mapped to attack node at, this is written at = map(a). The specific mapping method can be expressed by the following formula.
The alert evidence chain is the minimum unit for constructing intrusion scenarios. An evidence chain corresponds to an intrusion path of the attacker and includes both successful paths that reach the target and failed paths that do not. An evidence chain is the sequence of alert evidence generated by several attack steps, written AQ = <a_1, a_2, ..., a_n>, where a_i denotes the i-th alert and a_i R_P a_{i+1} holds for 1 ≤ i < n. Retrieving the alert evidence chains generated by the attacker's attack steps includes the following: first, the alert evidence chain set is set to the empty set; then, for each alert evidence in the alert evidence set, it is judged whether it already belongs to a chain in the alert evidence chain set; if not, a new alert evidence chain is created, the alert evidence is added to it, and further alert evidence from the alert evidence set is added to the chain one by one according to the parent-child relation R_P in alert generation time, so that each alert evidence in the chain stands in a cause-and-effect relation with its predecessor and successor, until the length of the chain no longer increases, whereupon the chain is merged into the alert evidence chain set. The alert evidence chain generation algorithm may be designed as follows:
Algorithm 1: evidence chain generation
Input: the mapped alert evidence set Alerts
Output: the evidence chain set AQueue = {AQ_1, AQ_2, ...}
Step 1: set the evidence chain set AQueue to the empty set; let i = 1, j = 1.
Step 2: for a_i ∈ Alerts, if a_i does not yet belong to any chain in AQueue, create a new evidence chain Aq_j and add a_i to Aq_j; otherwise go to Step 6.
Step 3: according to the parent-child relation R_P in alert generation time, add alert evidence from Alerts to the evidence chain Aq_j, so that every alert evidence in Aq_j stands in a cause-and-effect relation with its predecessor and successor.
Step 4: repeat Step 3 until the length of the evidence chain Aq_j no longer increases.
Step 5: merge the evidence chain Aq_j into the evidence chain set AQueue; let j = j + 1.
Step 6: if i < |Alerts|, let i = i + 1 and go to Step 2; otherwise this step ends.
Step 7: output the evidence chain set AQueue; the algorithm ends.
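The mapping step and Algorithm 1, worked through as an added Python example (not code from the patent). The attack graph, the (Type, SrcIP, DstIP) signature of each attack node, the host addresses and the five IDS alerts are all constructed for illustration. R_P is implemented as "a was generated before b and map(a) → state → map(b) is a path in AG", which the page describes but does not formalize. An alert that matches no attack-graph node (the ICMP sweep below) is never chained, which is where the method sheds noise, so the signature table has to cover the attack graph before that filter can be trusted.

```python
"""Alert mapping onto the attack graph and evidence-chain generation (Algorithm 1)."""
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple


@dataclass(frozen=True)
class Alert:
    aid: str
    atype: str    # Type
    src: str      # SrcIP
    dst: str      # DstIP
    ts: int       # generation time, seconds (constructed)


# Constructed attack graph AG = (N, E), N = S ∪ A, E = E1 ∪ E2.
E1: Dict[str, List[str]] = {      # state node -> attack nodes it enables (E1 ⊆ S × A)
    "s0": ["at1"],                # s0: attacker foothold on 10.0.0.5
    "s1": ["at2"],                # s1: user shell on 10.0.0.10
    "s2": ["at3", "at4"],         # s2: root on 10.0.0.20, two possible next steps
}
E2: Dict[str, str] = {"at1": "s1", "at2": "s2", "at3": "s3", "at4": "s4"}  # attack -> state it yields
# (Type, SrcIP, DstIP) signature of each attack node; map() keys on exactly these attributes.
ATTACK_SIG: Dict[Tuple[str, str, str], str] = {
    ("ssh_bruteforce", "10.0.0.5",  "10.0.0.10"): "at1",
    ("smb_exploit",    "10.0.0.10", "10.0.0.20"): "at2",
    ("db_dump",        "10.0.0.20", "10.0.0.30"): "at3",
    ("rdp_lateral",    "10.0.0.20", "10.0.0.40"): "at4",
}


def attack_map(a: Alert) -> Optional[str]:
    """map(a): the attack node for (Type, SrcIP, DstIP); None if the alert fits no node."""
    return ATTACK_SIG.get((a.atype, a.src, a.dst))


def precedes(a: Alert, b: Alert) -> bool:
    """Parent-child relation R_P: a was generated before b and map(a) -> state -> map(b) in AG."""
    ma, mb = attack_map(a), attack_map(b)
    if ma is None or mb is None or a.ts >= b.ts:
        return False
    return mb in E1.get(E2[ma], [])


def build_chains(alerts: List[Alert]) -> List[List[Alert]]:
    """Algorithm 1: every mapped alert seeds at most one chain (Step 2); each chain is extended
    forwards and backwards along R_P until its length stops growing (Steps 3-4). An alert may
    still be pulled into several chains, which is what later lets chains of one scenario share
    attack steps."""
    by_time = sorted(alerts, key=lambda x: x.ts)
    chains: List[List[Alert]] = []                      # AQueue
    for a in by_time:
        if attack_map(a) is None or any(a in c for c in chains):
            continue                                    # unmapped noise, or already placed
        chain = [a]
        grew = True
        while grew:
            grew = False
            for b in by_time:
                if b in chain:
                    continue
                if precedes(chain[-1], b):              # extend at the tail
                    chain.append(b); grew = True; break
                if precedes(b, chain[0]):               # extend at the head
                    chain.insert(0, b); grew = True; break
        chains.append(chain)                            # Step 5
    return chains


# Constructed IDS output: four true alerts on the paths above and one probe that fits no node.
ALERTS = [
    Alert("a1", "ssh_bruteforce", "10.0.0.5",    "10.0.0.10", 100),
    Alert("a2", "smb_exploit",    "10.0.0.10",   "10.0.0.20", 200),
    Alert("a3", "db_dump",        "10.0.0.20",   "10.0.0.30", 300),
    Alert("a4", "rdp_lateral",    "10.0.0.20",   "10.0.0.40", 400),
    Alert("a5", "icmp_sweep",     "192.168.1.9", "10.0.0.10", 50),   # not in AG: dropped
]


def chain_ids(alerts: List[Alert] = ALERTS) -> List[List[str]]:
    return [[a.aid for a in c] for c in build_chains(alerts)]


def unmapped_ids(alerts: List[Alert] = ALERTS) -> List[str]:
    return [a.aid for a in alerts if attack_map(a) is None]


if __name__ == "__main__":
    print("chains:", chain_ids())        # [['a1', 'a2', 'a3'], ['a1', 'a2', 'a4']]
    print("dropped:", unmapped_ids())    # ['a5']
```

The second chain arises because a4 is not reachable from a3 in AG but is reachable from a2, so it seeds its own chain and is extended backwards through a2 and a1; the two chains share the first two attack steps, which is the similarity Algorithm 2 later clusters on.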
In intrusion activity the next attack action is usually built on resources or privileges already occupied, and the attacker does not voluntarily give up resources or privileges once obtained; the intrusion pattern resembles a depth-first search over the attack graph. An intrusion scenario is the set of all attack-sequence evidence chains generated by one intrusion process, written AS = {AQ_1, AQ_2, ..., AQ_n}. Evidence chains belonging to the same attack scenario therefore share certain attack steps, which shows up as similarity between the chains, so intrusion scenarios can be constructed by clustering evidence chains. Accordingly, in another embodiment of the invention, the similarity between alert evidence chains is obtained and similar alert evidence chains are clustered to construct a preliminary intrusion scenario set; every two intrusion scenarios in the preliminary set are merged and spliced according to their linking relation, achieving the complete construction of intrusion scenarios and reconstructing the network crime scene.
In attack activity, two evidence chains belonging to the same attack process do not necessarily have the same length, and the alert evidence at the same position in two chains do not necessarily correspond to each other. Considering the complexity of evidence chains and of real attacks, the invention defines the similarity between evidence chains by sequence alignment. An operation set Ω = {add(a, i), del(i), replace(a, i)} is introduced, where add(a, i) inserts a before the i-th element of the evidence chain, del(i) deletes the i-th element of the evidence chain, and replace(a, i) replaces the i-th element of the evidence chain with a; the cost of each of the three operations is 1. On this basis, the operation cost of transforming one sequence into a subsequence of the other is used to measure the degree of similarity between the two sequences. The similarity between evidence chains AQ_1 and AQ_2 can thus be defined as follows:
where C(AQ_1, AQ_2) denotes the minimum number of operations that transform evidence chain AQ_1 into a sub-chain of AQ_2, and L(AQ_1) and L(AQ_2) denote the lengths of AQ_1 and AQ_2, i.e. the number of alert evidence each contains.
Preferably, constructing the preliminary intrusion scenario set includes the following: first, the preliminary intrusion scenario set is set to the empty set; then, for each alert evidence chain in the alert evidence chain set, the intrusion scenario in the preliminary set whose alert evidence chains have the greatest similarity to this chain is found; it is judged whether that maximum similarity is greater than the aggregation threshold; if so, the chain is added to that intrusion scenario; otherwise a new intrusion scenario is created, the chain is added to it and the new scenario is added to the preliminary set; this continues until every alert evidence chain in the alert evidence chain set has been processed. On the basis of evidence chain similarity, alert evidence chains are clustered by the following algorithm to construct preliminary intrusion scenarios:
Algorithm 2: evidence chain clustering
Input: the evidence chain set AQueue = {AQ_1, AQ_2, ...}
Output: the preliminarily constructed intrusion scenarios AScenario = {AS_1, AS_2, ...}
Step 1: set the intrusion scenario set AScenario to the empty set; let i = 1.
Step 2: for AQ_i ∈ AQueue, find AS_j in AScenario such that AS_j = argmax Sim'(AQ_i, AS_j).
Step 3: if Sim'(AQ_i, AS_j) > η, add AQ_i to scenario AS_j; otherwise create a new scenario AS_new, add AQ_i to AS_new, and add AS_new to AScenario.
Step 4: if every evidence chain in AQueue has been processed, this step ends; otherwise let i = i + 1 and go to Step 2.
Step 5: output the scenario set AScenario = {AS_1, AS_2, ...}; the algorithm ends.
In Algorithm 2, the return value of the function Sim'(AQ_i, AS_j) is the maximum similarity between evidence chain AQ_i and the evidence chains in scenario AS_j, i.e. Sim'(AQ_i, AS_j) = max Sim(AQ_i, AQ_j), AQ_j ∈ AS_j; the parameter η is the threshold for judging whether an evidence chain meets the aggregation condition, usually η = 0.6.
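The similarity measure and Algorithm 2, as an added Python example that is not the patent's own code. Chains are written as sequences of attack-node labels, i.e. map(a) for each alert, so two alerts of the same attack step compare equal. C(AQ1, AQ2) is implemented as the semi-global edit distance from AQ1 to a contiguous sub-chain of AQ2 with the unit costs of Ω. The page does not reproduce its similarity formula, so the normalization Sim = 1 − C(AQ1, AQ2) / max(L(AQ1), L(AQ2)) is an assumption; the four chains are constructed.

```python
"""Evidence-chain similarity by sequence alignment and chain clustering (Algorithm 2)."""
from typing import Dict, List, Sequence


def subchain_cost(aq1: Sequence[str], aq2: Sequence[str]) -> int:
    """C(AQ1, AQ2): minimum number of add/del/replace operations (cost 1 each, the set Ω)
    that turn AQ1 into a contiguous sub-chain of AQ2. Semi-global edit distance: the match
    may start and end anywhere in AQ2, so dp[0][j] = 0 and the answer is min over dp[n][j]."""
    n, m = len(aq1), len(aq2)
    dp = [[0] * (m + 1) for _ in range(n + 1)]
    for i in range(1, n + 1):
        dp[i][0] = i                                   # only deletions possible against ""
    for i in range(1, n + 1):
        for j in range(1, m + 1):
            keep = dp[i - 1][j - 1] + (0 if aq1[i - 1] == aq2[j - 1] else 1)  # match/replace
            dp[i][j] = min(keep, dp[i - 1][j] + 1, dp[i][j - 1] + 1)         # del / add
    return min(dp[n])


def sim(aq1: Sequence[str], aq2: Sequence[str]) -> float:
    """Sim(AQ1, AQ2) = 1 - C(AQ1, AQ2) / max(L(AQ1), L(AQ2)). Assumed normalisation."""
    return 1.0 - subchain_cost(aq1, aq2) / max(len(aq1), len(aq2))


def sim_scenario(aq: Sequence[str], scenario: List[str], chains: Dict[str, List[str]]) -> float:
    """Sim'(AQ, AS): maximum Sim between AQ and any chain AQ_j in scenario AS."""
    return max(sim(aq, chains[name]) for name in scenario)


def cluster_chains(chains: Dict[str, List[str]], eta: float = 0.6) -> List[List[str]]:
    """Algorithm 2 over an ordered chain set; returns scenarios as lists of chain names."""
    scenarios: List[List[str]] = []                    # AScenario
    for name, aq in chains.items():                    # Step 2: AQ_i in AQueue
        best, best_sim = None, -1.0
        for s in scenarios:                            # argmax Sim'(AQ_i, AS_j)
            v = sim_scenario(aq, s, chains)
            if v > best_sim:
                best, best_sim = s, v
        if best is not None and best_sim > eta:        # Step 3: aggregation condition
            best.append(name)
        else:
            scenarios.append([name])                   # AS_new
    return scenarios


# Constructed chain set: two chains sharing a prefix, one sub-chain, one unrelated chain.
CHAINS: Dict[str, List[str]] = {
    "AQ1": ["at1", "at2", "at3"],
    "AQ2": ["at1", "at2", "at4"],
    "AQ3": ["at7", "at8"],
    "AQ4": ["at2", "at3"],
}

if __name__ == "__main__":
    print(subchain_cost(CHAINS["AQ2"], CHAINS["AQ1"]))   # 1: replace at4 -> at3
    print(round(sim(CHAINS["AQ2"], CHAINS["AQ1"]), 3))   # 0.667, above eta = 0.6
    print(cluster_chains(CHAINS))                        # [['AQ1', 'AQ2', 'AQ4'], ['AQ3']]
```

AQ4 joins the first scenario with Sim = 1 because it is an exact sub-chain of AQ1, and AQ3 starts its own scenario because its best Sim' is 1/3; note that the result depends on the order chains are fed in, since each chain is compared only against scenarios that already exist.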
If there exist alert evidence a ∈ AS_i and b ∈ AS_j such that a R_A b holds, attack scenarios AS_i and AS_j are said to have a linking relation, written AS_i R_C AS_j. The linking relation R_C shows that the two scenarios AS_i and AS_j have a temporal precedence relation and a progressive relation in behaviour, so they may be two sub-scenarios formed by the fracture of the same attack scenario. If AS_1 and AS_2 are two sub-scenarios formed by the fracture of the same intrusion scenario AS, then AS_1 and AS_2 satisfy the following two conditions:
a. AS_1 and AS_2 have a linking relation, i.e. AS_1 R_C AS_2;
b. among all scenarios having a linking relation with AS_1, AS_2 is the one most closely linked to AS_1.
Condition b is based on the assumption that several consecutive missed alerts are a low-probability event. To measure the closeness of the linking relation between scenarios, the calculation of attack node distance and alert evidence distance is given first; on this basis the distance between scenarios is defined and the merging of intrusion scenarios is realized.
The distance between attack nodes at_i and at_j is defined as the number of state nodes passed through from at_i to at_j, written d_at(at_i, at_j); when at_j is unreachable from at_i, d_at(at_i, at_j) = ∞.
The distance between alert evidence a_1 and a_2 is defined as follows: when the destination address DstIP of a_1 is identical to the source address SrcIP of a_2, they are said to satisfy the ancestral relation R_A, and the distance equals the distance between the corresponding attack nodes map(a_1) and map(a_2); otherwise the distance between a_1 and a_2 is 0, that is:
The distance d_AS(AS_i, AS_j) between intrusion scenarios AS_i and AS_j is defined as follows: when AS_i and AS_j satisfy the linking relation R_C, d_AS(AS_i, AS_j) equals the minimum distance between alert evidence of the two scenarios; otherwise the distance between AS_i and AS_j is 0. That is:
where a_i ∈ AS_i, a_j ∈ AS_j. The distance between intrusion scenarios represents the number of alert evidence possibly missing between the two scenarios and also reflects the degree of correlation between them.
In a further embodiment of the present invention, merging and splicing intrusion scenarios includes the following: according to the temporal precedence between two intrusion scenarios and the progressive relation in their behaviour, it is determined whether the two are two sub-scenarios formed by the fracture of the same attack scenario, their linking relation is obtained, and the distance between the two intrusion scenarios is obtained according to the linking relation; the completely constructed intrusion scenario set to be output finally is set to the empty set; for an intrusion scenario in the preliminary set, the other intrusion scenario in the preliminary set with the smallest distance to it is chosen; the minimum distance between alert evidence of the two scenarios is calculated, and the two alert evidence in the two scenarios that yield this minimum distance are denoted a and a' respectively; with a and a' as head and tail nodes, and according to the causal relations between alert evidence belonging to the same intrusion scenario, the corresponding alert evidence is filled in to form an alert evidence chain, from which a newly added intrusion scenario is established; this newly added scenario, the scenario and the other scenario are merged into a new intrusion scenario that is added to the preliminary set, while the two original scenarios are removed; this is repeated until no two intrusion scenarios in the preliminary set have a linking relation. Further, obtaining the distance between two intrusion scenarios according to the linking relation includes the following: according to the destination address of one alert evidence and the source address of another, the distance in the attack graph between the attack nodes corresponding to the two alert evidence is obtained; the distance between the two intrusion scenarios is obtained from that distance. On the basis of the defined scenario distance, the most closely linked scenarios are merged according to the distance between scenarios and the corresponding missed evidence is supplemented, realizing the complete construction of intrusion scenarios. The specific algorithm may be designed as follows:
Algorithm 3: intrusion scenario merging
Input: the preliminary scenario set AScenario = {AS_1, AS_2, …} output by Algorithm 2
Output: the completely constructed scenario set AScenario' = {AS_1', AS_2', …}
Step 1: For AS_i ∈ AScenario, find AS_j in AScenario such that AS_j = argmin d_AS(AS_i, AS_j).
Step 2: Compute d_AS(AS_i, AS_j) and determine the alarm evidences a and a' satisfying d_AS(AS_i, AS_j) = d_a(a, a'), where a ∈ AS_i and a' ∈ AS_j.
Step 3: Using the causal relationships between alarm evidences belonging to the same intrusion scenario, supplement evidence {a_1, a_2, …} so that <a, a_1, a_2, …, a'> becomes an evidence chain, and let AS_add = {a_1, a_2, …}.
Step 4: Let AS_new = AS_i ∪ AS_j ∪ AS_add; add AS_new to AScenario, replacing AS_i and AS_j.
Step 5: Repeat the above steps until no two scenarios AS_i, AS_j in AScenario have a joining relation; then let AScenario' = AScenario, output AScenario', and the algorithm terminates.
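As an added illustration (not the patent's own code), the following Python models Algorithm 3 on a constructed attack graph and three constructed preliminary scenarios. It assumes the alert and scenario distances of claim 8 (attack-graph hops from one alert's destination node to the other's source node), that a joining relation exists only when an earlier alert's destination can reach a later alert's source, and that the supplemented evidence AS_add is one hypothetical alert per missed attack-graph hop.

```python
from collections import deque
from dataclasses import dataclass
from itertools import product

@dataclass(frozen=True)
class Alert:
    aid: str  # alert identifier
    src: str  # source host (an attack-graph node)
    dst: str  # destination host (an attack-graph node)
    t: int    # detection time; constructed sample value

# Constructed attack graph: edge u -> v means an attacker holding u can reach v.
ATTACK_GRAPH = {"internet": ["web"], "web": ["app"], "app": ["db"], "db": ["backup"], "backup": []}

# Constructed preliminary scenarios (Algorithm 2 output); the app -> db step was never alerted.
A1, A2 = Alert("A1", "internet", "web", 1), Alert("A2", "web", "app", 2)
A3, A4 = Alert("A3", "db", "backup", 10), Alert("A4", "hr-pc", "printer", 5)  # A4: unrelated
AS1, AS2, AS3 = {A1, A2}, {A3}, {A4}

def shortest_path(graph, start, goal):
    """BFS along attack-graph edges; returns the node list start..goal, or None."""
    prev, queue = {start: None}, deque([start])
    while queue:
        node = queue.popleft()
        if node == goal:
            path = []
            while node is not None:
                path.append(node)
                node = prev[node]
            return path[::-1]
        for nxt in graph.get(node, []):
            if nxt not in prev:
                prev[nxt] = node
                queue.append(nxt)
    return None

def alert_distance(graph, a, a2):
    """d_a(a, a'): hops from a's destination node to a''s source node (claim 8)."""
    path = shortest_path(graph, a.dst, a2.src)
    return None if path is None else len(path) - 1

def scenario_distance(graph, s1, s2):
    """d_AS: min d_a(a, a') with a in s1 earlier than a' in s2; (d, a, a') or None."""
    best = None
    for a, a2 in product(s1, s2):
        d = alert_distance(graph, a, a2) if a.t < a2.t else None
        if d is not None and (best is None or d < best[0]):
            best = (d, a, a2)
    return best

def bridging_alerts(graph, a, a2):
    """AS_add (Step 3): a hypothetical missed alert per hop from a.dst to a2.src."""
    path = shortest_path(graph, a.dst, a2.src)
    hops = list(zip(path, path[1:]))
    span = (a2.t - a.t) / (len(hops) + 1)  # spread the missed steps in time
    return [Alert(f"missed-{u}-{v}", u, v, int(a.t + span * (k + 1)))
            for k, (u, v) in enumerate(hops)]

def merge_scenarios(graph, scenarios):
    """Steps 1-5: repeatedly merge the closest joinable pair until none remains."""
    scenarios = [frozenset(s) for s in scenarios]
    while True:
        cand = [(scenario_distance(graph, si, sj), i, j)
                for (i, si), (j, sj) in product(enumerate(scenarios), repeat=2) if i != j]
        cand = [c for c in cand if c[0] is not None]
        if not cand:
            return scenarios
        (_, a, a2), i, j = min(cand, key=lambda c: c[0][0])
        merged = scenarios[i] | scenarios[j] | frozenset(bridging_alerts(graph, a, a2))
        scenarios = [s for k, s in enumerate(scenarios) if k not in (i, j)] + [merged]
```

Running merge_scenarios(ATTACK_GRAPH, [AS1, AS2, AS3]) joins AS1 and AS2 through a supplemented app -> db alert and leaves the unrelated AS3 untouched.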
Based on the above method, an embodiment of the invention also provides a network forensics device based on alert aggregation. As shown in Fig. 2, it includes a data collection module, an evidence chain building module and a scene recovery module, wherein:
the data collection module is for constructing the attack graph, and for obtaining the intrusion detection data of key network nodes and using that data as the alarm evidence set for network forensics analysis;
the evidence chain building module is for mapping the alarm evidence in the alarm evidence set into the attack graph and obtaining alarm evidence chains;
the scene recovery module is for clustering the alarm evidence chains to construct network intrusion scenarios and restore the network crime scene.
In the above device, the scene recovery module includes a scenario building submodule and a scene merging submodule, wherein:
the scenario building submodule is for obtaining the similarity between alarm evidence chains, clustering similar alarm evidence chains by that similarity, and constructing the preliminary intrusion scenario set;
the scene merging submodule is for merging and splicing every two intrusion scenarios in the preliminary intrusion scenario set according to their joining relation, achieving the complete construction of intrusion scenarios and restoring the network crime scene.
As shown in Fig. 4, the invention starts from the alert data generated by the intrusion detection system: effective alarm evidence is first extracted and the alerts are mapped into the attack graph, abstracting the behaviour of the different hosts; then, according to the attack graph, attack evidence chains are output from the mapped alert set, reflecting the intrusion paths present in the network; next, similar evidence chains are clustered to obtain preliminary intrusion scenarios; finally, by analysing the joining relations between sub-scenarios, missed alerts are supplemented as necessary, the intrusion scenario is completed and the crime scene is reproduced. The evidence chains obtained with this method are accurate, complete and consistent with the actual situation, which helps to understand the intruder's motivation and process at the macroscopic level, improves the efficiency of network forensics, and provides reliable data references for network forensics.
The embodiments in this specification are described progressively; each embodiment focuses on its differences from the others, and the same or similar parts of the embodiments may refer to each other. Since the device disclosed in the embodiments corresponds to the method disclosed in the embodiments, its description is relatively brief, and the relevant points can be found in the description of the method.
The units and method steps of the examples described in connection with the embodiments disclosed herein can be implemented in electronic hardware, computer software, or a combination of the two. To illustrate the interchangeability of hardware and software clearly, the composition and steps of each example have been described above generally in terms of function. Whether these functions are executed in hardware or in software depends on the specific application and design constraints of the technical solution. Those of ordinary skill in the art may use different methods to implement the described functions for each specific application, but such an implementation should not be considered beyond the scope of the invention.
Those of ordinary skill in the art will appreciate that all or part of the steps of the above method can be completed by a program instructing the related hardware, and the program can be stored in a computer-readable storage medium such as a read-only memory, a magnetic disk or an optical disc. Optionally, all or part of the steps of the above embodiments can also be implemented with one or more integrated circuits; correspondingly, each module/unit in the above embodiments can take the form of hardware or of a software functional module. The invention is not limited to any particular form of combination of hardware and software.
The above description of the disclosed embodiments enables those skilled in the art to make or use the application. Various modifications to these embodiments will be readily apparent to those skilled in the art, and the general principles defined herein can be implemented in other embodiments without departing from the spirit or scope of the application. Therefore, the application is not intended to be limited to the embodiments shown herein, but is to be accorded the widest scope consistent with the principles and novel features disclosed herein.

Claims (10)

1. A network forensics method based on alert aggregation, characterised by comprising:
A) constructing an attack graph; and obtaining the intrusion detection data of key network nodes, and using the intrusion detection data as the alarm evidence set for network forensics analysis;
B) mapping the alarm evidence in the alarm evidence set into the attack graph and obtaining alarm evidence chains;
C) clustering the alarm evidence chains to construct network intrusion scenarios and restore the network crime scene.
2. The network forensics method based on alert aggregation according to claim 1, characterised in that in A), a directed acyclic graph is constructed as the attack graph by enumerating all intrusion paths of the attacker; and the alarm evidence set is obtained by analysing and capturing data packets with the open-source intrusion detection systems at each key network node.
3. The network forensics method based on alert aggregation according to claim 1, characterised in that in B), the type, source address and destination address attributes of the alarm evidence are selected in order to locate and associate the alarm evidence with the corresponding attack-graph node; alarm evidence chains are retrieved from the alarm evidence generated by the attacker's attack steps, and the alarm evidence chain is taken as the minimum unit for constructing intrusion scenarios.
4. The network forensics method based on alert aggregation according to claim 3, characterised in that in B), retrieving alarm evidence chains from the alarm evidence generated by the attacker's attack steps comprises: first, setting the alarm evidence chain set to the empty set; then, for each alarm evidence in the alarm evidence set, judging whether it already exists in the alarm evidence chain set; if not, adding a new alarm evidence chain to the alarm evidence chain set and adding the alarm evidence to that new chain; if so, adding the alarm evidences of the alarm evidence set one by one to the alarm evidence chain according to the parent-child relationship of their generation times, so that each alarm evidence in the alarm evidence chain has a front-to-back causal relationship, until the length of the alarm evidence chain no longer increases, at which point the alarm evidence chain is incorporated into the alarm evidence chain set.
5. The network forensics method based on alert aggregation according to claim 1, characterised in that in C), the similarity between alarm evidence chains is obtained and similar alarm evidence chains are clustered to construct a preliminary intrusion scenario set; every two intrusion scenarios in the preliminary intrusion scenario set are merged and spliced according to their joining relation, achieving the complete construction of intrusion scenarios and restoring the network crime scene.
6. The network forensics method based on alert aggregation according to claim 5, characterised in that in C), constructing the preliminary intrusion scenario set comprises: first, setting the preliminary intrusion scenario set to the empty set; then, for each alarm evidence chain in the alarm evidence chain set, finding in the preliminary intrusion scenario set the intrusion scenario whose alarm evidence chains have the maximum similarity with that alarm evidence chain; judging whether the maximum similarity between that alarm evidence chain and the alarm evidence chains of the found intrusion scenario is greater than the aggregation-condition threshold; if so, adding the alarm evidence chain to that intrusion scenario; otherwise, creating a new intrusion scenario, adding the alarm evidence chain to it, and adding the new intrusion scenario to the preliminary intrusion scenario set; until every alarm evidence chain in the alarm evidence chain set has been processed.
7. The network forensics method based on alert aggregation according to claim 5, characterised in that in C), merging and splicing intrusion scenarios comprises: based on the temporal precedence relationship and the progressive relationship in behaviour between two intrusion scenarios, determining whether the two are sub-scenarios produced by the fracture of the same attack scenario and obtaining their joining relation, and obtaining the distance between the two intrusion scenarios from the joining relation; setting the final output set of completely constructed intrusion scenarios to the empty set; for an intrusion scenario in the preliminary intrusion scenario set, choosing from the preliminary set another intrusion scenario at the smallest distance from it, computing the minimum distance between alarm evidence in the two scenarios, and denoting the two alarm evidences attaining that minimum distance, one in each scenario, as alarm evidence a and a'; taking a and a' as the head and tail nodes, and following the causal relationships between alarm evidences belonging to the same intrusion scenario, filling in the corresponding alarm evidence to form an alarm evidence chain, and establishing a newly added intrusion scenario from that chain; merging the newly added intrusion scenario, the intrusion scenario and the other intrusion scenario into a new intrusion scenario, adding it to the preliminary intrusion scenario set, and removing the intrusion scenario and the other intrusion scenario; until no two intrusion scenarios in the preliminary intrusion scenario set have a joining relation.
8. The network forensics method based on alert aggregation according to claim 7, characterised in that in C), obtaining the distance between two intrusion scenarios from the joining relation comprises: from the destination address of one alarm evidence and the source address of another alarm evidence, obtaining the distance in the attack graph between the attack nodes to which the two alarm evidences correspond; and obtaining the distance between the two corresponding intrusion scenarios from that distance.
9. A network forensics device based on alert aggregation, characterised by comprising a data collection module, an evidence chain building module and a scene recovery module, wherein:
the data collection module is for constructing an attack graph, and for obtaining the intrusion detection data of key network nodes and using that data as the alarm evidence set for network forensics analysis;
the evidence chain building module is for mapping the alarm evidence in the alarm evidence set into the attack graph and obtaining alarm evidence chains;
the scene recovery module is for clustering the alarm evidence chains to construct network intrusion scenarios and restore the network crime scene.
10. The network forensics device based on alert aggregation according to claim 9, characterised in that the scene recovery module comprises a scenario building submodule and a scene merging submodule, wherein:
the scenario building submodule is for obtaining the similarity between alarm evidence chains, clustering similar alarm evidence chains by that similarity, and constructing the preliminary intrusion scenario set;
the scene merging submodule is for merging and splicing every two intrusion scenarios in the preliminary intrusion scenario set according to their joining relation, achieving the complete construction of intrusion scenarios and restoring the network crime scene.
CN201811063114.5A 2018-09-12 2018-09-12 Network evidence obtaining method and device based on alarm aggregation Active CN109218305B (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN201811063114.5A CN109218305B (en) 2018-09-12 2018-09-12 Network evidence obtaining method and device based on alarm aggregation

Publications (2)

Publication Number Publication Date
CN109218305A true CN109218305A (en) 2019-01-15
CN109218305B CN109218305B (en) 2020-12-08

Family

ID=64983723

Country Status (1)

Country Link
CN (1) CN109218305B (en)

Cited By (1)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN111787024A (en) * 2020-07-20 2020-10-16 Zhejiang Jundun Information Technology Co., Ltd. Network attack evidence collection method, electronic device and storage medium

Citations (5)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN1567852A (en) * 2004-03-29 2005-01-19 Sichuan University Network monitoring and dynamic evidence obtaining system and method
CN105959328A (en) * 2016-07-15 2016-09-21 Beijing University of Technology Evidence graph and vulnerability reasoning combined network evidence collection method and system
CN108282460A (en) * 2017-12-19 2018-07-13 Institute of Information Engineering, Chinese Academy of Sciences Evidence chain generation method and device for network security incidents
CN108418843A (en) * 2018-06-11 2018-08-17 Information Engineering University of PLA Strategic Support Force Network attack target identification method and system based on attack graph
CN108494810A (en) * 2018-06-11 2018-09-04 Information Engineering University of PLA Strategic Support Force Attack-oriented network security situation prediction method, apparatus and system

Non-Patent Citations (3)

* Cited by examiner, † Cited by third party
Title
Noel S., Robertson E., Jajodia S.: "Correlating Intrusion Events and Building Attack Scenarios Through Attack Graph Distances", Computer Security Applications Conference *
Shen Jiang et al.: "Multi-attribute group decision making with evidence chain fusion reasoning under entity heterogeneity", Acta Automatica Sinica *
Dong Xiaomei et al.: "Network forensics analysis technology based on scenario reconstruction and alert aggregation", Control and Decision *

Also Published As

Publication number Publication date
CN109218305B (en) 2020-12-08

Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination
GR01 Patent grant