CN109218305B - Network evidence obtaining method and device based on alarm aggregation - Google Patents

Publication number: CN109218305B
Application number: CN201811063114.5A
Authority: CN (China)
Legal status: Active
Other versions: CN109218305A (original language: Chinese)
Prior art keywords: alarm, intrusion, evidence, scene, chain
Inventors: 张玉臣, 胡浩, 张红旗, 汪永伟, 刘小虎, 张任川, 杨峻楠
Assignee (original and current): Information Engineering University of PLA Strategic Support Force

Classifications (CPC)

    • H04L 63/1416: Network security, detecting or protecting against malicious traffic by monitoring network traffic; event detection, e.g. attack signature detection
    • H04L 63/145: Countermeasures against malicious traffic where the attack involves the propagation of malware through the network, e.g. viruses, trojans or worms
    • H04L 63/20: Network architectures or network communication protocols for managing network security; network security policies in general

Abstract

The invention belongs to the technical field of network security and relates in particular to a network forensics method and device based on alarm aggregation. The method comprises the following steps: constructing an attack graph; obtaining intrusion detection data from key network nodes and using it as the alarm evidence set for network forensic analysis; mapping each alarm in the alarm evidence set onto the attack graph and deriving alarm evidence chains; clustering the alarm evidence chains, constructing network intrusion scenes and thereby reconstructing the network crime scene. The method addresses the false negatives and false positives that arise when an intrusion detection system is used as the source of network forensic evidence: through alarm evidence mapping, evidence chain generation, evidence chain clustering and intrusion scene construction, the complete picture of an attacker's intrusion is presented accurately and completely, and the efficiency of network forensics is improved. The alarm data associated with an intrusion scene becomes important electronic evidence, is practical and operable, and provides a reliable basis for collecting network evidence, reconstructing the crime scene and supporting litigation.

Description

Network evidence obtaining method and device based on alarm aggregation
Technical Field
The invention belongs to the technical field of network security, and particularly relates to a network forensics method and device based on alarm aggregation.
Background
As attack techniques keep improving and attack tools and methods evolve, criminal offences committed through computer networks are becoming more serious, and network forensics is of great importance in combating network crime. Network forensics is dynamic in nature: evidence is collected while an attack event is in progress or while the evidence data is in transit, and the crime scene of the network attack is reconstructed from the collected alarm evidence so as to provide accurate and effective evidence for litigation.
At present there are two main approaches to network forensics: one based on honey traps and one based on analysing the alarms of an intrusion detection system. Honeypots and honeynets are trap technologies; a trap system presents non-authentic information, whose value as evidence is questionable. The second approach analyses intrusion detection alarms and reconstructs the series of attack steps taken by the intruder from the collected evidence; most current network forensics methods adopt it. However, the accuracy of the forensic result is bounded by the accuracy of the intrusion detection system, and eliminating the influence of false-positive and false-negative evidence on the result is the hard problem these methods face. Moreover, intrusion detection works on captured fragments of network data, so the collected evidence is likely to be incomplete. Removing redundant alarms and supplementing missing evidence so as to eliminate the effect of false positives and false negatives, guaranteeing the integrity of evidence chains, and identifying the one or more intrusion evidence chains that belong to the same crime scene so that the whole intrusion is reflected, is therefore the technical problem that urgently needs to be solved.
Disclosure of Invention
The invention therefore provides a network forensics method and device based on alarm aggregation that reconstruct the network crime scene by performing evidence mapping, evidence chain generation, evidence chain clustering and intrusion scene construction on alarm data, and that are practical and operable.
According to the design provided by the invention, the alarm aggregation based network forensics method comprises the following steps:
A) constructing an attack graph; obtaining intrusion detection data from key network nodes and using it as the alarm evidence set for network forensic analysis;
B) mapping the alarms in the alarm evidence set onto the attack graph and deriving alarm evidence chains;
C) clustering the alarm evidence chains, constructing network intrusion scenes and reconstructing the network crime scene.
In step A), a directed acyclic graph that enumerates all intrusion paths of the attacker is constructed and used as the attack graph, and the alarm evidence set is obtained by capturing and analysing packets with an open-source intrusion detection system deployed at each key node of the network.
In step B), the Type, source address and destination address attributes of each alarm are selected and the alarm is located and associated with the corresponding attack graph node; alarm evidence chains are then derived from the sequence of alarms generated by the attacker's attack steps, and the alarm evidence chain is taken as the minimum unit for constructing an intrusion scene.
Preferably, deriving the alarm evidence chains from the alarm sequence in step B) comprises: first setting the alarm evidence chain set to the empty set; then, for each alarm in the alarm evidence set, checking whether it already belongs to some chain in the set and, if not, creating a new alarm evidence chain in the set and adding the alarm to it; other alarms from the alarm evidence set are then added to this chain one by one according to the temporal parent-child relationship between alarms, so that consecutive alarms in the chain stand in a causal relationship, until the length of the chain no longer increases, whereupon the chain is merged into the alarm evidence chain set.
In step C), the similarity between alarm evidence chains is computed, similar chains are clustered, and a preliminary intrusion scene set is constructed; pairs of intrusion scenes in the preliminary set are then merged and spliced according to the linking relationship between them, so that the intrusion scenes are completely constructed and the network crime scene is recovered.
Preferably, constructing the preliminary intrusion scene set in step C) comprises: first setting the preliminary intrusion scene set to the empty set; then, for each alarm evidence chain in the alarm evidence chain set, finding in the preliminary set the intrusion scene whose chains have the greatest similarity to it; if that maximum similarity exceeds the aggregation threshold, adding the chain to that scene; otherwise creating a new intrusion scene, adding the chain to it and adding the new scene to the preliminary set; until every chain in the alarm evidence chain set has been processed.
Preferably, merging and splicing the intrusion scenes in step C) comprises: judging, from the temporal precedence and the behavioural progression between two intrusion scenes, whether they are two sub-scenes produced by the breaking of the same attack scene, obtaining the linking relationship between the two sub-scenes, and obtaining the distance between the two scenes from that relationship; setting the final, completely constructed intrusion scene set to the empty set; for an intrusion scene in the preliminary set, selecting the other scene in the set at minimum distance from it, computing the minimum distance between the alarms of the two scenes, and recording the two alarms that achieve it as a and a'; taking a and a' as head and tail nodes, supplementing the corresponding alarms according to the causal relationship among alarms belonging to the same intrusion scene so as to form an alarm evidence chain, and building a newly-added intrusion scene from that chain; combining the newly-added scene with the two original scenes into a new intrusion scene, adding the new scene to the preliminary set and removing the two original scenes; and repeating until no two scenes in the preliminary set have a linking relationship any more.
Further, obtaining the distance between two intrusion scenes from the linking relationship in step C) comprises: from the destination address of one alarm and the source address of the other, obtaining the distance on the attack graph between the attack nodes corresponding to the two alarms, and deriving the distance between the two intrusion scenes from that distance.
An alarm aggregation based network forensics device comprises a data collection module, an evidence chain construction module and a scene restoration module, wherein
the data collection module constructs the attack graph and obtains intrusion detection data from key network nodes as the alarm evidence set for network forensic analysis;
the evidence chain construction module maps the alarms in the alarm evidence set onto the attack graph and derives alarm evidence chains;
and the scene restoration module clusters the alarm evidence chains, constructs network intrusion scenes and recovers the network crime scene.
In the above device, the scene restoration module comprises a scene construction sub-module and a scene merging sub-module, wherein
the scene construction sub-module computes the similarity between alarm evidence chains and clusters similar chains by that similarity to construct a preliminary intrusion scene set;
and the scene merging sub-module merges and splices pairs of intrusion scenes in the preliminary set according to the linking relationship between them, so that the intrusion scenes are completely constructed and the network crime scene is recovered.
The invention has the beneficial effects that:
the invention addresses the false negatives and false positives that arise when an intrusion detection system is used for network forensics. By reconstructing the evidence chains of the intrusion process, the alarm evidence is subjected in turn to alarm evidence mapping, evidence chain generation, evidence chain clustering and intrusion scene construction, and the crime scene is reproduced, so that the intruder's motive and course of action can be understood at the macro level, the complete picture of the intrusion is presented accurately and completely, and the efficiency of network forensics is improved. The alarm data associated with an intrusion scene becomes important electronic evidence, is practical and operable, and provides a reliable basis for collecting network evidence, reconstructing the crime scene and supporting litigation.
Description of the drawings:
FIG. 1 is a schematic diagram of a network forensics process in an embodiment;
FIG. 2 is a schematic diagram of an exemplary network forensics apparatus;
FIG. 3 is an example of an attack graph in an embodiment;
FIG. 4 is a schematic diagram of the network forensics operation in the embodiment.
The specific embodiments are as follows:
In order to make the objects, technical solutions and advantages of the present invention clearer, the invention is described in further detail below with reference to the accompanying drawings and technical solutions. The technical terms used in the embodiments are introduced below.
At present, because intrusion detection relies on captured fragments of network data, the network alarm evidence obtained is likely to be incomplete. To address this, an embodiment of the present invention provides a network forensics method based on alarm aggregation which, as shown in FIG. 1, comprises:
A) constructing an attack graph; obtaining intrusion detection data from key network nodes and using it as the alarm evidence set for network forensic analysis;
B) mapping the alarms in the alarm evidence set onto the attack graph and deriving alarm evidence chains;
C) clustering the alarm evidence chains, constructing network intrusion scenes and reconstructing the network crime scene.
In the above, a directed acyclic graph enumerating all intrusion paths of the attacker is constructed as the attack graph, and the alarm evidence set is obtained by capturing and analysing packets with an open-source intrusion detection system at each key node of the network. The attack graph, an example of which is shown in FIG. 3, enumerates all possible intrusion paths of an attacker and is the technical basis of attack-oriented network forensics. It can be formalised as $AG = (N, E)$, where:
1) $N$ is the node set, $N = S \cup A$. Here $S = \{s_i \mid i = 1, \dots, n\}$ is the set of state nodes; the variable $s_i$ denotes whether a resource or privilege in the network has been illegitimately taken and takes the value 1 or 0, meaning that the attacker does or does not hold that resource. $A = \{at_i \mid i = 1, \dots, m\}$ is the set of attack action nodes; the variable $at_i$ takes the value 1 or 0, meaning that the attack action has or has not occurred.
2) $E$ is the set of directed edges, $E = E_1 \cup E_2$, where
$E_1 \subseteq S \times A$
is the set of edges representing the subsequent attack actions that the attacker may launch after holding certain resources or privileges, and
$E_2 \subseteq A \times S$
is the set of edges representing that an attack action may result in the attacker holding new resources or escalating privileges. Based on the attack graph, alarm evidence mapping is performed first: the collected alarm evidence is mapped into the attack graph, giving an initial picture of the intrusion; the mapped alarm evidence set is then used to output attack evidence chains reflecting one or more intrusion paths in the network; similar evidence chains are clustered to obtain preliminary crime scenes; finally, the integrity of each crime scene is checked and scenes that may have been broken apart are spliced together by supplementing the corresponding false-negative (missed) evidence, restoring the complete crime scene.
An alarm corresponds to an attack, and alarm mapping is the process of mapping each alarm to the corresponding node of the attack graph. Through alarm evidence mapping, the attribution and distribution of the alarm evidence is shown intuitively and the crime scene is presented in outline. The correspondence between an alarm and an attack node is embodied mainly in the alarm type Type, the source address SrcIP and the destination address DstIP. In one embodiment of the invention, these three attributes of each alarm are selected and the alarm is located and associated with the corresponding attack graph node; alarm evidence chains are then derived from the alarm sequence generated by the attacker's attack steps and taken as the minimum unit for constructing an intrusion scene. Selecting Type, SrcIP and DstIP allows each alarm to be located precisely on an attack node through a mapping from the alarm evidence set to the attack node set. The function map is this mapping from the set of alarms to the set of attack nodes; if alarm $a$ is mapped to attack node $at$, then $at = map(a)$. The mapping can be expressed by the following formula.
[Formula image not recoverable from the page; it expresses $map(a)$ in terms of the Type, SrcIP and DstIP attributes described above.]
The alarm evidence chain is the minimum unit for constructing an intrusion scene. An evidence chain corresponds to one intrusion path of the attacker, which may be a successful path reaching the target or a failed path that does not reach it. The evidence chain is the sequence of alarms generated by a number of attack steps and is written $AQ = \langle a_1, a_2, \dots, a_n \rangle$, where $a_i$ is the $i$-th alarm and $a_i \circ R_P \circ a_{i+1}$ holds for $1 \le i < n$, $R_P$ being the temporal parent-child relationship between alarms. Deriving the alarm evidence chains from the alarm sequence generated by the attacker's attack steps comprises: first setting the alarm evidence chain set to the empty set; then, for each alarm in the alarm evidence set, checking whether it already belongs to some chain in the set and, if not, creating a new alarm evidence chain in the set and adding the alarm to it; other alarms from the alarm evidence set are then added to this chain one by one according to the temporal parent-child relationship between alarms, so that consecutive alarms in the chain stand in a causal relationship, until the length of the chain no longer increases, whereupon the chain is merged into the alarm evidence chain set. The alarm evidence chain generation algorithm can be designed as follows:
Algorithm 1: Evidence chain generation
Input: the mapped alarm evidence set $Alerts$
Output: the evidence chain set $AQue = \{AQ_1, AQ_2, \dots\}$
Step 1: Set the evidence chain set $AQue$ to the empty set; let $i = 1$ and $j = 1$.
Step 2: For $a_i \in Alerts$, if $a_i \notin \bigcup_{Aq \in AQue} Aq$ (the alarm belongs to no chain yet), create a new evidence chain $Aq_j$ and add $a_i$ to $Aq_j$; otherwise go to Step 6.
Step 3: According to the temporal parent-child relationship $R_P$ between alarms, add alarms from $Alerts$ to the evidence chain $Aq_j$ so that the alarms in $Aq_j$ stand in a causal relationship with their predecessors and successors.
Step 4: Repeat Step 3 until the length of $Aq_j$ no longer increases.
Step 5: Merge the evidence chain $Aq_j$ into the evidence chain set $AQue$; let $j = j + 1$.
Step 6: If $i < |Alerts|$, let $i = i + 1$ and go to Step 2; otherwise the iteration ends.
Step 7: Output the evidence chain set $AQue$; the algorithm ends.
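The mapping and chain-generation steps above can be implemented directly. The following Python example is added here and is not code from the patent. The attack graph, the alert records and the concrete rule used for the temporal parent-child relationship R_P (alert a is a parent of alert b when a occurs earlier and map(a) -> s -> map(b) is a two-edge path through one state node of the attack graph) are constructed assumptions, since the text does not specify R_P beyond "temporal parent-child relationship". Alerts that map to no attack node, i.e. IDS false positives, are left out of every chain, and an alarm may appear in more than one chain when the intrusion paths share a prefix.

```python
"""Algorithm 1 (alarm mapping and evidence chain generation), added example.
All graph data, alert records and the concrete R_P rule are constructed assumptions."""
from dataclasses import dataclass


@dataclass(frozen=True)
class Alert:
    aid: str   # alert identifier
    type: str  # IDS signature / alarm type
    src: str   # SrcIP
    dst: str   # DstIP
    ts: int    # constructed timestamp (seconds)


# Constructed attack graph AG = (N, E), N = S ∪ A.  An attack node at is
# characterised by (Type, SrcIP, DstIP); E1 ⊆ S×A, E2 ⊆ A×S.
ATTACK_NODES = {
    "at1": ("PortScan", "10.0.0.5", "10.0.1.10"),
    "at2": ("SSH-BruteForce", "10.0.0.5", "10.0.1.10"),
    "at3": ("Lateral-SMB", "10.0.1.10", "10.0.2.20"),
    "at4": ("DataExfil", "10.0.2.20", "203.0.113.9"),
}
E1 = {("s0", "at1"), ("s1", "at2"), ("s2", "at3"), ("s3", "at4")}  # state enables attack
E2 = {("at1", "s1"), ("at2", "s2"), ("at3", "s3"), ("at4", "s4")}  # attack yields state

# Constructed IDS output.  a5 matches no attack node (a false positive);
# a6 is a second brute-force alarm that opens an alternative path.
ALERTS = [
    Alert("a1", "PortScan", "10.0.0.5", "10.0.1.10", 100),
    Alert("a5", "ICMP-Ping", "192.0.2.1", "10.0.1.10", 150),
    Alert("a2", "SSH-BruteForce", "10.0.0.5", "10.0.1.10", 200),
    Alert("a6", "SSH-BruteForce", "10.0.0.5", "10.0.1.10", 250),
    Alert("a3", "Lateral-SMB", "10.0.1.10", "10.0.2.20", 300),
    Alert("a4", "DataExfil", "10.0.2.20", "203.0.113.9", 400),
]


def map_alert(a):
    """map: Alerts -> A.  Match on (Type, SrcIP, DstIP); None when the alarm
    corresponds to no attack node."""
    for node, attrs in ATTACK_NODES.items():
        if attrs == (a.type, a.src, a.dst):
            return node
    return None


def successor_attacks(at):
    """Attack nodes reachable from at through exactly one state node (E2 then E1)."""
    states = {s for (x, s) in E2 if x == at}
    return {y for (s, y) in E1 if s in states}


def parent_child(a, b):
    """Assumed R_P: a precedes b in time and map(b) directly follows map(a)."""
    ma, mb = map_alert(a), map_alert(b)
    return ma is not None and mb is not None and a.ts < b.ts and mb in successor_attacks(ma)


def generate_chains(alerts):
    """Algorithm 1: return AQue as a list of chains, each a time-ordered list of Alert."""
    mapped = sorted((a for a in alerts if map_alert(a) is not None), key=lambda x: (x.ts, x.aid))
    aque = []
    for a in mapped:
        if any(a in chain for chain in aque):       # Step 2: seed only alarms in no chain yet
            continue
        chain = [a]
        while True:                                  # Steps 3-4: grow until length is stable
            before = len(chain)
            parents = [p for p in mapped if p not in chain and parent_child(p, chain[0])]
            if parents:                              # latest parent extends the head
                chain.insert(0, max(parents, key=lambda x: x.ts))
            children = [c for c in mapped if c not in chain and parent_child(chain[-1], c)]
            if children:                             # earliest child extends the tail
                chain.append(min(children, key=lambda x: x.ts))
            if len(chain) == before:
                break
        aque.append(chain)                           # Step 5
    return aque


if __name__ == "__main__":
    for k, chain in enumerate(generate_chains(ALERTS), 1):
        print(f"AQ{k}:", " -> ".join(f"{a.aid}[{map_alert(a)}]" for a in chain))
```

On the constructed input this yields two chains, a1-a2-a3-a4 and a1-a6-a3-a4, because the two brute-force alarms each continue the scan and each leads to the same lateral movement and exfiltration; the false-positive ping a5 appears in neither.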
In an intrusion, the next attack action is usually based on the resources or privileges already held, and the attacker does not voluntarily give up what has been acquired, so an intrusion resembles a depth-first search of the attack graph. An intrusion scene is the set of evidence chains of all attack sequences generated in one intrusion and is written $AS = \{AQ_1, AQ_2, \dots, AQ_n\}$. Evidence chains belonging to the same attack scene therefore share certain attack steps and exhibit similarity, and the initial construction of the intrusion scene can be achieved by clustering evidence chains. Accordingly, in another embodiment of the invention, the similarity between alarm evidence chains is computed and similar chains are clustered to construct a preliminary intrusion scene set; pairs of scenes in the preliminary set are then merged and spliced according to the linking relationship between them, so that the intrusion scenes are completely constructed and the network crime scene is recovered.
In an attack, two evidence chains belonging to the same attack process do not necessarily have the same length, and the alarms at corresponding positions in the two chains do not necessarily correspond to each other. Taking the complexity of evidence chains and the reality of attacks into account, the similarity between evidence chains is defined using sequence alignment. An operation set $\Omega = \{add(a, i), del(i), place(a, i)\}$ is introduced, where $add(a, i)$ inserts alarm $a$ before the $i$-th element of the evidence chain, $del(i)$ deletes the $i$-th element, and $place(a, i)$ replaces the $i$-th element with $a$; each of the three operations has cost 1. On this basis, the similarity between two sequences is measured by the cost of the operations converting one sequence into a sub-chain of the other. The similarity between evidence chains $AQ_1$ and $AQ_2$ is then defined as follows:
[Formula image not recoverable from the page; $Sim(AQ_1, AQ_2)$ is expressed in terms of $C(AQ_1, AQ_2)$, $L(AQ_1)$ and $L(AQ_2)$ defined below.]
where $C(AQ_1, AQ_2)$ denotes the cost of converting evidence chain $AQ_1$ into a sub-chain of $AQ_2$, and $L(AQ_1)$ and $L(AQ_2)$ denote the lengths of $AQ_1$ and $AQ_2$, i.e. the number of alarms each contains.
Preferably, constructing the preliminary intrusion scene set comprises: first setting the preliminary intrusion scene set to the empty set; then, for each alarm evidence chain in the alarm evidence chain set, finding in the preliminary set the intrusion scene whose chains have the greatest similarity to it; if that maximum similarity exceeds the aggregation threshold, adding the chain to that scene; otherwise creating a new intrusion scene, adding the chain to it and adding the new scene to the preliminary set; until every chain in the alarm evidence chain set has been processed. On the basis of evidence chain similarity, the alarm evidence chains are clustered by the following algorithm to construct the intrusion scenes initially:
Algorithm 2: Evidence chain clustering
Input: the evidence chain set $AQue = \{AQ_1, AQ_2, \dots\}$
Output: the initially constructed intrusion scene set $AScenario = \{AS_1, AS_2, \dots\}$
Step 1: Set the intrusion scene set $AScenario$ to the empty set; let $i = 1$.
Step 2: For $AQ_i \in AQue$, find in $AScenario$ the scene $AS_j$ satisfying $AS_j = \arg\max_j Sim'(AQ_i, AS_j)$.
Step 3: If $Sim'(AQ_i, AS_j) > \eta$, add $AQ_i$ to scene $AS_j$; otherwise create a new scene $AS_{new}$, add $AQ_i$ to $AS_{new}$ and add $AS_{new}$ to $AScenario$.
Step 4: If every evidence chain in $AQue$ has been processed, the iteration ends; otherwise let $i = i + 1$ and go to Step 2.
Step 5: Output the scene set $AScenario = \{AS_1, AS_2, \dots\}$; the algorithm ends.
In Algorithm 2, the function $Sim'(AQ_i, AS_j)$ is the maximum similarity between the evidence chain $AQ_i$ and the evidence chains in scene $AS_j$, i.e. $Sim'(AQ_i, AS_j) = \max_{AQ_j \in AS_j} Sim(AQ_i, AQ_j)$; the parameter $\eta$ is the threshold deciding whether an evidence chain satisfies the aggregation condition and is usually set to 0.6.
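To make the similarity definition and Algorithm 2 concrete, the following Python example is added (it is not code from the patent). Because the page does not preserve the similarity formula, the example assumes Sim(AQ1, AQ2) = 1 - C(AQ1, AQ2) / max(L(AQ1), L(AQ2)) and reads "sub-chain of AQ2" as a contiguous sub-sequence of AQ2, so that C(AQ1, AQ2) is the cost of a fitting alignment computed by dynamic programming with the three unit-cost operations add, del and place; both are assumptions. Each alarm is represented by the attack node it maps to, so that the operations compare attack steps rather than raw alert records, and the input chains are constructed.

```python
"""Algorithm 2 (evidence chain similarity and clustering), added example.
Chains are sequences of attack-node identifiers, i.e. map() applied to each alarm.
The normalisation of Sim and the reading of "sub-chain" as a contiguous
sub-sequence are assumptions, not taken from the patent text."""


def conversion_cost(aq1, aq2):
    """C(AQ1, AQ2): minimum number of unit-cost add/del/place operations that turn
    AQ1 into some contiguous sub-chain of AQ2.  Dynamic programme of a fitting
    alignment: the match may begin and end anywhere in AQ2 at no cost."""
    n, m = len(aq1), len(aq2)
    # dp[i][j] = cost of turning aq1[:i] into a sub-chain of aq2 ending at position j
    dp = [[0] * (m + 1) for _ in range(n + 1)]   # dp[0][j] = 0: free start anywhere in aq2
    for i in range(1, n + 1):
        dp[i][0] = i                               # nothing left in aq2: delete all of aq1[:i]
        for j in range(1, m + 1):
            dp[i][j] = min(
                dp[i - 1][j] + 1,                              # del(i)
                dp[i][j - 1] + 1,                              # add(aq2[j-1], i)
                dp[i - 1][j - 1] + (aq1[i - 1] != aq2[j - 1]),  # match, or place(aq2[j-1], i)
            )
    return min(dp[n])                              # free end anywhere in aq2


def similarity(aq1, aq2):
    """Sim(AQ1, AQ2) = 1 - C(AQ1, AQ2) / max(L(AQ1), L(AQ2))  (assumed normalisation)."""
    longest = max(len(aq1), len(aq2))
    return 1.0 if longest == 0 else 1.0 - conversion_cost(aq1, aq2) / longest


def scene_similarity(aq, scene):
    """Sim'(AQ_i, AS_j): maximum similarity of AQ_i to any chain of scene AS_j."""
    return max(similarity(aq, other) for other in scene)


def cluster_chains(aque, eta=0.6):
    """Algorithm 2: greedy clustering of AQue into the preliminary scene set AScenario."""
    ascenario = []
    for aq in aque:                                              # Step 2: best-matching scene
        if ascenario:
            best = max(ascenario, key=lambda scene: scene_similarity(aq, scene))
            if scene_similarity(aq, best) > eta:                 # Step 3: aggregation condition
                best.append(aq)
                continue
        ascenario.append([aq])                                   # otherwise open a new scene
    return ascenario


# Constructed input: AQ1 and AQ2 differ in one step (two brute-force alarms on the
# same path), AQ3 is an unrelated intrusion against another host.
CHAINS = [
    ["at1", "at2", "at3", "at4"],
    ["at1", "at6", "at3", "at4"],
    ["at7", "at8"],
]

if __name__ == "__main__":
    for k, scene in enumerate(cluster_chains(CHAINS), 1):
        print(f"AS{k}: {scene}")
```

With eta = 0.6 the first two chains (one place operation, similarity 0.75) fall into one preliminary scene and the unrelated chain (similarity 0.5 to either) opens a second one. The order of the input chains matters for this greedy scheme, exactly as in Algorithm 2.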
If there exist
$a \in AS_i,\ b \in AS_j$
such that $a \circ R_A \circ b$ holds, the attack scenes $AS_i$ and $AS_j$ are said to have a linking relationship, written $AS_i \circ R_C \circ AS_j$. The linking relationship $R_C$ indicates that the two scenes $AS_i$ and $AS_j$ have a temporal precedence and a behavioural progression, so they may be two sub-scenes formed by the breaking of the same attack scene. If $AS_1$ and $AS_2$ are two sub-scenes formed by the breaking of the same intrusion scene $AS$, then $AS_1$ and $AS_2$ satisfy the following two conditions:
a. $AS_1$ and $AS_2$ have a linking relationship, i.e. $AS_1 \circ R_C \circ AS_2$;
b. among all scenes that have a linking relationship with $AS_1$, $AS_2$ should be the closest to $AS_1$.
Condition b rests on the assumption that several consecutive false negatives (missed alarms) are a low-probability event. To measure how closely two scenes are linked, a method of computing the attack node distance and the alarm evidence distance is given first; on that basis the distance between scenes is defined, and the merging of intrusion scenes is then realised.
The distance between attack nodes $at_i$ and $at_j$ is defined as the number of state nodes passed through from $at_i$ to $at_j$, written $d_{at}(at_i, at_j)$; when $at_j$ is not reachable from $at_i$, $d_{at}(at_i, at_j) = \infty$.
The distance between alarms $a_1$ and $a_2$ is defined as follows: when the destination address DstIP of $a_1$ equals the source address SrcIP of $a_2$, $a_1$ and $a_2$ are said to satisfy the ancestral relationship $R_A$, and their distance equals the distance between the corresponding attack nodes $map(a_1)$ and $map(a_2)$; otherwise the distance between $a_1$ and $a_2$ is 0, i.e.:
$d_a(a_1, a_2) = \begin{cases} d_{at}(map(a_1), map(a_2)) & a_1 \circ R_A \circ a_2 \\ 0 & \text{otherwise} \end{cases}$
The distance $d_{AS}(AS_i, AS_j)$ between intrusion scenes $AS_i$ and $AS_j$ is defined as follows: when the scenes satisfy the linking relationship $R_C$, $d_{AS}(AS_i, AS_j)$ equals the minimum distance between the alarms of the two scenes; otherwise it is 0. That is:
$d_{AS}(AS_i, AS_j) = \begin{cases} \min d_a(a_i, a_j) & AS_i \circ R_C \circ AS_j \\ 0 & \text{otherwise} \end{cases}$
where $a_i \in AS_i$ and $a_j \in AS_j$. The distance between intrusion scenes represents the number of alarms that may be missing between the two scenes and also reflects the degree of association between them.
In another embodiment of the present invention, the merging and splicing of the intrusion scenes includes the following contents: judging whether the two intrusion scenes are two sub-scenes formed by breaking the same attack scene or not according to the time precedence relationship and the behavior progressive relationship of the two intrusion scenes, acquiring the connection relationship of the two sub-scenes, and acquiring the distance between the two intrusion scenes according to the connection relationship; setting the completely constructed final output intrusion scene as an empty set; aiming at one intrusion scene in the preliminary intrusion scene set, selecting another intrusion scene with the minimum distance from the intrusion scene from the preliminary intrusion scene set, calculating the minimum distance between alarm evidences in the intrusion scene and the other intrusion scene, and respectively recording the two alarm evidences in the two intrusion scenes with the minimum distance as alarm evidences a and a'; the alarm evidences a and a' are respectively used as head and tail nodes, corresponding alarm evidences are supplemented to form an alarm evidence chain according to the causal relationship among the alarm evidences belonging to the same intrusion scene, and the alarm evidence chain is utilized to establish a newly-added intrusion scene; combining the newly added intrusion scene, the intrusion scene and the other intrusion scene to form a new intrusion scene, adding the new intrusion scene into the preliminary intrusion scene set, and removing the intrusion scene and the other intrusion scene; until any two intrusion scenes in the preliminary intrusion scene set do not have a connection relation any more. 
Further, obtaining the distance between the two intrusion scenes according to the connection relationship includes the following: according to the destination address of one alarm evidence and the source address of the other, the distance between the corresponding attack nodes in the attack graph is obtained; the distance between the two intrusion scenes is then derived from this evidence distance. On the basis of this scene distance, the most closely linked scenes are combined according to their distance and the corresponding missing evidences are supplemented, achieving the complete construction of the intrusion scene; a specific algorithm can be designed as follows:
Algorithm 3: intrusion scene merging
Input: the preliminary scene set $AScenario = \{AS_1, AS_2, \ldots\}$ output by Algorithm 2
Output: the fully constructed scene set $AScenario' = \{AS_1', AS_2', \ldots\}$
Step 1: for $AS_i$ in $AScenario$, find $AS_j$ such that $AS_j = \arg\min d_{AS}(AS_i, AS_j)$.
Step 2: calculate $d_{AS}(AS_i, AS_j)$ and determine the alarm evidences $a$ and $a'$ satisfying $d_{AS}(AS_i, AS_j) = d_a(a, a')$, where $a \in AS_i$ and $a' \in AS_j$.
Step 3: according to the causal relationship among alarm evidences belonging to the same intrusion scene, supplement evidences $\{a_1, a_2, \ldots\}$ such that $\langle a, a_1, a_2, \ldots, a' \rangle$ becomes an evidence chain, and record $AS_{add} = \{a_1, a_2, \ldots\}$.
Step 4: record $AS_{new} = AS_i \cup AS_j \cup AS_{add}$, add $AS_{new}$ to $AScenario$, replacing $AS_i$ and $AS_j$.
Step 5: repeat the above steps until no two scenes $AS_i, AS_j$ in $AScenario$ have a connection relation any longer; let $AScenario' = AScenario$, output $AScenario'$, and end the algorithm.
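The merging procedure above, as an added worked example that is not part of the patent or its authors' code: a Python implementation of Algorithm 3 run over a small constructed attack graph. The attack graph, the alarm data, the evidence distance d_a as a hop count on the graph from one alarm's destination node to the next alarm's source node, and the requirement that a precede a' in time are all assumptions made here rather than details taken from the patent; the inferred evidences the code inserts play the role of the supplemented set AS_add.

```python
"""Added worked example, not code from the patent or its authors: Algorithm 3
(intrusion-scene merging) over a small constructed attack graph. Hypothetical
assumptions the patent leaves open: the attack graph is a DAG of host nodes; each
alarm evidence maps to one edge (src -> dst); d_a(a, a') is the hop count of the
shortest path from a.dst to a'.src when a precedes a' in time, else infinite; d_AS is
the minimum d_a over evidence pairs; two scenes are connected when d_AS is finite."""
from collections import deque
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

INF = float("inf")
Graph = Dict[str, List[str]]  # attack graph as adjacency lists (DAG)


@dataclass(frozen=True)
class Alarm:
    aid: str     # alarm identifier (constructed)
    atype: str   # alarm type, e.g. an IDS signature family
    src: str     # attack-graph node the attack step starts from
    dst: str     # attack-graph node the attack step reaches
    ts: float    # detection time in seconds (constructed)


def shortest_path(graph: Graph, start: str, goal: str) -> Optional[List[str]]:
    """BFS path of nodes from start to goal, or None when goal is unreachable."""
    queue, seen = deque([[start]]), {start}
    while queue:
        path = queue.popleft()
        if path[-1] == goal:
            return path
        for nxt in graph.get(path[-1], []):
            if nxt not in seen:
                seen.add(nxt)
                queue.append(path + [nxt])
    return None


def d_a(graph: Graph, a: Alarm, b: Alarm) -> float:
    """Evidence distance: hops a.dst -> b.src; INF if b does not follow a or no path."""
    if a.ts >= b.ts:
        return INF
    path = shortest_path(graph, a.dst, b.src)
    return INF if path is None else len(path) - 1


def d_as(graph: Graph, s1: List[Alarm], s2: List[Alarm]):
    """Scene distance (Step 2): minimum d_a over (a in s1, a' in s2) and the pair
    attaining it; evidences are visited in time order so ties resolve deterministically."""
    best, pair = INF, None
    for a in sorted(s1, key=lambda x: x.ts):
        for b in sorted(s2, key=lambda x: x.ts):
            d = d_a(graph, a, b)
            if d < best:
                best, pair = d, (a, b)
    return best, pair


def supplement(graph: Graph, a: Alarm, b: Alarm) -> List[Alarm]:
    """Step 3: one inferred evidence per attack-graph edge on the shortest path
    a.dst -> a'.src, so that <a, a_1, ..., a'> forms an evidence chain."""
    path = shortest_path(graph, a.dst, b.src)
    if path is None:
        return []
    edges = list(zip(path, path[1:]))
    step = (b.ts - a.ts) / (len(edges) + 1)   # spread inferred times between a and a'
    return [Alarm(f"inferred:{u}->{v}", "inferred", u, v, a.ts + step * (k + 1))
            for k, (u, v) in enumerate(edges)]


def merge_scenes(graph: Graph, scenes: List[List[Alarm]]) -> List[List[Alarm]]:
    """Steps 1-5: merge the closest connected pair of scenes (globally, rather than
    per scene as in the patent), add the supplemented evidences, and repeat until no
    two scenes are connected."""
    scenes = [list(s) for s in scenes]
    while True:
        best_d, best = INF, None
        for i, s1 in enumerate(scenes):
            for j, s2 in enumerate(scenes):
                if i == j:
                    continue
                d, pair = d_as(graph, s1, s2)
                if d < best_d:
                    best_d, best = d, (i, j, pair)
        if best is None:                 # Step 5: no connection relation remains
            return scenes
        i, j, (a, b) = best
        new_scene = scenes[i] + scenes[j] + supplement(graph, a, b)   # Step 4
        scenes = [s for k, s in enumerate(scenes) if k not in (i, j)] + [new_scene]


def example_merge() -> List[List[Alarm]]:
    """Constructed attack graph and preliminary scenes; the web->app step of the
    intrusion was never alerted on, so the merge has to supplement it."""
    graph: Graph = {"internet": ["web"], "web": ["app", "mail"], "app": ["db"],
                    "vpn": ["vpn-gw"]}
    scenes = [
        [Alarm("a1", "scan", "internet", "web", 100),
         Alarm("a2", "exploit", "internet", "web", 200)],
        [Alarm("a3", "exfil", "app", "db", 500)],
        [Alarm("a4", "lateral", "web", "mail", 150)],
        [Alarm("a5", "bruteforce", "vpn", "vpn-gw", 50)],   # unrelated activity
    ]
    return merge_scenes(graph, scenes)
```

Calling example_merge() yields two scenes: the four observed alarms of the intrusion plus one inferred web->app step, and the unrelated brute-force alarm left on its own, which is exactly the termination condition of Step 5. In a forensic record the inferred evidences should stay marked as inferred so that they are never confused with alarms the sensors actually produced.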
Based on the above method, an embodiment of the present invention further provides a network forensics apparatus based on alarm aggregation, as shown in fig. 2, including: a data collection module, an evidence chain construction module and a scene restoration module, wherein,
the data collection module is used for constructing an attack graph; intrusion detection data of network key nodes are obtained and are used as an alarm evidence set for network evidence obtaining analysis;
the evidence chain construction module is used for mapping the alarm evidence in the alarm evidence set to an attack graph and acquiring an alarm evidence chain;
and the scene recovery module is used for clustering the alarm evidence chains, constructing a network intrusion scene and recovering the network crime scene.
In the above apparatus, the scene recovery module comprises a scene construction sub-module and a scene merging sub-module, wherein,
the scene construction submodule is used for obtaining the similarity among the alarm evidence chains and obtaining similar alarm evidence chains for clustering by utilizing the similarity to construct a preliminary intrusion scene set;
and the scene merging submodule is used for merging and splicing every two intrusion scenes in the preliminary intrusion scene set according to the connection relationship between the two intrusion scenes, so that the complete construction of the intrusion scenes is realized, and the network crime scene is recovered.
In the invention, referring to fig. 4, starting from the alarm data generated by an intrusion detection system, effective alarm evidence is first extracted and the alarms are mapped into the attack graph, abstracting the behaviour of the different hosts; then, guided by the attack graph, attack-behaviour evidence chains are output from the mapped alarm set to reflect the intrusion paths existing in the network; similar evidence chains are clustered to obtain preliminary intrusion scenes; finally, missing alarms are supplemented where necessary by analysing the connection relationships among the sub-scenes, completing the intrusion scene and reproducing the crime scene. The evidence chain of the intrusion process obtained in this way is accurate and complete, accords with the actual situation, helps an analyst understand the intruder's motivation and process at a macroscopic level, improves the efficiency of network forensics and provides reliable data for network forensic reference.
The embodiments in the present description are described in a progressive manner, each embodiment focuses on differences from other embodiments, and the same and similar parts among the embodiments are referred to each other. The device disclosed by the embodiment corresponds to the method disclosed by the embodiment, so that the description is simple, and the relevant points can be referred to the method part for description.
The elements of the various examples and method steps described in connection with the embodiments disclosed herein may be embodied in electronic hardware, computer software, or combinations of both, and the components and steps of the examples have been described in a functional generic sense in the foregoing description for clarity of hardware and software interchangeability. Whether such functionality is implemented as hardware or software depends upon the particular application and design constraints imposed on the solution. Skilled artisans may implement the described functionality in varying ways for each particular application, but such implementation decisions should not be interpreted as causing a departure from the scope of the present invention.
Those skilled in the art will appreciate that all or part of the steps of the above methods may be implemented by instructing the relevant hardware through a program, which may be stored in a computer-readable storage medium, such as: read-only memory, magnetic or optical disk, and the like. Alternatively, all or part of the steps of the foregoing embodiments may also be implemented by using one or more integrated circuits, and accordingly, each module/unit in the foregoing embodiments may be implemented in the form of hardware, and may also be implemented in the form of a software functional module. The present invention is not limited to any specific form of combination of hardware and software.
The previous description of the disclosed embodiments is provided to enable any person skilled in the art to make or use the present application. Various modifications to these embodiments will be readily apparent to those skilled in the art, and the generic principles defined herein may be applied to other embodiments without departing from the spirit or scope of the application. Thus, the present application is not intended to be limited to the embodiments shown herein but is to be accorded the widest scope consistent with the principles and novel features disclosed herein.

Claims (10)

1. A network forensics method based on alarm aggregation is characterized by comprising the following contents:
A) enumerating all possible intrusion paths of an attacker, and constructing an attack graph; intrusion detection data of network key nodes are obtained and are used as an alarm evidence set for network evidence obtaining analysis;
B) mapping alarm evidence in the alarm evidence set to an attack graph, and acquiring an alarm evidence chain; taking an alarm evidence chain as a minimum unit for constructing an intrusion scene, wherein the alarm evidence chain corresponds to an intrusion path of an attacker and comprises a successful path reaching a target and a failed path not reaching the target;
C) clustering alarm evidence chains, wherein the evidence chains are composed of alarm evidence sequences generated in a plurality of attack steps, defining the similarity between the evidence chains through a sequence comparison technology, measuring the similarity between two sequences by using the operation cost of converting one sequence into a subsequence of another sequence, constructing a network intrusion scene, and recovering a network crime scene.
2. The alarm aggregation-based network forensics method according to claim 1, wherein in A), a directed acyclic graph is constructed as an attack graph by enumerating all intrusion paths of an attacker; and analyzing and capturing the data packet through the open source intrusion detection system of each key node of the network to obtain an alarm evidence set.
3. The alarm aggregation-based network forensics method according to claim 1, wherein in B), the type, source address and target address attribute of the alarm evidence are selected, and the alarm evidence is positioned and associated to the corresponding attack graph node; and acquiring an alarm evidence chain according to an alarm evidence sequence generated in the attack step of the attacker, and taking the alarm evidence chain as a minimum unit for constructing an intrusion scene.
4. The alarm aggregation-based network forensics method according to claim 3, wherein the chain of alarm evidence is obtained in B) according to the alarm evidence sequence generated in the attack step of the attacker, and the chain of alarm evidence comprises the following contents: firstly, setting an alarm evidence chain set as an empty set; then, judging whether each alarm evidence in the alarm evidence set exists in the alarm evidence chain set or not, if not, adding a new alarm evidence chain to the alarm evidence chain set, and adding the alarm evidence into the new alarm evidence chain; if the alarm evidence chain exists, the alarm evidences in the alarm evidence set are added into the alarm evidence chain one by one according to the parent-child relationship of the alarm evidence in time, so that each alarm evidence in the alarm evidence chain has a front-back causal relationship until the length of the alarm evidence chain does not increase any more, and the alarm evidence chain is merged into the alarm evidence chain set.
5. The alarm aggregation-based network forensics method according to claim 1, wherein in C), the similarity among alarm evidence chains is obtained, and the similar alarm evidence chains are clustered to construct a preliminary intrusion scene set; and merging and splicing every two intrusion scenes in the preliminary intrusion scene set according to the connection relationship of the two intrusion scenes, so as to realize the complete construction of the intrusion scenes and recover the network crime scene.
6. The alarm aggregation-based network forensics method according to claim 5, wherein a preliminary intrusion scene set is constructed in C), and the preliminary intrusion scene set comprises the following contents: firstly, setting a preliminary intrusion scene set as an empty set; then, aiming at the alarm evidence chain in the alarm evidence chain set, searching an intrusion scene from the preliminary intrusion scene set, wherein the intrusion scene is an intrusion scene with the maximum similarity between the alarm evidence chain corresponding to the alarm evidence chain set and each intrusion scene alarm evidence chain in the preliminary intrusion scene set; judging whether the similarity maximum value of each alarm evidence chain in the intrusion scene and the alarm evidence chain corresponding to the alarm evidence chain set is greater than the aggregation condition threshold value, if so, adding the alarm evidence chain corresponding to the alarm evidence chain set into the intrusion scene; otherwise, a new intrusion scene is created, the alarm evidence chain corresponding to the alarm evidence chain set is added into the new intrusion scene, and the new intrusion scene is added into the preliminary intrusion scene set until the processing of each alarm evidence chain in the alarm evidence chain set is finished.
7. The alarm aggregation-based network forensics method according to claim 5, wherein the merging and splicing of the intrusion scenes in C) comprises the following steps: judging whether the two intrusion scenes are two sub-scenes formed by breaking the same attack scene or not according to the time precedence relationship and the behavior progressive relationship of the two intrusion scenes, acquiring the connection relationship of the two sub-scenes, and acquiring the distance between the two intrusion scenes according to the connection relationship; setting the completely constructed final output intrusion scene as an empty set; aiming at one intrusion scene in the preliminary intrusion scene set, selecting another intrusion scene with the minimum distance from the intrusion scene from the preliminary intrusion scene set, calculating the minimum distance between alarm evidences in the intrusion scene and the other intrusion scene, and respectively recording the two alarm evidences in the two intrusion scenes with the minimum distance as alarm evidences a and a'; the alarm evidences a and a' are respectively used as head and tail nodes, corresponding alarm evidences are supplemented to form an alarm evidence chain according to the causal relationship among the alarm evidences belonging to the same intrusion scene, and the alarm evidence chain is utilized to establish a newly-added intrusion scene; combining the newly added intrusion scene, the intrusion scene and the other intrusion scene to form a new intrusion scene, adding the new intrusion scene into the preliminary intrusion scene set, and removing the intrusion scene and the other intrusion scene; until any two intrusion scenes in the preliminary intrusion scene set do not have a connection relation any more.
8. The alarm aggregation-based network forensics method according to claim 7, wherein in the step C), the distance between the two intrusion scenes is obtained according to a connection relationship, and the method comprises the following steps: according to the destination address of the alarm evidence and the source address of the other alarm evidence, the distance between the corresponding attack nodes on the attack graph corresponding to the two alarm evidences is obtained; and acquiring the distance corresponding to the two intrusion scenes according to the distance.
9. An alarm aggregation-based network forensics device, which is implemented based on the network forensics method of claim 1, and comprises: a data collection module, an evidence chain construction module and a scene restoration module, wherein,
the data collection module is used for constructing an attack graph; intrusion detection data of network key nodes are obtained and are used as an alarm evidence set for network evidence obtaining analysis;
the evidence chain construction module is used for mapping the alarm evidence in the alarm evidence set to an attack graph and acquiring an alarm evidence chain;
and the scene recovery module is used for clustering the alarm evidence chains, constructing a network intrusion scene and recovering the network crime scene.
10. The alarm aggregation-based network forensics device of claim 9, wherein the scene recovery module comprises a scene construction sub-module and a scene merging sub-module, wherein,
the scene construction submodule is used for obtaining the similarity among the alarm evidence chains and obtaining similar alarm evidence chains for clustering by utilizing the similarity to construct a preliminary intrusion scene set;
and the scene merging submodule is used for merging and splicing every two intrusion scenes in the preliminary intrusion scene set according to the connection relationship between the two intrusion scenes, so that the complete construction of the intrusion scenes is realized, and the network crime scene is recovered.
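The evidence-chain similarity of claim 1 C) and the preliminary scene construction of claim 6, as an added worked example that is not the patent's own code: a chain is represented here by its sequence of alarm types, the "operation cost of converting one sequence into a subsequence of another" is computed by dynamic programming, and the normalisation of that cost into a similarity, the direction in which it is taken, and the threshold value 0.6 are assumptions of this example rather than values taken from the patent.

```python
"""Added worked example, not code from the patent or its authors: evidence-chain
similarity by subsequence conversion cost (claim 1 C) and threshold clustering into
preliminary intrusion scenes (claim 6). Hypothetical assumptions: a chain is its
sequence of alarm types; the operation cost is the minimum number of unit deletions
or substitutions that turn one sequence into a subsequence of the other; similarity
is 1 minus the smaller of the two directional costs, normalised by the shorter chain
length; the aggregation threshold is a free parameter."""
from typing import List

Chain = List[str]


def subseq_cost(x: Chain, y: Chain) -> int:
    """Minimum cost of converting x into a subsequence of y.
    dp[i][j] = cost for x[:i] against y[:j]. Skipping an element of y is free (the
    result only has to be a subsequence of y); deleting from x or substituting costs 1."""
    n, m = len(x), len(y)
    dp = [[0] * (m + 1) for _ in range(n + 1)]
    for i in range(1, n + 1):
        dp[i][0] = i                      # nothing left of y: delete the rest of x
    for i in range(1, n + 1):
        for j in range(1, m + 1):
            dp[i][j] = min(dp[i][j - 1],                                  # skip y[j-1]
                           dp[i - 1][j] + 1,                              # delete x[i-1]
                           dp[i - 1][j - 1] + (0 if x[i - 1] == y[j - 1] else 1))
    return dp[n][m]


def similarity(x: Chain, y: Chain) -> float:
    """Symmetric similarity in [0, 1]; 1.0 when one chain is a subsequence of the other."""
    if not x or not y:
        return 0.0
    cost = min(subseq_cost(x, y), subseq_cost(y, x))
    return 1.0 - cost / min(len(x), len(y))


def build_scenes(chains: List[Chain], threshold: float) -> List[List[Chain]]:
    """Claim 6: each chain joins the scene holding its most similar chain when that
    similarity exceeds the threshold, otherwise it starts a new scene."""
    scenes: List[List[Chain]] = []
    for chain in chains:
        if scenes:
            best = max(scenes, key=lambda s: max(similarity(chain, c) for c in s))
            if max(similarity(chain, c) for c in best) > threshold:
                best.append(chain)
                continue
        scenes.append([chain])
    return scenes


def example_scenes() -> List[List[Chain]]:
    """Constructed chains: two are fragments of the full intrusion chain (missed
    alerts), one shares its first three steps, and two belong to an unrelated
    credential attack."""
    chains = [
        ["scan", "exploit", "privesc", "exfil"],
        ["bruteforce", "login", "dump"],
        ["scan", "exploit", "exfil"],
        ["scan", "exploit", "privesc", "lateral"],
        ["scan", "exploit", "privesc"],
        ["bruteforce", "login"],
    ]
    return build_scenes(chains, threshold=0.6)
```

With the threshold at 0.6 the four web-intrusion chains land in one preliminary scene and the two credential-attack chains in another; a chain that is a strict subsequence of a longer one scores 1.0, which is what makes chains broken by missed alerts cluster with the complete chain, while a chain of entirely different alarm types scores 0.0. The threshold governs the trade-off between merging unrelated activity and fragmenting one intrusion, so it should be tuned against labelled incidents rather than set once.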
Priority application: CN201811063114.5A, priority date 2018-09-12, filing date 2018-09-12, Network evidence obtaining method and device based on alarm aggregation, Active, CN109218305B (en)

Publications (2)

Publication Number Publication Date
CN109218305A CN109218305A (en) 2019-01-15
CN109218305B true CN109218305B (en) 2020-12-08

Family

ID=64983723



Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination
GR01 Patent grant