Affiliations: [1] School of Mechatronical Engineering, Beijing Institute of Technology, Beijing 100081 [2] School of Computer and Information Technology, Beijing Jiaotong University, Beijing 100044
Source: Journal of Computer Research and Development (计算机研究与发展), 2010, No. 10, pp. 1724-1732 (9 pages)
Funding: National Natural Science Foundation of China project (60442002)
Abstract: A hierarchical online risk assessment model is proposed that assesses, bottom-up and in real time, the risk caused by an ongoing intrusion scenario at the service, host and network levels. At the service level, D-S evidence theory fuses multiple variables of an alert thread that reflect the risk trend into a risk index, which captures the objective risk of the intrusion; the service-level risk state is then evaluated by combining this index with the target risk distribution, which reflects the defender's subjective security awareness and is determined by the importance of the attacked services. At the host level, a risk assessment method based on the barrel principle is proposed. At the network level, the concept of a security dependency network and its properties are defined, and an improved risk propagation algorithm completes the network-level assessment. The model tightly couples alert processing, namely alert verification, alert aggregation, alert correlation and alert confidence learning, with risk assessment, and thereby handles the subjectivity, fuzziness and uncertainty inherent in risk assessment. Experiments show that the hierarchical online risk assessment results for a range of intrusion scenarios accord with the actual characteristics of the attacks, giving strong support to decisions on intrusion response timing, response measures and response adjustment.
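The abstract names three assessment levels but gives no formulas. The following is an added illustration written for this page, not the paper's implementation: it fuses alert-thread variables with Dempster's rule of combination to obtain a service-level risk index, applies the barrel principle at the host level, and propagates risk over a security dependency graph. The mapping of variables to mass functions, the use of belief (rather than plausibility) as the index, the importance scaling, and the max-product propagation rule are all assumptions; the paper's "improved" propagation algorithm is not reproduced. The sample scenario is constructed and is not from the paper's experiments.

```python
"""Added illustration of the three assessment levels described in the abstract.
Example code written for this page, not the paper's implementation; every
numeric mapping and the propagation rule are assumptions.
"""
from itertools import product
from typing import Dict, FrozenSet, List, Tuple

# Frame of discernment for one attacked service.
SAFE = frozenset({"safe"})
COMP = frozenset({"compromised"})
THETA = SAFE | COMP          # the whole frame: mass here is ignorance

Mass = Dict[FrozenSet[str], float]
Evidence = Tuple[float, float]   # (support for "compromised", reliability), both in [0, 1]
Services = Dict[str, Tuple[float, List[Evidence]]]  # service -> (importance, evidence)


def combine(m1: Mass, m2: Mass) -> Mass:
    """Dempster's rule: intersect focal elements, discard conflicting mass, renormalise."""
    fused: Mass = {}
    conflict = 0.0
    for (a, ma), (b, mb) in product(m1.items(), m2.items()):
        focal = a & b
        if focal:
            fused[focal] = fused.get(focal, 0.0) + ma * mb
        else:
            conflict += ma * mb
    if conflict >= 1.0:
        raise ValueError("evidence sources are in total conflict")
    return {k: v / (1.0 - conflict) for k, v in fused.items()}


def mass_from_variable(support: float, reliability: float) -> Mass:
    """Map one alert-thread variable (e.g. learned alert confidence, verification
    result, normalised correlated-alert count) to a mass function (assumed mapping).
    An unreliable variable pushes mass into THETA instead of asserting either state."""
    return {COMP: support * reliability,
            SAFE: (1.0 - support) * reliability,
            THETA: 1.0 - reliability}


def service_risk_index(evidence: List[Evidence]) -> float:
    """Service-level risk index = belief in 'compromised' after fusing all variables
    (assumption: belief, not plausibility, so a service with no alerts scores 0)."""
    m: Mass = {THETA: 1.0}                 # vacuous prior: nothing known yet
    for support, reliability in evidence:
        m = combine(m, mass_from_variable(support, reliability))
    return m.get(COMP, 0.0)


def host_risk(services: Services) -> float:
    """Barrel principle: the host is only as safe as its most endangered service.
    Each service index is scaled by its importance (assumed target-risk distribution)."""
    return max((importance * service_risk_index(ev) for importance, ev in services.values()),
               default=0.0)


def propagate(own_risk: Dict[str, float], deps: List[Tuple[str, str, float]]) -> Dict[str, float]:
    """Network level: a host that depends on an endangered host inherits its risk
    attenuated by the dependency strength w in (0, 1). Simplified max-product
    propagation to a fixed point (assumption, not the paper's improved algorithm);
    it terminates because w < 1 and values only ever increase toward a finite bound."""
    risk = dict(own_risk)
    changed = True
    while changed:
        changed = False
        for src, dst, w in deps:
            inherited = w * risk[src]
            if inherited > risk[dst] + 1e-12:
                risk[dst] = inherited
                changed = True
    return risk


def assess(scenario: Dict[str, Services], deps: List[Tuple[str, str, float]]) -> Dict[str, float]:
    """Run all three levels and return per-host risk after propagation."""
    return propagate({host: host_risk(svcs) for host, svcs in scenario.items()}, deps)


# Constructed sample intrusion scenario (not from the paper's experiments):
# host -> service -> (importance, [(support, reliability), ...])
SCENARIO: Dict[str, Services] = {
    "dmz-web": {"http": (0.9, [(0.9, 0.8), (1.0, 0.7)]),   # confident, verified alerts
                "ssh":  (0.5, [(0.2, 0.6)])},             # weak, unverified hint
    "app":     {"api":  (1.0, [(0.3, 0.5)])},
    "db":      {"mysql": (1.0, [])},                        # nothing observed yet
}
# Security dependency edges: (provider, dependent, strength).
DEPS = [("dmz-web", "app", 0.8), ("app", "db", 0.9), ("dmz-web", "db", 0.3)]

if __name__ == "__main__":
    for host, r in sorted(assess(SCENARIO, DEPS).items(), key=lambda kv: -kv[1]):
        print(f"{host:8s} risk={r:.3f}")
```

Running it shows the barrel principle and propagation working together: the database host has no alerts of its own, yet ends up with substantial risk because it depends on the application host, which in turn depends on the compromised web host. The 0.3 direct edge from dmz-web to db is dominated by the stronger two-hop path.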
Keywords: online risk assessment; alert processing; intrusion response; intrusion detection; network security
CLC number: TP393.08 (Automation and Computer Technology: Computer Application Technology)