Network Security Situation Awareness System Based on Knowledge Discovery (original title: 基于知识发现的网络安全态势感知系统)

Cited by: 29


Authors: 王春雷 [1,2], 方兰 [2], 王东霞 [2], 戴一奇 [1]

Affiliations: [1] Department of Computer Science and Technology, Tsinghua University, Beijing 100084; [2] Key Laboratory of Information System Security Technology, Beijing Institute of System Engineering, Beijing 100101

Source: Computer Science (计算机科学), 2012, No. 7, pp. 11-17 and 24 (8 pages)

Abstract: Network security administrators need to obtain and analyze the network security situation for management, maintenance, and planning purposes. The complexity and diversity of security alert data on modern networks, however, make precise analysis and evaluation of the network security situation extremely difficult. We summarize the recent research progress and the open problems of network security situation awareness, and propose a network security situation modeling and generation framework based on knowledge discovery. On this framework we design and implement the network security situation awareness system Net-SSA. Net-SSA consists of two parts: modeling of the network security situation and generation of the network security situation. The purpose of modeling is to construct a formal model for measuring the network security situation based on Dempster-Shafer (D-S) evidence theory, which supports the fusion and correlation analysis of security alert events collected from situation sensors. The network security situation is generated by mining frequent patterns and sequential patterns from the network security situation dataset with knowledge discovery methods, transforming these patterns into correlation rules of the security situation, and finally constructing the network security situation graph automatically. The experiments and analysis of their results show that the system supports accurate modeling and efficient generation of the network security situation.

Keywords: network security; security situation modeling; security situation generation; data mining; knowledge discovery

Classification code: TP393 [Automation and Computer Technology: Computer Application Technology]
