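Affiliations: [1] School of Management, Capital Normal University, Beijing 100089; [2] China Academy of Electronics and Information Technology, China Electronics Technology Group Corporation, Beijing 100041
Source: Journal of Computer Research and Development (《计算机研究与发展》), 2014, No. 5, pp. 1039-1049 (11 pages)
Funding: General Program of the Science and Technology Plan of the Beijing Municipal Education Commission (KM201010028020); Key Project of the National Science and Technology Support Program (2009BADA9B02)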
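Abstract: How to extract valid threats from a large volume of security alerts and identify the current state is the prerequisite and key to assessing the real-time threat situation; this requires correlating and fusing threat events from multiple angles and multiple sources of information. To this end, the spatial complexity and temporal dynamics of the network security confrontation environment are analyzed in depth, and a method for real-time network threat identification and quantitative assessment based on spatio-temporal association analysis is proposed. First, the spatio-temporal association relationships among threat events are mined from a threat state transition graph: the temporal dimension incorporates the threat penetration process and the spatial dimension correlates threat state attributes, yielding the currently valid threats and their real-time state. Then, based on three elements (network entity value, threat severity, and threat success), a multi-granularity hierarchical recursive algorithm is proposed that, following a "point, line, plane" approach, quantitatively assesses security threats at three levels (threat state, threat path, and the whole network) to reflect the threat situation at different granularities. Simulation experiments verify the practicality and effectiveness of the method.

How to identify successful threat activities and the current security state is the prerequisite and key to network real-time threat assessment. To do this, all the detected threats need to be associated and studied in many ways and multiple directions. Aiming at this issue, a network real-time threat identification and quantitative assessment approach is proposed based on association analysis along the two dimensions of time and space. This approach fully considers the spatial complexity and temporal dynamics of the network attack-defense confrontation environment. First, a threat state transition graph is constructed to simulate the intrusion process and model threat scenarios. Based on the graph, by associating threat spreading paths in the temporal dimension and correlating them with threat state features in the spatial dimension, valid threats can be filtered out and the current threat state can be recognized. Then a multi-granularity hierarchical assessment method is put forward to evaluate network threats. This method takes entity value, threat weight and threat success probability as evaluation indexes in order to quantitatively analyze the threat indexes of a single state, a path and the whole network respectively. The results therefore report the network's real-time risk situation at different levels. Finally, a simulation experiment verifies the effectiveness and advantage of the approach; the approach can reveal the threat situation more thoroughly and provide valuable guidance for intrusion response decision-making and dynamic defense strategy adjustment.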
Classification number: TP393.08 [Automation and Computer Technology: Computer Application Technology]