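Authors: 刘贞宇, 陈羽中[1,2], 郭昆[1,2], 张毓东 (LIU Zhen-yu; CHEN Yu-zhong; GUO Kun; ZHANG Yu-dong) (Fujian Key Laboratory of Network Computing and Intelligent Information Processing, Fuzhou University, Fuzhou 350116, China; Key Laboratory of Spatial Data Mining & Information Sharing, Fuzhou University, Fuzhou 350116, China)
Affiliations: [1] College of Mathematics and Computer Science, Fuzhou University, Fuzhou 350116 [2] Fujian Key Laboratory of Network Computing and Intelligent Information Processing, Fuzhou University, Fuzhou 350116
Source: 《小型微型计算机系统》 (Journal of Chinese Computer Systems), 2020, Issue 8, pp. 1732-1740, 9 pages in total
Funding: Supported by the National Natural Science Foundation of China (61672158, 61972097); the Fujian Province University Industry-Academia Cooperation Project (2018H6010); and the Natural Science Foundation of Fujian Province (2018J01795).
Abstract: Network attack modeling uses the logs produced by network security devices to model network attack behavior and discover the characteristics and patterns of network attacks, so as to improve the ability to respond to sudden network attacks. For network attack modeling, this paper proposes an attack graph generation method that, based on the similarity between network attack behavior and workflows, uses a heuristic process-mining algorithm to model network attack behavior and generate a network attack graph. To address the problem that network attack graphs are overly complex, it proposes an attack graph segmentation method that splits the network attack graph by separating attack branch steps, dividing a complex network attack graph into multiple network attack subgraphs while preserving its basic structure, which improves the readability of the attack graph. For network attack modeling over massive security log data, it proposes a distributed attack graph generation algorithm and attack graph segmentation method, which improve the mining efficiency of the network attack model. Experiments show that, compared with the baseline methods, the proposed method mines intruders' attack steps more completely.
Abstract (English): Attack modeling aims to generate attack models by investigating attack behaviors recorded in intrusion alerts raised in network security devices. Attack models can help network security administrators discover an attack strategy that intruders use to compromise the network and implement a timely response to security threats. However, the state-of-the-art algorithms for attack modeling are unable to obtain a high-level or global-oriented view of the attack strategy. To address the aforementioned issue, considering the similarity between attack behavior and workflow, we employ a heuristic process-mining algorithm to generate the initial attack graph. Although the initial attack graphs generated by the heuristic process mining algorithm are complete, they are extremely complex for manual analysis. To improve their readability, we propose a graph segmentation algorithm to split a complex attack graph into multiple subgraphs while preserving the original structure. Furthermore, to handle massive volume alert data, we propose a distributed attack graph generation algorithm based on Hadoop MapReduce and a distributed attack graph segmentation algorithm based on Spark GraphX. Additionally, we conduct comprehensive experiments to validate the performance of the proposed algorithms. The experimental results demonstrate that the proposed algorithms achieve considerable improvement over comparative algorithms in terms of accuracy and efficiency.
Classification number: TP393 [Automation and Computer Technology: Computer Application Technology]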