Multi-Step Attack Intention Identification Method of "Internet" Based on Alarm Correlation

Authors: TANG Xu, JIA Zhicun, YOU Yang (NSFOCUS Technologies Group Co., Ltd., Beijing 100089, China)

Affiliation: [1] NSFOCUS Technologies Group Co., Ltd., Beijing 100089

Source: Mobile Communications, 2023, No. 4, pp. 92-97 (6 pages)

Funding: 2023 Sichuan Provincial Science and Technology Program project "Research and Application of Key Technologies for Integrated Security Processing in Intelligent Manufacturing Based on Multimodal Heterogeneous Data Fusion" (2023YFG0118); 2023 Chongqing Science and Technology Program project "Research and Application of Key Technologies for Human-Machine Collaborative Threat Hunting Based on Event Cognition and Intention Understanding" (CSTB2022TIAD-KPX0054).

Abstract: Existing vulnerability-threat techniques based on static assessment cannot effectively quantify the harm of a network attack. To address this, the paper proposes a multi-step attack intention identification method based on alarm correlation. The method exploits the correlation characteristics of alarm data to mine and reconstruct the attacker's multi-step attack sequence, and around that attack process it evaluates infrastructure importance and vulnerability threat to infer the attacker's intention, thereby reconstructing the attack scenario and characterising the attack behaviour. Experiments on DARPA2000 verify that the algorithm can identify specific network attack scenarios, and in comparison with a traditional algorithm both its absolute percentage error and its absolute mean square error are lower. Combining vulnerability threat with infrastructure importance to correlate attack steps therefore effectively addresses the spurious attack steps that appear during the attack process and improves the accuracy of multi-step network attack intention identification.

Keywords: alarm correlation; multi-step attack; infrastructure importance; vulnerability threat assessment

Classification code: TN929.5 [Electronics and Telecommunications: Communication and Information Systems]
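The abstract describes three ingredients: linking individual IDS alarms into an ordered multi-step sequence, and weighting each step by the threat of the vulnerability it exercises and the importance of the asset it hits, so that isolated or spurious alarms do not pass for an attack. The following Python sketch is an added illustration of that idea and is not the authors' algorithm or code: the stage ordering, the signature names, the threat and importance tables, the 300-second linking window, and the sample alert stream are all constructed assumptions chosen to resemble a DARPA2000-style sweep, probe, exploit, install and launch scenario.

```python
from dataclasses import dataclass, field

# Assumed stage ordering used to link alerts into a progression (illustrative,
# not the model in the paper).
STAGE = {"recon": 0, "probe": 1, "exploit": 2, "install": 3, "launch": 4}

# Constructed lookup tables: the stage each IDS signature belongs to, the threat
# carried by the underlying vulnerability (0..1), and the importance of each asset (0..1).
SIG_STAGE = {
    "icmp_sweep": "recon",
    "rpc_probe": "probe",
    "rpc_overflow": "exploit",
    "tool_install": "install",
    "ddos_launch": "launch",
}
THREAT = {"icmp_sweep": 0.1, "rpc_probe": 0.3, "rpc_overflow": 0.9,
          "tool_install": 0.8, "ddos_launch": 1.0}
IMPORTANCE = {"10.0.0.5": 0.9, "10.0.0.7": 0.6, "10.0.0.9": 0.2}
DEFAULT_IMPORTANCE = 0.1  # hosts absent from the inventory, e.g. external DDoS targets


@dataclass
class Alert:
    ts: int      # seconds since the start of the capture
    src: str
    dst: str
    sig: str


@dataclass
class Chain:
    steps: list = field(default_factory=list)

    def last(self) -> Alert:
        return self.steps[-1]

    def max_stage(self) -> int:
        return max(STAGE[SIG_STAGE[a.sig]] for a in self.steps)

    def score(self) -> float:
        # Each step is weighted by vulnerability threat times asset importance, so a
        # scan of an unimportant box scores low and a working exploit of a core server
        # scores high.
        return sum(THREAT[a.sig] * IMPORTANCE.get(a.dst, DEFAULT_IMPORTANCE)
                   for a in self.steps)


def _extends(chain: Chain, alert: Alert, window: int) -> bool:
    prev = chain.last()
    if alert.ts - prev.ts > window:
        return False
    # The attack must progress: a later alert has to be a later stage.
    if STAGE[SIG_STAGE[alert.sig]] <= STAGE[SIG_STAGE[prev.sig]]:
        return False
    # Same victim, or the previous victim now acts as the source (pivot).
    return alert.dst == prev.dst or alert.src == prev.dst


def correlate(alerts: list, window: int = 300) -> list:
    """Group alerts, in time order, into multi-step chains."""
    chains: list = []
    for alert in sorted(alerts, key=lambda a: a.ts):
        for chain in chains:
            if _extends(chain, alert, window):
                chain.steps.append(alert)
                break
        else:
            chains.append(Chain([alert]))
    return chains


def intent_chains(chains: list, min_stage: str = "exploit") -> list:
    """Keep chains that reached at least min_stage; the rest are isolated or spurious alarms."""
    return [c for c in chains if c.max_stage() >= STAGE[min_stage]]


# Constructed alert stream: one sweep-probe-exploit-install-launch scenario against
# 10.0.0.5, a sweep of two other hosts, and an unrelated probe long after the window.
SAMPLE_ALERTS = [
    Alert(0, "10.0.0.1", "10.0.0.5", "icmp_sweep"),
    Alert(1, "10.0.0.1", "10.0.0.7", "icmp_sweep"),
    Alert(2, "10.0.0.1", "10.0.0.9", "icmp_sweep"),
    Alert(10, "10.0.0.1", "10.0.0.5", "rpc_probe"),
    Alert(20, "10.0.0.1", "10.0.0.5", "rpc_overflow"),
    Alert(30, "10.0.0.1", "10.0.0.5", "tool_install"),
    Alert(40, "10.0.0.5", "198.51.100.1", "ddos_launch"),
    Alert(500, "10.0.0.3", "10.0.0.9", "rpc_probe"),
]

if __name__ == "__main__":
    for chain in intent_chains(correlate(SAMPLE_ALERTS)):
        print(f"score={chain.score():.2f}: " + " -> ".join(a.sig for a in chain.steps))
```

On the constructed stream this yields four chains, of which only the five-step chain against 10.0.0.5 reaches the exploit stage and is reported; the two stray sweeps and the late probe stay as single-alarm chains with low scores. The pivot rule (the previous victim becoming the next source) is what joins the outbound DDoS launch to the intrusion that installed the tool, which a per-host view would miss.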
