计算机与现代化
• 信息安全 • 上一篇 下一篇
收稿日期:
出版日期:
发布日期:
作者简介:
Received:
Online:
Published:
摘要: 当前大部分基于隐马尔科夫(HMM)的网络安全态势的评估方法都集中于对HMM参数的研究,而忽视了观测值的选取对评估准确度的影响。本文在告警信息聚合的基础上,以攻击模式作为关联依据,结合网络资产的脆弱性信息,识别主机所处受攻击阶段并转化为主机的威胁等级,以威胁等级作为HMM的观测值,最后利用HMM实现对主机和网络的安全态势评估。基于DARPA2000测试数据集的相关实验表明,相比一般的HMM方法,本文方法能体现攻击的多步骤特点,且能更加准确地反映网络态势的变化。
关键词: 多步攻击模式, 关联分析, HMM, 网络安全态势评估
Abstract: MostofthecurrentnetworksecuritysituationassessmentmethodsbasedonHMMarefocusedonthestudyofHMMparameters,ignoringtheimpactofobservationvaluesonevaluationaccuracy.Thispaperisbasedontheaggregationofalarminformation,takesattackmodeasabasisforassociation,combinesthevulnerabilityinformationofnetworkassets,identifiestheattackphaseofthehostandconvertsittothethreatlevelofthehost,andfinally,usesHMMtoevaluatethesecuritysituationofthehostandnetwork.ExperimentbasedonDARPA2000datasetshows,comparedwiththegeneralHMMmethod,thismethodcanreflectthemulti-stepcharacteristicsoftheattack,anditcanmoreaccuratelyreflectthechangeofnetworksituation.
Key words: multi-stepattackspattern, associationanalysis, hiddenMarkovmodel, cybersecuritysituationevaluation
中图分类号:
TP393.08
吴建台,刘光杰,刘伟伟,戴跃伟. 一种基于关联分析和HMM的网络安全态势评估方法[J]. 计算机与现代化, doi: 10.3969/j.issn.1006-2475.2018.06.007.
WUJian-tai,LIUGuang-jie,LIUWei-wei,DAIYue-wei. CyberSecuritySituationEvaluationMethodBasedon#br# AssociationAnalysisandHiddenMarkovModel[J]. Computer and Modernization, doi: 10.3969/j.issn.1006-2475.2018.06.007.
0 / / 推荐
导出引用管理器 EndNote|Ris|BibTeX
链接本文: http://www.c-a-m.org.cn/CN/10.3969/j.issn.1006-2475.2018.06.007
http://www.c-a-m.org.cn/CN/Y2018/V0/I06/30