Cite this article: WANG Yijie, CHENG Li, MA Xingkong. Survey of alert-correlation based on network threat detection techniques [J]. Journal of National University of Defense Technology, 2017, 39(5): 128-138.
Original citation (Chinese): 王意洁, 程力, 马行空. 运用警报关联的威胁行为检测技术综述 [J]. 国防科技大学学报, 2017, 39(5): 128-138.
Survey of Threat Behavior Detection Techniques Using Alert Correlation
WANG Yijie 1, CHENG Li 1, MA Xingkong 2
(1. National Key Laboratory for Parallel and Distributed Processing, College of Computer, National University of Defense Technology, Changsha 410073, Hunan, China; 2. Department of Network Engineering, College of Computer, National University of Defense Technology, Changsha 410073, Hunan, China)
Abstract:
Alert-correlation-based network threat behavior detection is becoming a research hotspot for detecting complex threat behavior, because it couples with the security products already deployed in large numbers on networks and can fully mine the relations among abnormal events to provide evidence for scenario reconstruction. Starting from the characteristics of threat behavior and of the network security environment, this survey derives the application requirements and classification of threat behavior detection, and introduces the basic concepts and system model of alert-correlation-based threat behavior detection. It focuses on the alert correlation method that forms the core of the model and presents, by category, the basic principles and characteristics of the typical algorithms: causal-logic-based methods, scenario-based methods, similarity-based methods and data-mining-based methods. With examples, it introduces the three typical structures of threat behavior detection systems, namely centralized, hierarchical and distributed. Finally, based on the current state of research, some views on future research trends are put forward.
Keywords: threat behavior detection; alert correlation; detection model; detection system architecture
DOI: 10.11887/j.cn.201705021
Received: 2016-05-11
Funding: National Natural Science Foundation of China (61379052); National 863 Program (2013AA01A213); Hunan Provincial Natural Science Foundation Fund for Distinguished Young Scholars (14JJ1026); Specialized Research Fund for the Doctoral Program of Higher Education (20124307110015)
Survey of alert-correlation-based network threat detection techniques
WANG Yijie 1, CHENG Li 1, MA Xingkong 2
(1. National Key Laboratory for Parallel and Distributed Processing, College of Computer, National University of Defense Technology, Changsha 410073, China; 2. Department of Network Engineering, College of Computer, National University of Defense Technology, Changsha 410073, China)
Abstract:
The rapid development of the Internet also brings more and more network threats, and detecting them in a real-time and accurate manner has become one of the key technical issues. Alert-correlation-based network threat detection is becoming a research hotspot, because it couples with the widely deployed security products and fully exploits the relations between abnormal events to reconstruct the attack scenario. Starting from the features of network threats and of the security environment, the requirements and classification of network threat detection are introduced. The basic concepts and system model of alert-correlation-based network threat detection are then illustrated in detail. The key module of the model, the alert correlation method, is studied in detail together with the fundamentals and features of the typical algorithms, including causal-relation-based, case-based, similarity-based and data-mining-based methods. Furthermore, three representative detection system architectures are discussed with practical instances, namely centralized, hierarchical and distributed architectures. Finally, based on an analysis of recent research work, future work is discussed and outlined.
Keywords: network threat detection; alert correlation; detection model; detection system architecture
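The causal-relation-based (prerequisite/consequence) correlation the abstract names can be made concrete with a small worked example. The code below is an added illustration, not code from the surveyed paper or from any of the systems it reviews: the knowledge base of alert types, the predicate templates, the time window and the sample alerts are all constructed assumptions. It correlates an earlier alert with a later one when a consequence of the first instantiates a prerequisite of the second inside the window, then chains the resulting edges into attack scenarios and lists the alerts that no scenario explains.

```python
"""Causal (prerequisite/consequence) alert correlation, as an added example.

Each alert type in a small, constructed knowledge base declares the
predicates it requires (prerequisites) and the predicates it establishes
(consequences).  Alert a is correlated with a later alert b when one of a's
consequences matches one of b's prerequisites within a time window; the
resulting edges are chained into attack scenarios.  Every name and value in
this file is hypothetical and not taken from the surveyed paper.
"""
from dataclasses import dataclass
from typing import Dict, List, Sequence, Set, Tuple

# Hypothetical knowledge base: type -> (prerequisite templates, consequence
# templates).  Templates are instantiated with the alert's src/dst addresses.
KNOWLEDGE_BASE: Dict[str, Tuple[List[str], List[str]]] = {
    "PortScan":   ([],                          ["HostScanned({dst})"]),
    "SMBProbe":   (["HostScanned({dst})"],      ["ServiceFound({dst},smb)"]),
    "SMBExploit": (["ServiceFound({dst},smb)"], ["ShellAccess({dst})"]),
    "OutboundC2": (["ShellAccess({src})"],      ["C2Channel({src})"]),
}


@dataclass(frozen=True)
class Alert:
    id: int
    ts: float   # seconds; constructed timestamps
    kind: str   # key in KNOWLEDGE_BASE
    src: str
    dst: str


def instantiate(templates: Sequence[str], alert: Alert) -> Set[str]:
    """Bind a template's {src}/{dst} placeholders to one alert's addresses."""
    return {t.format(src=alert.src, dst=alert.dst) for t in templates}


def correlate(alerts: Sequence[Alert],
              kb: Dict[str, Tuple[List[str], List[str]]] = KNOWLEDGE_BASE,
              window: float = 3600.0) -> List[Tuple[int, int]]:
    """Return edges (a.id, b.id): a precedes b within `window` seconds and a
    consequence of a satisfies a prerequisite of b."""
    ordered = sorted(alerts, key=lambda a: a.ts)
    edges: List[Tuple[int, int]] = []
    for j, b in enumerate(ordered):
        prereqs = instantiate(kb[b.kind][0], b)
        if not prereqs:                # root-type alert, nothing to satisfy
            continue
        for a in ordered[:j]:
            if b.ts - a.ts > window:   # too old to belong to the same scenario
                continue
            if instantiate(kb[a.kind][1], a) & prereqs:
                edges.append((a.id, b.id))
    return edges


def scenarios(alerts: Sequence[Alert],
              edges: Sequence[Tuple[int, int]]) -> Tuple[List[List[int]], List[int]]:
    """Chain edges into scenarios (lists of alert ids starting at a root alert)
    and report the ids of alerts that took part in no correlation."""
    succ: Dict[int, List[int]] = {}
    for a, b in edges:
        succ.setdefault(a, []).append(b)
    has_in = {b for _, b in edges}
    linked = has_in | set(succ)

    def walk(node: int, path: List[int]):
        if node not in succ:
            yield path
            return
        for nxt in succ[node]:
            yield from walk(nxt, path + [nxt])

    chains = [c for a in alerts if a.id in succ and a.id not in has_in
              for c in walk(a.id, [a.id])]
    uncorrelated = sorted(a.id for a in alerts if a.id not in linked)
    return chains, uncorrelated


SAMPLE_ALERTS = [  # constructed alerts, not real sensor output
    Alert(1, 100.0, "PortScan",   "10.0.0.5",  "10.0.0.20"),
    Alert(2, 160.0, "SMBProbe",   "10.0.0.5",  "10.0.0.20"),
    Alert(3, 220.0, "SMBExploit", "10.0.0.5",  "10.0.0.20"),
    Alert(4, 300.0, "OutboundC2", "10.0.0.20", "203.0.113.7"),
    Alert(5, 130.0, "PortScan",   "10.0.0.9",  "10.0.0.30"),   # scan with no follow-up
    Alert(6, 250.0, "SMBExploit", "10.0.0.5",  "10.0.0.40"),   # prerequisite never observed
    Alert(7, 4130.0, "SMBProbe",  "10.0.0.9",  "10.0.0.30"),   # matches alert 5, but outside the window
]


def main() -> None:
    edges = correlate(SAMPLE_ALERTS)
    chains, loose = scenarios(SAMPLE_ALERTS, edges)
    print("edges:", edges)                 # [(1, 2), (2, 3), (3, 4)]
    print("scenarios:", chains)            # [[1, 2, 3, 4]]
    print("uncorrelated alert ids:", loose)  # [5, 6, 7]


if __name__ == "__main__":
    main()
```

Alert 6 shows the usual blind spot of this family of methods: an exploit whose preceding scan the sensors missed has no satisfied prerequisite and stays uncorrelated, which is one reason surveys pair causal methods with similarity- or mining-based ones. Widening `window` (say to 10 000 s) makes alert 7 join alert 5 into a second scenario, so the window is a tuning decision between false links and missed ones.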