基于序列模式挖掘的隐私保护多步攻击关联算法
Privacy-preserving sequential step mining algorithm for multi-step attack correlation
马进 1金茂菁 2杨永丽 3张健1
作者信息
- 1. 上海交通大学信息安全工程学院,上海市信息安全综合管理技术研究重点实验室,上海200240
- 2. 中华人民共和国科学技术部高技术研究发展中心,北京100044
- 3. 中国人民解放军91999部队,青岛266003
- 折叠
摘要
传统的多步攻击关联方法大多过于依赖专家知识或需要复杂的预定义规则,而且较少考虑对原始报警信息的隐私保护。为解决上述问题,该文提出了一种隐私保护的多步攻击报警关联算法。该算法基于序列模式挖掘的思想,在分析攻击行为时序特征的基础上,通过实现支持度评估方法,对候选攻击序列生成方法进行了优化,解决了预定义关联规则复杂性和专家知识依赖性的问题。同时,基于Incog-nito算法,该算法采用数据泛化技术实现了对报警敏感信息的保护。实验结果表明:所提出算法在多步攻击关联方面的误关联和漏关联率均较低,因而具有较好的准确性;并在保护报警敏感信息的同时具有攻击场景构建的性能优势,在关联效率和隐私保护方面取得了折衷。
Abstract
Traditional multi-step attack correlation approaches based on intrusion alerts face challenges recognizing attack scenarios because these approaches require complex pre-defined association rules and dependency on expert knowledge.They have little concern for privacy issues.An algorithm is presented here that identifies multi-step attack scenarios by analyzing sequential steps in the attack behavior patterns.The algorithm analyzes the time sequence characteristics of the attack behaviors with a support evaluation method.An optimized candidate attack sequence generation method is used to replace the complex pre-defined association rules and expert knowledge dependency.An enhanced k-anonymity method is used to protect user privacy.Tests indicate that the privacy-preserving multi-step attack correlation reduces both the false positive ratio and the false negative ratio during multi-step attack correlations,which ensures better accuracy.This also provides better attack scenario construction while protecting sensitive alert information as tradeoff between correlation efficiency and privacy protection.
关键词
入侵检测/多步攻击/报警关联/隐私保护/序列模式Key words
intrusion detection/multi-step attack/alert correlation/privacy-preserving/sequential pattern引用本文复制引用
出版年
2012
国家科技期刊平台
NSTL
维普
万方数据