Research and Implementation of a Network Security Situation System Based on Multi-Source Logs
Abstract
With the continuous development of network security protection technology, more and more security devices are deployed in networks. Although these devices are effective in certain respects, efficiently analysing the massive volume of log data produced by these relatively independent devices, so as to grasp the network security situation effectively, has become a major problem facing security administrators. To address this problem, this thesis studies and designs a network security situation system based on multi-source logs.
The thesis first analyses the background and significance of network security situation systems, compares the progress of domestic and foreign research on such systems, and identifies the aspects that need improvement; it summarises the related concepts of network security situation, its research content and the mainstream situation technologies, gives the concept, classification, common formats and applications of logs, and points out the importance of logs in network security situation.
Next, a conceptual model of network security situation is established, and a system architecture framework is designed on the basis of that model; the network security situation analysis method is studied from the perspectives of analysis elements, computation model and analysis process. Then, starting from the system requirements and design principles, the system's deployment structure, functional module division, communication protocol design and security design are studied in turn.
The main functional modules of the system are designed and implemented, including log collection, log analysis, situation data generation, situation display, security response and system management; an application example and system tests are given, verifying the usability and accuracy of the system.
Finally, the thesis summarises the work and innovations of the whole text and points out the shortcomings of the system and the next steps.
Research and Implementation of a Multiform Log Based Network Security Situation System
With the development of network security protection technology, more and more security devices come into use and have a certain effect. However, they are relatively self-governed. As a result, security staff can hardly analyze all of the logs produced by them effectively within finite time, let alone master the network security situation in depth. A multiform log based network security situation system is designed and implemented to solve this problem.
This paper firstly analyzes the background and meaning of this system. Based on a comparison among the existing technologies and products, a new method is provided to improve on the traditional method. Secondly, the paper discusses the concept and content of network security situation, and several popular network security situation technologies. The classification and formats of logs are also presented, and the importance of logs in the network security situation is pointed out. Thirdly, the paper builds the model of network security situation, and then designs the system framework. The method of network security situation analysis is presented. Fourthly, the paper starts with the requirements and principles, and then the system is designed in depth, including deployment, function framework, communication protocols and self-security. Fifthly, every function module is designed and implemented in detail, including log collection, log analysis, network security situation data generation, network security situation display, security response and system maintenance. An application example is given to test the usability of this system.
At last, the paper points out the innovations, and discusses the flaws of this system and the further work.
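The log collection, log analysis and situation data generation steps described in both abstracts above, as an added example that is not code from the thesis: it parses constructed syslog-style lines from two assumed device formats (a firewall and an IDS, both hypothetical) into one common event schema and aggregates them per protected host with assumed weights.

```python
import re
from collections import defaultdict

# Constructed sample lines in two hypothetical device formats (not from the thesis)
SAMPLE_LOGS = [
    "<134>Mar 10 10:01:02 fw01 kernel: DENY TCP 10.0.0.5:4444 -> 192.168.1.10:22",
    "<134>Mar 10 10:01:03 fw01 kernel: DENY TCP 10.0.0.5:4445 -> 192.168.1.10:23",
    "<132>Mar 10 10:01:05 ids01 snort[123]: [1:999999:1] SCAN SSH probe {TCP} 10.0.0.5:4446 -> 192.168.1.10:22",
    "<134>Mar 10 10:02:00 fw01 kernel: ALLOW TCP 10.0.0.7:51000 -> 192.168.1.20:443",
]

# RFC 3164 style header: <PRI>timestamp host message; the two message formats are assumed
SYSLOG_RE = re.compile(r"^<(?P<pri>\d{1,3})>(?P<ts>\w{3} +\d+ \d\d:\d\d:\d\d) (?P<host>\S+) (?P<msg>.*)$")
FW_RE = re.compile(r"^kernel: (?P<action>DENY|ALLOW) (?P<proto>\w+) (?P<src>[\d.]+):\d+ -> (?P<dst>[\d.]+):(?P<dport>\d+)$")
IDS_RE = re.compile(r"^snort\[\d+\]: \[[\d:]+\] (?P<sig>.+?) \{(?P<proto>\w+)\} (?P<src>[\d.]+):\d+ -> (?P<dst>[\d.]+):(?P<dport>\d+)$")

# Assumed weights for turning normalized events into situation data
WEIGHTS = {"ids": 3, "firewall_deny": 1, "firewall_allow": 0}


def normalize(line):
    """Map one raw line from any supported source onto a common event schema."""
    m = SYSLOG_RE.match(line)
    if not m:
        return None  # unparseable lines are dropped, not guessed
    severity = int(m["pri"]) % 8  # PRI = facility * 8 + severity
    fw = FW_RE.match(m["msg"])
    if fw:
        kind = "firewall_" + fw["action"].lower()
        return {"sensor": m["host"], "kind": kind, "severity": severity, "sig": kind,
                "src": fw["src"], "dst": fw["dst"], "dport": int(fw["dport"])}
    ids = IDS_RE.match(m["msg"])
    if ids:
        return {"sensor": m["host"], "kind": "ids", "severity": severity, "sig": ids["sig"],
                "src": ids["src"], "dst": ids["dst"], "dport": int(ids["dport"])}
    return None  # known header, unknown body: a new source needs its own parser


def situation(lines):
    """Aggregate normalized events per protected host into simple situation data."""
    result = defaultdict(lambda: {"score": 0, "events": 0, "sources": set()})
    for line in lines:
        ev = normalize(line)
        if ev is None:
            continue
        entry = result[ev["dst"]]
        entry["score"] += WEIGHTS[ev["kind"]]
        entry["events"] += 1
        entry["sources"].add(ev["src"])
    return dict(result)
```

Running `situation(SAMPLE_LOGS)` scores 192.168.1.10 at 5 from three events of two sensors, while the permitted connection to 192.168.1.20 is counted but contributes nothing.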