Worm Detection Based on OSSIM Correlation Analysis Technology
Abstract
A network worm is an automated attack program that propagates on a large scale by scanning for and attacking node hosts on the network that have system vulnerabilities. Network worms have become a public hazard that seriously threatens network security, and developing efficient, practical network worm detection techniques has become a research hotspot in academia in recent years.
     According to the typical intrusion and propagation pattern of worms, the security events caused by a worm outbreak are sequentially correlated: if the result of the previous attack stage is one of the preconditions for the success of the next attack, then the two attacks are not only correlated but are also two steps of the same attack series. This thesis proposes a worm detection method based on sequential heuristic correlation; by formalizing the network worm intrusion process, a general rule for detecting typical network worms can be given.
     The well-known open-source system OSSIM is a centralized security event management platform; the correlation engine it provides supports detecting various kinds of attack events with different correlation rules, and those rules can be built as XML documents. This thesis studies OSSIM's architecture and the application of its correlation analysis technology in depth, and gives a general worm detection rule based on sequential heuristic correlation. Experiments are carried out using the DCOM worm attack as an example; the test results show that applying this rule on the OSSIM platform yields accurate and reliable detection results.
A network worm is an automated invasive program that achieves large-scale dissemination by scanning for and exploiting system vulnerabilities in node hosts. Network worms have become a serious threat to networks; therefore, the development of highly efficient and practical detection technology has become a focus of academic research.
     According to the typical worm's invasion and spread model, a worm outbreak produces a series of related security incidents. That is, if the result of the last attack step is a precondition of the next successful attack, then these two attacks are related and are two steps of the same attack. In this paper, the author proposes a worm detection method based on sequence-heuristic correlation technology, and gives general detection rules for typical network worms by analysing the formalized network worm invasion process.
     OSSIM, a well-known open-source system, is a centralized security incident management platform. It provides a correlation engine that detects different types of incidents using correlation rules, which can be constructed as XML files. This paper studies the OSSIM architecture and its correlation analysis technology in depth, and presents general rules for worm detection based on sequence-heuristic correlation technology. The author has carried out experiments on the DCOM worm, and the test results show that detection results are more accurate and reliable when correlation rules are used on OSSIM.

© 2004-2018 China Geological Library. All rights reserved. 京ICP备05064691号 京公网安备11010802017129号
