基于警报关联的威胁行为检测技术综述.docVIP

基于警报关联的威胁行为检测技术综述 王意洁I，程力I，马行空2 (1.国防科学技术大学计算机学院并行与分布处理重点实验室，湖南长沙410073； 2.国防科学技术大学计算机学院网络工程系，湖南长沙410073) 摘要：基于警报关联的网络威胁行为检测技术因共与网络上大量部署的安全产品耦合，且能充分挖掘异常事件 之间的关联关系以提供场景还原证据，正成为复杂威胁行为检测的研究热点。从威胁行为和网络安全环境的特点出 发，引出威胁行为检测的应用需求和分类，介绍基于警报关联的威胁行为检测的基本概念和系统模型；重点论述作 为模型核心的警报关联方法，并分类介绍了各类典型算法的基木原理和特点，包括基于因果逻辑的方法、基于场景 的方法、基于相似性的方法和基于数据挖掘的方法；并结合实例介绍了威胁行为检测系统的三种典型结构，即集中 式结构、层次式结构和分布式结构；基于当前研究现状，提出了对未來研究趋势的一些认识。 关键词：威胁行为检测；警报关联；检测模型；检测系统结构 中图分类号：TP393 文献标志码：A 文章编号： A Survey of Alert-Correlation Based Network Threat Detection Techniques WANG Yijie1, CHENG Li1, MA Xingkong2 (1. National Key Laboratory for Parallel and Distributed Processing, College of Computer. National University of DefenseTechnology, Changsha 410073, China; 2. Department of Network Engineering, College of Computer, National University of Defense Technology,Changsha, Hunan, 410073, China) Abstract: The rapid development of Internet also causes more and more network threats? How to detect the network threats in a real-time and accurate manner becomes one of the key technique issues? The alcrt-corrclation-bascd network threat detection technique is becoming the research hotspot, which couples with the widely used security products and fully exploits the relation between abnormal events to reconstruct the attack scenario? Starling from the features of network threats and security environment, the requirements and classification of network threat detection are introduced? Then we illuslrate the basic concepts and system model of alert-coiTelatiobased network threat detection technique are in detail? We focus on the key module of the model, alert correlation method, stating the fundamentals and features of different kinds of typical algorithm in detail, including causal-relation-based method, case-based method, similarity-based method and data-mining-based method? Furlhermore, three kinds of representative detection system architectures are discussed with practical instances, namely centralized architecture, hierarch