Huazhong University of Science and Technology
Master's Degree Thesis

Research on an Improved HMM-Based Network Security Risk Assessment Method

Name: 董静 (Dong Jing)
Degree applied for: Master
Major: Computer System Architecture
Supervisor: 李之棠 (Li Zhitang)
Date: 2008-06-03

Abstract

With the extensive application of computer network technology, network security has become increasingly important and is now an important part of national security. The key to improving network security is how to accurately assess the risk of a network. Traditional risk assessment methods for network security can only perform static risk assessment and cannot reflect the real-time threat and risk status. Based on this research, a Hidden Markov Model (HMM) method of risk assessment for network security has been realized. The method takes Intrusion Detection System (IDS) alerts as input; it can quantify the risk of the network in real time and effectively assess the threat to the network, and it has great advantages compared with the traditional static approach.

Two issues in the traditional HMM method of risk assessment for network security, namely the difficulty of controlling the scale of the parameters and the difficulty of determining the parameters, have been solved. For the first, alerts are classified by assessing their threat, in order to control the scale of the observation matrix. In the process of assessing the threat, IDS events are combined with vulnerabilities, network assets and the network environment, and attacks are assessed on four factors (severity, target assets, the administrator point, and probability of success) to define the threat of an attack. According to the threat, attacks are divided into ten levels. For the second problem, genetic algorithms are used to automatically solve for the parameters of the HMM matrices: the matrices are described in binary code, and risk description rules are defined as the target of the optimization. The accuracy of parameter setting has been improved by using auto-generated parameters instead of manual settings.

The above method has been realized on the Java platform, and experiments have been done using Honeynet data and Darpa 2000 data. Experiments show that the proposed method solves the two problems of HMM-based risk assessment methods successfully, and that the system can effectively reflect the real-time network security risk situation.

Keywords: network security, risk assessment, Hidden Markov Model, threat assessment, genetic algorithms

[Note on this copy: the Chinese body text of the thesis did not survive extraction. What follows keeps only the recoverable material: section numbering, citations, the names of standards, methods and authors, the equations, tables and parameter values, and the Darpa 2000 description.]

1 Introduction

1.1 Background (surviving citations: [1], [2,3], [4], [5])

1.2 Security evaluation standards and risk assessment methods

1.2.1 Standards: TCSEC [6] (1985; four divisions, seven classes); ITSEC [7] (1990s); CC [8] (1996; ISO 15408); BS 7799 [9] (ISO 17799); ISO 13335 [10]. In China, ISO/IEC 15408 was adopted as GB/T 18336-2001 in 2001.

1.2.2 Risk assessment methods: COBRA [11] (Consultative Objective and Bi-functional Risk Analysis); OCTAVE [12] (Operationally Critical Threat, Asset and Vulnerability Evaluation, 1999).

1.2.3 Risk analysis models: Ortalo R. [13]; CORAS [14] (Consultative Objective Risk Analysis System), which is based on UML [15]; further related work in [16], [17], [18] and [19].

1.3 Real-time risk assessment: [20]; IDS-based approaches [21]; OSSIM (Open Source Security Information Management) [22]; [23,24]; Wing [25] (Attack Surface); E. Jonsson and T. Olovsson [26,27]; Gehani A. [28]; Arnes [29-31], whose real-time risk assessment uses the Hidden Markov Model (HMM) with IDS alerts as input; [32] (IDS, DDoS).

1.4 (subsections 1.4.1 and 1.4.2, the latter on the HMM method) and 1.5: text not recoverable.

2 Hidden Markov Models (HMM)

2.1 Overview. The theory of HMMs was developed by Baum and Welch in the 1960s [33,34]; see also [35].

2.1.1 Markov chains

Let the process take values in the state set $\{s_1, s_2, \ldots, s_N\}$ and let $O_t$ denote its state at time $t$. The process is a Markov chain if, for any $m$, $k$ and any states $q_1, q_2, \ldots, q_{m+k} \in \{s_1, s_2, \ldots, s_N\}$,

$$P(O_{m+k} = q_{m+k} \mid O_m = q_m, O_{m-1} = q_{m-1}, \ldots, O_1 = q_1) = P(O_{m+k} = q_{m+k} \mid O_m = q_m).$$

The $k$-step transition probability from time $m$ is

$$P_{ij}(m, m+k) = P(O_{m+k} = s_j \mid O_m = s_i), \qquad 1 \le i, j \le N.$$

The chain is homogeneous when this probability does not depend on $m$, $P_{ij}(m, m+k) = P_{ij}(k)$; with $k = 1$ this is the one-step transition probability of the Markov chain.

2.1.2 Hidden Markov models

An HMM [36] is a Markov chain whose states are not observed directly; each state emits an observation symbol according to its own probability distribution. The weather example: the hidden states are Sun, Cloud and Rain, and the observation symbols are Soggy, Damp, Dryish and Dry (Figure 2-1, Table 2-1). The initial distribution is $P(\mathrm{Sun}, \mathrm{Cloud}, \mathrm{Rain}) = (1, 0, 0)$. The state transition matrix (rows: from Sun, Cloud, Rain; columns: to Sun, Cloud, Rain) is

$$Trans = \begin{pmatrix} 0.5 & 0.35 & 0.15 \\ 0.25 & 0.4 & 0.35 \\ 0.4 & 0.2 & 0.4 \end{pmatrix}$$

and the observation matrix (rows: Sun, Cloud, Rain; columns: Dry, Dryish, Damp, Soggy) is

$$Obs = \begin{pmatrix} 0.6 & 0.2 & 0.15 & 0.05 \\ 0.25 & 0.25 & 0.25 & 0.25 \\ 0.05 & 0.1 & 0.35 & 0.5 \end{pmatrix}.$$

Formally an HMM consists of five elements:

1. $S$: the set of $N$ hidden states of the Markov chain, $S = \{s_1, s_2, \ldots, s_N\}$; $q_t \in S$ denotes the state at time $t$.
2. $V$: the set of $M$ observation symbols, $V = \{v_1, v_2, \ldots, v_M\}$; an observation sequence of length $T$ is $O = \{o_1, o_2, \ldots, o_t, \ldots, o_T\}$ with $o_t \in V$.
3. $\pi$: the initial state distribution $\pi = \{\pi_1, \pi_2, \ldots, \pi_N\}$, $\pi_i = P(q_1 = s_i)$, $1 \le i \le N$.
4. $Trans$: the state transition matrix $Trans = \{Trans_{ij}\}$, $Trans_{ij} = P(q_{t+1} = s_j \mid q_t = s_i)$, $1 \le i, j \le N$.
5. $Obs$: the observation matrix $Obs = \{obs_j(m)\}$, $obs_j(m) = P(o_t = v_m \mid q_t = s_j)$, $1 \le m \le M$, $1 \le j \le N$.

The model is written $\lambda = (S, V, \pi, Trans, Obs)$.

2.2 HMM-based network security risk assessment with IDS alerts

Each monitored host is modelled by an HMM whose observations are the IDS alerts concerning that host. The hidden state set is $S = \{G, P, A, C\}$ with $N = 4$: $s_1 = G$ (Good), $s_2 = P$ (Probed), $s_3 = A$ (Attacked), $s_4 = C$ (Compromised); the transitions between G, P, A and C are shown in Figure 2-2. As before, $V = \{v_1, \ldots, v_M\}$ is the set of $M$ observation symbols and $O = \{o_1, \ldots, o_t, \ldots, o_T\}$, $o_t \in V$, the observation sequence, and the model is $\lambda = (\pi, Trans, Obs)$ with

$$Trans_{ij} = P(q_{t+1} = s_j \mid q_t = s_i), \qquad 1 \le i, j \le N,$$

$$Obs_{nm} = P(o_t = a_m \mid q_t = s_n), \qquad 1 \le n \le N,\ 1 \le m \le M,$$

where $a_m$ is the $m$-th alert class. The initial distribution $\pi = (r_1, \ldots, r_N)$ is the state distribution before any alert is seen. At time $t$ the state distribution of a host is the vector $r_t = \{r_t(i)\}$, $1 \le i \le N$,

$$r_t(i) = P(q_t = s_i \mid y), \qquad (2\text{-}1)$$

where $y$ is the alert sequence observed up to time $t$. With the cost vector $C = \{1, 10, 20, 100\}$ assigning a cost $c_i$ to each state, the risk of the host at time $t$ is

$$R_t = \sum_{i=1}^{N} r_t(i)\, c_i, \qquad (2\text{-}2)$$

and the risk of a network of $L$ hosts is the sum of the host risks,

$$R_{net} = \sum_{i=1}^{L} R_i. \qquad (2\text{-}3)$$

The parameters $\pi$, $Trans$ and $Obs$ used for each host are

$$\pi = (0.7, 0.1, 0.1, 0.1),$$

$$Trans = \begin{pmatrix} 0.8 & 0.1 & 0.08 & 0.02 \\ 0.1 & 0.8 & 0.05 & 0.05 \\ 0.08 & 0.05 & 0.85 & 0.02 \\ 0.02 & 0.05 & 0.08 & 0.85 \end{pmatrix},$$

$$Obs = \begin{pmatrix} 0.2 & 0.15 & 0.15 & 0.1 & 0.1 & 0.075 & 0.075 & 0.075 & 0.05 & 0.025 \\ 0.1 & 0.1 & 0.2 & 0.15 & 0.15 & 0.075 & 0.075 & 0.075 & 0.05 & 0.025 \\ 0.025 & 0.075 & 0.075 & 0.1 & 0.15 & 0.2 & 0.15 & 0.1 & 0.075 & 0.05 \\ 0.025 & 0.05 & 0.075 & 0.075 & 0.075 & 0.1 & 0.15 & 0.15 & 0.2 & 0.1 \end{pmatrix},$$

where the rows of $Obs$ are the states G, P, A, C and its ten columns are the ten alert threat levels ($M = 10$). Every row of $Trans$ and $Obs$ sums to 1. The IDS alerts are attributed to hosts by IP address, and each host's HMM is updated with its own alerts using the shared $Trans$ and $Obs$.

2.3 The Darpa 2000 data set

2.3.1 The Darpa 2000 data set [37] contains traffic from four class C subnets, 172.16.112.0/24, 172.16.113.0/24, 172.16.114.0/24 and 172.16.115.0/24, monitored with Snort as the IDS. Three hosts are the victims: Mill (172.16.115.20), Pascal (172.16.112.50) and Locke (172.16.112.10). The attacker runs a DDoS scenario in five phases (Figure 2-3): IP Sweep, Sadmind Ping, Sadmind Exploit, Installing DDoS Software, and DDoS Attack.

1. IP sweep of the address range to find live hosts.
2. Sadmind Ping to identify the hosts running the sadmind service: Mill, Pascal and Locke.
3. Sadmind exploit: break-in to Mill, Pascal and Locke.
4. Installation of the DDoS software on Mill, Pascal and Locke over RSH: the Mstream server on the three hosts and the Mstream master.
5. DDoS attack launched by connecting to the master servers over Telnet.

Snort v2.4 was run over the Darpa 2000 data; Figure 2-4 groups the resulting alerts by attack phase (IPsweep, Sadmind Ping, Sadmind Exploit, Daemon Installed, DDoS Attack). The Snort alerts observed include:

- ICMP echo request
- ICMP echo reply
- RPC portmap Sadmind request UDP
- RPC Sadmind UDP PING
- RPC Sadmind request query with root credentials attempt UDP
- ATTACK-RESPONSES directory listing
- RPC portmap Solaris sadmin port query udp request
- RPC por
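The recursion behind Equations (2-1) to (2-3) of Section 2.2, written out as an added example; this is not the thesis's own Java implementation, which is not on the page. It uses the $\pi$, $Trans$, $Obs$ and $C = \{1, 10, 20, 100\}$ values quoted above and computes $r_t$ with the standard HMM forward (filtering) recursion, which is assumed to be how the model is updated; the alert sequences are constructed sample input, each alert already mapped to one of the ten threat levels, and the host names are borrowed from the Darpa 2000 description only as labels.

```python
"""Added example: HMM-based real-time risk assessment in the style of
Section 2.2.  Model parameters are the thesis's values; the alert
sequences at the bottom are constructed sample input."""

STATES = ("G", "P", "A", "C")   # Good, Probed, Attacked, Compromised
COST = [1, 10, 20, 100]         # c_i, cost of being in state s_i
PI = [0.7, 0.1, 0.1, 0.1]       # initial state distribution

# Trans[i][j] = P(q_{t+1} = s_j | q_t = s_i)
TRANS = [
    [0.80, 0.10, 0.08, 0.02],
    [0.10, 0.80, 0.05, 0.05],
    [0.08, 0.05, 0.85, 0.02],
    [0.02, 0.05, 0.08, 0.85],
]

# Obs[n][m] = P(o_t = a_{m+1} | q_t = s_n); the ten columns are the
# ten alert threat levels (1 = lowest threat, 10 = highest).
OBS = [
    [0.2, 0.15, 0.15, 0.1, 0.1, 0.075, 0.075, 0.075, 0.05, 0.025],
    [0.1, 0.1, 0.2, 0.15, 0.15, 0.075, 0.075, 0.075, 0.05, 0.025],
    [0.025, 0.075, 0.075, 0.1, 0.15, 0.2, 0.15, 0.1, 0.075, 0.05],
    [0.025, 0.05, 0.075, 0.075, 0.075, 0.1, 0.15, 0.15, 0.2, 0.1],
]


def forward_step(r_prev, level):
    """One step of the forward recursion (assumed update rule for (2-1)).

    r_prev : state distribution of the host after the previous alert.
    level  : threat level (1..10) of the newly received alert.
    Returns r_t(i) = P(q_t = s_i | alerts so far), normalised to sum 1.
    """
    if not 1 <= level <= len(OBS[0]):
        raise ValueError(f"threat level must be 1..{len(OBS[0])}, got {level}")
    m = level - 1
    n = len(STATES)
    # Predict: propagate the previous distribution through Trans.
    predicted = [sum(r_prev[i] * TRANS[i][j] for i in range(n)) for j in range(n)]
    # Update: weight each state by how likely it is to emit this alert.
    unnorm = [predicted[j] * OBS[j][m] for j in range(n)]
    total = sum(unnorm)
    return [u / total for u in unnorm]


def host_risk(r):
    """R_t = sum_i r_t(i) * c_i   (2-2)."""
    return sum(ri * ci for ri, ci in zip(r, COST))


def assess_host(alert_levels, pi=PI):
    """Filter a host's alert sequence; returns (final r_T, [R_1, ..., R_T])."""
    r = list(pi)
    risks = []
    for level in alert_levels:
        r = forward_step(r, level)
        risks.append(host_risk(r))
    return r, risks


def network_risk(host_risks):
    """R_net = sum over the L hosts of their current risk   (2-3)."""
    return sum(host_risks)


if __name__ == "__main__":
    # Constructed sample input: one threat-level sequence per host.
    hosts = {
        "mill": [1, 1, 2, 5, 7, 9, 10],   # escalating activity
        "pascal": [1, 2, 1, 1, 1],        # background noise only
        "locke": [3, 3, 8, 8, 8],
    }
    current = {}
    for name, levels in hosts.items():
        r, risks = assess_host(levels)
        current[name] = risks[-1]
        print(f"{name:7s} r_T = {[round(x, 3) for x in r]}  R_T = {risks[-1]:.2f}")
    print(f"R_net = {network_risk(current.values()):.2f}")
```

Before any alert the risk of a host is $0.7 \cdot 1 + 0.1 \cdot 10 + 0.1 \cdot 20 + 0.1 \cdot 100 = 13.7$; a single level-1 alert pulls it down to about 4.46 because the G row of $Obs$ dominates at low levels, and a single level-10 alert pushes it to about 34.5. Because the filter is run per host with the same $Trans$ and $Obs$, scaling the network means adding hosts, not parameters, which is the point of classifying alerts into ten levels.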