网络安全风险分析的事件关联研究

上海交通大学硕士学位论文网络安全风险分析的事件关联研究姓名：褚音申请学位级别：硕士专业：计算机应用技术指导教师：谷大武20050601-5--6-ABSTRACTCurrentComputerNetworksSystemisexposedtoinvolutethreats,includingdelugedvirus,multiformandstochasticattacksetc.Thewaysofattackshasbecomemoreandmoreintricateandcovert,andthesecurityproblemsalsohavebecomeworseandworse.Practiceinthefieldindicatesthatit’shardtoeffectivelymanageandcontrolriskonlybyupgradingsinglesecuritycomponentssuchasfirewall,vulnerabilityscannerandIDSetc,orbypiledsecuritycomponentstogether,thesecurityofsystemisstillweak.AnIntegratedSecurityRiskManagementSystemisaneffectiveapproach,andcouldberegardedasauniformmeasuretoreinforcethedefense.EventCorrelationhasbecomethecoretechniqueinimplementingsuchRiskmanagementSystem.EventCorrelationanalyzescorrelativerelationshipamongvastofdiscreteinformationmonitoringandrecordedbyvarioussecuritycomponents,improvesbothsensitivityandveracityofriskdetection,therebyguidingtoapplyappropriatedefendingmeasurements.Mostofeventcorrelationresearchatpresentisabstractinconceptanddiversiforminmethod,andprototyperelatedresearchisbasicallyinleadingstrings.Existingcorrelationtoolsorapplicationsystemsareoftenheavyweightsolutionswithcomplicateddesign,beingthereforeinflexiblefordeployingtofitinwithdiffernetworks.Inaddition,mostofsolutionsofeventcorrelationtendtobesecurityapplicationcondition-dependent,anddifficulttoaccommodatethedynamicsofsecuritycircumstance.Thispaperpresentsareformativeschemeanddescribesitsdesignandimplementationbyproposingtwokeytechniques:CompositeEventDetectionMechanismandDynamicExtendingMechanism.Comparingwithexistingeventcorrelationsolution,thispaperextendsearlierworkonCompositeEventDetectionMechanism.TheGlobaltimingdomainandahierarchicalarchitectureofexpressinginformationimplicationareintroducedtore-definethenotionofevents.Toensurethatrelationshipofeventoccurrenceisexpresseduniversallyandprecisely,SemanticOperatorsisdefinedtoexpressubiquitouslogicalrelationsamongoccurredevents,andContextismanagedtoabstractlyexpressprominentcharacteristicsofeventshappening.Inthisway,thecomplexrelationshipofeventsoccurringatsystemcancomprehensivelybedepicted,andcombinesthelogicalcoherenceaswellasspatio-temporalothernessofsuchcorrelativerelationship.Inordertoaccommodatethereal-timesecuritychangingatapplicationsystem,Rule-basedDynamicsituationdrivingframeisproposedtodesignDynamicExtendingMechanism,aimingatactualizingmulti-step,multi-route,andtemporaryjudgmentforcorrelationprocess.Inaddition,rulesanditsimplementationcarryouttheprocessofcorrelationsuccessfullytotrackthetransformofsecurityconditionandreactforwardlyforsupportinginfocollection,-7-feedback,andself-validationetc.Thispaperprovidesanefficient,feasiblesolutiontoenhancetheintegratedcapabilityofanalysisandtheextentofintelligenceofEventCorrelation.Keywords:Riskanalysis,RiskManagement,Eventcorrelation,CompositeEvent,DynamicSituation,Aggregationtreealgebra-10-1-12-1ISO133352-2SSE-CMM2-32-4COBRA2-53-13-23-33-44-14-24-35-15-25-35-45-55-65-75-8-11-1-11-1Figure1-1ConstituteoffirewallIP1.2.GatewayInternalExternalFilteFilte-12-(),-1.,2.,3.1.-13-2.1.IPTCP2.DoS3123PING3PING12TCP/IP31.-14-2.PerlC1.2.-15-Nimda1988MorrisWindowsApacheLinuxexe1989Form1995ConceptMacroLoveLetterCodeRed90Nimda30“”Windows20036BugbearBugbear.BBugbear.B-16-80%1.2.3.20004.InternetIRC(InternetRelayChat)IR(InstantMessage)1.2.3.IRCHTTP-17-“”IDSIDS-18--19-FIPS65-ALE@Risk[13]BDSSBuddyALEOCTACVEISO133352-12-1ISO13335Figure2-1ISO13335RiskmanagementrelationshipmodelSSE-CMM[16]2-2,-20-0-2SSE-CMMFigure2-2SSE-CMMRiskManagementProcedureISO/IEC17799BS7799[10],2-30-1Figure2-3Theframeofriskmanagement…….-21-1991C&ACOBRA[11]ITCOBRA1.Deterrentcontrol2.Preventativecontrol3.Correctivecontrol4.DetectivecontrolAttack2-40-1COBRAFigure2-4COBRAModelTVIImpactCRIVTR××=RRResidualRiskCIVTRR÷××=-22-COBRACOBRAFTA(Top-Down)MarkovMarkovMarkovMarkovMarkovMarkovMarkovMarkovMarkovMarkovA-23-BMarkov(FTA-FaultTreeAnalysis)FTAMarkovMarkov2-50-1Figure2-5Therelationshipbetweenriskandevents/Risk-Cryptic-NothappenRisk-Evident-HappeningEventsCauseImpact-24--25-ShaneO’DonnellOpenNMSMAJIStanifordetal.GrIDSOpen-sourceCLIPS3-13-1Figure3-1FaultlocalizationtechniquesAI-26-Rule-basedModel-basedCase-basedCausalityGraphG(E,C)NEC∈)e,(ejiiejeiejejiee→-27-jiee→jeieCodeBook&CorrelationMatrix[0,1])P,(SjijPiS3-2-28-3-1Figure3-2Theprocessofeventcorrelation,81,21,2KErrorKFaultKEvent↔→1.Setcorrelation2.Sequencecorrelation3.ThresholdcorrelationErrorK1EventEventEventK…FaultK1FaultK2Error…FaultNEventN…ErrorK2Fault……“”“”“”-29-E(t)1.Definite_Event2.Temporal_EventAbsolutetemporaleventtimestringEvent+(hh/mm/ss)mm/dd/yyRelativetemporalevent3-33-1Figure3-3CompositeeventdetectionEventsEventsEventsCompositeEventRelationshipbetweenEvents-30-3-43-2Figure3-4DynamicmechanismofcorrelationprocessDriveEventsTemporalAnalysisState-31-1.?2.3.4-1--(EventSemantic)4-1Figure4-1Theeventcoalitionmodel4-1(SemanticsOperators)(Context)4-1PrimaryEventsContextCompositeEventsOperator-32-[0,t]EE(t)E!E(t)n(E1,E2,...,En)CElE2,E1E2)t(E2E1(t)E2)(t)(E1∨=∨ElE2,E1E