
Research On Key Technologies Of Network Threat Situation Based On Multi-Source Log

Posted on: 2019-01-30    Degree: Master    Type: Thesis
Country: China    Candidate: T Zhao    Full Text: PDF
GTID: 2348330566964287    Subject: Engineering
Abstract/Summary:
With the rapid development of information technology, society has entered the era of big data. Network threat situation, the primary index of network security situation awareness, has become an important factor in enterprise security. By extracting asset values, threat exploitability and security-device information from the network, it evaluates the probability that an attack succeeds and forms the basis of network security management. As attack methods have changed qualitatively, traditional threat assessment has not kept up with the demands of network development: it handles multi-source heterogeneous data poorly and its framework fuses them weakly; it depends heavily on expert knowledge and therefore has a high false-alarm rate; and its evaluation is mainly static, so it cannot respond to the security situation in real time or adapt to today's complex and changing networks. Based on an analysis of current threat situation assessment technology, this thesis studies the key technologies of network threat situation assessment based on multi-source logs. The main work and contributions are as follows:

(1) To address the weak correlation between attributes and the low aggregation rate in multi-source log analysis, a multi-source log security event extraction method based on Str-FSFDP (stream-oriented fast search and find of density peaks) density-peak clustering is proposed. It exploits the correlation between log attribute types and makes full use of the heterogeneity of the multiple log sources. At the same time, a UHAD (unsupervised heterogeneous anomaly detection) framework based on a micro-cluster time threshold is proposed, which solves the problem of aggregation being either too frequent or too sparse during log aggregation. The method ensures high correlation within each cluster of logs and accurate aggregation, and reduces the system's false-alarm rate.

(2) To address the static, fixed nature of attack graphs, an attack graph model based on activity theory (ATM) is presented. The internal contradictions in the attacker's behaviour are analysed with activity theory, the contradiction vector in the attack graph is quantified, and the attacker's "loss/gain" value at each attack graph node is calculated. Taking the attacker's budget constraint into account, the attacker's "loss/gain" value is used as the no-deviation quantity in an improved least-squares genetic algorithm: the constrained problem is converted into an unconstrained one, the objective function (the attacker's gain) is fitted to produce the fitness function, and the optimal population is selected by that fitness function. In this way the attacker's maximum-probability path evolves dynamically as the evidence changes, giving more accurate and dynamic threat assessment results.

(3) To address the single-source and one-sided nature of threat situation evaluation, this thesis presents a prototype network threat situation assessment system based on multi-source logs. The prototype integrates multi-source log analysis with the attack graph and carries out a comprehensive threat assessment of each host and the network environment it sits in. It combines the security events extracted from the logs with the network topology and vulnerabilities, and dynamically adjusts the attacker's "loss/gain" values in the activity-theory attack graph using the evidence produced by the host profiling module. The system includes host profiling and network profiling, and online and offline components that dynamically evaluate the attacker's maximum-probability path. In this way the static nature of both the attack graph and traditional multi-source log analysis is avoided, and threat values can be detected dynamically.
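Contribution (1) rests on density-peak clustering over mixed-attribute log records. The following added example is not code from the thesis (its Str-FSFDP and UHAD variants are not reproduced): it implements the basic fast-search-and-find-of-density-peaks algorithm of Rodriguez and Laio over constructed events from three hypothetical log sources, using a Gower-style mixed-attribute distance and a Gaussian-kernel local density. The event records, attribute names, cutoff distance d_c = 0.3 and the choice of k = 3 centres by the rho·delta decision score are all assumptions made for the example.

```python
"""Density-peak clustering of mixed-attribute security events from several logs.
Added example: basic FSFDP (Rodriguez & Laio) with a Gower-style distance;
not the thesis's Str-FSFDP / UHAD implementation."""
import math

# Constructed sample events (assumption, not data from the thesis): records from
# three log sources already normalised to one schema. Indices 0-3 are an SSH
# brute-force burst, 4-7 a port scan, 8-11 benign HTTPS traffic.
EVENTS = [
    {"t": 100, "src": "10.0.0.5", "dport": "22", "type": "auth_fail", "log": "sshd"},
    {"t": 103, "src": "10.0.0.5", "dport": "22", "type": "auth_fail", "log": "sshd"},
    {"t": 106, "src": "10.0.0.5", "dport": "22", "type": "auth_fail", "log": "sshd"},
    {"t": 109, "src": "10.0.0.5", "dport": "22", "type": "bruteforce_alert", "log": "suricata"},
    {"t": 500, "src": "10.0.0.9", "dport": "80", "type": "conn_deny", "log": "firewall"},
    {"t": 501, "src": "10.0.0.9", "dport": "443", "type": "conn_deny", "log": "firewall"},
    {"t": 502, "src": "10.0.0.9", "dport": "8080", "type": "conn_deny", "log": "firewall"},
    {"t": 503, "src": "10.0.0.9", "dport": "3389", "type": "scan_alert", "log": "suricata"},
    {"t": 900, "src": "10.0.0.20", "dport": "443", "type": "conn_allow", "log": "firewall"},
    {"t": 905, "src": "10.0.0.21", "dport": "443", "type": "conn_allow", "log": "firewall"},
    {"t": 910, "src": "10.0.0.22", "dport": "443", "type": "conn_allow", "log": "firewall"},
    {"t": 915, "src": "10.0.0.20", "dport": "443", "type": "conn_allow", "log": "firewall"},
]

NUMERIC = ("t",)                               # numeric fields: normalised |difference|
CATEGORICAL = ("src", "dport", "type", "log")  # categorical fields: 0/1 mismatch


def mixed_distance(a, b, ranges):
    """Gower-style distance in [0, 1] averaged over numeric and categorical attributes."""
    total = 0.0
    for k in NUMERIC:
        total += abs(a[k] - b[k]) / ranges[k] if ranges[k] else 0.0
    for k in CATEGORICAL:
        total += 0.0 if a[k] == b[k] else 1.0
    return total / (len(NUMERIC) + len(CATEGORICAL))


def distance_matrix(events):
    ranges = {k: max(e[k] for e in events) - min(e[k] for e in events) for k in NUMERIC}
    n = len(events)
    d = [[0.0] * n for _ in range(n)]
    for i in range(n):
        for j in range(i + 1, n):
            d[i][j] = d[j][i] = mixed_distance(events[i], events[j], ranges)
    return d


def density_peaks(d, k, d_c):
    """Return (labels, rho, delta) for distance matrix d, choosing k centres.
    rho_i: Gaussian-kernel local density; delta_i: distance to the nearest
    point of higher density (largest distance for the densest point)."""
    n = len(d)
    rho = [sum(math.exp(-(d[i][j] / d_c) ** 2) for j in range(n) if j != i) for i in range(n)]
    order = sorted(range(n), key=lambda i: (-rho[i], i))  # deterministic tie-break
    delta = [0.0] * n
    nearest_higher = [-1] * n
    for pos, i in enumerate(order):
        if pos == 0:
            delta[i] = max(d[i])
            continue
        q = min(order[:pos], key=lambda p: d[i][p])
        nearest_higher[i], delta[i] = q, d[i][q]
    # Decision-graph score: centres are points that are both dense and far from
    # any denser point. The k highest scores are taken as centres (assumption).
    gamma = [rho[i] * delta[i] for i in range(n)]
    centers = sorted(range(n), key=lambda i: -gamma[i])[:k]
    if order[0] not in centers:  # the densest point always heads a cluster
        centers[-1] = order[0]
    labels = [-1] * n
    for c_id, i in enumerate(centers):
        labels[i] = c_id
    # Assign the rest in decreasing density: each point joins the cluster of
    # its nearest denser neighbour, which has already been labelled.
    for i in order:
        if labels[i] < 0:
            labels[i] = labels[nearest_higher[i]]
    return labels, rho, delta


def cluster_events(events=EVENTS, k=3, d_c=0.3):
    """Cluster security events; returns one cluster label per event."""
    labels, _, _ = density_peaks(distance_matrix(events), k, d_c)
    return labels


if __name__ == "__main__":
    labels = cluster_events()
    for c in sorted(set(labels)):
        members = [i for i, lab in enumerate(labels) if lab == c]
        print(f"cluster {c}:", [(EVENTS[i]["src"], EVENTS[i]["type"]) for i in members])
```

With these inputs the three bursts land in three separate clusters even though each burst mixes records from two log sources; the Suricata alerts attach to the firewall or sshd records they correlate with because the nearest denser neighbour rule follows the shared source address and time, not the log source. The cutoff d_c is the sensitive parameter: Rodriguez and Laio suggest choosing it so that each point has on the order of 1 to 2 percent of the others as neighbours, and a streaming variant has to re-estimate it as the window moves.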
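Contribution (2) turns the budgeted attack-path problem into an unconstrained genetic-algorithm search. The following added example is not from the thesis (its least-squares variant and the activity-theory contradiction vector are not reproduced): it shows the idea on a constructed attack graph with hypothetical hosts and exploit names, where the fitness is the attacker's expected gain (success probability times asset value) minus a penalty for budget overrun, and re-running the search after a log event re-estimates one exploit's success probability shows how the maximum-probability path changes with evidence. The graph, probabilities, costs, gains, budget and penalty weight are all assumptions made for the example.

```python
"""Attacker path search in an attack graph with a genetic algorithm.
Added example, not the thesis's code: the budget constraint is folded into the
fitness as a penalty, and the search is re-run when log evidence changes an
exploit's success probability."""
import random
from dataclasses import dataclass


@dataclass
class Exploit:
    src: str      # node (host / privilege state) the attacker already holds
    dst: str      # node reached when the exploit succeeds
    name: str
    p: float      # estimated probability of success
    cost: float   # attacker effort spent on this step (the "loss")


@dataclass
class AttackGraph:
    entry: str
    target: str
    gains: dict      # node -> value the attacker obtains by reaching it (the "gain")
    exploits: list

    def out_edges(self, node):
        return [e for e in self.exploits if e.src == node]

    def set_probability(self, name, p):
        """Evidence update: a log or IDS event re-estimates one exploit's probability."""
        for e in self.exploits:
            if e.name == name:
                e.p = p


def build_graph():
    """Constructed example graph (hypothetical hosts and exploit names)."""
    return AttackGraph(
        entry="internet", target="db",
        gains={"web": 10, "mail": 10, "vpn": 5, "app": 20, "db": 100},
        exploits=[
            Exploit("internet", "web", "web_rce", 0.6, 3),
            Exploit("internet", "mail", "mail_auth_bypass", 0.3, 2),
            Exploit("internet", "vpn", "vpn_cred_spray", 0.2, 1),
            Exploit("web", "app", "app_ssrf", 0.7, 2),
            Exploit("web", "db", "web_db_creds", 0.2, 1),
            Exploit("mail", "app", "mail_lateral", 0.5, 2),
            Exploit("vpn", "db", "vpn_db_direct", 0.5, 4),
            Exploit("app", "db", "app_sqli", 0.8, 2),
        ],
    )


GENOME_LEN = 4  # max path length in edges; each gene picks an out-edge by index


def decode(graph, genome):
    """Walk the graph from the entry node, gene i choosing the i-th step's out-edge."""
    node, path, edges = graph.entry, [graph.entry], []
    for g in genome:
        outs = graph.out_edges(node)
        if node == graph.target or not outs:
            break
        e = outs[g % len(outs)]
        edges.append(e)
        node = e.dst
        path.append(node)
    return path, edges


def fitness(graph, genome, budget, penalty=100.0):
    """Expected attacker gain along the decoded path, with the budget constraint
    turned into a penalty so the search space stays unconstrained."""
    path, edges = decode(graph, genome)
    prob = 1.0
    for e in edges:
        prob *= e.p
    cost = sum(e.cost for e in edges)
    gain = sum(graph.gains.get(n, 0) for n in path[1:])
    return prob * gain - penalty * max(0.0, cost - budget)


def evolve(graph, budget, seed=7, pop_size=30, generations=50, mutation_rate=0.2):
    """Plain GA: tournament selection, one-point crossover, mutation, elitism."""
    rng = random.Random(seed)
    max_out = max(len(graph.out_edges(e.src)) for e in graph.exploits)

    def fit(g):
        return fitness(graph, g, budget)

    def tournament(pop):
        return max(rng.sample(pop, 3), key=fit)

    pop = [[rng.randrange(max_out) for _ in range(GENOME_LEN)] for _ in range(pop_size)]
    best = max(pop, key=fit)
    for _ in range(generations):
        ranked = sorted(pop, key=fit, reverse=True)
        nxt = [list(g) for g in ranked[:2]]  # elitism keeps the two best
        while len(nxt) < pop_size:
            a, b = tournament(pop), tournament(pop)
            cut = rng.randrange(1, GENOME_LEN)
            child = a[:cut] + b[cut:]
            if rng.random() < mutation_rate:
                child[rng.randrange(GENOME_LEN)] = rng.randrange(max_out)
            nxt.append(child)
        pop = nxt
        cand = max(pop, key=fit)
        if fit(cand) > fit(best):
            best = list(cand)
    path, _ = decode(graph, best)
    return path, fit(best)


def demo(budget=6):
    """Best path before and after one piece of log evidence (constructed scenario)."""
    graph = build_graph()
    before = evolve(graph, budget)
    # Evidence from the logs: credential spraying against the VPN succeeded,
    # so that step's success probability is re-estimated upwards.
    graph.set_probability("vpn_cred_spray", 0.9)
    after = evolve(graph, budget)
    return before, after


if __name__ == "__main__":
    (p1, f1), (p2, f2) = demo()
    print("before evidence:", " -> ".join(p1), round(f1, 2))
    print("after evidence: ", " -> ".join(p2), round(f2, 2))
```

Before the evidence arrives, the most likely route within the budget is through the mail server, even though the web-server route has a higher raw success probability, because its cost exceeds the budget and the penalty removes it. Once the logs show the VPN step succeeding, the VPN route becomes the maximum-probability path without any change to the graph's structure, which is the dynamic behaviour the thesis attributes to evidence-driven updates of the attack graph.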
Keywords/Search Tags:Multi-source log, Attack graph, Mixed attribute, Unsupervised malicious detection, Genetic algorithm