With the rapid development of information technology, the reach of the Internet is constantly expanding, and network attacks are becoming increasingly diversified and complicated, so network security faces severe challenges. At present, multi-stage and highly concealed multi-step attacks have gradually become the main means of network attack. Existing research on multi-step attack correlation considers the correlation between attacks from a single perspective only and easily overlooks the intrusion logic between attacks, so the constructed attack correlation diverges from the actual situation, which affects the accuracy and rationality of security situation assessment. Therefore, comprehensively analyzing the correlation between multi-step attacks, reasonably evaluating the network security situation, and turning passive handling of attacks into active defense are of great theoretical significance and application value for optimizing network security. Aiming at the problems of incomplete correlation scenarios and wrong intrusion logic in existing attack correlation detection for multi-step attacks, this thesis studies attack correlation detection for multi-step attacks and designs a security situation assessment model based on the attack correlation relationship. Finally, a prototype network security situation assessment system is implemented and tested. The main work is as follows:

1. Aiming at the problems of incomplete correlation scenarios and wrong intrusion logic in existing research on attack correlation, this thesis proposes an attack correlation detection model for multi-step attacks. The correlation of attack events between devices in the same group and between devices in different groups is considered comprehensively. First, the attack correlation between devices in the same group is constructed from clustering, timing relationships and similar features. Second, related devices in different groups are found by depth-first traversal, and the attack correlation between devices in different groups is constructed from IP correlation; finally, a more complete attack correlation is obtained. This method applies to more attack scenarios and fills the gaps left by detection methods that correlate attacks only between devices in the same group or only between devices in different groups. In addition, a dynamic sliding window strategy finds and handles attack correlations that do not conform to the attack dependency relationship, correcting the wrong intrusion logic in the attack correlation and improving the accuracy of multi-step attack correlation. Comparative experiments on the DARPA2000 dataset show that the model extracts complete and accurate attack correlations and accurately restores attack intentions, which demonstrates the effectiveness of the model.

2. Based on the multi-step attack correlation detected above, this thesis designs a security situation assessment system based on multi-step attack correlation. Following requirements analysis, the system is divided into four modules, of which the situation awareness module and the situation visualization module are the main ones. The situation awareness module analyzes the security situation indicators comprehensively from the three aspects of threat, vulnerability and availability, constructs a security situation assessment model based on the Analytic Hierarchy Process (AHP), and quantifies the situation of each device as a numerical value. In addition, building on the visual display of attack scenarios provided by the attack correlation, the impact of each device on network security is analyzed through weight analysis, and the network security situation is finally quantified. Combining the attack correlation with the security situation assessment improves the rationality and accuracy of the assessment. The situation visualization module provides the visual display of network situation analysis, device status, attack correlation, system management and other functions. Network situation analysis evaluates the network security status and quantifies it on the scale "excellent, good, medium, poor and dangerous". On this basis, the device status display, attack correlation and system management functions show the device status, the attack distribution and the underlying data of the system respectively, helping users carry out auxiliary management tasks such as attack tracing, localization and prevention. The modules of the system cooperate with each other, giving users a reliable basis for understanding network security in an intuitive and concise form.

3. Based on the above design, this thesis implements a security situation assessment system based on multi-step attack correlation. The situation awareness module of the system performs AHP-based network security situation assessment by quantifying the situation indicators and combining the attack correlation with the security situation assessment model. Experimental verification on the DARPA attack scenario quantifies the security status of this part of the network as "dangerous", which is consistent with the security situation of the actual scenario and demonstrates the effectiveness of the module. The experiments thus show that the module's assessment results are consistent with reality and effective. In addition, the situation visualization module implements role-based permission management, improving the security of the system, and realizes the visual display of its functions with the help of front-end libraries such as ECharts. Based on the security situation analysis, the system raises alarms by e-mail, shows the global attack distribution with a draggable diagram, and offers direct queries of the database for the detailed display of the underlying data. The system provides strong guidance for users in carrying out security management.
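A small worked version of the first contribution, added here as an illustration and not the thesis's own code: alerts are linked within a group by timing order and across groups by IP correlation, a sliding window combined with an attack dependency relationship discards links with wrong intrusion logic, and depth-first traversal reconstructs the multi-step chains. The stage names, the dependency table and the alerts are constructed assumptions, and the window length is a fixed parameter rather than the thesis's dynamic strategy.

```python
from collections import defaultdict

# Attack dependency relationship: stage -> stages allowed to precede it. Stage names
# are an assumption modelled loosely on a DARPA2000-style intrusion, not the thesis's.
DEPENDS_ON = {"ip_sweep": set(), "sadmind_probe": {"ip_sweep"}, "sadmind_exploit": {"sadmind_probe"},
              "ddos_install": {"sadmind_exploit"}, "ddos_attack": {"ddos_install"}}

# Constructed sample alerts (ts in seconds; "group" is the victim device's group).
ALERTS = [
    {"ts": 0,   "type": "ip_sweep",        "src": "10.0.0.9",    "dst": "172.16.1.10", "group": "dmz"},
    {"ts": 60,  "type": "sadmind_probe",   "src": "10.0.0.9",    "dst": "172.16.1.10", "group": "dmz"},
    {"ts": 120, "type": "sadmind_exploit", "src": "10.0.0.9",    "dst": "172.16.1.10", "group": "dmz"},
    {"ts": 200, "type": "ddos_install",    "src": "10.0.0.9",    "dst": "172.16.1.10", "group": "dmz"},
    {"ts": 260, "type": "ddos_attack",     "src": "172.16.1.10", "dst": "192.168.5.5", "group": "lan"},
    # A flood with no preceding install stage in its window: must not be correlated.
    {"ts": 30,  "type": "ddos_attack",     "src": "172.16.2.7",  "dst": "192.168.5.5", "group": "lan"},
]

def link_alerts(alerts, window):
    """Directed edges (i, j): alert i directly precedes alert j. Same-group devices link
    by timing order, different groups by IP correlation (a shared address). A sliding
    window ending at each alert bounds the search; links violating DEPENDS_ON are dropped."""
    edges = []
    for j, b in enumerate(alerts):
        for i, a in enumerate(alerts):
            if not 0 < b["ts"] - a["ts"] <= window:
                continue                                   # outside the sliding window
            same_group = a["group"] == b["group"]
            shared_ip = {a["src"], a["dst"]} & {b["src"], b["dst"]}
            if (same_group or shared_ip) and a["type"] in DEPENDS_ON[b["type"]]:
                edges.append((i, j))
    return edges

def attack_chains(alerts, edges):
    """Depth-first traversal from alerts with no predecessor; each maximal path is one
    reconstructed multi-step attack, returned as alert indices in time order."""
    succ, has_pred = defaultdict(list), set()
    for i, j in edges:
        succ[i].append(j)
        has_pred.add(j)
    chains = []
    def dfs(node, path):
        if not succ[node]:
            chains.append(path)
        for nxt in succ[node]:
            dfs(nxt, path + [nxt])
    for i in range(len(alerts)):
        if i not in has_pred and succ[i]:
            dfs(i, [i])
    return chains
```

Mapping each index in a returned chain to its alert type gives the restored attack intention; the out-of-order flood at ts=30 is left unlinked because no install stage precedes it within its window.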
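An added illustration of the AHP-based assessment described in the second and third contributions (example code, not the thesis's system): weights for threat, vulnerability and availability are derived from a pairwise comparison matrix and checked for consistency, each device's situation value is computed, devices are aggregated by an importance weight, and the result is mapped onto the excellent/good/medium/poor/dangerous scale. The comparison matrix, the device indicator scores, the importance weights and the level thresholds are constructed assumptions.

```python
import math

ASPECTS = ["threat", "vulnerability", "availability"]
# Constructed pairwise comparison matrix on Saaty's 1-9 scale: entry [i][j] says how
# much more aspect i matters than aspect j. These judgements are an assumption for
# illustration, not the thesis's own.
PAIRWISE = [[1.0, 3.0, 5.0],
            [1 / 3, 1.0, 2.0],
            [1 / 5, 1 / 2, 1.0]]
RANDOM_INDEX = {1: 0.0, 2: 0.0, 3: 0.58, 4: 0.90, 5: 1.12}   # Saaty's RI values

def ahp_weights(matrix):
    """Priority vector via the row geometric-mean approximation of the eigenvector."""
    geo = [math.prod(row) ** (1 / len(row)) for row in matrix]
    return [g / sum(geo) for g in geo]

def consistency_ratio(matrix, weights):
    """CR = CI / RI; the pairwise judgements are accepted only when CR < 0.1."""
    n = len(matrix)
    aw = [sum(matrix[i][j] * weights[j] for j in range(n)) for i in range(n)]
    lam_max = sum(aw[i] / weights[i] for i in range(n)) / n
    return ((lam_max - n) / (n - 1)) / RANDOM_INDEX[n]

def situation_level(score):
    """Map a 0..1 situation value (higher is worse) onto the five-level scale (assumed cut-offs)."""
    for bound, label in ((0.2, "excellent"), (0.4, "good"), (0.6, "medium"), (0.8, "poor")):
        if score < bound:
            return label
    return "dangerous"

def device_situation(indicators, weights):
    """Weighted sum of a device's normalised threat/vulnerability/availability scores."""
    return sum(w * indicators[a] for w, a in zip(weights, ASPECTS))

def network_situation(devices, weights):
    """Aggregate device values by each device's importance weight (the weight-analysis
    step driven by the attack correlation); returns (score, level)."""
    total = sum(d["importance"] for d in devices)
    score = sum(d["importance"] / total * device_situation(d["indicators"], weights)
                for d in devices)
    return score, situation_level(score)

# Constructed sample devices: indicator scores in 0..1 (higher = worse) and importance.
DEVICES = [
    {"name": "dmz-host",    "importance": 4, "indicators": {"threat": 1.0, "vulnerability": 0.9, "availability": 0.8}},
    {"name": "lan-server",  "importance": 5, "indicators": {"threat": 1.0, "vulnerability": 0.8, "availability": 1.0}},
    {"name": "workstation", "importance": 1, "indicators": {"threat": 0.1, "vulnerability": 0.3, "availability": 0.0}},
]
```

With these inputs network_situation(DEVICES, ahp_weights(PAIRWISE)) gives a score of about 0.87, which maps to "dangerous" while the lightly affected workstation alone rates "excellent".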