Research on an Improved HMM Method for Network Security Risk Assessment (title translated from the Chinese)
Research on the Improvement of HMM Method in Risk Assessment to Network Security
【Author】 Dong Jing;
【Supervisor】 Li Zhitang;
【Author information】 Huazhong University of Science and Technology, Computer System Architecture, 2008, Master's
【Abstract (translated from the Chinese)】 With the wide application of computer network technology, the importance of network security has become increasingly prominent, and it has become an important component of national security. Accurately assessing network risk is the key to improving network security. Traditional network security risk assessment methods can only perform static risk assessment and cannot reflect real-time threat and risk conditions. This thesis studies and implements a network security risk assessment method based on the Hidden Markov Model (HMM). The method takes intrusion detection system (IDS) alerts as input, quantifies the network risk value in real time, and effectively assesses the threats the network is exposed to, which gives it a great advantage over traditional static assessment methods. Two problems of this method are solved: the scale of the observation matrix is hard to control, and the values of the model parameters are hard to determine. For the first problem, alerts (observation events) are classified by assessing their threat degree so as to control the scale of the observation matrix. In the threat assessment, alerts are combined with host vulnerabilities, network assets and network environment information, and the threat degree of an attack is evaluated from four factors: attack severity, criticality of the target asset, administrator-perspective factors, and probability of attack success; the alerts are then divided into ten classes by threat level. For the second problem, a genetic algorithm is used to solve automatically for the parameter matrices of the HMM: the matrices are represented in binary encoding, risk description rules are defined as the optimization objective, and automatic parameter generation replaces manual setting, improving the accuracy of the parameter settings. The method was implemented on the JAVA platform and tested with honeynet data and Darpa 2000 data. Experiments show that the proposed method solves the two problems of HMM-based risk assessment well, and that the system effectively reflects the real-time network security risk situation.
【Abstract】 With the extensive application of computer network technology, network security has become increasingly important and is now an important part of national security. The key to improving network security is how to accurately assess the risk of a network. Traditional methods of network security risk assessment can only perform static risk assessment and cannot reflect the real-time threat and risk status. Based on this research, the Hidden Markov Model (HMM) method of network security risk assessment has been implemented. The method takes Intrusion Detection System (IDS) alerts as input, quantifies the network risk in real time, and can effectively assess the threat to the network; compared with the traditional static approach it has great advantages. Two issues in the traditional HMM method of network security risk assessment, the difficulty of controlling the scale of the parameters and the difficulty of determining them, have been solved. For the first, alerts are classified by assessing their threat, in order to control the scale of the observation matrix. In the process of assessing threat, IDS events are combined with vulnerability, network asset and network environment information, and attacks are assessed on four factors: severity, target assets, the administrator's point of view and probability of success, to define the threat of an attack. According to the threat, attacks are divided into ten levels. For the second problem, genetic algorithms are used to solve automatically for the parameters of the HMM matrices: a binary code describes the matrices, and risk description rules are defined as the optimization target. The accuracy of parameter setting has been improved by using auto-generated parameters instead of manual settings. The above method has been implemented on the JAVA platform, and experiments have been performed using Honeynet data and Darpa 2000 data. Experiments show that the proposed method successfully solves the two problems of HMM-based risk assessment methods, and that the system can effectively reflect the real-time network security risk situation.
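As an added illustration of the pipeline the abstract describes (example code, not the thesis's own JAVA implementation), the sketch below folds the four threat factors into one of ten observation classes and then runs a normalised HMM forward filter over an alert stream to obtain a real-time risk value as the expected cost of the filtered security state. The state names, cost values, factor weights and the matrices PI, A and B are all assumptions made here; the thesis learns the matrices with a genetic algorithm.

```python
# Hidden security states (assumed names) and the cost of being in each one.
STATES = ("Normal", "Probed", "Attacked", "Compromised")
COST = (0.0, 25.0, 50.0, 100.0)

# Constructed HMM parameters; the thesis learns A and B with a genetic algorithm.
PI = (0.85, 0.10, 0.04, 0.01)
A = (  # transition probabilities between security states, rows sum to 1
    (0.90, 0.07, 0.02, 0.01),
    (0.20, 0.60, 0.15, 0.05),
    (0.10, 0.20, 0.50, 0.20),
    (0.05, 0.05, 0.10, 0.80),
)
B = (  # P(alert of threat level k | state); level k uses column k-1
    (0.40, 0.25, 0.15, 0.08, 0.05, 0.03, 0.02, 0.01, 0.005, 0.005),
    (0.10, 0.15, 0.25, 0.20, 0.12, 0.08, 0.05, 0.03, 0.01, 0.01),
    (0.02, 0.03, 0.05, 0.10, 0.15, 0.25, 0.20, 0.12, 0.05, 0.03),
    (0.01, 0.01, 0.02, 0.03, 0.05, 0.08, 0.10, 0.20, 0.25, 0.25),
)

def threat_level(severity: float, asset: float, admin: float, p_success: float) -> int:
    """Fold the four factors (each scaled to [0, 1]) into one of ten observation
    classes. The weights are an assumption, not the thesis's own scoring."""
    score = 0.35 * severity + 0.30 * asset + 0.15 * admin + 0.20 * p_success
    return min(10, max(1, int(score * 10) + 1))

def forward_step(gamma: list[float], level: int) -> list[float]:
    """One normalised forward-filter update for an alert of the given level."""
    n, k = len(STATES), level - 1
    alpha = [B[j][k] * sum(gamma[i] * A[i][j] for i in range(n)) for j in range(n)]
    total = sum(alpha)
    return [a / total for a in alpha]

def risk_trajectory(levels: list[int]) -> list[float]:
    """Risk after each alert: expected cost under the filtered state distribution."""
    gamma, risks = list(PI), []
    for level in levels:
        gamma = forward_step(gamma, level)
        risks.append(sum(g * c for g, c in zip(gamma, COST)))
    return risks

if __name__ == "__main__":
    # Constructed alert stream: background noise, an escalating attack, then quiet.
    stream = [1, 2, 1, 6, 8, 9, 10, 1, 1, 1, 1, 1]
    for t, (lvl, r) in enumerate(zip(stream, risk_trajectory(stream))):
        print(f"t={t:2d} level={lvl:2d} risk={r:6.2f}")
```

The risk rises sharply through the high-level alerts and decays again once only low-level alerts arrive, which is the real-time behaviour a static assessment cannot show.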
【Key words】 network security; risk assessment; Hidden Markov Model; threat assessment; genetic algorithms
- 【Online publication contributor】 Huazhong University of Science and Technology 【Online publication issue】 2010, No. 05
- 【Classification number】 TP393.08
- 【Citation count】 14
- 【Download count】 360