基于攻击模式识别的网络安全态势评估方法

通过对已有网络安全态势评估方法的分析与比较,发现其无法准确反映网络攻击行为逐渐呈现出的大规模、协同、多阶段等特点,因此提出了一种基于攻击模式识别的网络安全态势评估方法。首先,对网络中的报警数据进行因果分析,识别出攻击意图与当前的攻击阶段;然后,以攻击阶段为要素进行态势评估;最后,构建攻击阶段状态转移图(STG),结合主机的漏洞与配置信息,实现对网络安全态势的预测。通过网络实例对所提出的网络安全态势评估模型验证表明,随着攻击阶段的不断深入,其网络安全态势值也随之增大,能够更加准确地反映攻击实情;且在态势预测中无需对历史序列进行训练,具有更高的预测效率。

Network security situation evaluation method based on attack pattern recognition

By analyzing and comparing the existing network security situation evaluation methods, it is found that they can not accurately reflect the features of large-scale, coordination, multi-stage gradually shown by network attack behaviors. Therefore, a network security situation evaluation method based on attack pattern recognition was proposed. Firstly, the causal analysis of alarm data in the network was made, and the attack intention and the current attack phase were recognized. Secondly, the situation evaluation based on the attack phase was realized. Lastly the State Transition Diagram (STG) of attack phase was created to realize the forecast of network security situation by combining with vulnerability and configuration information of host. A simulation experiment for the proposed network security situation evaluation model was performed by network examples. With the deepening of the attack phase, the value of network security situation would increase. The experimental results show that the proposed method is more accurate in reflecting the truth of attack, and the method does not need training on the historical sequence, so the method is more effective in situation forecasting.