Research on a Security Event Correlation Rule Generation Method Based on One-Class SVM and GP
Cite this article: 杜栋栋, 任星彰, 陈坤, 叶蔚, 赵文, 张世琨. Research on a Security Event Correlation Rule Generation Method Based on One-Class SVM and GP [J]. 电子学报 (Acta Electronica Sinica), 2018, 46(8): 1793-1803.
Authors: 杜栋栋  任星彰  陈坤  叶蔚  赵文  张世琨
Affiliations: 1. School of Electronics Engineering and Computer Science, Peking University, Beijing 100871; 2. School of Software and Microelectronics, Peking University, Beijing 100871; 3. National Engineering Research Center for Software Engineering, Peking University, Beijing 100871
Abstract: With the rapid development of information technology, the harm caused by network security threats is becoming increasingly serious. Security Information and Event Management (SIEM) plays an important role in finding insider threats, suspicious behaviour and other advanced persistent threats (APT) within an organization. The detection capability of a SIEM depends mainly on accurate and reliable correlation rules. However, traditional rule generation relies mainly on experts writing detection rules by hand, which is costly and inefficient. This paper presents an adaptive rule generation framework that generates correlation rules automatically. First, to better identify unknown attacks, a security event classification algorithm based on the One-Class Support Vector Machine (One-Class SVM) is proposed to classify security events effectively; in experiments its classification accuracy reaches 97%. Second, to improve rule generation accuracy, the Genetic Programming (GP) based rule generation algorithm is optimized by redefining the individual structure and the crossover and mutation operations; the resulting rule fitness reaches 94%. Experimental results show that the proposed framework has the adaptive ability to identify unknown attacks, achieves high detection accuracy, and effectively reduces manual involvement. The framework has also been deployed in a real production environment, where it detects more attack types than the original system.

Keywords: security events  correlation rule generation  log management  security information and event management (SIEM)  one-class support vector machine  genetic programming
Received: 2017-06-27

A Security Event Correlation Rule Generation Method Research Based on One-Class SVM and Genetic Programming
DU Dong-dong, REN Xing-zhang, CHEN Kun, YE Wei, ZHAO Wen, ZHANG Shi-kun. A Security Event Correlation Rule Generation Method Research Based on One-Class SVM and Genetic Programming [J]. Acta Electronica Sinica, 2018, 46(8): 1793-1803.
Authors:DU Dong-dong  REN Xing-zhang  CHEN Kun  YE Wei  ZHAO Wen  ZHANG Shi-kun
Affiliation:1. School of Electronics Engineering and Computer Science, Peking University, Beijing 100871, China; 2. School of Software and Microelectronics, Peking University, Beijing 100871, China; 3. National Engineering Research Center for Software Engineering, Peking University, Beijing 100871, China
Abstract: With the rapid development of information technology, enterprises and organizations are suffering different kinds of cyber security threats. Security Information and Event Management (SIEM) plays an essential role in finding insider threats, suspicious behaviors and other advanced attacks, based on its correlation capability. SIEM detection capability relies on accurate and reliable correlation rules; however, the traditional way of generating rules depends on human expert knowledge, which is costly, time consuming and inefficient. In this paper, we propose an adaptive rule generation framework to generate correlation rules automatically. First, in order to identify unknown attacks better, we propose a security event classification algorithm based on the One-Class Support Vector Machine (One-Class SVM) to classify security events effectively; results show that the classification rate reaches as high as 97%. Second, to improve the rule generation accuracy rate, we propose and optimize a Genetic Programming (GP) rule generation algorithm by redefining the individual structure and the crossover and mutation operations; results show that the best individual fitness reaches as high as 94%. Experiments show that our approach has the ability of self-adaption to identify unknown attacks and a competitive threat detection accuracy rate, while reducing human labor engagement. We also implemented our approach in a real production system, where more attack types could be detected compared with the existing system.
Keywords: security events  correlation rule generation  log management  security information and event management (SIEM)  one-class support vector machine  genetic programming