计算机工程与应用 ›› 2019, Vol. 55 ›› Issue (16): 70-76.DOI: 10.3778/j.issn.1002-8331.1902-0003

• 网络、通信与安全 • 上一篇    下一篇

基于事件流数据世系的恶意网络行为检测方法

孙璇,高昕   

  1. 1.北京信息科技大学 信息管理学院,北京 100192
    2.国家计算机网络应急技术处理协调中心,北京 100029
  • 出版日期:2019-08-15 发布日期:2019-08-13

Malicious Network Behavior Detection Method Based on Event Stream Data Provenance

SUN Xuan, GAO Xin   

  1. 1.School of Information Management, Beijing Information Science & Technology University, Beijing 100192, China
    2.The National Computer Network Emergency Response Technical Team Coordination Center of China, Beijing 100029, China
  • Online:2019-08-15 Published:2019-08-13

摘要: 目前网络攻击呈现高隐蔽性、长期持续性等特点,极大限制了恶意网络行为检测对网络攻击识别、分析与防御的支撑。针对该问题,提出了一种基于事件流数据世系的恶意网络行为检测方法,采用事件流刻画系统与用户及其他系统间的网络交互行为,构建数据驱动的事件流数据世系模型,建立面向事件流数据世系相关性的异常检测算法,从交互数据流角度分析和检测恶意网络行为事件,并基于事件流数据世系追溯恶意网络行为组合,为网络攻击分析提供聚焦的关联性威胁信息。最后通过模拟中间人和跨站脚本组合式网络渗透攻击实验验证了方法的有效性。

关键词: 恶意网络行为, 事件流, 数据世系

Abstract: Because of the high concealment and long-term persistence of network attacks, these greatly limit the support of malicious network behavior detection for network attack identification, analysis and defense. To solve this problem, this paper proposes a method of malicious network behavior detection and traceability based on event stream data provenance. This paper uses event stream to characterize the network interaction between system and users or other systems, constructs data-driven event stream data provenance model, and establishes an anomaly detection algorithm oriented to the relativity of event stream data provenance from the perspective of interaction data flow. Then, this paper detects malicious network behavior events and traces malicious network behavior combination based on event stream data provenance, which can provide focused relational threat information for network attack analysis. Finally, the effectiveness of the method is verified by simulating the penetration attack of the combination of middleman and XSS.

Key words: malicious network behavior, event stream, data provenance