Computer Engineering and Applications ›› 2010, Vol. 46 ›› Issue (28): 109-113.DOI: 10.3778/j.issn.1002-8331.2010.28.031

• 网络、通信、安全 • Previous Articles     Next Articles

Design and implementation of attacker-oriented intrusion alert analysis system

PENG Xue-na1,2,ZHU Hong-kai1,WEN Ying-you1,2,ZHAO Hong1,2   

  1. 1.Education Ministry Engineering Research Center of Safety and Security of Complex Network System,Northeastern University,Shenyang 110004,China
    2.Neusoft Research,Neusoft Co. Ltd,Shenyang 110179,China
  • Received:2009-04-20 Revised:2009-08-31 Online:2010-10-01 Published:2010-10-01
  • Contact: PENG Xue-na

面向攻击者的入侵告警分析系统设计与实现

彭雪娜1,2,祝洪凯1,闻英友1,2,赵 宏1,2   

  1. 1.东北大学 复杂网络系统安全保障技术教育部工程研究中心,沈阳 110004
    2.东软集团股份有限公司 东软研究院,沈阳 110179
  • 通讯作者: 彭雪娜

Abstract: Cyber attack behavior analysis techniques can be roughly classified as network-oriented analysis and attacker-oriented analysis.Compared with traditional network-oriented attack behavior analysis,attacker-oriented attack behavior analysis takes account of the relationship among attackers,so that it can present more accurate and more reliable performance.Based on the attack behavior analysis techniques that the authors have presented before,the design and implementation of an attacker-oriented intrusion alert analysis prototype system CABAS is presented.The system is evaluated under Darpa2000 intrusion detection evaluation datasets,the experimental results show that this approach has potential in analyzing complex cooperative attacks and improving the effectiveness and efficiency of security management.

Key words: network security, intrusion detection, alert correlation, Security Operation Center(SOC)

摘要: 现有攻击行为分析技术大致可以分为“面向网络”和“面向攻击者”两类。与传统的“面向网络”的分析方法相比,“面向攻击者”的分析方法更多地考虑了主体相关性等因素,因此分析结果更为准确、可靠。基于以往在攻击行为分析技术领域的相关研究成果,设计并实现了一种面向攻击者的入侵告警分析原型系统CABAS。基于Darpa2000数据集的离线测试结果表明,该系统能够实现对多方合作的复杂攻击进行准确分析,大大提高安全管理工作的有效性。

关键词: 网络安全, 入侵检测, 告警关联, 安全运营中心(SOC)

CLC Number: