
Intrusion Alert Correlation Based On Ontology

Posted on: 2011-08-28
Degree: Doctor
Type: Dissertation
Country: China
Candidate: W Li
Full Text: PDF
GTID: 1118360305957787
Subject: Computer application technology
Abstract/Summary:
Computer networks have become a critical infrastructure for governments, companies, institutions, and billions of users. However, the number of computer security incidents each year is increasing significantly. Meanwhile, new network applications are growing with the increase in network bandwidth, creating a complex and highly dynamic network of systems. Facing this challenge, static network security techniques such as firewalls can no longer meet the requirements of current network security. A development trend in network security is to apply dynamic network security techniques comprehensively, including vulnerability scanning, intrusion detection, and post intrusion detection techniques such as alert fusion, alert correlation, real-time risk assessment and intrusion response.

Currently, intrusion detection systems have high false positive, false negative and repetition rates; their alerts carry only low-level information; and their ability to link with other devices for intrusion response is weak. Post intrusion detection techniques to some extent overcome these difficulties. Fusing the original alerts generated by security devices such as intrusion detection systems can, on the one hand, enhance communication and collaboration between security devices to reduce the false negative rate and, on the other hand, effectively filter out repetitious alerts. Alert correlation can reveal the relationships between security incidents, reconstruct attack processes, help estimate attack modes and intrusion trends, and support real-time risk assessment and response decisions. In addition, false positive alerts are often not correlated with the true attack process, so alert correlation can reduce the impact of false positives. Alert fusion and correlation play key roles in the whole process of dynamic defense. The relations between alerts can be described as two kinds of relations: repetition and causality. Alert fusion mainly deals with repetition, which is relatively clear and easy to judge. Alert correlation mainly deals with causality, which is more subtle and difficult to judge. Alert correlation is the core and the main difficulty of post intrusion detection techniques. It involves problems such as knowledge representation and automated reasoning, and ontology supplies a technique to resolve these problems.

In this dissertation, post intrusion detection techniques with alert correlation as the core are investigated, and the following results are obtained:

(1) An extended Semantic Web rule language, XSWRL, is proposed, and a prototype reasoner is implemented. The characteristics of alert correlation knowledge make it suitable for representation with an ontology. However, the existing standard Semantic Web ontology languages, OWL and SWRL, cannot represent some alert correlation knowledge. Therefore, based on SWRL, an extended Semantic Web rule language, XSWRL, is proposed. XSWRL introduces existentially quantified variables in rules to enhance expressiveness, and it extends SWRL in a syntactically and semantically coherent manner. A prototype XSWRL reasoner is implemented with a hybrid approach.

(2) A hierarchical compound alert correlation knowledge model is presented and realized based on XSWRL. The model combines the prerequisite and consequence security states of attacks with predefined attack scenarios, and introduces a hierarchy to view security information at different levels. The model combines the advantages of these alert correlation methods and is more comprehensive. How to represent the knowledge model using the XSWRL ontology is illustrated, a knowledge base prototype is established, and alert correlation is implemented. Alert correlation reconstructs the attack processes and changes the basis of risk assessment and response from isolated alerts to attack processes.

(3) Methods for obtaining and preprocessing the network security information used by alert correlation are suggested. In order to conveniently convert the wide variety of original security state information formats into the ontology form used for alert correlation, a relational database schema is designed as an intermediate model, and the conversion method is given. By preprocessing the original alerts, the alert message format is unified, redundant alerts are eliminated, and alerts from different sources are fused. Finally, the attack information is converted into the ontology form for alert correlation.

(4) A hierarchical real-time risk assessment approach based on risk propagation is presented, and automatic response based on the results of risk assessment is suggested. The risk assessment approach combines the severity, certainty and success probability of attacks, as well as the importance of assets and other factors. It assesses in real time the risk status of service-, host- and network-level assets caused by attack processes. The risk status is an important basis for response. The response planning, response timing and response measure decision-making methods are improved, so that every asset can adopt its own specific response goal and response decisions are more reasonable.

Based on the above, the second-generation version of the intrusion detection alert management and intrusion response system, IDAM&IRS 2, is developed. The system can dynamically provide defense in depth within a subnet.
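The prerequisite/consequence correlation of result (2), which links an alert to an earlier alert whose consequences satisfy its prerequisites on the same target and so separates reconstructed attack processes from isolated alerts, as an added Python example that is not part of the dissertation or its IDAM&IRS 2 system. The attack types, predicate names, hosts, timestamps and window are constructed, and a plain dictionary stands in for the XSWRL knowledge base.

```python
from dataclasses import dataclass

# Constructed attack-type knowledge: prerequisite ("pre") and consequence ("con")
# security-state predicates. Hypothetical names standing in for an XSWRL knowledge base.
ATTACK_KNOWLEDGE = {
    "PortScan":       {"pre": set(),             "con": {"KnowsService"}},
    "BufferOverflow": {"pre": {"KnowsService"},  "con": {"ShellOnHost"}},
    "InstallRootkit": {"pre": {"ShellOnHost"},   "con": {"RootOnHost"}},
    "DDoSAgent":      {"pre": {"RootOnHost"},    "con": {"DDoSReady"}},
}

@dataclass
class Alert:
    id: int
    kind: str     # attack type, key into ATTACK_KNOWLEDGE
    target: str   # victim host
    ts: int       # seconds since an arbitrary epoch (constructed)

def correlate(alerts, window=600):
    """Map each alert id to the id of its causal predecessor, or None.
    B is linked to the most recent earlier alert A on the same target, within
    `window` seconds, whose consequences cover all of B's prerequisites."""
    ordered = sorted(alerts, key=lambda a: a.ts)
    preds = {}
    for i, b in enumerate(ordered):
        need = ATTACK_KNOWLEDGE[b.kind]["pre"]
        preds[b.id] = None
        for a in reversed(ordered[:i]):
            if not need:
                break
            if a.target != b.target or b.ts - a.ts > window:
                continue
            if need <= ATTACK_KNOWLEDGE[a.kind]["con"]:
                preds[b.id] = a.id
                break
    return preds

def attack_processes(alerts, window=600):
    """Group correlated alerts into attack processes (chains of length > 1).
    Alerts with neither predecessor nor successor are returned as isolated:
    candidates for false positives or for attacks whose earlier steps were missed."""
    preds = correlate(alerts, window)
    children = {}
    for child, parent in preds.items():
        if parent is not None:
            children.setdefault(parent, []).append(child)
    processes, isolated = [], []
    for root in sorted(alerts, key=lambda a: a.ts):
        if preds[root.id] is not None:
            continue                      # not a chain root
        members, stack = [], [root.id]
        while stack:                      # collect every descendant of the root
            cur = stack.pop()
            members.append(cur)
            stack.extend(children.get(cur, []))
        (processes if len(members) > 1 else isolated).append(sorted(members))
    return processes, isolated

# Constructed sample: one scan -> overflow -> rootkit chain, one overflow with no
# preceding scan, and a DDoS agent alert far outside the correlation window.
SAMPLE_ALERTS = [
    Alert(1, "PortScan",       "10.0.0.5", 0),
    Alert(2, "BufferOverflow", "10.0.0.5", 120),
    Alert(3, "InstallRootkit", "10.0.0.5", 300),
    Alert(4, "BufferOverflow", "10.0.0.9", 310),
    Alert(5, "DDoSAgent",      "10.0.0.5", 5000),
]

if __name__ == "__main__":
    print(attack_processes(SAMPLE_ALERTS))   # ([[1, 2, 3]], [[4], [5]])
```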
Keywords/Search Tags: Ontology, Rule, Network Security, Intrusion Detection, Alert Correlation, Alert Fusion, Risk Assessment, Intrusion Response