
Research Of The Key Techniques In Comprehensive Information Security Management System For Wireless Mobile Environment

Posted on: 2010-09-12
Degree: Doctor
Type: Dissertation
Country: China
Candidate: W Long
Full Text: PDF
GTID: 1118360308461789
Subject: Signal and Information Processing
Abstract/Summary:
Today, mobile network security problems are constantly emerging. Even after deploying firewalls, anti-virus, IDS and much other security equipment, operators are still unable to carry out security precautions effectively. The crux of the problem lies in the lack of a unified network security management platform. A SOC-based comprehensive information security management system is an effective way to solve it: it builds the core support system of information security management, which achieves centralized management of security events, user behavior and security risks for wireless mobile networks. In this paper, key technologies involved in the various stages of a comprehensive information security management system are studied in depth. The main contributions of this paper are as follows:

(1) In accordance with the objectives and work processes of a SOC-based comprehensive information security management system, we design the overall technical program of a comprehensive information security management system for the wireless mobile environment, which achieves whole-network security risk management. The Security Event Collection Server collects the various wireless mobile network security logs generated by objects such as routers, firewalls, GTP firewalls, IDS, VoIP IDS, DPI, MSC, HLR, GGSN, CDR databases and so on. The Security Management Kernel Server processes all security log information from the Security Event Collection Server and associates it with wireless mobile network users for user behavior analysis, in order to discover security-related events. The Security Strategy Server queries the knowledge base and automatically responds with a security policy, which is then processed by administrators or the work order system.
With network management center functions, the comprehensive information security management system can centrally configure device management and security policy definitions for the whole network, completing security configuration deployment and real-time updates.

(2) Identifying application traffic through application-level signatures is an efficient approach, but the performance of a protocol detection system depends heavily on the accuracy and abundance of its signatures. Unfortunately, deriving signatures automatically is very time consuming and difficult. We present the notion of a sequence itemset, such that our algorithm applies when an itemset is a permutation of items or a transaction is a set of itemsets. We provide a recursive method to obtain signatures of different lengths in turn. We then utilize an offset attribute set to restrict and remove ineffective itemsets, which effectively controls the scale of the signature set. According to a selection principle, we can find the optimal constrained frequent sequence itemsets to serve as signatures. The results show that the signatures extracted by our algorithm are reasonable and effective.

(3) Since matching special characters with regular expressions is inefficient, we propose two more efficient approaches: the ISA algorithm with prefix searching, and the IBNDM algorithm, which combines factor searching with prefix searching. Both algorithms are based on the bit-parallelism technique, with parameters encoded in machine words. By taking advantage of the intrinsic parallelism of bit operations inside a machine word, we can pack many values into a single word and update them all in a single operation, simulating the state transitions of a Nondeterministic Finite Automaton (NFA) with bit operations; the NFA construction reflects the influence of the various special characters.
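The two contributions above, signature extraction from sample flows and bit-parallel matching of patterns that contain special characters, fit together as one pipeline. The following is an added Python example written for this page, not code from the dissertation: the mining step grows frequent byte sequences at a fixed offset recursively, drops sequences that are merely tails of an earlier-starting one (the offset constraint), and keeps the longest survivors; the matching step is a standard Shift-And simulation of the pattern NFA in one machine-word-sized integer, extended with `.` (any byte) and `[..]` classes as the special characters. The sample flows, the toy protocol, the pattern syntax and the subsumption rule are all my assumptions; the dissertation's ISA and IBNDM algorithms and its selection principle are not on the page in enough detail to reproduce.

```python
from collections import defaultdict

# Constructed sample flows (first bytes of each payload), not real captures.
SAMPLE_FLOWS = [
    b"HELLO v2 user=alice\r\n",
    b"HELLO v2 user=bob\r\n",
    b"HELLO v2 user=carol\r\n",
    b"HELLO v2 user=dave\r\n",
    b"GET / HTTP/1.1\r\n",   # unrelated traffic that must not contribute a signature
]


def _extensions(payloads, off, seq, min_support):
    """Support-count every one-byte extension of `seq` at the fixed offset `off`."""
    end = off + len(seq)
    counts = defaultdict(int)
    for p in payloads:
        if len(p) > end and p[off:end] == seq:
            counts[p[end]] += 1
    return {seq + bytes([b]): c for b, c in counts.items() if c >= min_support}


def _grow(payloads, off, seq, support, min_support, max_len, out):
    """Recursively extend a frequent sequence; emit it once it cannot grow further."""
    exts = _extensions(payloads, off, seq, min_support) if len(seq) < max_len else {}
    if not exts:
        out.append((off, seq, support))
        return
    for longer, c in exts.items():
        _grow(payloads, off, longer, c, min_support, max_len, out)


def mine_signatures(payloads, min_support, max_offset=32, max_len=32):
    """Return maximal (offset, bytes, support) sequences, longest and best-supported first."""
    counts = defaultdict(int)
    for p in payloads:
        for off, b in enumerate(p[:max_offset]):
            counts[(off, bytes([b]))] += 1
    candidates = []
    for (off, seq), c in counts.items():
        if c >= min_support:
            _grow(payloads, off, seq, c, min_support, max_len, candidates)

    # Offset constraint (assumed rule): a sequence that is only a tail of another
    # sequence starting earlier with at least the same support is ineffective.
    def subsumed(cand):
        off, seq, sup = cand
        for o2, s2, sup2 in candidates:
            if (o2, s2) != (off, seq) and o2 <= off and sup2 >= sup \
                    and s2[off - o2: off - o2 + len(seq)] == seq:
                return True
        return False

    kept = [cand for cand in candidates if not subsumed(cand)]
    return sorted(kept, key=lambda cand: (-len(cand[1]), -cand[2], cand[0]))


def parse_pattern(pattern):
    """Turn 'HELLO v[12] user=.' into per-position allowed-byte sets (None = any byte)."""
    positions, i = [], 0
    while i < len(pattern):
        ch = pattern[i]
        if ch == ".":
            positions.append(None)
            i += 1
        elif ch == "[":
            j = pattern.index("]", i)
            positions.append({ord(c) for c in pattern[i + 1:j]})
            i = j + 1
        else:
            positions.append({ord(ch)})
            i += 1
    return positions


def shift_and_search(positions, data, word_bits=64):
    """Bit-parallel Shift-And: bit k of `state` is set iff pattern[0..k] matches ending here."""
    m = len(positions)
    if m > word_bits:
        raise ValueError("pattern longer than the machine word; split it first")
    masks = [0] * 256                      # masks[c] = positions that accept byte c
    for idx, allowed in enumerate(positions):
        for c in (range(256) if allowed is None else allowed):
            masks[c] |= 1 << idx
    accept, state, hits = 1 << (m - 1), 0, []
    for i, c in enumerate(data):
        state = ((state << 1) | 1) & masks[c]   # one word update advances all NFA states
        if state & accept:
            hits.append(i - m + 1)
    return hits


def classify(payload, signatures):
    """Report which mined signatures occur in `payload` at their learned offset."""
    found = []
    for off, seq, _ in signatures:
        if off in shift_and_search([{b} for b in seq], payload):
            found.append(seq)
    return found


if __name__ == "__main__":
    sigs = mine_signatures(SAMPLE_FLOWS, min_support=3)
    print(sigs)
    print(classify(b"HELLO v2 user=eve\r\n", sigs))
```

With `min_support=3` the five constructed flows yield a single signature, `HELLO v2 user=` at offset 0 with support 4: the thirteen tails starting at offsets 1 to 13 are pruned by the offset rule, and the HTTP flow never reaches the threshold. The matcher's state word never holds more than `m` bits because every shift is immediately masked, which is exactly why the word-size limit W applies.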
Experimental results show that, provided the pattern string is no longer than the number of bits in the machine word W (in current architectures W is 32 or 64), both algorithms perform better than regular expression matching.

(4) This paper describes the implementations of the Security Event Collection Agents and the Security Event Collection Server. The Security Event Collection Server can receive and parse logs from various types of equipment in real time, without re-compiling the log parsing code or restarting the system. First, it creates the appropriate log parsers by dynamically loading the device log parsing configuration files. Secondly, according to the type of log, it looks up the appropriate log parser. If the corresponding log parser is found, it parses the received device log and sends the results to the Security Management Kernel Server. When a new type of equipment is added to the system, the system can immediately receive and parse the new equipment type's logs without compiling parsing code or restarting the system.

(5) Some approaches (e.g. TIAA) have developed a workable solution to correlate intrusion events using the prerequisites of intrusions, constructing attack scenarios by correlating events on the basis of the prerequisites and consequences of attacks. The biggest defect of these approaches lies in the complexity of the consequence relations, so that the correlation graphs may be very large and unreadable. This occurs mainly because these approaches correlate all events on an equal footing and do not consider the influence of different alerts on the same information system. We propose a model to achieve alert correlation that incorporates information about vulnerabilities. We use a hyper-alert type to encode our knowledge about each type of attack.
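The log-parsing design of contribution (4), configuration-driven parsers selected by device type and reloadable while the collector keeps running, can be shown in a few dozen lines. The Python below is an added example for this page, not the dissertation's Security Event Collection Server: the JSON layout of the parsing configuration (device type to a regex with named groups plus a fixed severity), the normalized event fields, the device names and every sample log line are constructed assumptions, since the page does not show the real configuration format. The second configuration revision adds a GGSN parser to demonstrate that a new equipment type becomes parseable after a reload with no code change.

```python
import json
import re

# Constructed parser configuration; the real file format is not on the page.
PARSER_CONFIG_V1 = json.dumps({
    "firewall": {
        "pattern": r"^(?P<ts>\S+) fw: (?P<action>DENY|ALLOW) (?P<src_ip>[\d.]+) -> (?P<dst_ip>[\d.]+):(?P<dst_port>\d+)$",
        "severity": "medium",
    },
    "ids": {
        "pattern": r"^(?P<ts>\S+) ids: \[(?P<sig_id>\d+)\] (?P<msg>.+) src=(?P<src_ip>[\d.]+) dst=(?P<dst_ip>[\d.]+)$",
        "severity": "high",
    },
})

# Second revision adds a GGSN parser; loading it must not require a restart.
PARSER_CONFIG_V2 = json.dumps({
    **json.loads(PARSER_CONFIG_V1),
    "ggsn": {
        "pattern": r"^(?P<ts>\S+) ggsn: pdp (?P<event>create|delete) imsi=(?P<imsi>\d+) ms=(?P<src_ip>[\d.]+)$",
        "severity": "info",
    },
})

# Constructed log lines (device_type, raw line); addresses and IMSI are made up.
SAMPLE_RECORDS = [
    ("firewall", "2010-09-12T10:00:01 fw: DENY 198.51.100.7 -> 10.0.0.5:25"),
    ("ids", "2010-09-12T10:00:02 ids: [1001] SMTP protocol anomaly src=198.51.100.7 dst=10.0.0.5"),
    ("ggsn", "2010-09-12T10:00:03 ggsn: pdp create imsi=460001234567890 ms=10.20.0.9"),
    ("firewall", "this line does not match the firewall grammar"),
]


class LogParserRegistry:
    """Parsers keyed by device type, rebuilt from configuration text at run time."""

    def __init__(self):
        self._parsers = {}

    def load(self, config_text):
        """Compile every parser from the configuration, then swap the table in atomically."""
        cfg = json.loads(config_text)
        parsers = {}
        for device_type, spec in cfg.items():
            parsers[device_type] = (re.compile(spec["pattern"]), spec.get("severity", "info"))
        self._parsers = parsers      # single attribute assignment: no half-loaded table is visible
        return sorted(parsers)

    def parse(self, device_type, line):
        """Return a normalized event dict, or None when there is no parser or no match."""
        entry = self._parsers.get(device_type)
        if entry is None:
            return None
        regex, severity = entry
        match = regex.match(line)
        if match is None:
            return None
        event = {"device_type": device_type, "severity": severity, "raw": line}
        event.update(match.groupdict())   # named groups become the normalized fields
        return event


def parse_batch(registry, records):
    """Parse (device_type, line) pairs; unparsed lines are kept, never dropped silently."""
    events, unparsed = [], []
    for device_type, line in records:
        event = registry.parse(device_type, line)
        if event is None:
            unparsed.append((device_type, line))
        else:
            events.append(event)
    return events, unparsed


if __name__ == "__main__":
    registry = LogParserRegistry()
    registry.load(PARSER_CONFIG_V1)
    print(parse_batch(registry, SAMPLE_RECORDS))   # ggsn line is still unparsed here
    registry.load(PARSER_CONFIG_V2)
    print(parse_batch(registry, SAMPLE_RECORDS))   # ggsn line now parses
```

Two details matter operationally: the table swap is a single assignment, so a parse running during a reload sees either the old or the new table but never a partial one, and lines that no parser accepts are returned rather than discarded, because a silently dropped log from a misconfigured device is itself a gap in the security record.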
Our approach differs from TIAA in the definition of the hyper-alert type and the correlation measure. In the analysis of event logs generated by security devices, our approach can optimize the correlation graphs constructed on the basis of the prerequisites and consequences of attacks through a more substantial compression of the size of the correlation graphs, which improves their readability and usability.
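To make contribution (5) concrete, the Python below is an added example for this page, not the dissertation's model: it encodes hyper-alert types as prerequisite and consequence predicate templates, instantiates them from each alert's fields, and draws an edge from alert a to alert b whenever a consequence of a matches a prerequisite of b and a precedes b, which is the prerequisite/consequence correlation the text attributes to TIAA. The vulnerability-aware refinement shown is my assumption about one way such information can shrink the graph: a hyper-alert type flagged `needs_vulnerability` only has its consequences take effect when the asset inventory lists the target as vulnerable, so alerts against non-vulnerable hosts stop generating downstream edges. Duplicate alerts are merged first. The hyper-alert types, predicate names, asset inventory and alerts are all constructed; the dissertation's actual correlation measure is not on the page.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class HyperAlertType:
    name: str
    prerequisites: tuple          # predicate templates over the alert's fields
    consequences: tuple
    needs_vulnerability: bool = False   # consequence holds only if target is vulnerable


@dataclass(frozen=True)
class Alert:
    id: int
    kind: str
    src: str
    dst: str
    ts: int
    service: str = ""


# Constructed hyper-alert types (generic IDS categories, not the dissertation's set).
HYPER_ALERT_TYPES = {
    "service_probe": HyperAlertType(
        "service_probe", (), ("service_known({dst},{service})",)),
    "service_exploit_attempt": HyperAlertType(
        "service_exploit_attempt", ("service_known({dst},{service})",),
        ("host_compromised({dst})",), needs_vulnerability=True),
    "suspicious_outbound": HyperAlertType(
        "suspicious_outbound", ("host_compromised({src})",), ()),
}

# Constructed asset inventory: (host, service) pairs known to be vulnerable.
VULNERABLE = {("10.0.0.5", "smtp")}

# Constructed alert stream; ids 1 and 7 are duplicates of the same probe.
ALERTS = [
    Alert(1, "service_probe", "198.51.100.7", "10.0.0.5", 1, "smtp"),
    Alert(7, "service_probe", "198.51.100.7", "10.0.0.5", 1, "smtp"),
    Alert(2, "service_probe", "198.51.100.7", "10.0.0.6", 2, "smtp"),
    Alert(3, "service_exploit_attempt", "198.51.100.7", "10.0.0.5", 3, "smtp"),
    Alert(4, "service_exploit_attempt", "198.51.100.7", "10.0.0.6", 4, "smtp"),
    Alert(5, "suspicious_outbound", "10.0.0.5", "203.0.113.9", 5),
    Alert(6, "suspicious_outbound", "10.0.0.6", "203.0.113.9", 6),
]


def instantiate(template, alert):
    """Fill a predicate template with the alert's own fields."""
    return template.format(src=alert.src, dst=alert.dst, service=alert.service)


def aggregate(alerts):
    """Merge alerts with identical (kind, src, dst, service), keeping the earliest."""
    earliest = {}
    for a in alerts:
        key = (a.kind, a.src, a.dst, a.service)
        if key not in earliest or (a.ts, a.id) < (earliest[key].ts, earliest[key].id):
            earliest[key] = a
    return sorted(earliest.values(), key=lambda a: (a.ts, a.id))


def consequences_of(alert, vulnerable):
    """Effective consequences; with vulnerability info, unsupported attacks yield none."""
    t = HYPER_ALERT_TYPES[alert.kind]
    if vulnerable is not None and t.needs_vulnerability \
            and (alert.dst, alert.service) not in vulnerable:
        return set()
    return {instantiate(c, alert) for c in t.consequences}


def correlate(alerts, vulnerable=None):
    """Return sorted (from_id, to_id) edges of the prerequisite/consequence graph.

    vulnerable=None treats every alert on an equal footing (the TIAA-style baseline).
    """
    merged = aggregate(alerts)
    edges = []
    for a in merged:
        cons = consequences_of(a, vulnerable)
        if not cons:
            continue
        for b in merged:
            if b.ts <= a.ts:
                continue
            prereqs = {instantiate(p, b) for p in HYPER_ALERT_TYPES[b.kind].prerequisites}
            if cons & prereqs:
                edges.append((a.id, b.id))
    return sorted(edges)


if __name__ == "__main__":
    print("equal footing:", correlate(ALERTS))
    print("vulnerability-aware:", correlate(ALERTS, VULNERABLE))
```

On the constructed stream the equal-footing graph links both probe-exploit-outbound chains; with the inventory consulted, the chain through 10.0.0.6 loses its exploit-to-outbound edge because that host is not recorded as vulnerable to the targeted service, so the outbound alert stands alone for separate triage instead of inflating the scenario graph.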
Keywords/Search Tags: wireless mobile environment, comprehensive information security management system, signature extraction, special string matching, log normalization, security event correlation