
Decoy Network Security Event Stream Oriented Visual Analytic Technology

Posted on: 2015-12-05
Degree: Master
Type: Thesis
Country: China
Candidate: X B Wang
Full Text: PDF
GTID: 2298330467463199
Subject: Computer Science and Technology

Abstract/Summary:
With the rapid development of network and information technology, human society has entered the information era, and information security is an important subject of this new era. As insider threats become increasingly serious, passive defense products such as firewalls and intrusion detection systems perform poorly at defending against them. Proactive defense systems built from decoy resources have become the main defense measure against insider threats. A decoy network records a large volume of attack logs that are valuable for attack analysis, and collecting and analyzing this information, distributed across each decoy resource, in a timely and effective way has become a problem that urgently needs to be addressed in the field of network security analysis.

In response to this problem, this thesis designs and implements a visual analytic platform that accelerates the analysis of attack logs produced by a decoy network. The main work is as follows:

(1) Taking into account the diversity of decoy network security events, this thesis proposes a uniform description method that divides event attributes into public attributes and extensive attributes. In this way, events of different formats can be described uniformly.

(2) By designing an extensible database, the extensive attributes of events with diverse formats can be stored effectively and uniformly at the database layer. In addition, an access interface for the extensive attributes, combined with a cache mechanism, allows the data to be accessed conveniently and efficiently.

(3) Because honeypots and decoy documents are deployed in a distributed manner, a real-time event collector framework based on a publish/subscribe mechanism is proposed. With this framework, events generated by each honeypot and decoy document can be collected at the analysis center in real time.

(4) A visual analytic platform is designed and implemented, aiming to accelerate and simplify the analysis of the massive attack-event logs generated by the decoy network. The platform offers a real-time monitoring interface for attack occurrences, and its user-friendly operation interface helps analysts carry out thorough analysis in a timely and convenient way. A real attack analysis case is presented, showing that the platform can greatly help analysts understand the attacker's tools and methods and learn their intentions and motivations.
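The uniform description method of item (1) and the publish/subscribe collector of item (3) can be illustrated together; the following is an added example, not the thesis's own code. The field names, the two sensor formats and the sample records are constructed for illustration.

```python
from collections import Counter
from dataclasses import dataclass, field
from typing import Callable, Dict, List

# Constructed mappings: how each sensor type names the shared (public) attributes.
FIELD_MAP = {
    "honeypot": {"time": "ts", "source": "src_ip", "event_type": "action"},
    "decoy_document": {"time": "opened_at", "source": "user", "event_type": "op"},
}

@dataclass
class DecoyEvent:
    public: Dict[str, str]                  # uniform part, queried by every view
    extensive: Dict[str, object] = field(default_factory=dict)  # format-specific part

def normalize(raw: dict, sensor: str) -> DecoyEvent:
    """Map one sensor record onto public + extensive attributes; unmapped fields stay extensive."""
    rest = dict(raw)                        # do not mutate the caller's record
    public = {k: str(rest.pop(v)) for k, v in FIELD_MAP[sensor].items()}
    public["sensor"] = sensor
    return DecoyEvent(public=public, extensive=rest)

class Collector:  # minimal publish/subscribe hub: sensors publish, analysis views subscribe
    def __init__(self) -> None:
        self._subs: List[Callable[[DecoyEvent], None]] = []
    def subscribe(self, fn: Callable[[DecoyEvent], None]) -> None:
        self._subs.append(fn)
    def publish(self, ev: DecoyEvent) -> None:
        for fn in self._subs:
            fn(ev)

def run_demo() -> Dict[str, int]:
    """Feed constructed records through the collector; return events per actor."""
    records = [  # constructed sample events, two sensor types, one repeat actor
        ("honeypot", {"ts": "2015-11-02T10:15:00", "src_ip": "10.0.0.5",
                      "action": "ssh_login", "username": "admin", "success": False}),
        ("decoy_document", {"opened_at": "2015-11-02T10:16:30", "user": "jdoe",
                            "op": "open", "document": "salary_plan.docx", "host": "WS-17"}),
        ("honeypot", {"ts": "2015-11-02T10:17:05", "src_ip": "10.0.0.5",
                      "action": "ssh_login", "username": "root", "success": False}),
    ]
    counts: Counter = Counter()             # per-actor event counts for the analysis view
    hub = Collector()
    hub.subscribe(lambda ev: counts.update([ev.public["source"]]))
    for sensor, raw in records:
        hub.publish(normalize(raw, sensor))
    return dict(counts)

if __name__ == "__main__":
    print(run_demo())
```

Any new sensor type only needs an entry in FIELD_MAP; its remaining fields flow into the extensive attributes untouched, which is what lets one database schema and one set of views serve heterogeneous decoy events.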
Keywords/Search Tags: honeypot, decoy document, decoy information technology, visual analytic, insider threats