
Research And Application Of Network Anomaly Detection Based On SDS Architecture

Posted on: 2019-05-23 | Degree: Master | Type: Thesis
Country: China | Candidate: F Y Cheng | Full Text: PDF
GTID: 2348330545958232 | Subject: Information and Communication Engineering
Abstract/Summary:
In recent years, the rapid development of the Internet has brought tremendous convenience to people, but network security protection, operation and maintenance also face enormous pressure. The traditional network cannot fundamentally solve this problem, but Software-Defined Networking (SDN) can break this bottleneck. The core idea of SDN is separating the control layer from the data layer, and the independent control layer makes centralized management and programmable control possible. Applying the idea of SDN to security yields the concept of Software-Defined Security (SDS). By abstracting security mechanisms from the hardware level to the software level, SDS realizes a flexible security solution. With the centralized management and global view of the SDS architecture, the security knowledge base in SDS stores and manages heterogeneous security threat intelligence information. This centrally stored security threat intelligence information is informative and complementary, and it describes the security situation of the entire network. However, this heterogeneous security threat information is not used effectively, and a great deal of security information has not been mined. This paper aims to use the security threat information stored in the security knowledge base to detect anomalies on the network. We propose an anomaly detection algorithm based on heterogeneous security threat information. With the help of the centralized management and global view of the SDS architecture and the complementarity between heterogeneous security threat intelligence sources, anomaly detection is more accurate and effective. This paper further analyzes the alarm log information stored in the security knowledge base and proposes an anomaly detection algorithm based on sequence pattern mining. The algorithm correlates alarms to form a structured attack scenario that helps administrators discover multi-step attacks.
Keywords/Search Tags:Software-Defined Security, heterogeneous intelligent information, anomaly detection, sequence pattern mining