Research And Implementation Of The Key Technology Of Honeynet Cooperation Defense

Posted on: 2019-02-06
Degree: Master
Type: Thesis
Country: China
Candidate: D H Liu
Full Text: PDF
GTID: 2348330563953973
Subject: Computer application technology
Abstract/Summary:
A honeynet is a security defense system deliberately built as a vulnerable target in order to lure attackers and capture their behavior. The captured data helps security managers with future security maintenance. However, a honeynet contains many security devices, and a large number of alarm logs are generated every day. How to use these alarm logs fully and efficiently is a hot topic in current research. This dissertation therefore studies the key technologies of honeynet cooperation defense, focusing on an attack event fusion algorithm and an attack scenario construction algorithm for the honeynet. The specific research content is as follows:

(1) An attack event fusion algorithm based on the collision coefficient is proposed. A honeynet produces a large number of duplicate and false alarm logs. To analyze the security threats facing the honeynet more accurately, the useless alarm logs must be removed first. The characteristics of the alarm logs themselves are used to clean the data: logs with incomplete or duplicate attributes are excluded, and the log attributes that accurately describe the attack information are then selected. Because the alarm logs that the security devices generate for the same attack are highly similar, a log-attribute similarity membership function is used to aggregate the alarm logs. This greatly reduces the number of false and duplicate alarm logs, and the aggregated logs are all attributed to the same attack. Finally, based on the conflict between different security devices in the honeynet system, the fusion rules of data fusion are improved, and the attack event fusion algorithm based on the collision coefficient is proposed. Experiments verify the efficiency and accuracy of this algorithm in a system of multi-source network security devices.

(2) An attack scenario construction algorithm based on the attack process is proposed. When attack scenarios are constructed from the high-confidence attack events produced by data fusion, changes in attack methods and techniques make it impossible to link the attack events effectively at the logical level, so the resulting attack scenario is broken or contains isolated attack events. To solve this problem, this thesis proposes an attack scenario construction algorithm based on the attack process in the honeynet environment. It matches the attack process model in the knowledge base and integrates the attack event association graph data structure proposed in this thesis, so that it accurately depicts the attacker's intention and method at each step. Experiments verify the efficiency and accuracy of this algorithm for constructing attack scenarios in a honeynet.

(3) Based on the current third-generation honeynet system architecture, a honeynet cooperation defense system is designed and developed. In this system, the honeynet-based attack event fusion algorithm and the attack scenario construction algorithm implement the cooperation defense function. The thesis describes in detail the log access module, log processing module, event fusion module, and scenario building module of the honeynet cooperation defense system, and demonstrates the effectiveness of the two algorithms in practical applications through system testing.
Keywords/Search Tags: honeynet, data fusion, event correlation, scenario construction
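The cleaning and similarity-based aggregation steps described in item (1), as an added example that is not code from the thesis. The attribute names, weights, 60-second window, 0.8 threshold and the prefix-based IP membership function are assumptions, since the abstract gives none of them, and the sample alerts are constructed.

```python
from ipaddress import ip_address

REQUIRED = ("device", "ts", "src_ip", "dst_ip", "dst_port", "sig")
# Assumed weights, time window and threshold; the abstract does not give values.
WEIGHTS = {"src_ip": 0.3, "dst_ip": 0.3, "dst_port": 0.1, "sig": 0.2, "ts": 0.1}
WINDOW_S, THRESHOLD = 60.0, 0.8

def clean(alerts):
    """Drop alerts with incomplete attributes and exact duplicates."""
    seen, kept = set(), []
    for a in alerts:
        key = tuple(a.get(k) for k in REQUIRED)
        if None in key or "" in key or key in seen:
            continue
        seen.add(key)
        kept.append(a)
    return kept

def ip_sim(x, y):
    """Membership in [0, 1]: fraction of leading bits two IPv4 addresses share."""
    diff = int(ip_address(x)) ^ int(ip_address(y))
    return (32 - diff.bit_length()) / 32

def similarity(a, b):
    """Weighted sum of per-attribute membership values, in [0, 1]."""
    m = {k: ip_sim(a[k], b[k]) for k in ("src_ip", "dst_ip")}
    m.update({k: float(a[k] == b[k]) for k in ("dst_port", "sig")})
    m["ts"] = max(0.0, 1 - abs(a["ts"] - b["ts"]) / WINDOW_S)
    return sum(WEIGHTS[k] * v for k, v in m.items())

def aggregate(alerts):
    """Clean, then greedily group alerts whose similarity to a cluster's newest alert passes THRESHOLD."""
    clusters = []
    for a in sorted(clean(alerts), key=lambda r: r["ts"]):
        home = next((c for c in clusters if similarity(c[-1], a) >= THRESHOLD), None)
        if home is None:
            clusters.append([a])
        else:
            home.append(a)
    return clusters

# Constructed sample alerts (documentation address ranges), not data from the thesis.
SAMPLE = [dict(zip(REQUIRED, row)) for row in [
    ("ids", 100.0, "203.0.113.7", "10.0.0.5", 22, "ssh-bruteforce"),
    ("ids", 100.0, "203.0.113.7", "10.0.0.5", 22, "ssh-bruteforce"),  # duplicate
    ("firewall", 101.0, "203.0.113.7", "10.0.0.5", 22, "ssh-bruteforce"),
    ("honeypot", 103.0, "203.0.113.7", "10.0.0.5", 22, "ssh-bruteforce"),
    ("firewall", 104.0, None, "10.0.0.5", 22, "ssh-bruteforce"),  # incomplete
    ("ids", 130.0, "198.51.100.9", "10.0.0.8", 80, "sql-injection"),
]]
```

Calling `aggregate(SAMPLE)` groups the three device reports of the same SSH attempt into one cluster and leaves the unrelated web alert in its own; each cluster is then the input a fusion step would score.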