
Interpretability Research For Cybersecurity Event Feature Exploration

Posted on: 2024-05-14
Degree: Master
Type: Thesis
Country: China
Candidate: Y Zhong
Full Text: PDF
GTID: 2558307073968419
Subject: Software engineering
Abstract/Summary:
With the advent of the "Internet+" era, the widespread use of information technology has had an increasingly profound impact on the economic, military, manufacturing and cultural sectors of society, but the growing volume of heterogeneous security data produced by complex cyber attacks has also made analysts' work harder. Using visualization to turn massive security data into intuitive visual images, and so building a bridge between data and cognitive analysis through which potential risks can be explored, is now an important research topic. Based on security analysis theory and visual analysis principles, and covering a variety of attack types, this thesis summarizes the steps for extracting security events in order to standardize the analysis approach. It helps analysts reconstruct attack paths from two perspectives, the network attack process and feature exploration, understand and trust the output of machine learning models, and discover anomalous checkpoints that may affect decision results. The contributions of this thesis to interpretability research around feature exploration of cybersecurity events are as follows.

(1) SEMMA-based visual exploration of security events. To give analysts macro-level control over the overall analysis process for multiple types of anomalous events, this thesis adopts the classical SEMMA (Sample, Explore, Modify, Model, Assess) analysis paradigm from data mining and divides anomalous event detection into five concrete steps: data pre-processing, feature exploration, anomaly localization, event description and evaluation, realizing paradigm-based analysis of multi-source logs. Combined with the fuzzy C-means algorithm for identifying network assets, a novel visualization component, PBNLD (Protocol-based Node Link Diagram), is designed to construct network communication links and support progressive exploration of anomalous events.

(2) Explainability study of the XGBoost decision process. To address the problem that security practitioners cannot understand the complex decision basis of the XGBoost algorithm and therefore cannot trust its output, this thesis seeks to balance model integrity and interpretability: the FP-Growth algorithm is used to extract association rules between features and to fuse features in order to explore malware behaviour; the "central class" idea is used to analyze the workflow of the XGBoost algorithm; and visual components such as a decision bubble diagram and a feature matrix are designed to present that workflow. Experimental evaluation shows that the design can effectively guide users to understand how data flows through the algorithm and to diagnose and track key decision nodes.

(3) Explanatory visual analysis system based on the SEMMA security analysis model. Based on the above analysis scheme, this thesis designs and implements a SEMMA-based anomalous event interpretation and analysis system (SXVis), which contains two modules: SEMMA-based anomalous event analysis and the interpretable XGBoost algorithm. Using web log data and a malware dataset, the feasibility and effectiveness of the approach are demonstrated through two use cases and two user evaluations.
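The five-step SEMMA-derived pipeline described in contribution (1), run over a web access log of the kind used in the thesis's evaluation, as an added example (not code from the thesis or from SXVis): pre-processing parses and drops malformed lines, feature exploration builds per-client behavioural features, anomaly localization scores them with a robust median/MAD z-score, event description explains each flagged client by the features that drove the decision, and evaluation compares the flagged set against labelled clients. The log lines are constructed, the feature set and the threshold of 3.0 are assumptions, and the robust score stands in for the thesis's own anomaly model.

```python
# SEMMA-style exploration of a web access log.  Added example, not thesis code;
# the log lines are constructed and the z-score threshold (3.0) is an assumption.
import re
from collections import defaultdict
from statistics import median

# Constructed Apache combined-style lines.  10.0.0.9 behaves like a directory
# scanner: many requests, many distinct paths, mostly 404s.  The last line is
# deliberately malformed so that pre-processing has something to drop.
SAMPLE_LOG = """\
10.0.0.2 - - [14/May/2024:10:00:01 +0000] "GET /index.html HTTP/1.1" 200 5120
10.0.0.2 - - [14/May/2024:10:00:05 +0000] "GET /about.html HTTP/1.1" 200 2048
10.0.0.3 - - [14/May/2024:10:00:07 +0000] "GET /index.html HTTP/1.1" 200 5120
10.0.0.3 - - [14/May/2024:10:00:09 +0000] "GET /login HTTP/1.1" 200 1024
10.0.0.3 - - [14/May/2024:10:00:12 +0000] "POST /login HTTP/1.1" 302 0
10.0.0.4 - - [14/May/2024:10:00:15 +0000] "GET /index.html HTTP/1.1" 200 5120
10.0.0.4 - - [14/May/2024:10:00:16 +0000] "GET /img/logo.png HTTP/1.1" 200 8192
10.0.0.4 - - [14/May/2024:10:00:20 +0000] "GET /missing.css HTTP/1.1" 404 312
10.0.0.5 - - [14/May/2024:10:00:21 +0000] "GET /index.html HTTP/1.1" 200 5120
10.0.0.5 - - [14/May/2024:10:00:22 +0000] "GET /about.html HTTP/1.1" 200 2048
10.0.0.9 - - [14/May/2024:10:00:30 +0000] "GET /index.html HTTP/1.1" 200 5120
10.0.0.9 - - [14/May/2024:10:00:30 +0000] "GET /admin HTTP/1.1" 404 312
10.0.0.9 - - [14/May/2024:10:00:31 +0000] "GET /phpmyadmin/ HTTP/1.1" 404 312
10.0.0.9 - - [14/May/2024:10:00:31 +0000] "GET /wp-login.php HTTP/1.1" 404 312
10.0.0.9 - - [14/May/2024:10:00:32 +0000] "GET /.env HTTP/1.1" 404 312
10.0.0.9 - - [14/May/2024:10:00:32 +0000] "GET /.git/config HTTP/1.1" 404 312
10.0.0.9 - - [14/May/2024:10:00:33 +0000] "GET /backup.zip HTTP/1.1" 404 312
10.0.0.9 - - [14/May/2024:10:00:34 +0000] "GET /robots.txt HTTP/1.1" 200 68
this line is not a valid access-log record
"""

LOG_RE = re.compile(
    r'^(?P<client>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) (?P<proto>[^"]+)" '
    r'(?P<status>\d{3}) (?P<size>\d+|-)$')

def preprocess(raw):
    """Step 1, data pre-processing: parse lines into records, dropping malformed ones."""
    records = []
    for line in raw.splitlines():
        m = LOG_RE.match(line)
        if m:
            rec = m.groupdict()
            rec["status"] = int(rec["status"])
            records.append(rec)
    return records

def explore(records):
    """Step 2, feature exploration: per-client behavioural features."""
    by_client = defaultdict(list)
    for r in records:
        by_client[r["client"]].append(r)
    feats = {}
    for client, recs in by_client.items():
        errors = sum(1 for r in recs if r["status"] >= 400)
        feats[client] = {"requests": len(recs),
                         "error_ratio": errors / len(recs),
                         "distinct_paths": len({r["path"] for r in recs})}
    return feats

def robust_z(values):
    """Median/MAD score; falls back to mean absolute deviation when the MAD is
    zero, which happens whenever most clients share the same feature value."""
    med = median(values)
    devs = [abs(v - med) for v in values]
    scale = median(devs) or (sum(devs) / len(devs)) or 1.0
    return [(v - med) / scale for v in values]

def localize(feats, threshold=3.0):
    """Step 3, anomaly localization: score every feature across clients and keep
    the clients that exceed the threshold on at least one feature."""
    clients = list(feats)
    scores = {c: {} for c in clients}
    for name in next(iter(feats.values())):
        for c, z in zip(clients, robust_z([feats[c][name] for c in clients])):
            scores[c][name] = z
    return {c: s for c, s in scores.items() if max(s.values()) >= threshold}

def describe(feats, anomalies, threshold=3.0):
    """Step 4, event description: explain each flagged client by its driving features."""
    report = []
    for client, zs in anomalies.items():
        drivers = [f"{n}={feats[client][n]:.2f} (z={z:.1f})"
                   for n, z in zs.items() if z >= threshold]
        report.append(f"{client}: " + ", ".join(drivers))
    return report

def evaluate(anomalies, known_bad):
    """Step 5, evaluation: precision and recall of the flagged set against labels."""
    flagged, bad = set(anomalies), set(known_bad)
    tp = len(flagged & bad)
    return (tp / len(flagged) if flagged else 0.0, tp / len(bad) if bad else 0.0)

def run_pipeline(raw=SAMPLE_LOG, threshold=3.0):
    feats = explore(preprocess(raw))
    anomalies = localize(feats, threshold)
    return feats, anomalies, describe(feats, anomalies, threshold)

if __name__ == "__main__":
    feats, anomalies, report = run_pipeline()
    print("\n".join(report))
    print("precision/recall:", evaluate(anomalies, {"10.0.0.9"}))
```

The per-feature scores kept in the localization step are what the description step turns into a readable event ("10.0.0.9: requests=8.00 (z=5.0), ..."), which is the same separation the thesis draws between locating an anomaly and explaining it; the MAD fallback matters on small log slices, where most clients share a value and a plain MAD of zero would otherwise divide by zero or hide the outlier.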
Keywords/Search Tags: SEMMA, Cybersecurity visualization, Interpretive visualization, XGBoost