基于博弈论的入侵检测与响应优化综述

张杭生; 刘吉强; 梁杰; 刘海涛; 李婷; 耿立茹; 刘银龙

引用本文：

张杭生,刘吉强,梁杰,刘海涛,李婷,耿立茹,刘银龙.基于博弈论的入侵检测与响应优化综述[J].信息安全学报,2024,9(4):163-179 [点击复制]
ZHANG Hangsheng,LIU Jiqiang,LIANG Jie,LIU Haitao,LI Ting,GENG Liru,LIU Yinlong.A Survey on Optimizing Intrusion Detection and Response Based on Game Theory[J].Journal of Cyber Security,2024,9(4):163-179 [点击复制]

本文已被：浏览 83次下载 51次	码上扫一扫！
基于博弈论的入侵检测与响应优化综述
张杭生^1,2, 刘吉强³, 梁杰^1,2, 刘海涛^1,2, 李婷^1,2, 耿立茹¹, 刘银龙^1,2
0 字体:加大+\|默认\|缩小-
(1.中国科学院信息工程研究所北京中国 100093;2.中国科学院大学网络空间安全学院北京中国 100049;3.北京交通大学智能交通数据安全与隐私保护北京市重点实验室北京中国 100044)

摘要:

当前网络规模急剧增加, 各类入侵过程也逐渐向复杂化、多样化的趋势发展。网络攻击带来的损失越来越严重, 针对各类安全事件的检测发现以及查处响应也变得日益困难。为了快速识别各类网络安全事件并做出相应的响应, 入侵检测与响应技术变得越来越重要。入侵检测系统(IDS)能否识别复杂的攻击模式以及分析大量的网络流量主要取决于其精度和配置, 这使得入侵检测与响应的优化问题成为网络与系统安全的重要需求, 并且成为一个活跃的研究主题。现有的研究成果已经提出了很多可以优化入侵检测和响应效率的方法, 其中, 将博弈论应用在入侵检测与响应的研究日益增多。博弈论提供了一种框架去捕获攻击者和防御者的交互, 采用了一种定量的方法评估系统的安全性。本文在分析了入侵检测与响应系统和博弈论的基本原理的基础上, 介绍了当前基于博弈论的入侵检测与响应优化问题的现有解决方案, 并且讨论了这些解决方案的局限性以及给出了未来的研究方向。首先, 详细介绍了入侵检测与博弈论的背景知识, 回顾了常用的入侵检测系统基本原理, 评估方法, 常用的数据集以及经典的安全领域中的博弈论模型。其次, 按照基于博弈论的入侵检测与响应优化问题的类型进行了分类介绍, 根据攻击的先后顺序对网络安全架构优化、 IDS 配置与效率优化、 IDS 的自动化响应优化以及分布式入侵检测架构优化等技术的研究现状进行归纳、分析、总结, 并分析了现有方案的优缺点, 进而分析可能的解决方案。然后针对将博弈论应用于入侵检测与响应中面临的挑战进行了分析与讨论。最后展望了未来的研究方向以及发展趋势。

关键词: 博弈论入侵检测入侵响应多智能体强化学习网络安全

DOI：10.19363/J.cnki.cn10-1380/tn.2022.12.06

投稿时间：2020-06-17修订日期：2020-11-02

基金项目:本课题得到中国国家重点研发计划(No. 2021YFB2910108)和2021年重庆市属本科高校与中科院所属院所合作项目(No. HZ2021015)资助。

A Survey on Optimizing Intrusion Detection and Response Based on Game Theory

ZHANG Hangsheng^1,2, LIU Jiqiang³, LIANG Jie^1,2, LIU Haitao^1,2, LI Ting^1,2, GENG Liru¹, LIU Yinlong^1,2

(1.Institute of Information Engineering, Chinese Academy of Sciences, Beijing 100093, China;2.School of Cyberspace Security University of Chinese Academy of Sciences, Beijing 100049, China;3.Beijing Key Laboratory of Security and Privacy in Intelligent Transportation, Beijing Jiaotong University, Beijing 100044, China)

Abstract:

In recent years, cyber-attacks have caused an increasing number of serious losses. It has become increasingly important to use intrusion detection and response technology in order to identify various security incidents quickly and respond accordingly. Detecting complex attack patterns and analyzing large volumes of network traffic depends largely on the accuracy and configuration of an intrusion detection system (IDS). In this context, intrusion detection and response optimization are important security requirements for networks and systems, and have become an active research topic. Many methods have been proposed in the research literature that can enhance intrusion detection and response efficiency. There has been a rapid growth in the use of game theory among these applications of intrusion detection and response. A quantitative method of evaluating the security of a system is based on the game theory, which provides a framework for capturing the interaction between attackers and defenders. Based on an analysis of the basic principles of intrusion detection and response systems and game theory, the paper discusses existing approaches to improving intrusion detection and response using game theory, discusses their limitations, and offers directions for future research based on these solutions. First of all, the background knowledge of intrusion detection and game theory is presented in detail, reviewing the basic principles of commonly used intrusion detection systems, evaluation methods, commonly used datasets and classical game theoretic models in the security domain. Second, the types of intrusion detection and response optimization problems based on game theory are categorized and introduced. According to the order of attacks, the research status of technologies such as network security architecture optimization, intrusion detection system configuration and efficiency optimization, IDS automated response optimization, and distributed intrusion detection architecture optimization is summarized, analyzed, and concluded. Meanwhile, the advantages and disadvantages of existing solutions are also analyzed, and then possible solutions are analyzed. We then analyze and discuss the challenges associated with applying game theory to intrusion detection and response. Finally, we look forward to the future direction of research and development.

Key words: game theory intrusion detection intrusion response multi-agent reinforcement learning cyber security