Cite this article:
  • Feng Wenying, Gu Zhaoquan, Zhao Angxiao, Luo Cui, Yuan Huaping, Hu Ning. Quantitative Threat Analysis of Multi-source Security Logs [J]. Journal of Cyber Security, accepted.

Quantitative Threat Analysis of Multi-source Security Logs
Feng Wenying, Gu Zhaoquan, Zhao Angxiao, Luo Cui, Yuan Huaping, Hu Ning
(Peng Cheng Laboratory)
Abstract:
Intrusion detection systems (IDSs) are an important component of network security, used to identify and respond to malicious activity. IDSs mainly rely on preset rules or classification algorithms to detect anomalies. Rule-based intrusion detection matches network traffic against predefined rules, but because it cannot adapt automatically to specific scenarios it usually comes with a high false-positive rate. Classification-based intrusion detection uses machine learning algorithms to classify network traffic as benign or malicious. Neither approach delivers fine-grained assessment of threat severity, because neither can process massive volumes of security logs and mine the key information from them, so important threat clues and information dimensions are overlooked. To address this limitation, this study introduces a regression model and proposes Themis, a novel framework for quantitative threat analysis of security logs, to assess and analyze the threat severity of threat entities found in multi-source security logs. Themis first automatically extracts the core threat entities, including security events and potentially malicious IP addresses, from multi-source web security alert logs. It then designs a comprehensive set of threat representation dimensions and builds a multidimensional feature representation of each extracted threat entity. To address the scarcity of labeled data and the imbalanced class distribution that are common in security logs, Themis uses unsupervised learning techniques to enhance the features of threat samples and improve the model's learning effectiveness. Finally, a regression assessment model is trained on the enhanced feature set to perform fine-grained quantification of threat severity and regression analysis. Through regression analysis we examine and identify several dimensions that have a significant influence on threat assessment; further ablation experiments verify the effectiveness of the feature-enhancement-based threat assessment strategy. In addition, we systematically compare the performance of multiple regression algorithms on the threat assessment task and provide a trade-off analysis and application recommendations based on algorithm effectiveness and complexity.
Keywords: intrusion detection, threat assessment, feature enhancement, regression analysis
Received: 2024-07-10; Revised: 2024-12-31
Funding: Peng Cheng Laboratory Key Project; Shenzhen Science and Technology Program; National Natural Science Foundation of China (General Program, Key Program, Major Program)
Quantitative Threat Analysis of Multi-source Security Logs
Feng Wenying, Gu Zhaoquan, Zhao Angxiao, Luo Cui, Yuan Huaping, Hu Ning
(Peng Cheng Laboratory)
Abstract:
Intrusion detection systems (IDSs) are critical components of cybersecurity, tasked with identifying and responding to malicious activities. IDSs primarily rely on predefined rules or classification methods to detect anomalies. Rule-based IDSs compare network traffic against a predefined rule set, but they often suffer from a high false-positive rate because they cannot adapt to new scenarios. Classification-based IDSs use machine learning algorithms to categorize network traffic as either benign or malicious. Both kinds of system struggle to deliver the granularity required for accurate threat assessment: the volume of log data can overwhelm them, so important threat indicators are overlooked. To address these limitations, this paper introduces Themis, a novel regression-based framework designed to evaluate and analyze the threats present in multi-source security logs. Themis begins by extracting threat entities from web alert logs, including critical information such as security events and threat IP addresses. These entities are then represented in a multidimensional space in which each dimension corresponds to a specific attribute of the threat entity. To overcome the scarcity of labeled data and the class imbalance typical of security logs, Themis employs unsupervised learning techniques to enhance the features of threat entity samples. The core of Themis is a threat assessment model that uses these enhanced features to perform threat regression analysis; the model is trained to predict the severity of threats and so provides a more precise assessment than traditional intrusion detection methods. To validate Themis, we conduct detailed regression analysis experiments that identify the dimensions with a significant impact on threat severity, and ablation experiments that demonstrate the benefits of feature-enhanced threat assessment. Furthermore, we compare different regression algorithms for threat assessment and discuss their respective advantages and disadvantages. Finally, we offer a complexity analysis and practical application recommendations for the regression algorithms considered.
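The abstract describes a pipeline of entity extraction, multidimensional feature representation and regression-based severity scoring. The following added example (not the paper's code, and not the Themis implementation) shows that pipeline end to end on constructed data: the `source ts= src= event= sev=` log format, the five feature dimensions, the analyst rubric that generates the training labels, and the closed-form ridge regression are all assumptions made for this demo, and the paper's unsupervised feature-enhancement step is omitted. The learned weight vector is the closest analogue here to the paper's regression analysis of which dimensions drive severity.

```python
"""Toy pipeline in the spirit of Themis (added demo, not the paper's code): parse
multi-source web alert logs, extract threat entities (source IPs), build a feature
vector per entity, fit a regression severity model, score unseen entities."""
import re
from collections import defaultdict

# Constructed alerts from two sources (a WAF and a NIDS); one malformed line on purpose.
SAMPLE_LOGS = """\
waf ts=1717400001 src=203.0.113.7 event=sqli sev=high
waf ts=1717400002 src=203.0.113.7 event=xss sev=medium
nids ts=1717400003 src=203.0.113.7 event=scan sev=low
waf ts=1717400004 src=198.51.100.9 event=xss sev=low
nids ts=1717400005 src=192.0.2.44 event=scan sev=low
nids ts=1717400006 src=192.0.2.44 event=scan sev=low
waf ts=1717400007 src=192.0.2.44 event=rce sev=high
waf ts=1717400008 src=192.0.2.44 event=sqli sev=high
nids ts=1717400009 src=198.51.100.10 event=bruteforce sev=medium
garbage line that the parser must skip rather than crash on
"""
LINE_RE = re.compile(r"^(?P<source>\w+) ts=(?P<ts>\d+) src=(?P<ip>[\d.]+) "
                     r"event=(?P<event>\w+) sev=(?P<sev>\w+)$")
SEV_WEIGHT = {"low": 1.0, "medium": 2.0, "high": 3.0}
# Feature dimensions per entity (assumed for the demo): alert_count, distinct_events,
# source_count, high_ratio (share of high-severity alerts), mean_sev.

def parse_alerts(text):
    """Parse raw lines into dicts; lines that do not match the format are dropped."""
    alerts = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            alerts.append(m.groupdict())
    return alerts

def extract_entities(alerts):
    """Group alerts by source IP (the threat entity) and build its feature vector."""
    by_ip = defaultdict(list)
    for a in alerts:
        by_ip[a["ip"]].append(a)
    features = {}
    for ip, rows in by_ip.items():
        sev = [SEV_WEIGHT.get(r["sev"], 0.0) for r in rows]
        features[ip] = [
            float(len(rows)),                              # alert_count
            float(len({r["event"] for r in rows})),        # distinct_events
            float(len({r["source"] for r in rows})),       # source_count
            sum(1 for s in sev if s == 3.0) / len(rows),   # high_ratio
            sum(sev) / len(rows),                          # mean_sev
        ]
    return features

def _solve(A, b):
    """Gauss-Jordan elimination with partial pivoting; fine for a few unknowns."""
    n = len(A)
    M = [row[:] + [b[i]] for i, row in enumerate(A)]
    for col in range(n):
        pivot = max(range(col, n), key=lambda r: abs(M[r][col]))
        M[col], M[pivot] = M[pivot], M[col]
        p = M[col][col]
        M[col] = [v / p for v in M[col]]
        for r in range(n):
            if r != col:
                f = M[r][col]
                M[r] = [rv - f * cv for rv, cv in zip(M[r], M[col])]
    return [M[i][n] for i in range(n)]

def fit_ridge(X, y, lam=1e-6):
    """Closed-form ridge regression, bias unpenalised: w = (X^T X + lam*I)^-1 X^T y."""
    Xb = [[1.0] + list(row) for row in X]          # prepend bias column
    d = len(Xb[0])
    XtX = [[sum(r[i] * r[j] for r in Xb) + (lam if i == j and i > 0 else 0.0)
            for j in range(d)] for i in range(d)]
    Xty = [sum(r[i] * yi for r, yi in zip(Xb, y)) for i in range(d)]
    return _solve(XtX, Xty)

def predict(w, x):
    """Severity score of one feature vector under weights w (bias first)."""
    return w[0] + sum(wi * xi for wi, xi in zip(w[1:], x))

# Constructed labelled set: analyst severity for past entities. Labels follow a
# fixed rubric so the demo is deterministic; real labels would be noisier.
RUBRIC = (0.5, 1.0, 1.0, 3.0, 1.0)
TRAIN_X = [[1, 1, 1, 0.0, 1.0], [2, 1, 1, 0.0, 1.5], [2, 2, 1, 0.5, 2.0],
           [5, 2, 2, 0.6, 2.4], [3, 3, 2, 1.0, 3.0], [8, 4, 2, 0.75, 2.5],
           [1, 1, 1, 1.0, 3.0], [6, 1, 1, 0.0, 1.0], [4, 2, 2, 0.25, 1.75],
           [2, 2, 2, 0.0, 2.0]]
TRAIN_Y = [sum(c * v for c, v in zip(RUBRIC, row)) for row in TRAIN_X]

def score_entities(log_text, weights):
    """Full pipeline: logs -> entities -> features -> (ip, severity), highest first."""
    feats = extract_entities(parse_alerts(log_text))
    scored = [(ip, round(predict(weights, f), 2)) for ip, f in feats.items()]
    return sorted(scored, key=lambda kv: kv[1], reverse=True)

if __name__ == "__main__":
    w = fit_ridge(TRAIN_X, TRAIN_Y)
    print("learned weights (bias, then features):", [round(v, 3) for v in w])
    for ip, score in score_entities(SAMPLE_LOGS, w):
        print(f"{ip:>14}  severity={score}")
```

Two points of the design match the abstract's argument: the entity seen by both the WAF and the NIDS with several distinct high-severity events ranks first, because cross-source corroboration and event diversity are explicit dimensions rather than being lost in raw alert counts, and the malformed line is dropped instead of aborting the run, which is what you want when the extractor has to process large volumes of heterogeneous log data.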
Key words:  intrusion detection, threat assessment, feature enhancement, regression analysis