Acta Electronica Sinica ›› 2018, Vol. 46 ›› Issue (8): 1793-1803. DOI: 10.3969/j.issn.0372-2112.2018.08.001

• Academic Papers •

Research on a Security Event Correlation Rule Generation Method Based on One-Class SVM and GP

杜栋栋1,3, 任星彰2,3, 陈坤2,3, 叶蔚3, 赵文3, 张世琨3   

  1. School of Electronics Engineering and Computer Science, Peking University, Beijing 100871, China;
    2. School of Software and Microelectronics, Peking University, Beijing 100871, China;
    3. National Engineering Research Center for Software Engineering, Peking University, Beijing 100871, China
  • Received: 2017-06-27  Revised: 2018-02-28  Online: 2018-08-25  Published: 2018-08-25
  • Corresponding author: ZHAO Wen
  • About the authors: DU Dong-dong, male, born in 1983 in Anyang, Henan; PhD student (class of 2013) at the School of Electronics Engineering and Computer Science, Peking University; research interests: network and information security, domain knowledge graphs, big data and machine learning. E-mail: dudong@pku.edu.cn. REN Xing-zhang, male, born in 1993 in Xiaoyi, Shanxi; master's student (class of 2016) at the School of Software and Microelectronics, Peking University; research interests: context awareness, network security, machine learning.
  • Funding:
    National Key R&D Program of China (No. 2017YFB0802900); Beijing Natural Science Foundation (No. 4182024); China Postdoctoral Science Foundation (No. 2017M620524)

A Security Event Correlation Rule Generation Method Research Based on One-Class SVM and Genetic Programming

DU Dong-dong1,3, REN Xing-zhang2,3, CHEN Kun2,3, YE Wei3, ZHAO Wen3, ZHANG Shi-kun3   

  1. School of Electronics Engineering and Computer Science, Peking University, Beijing 100871, China;
    2. School of Software and Microelectronics, Peking University, Beijing 100871, China;
    3. National Engineering Research Center for Software Engineering, Peking University, Beijing 100871, China
  • Received: 2017-06-27  Revised: 2018-02-28  Online: 2018-08-25  Published: 2018-08-25

Abstract: With the rapid development of information technology, the damage caused by cyber security threats grows ever more serious. Security Information and Event Management (SIEM) plays an important role in finding insider threats, suspicious behaviour and other advanced persistent threats (APT). SIEM detection capability depends mainly on accurate, reliable correlation rules. Traditional rule generation, however, relies on experts hand-writing detection rules, which is costly and inefficient. This paper presents a rule generation framework with self-adaptive capability that generates correlation rules automatically. First, to better identify unknown attacks, a security event classification algorithm based on a One-Class Support Vector Machine (One-Class SVM) is proposed to classify security events effectively; in experiments its classification accuracy reaches 97%. Second, to improve rule generation accuracy, the genetic programming (GP) based rule generation algorithm is optimised by redefining the individual structure and the crossover and mutation operators; rule fitness reaches 94%. Experimental results show that the proposed framework has the self-adaptive capability to identify unknown attacks, achieves high detection accuracy and effectively reduces manual involvement. The framework has also been deployed in a real production environment, where it detects more attack types than the original system.

Key words: security events, correlation rule generation, log management, security information and event management (SIEM), one-class support vector machine, genetic programming

Abstract: With the rapid development of information technology, enterprises and organizations are suffering different kinds of cyber security threats. Security Information and Event Management (SIEM) plays an essential role in finding insider threats, suspicious behaviors and other advanced attacks through its correlation capability. SIEM detection capability relies on accurate and reliable correlation rules; however, the traditional way of generating rules depends on human expert knowledge, which is costly and time-consuming. In this paper, we propose an adaptive rule generation framework that generates correlation rules automatically. First, in order to identify unknown attacks better, we propose a security event classification algorithm based on a One-Class Support Vector Machine (One-Class SVM) to classify security events effectively; results show that the classification rate reaches 97%. Second, to improve the rule generation accuracy rate, we propose and optimize a Genetic Programming (GP) rule generation algorithm by redefining the individual structure and the crossover and mutation operations; results show that the best individual fitness reaches 94%. Experiments show that our approach has the ability of self-adaption to identify unknown attacks, a competitive threat detection accuracy rate, and reduced human labor engagement. We also implemented our approach in a real production system, where more attack types could be detected compared with the existing system.

Key words: security events, correlation rule generation, log management, security information and event management (SIEM), one-class support vector machine, genetic programming
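The abstract describes the GP stage only in outline: a correlation rule is an individual, and crossover and mutation are redefined over that individual structure. The following is an added illustration written for this page, not the authors' code, of what such a search looks like when the individual is a boolean expression tree over normalised event fields. The field names (`event_type`, `count`), the twelve constructed labelled events, the terminal set of atomic conditions, the accuracy-based fitness and all hyper-parameters (population size, generations, rates, depth limit) are assumptions of this demo; the paper's own individual encoding and fitness definition are not given on this page.

```python
import random

# Constructed sample events (assumption): (event_type, count, is_attack).
EVENTS = [({"event_type": t, "count": c}, a) for t, c, a in [
    ("auth_fail", 5, True), ("auth_fail", 8, True), ("auth_fail", 12, True),
    ("auth_fail", 6, True), ("auth_fail", 1, False), ("auth_fail", 2, False),
    ("login_ok", 1, False), ("login_ok", 3, False), ("login_ok", 7, False),
    ("file_read", 1, False), ("file_read", 9, False), ("file_read", 2, False),
]]

# Terminal set (assumption): atomic conditions the rule language allows.
# A rule is a nested tuple: ("and"|"or", l, r), ("not", x), or a terminal.
TERMINALS = [
    ("eq", "event_type", "auth_fail"), ("eq", "event_type", "login_ok"),
    ("eq", "event_type", "file_read"),
    ("ge", "count", 3), ("ge", "count", 5), ("ge", "count", 8),
]
MAX_DEPTH = 4  # assumption: cap on tree depth to stop bloat

def evaluate(node, event):
    """Apply a rule tree to one event and return True if it fires."""
    op = node[0]
    if op == "and": return evaluate(node[1], event) and evaluate(node[2], event)
    if op == "or": return evaluate(node[1], event) or evaluate(node[2], event)
    if op == "not": return not evaluate(node[1], event)
    if op == "eq": return event[node[1]] == node[2]
    if op == "ge": return event[node[1]] >= node[2]
    raise ValueError("unknown node %r" % (op,))

def fitness(node, events=EVENTS):
    """Accuracy of the rule on the labelled events (assumed fitness)."""
    return sum(evaluate(node, e) == label for e, label in events) / len(events)

def random_tree(rng, depth):
    """Grow a random rule tree of at most the given depth."""
    if depth == 0 or rng.random() < 0.3:
        return rng.choice(TERMINALS)
    op = rng.choice(["and", "or", "not"])
    if op == "not":
        return ("not", random_tree(rng, depth - 1))
    return (op, random_tree(rng, depth - 1), random_tree(rng, depth - 1))

def depth(node):
    return 1 if node[0] in ("eq", "ge") else 1 + max(depth(c) for c in node[1:])

def subtrees(node, path=()):
    """Yield (path, subtree) for every node so operators can pick a crossover point."""
    yield path, node
    if node[0] in ("and", "or", "not"):
        for i, child in enumerate(node[1:], start=1):
            yield from subtrees(child, path + (i,))

def replace(node, path, new):
    if not path: return new
    lst = list(node)
    lst[path[0]] = replace(node[path[0]], path[1:], new)
    return tuple(lst)

def crossover(rng, a, b):
    """Subtree crossover: graft a random subtree of b into a random point of a."""
    pa, _ = rng.choice(list(subtrees(a)))
    _, sb = rng.choice(list(subtrees(b)))
    child = replace(a, pa, sb)
    return child if depth(child) <= MAX_DEPTH else a

def mutate(rng, a):
    """Subtree mutation: replace a random point of a with a fresh small tree."""
    pa, _ = rng.choice(list(subtrees(a)))
    child = replace(a, pa, random_tree(rng, 2))
    return child if depth(child) <= MAX_DEPTH else a

def tournament(rng, scored, k=3):
    return max(rng.sample(scored, k), key=lambda s: s[0])[1]

def evolve(seed=1, pop_size=80, generations=40, events=EVENTS):
    """Run the GP search; returns (best_fitness, best_rule)."""
    rng = random.Random(seed)
    pop = [random_tree(rng, 3) for _ in range(pop_size)]
    best = None
    for _ in range(generations):
        scored = sorted(((fitness(t, events), t) for t in pop),
                        key=lambda s: s[0], reverse=True)
        if best is None or scored[0][0] > best[0]:
            best = scored[0]
        if best[0] == 1.0:
            break
        nxt = [scored[0][1]]  # elitism: keep the best rule unchanged
        while len(nxt) < pop_size:
            if rng.random() < 0.8:
                nxt.append(crossover(rng, tournament(rng, scored), tournament(rng, scored)))
            else:
                nxt.append(mutate(rng, tournament(rng, scored)))
        pop = nxt
    return best

def render(node):
    """Pretty-print a rule tree in a SIEM-like condition syntax."""
    op = node[0]
    if op in ("and", "or"):
        return "(%s %s %s)" % (render(node[1]), op.upper(), render(node[2]))
    if op == "not":
        return "NOT %s" % render(node[1])
    return "%s %s %r" % (node[1], "==" if op == "eq" else ">=", node[2])

if __name__ == "__main__":
    f, rule = evolve()
    print("best fitness %.2f  rule: %s" % (f, render(rule)))
```

On this constructed data the search converges on a rule equivalent to `event_type == 'auth_fail' AND count >= 5` (or `count >= 3`, which separates the same events); in practice the labelled set would come from the classification stage and the fitness would need to penalise false positives explicitly, since accuracy on a small sample rewards over-fitted trees.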
