1. School of Electronics Engineering and Computer Science, Peking University, Beijing 100871
2. School of Software and Microelectronics, Peking University, Beijing 100871
3. National Engineering Research Center for Software Engineering, Peking University, Beijing 100871
Published online: 2018-08-25
Print publication: 2018
DU Dong-dong, REN Xing-zhang, CHEN Kun, et al. A Security Event Correlation Rule Generation Method Research Based on One-Class SVM and Genetic Programming[J]. Acta Electronica Sinica, 2018, 46(8): 1793-1803. DOI: 10.3969/j.issn.0372-2112.2018.08.001.
With the rapid development of information technology, enterprises and organizations face an increasingly wide range of cyber-security threats. Security Information and Event Management (SIEM) plays an essential role in finding insider threats, suspicious behaviour and other advanced persistent threats (APT) through its event-correlation capability, and that detection capability depends on accurate and reliable correlation rules. Traditionally, rules are written by hand from expert knowledge, which is costly, slow and inefficient. This paper proposes an adaptive rule-generation framework that generates correlation rules automatically. First, to identify unknown attacks more effectively, a security-event classification algorithm based on the One-Class Support Vector Machine (One-Class SVM) is proposed; in experiments its classification accuracy reaches 97%. Second, to improve rule-generation accuracy, the Genetic Programming (GP) rule-generation algorithm is optimised by redefining the individual structure and the crossover and mutation operators; the best individual fitness reaches 94%. Experimental results show that the framework can adapt to identify unknown attacks, achieves competitive detection accuracy and reduces manual effort. The framework has also been deployed in a real production environment, where it detects more attack types than the existing system.
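The abstract only names the GP ingredients (an individual structure, crossover and mutation, a fitness score). The following is an added illustration, written for this page and not the paper's own algorithm or code: it evolves a SIEM correlation rule as an AND/OR expression tree over field predicates, with fitness defined as detection accuracy on a labelled event set. The event records, field alphabets, population size and mutation rate are all assumptions made for the example; the paper's redefined individual structure and operators are not reproduced here.

```python
"""Toy genetic programming search for a SIEM correlation rule (added example)."""
import random

# Constructed, labelled events (a normalised SIEM feed is assumed; the
# fields, values and labels are invented for this example).
EVENTS = [
    ({"type": "auth_fail", "count": 12, "port": 22, "hour": 3}, True),
    ({"type": "auth_fail", "count": 8, "port": 22, "hour": 14}, True),
    ({"type": "auth_fail", "count": 25, "port": 3389, "hour": 2}, True),
    ({"type": "auth_fail", "count": 1, "port": 22, "hour": 9}, False),
    ({"type": "auth_fail", "count": 2, "port": 443, "hour": 11}, False),
    ({"type": "login", "count": 1, "port": 22, "hour": 10}, False),
    ({"type": "login", "count": 3, "port": 3389, "hour": 2}, False),
    ({"type": "port_scan", "count": 200, "port": 0, "hour": 4}, True),
    ({"type": "port_scan", "count": 3, "port": 0, "hour": 13}, False),
    ({"type": "dns", "count": 40, "port": 53, "hour": 12}, False),
]

# Terminal set: each field has one comparison operator and a value alphabet.
FIELDS = {
    "type": ("==", ["auth_fail", "login", "port_scan", "dns"]),
    "count": (">=", [2, 5, 10, 50]),
    "port": ("==", [0, 22, 53, 443, 3389]),
    "hour": ("<", [6, 12, 18]),
}

# Individual = expression tree: ("pred", field, op, value) leaves,
# ("and", left, right) / ("or", left, right) inner nodes.

def evaluate(rule, event):
    """Does the rule fire on this event?"""
    if rule[0] == "pred":
        _, field, op, value = rule
        actual = event[field]
        return {"==": actual == value, ">=": actual >= value, "<": actual < value}[op]
    left, right = evaluate(rule[1], event), evaluate(rule[2], event)
    return (left and right) if rule[0] == "and" else (left or right)

def fitness(rule, events=EVENTS):
    """Fitness = accuracy of the rule as a detector on the labelled events."""
    return sum(evaluate(rule, e) == label for e, label in events) / len(events)

def depth(rule):
    return 0 if rule[0] == "pred" else 1 + max(depth(rule[1]), depth(rule[2]))

def random_rule(rng, max_depth=2):
    """Grow a random tree whose leaves are drawn from FIELDS."""
    if max_depth == 0 or rng.random() < 0.3:
        field = rng.choice(sorted(FIELDS))
        op, values = FIELDS[field]
        return ("pred", field, op, rng.choice(values))
    return (rng.choice(["and", "or"]),
            random_rule(rng, max_depth - 1), random_rule(rng, max_depth - 1))

def subtrees(rule, path=()):
    """Yield (path, subtree) for every node, root first."""
    yield path, rule
    if rule[0] != "pred":
        yield from subtrees(rule[1], path + (1,))
        yield from subtrees(rule[2], path + (2,))

def replace_at(rule, path, new):
    """Return a copy of rule with the subtree at path replaced by new."""
    if not path:
        return new
    node = list(rule)
    node[path[0]] = replace_at(rule[path[0]], path[1:], new)
    return tuple(node)

def crossover(rng, a, b):
    """Subtree crossover: graft a random subtree of b onto a random point of a."""
    path, _ = rng.choice(list(subtrees(a)))
    _, donor = rng.choice(list(subtrees(b)))
    return replace_at(a, path, donor)

def mutate(rng, rule):
    """Subtree mutation: regrow a random node as a fresh small tree."""
    path, _ = rng.choice(list(subtrees(rule)))
    return replace_at(rule, path, random_rule(rng, max_depth=1))

def evolve(events=EVENTS, pop_size=40, generations=30, max_depth=4, seed=1):
    """Elitist GP loop with truncation selection; returns (best_rule, best_fitness)."""
    rng = random.Random(seed)
    pop = [random_rule(rng) for _ in range(pop_size)]
    best = max(pop, key=lambda r: fitness(r, events))
    for _ in range(generations):
        ranked = sorted(pop, key=lambda r: fitness(r, events), reverse=True)
        parents = ranked[: pop_size // 2]
        nxt = [ranked[0]]                       # elitism keeps the incumbent
        while len(nxt) < pop_size:
            child = crossover(rng, rng.choice(parents), rng.choice(parents))
            if rng.random() < 0.2:
                child = mutate(rng, child)
            if depth(child) <= max_depth:       # bloat control
                nxt.append(child)
        pop = nxt
        top = max(pop, key=lambda r: fitness(r, events))
        if fitness(top, events) > fitness(best, events):
            best = top
    return best, fitness(best, events)

def to_text(rule):
    """Render a rule tree as a readable correlation expression."""
    if rule[0] == "pred":
        return f"{rule[1]} {rule[2]} {rule[3]!r}"
    return f"({to_text(rule[1])} {rule[0].upper()} {to_text(rule[2])})"

if __name__ == "__main__":
    rule, score = evolve()
    print(f"fitness={score:.2f}  rule={to_text(rule)}")
```

The fitness here is plain accuracy, which is what makes a rule such as `type == 'auth_fail'` score 0.7 on this set while the hand-written brute-force-or-scan rule scores 1.0; in a real SIEM deployment false positives and false negatives carry very different costs, so a weighted or precision-constrained fitness is the first thing to change.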