Journal of Software:2011.22(5):996-1008

Layered Intrusion Scenario Reconstruction Method for Automated Evidence Analysis
FU Xiao (伏晓), SHI Jin (石进), XIE Li (谢立)
(State Key Laboratory for Novel Software Technology (Nanjing University), Nanjing 210093, China; State Key Laboratory for Novel Software Technology (Nanjing University), Nanjing 210093, China; School of National Information Security, Nanjing University, Nanjing 210093, China)
Received: April 09, 2009    Revised: October 10, 2010
Chinese abstract (translated): To enable automatic analysis of intrusion evidence, a layered intrusion scenario reconstruction method is proposed. Its principle is as follows: first, the intruder's abstract attack steps and the relationships between them are reconstructed using alert correlation; then, the behavioral details of each step are reconstructed using attack signatures and dependency tracking; finally, by mapping the two layers of reconstruction results onto each other and refining them, a complete intrusion behavior graph is obtained. Experimental results on DARPA 2000 show that the reconstruction is highly accurate and complete, and that the representation combining abstraction with detail is easier to understand and better suited to serve as legal evidence. Compared with existing methods, this method also shows some improvement in the completeness of the reconstructed scenarios, the complexity of the behaviors it can handle, and the security of the method itself.
Abstract: In order to analyze intrusion evidence automatically, a layered method for reconstructing intrusion scenarios is proposed. It has three main phases. First, the intruder's abstract steps and the relationships between them are reconstructed by alert correlation. Second, the detailed behaviors of each step are reconstructed from attack signatures and OS-level dependency tracking. Finally, the two results are mapped onto each other and refined, and a behavior graph describing the complete intrusion process is generated. Experiments on DARPA 2000 show that the results are not only easy to understand but also complete and accurate, and hence suitable for presentation in court. Compared with current methods, this method shows more advantages; for example, it can process more complex scenarios.
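The three phases the abstract describes, as an added Python illustration that is not the paper's code: alerts are correlated with a prerequisite/consequence model (one common correlation scheme, assumed here since the paper's own rules are not on this page), each correlated step is detailed by picking a host-side detection point from a signature table and tracking OS-level process/file dependencies backwards in time, and the detail events are then mapped onto the abstract step chain to form one behavior graph. The alerts, OS events, knowledge base and signature table are all constructed; the alert names only loosely follow the DARPA 2000 LLDOS 1.0 phases.

```python
"""Layered intrusion scenario reconstruction on constructed data (illustration only)."""

# Constructed IDS alerts. Alert 6 is a probe of another host that leads nowhere.
ALERTS = [
    {"id": 1, "type": "ip_sweep",         "src": "10.0.0.9",   "dst": "172.16.1.5", "t": 100},
    {"id": 2, "type": "sadmind_ping",     "src": "10.0.0.9",   "dst": "172.16.1.5", "t": 130},
    {"id": 3, "type": "sadmind_overflow", "src": "10.0.0.9",   "dst": "172.16.1.5", "t": 160},
    {"id": 4, "type": "mstream_install",  "src": "10.0.0.9",   "dst": "172.16.1.5", "t": 200},
    {"id": 5, "type": "mstream_ddos",     "src": "172.16.1.5", "dst": "10.1.1.1",   "t": 250},
    {"id": 6, "type": "sadmind_ping",     "src": "10.0.0.9",   "dst": "172.16.1.8", "t": 135},
]

# Constructed knowledge base: alert type -> (prerequisites, consequences).
KB = {
    "ip_sweep":         (set(),               {"host_alive"}),
    "sadmind_ping":     ({"host_alive"},      {"sadmind_running"}),
    "sadmind_overflow": ({"sadmind_running"}, {"root_shell"}),
    "mstream_install":  ({"root_shell"},      {"ddos_agent"}),
    "mstream_ddos":     ({"ddos_agent"},      {"flood"}),
}

# Constructed attack signatures: alert type -> host-side detection point object.
# Network-only steps (sweep, ping) have no host-side detection point.
SIGNATURES = {
    "sadmind_overflow": "proc:sh",
    "mstream_install":  "file:/usr/sbin/mstream",
    "mstream_ddos":     "sock:10.1.1.1:80",
}

# Constructed OS-level audit events on the victim: (time, source object, affected object).
# A fork, a file write or a socket send makes the destination depend on the source.
EVENTS = [
    (120, "proc:cron",           "file:/var/log/cron"),        # unrelated background activity
    (150, "proc:inetd",          "proc:sadmind"),
    (161, "proc:sadmind",        "proc:sh"),                   # exploit spawns a shell
    (165, "proc:sh",             "file:/tmp/.mstream"),        # payload dropped on disk
    (180, "proc:sshd",           "proc:bash"),                 # legitimate user login
    (190, "proc:bash",           "file:/home/alice/notes"),
    (201, "file:/tmp/.mstream",  "proc:install.sh"),           # installer reads the payload
    (205, "proc:install.sh",     "file:/usr/sbin/mstream"),
    (210, "proc:install.sh",     "proc:mstream_master"),
    (251, "proc:mstream_master", "sock:10.1.1.1:80"),          # flood traffic leaves the host
]


def correlate(alerts):
    """Phase 1: link a -> b when a's consequences satisfy a prerequisite of b,
    a happened first, and both concern the same host."""
    edges = []
    for a in alerts:
        for b in alerts:
            if a["t"] >= b["t"]:
                continue
            satisfied = KB[a["type"]][1] & KB[b["type"]][0]
            same_host = a["dst"] in (b["dst"], b["src"])
            if satisfied and same_host:
                edges.append((a["id"], b["id"]))
    return edges


def track_back(events, start, start_time):
    """Phase 2: backward dependency tracking from a detection point. An event is
    kept if it affected an object already in the set before that object's bound."""
    bound = {start: start_time}
    work, kept = [start], set()
    while work:
        obj = work.pop()
        for ev in events:
            t, src, dst = ev
            if dst == obj and t <= bound[obj]:
                kept.add(ev)
                if src not in bound or bound[src] < t:
                    bound[src] = t      # later influence widens the window for src
                    work.append(src)
    return sorted(kept)


def reconstruct(alerts, events, window=10):
    """Run all three phases and return the behavior graph."""
    edges = correlate(alerts)
    linked = {x for e in edges for x in e}
    steps = sorted((a for a in alerts if a["id"] in linked), key=lambda a: a["t"])
    detail = set()
    for s in steps:
        point = SIGNATURES.get(s["type"])
        if point:
            detail.update(track_back(events, point, s["t"] + window))
    detail = sorted(detail)
    # Phase 3: assign each detail event to the step whose time window contains it.
    graph = {"steps": [], "edges": edges}
    for i, s in enumerate(steps):
        lo = s["t"]
        hi = steps[i + 1]["t"] if i + 1 < len(steps) else float("inf")
        graph["steps"].append({"id": s["id"], "type": s["type"],
                               "details": [e for e in detail if lo <= e[0] < hi]})
    return graph


if __name__ == "__main__":
    for step in reconstruct(ALERTS, EVENTS)["steps"]:
        print(step["id"], step["type"], step["details"])
```

The mapping in phase 3 is what refines the abstract layer: the `sadmind_ping` step has no host-side signature of its own, yet it picks up the `inetd -> sadmind` event because the backward trace from later steps passes through it, while the cron and user-login events never enter the graph.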
Foundation item: Natural Science Foundation of Jiangsu Province (Bk2009465)
Citation:

FU Xiao, SHI Jin, XIE Li. Layered Intrusion Scenario Reconstruction Method for Automated Evidence Analysis. Journal of Software (软件学报), 2011, 22(5): 996-1008