Journal of Zhejiang University (Science Edition)  2022, Vol. 49, Issue (2): 131-140    DOI: 10.3785/j.issn.1008-9497.2022.02.001
Intelligent Vision and Visualization
SEMMA-Based visual exploration of cyber security event
Ying ZHONG, Song WANG (corresponding author), Hao WU, Zepeng CHENG, Xuejun LI
School of Computer Science and Technology, Southwest University of Science and Technology, Mianyang 621000, Sichuan Province, China
Abstract (translated from the Chinese):

Cyber security visualization can intuitively extract cyber security features and perceive the cyber security situation from every angle, but how to control the overall cyber security analysis workflow at the macro level remains a major research challenge. To this end, the classic sample-explore-modify-model-assess (SEMMA) analysis paradigm from data mining is introduced and, combined with cyber security visualization, a general cyber security event analysis model is proposed. The model divides the analysis process into the steps of data processing, behavioural feature exploration, anomalous object localization, anomalous event description and behavioural pattern association analysis, standardizing the security event exploration and analysis workflow. In the behavioural feature exploration step, the fuzzy C-means algorithm is used to quantify host behaviour and identify the network asset structure, and a protocol-based node link diagram (PBNLD) visual representation is proposed for building the network communication model, improving the rendering quality of large-scale node sets. Guided by the security event analysis model, a cyber security event visual exploration system was built on multi-source security log instance data; it realizes network asset partitioning, network anomaly event extraction and attack event evolution through coordinated multiple views and storyline backtracking. Finally, experiments demonstrate the effectiveness of the analysis model.

Key words (translated): SEMMA; fuzzy C-means algorithm; protocol-based node link diagram (PBNLD); cyber security visualization
Abstract (original English):

Nowadays, cyber-security features can be extracted intuitively and the cyber-security situation can be perceived in all aspects through cyber-security visualization. However, macro-level control of the overall cyber-security analysis process is still a research challenge. In this paper, a general cyber-security event analysis model is proposed that combines cyber-security visualization with the classic SEMMA (sample-explore-modify-model-assess) analytic model from data mining. To standardize the security event exploration process, the model divides the analysis into specific steps: data processing, behavioral feature exploration, anomalous object localization, anomalous event description and behavioral pattern association analysis. Fuzzy C-means is used in the analysis model to quantify host behavior and identify network asset structures during feature exploration. PBNLD (protocol-based node link diagram), a new visual representation, is presented to construct the network communication model and to enhance the rendering quality of massive numbers of nodes. Guided by the security event analysis model, a cyber-security event visual exploration system is built for multi-source security log instance data. Network asset segmentation, network anomaly event extraction and attack event evolution are implemented through coordinated multiple views and backtracking. Experimental results demonstrate the validity of the analytical model.

Key words: SEMMA; fuzzy C-means algorithm; protocol-based node link diagram (PBNLD); cyber-security visualization
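As an added example (not code from the paper), the following Python sketches the behavioural feature exploration step described in the abstract: per-host behaviour vectors are built from constructed flow records and clustered with a plain fuzzy C-means implementation, so that client-like and server-like assets separate while a mixed-role jump host receives split membership. The feature set, the farthest-first seeding and the FCM parameters are assumptions, not the paper's.

```python
"""Fuzzy C-means over per-host behaviour vectors built from flow records (added example,
not the paper's code; flows are constructed, features and FCM settings are assumptions)."""
import math
from collections import defaultdict

# Constructed flows: (src_ip, dst_ip, dst_port, proto). 10.0.0.20 is a jump host
# that both receives SSH and initiates HTTPS, so its role is mixed.
FLOWS = [
    ("10.0.0.11", "10.0.0.5", 443, "tcp"), ("10.0.0.11", "10.0.0.6", 53, "udp"),
    ("10.0.0.12", "10.0.0.5", 443, "tcp"), ("10.0.0.12", "10.0.0.6", 53, "udp"),
    ("10.0.0.13", "10.0.0.5", 80, "tcp"), ("10.0.0.13", "10.0.0.6", 53, "udp"),
    ("10.0.0.11", "10.0.0.20", 22, "tcp"), ("10.0.0.20", "10.0.0.5", 443, "tcp"),
]

def host_features(flows):
    """Per host: [fraction of flows initiated, fraction received, peer fraction]."""
    init, recv, peers = defaultdict(int), defaultdict(int), defaultdict(set)
    for src, dst, _port, _proto in flows:
        init[src] += 1
        recv[dst] += 1
        peers[src].add(dst)
        peers[dst].add(src)
    max_peers = max(len(p) for p in peers.values())
    return {h: [init[h] / (init[h] + recv[h]), recv[h] / (init[h] + recv[h]),
                len(peers[h]) / max_peers] for h in sorted(peers)}

def fuzzy_c_means(points, c=2, m=2.0, iters=50):
    """Standard FCM: returns (centres, u) with u[i][j] = membership of point i in cluster j."""
    centres = [list(points[0])]  # farthest-first seeding keeps the run deterministic
    while len(centres) < c:
        centres.append(list(max(points, key=lambda p: min(math.dist(p, v) for v in centres))))
    for _ in range(iters):
        u = []
        for p in points:
            d = [math.dist(p, v) for v in centres]
            if min(d) < 1e-12:  # point sits exactly on a centre (true right after seeding)
                u.append([1.0 if x < 1e-12 else 0.0 for x in d])
            else:
                u.append([1 / sum((d[j] / d[k]) ** (2 / (m - 1)) for k in range(c)) for j in range(c)])
        w = [[u[i][j] ** m for i in range(len(points))] for j in range(c)]  # weights u^m
        centres = [[sum(w[j][i] * points[i][k] for i in range(len(points))) / sum(w[j])
                    for k in range(len(points[0]))] for j in range(c)]
    return centres, u

def cluster_hosts(flows, c=2):
    feats = host_features(flows)  # insertion order is sorted host order
    return dict(zip(feats, fuzzy_c_means(list(feats.values()), c=c)[1]))
```

A membership near 0.5/0.5 is the signal the analysis model looks for: the host does not fit either asset group cleanly and deserves a closer look in the later anomaly localization step.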
Received: 2021-06-23    Published: 2022-03-22
CLC: TP 391.41
Funding: National Natural Science Foundation of China (61802320); Doctoral Fund of Southwest University of Science and Technology (19zx7144); Southwest University of Science and Technology special project for quality-oriented teaching reform (youth development research) (20szjg17)
Corresponding author: Song WANG    E-mail: wangsong@swust.edu.cn
About the first author: Ying ZHONG (born 1998), ORCID: https://orcid.org/0000-0002-4724-9394, female, master's student, mainly engaged in cyber security visualization research.
Cite this article:

ZHONG Y, WANG S, WU H, CHENG Z P, LI X J. SEMMA-based visual exploration of cyber security event[J]. Journal of Zhejiang University (Science Edition), 2022, 49(2): 131-140.

Ying ZHONG,Song WANG,Hao WU,Zepeng CHENG,Xuejun LI. SEMMA-Based visual exploration of cyber security event. Journal of Zhejiang University (Science Edition), 2022, 49(2): 131-140.

Link to this article:

https://www.zjujournals.com/sci/CN/10.3785/j.issn.1008-9497.2022.02.001
https://www.zjujournals.com/sci/CN/Y2022/V49/I2/131

Figure 1  Cyber security event analysis model based on the SEMMA paradigm
Figure 2  The PBNLD model: traditional network relationship diagram versus node link diagram based on communication protocol
Figure 3  Interactive operations on the host behaviour relationship clustering diagram
Figure 4  Overview of the system interface: (a) anomalous traffic event extraction case; (b) user anomalous operation process reasoning case. A. Timeline; B. nested pie chart; C. traffic line chart; D. PBNLD; E. traffic double line chart; F. Sankey diagram; G. heat map; H. password bubble chart; I. word cloud; J. host behaviour clustering diagram.
Figure 5  Network asset structure of an enterprise
Figure 6  User-based anomalous behaviour exploration
Figure 7  Network-traffic-based anomalous behaviour exploration

Table 1  User experiment tasks

No. | Task
1 | Explore and locate the time at which anomalous traffic occurred and the corresponding host nodes
2 | Explore and locate the operation behaviour of anomalous users
3 | Explore and realize backtracking of security events

Figure 8  Comparison of experiment task completion rates