Journal of Zhejiang University (Science Edition), 2022, Vol. 49, Issue 2: 131-140. DOI: 10.3785/j.issn.1008-9497.2022.02.001
Section: Intelligent Recognition and Visualization
SEMMA-Based visual exploration of cyber security event
Ying ZHONG, Song WANG (corresponding author), Hao WU, Zepeng CHENG, Xuejun LI
School of Computer Science and Technology, Southwest University of Science and Technology, Mianyang 621000, Sichuan Province, China

Abstract  

Cyber-security visualization now makes it possible to extract security features intuitively and to perceive the security situation from every angle; macro-level control of the overall analysis workflow, however, remains a research challenge. This paper proposes a general cyber-security event analysis model that combines cyber-security visualization with the classic sample-explore-modify-model-assess (SEMMA) model from data mining. To standardize the exploration and analysis of security events, the model divides the process into concrete steps: data processing, behavioural feature exploration, anomalous object localization, anomalous event description and behavioural pattern association analysis. In the feature exploration step, fuzzy C-means clustering is used to quantify host behaviour and identify the network asset structure. A new visual representation, the protocol-based node link diagram (PBNLD), is introduced to build the network communication model and improve rendering quality for very large numbers of nodes. Guided by the analysis model, a cyber-security event visual exploration system is built for multi-source security log instance data; network asset segmentation, network anomaly event extraction and attack event evolution are realized through coordinated multiple views and backtracking. Experimental results demonstrate the validity of the analysis model.
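The behavioural feature exploration step described above quantifies each host's behaviour and clusters hosts with fuzzy C-means to recover the network asset structure. The following is an added example, not code from the paper or its system: it derives three assumed per-host features (fraction of its flows the host initiated, normalized distinct-peer count, fraction of its flows in which it served a well-known port) from a constructed set of flow records and runs a plain fuzzy C-means implementation over them, so that hosts behaving like servers and hosts behaving like workstations fall into separate asset groups. The flow records, the feature definitions, the initialization strategy and the names FLOWS, host_features, fuzzy_c_means and segment_assets are all assumptions made for this example.

```python
"""Added example: quantify host behaviour from flow records and cluster hosts
with fuzzy C-means (FCM) to recover a coarse network asset structure.
Not the paper's code; features, data and initialisation are assumptions."""
import math
from collections import defaultdict

# Constructed flow records for the example: (src, dst, dst_port, bytes).
# 10.0.0.2 and 10.0.0.3 behave like servers, the rest like workstations.
FLOWS = [
    ("10.0.0.11", "10.0.0.2", 443, 5200),
    ("10.0.0.12", "10.0.0.2", 443, 4100),
    ("10.0.0.13", "10.0.0.2", 80, 3900),
    ("10.0.0.11", "10.0.0.3", 445, 12000),
    ("10.0.0.12", "10.0.0.3", 445, 8000),
    ("10.0.0.13", "10.0.0.3", 445, 9000),
    ("10.0.0.14", "10.0.0.2", 443, 3000),
    ("10.0.0.14", "10.0.0.3", 445, 7000),
    ("10.0.0.11", "10.0.0.12", 49152, 200),  # workstation-to-workstation, high port
]


def host_features(flows):
    """Per-host behaviour vector (an assumed feature set, not the paper's):
    [fraction of its flows it initiated, distinct peers / max peers,
     fraction of its flows in which it served a well-known port (<1024)]."""
    initiated, served, total = defaultdict(int), defaultdict(int), defaultdict(int)
    peers = defaultdict(set)
    for src, dst, dport, _ in flows:
        initiated[src] += 1
        total[src] += 1
        total[dst] += 1
        if dport < 1024:
            served[dst] += 1
        peers[src].add(dst)
        peers[dst].add(src)
    max_peers = max(len(p) for p in peers.values())
    return {h: [initiated[h] / total[h], len(peers[h]) / max_peers, served[h] / total[h]]
            for h in total}


def _dist(a, b):
    return math.sqrt(sum((x - y) ** 2 for x, y in zip(a, b)))


def fuzzy_c_means(points, c=2, m=2.0, max_iter=100, tol=1e-6):
    """Classic FCM: alternate membership and centre updates until the centres stop moving.
    Returns (centres, memberships); memberships[i][j] is point i's degree in cluster j."""
    n, d = len(points), len(points[0])
    # Deterministic initialisation chosen for this example (c >= 2): spread the initial
    # centres over the points ordered by the first feature. The paper's choice is not stated here.
    order = sorted(range(n), key=lambda i: points[i][0])
    centres = [list(points[order[round(k * (n - 1) / max(c - 1, 1))]]) for k in range(c)]
    u = [[0.0] * c for _ in range(n)]
    for _ in range(max_iter):
        for i, p in enumerate(points):
            ds = [_dist(p, cen) for cen in centres]
            hit = [j for j in range(c) if ds[j] == 0.0]
            if hit:  # point coincides with a centre: full membership there
                u[i] = [1.0 / len(hit) if j in hit else 0.0 for j in range(c)]
            else:
                u[i] = [1.0 / sum((ds[j] / ds[k]) ** (2.0 / (m - 1.0)) for k in range(c))
                        for j in range(c)]
        new = []
        for j in range(c):
            w = [u[i][j] ** m for i in range(n)]
            tot = sum(w)
            new.append([sum(w[i] * points[i][k] for i in range(n)) / tot for k in range(d)])
        shift = max(_dist(a, b) for a, b in zip(centres, new))
        centres = new
        if shift < tol:
            break
    return centres, u


def segment_assets(flows, c=2):
    """Map each host to (cluster label, membership vector): hosts sharing a label
    form one asset group (here: servers vs. workstations)."""
    feats = host_features(flows)
    hosts = sorted(feats)
    _, u = fuzzy_c_means([feats[h] for h in hosts], c=c)
    return {h: (max(range(c), key=lambda j: u[i][j]), u[i]) for i, h in enumerate(hosts)}


if __name__ == "__main__":
    for host, (label, memb) in segment_assets(FLOWS).items():
        print(f"{host:10s} cluster={label} membership={[round(x, 3) for x in memb]}")
```

The soft memberships are the useful part for exploration: a host whose membership is split between the server and workstation groups (here 10.0.0.12, which both connects to services and accepts a high-port connection from a peer) is exactly the kind of ambiguous object an analyst would drill into in the next SEMMA step rather than accept a hard label for.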



Key words: SEMMA; fuzzy C-means algorithm; protocol-based node link diagram (PBNLD); cyber-security visualization
Received: 23 June 2021      Published: 22 March 2022
CLC:  TP 391.41  
Corresponding Authors: Song WANG     E-mail: wangsong@swust.edu.cn
Cite this article: Ying ZHONG, Song WANG, Hao WU, Zepeng CHENG, Xuejun LI. SEMMA-Based visual exploration of cyber security event. Journal of Zhejiang University (Science Edition), 2022, 49(2): 131-140.
URL: https://www.zjujournals.com/sci/EN/Y2022/V49/I2/131


SEMMA-based visual exploration of cyber security events (Chinese title, translated)

Abstract (translated from the Chinese version): Cyber-security visualization can intuitively extract cyber-security features and perceive the security situation from all angles, but how to control the overall cyber-security analysis workflow at the macro level remains a major research challenge. To this end, the classic sample-explore-modify-model-assess (SEMMA) analysis paradigm from data mining is introduced and combined with cyber-security visualization to propose a general cyber-security event analysis model. The model divides the analysis into data processing, behavioural feature exploration, anomalous object localization, anomalous event description and behavioural pattern association analysis, standardizing the exploration and analysis workflow for security events. In the behavioural feature exploration stage, the fuzzy C-means algorithm is used to quantify host behaviour and identify the network asset structure, and a protocol-based node link diagram (PBNLD) is proposed as the visual representation for building the network communication model and improving the rendering quality of large-scale node sets. Guided by the security event analysis model, a cyber-security event visual exploration system is built for multi-source security log instance data; it realizes network asset partitioning, network anomaly event extraction and attack event evolution through coordinated multiple views and story-line backtracking. Finally, experiments demonstrate the effectiveness of the analysis model.

Key words (Chinese version, translated): SEMMA; fuzzy C-means algorithm; protocol-based node link diagram (PBNLD); cyber-security visualization
Fig. 1 SEMMA-based analysis model of cyber-security events
Fig. 2 Protocol-based node link diagram (PBNLD)
Fig. 3 Interactive operation of the behavioural relationship diagram based on host clustering
Fig. 4 System interface: (a) extraction case of an abnormal traffic event; (b) deduction case of an abnormal user operation process
Fig. 5 Network asset structure of an enterprise
Fig. 6 User-based exploration of abnormal behaviour
Fig. 7 Traffic-based exploration of abnormal behaviour
No.  Task
1    Explore and locate the time at which the abnormal traffic occurred and the corresponding host nodes
2    Explore and locate the operational behaviour of the abnormal user
3    Explore and carry out backtracking of the security event
Table 1 User experiment tasks
Fig. 8 Comparison of experiment task completion rates