Intelligent Recognition and Visualization
SEMMA-Based visual exploration of cyber security event
Ying ZHONG, Song WANG, Hao WU, Zepeng CHENG, Xuejun LI
School of Computer Science and Technology, Southwest University of Science and Technology, Mianyang 621000, Sichuan Province, China
Abstract Cyber-security visualization makes it possible to extract cyber-security features intuitively and to perceive the cyber-security situation in all its aspects. However, macro-level control of the overall cyber-security analysis process remains a research challenge. In this paper, a general cyber-security event analysis model is proposed that combines cyber-security visualization with the classic SEMMA (sample-explore-modify-model-assess) analytic model from data mining. To standardize the exploratory analysis of security events, the model divides the analysis process into specific steps: data processing, behavioral feature exploration, anomalous object localization, anomalous event description and behavioral pattern association analysis. In the feature exploration step, Fuzzy C-Means is used to quantify host behavior and identify network asset structures. PBNLD (protocol-based node link diagram), a new visual representation, is presented for constructing the network communication model and improves the rendering quality for massive numbers of nodes. Guided by the security event analysis model, a cyber-security event visual exploration system is built for multi-source security log instance data. Network asset segmentation, network anomaly event extraction and attack event evolution are implemented through coordinated multiple views and backtracking. Experimental results demonstrate the validity of the analysis model.
Received: 23 June 2021
Published: 22 March 2022
Corresponding Authors:
Song WANG
E-mail: wangsong@swust.edu.cn
Cite this article:
Ying ZHONG, Song WANG, Hao WU, Zepeng CHENG, Xuejun LI. SEMMA-Based visual exploration of cyber security event. Journal of Zhejiang University (Science Edition), 2022, 49(2): 131-140.
URL:
https://www.zjujournals.com/sci/EN/Y2022/V49/I2/131
SEMMA-based visual exploration of cyber security events (Chinese-language abstract)
Cyber-security visualization can intuitively extract cyber-security features and perceive the cyber-security situation from every angle, but how to control the overall cyber-security analysis process at a macro level remains a major research challenge. To address this, the classic sample-explore-modify-model-assess (SEMMA) analysis paradigm from data mining is introduced and combined with cyber-security visualization to propose a general cyber-security event analysis model. The model divides the analysis process into steps such as data processing, behavioral feature exploration, anomalous object localization, anomalous event description and behavioral pattern association analysis, thereby standardizing the exploratory analysis of security events. In the behavioral feature exploration step, the Fuzzy C-Means algorithm is used to quantify host behavior and identify the network asset structure; a protocol-based node link diagram (PBNLD) visual representation is proposed for constructing the network communication model, improving the rendering quality of large-scale node sets. Guided by the security event analysis model and targeting multi-source security log instance data, a cyber-security event visual exploration system is built that realizes network asset segmentation, network anomaly event extraction and attack event evolution through coordinated multiple views and storyline backtracking. Finally, experiments demonstrate the effectiveness of the analysis model.
Keywords:
SEMMA,
Fuzzy C-Means algorithm,
protocol-based node link diagram (PBNLD),
cyber-security visualization
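The abstract's feature-exploration step uses Fuzzy C-Means to quantify host behaviour and recover the network asset structure. The following added example (not code from the paper or its system) shows how that works on constructed per-host flow-log features: a plain Fuzzy C-Means implementation groups hosts into asset roles, and a host whose membership vector is spread across groups is flagged as one whose behaviour fits no role cleanly. The feature columns, host addresses and values are assumptions chosen for illustration.

```python
import math

# Constructed per-host behaviour features (sample values, not the paper's dataset):
# [distinct peers, flows initiated, flows received, distinct destination ports]
HOST_FEATURES = {
    "10.0.0.5":  [120, 900,   20, 3],   # workstation-like: initiates most of its flows
    "10.0.0.6":  [110, 850,   15, 4],
    "10.0.0.7":  [130, 950,   25, 2],
    "10.0.1.10": [400,  10, 5000, 1],   # server-like: receives flows from many peers
    "10.0.1.11": [380,  12, 4800, 1],
    "10.0.2.50": [ 30,  40,   60, 9],   # low-volume host with no clear role
}

def normalise(rows):
    """Min-max scale each feature column to [0, 1] so no single feature dominates distances."""
    lo = [min(col) for col in zip(*rows)]
    hi = [max(col) for col in zip(*rows)]
    return [[(v - l) / (h - l) if h > l else 0.0 for v, l, h in zip(r, lo, hi)] for r in rows]

def fuzzy_c_means(X, c, m=2.0, iters=200, tol=1e-7):
    """Standard Fuzzy C-Means; returns (membership matrix U, centroids C).
    Centroids are seeded by farthest-first traversal so a run is deterministic."""
    C = [X[0]]
    while len(C) < c:
        C.append(max(X, key=lambda x: min(math.dist(x, ctr) for ctr in C)))
    for _ in range(iters):
        U = []  # U[i][j] = degree to which host i belongs to group j (rows sum to 1)
        for x in X:
            d = [max(math.dist(x, ctr), 1e-12) for ctr in C]
            U.append([1.0 / sum((d[j] / d[k]) ** (2 / (m - 1)) for k in range(c)) for j in range(c)])
        newC = []  # membership-weighted means, the fuzzy analogue of k-means centroids
        for j in range(c):
            w = [u[j] ** m for u in U]
            newC.append([sum(wi * x[k] for wi, x in zip(w, X)) / sum(w) for k in range(len(X[0]))])
        shift = max(math.dist(a, b) for a, b in zip(C, newC))
        C = newC
        if shift < tol:
            break
    return U, C

def segment_assets(features, c=2):
    """Map each host to its fuzzy membership vector over c asset groups. A vector with no
    dominant entry marks a host that fits no group and deserves analyst attention."""
    hosts = list(features)
    U, _ = fuzzy_c_means(normalise([features[h] for h in hosts]), c)
    return {h: U[i] for i, h in enumerate(hosts)}

def dominant_group(membership):
    return max(range(len(membership)), key=membership.__getitem__)

if __name__ == "__main__":
    for host, u in segment_assets(HOST_FEATURES).items():
        print(f"{host:10s} group={dominant_group(u)} memberships={[round(v, 2) for v in u]}")
```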