OALib Journal
ISSN: 2333-9721

The Network Security Situation Awareness Based on Machine Learning

DOI: 10.12677/CSA.2020.1012258, PP. 2431-2438

Keywords: Machine Learning, Network Situation Awareness, Association Analysis, Attack Scene Reconstruction


Abstract:

Building on the attack-resisting measures of traditional network defence, this paper proposes a new scheme that uses machine learning to achieve network security situation awareness. To obtain alarm events effectively, the paper introduces alarm correlation analysis, which lowers the false-alarm rate by analysing the degree of correlation among multi-source alarm information. To reconstruct attack scenes accurately, it introduces CEP (complex event processing) technology to handle massive volumes of alarm information, and builds the knowledge base with causal association analysis based on the Markov property. The analysis shows that the scheme is highly reliable, widely applicable, computationally light and accurate, and is particularly suitable for big-data environments.
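The abstract names three building blocks (alarm correlation to cut false alarms, a Markov-property causal knowledge base, and attack scene reconstruction) without giving their details. The following is an added illustration, not code from the paper: it reduces the "causal association based on the Markov property" to a first-order Markov transition model learned from constructed, hypothetical alert sequences, then uses that knowledge base both to drop weakly correlated alerts and to chain alerts into a candidate attack scene.

```python
from collections import Counter, defaultdict

# Constructed sample: time-ordered alert sequences per host, merged from several
# sources (firewall "fw_", IDS "ids_", host agent "host_"). Hypothetical names.
SESSIONS = [
    ["fw_port_scan", "ids_brute_force", "host_new_admin", "ids_data_exfil"],
    ["fw_port_scan", "ids_brute_force", "host_new_admin"],
    ["fw_port_scan", "ids_brute_force", "ids_data_exfil"],
    ["fw_port_scan", "fw_port_scan"],
    ["ids_brute_force", "host_new_admin", "ids_data_exfil"],
    ["fw_port_scan", "host_new_admin"],
]

def build_knowledge_base(sessions):
    """Estimate a first-order Markov model P(next | current) from consecutive
    alert pairs. The result {current: {next: probability}} is the knowledge base."""
    counts = defaultdict(Counter)
    for seq in sessions:
        for cur, nxt in zip(seq, seq[1:]):
            counts[cur][nxt] += 1
    return {cur: {nxt: n / sum(c.values()) for nxt, n in c.items()}
            for cur, c in counts.items()}

def correlation_degree(kb, a, b):
    """Causal association strength of alert b following alert a (0 if never seen)."""
    return kb.get(a, {}).get(b, 0.0)

def filter_low_confidence(kb, seq, threshold=0.4):
    """Alarm correlation: drop an alert whose association with the last kept
    alert is below the threshold, treating it as a likely false positive."""
    kept = seq[:1]
    for alert in seq[1:]:
        if correlation_degree(kb, kept[-1], alert) >= threshold:
            kept.append(alert)
    return kept

def reconstruct_scene(kb, start, threshold=0.4, max_steps=6):
    """Attack scene reconstruction: follow the most probable transition from the
    starting alert while it clears the threshold and does not revisit an alert."""
    scene = [start]
    while len(scene) < max_steps and scene[-1] in kb:
        nxt, p = max(kb[scene[-1]].items(), key=lambda kv: kv[1])
        if p < threshold or nxt in scene:
            break
        scene.append(nxt)
    return scene

if __name__ == "__main__":
    kb = build_knowledge_base(SESSIONS)
    print(reconstruct_scene(kb, "fw_port_scan"))
    # -> ['fw_port_scan', 'ids_brute_force', 'host_new_admin', 'ids_data_exfil']
```

In a real deployment the sessions would come from the CEP layer's windowed alert streams, and the threshold would be tuned against a labelled false-alarm baseline rather than fixed.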

