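In the open Internet environment, large-scale distributed malicious network behavior is increasing. Security events that occur at different geographic locations and in different time periods may have latent, hidden relationships. Based on the idea of the universal Turing machine, the authors propose a Coordinative Running Model (CRM) for handling large-scale network security events. On the basis of a formal definition, the model's layered structure is analyzed from the perspective of human-computer interaction, its system architecture is built from distinct components, and a Coordinative Running System (CRS) oriented to basic network infrastructure is implemented and compared with the security-domain-based Security Operating System (SOC) model. In three application cases (botnet detection and tracking, correlation of DDoS attack events, and analysis of the relationship between botnets and DDoS attack sources), CRS coordinates different types of security devices on the backbone network so that they work together. Analysis of typical data shows that CRS provides a powerful platform for analyzing the relationships among security events at different times and in different places, and for uncovering the deeper security risks that emerge once those events are correlated.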
The Internet is an open network environment, and large-scale distributed malicious behavior on it is increasing day by day. Potential relationships may exist among network security incidents that occur at different positions and times. To deal with these problems, this paper presents a Coordinative Running Model (CRM) based on the Universal Turing Machine. A formal mathematical definition of the model is proposed. The architecture of the model is hierarchical, and the model consists of several important components, including a storage component, an interface system and a coordinative running engine, etc. On the basis of this work, a Collaborative Running System (CRS) is implemented for analyzing distributed incidents on the backbone network. Furthermore, the model is compared with the Security Operation Center (SOC). In three application scenarios, namely botnet tracking, correlation analysis of Distributed Denial-of-Service (DDoS) attack alerts, and relationship analysis between DDoS attack sources and botnets, different types of monitoring devices on the backbone network work together through CRS. The analysis results for typical security incident data show that CRS is efficient and effective at collaboratively analyzing the relations among large-scale security incidents at different times and places, and that CRS is a powerful platform for analyzing the hidden dangers among different incidents.