To address the shortcomings of manually adding and maintaining network security event correlation rules as network security incidents keep increasing, this paper proposes NSRAG (Network Security Rule Automatically Generation Framework), a system that automatically generates network security rules from attack traffic. The framework uses real attack traffic to trigger network security detection and monitoring software, collects the alerts and target state information they produce, and uses these as the data source for automatically generating network security event correlation rules. NSRAG has two rule generation algorithms: when the attack pattern is known, it uses an attack-pattern-based rule generation algorithm; when the attack pattern is unknown, it uses a sequence-mining-based rule generation algorithm. Testing and practical application show that NSRAG can automatically generate network security event correlation rules from network attack traffic, reducing dependence on knowledge of network attacks and improving the efficiency of adding correlation rules.
With the continuous growth of network security incidents, it is becoming insufficient to manually modify and maintain network security event correlation rules. This paper proposes a framework that automatically generates security rules from network attack traffic, NSRAG (Network Security Rule Automatically Generation Framework). The framework uses real network attack traffic to trigger network security detection and monitoring software, and collects the alarms and target state information generated by that software. The framework then uses these data to automatically generate network security event correlation rules. NSRAG has two rule generation algorithms: an attack-pattern-based automatic generation algorithm for known attack patterns, and a sequence-mining-based automatic generation algorithm for unknown attack patterns. Tests and practical application show that NSRAG can automatically generate rules from network attack traffic, and that it improves the efficiency of network security rule generation.
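The sequence-mining branch described above, as an added illustration that is not code from the NSRAG paper: several attack replays each yield an ordered list of alerts from the detection software, and the most specific alert sequence recurring in enough sessions becomes a candidate correlation rule. The alert names, session data and rule format are constructed for this example; target state information, which the framework also collects, is left out.

```python
"""Added example (not from the NSRAG paper): derive an ordered correlation rule from
the alert sequences of several attack sessions, illustrating the sequence-mining
branch used when the attack pattern is unknown. All sample data is constructed."""
from collections import Counter
from itertools import combinations

# Constructed sample: each session is the ordered list of alert signatures emitted
# by the detection software while one replay of attack traffic ran against the target.
SESSIONS = [
    ["PORT_SCAN", "WEB_LOGIN_BRUTE", "WEB_LOGIN_SUCCESS", "CMD_EXEC"],
    ["PORT_SCAN", "SSH_BRUTE", "WEB_LOGIN_BRUTE", "WEB_LOGIN_SUCCESS", "CMD_EXEC"],
    ["WEB_LOGIN_BRUTE", "WEB_LOGIN_SUCCESS", "FILE_UPLOAD", "CMD_EXEC"],
    ["PORT_SCAN", "DNS_QUERY_ANOMALY"],  # unrelated noise session
]

def ordered_subsequences(seq, length):
    """All order-preserving subsequences of `seq` with `length` items, deduplicated
    so one session counts at most once towards each candidate sequence."""
    return {tuple(seq[i] for i in idx) for idx in combinations(range(len(seq)), length)}

def mine_sequence_rule(sessions, min_support):
    """Return (sequence, support) for the longest ordered alert sequence present in at
    least `min_support` sessions; ties at that length are broken by higher support,
    then lexicographically. Returns None if no sequence of length >= 2 is frequent."""
    best = None
    for length in range(2, max(map(len, sessions)) + 1):
        counts = Counter()
        for session in sessions:
            counts.update(ordered_subsequences(session, length))
        frequent = [(seq, c) for seq, c in counts.items() if c >= min_support]
        if not frequent:
            break  # Apriori property: no longer sequence can reach the support threshold
        frequent.sort(key=lambda item: (-item[1], item[0]))
        best = frequent[0]
    return best

def to_correlation_rule(rule_name, mined):
    """Render a mined sequence as a simple ordered correlation rule (constructed format)."""
    seq, support = mined
    return f"rule {rule_name}: when {' -> '.join(seq)} in order from one source; support={support}"

if __name__ == "__main__":
    mined = mine_sequence_rule(SESSIONS, min_support=3)
    print(to_correlation_rule("auto_web_compromise", mined))
```

Raising `min_support` trades rule specificity for robustness against noisy sessions; the noise session here never reaches the threshold, so it contributes nothing to the generated rule.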