Improved situation assessment method based on hidden Markov model
Journal of Computer Applications 2017, Vol. 37 Issue (5): 1331-1334 DOI: 10.11772/j.issn.1001-9081.2017.05.1331

### Cite this article

LI Fangwei, LI Qi, ZHU Jiang. Improved method of situation assessment method based on hidden Markov model[J]. Journal of Computer Applications, 2017, 37(5): 1331-1334. DOI: 10.11772/j.issn.1001-9081.2017.05.1331.

Improved method of situation assessment method based on hidden Markov model
LI Fangwei, LI Qi, ZHU Jiang
Chongqing Key Laboratory of Mobile Communications Technology (Chongqing University of Posts and Telecommunications), Chongqing 400065, China
Abstract: Concerning the problem that the Hidden Markov Model (HMM) parameters are difficult to configure, an improved HMM-based situation assessment method was proposed to reflect the security of the network. The proposed method used the output of an intrusion detection system as input, classified the alarm events according to the Snort manual to obtain the observation sequence, established the HMM, used an improved Simulated Annealing (SA) algorithm combined with the Baum-Welch (BW) algorithm to optimize the HMM parameters, and applied quantitative analysis to obtain the security situation value of the network. The experimental results show that the proposed method improves both the accuracy and the convergence speed of the model.
Key words: network security; Hidden Markov Model (HMM); parameter optimization; Simulated Annealing (SA) algorithm; situation assessment
0 Introduction

Endsley [1] first proposed the concept of situation awareness, and Bass [2] applied it to the field of network security. In China, Chen Xiuzhen et al. [3] proposed a hierarchical network security situation assessment model that evaluates the security threat situation at three levels (the local network system, hosts and services) to reflect security dynamics; from the security dynamics curve an administrator can adjust the corresponding defensive strategy and improve system security. Li Weisheng et al. [4] built a Bayesian network assessment model from the latent relationship between the situation and security events, described the corresponding information propagation algorithm, and illustrated the Bayesian network computation with an example. Abroad, Rahnavard et al. [5] modelled the anomaly detection process of network services as a hidden Markov process, and tests on data showed that the model recognises network service anomalies well; Årnes et al. [6] proposed a network risk situation assessment method based on the Hidden Markov Model (HMM): the alarm sequence of an Intrusion Detection System (IDS) is modelled to obtain the probability of each host being in each security state, from which the security risk value of each host is derived, and these are summed to give the security risk value of the whole network. Each of the above studies has its own advantages for network security situation assessment, but they also have shortcomings: first, the size of the HMM observation matrix, and second, the configuration of the HMM parameters.

1 System model

1) State space of a host. Suppose a host has M distinct security states, written as the set $S=\{S_1, S_2, \dots, S_M\}$; $q_t$ denotes the state of the Markov chain at time t, so $q_t \in \{S_1, S_2, \dots, S_M\}$.

2) Observation values of the observation sequence. Suppose there are N kinds of alarm events; the set of observation values is $O=\{O_1, O_2, \dots, O_N\}$, $V_t$ denotes the value observed at time t, and $V_t \in \{O_1, O_2, \dots, O_N\}$.

3) Initial state distribution of a host. This gives the initial state of the host, written $\pi=(\pi_i)_{i=1,2,\dots,M}$, where $\pi_i = P(q_1 = S_i)$ $(1 \le i \le M)$ is the probability that the system is in state $S_i$ at the initial time.

4) State transition matrix of a host. This gives the probabilities of transitions between the different security states of a host, written $A=(a_{ij})_{M \times M}$, where $a_{ij} = P(q_{t+1} = S_j \mid q_t = S_i)$ $(i, j = 1, 2, \dots, M)$ is the probability that a system in state $S_i$ at time t moves to state $S_j$ at the next time step.

5) Observation probability matrix. This gives the probability of observing a given observation value when the system is in a given state, written $B=(b_{ik})_{M \times N}$, where $b_{ik} = P(V_t = O_k \mid q_t = S_i)$ $(1 \le i \le M,\ 1 \le k \le N)$ is the probability that observation $O_k$ appears when the system is in state $S_i$, independent of the observation time.

2 Improved algorithm for optimising the HMM parameters

2.1 Idea of the improvement

The parameter learning process of the forward-backward algorithm [10] repeatedly updates the HMM parameters so that $P(O \mid \lambda)$ is maximised, where $P(O \mid \lambda) = \sum\limits_{i=1}^{N} \alpha_t(i)\beta_t(i)$. The parameters are re-estimated as:

$\bar{\pi}_i = \gamma_1(i)$ (1)

$\bar{A}_{ij} = \frac{\sum\limits_{t=1}^{T-1} \varepsilon_t(i, j)}{\sum\limits_{t=1}^{T-1} \gamma_t(i)};\quad 1 \le i, j \le M$ (2)

$\bar{B}_{ik} = \frac{\sum\limits_{t=1,\ V_t = O_k}^{T} \gamma_t(i)}{\sum\limits_{t=1}^{T} \gamma_t(i)};\quad 1 \le i \le M,\ 1 \le k \le N$ (3)

2.2 Improvement of the simulated annealing algorithm

Initialization: initialise the model parameters π, A, B, the initial annealing temperature $T_0$, the temperature cooling coefficient k and the termination temperature $T_{\mathrm{end}}$.

2.3 Feasibility of the algorithm

2.4 Security situation quantification method

The probability $\gamma_t(i)$ that the host is in state $S_i$ at time t is given by:

$\gamma_t(i) = P(q_t = S_i \mid O, \lambda) = \frac{\alpha_t(i)\beta_t(i)}{P(O \mid \lambda)} = \frac{\alpha_t(i)\beta_t(i)}{\sum\limits_{i=1}^{N} \alpha_t(i)\beta_t(i)}$ (4)

$R = \sum\limits_{i=1}^{M} r_i c_i$ (5)

$R_{\mathrm{all}} = \sum\limits_{i=1}^{L} R_i$ (6)

Figure 1 Process diagram of the improved HMM situation assessment

3 Experimental results and data analysis

3.1 Data description

3.2 Sliding window

3.3 Parameter settings and optimisation

Section 2.4 fixed the 4 system states, the state set S = {1, 2, 3, 4}, corresponding to Good, Probed, Attacked and Compromised. In the experiment the number of Markov chain states is M = 4, the number of observation value types is N = 3, the observation sequence length is t = 20, and the initial parameters $\lambda_0 = \{\pi_0, A_0, B_0\}$ are set from expert experience as follows:

$\pi_0 = (0.7, 0.1, 0.1, 0.1)$

$A_0 = \left[ \begin{array}{cccc} 0.8 & 0.1 & 0.07 & 0.03 \\ 0.1 & 0.8 & 0.06 & 0.04 \\ 0.07 & 0.05 & 0.85 & 0.03 \\ 0.03 & 0.05 & 0.07 & 0.85 \end{array} \right]$

$B_0$ is set uniformly.

Figure 2 Parameter likelihood changes of different algorithms

$\pi' = (0, 0, 1, 0)$

$A' = \left[ \begin{array}{cccc} 0.6432 & 0.1897 & 0.1325 & 0.0346 \\ 0.0564 & 0.8128 & 0.1213 & 0.0095 \\ 0.0354 & 0.0265 & 0.8112 & 0.1269 \\ 0.0421 & 0.0339 & 0.0698 & 0.8542 \end{array} \right]$

$B' = \left[ \begin{array}{ccc} 0.8532 & 0.0921 & 0.0547 \\ 0.6732 & 0.2456 & 0.0812 \\ 0 & 0.7532 & 0.2468 \\ 0 & 0.3422 & 0.6578 \end{array} \right]$
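As an added worked example (not the paper's code), the following Python runs a scaled forward-backward recursion over the optimised parameters π′, A′, B′ above and carries out the quantification of Eqs. (4)-(6) from Section 2.4. Two assumptions are made because the paper's values are not in this text: $r_i$ in Eq. (5) is taken to be $\gamma_t(i)$, and the per-state costs $c_i$ (COST) are constructed.

```python
# Added example, not the paper's code. Parameters pi', A', B' are the optimised values
# reported in Section 3.3; the state costs COST are an assumption (not the paper's c_i).
PI = [0.0, 0.0, 1.0, 0.0]                      # pi': all initial mass on "Attacked"
A = [[0.6432, 0.1897, 0.1325, 0.0346],         # A' (rows/cols: Good, Probed, Attacked, Compromised)
     [0.0564, 0.8128, 0.1213, 0.0095],
     [0.0354, 0.0265, 0.8112, 0.1269],
     [0.0421, 0.0339, 0.0698, 0.8542]]
B = [[0.8532, 0.0921, 0.0547],                 # B' (columns: alarm classes O1, O2, O3)
     [0.6732, 0.2456, 0.0812],
     [0.0,    0.7532, 0.2468],
     [0.0,    0.3422, 0.6578]]
COST = [0.0, 0.2, 0.6, 1.0]                    # assumed c_i per state, used in Eq. (5)

def forward_backward(obs, pi=PI, a=A, b=B):
    """gamma[t][i] = P(q_t = S_i | O, lambda), Eq. (4), with per-step scaling to avoid underflow."""
    M, T = len(pi), len(obs)
    alpha, scale = [], []
    for t in range(T):
        if t == 0:
            row = [pi[i] * b[i][obs[0]] for i in range(M)]
        else:
            row = [sum(alpha[t-1][j] * a[j][i] for j in range(M)) * b[i][obs[t]] for i in range(M)]
        s = sum(row)
        if s == 0.0:   # e.g. O1 first: pi' sits on Attacked, whose P(O1) in B' is 0
            raise ValueError(f"observation prefix {obs[:t+1]} has zero probability under the model")
        alpha.append([x / s for x in row]); scale.append(s)
    beta = [[1.0] * M for _ in range(T)]
    for t in range(T - 2, -1, -1):
        beta[t] = [sum(a[i][j] * b[j][obs[t+1]] * beta[t+1][j] for j in range(M)) / scale[t+1]
                   for i in range(M)]
    gamma = []
    for t in range(T):
        g = [alpha[t][i] * beta[t][i] for i in range(M)]
        z = sum(g)
        gamma.append([x / z for x in g])
    return gamma

def host_risk(obs, cost=COST, **model):
    """R_t = sum_i gamma_t(i) c_i, i.e. Eq. (5) with r_i = gamma_t(i); one value per time step."""
    return [sum(g[i] * cost[i] for i in range(len(cost))) for g in forward_backward(obs, **model)]

def network_risk(host_sequences, cost=COST):
    """Eq. (6): at each time step, sum the risk of the L hosts."""
    curves = [host_risk(o, cost) for o in host_sequences]
    return [sum(c[t] for c in curves) for t in range(len(curves[0]))]

if __name__ == "__main__":
    seq = [1, 2, 2, 1]   # constructed alarm-class indices (0 = O1, 1 = O2, 2 = O3)
    print([round(r, 4) for r in host_risk(seq)])
```

Note that with π′ = (0, 0, 1, 0) and the zero entries in B′, any sequence whose first alarm is of class O1 has zero probability under the optimised model, which the code reports instead of dividing by zero.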

3.4 Analysis of experimental results

Figure 3 Security situation of the 3 hosts over 24 h

Figure 4 Host security situation prediction curve

Figure 5 Security situation of the network over 24 h

4 Conclusion

References

[1] ENDSLEY M R. Situation Awareness Global Assessment Technique (SAGAT)[C]//Proceedings of the IEEE 1988 National Aerospace and Electronics Conference. Piscataway, NJ: IEEE, 1988: 789-795.
[2] BASS T. Intrusion detection systems & multisensor data fusion: creating cyberspace situational awareness[J]. Communications of the ACM, 1999, 43(4): 99-105.
[3] CHEN X Z, ZHENG Q H, GUANG X H, et al. Quantitative hierarchical threat evaluation model for network security[J]. Journal of Software, 2006, 17(4): 885-897. (in Chinese)
[4] LI W S, WANG B S. Situation assessment based on Bayesian networks[J]. Systems Engineering and Electronics, 2003, 25(4): 480-483. (in Chinese)
[5] RAHNAVARD G, NAJJAR M S A, TAHERIFAR S. A method to evaluate Web services anomaly detection using hidden Markov models[C]//Proceedings of the 2010 International Conference on Computer Applications and Industrial Electronics. Piscataway, NJ: IEEE, 2010: 261-265.
[6] ÅRNES A, VALEUR F, VIGNA G, et al. Using hidden Markov models to evaluate the risks of intrusions[C]//Proceedings of the 9th International Conference on Recent Advances in Intrusion Detection. Berlin: Springer-Verlag, 2006: 145-164.
[7] DENG J L. Gray Prediction and Gray Decision[M]. Wuhan: Huazhong University of Science and Technology Press, 2002: 173-212. (in Chinese)
[8] BOX G E P, JENKINS G M, REINSEL G C. Time Series Analysis[M]. NJ: John Wiley & Sons, 2013: 137-191.
[9] DUGAD R, DESAI U B. A tutorial on hidden Markov models[J]. Proceedings of the IEEE: Applications in Speech Recognition, 2000, 77(2): 25-286.
[10] ZHOU D Q, ZHANG H F, ZHANG S W, et al. A DDoS attack detection method based on hidden Markov model[J]. Journal of Computer Research & Development, 2005, 42(9): 1594-1599. (in Chinese)
[11] JUANG B H, RABINER L R. A probabilistic distance measure for hidden Markov models[J]. AT & T Technical Journal, 1985, 64(2): 391-408.
[12] KANG L S, XIE Y, YOU S Y, et al. Non-numerical Parallel Algorithms: Simulated Annealing Algorithm[M]. Beijing: Science Press, 1994: 56-59. (in Chinese)
[13] ROESCH M, GREEN C. Snort users manual[EB/OL]. [2016-05-20]. http://manual.snort.org/snort_manual.htlm
[14] LI X F, YAO Y. Master and use Snort tools for intrusion detection[J]. Computer Applications and Software, 2006, 23(3): 123-124. (in Chinese)