网络与信息安全学报 (Oct 2021)
Using rule association to generate data collection policies
Abstract
Collecting security-related data from devices effectively is the foundation of analyzing network threats accurately. Existing data collection methods (full data collection, sampling-based data collection and adaptive data collection) do not consider the validity of the collected data or the correlation between data items, so they consume excessive collection resources and yield little useful data. To address this problem, a rule association method for generating collection policies was designed, taking into account the factors that affect collection costs and benefits (relationships between node attributes, network topology relationships, threat status, node resources and node similarity). In the method, two types of association rules (inter-node association rules and inter-event association rules) are used to generate candidate data collection items and narrow the scope of data collection. A multi-objective program is then formulated to maximize collection benefits and minimize collection costs, and a genetic algorithm is designed to solve it. The proposed method was compared with existing data collection methods. The experimental results show that the proposed method collects 1,000 to 3,000 fewer data records than the other methods per 12 hours, and that the validity of its collected data is about 4% to 10% higher, which demonstrates the effectiveness of the proposed method.
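The pipeline the abstract describes, as an added illustration that is not the paper's code: inter-event and inter-node association rules propose candidate (node, item) collection pairs, and a small genetic algorithm then picks the subset that maximizes collection benefit while keeping cost within a node's resource budget. The rules, items, costs, benefits and the weighted-sum scalarization of the two objectives are all constructed assumptions, not values from the paper.

```python
import random

# Constructed inter-event rules: once the antecedent event is seen on a node,
# the consequent data items become worth collecting there.
EVENT_RULES = {
    "failed_login": ["auth_log", "process_list"],
    "port_scan": ["netflow", "firewall_log"],
}
# Constructed inter-node rules: a threat on one node extends collection to
# similar / topologically related nodes.
NODE_RULES = {"web01": ["web02"]}
# Constructed per-item (cost in thousands of records per 12 h, validity benefit).
ITEMS = {
    "auth_log": (1.0, 0.9), "process_list": (2.5, 0.7),
    "netflow": (4.0, 0.8), "firewall_log": (1.5, 0.6), "syslog": (3.0, 0.3),
}

def candidates(observed):
    """observed: {node: [events]} -> sorted list of (node, item) to consider."""
    out = set()
    for node, events in observed.items():
        nodes = [node] + NODE_RULES.get(node, [])
        for ev in events:
            for item in EVENT_RULES.get(ev, []):
                out.update((n, item) for n in nodes)
    return sorted(out)

def fitness(mask, cands, budget, weight=0.2):
    """Weighted sum of the two objectives (benefit - weight*cost); over-budget plans get -inf."""
    chosen = [item for bit, (_, item) in zip(mask, cands) if bit]
    cost = sum(ITEMS[i][0] for i in chosen)
    benefit = sum(ITEMS[i][1] for i in chosen)
    return float("-inf") if cost > budget else benefit - weight * cost

def select_items(cands, budget, generations=60, pop_size=30, seed=1):
    """Bit-mask GA with elitism; returns the chosen (node, item) pairs."""
    rng, n = random.Random(seed), len(cands)
    # Seed the population with every single-item plan so a feasible plan exists from the start.
    pop = [[int(i == j) for j in range(n)] for i in range(n)]
    pop += [[rng.randint(0, 1) for _ in range(n)] for _ in range(pop_size - n)]
    for _ in range(generations):
        pop.sort(key=lambda m: fitness(m, cands, budget), reverse=True)
        nxt = pop[:2]                      # elitism: the two best plans survive unchanged
        while len(nxt) < pop_size:
            a, b = rng.sample(pop[:10], 2)  # truncation selection from the top plans
            cut = rng.randint(1, max(1, n - 1))
            child = a[:cut] + b[cut:]       # one-point crossover
            if rng.random() < 0.2:          # bit-flip mutation
                child[rng.randrange(n)] ^= 1
            nxt.append(child)
        pop = nxt
    best = max(pop, key=lambda m: fitness(m, cands, budget))
    return [c for bit, c in zip(best, cands) if bit]
```

Because single-item plans seed the population and elitism never discards the best plan, the returned plan is always feasible and at least as good as the best single item; the budget here plays the role of the node resource constraint in the abstract.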