Abstract
The alert flood produced by current intrusion detection systems often overwhelms administrators and greatly reduces the effectiveness of the IDS. Correlation analysis of the raw alerts can extract the effective attack events from a large number of alerts and reveal the attacker's real intention, which is of great importance to large-scale distributed intrusion detection systems. This paper analyzes the merits and shortcomings of existing alert correlation algorithms and proposes an alert correlation algorithm based on an address correlation graph (ACG). The algorithm uses the ACG model to analyze the raw alerts of a distributed IDS, obtaining the relations and ordering between different attacks, and from them the attacker's attack path, which is then used to infer the attacker's intention. Because the algorithm requires neither a predefined correlation knowledge base nor prior training of a correlation model, it is easy to implement.
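The abstract does not spell out the ACG model, so the following is an added illustration (not the paper's code) of the core idea as a defender would prototype it: hosts become graph nodes, each alert is a directed src -> dst edge, and attack paths are read off by following edges where a victim later turns up as a source. The alert records, the time window and the chaining rules are assumptions made for this example.

```python
from collections import defaultdict
from dataclasses import dataclass

@dataclass(frozen=True)
class Alert:
    ts: int      # seconds since some epoch (constructed values)
    src: str
    dst: str
    sig: str

# Constructed sample alerts (not taken from the paper): a scan and an exploit
# against one host, a pivot from that host deeper into the LAN, plus one
# unrelated scan that should stay a single-step event.
ALERTS = [
    Alert(100, "10.0.0.5", "192.168.1.10", "portscan"),
    Alert(140, "10.0.0.5", "192.168.1.10", "exploit-attempt"),
    Alert(200, "192.168.1.10", "192.168.1.20", "smb-bruteforce"),
    Alert(250, "192.168.1.20", "192.168.1.30", "lateral-login"),
    Alert(90, "172.16.0.9", "192.168.1.99", "portscan"),
]

def build_acg(alerts):
    """Address correlation graph: nodes are addresses, every alert is a directed
    edge src -> dst; the out-edges of each node are kept in time order."""
    acg = defaultdict(list)
    for a in sorted(alerts, key=lambda a: a.ts):
        acg[a.src].append(a)
    return acg

def successors(acg, a, window):
    """Next step after alert `a` (assumed rule): the next later alert on the same
    (src, dst) pair if any, otherwise alerts where the victim `a.dst` becomes the
    source no more than `window` seconds later."""
    same_pair = [b for b in acg.get(a.src, []) if b.dst == a.dst and b.ts > a.ts]
    if same_pair:
        return same_pair[:1]
    return [b for b in acg.get(a.dst, []) if a.ts < b.ts <= a.ts + window]

def attack_paths(alerts, window=120):
    """Walk the ACG from addresses that never appear as a victim and return every
    maximal alert chain as a list of (src, dst, signature) steps."""
    acg = build_acg(alerts)
    victims = {a.dst for a in alerts}
    paths = []
    def walk(a, path, seen):
        # refuse to revisit a host so a scan back toward the attacker cannot loop
        nxt = [b for b in successors(acg, a, window) if b.dst == a.dst or b.dst not in seen]
        if not nxt:
            paths.append([(s.src, s.dst, s.sig) for s in path])
        for b in nxt:
            walk(b, path + [b], seen | {b.dst})
    for src, edges in list(acg.items()):
        if src in victims:
            continue
        first_per_dst = {}
        for a in edges:
            first_per_dst.setdefault(a.dst, a)   # start one chain per target
        for a in first_per_dst.values():
            walk(a, [a], {a.src, a.dst})
    return paths
```

With the sample alerts, `attack_paths(ALERTS)` yields the isolated scan as a one-step path and the four-step chain 10.0.0.5 -> 192.168.1.10 -> 192.168.1.20 -> 192.168.1.30; shrinking the window to 30 seconds breaks the chain at the pivot.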
Source
Journal of Dalian University of Technology (大连理工大学学报)
EI
CAS
CSCD
Peking University Core Journal
2005, Supplement 1 (z1), pp. 126-131 (6 pages)
Journal of Dalian University of Technology
Funding
National Natural Science Foundation of China (60203004)
National High-Tech Research and Development Program of China (863 Program) (2003AA142080)