Abstract
The widespread deployment of intrusion detection systems produces large streams of alert messages. These alerts are essentially detections of low-level attack steps and carry a high false-alert rate, and distributed attacks of various kinds further increase the complexity of the alert stream. This paper introduces the underlying reasons for alert correlation analysis and its basic concepts, and then proposes a hierarchical model for intelligent intrusion detection alert correlation. The model forms a hierarchy that moves from false-alert verification and suppression, to one alert per attack, and finally to one scenario description per attack process. At each successive level the defender's view of the attack becomes clearer, giving response measures a more precise basis for decision making and further improving the intelligence and usability of the intrusion detection system as a whole.
As intrusion detection systems are widely used by practitioners, they produce a great deal of alert information that merely indicates low-level attack steps and may contain many false reports. Furthermore, various distributed network attacks increase the complexity of the intrusion detection system's alert information flows. This paper studies the basic reasons for intrusion alert correlation and proposes an intelligent intrusion detection alert correlation hierarchy model, which implements a hierarchy of alert verification and suppression, correlation of attack alerts into one attack, and correspondence of a macro alert with an attack scenario. At the different levels of the hierarchy, the defender acquires more detail about the attackers, so that defensive response decisions can be more accurate. The results of this research can improve the intelligence and usability of all kinds of intrusion detection systems.
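The three-level hierarchy described in the abstract, as an added illustration that is not code from the paper: layer 1 verifies alerts against an asset inventory and suppresses those that cannot apply to the target, layer 2 folds repeated alerts of one attack into a single attack record, and layer 3 chains the attacks from one source against one target into a scenario. The sample alerts, the asset inventory and the attack-step ordering are constructed for the example.

```python
# Added example, not from the paper: a minimal three-layer alert correlation
# pipeline following the hierarchy the abstract describes.
from collections import defaultdict

# Constructed sample alerts: (timestamp, src, dst, signature, target_service)
ALERTS = [
    (1, "10.0.0.5", "10.0.0.9", "port_scan", None),
    (2, "10.0.0.5", "10.0.0.9", "port_scan", None),
    (3, "10.0.0.5", "10.0.0.9", "port_scan", None),
    (5, "10.0.0.5", "10.0.0.9", "iis_overflow", "iis"),  # host runs no IIS
    (6, "10.0.0.5", "10.0.0.9", "apache_overflow", "apache"),
    (9, "10.0.0.5", "10.0.0.9", "reverse_shell", None),
    (4, "10.0.0.7", "10.0.0.9", "port_scan", None),
]
# Constructed asset inventory: services actually running on each host.
ASSETS = {"10.0.0.9": {"apache", "ssh"}}
# Assumed attack-step ordering used to chain a multi-step attack process.
STEP_ORDER = {"port_scan": 1, "apache_overflow": 2, "reverse_shell": 3}


def verify(alerts, assets):
    """Layer 1: drop alerts whose target service does not exist on the host."""
    return [a for a in alerts
            if a[4] is None or a[4] in assets.get(a[2], set())]


def aggregate(alerts):
    """Layer 2: fold repeated alerts of one attack into a single record."""
    merged = {}
    for ts, src, dst, sig, _ in sorted(alerts, key=lambda a: a[0]):
        rec = merged.setdefault((src, dst, sig), {"src": src, "dst": dst,
                                "sig": sig, "first": ts, "last": ts, "count": 0})
        rec["count"] += 1
        rec["last"] = ts
    return list(merged.values())


def build_scenarios(attacks, order):
    """Layer 3: chain attacks from one source against one target, ordered
    by attack step, into one scenario per (src, dst) pair."""
    by_pair = defaultdict(list)
    for atk in attacks:
        if atk["sig"] in order:
            by_pair[(atk["src"], atk["dst"])].append(atk)
    return [{"pair": pair,
             "steps": [s["sig"] for s in
                       sorted(steps, key=lambda s: (order[s["sig"]], s["first"]))]}
            for pair, steps in by_pair.items()]


def correlate(alerts):
    """Full hierarchy: suppress false alerts -> one attack, one alert -> scenario."""
    return build_scenarios(aggregate(verify(alerts, ASSETS)), STEP_ORDER)
```

On the constructed data the scan burst collapses to one attack record, the IIS alert is suppressed because the host runs no IIS, and the remaining steps from 10.0.0.5 form a single three-step scenario.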
Source
Microcomputer Applications (微型电脑应用)
2011, No. 8, pp. 36-38, 73 (4 pages)
Funding
Supported by a key project of the 2011 Shanghai Postdoctoral Scientific Research Program (project no. 11R21421700)
Keywords
Intrusion Detection
Alert Correlation Analysis
Intelligent Model
Hierarchy Model