摘要
通常误用检测所定义之攻击特征仅限于单一信息,而经由单一信息所产生的警报,由于针对某些攻击无法精确做出判断,所以误报比例相对较高。在文中,针对误用网络型入侵检测系统建立一个警报过滤机制,该机制找出攻击成功时所需具备的环境条件。当入侵检测系统发现可疑入侵时,依据环境条件加以实时确认查核。根据这些环境异质信息,可明显减少误报的发生,并且不至于将重要的警报给删除。实验结果证明,所提出之过滤机制可以有效地减少误报,同时不影响检测率。
In intrusion detection systems adopting misuse detection methods,the attack signatures are mostly characterized with information from single data source.Without utilizing other available information,the accuracy of judgment made in generating alarm may not be satisfactory.This paper proposes an alarm filtering scheme to improve the efficiency of misuse-type network intrusion detection system.Through careful analysis,a preliminarily recognized attack threat can be verified against envrionment information in determining if an attack may really succeed before it is reported.The proposed scheme has been implemented.Experiment result shows,with the environment information,the occurrences of false alarm are obviously reduced and none of the real alarms are among those non-reported ones.
出处
《计算机工程与应用》
CSCD
北大核心
2005年第17期143-146,155,共5页
Computer Engineering and Applications
基金
国家网络与信息安全保障持续发展计划(编号:2004-研1-917-C-017)
关键词
入侵检测
误用检测
减少误报
报警过滤
环境信息
intrusion detection,misuse detection,false alarm reduction,alarm filtering,environment information
