摘要
告警关联技术是入侵检测领域中一个新的发展方向,它对解决目前入侵检测系统存在的告警数量大、告警信息含量少、虚警数量大等问题具有十分重要的意义。文章介绍了在我们设计开发的分布式协同入侵检测系统(DACIDS)中通过对入侵行为模式的匹配而进行告警关联的方法。入侵行为模式是定义在时间基础上的一组谓词公式,其实质是通过时间限制联系在一起的入侵事件的集合。该方法在对大量告警进行关联的同时,对虚警的处理尤为有效。
The technology of alerts correlation is a new trend for intrusion detection. It is very useful to solve problems, such as alarm overload, poorness of the alarms semantics and false negatives, in current intrusion detection system. In this paper, we propose to use intrusion action pattern to correlate alerts in our Distributed Active Collaboration Intrusion Detection System (DACIDS). Intrusion action pattern are sets of propositions related on times. In other words, it' s a set of events, linked together by time constraints. Our method has been proved to address the problems coneemed.
出处
《微电子学与计算机》
CSCD
北大核心
2005年第7期103-106,共4页
Microelectronics & Computer
关键词
入侵检测
告警关联
入侵行为模式
Intrusion Detection System (IDS), Alert correlation, Intrusion Action Pattern (IAP)
