摘要
如何从IDS等安全产品每天产生的海量告警和日志中挖掘出有价值的信息,帮助管理员找到那些真正具有威胁的攻击,然后采取措施,有效地保护系统安全,这是入侵检测系统急待解决的问题。本文利用搜索树可以减少搜索空间和覆盖向量的特点提出了基于搜索树的高效告警聚类算法;考虑到把新来的告警事件归类到先前通过聚类得到的类中,让其与其他的告警事件可以关联起来,提出了基于贝叶斯事件分类器的告警分类方法。最后使用KDDCup1999Data的数据进行了性能测试。实验测试结果表明,此算法和方法是快速有效的。在原型系统“多信息源智能化安全强审计系统”中的实际应用也展现了其良好的应用前景。
How to effectively find out valuable abnormal behaviors from the numerous alarms and logs produced by all kinds of security products everyday, all of them must be analyzed and the true and non-redundant information should be extracted, which is helpful to find the real problem and then correcting actions can be taken to protect the safety of systern. This is one of the biggest challenges which IDS is facing. In this paper, taking into account search tree which can decrease searching space and overlay vector, an alert clustering algorithm based on search tree is presented. So as to classify new alert and can have correlation with other alert, an alert classified method based on Bayesian classifier is emphatically proposed. At last, KDD Cup 1999 Data is used to evaluate the performance of algorithm, and the experiment results show the high efficiency of the algorithm. The applications of them to Multi-information-source intelligential security auditing system indicate that they will have a good future for implementation.
出处
《计算机科学》
CSCD
北大核心
2006年第8期190-194,共5页
Computer Science
基金
国家863"网络安全管理和预警防御系统"(2002AA142030)
"多信息源智能化安全强审计系统"(2003AA148020)资助
"可信计算系统平台"(2005AA142030)资助
关键词
告警关联
贝叶斯分类器
搜索树算法
聚类
Alert correlation, Bayesian classifier, Search tree algorithm, Clustering
