摘要
为过滤入侵检测系统报警数据中的误报警,根据报警的根源性和时间性总结出了区分真报警和误报警的19个相关属性,并提出了一种基于粗糙集-支持向量机理论的过滤误报警的方法。该方法首先采用粗糙集理论去除相关属性中的冗余属性,然后将具有约简后的10个属性的报警数据集上的误报警过滤问题转化为分类问题,采用支持向量机理论构造分类器以过滤误报警。实验采用由网络入侵检测器Snort监控美国国防部高级研究计划局1999年入侵评测数据(DARPA99)产生的报警数据,结果表明提出的方法在漏报警约增加1.6%的代价下,可过滤掉约98%的误报警。该结果优于文献中使用相同数据、相同入侵检测系统的其它方法的结果。
To filter false positive alerts generated by Intrusion Detection Systems (IDS), 19 related attributes for distinguishing false positive alerts from true alerts are summarized according to the root and timeliness of intrusion alerts, and an approach to filter these false positive alerts based on RS-SVM (Rough Set and Support Vector Machine) theory is proposed. First, redundant attributes are removed and 10 attributes are obtained utilizing rough set theory in the proposed approach. Then the problem of filtering false positive alerts on the dataset with those 10 attributes is transformed to classification problem, and the classifier is constructed using support vector machine theory. The experimental data is the alert dataset raised by Snort, a network intrusion detection system, monitoring the Defense Advanced Research Projects Agency 1999 intrusion evaluation data (DARPA99). The experimental results show that the proposed approach can reduce about 98% false positive alerts at the cost of increasing about 1.6% false negative alerts. The results of this method are better than those of the other methods that adopt the same dataset and same IDS reported in the literature.
出处
《电子与信息学报》
EI
CSCD
北大核心
2007年第12期3011-3014,共4页
Journal of Electronics & Information Technology
基金
国家863计划项目(2004AA1Z2280)
国家973发展规划项目(2001CB309403)资助课题
关键词
入侵检测
误报警
漏报警
粗糙集
支持向量机
Intrusion detection
False positive alert
False negative alert
Rough Set (RS)
Support Vector Machine
