网络入侵检测系统中的警报聚类

Alarm clustering for intrusion detection systems in network

到目前为止,网络管理员对入侵检测系统(IDS)所产生的警报还是以在辅助工具下的手工操作进行整理,从而得到一个高级别的攻击描述。为了有效融合多种入侵检测系统报警信息,提高警告的准确性,警报聚类自动分析工具被建议使用来产生高级别的攻击描述。除此之外,警报聚类自动分析工具还可以有效地分析威胁,融合不同的信息源,例如来自于不同IDS中的信息源。该文提出了新的警报聚类系统,以便把来自于多种IDS所产生的警报进行警报聚类,产生攻击描述。实验结果表明,通过警报聚类模块有效地总结攻击可以产生高级别的警报,并大幅度地减少了要提交给管理员的警报数量。此外,以这些高级别警报为基础还可以进一步地进行威胁分析。

Until recently,network administrators manually arranged alarms produced by intrusion detection systems （IDS） to attain a high-level description. For fusing multi-kinds of IDS alerts can effectively improve warning veracity,automatic tools for alarm clustering have been proposed to provide such a high-level description of the attack scenarios. In addition,it has been shown that effective threat analysis requires the fusion of different sources of information,such as different IDS. This paper proposes a new alarm clustering system to perform alarm clustering which produces unified descriptions of attacks from alarms produced by multiple IDS. Experimental results show that the high-level alarms produced by the alarm clustering module effectively summarize the attacks,drastically reducing the volume of alarms presented to the administrator. In addition,these high-level alarms can be used as the base to perform further higher-level threat analysis.