Title (Chinese, translated): Adaptive Alert Correlation Based on Pattern Mining and Clustering Analysis (cited by: 20)

Title (English): An Adaptive Alert Correlation Method Based on Pattern Mining and Clustering Analysis
Abstract (translated from the Chinese): Most attack events do not occur in isolation; they are related to one another, for example by redundancy or by causality. Most intrusion detection systems ignore these relationships and consequently suffer from high false-positive rates. After analysing and comparing the strengths and weaknesses of several currently popular alert correlation methods, this paper proposes A3PC, an adaptive alert correlation model based on pattern mining and clustering analysis. Centred on the concept of alert behaviour patterns, A3PC brings the idea of anomaly detection to the alert correlation problem: it extracts association rules and sequential patterns to build an alert classification model that automatically identifies false positives, and it combines pattern mining with clustering algorithms in a semi-automatic, human-in-the-loop processing mode to produce a truthful, effective and condensed alert view for administrators. Tests on the DARPA intrusion detection attack scenario dataset provided by the MIT Lincoln Laboratory show that A3PC outperforms traditional methods in correlation accuracy, real-time performance and adaptivity.

Abstract (authors' English): Multi-step attack is one of the primary forms of current attacks. There are relationships among the steps of an attack, such as redundancy relationships and causality relationships, but the relationships among security events are often ignored by current intrusion detection systems (IDS), and an important problem in the field of IDS is the large volume of false positives, which tends to overwhelm human operators. On the basis of analysing the evolution and drawbacks of current alert correlation systems, a self-adaptive alert correlation method, A3PC, is presented, based on anomaly detection ideas and centred on the concept of behaviour patterns formed by alerts. The alert classification model is created by extracting association rules and sequential patterns in order to automatically discriminate false alerts. At the same time, an effective and condensed alert view for administrators can be shaped by combining pattern mining with clustering analysis and by a semi-automatic, interactive processing approach. The accuracy of the intrusion detection system is thus enhanced. The DARPA intrusion scenario dataset from MIT Lincoln Laboratory is used to evaluate the function and performance of A3PC. The experimental results indicate that A3PC is superior to traditional methods in accuracy, real-time performance and adaptivity.
Source: Journal of Computer Research and Development (《计算机研究与发展》), 2009, No. 8, pp. 1304-1315 (12 pages). Indexed in EI and CSCD; Peking University core journal list.
Funding: National High Technology Research and Development Program of China (863 Program) project 2009AA012437; Ministry of Education Higher Education Postdoctoral Science Fund project 20070410640.
Keywords: intrusion detection; alert correlation; pattern mining; clustering analysis; false positive rate
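The abstract names three ingredients (clustering redundant alerts, mining frequent behaviour patterns to build a classification model, and treating alerts that do not fit the learned patterns as the ones worth an administrator's attention) but, being an abstract, shows none of them. The following is an added illustration written for this page, not the authors' A3PC code and not its algorithms in detail: it merges redundant alerts into meta-alerts, mines frequent signatures and ordered signature bigrams (a minimal form of sequential pattern) from a baseline period assumed to be attack-free, and then classifies each (source, destination) session as a probable false positive only when every signature and every transition in it is explained by the baseline. All alerts, hosts and signature names are constructed for the example; the window and support thresholds are arbitrary choices.

```python
"""Alert correlation sketch: redundancy clustering, frequent-pattern mining on a
benign baseline, and false-positive discrimination by behaviour pattern.
Added illustration only; NOT the A3PC implementation from the paper."""
from collections import Counter, defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class Alert:
    ts: int     # seconds (constructed values)
    src: str
    dst: str
    sig: str    # IDS signature name


def cluster_redundant(alerts, window=60):
    """Redundancy relationship: alerts with identical (src, dst, sig) within
    `window` seconds of a cluster's first alert merge into one meta-alert.
    Returns [first_alert, count] pairs in time order."""
    clusters, open_by_key = [], {}
    for a in sorted(alerts, key=lambda a: a.ts):
        key = (a.src, a.dst, a.sig)
        c = open_by_key.get(key)
        if c is not None and a.ts - c[0].ts <= window:
            c[1] += 1
        else:
            c = [a, 1]
            clusters.append(c)
            open_by_key[key] = c
    return clusters


def sessions(meta):
    """Group meta-alerts by (src, dst) into time-ordered lists; each list is
    one behaviour whose signature sequence is mined or classified."""
    by_pair = defaultdict(list)
    for m in sorted(meta, key=lambda m: m[0].ts):
        by_pair[(m[0].src, m[0].dst)].append(m)
    return by_pair


def mine_patterns(meta, min_support):
    """Classification model from a baseline assumed attack-free: signatures and
    ordered signature bigrams seen in >= min_support distinct sessions."""
    item_sup, bigram_sup = Counter(), Counter()
    for seq in sessions(meta).values():
        sigs = [m[0].sig for m in seq]
        item_sup.update(set(sigs))
        bigram_sup.update({(sigs[i], sigs[i + 1]) for i in range(len(sigs) - 1)})
    return {"items": {s for s, n in item_sup.items() if n >= min_support},
            "bigrams": {b for b, n in bigram_sup.items() if n >= min_support}}


def classify(meta, model):
    """Anomaly-detection view: a session whose every signature and transition
    matches the baseline is a probable false positive; anything else is kept
    whole (scan + exploit + response together) for review.
    Returns (likely_false_positive, needs_review) lists of meta-alerts."""
    fp, review = [], []
    for seq in sessions(meta).values():
        sigs = [m[0].sig for m in seq]
        explained = all(s in model["items"] for s in sigs) and all(
            (sigs[i], sigs[i + 1]) in model["bigrams"] for i in range(len(sigs) - 1))
        (fp if explained else review).extend(seq)
    return fp, review


def admin_view(review):
    """Condensed administrator view: one line per meta-alert with its count."""
    return [f"t={m[0].ts} {m[0].src} -> {m[0].dst} {m[0].sig} x{m[1]}"
            for m in sorted(review, key=lambda m: m[0].ts)]


def baseline_alerts():
    """Constructed benign-period alerts: a monitoring host pinging and
    SNMP-polling five servers, and a load balancer tripping an HTTP rule."""
    alerts = []
    for i in range(5):
        host, base = f"10.0.1.{i + 1}", 100 + i * 300
        alerts.append(Alert(base, "10.0.0.5", host, "ICMP PING NMAP"))
        alerts.append(Alert(base + 5, "10.0.0.5", host, "SNMP request"))
    alerts += [Alert(1000 + 2 * i, "10.0.0.7", "10.0.1.10",
                     "HTTP_INSPECT OVERSIZE REQUEST") for i in range(20)]
    return alerts


def new_alerts():
    """Constructed live alerts: the same monitoring noise plus a three-step
    attack (scan, path traversal, command execution) from an external host."""
    return [Alert(5000, "10.0.0.5", "10.0.1.3", "ICMP PING NMAP"),
            Alert(5005, "10.0.0.5", "10.0.1.3", "SNMP request"),
            Alert(5100, "203.0.113.9", "10.0.1.10", "ICMP PING NMAP"),
            Alert(5130, "203.0.113.9", "10.0.1.10", "WEB-MISC /etc/passwd access"),
            Alert(5131, "203.0.113.9", "10.0.1.10", "WEB-MISC /etc/passwd access"),
            Alert(5190, "203.0.113.9", "10.0.1.10", "ATTACK-RESPONSES id check returned root")]


if __name__ == "__main__":
    model = mine_patterns(cluster_redundant(baseline_alerts()), min_support=3)
    fp, review = classify(cluster_redundant(new_alerts()), model)
    print(f"{len(fp)} meta-alerts suppressed as probable false positives")
    print("\n".join(admin_view(review)))
```

On this input the twenty load-balancer alerts collapse to one meta-alert, the monitoring host's ping-then-SNMP sequence becomes the only learned pattern, and the attacker's session is kept intact for review because its second signature is unknown to the baseline, even though its first step (the Nmap ping) is individually a frequent, "benign" signature. Two caveats a practitioner should carry over from this toy: the model is only as clean as the baseline, so any attack present during baseline collection is learned as normal, which is where the paper's semi-automatic, analyst-confirmed step matters; and grouping purely by (src, dst) with no time gap ignores that the same pair can carry unrelated activity hours apart, so a production version needs session timeouts and a support threshold tuned per sensor.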