安全报警关联技术研究

Security Alert Correlation:A Survey

安全报警关联技术是近年来安全领域中的热点之一,它能够有效地解决目前困扰安全管理者的海量报警以及误报、漏报报警等问题。近年来该领域出现了大量有价值的研究成果,但已有工作大多集中在个别子领域,整个领域的发展并不均衡。对这一技术的研究现状进行了综述,介绍了其处理过程及体系结构,重点总结比较了报警聚类及融合、攻击场景重建和攻击意图识别这3个关键阶段的已有算法,之后又总结评述了目前报警关联的主要应用、技术难点及现有解决方案,最后对该领域面临的问题加以分析,并展望了未来方向。

Alert correlation is a new promising technology and has drawn more and more attentions in recent years. It can efficiently solve many problems bothering security managers now, such as high false positives （i. e. alerts mistakenly triggered by benign events） , high false negatives （i. e. intrusions mistakenly missed by security mechanisms） , and large amounts of alerts created by security products per day. In the past several years, a lot of vulnerable researches were done in this field,but most of them only focused on few issues. And there are still many challenging problems that have not been addressed wcll,or even not been touched. Researchers of this field need put more efforts into them in the future.This paper gave an overview of the research progress in this area. Firstly, we introduced the common process and the popular architectures of current alert correlation systems. hhen we summarized and compared the main algorithms of three key phases （i. e. alert aggregation and fusing, attack scenarios constructing, and attack plan recognition） in the common process. After these, the main applications of this technology were introduced, and the difficulties and corresponding methods were summarized. At the end of this paper, we analyzed the shortages of current work and the possible new directions in this field.