基于场景重构和报警融合的异常数据分析

本文提出了一种包含报警标准化、去冗余、场景重构和报警融合的异常数据分析方法 ,通过去除攻击失败的报警,减少了对场景重构的干扰。在场景重构中,通过反向关联,减少了不必要的报警,同时通过对孤立报警的补充,保证了场景图的完整性。在报警融合中,提出了融合同一攻击步骤的不同报警的方法,以抽象层和具体层两个层次重构入侵场景。最后通过实验验证了所提出方法的有效性。

This paper proposes an abnormal data analysis method which contains alarm standardization, eliminating redundancy, scene reconstruction and alarm fusion . The interference of scene reconstruction is reduced by removing the alarm of failed attacks. In the reconstruction of the scene, through reverse link, reduced the unnecessary evidence, at the same time through the addition to the isolated alarm, to ensure the integrity of the scene graph .Herein, to reconstruct intrusion scenario in abstract and concrete layer, we also developed different alerting methods based fusion of the same attack steps in the alarm fusion. Finally the effectiveness of the proposed method is verified by experiment.