Abstract
When detecting network security threat incidents, the various security devices involved generate large volumes of redundant alarm information, which leads to a high false alarm rate and a low degree of aggregation after logs are merged, making log analysis difficult. To address this problem, an improved clustering algorithm with an adaptive time threshold interval is proposed. By defining aggregation rules and a middle log, and dynamically updating the interval threshold held in the middle log, the algorithm aggregates multi-source logs. Experimental results show that the algorithm's aggregation time threshold interval is much closer to the real attack time interval, that it aggregates and analyzes multi-source logs accurately, and that it effectively reduces the number of alarm log entries while improving the aggregation degree and accuracy of the logs.
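The abstract describes the idea only at a high level, so the following is an added illustrative example, not the paper's own algorithm or code. It assumes a concrete form for each piece the abstract names: the aggregation rule groups alerts by (source IP, destination IP, event type); the "middle log" is the open aggregate for each group, holding its count, sources and current interval threshold; and the threshold adapts as an exponential moving average of the inter-arrival gaps observed inside a burst, clamped to an assumed range. The alert lines, device names, addresses and all constants are constructed for the example.

```python
"""Adaptive time-threshold alert aggregation (illustrative, not the paper's code).

Assumptions made here, not stated in the paper:
  - aggregation key  = (src_ip, dst_ip, event)
  - middle log       = the open aggregate per key (count, sources, threshold)
  - threshold update = EMA of observed intra-burst gaps, clamped to [MIN_GAP, MAX_GAP]
"""
from dataclasses import dataclass, field
from datetime import datetime
from typing import Dict, List, Set, Tuple

MIN_GAP = 1.0       # seconds: floor for the adaptive threshold (assumed)
MAX_GAP = 300.0     # seconds: ceiling for the adaptive threshold (assumed)
INITIAL_GAP = 60.0  # seconds: threshold used before any gap is observed (assumed)
ALPHA = 0.5         # EMA weight given to the newest observed gap (assumed)

Key = Tuple[str, str, str]


@dataclass
class MiddleLog:
    """One aggregated entry: the 'middle log' for a single aggregation key."""
    key: Key
    first_seen: datetime
    last_seen: datetime
    count: int = 1
    sources: Set[str] = field(default_factory=set)
    threshold: float = INITIAL_GAP


def parse_alert(line: str):
    """Parse a constructed alert line: '<ISO timestamp> <device> <src_ip> <dst_ip> <event>'."""
    ts, device, src, dst, event = line.split(maxsplit=4)
    return datetime.fromisoformat(ts), device, (src, dst, event)


def aggregate(lines: List[str]) -> List[MiddleLog]:
    """Merge alerts from several devices into middle-log entries using an adaptive gap threshold."""
    parsed = sorted((parse_alert(l) for l in lines), key=lambda p: p[0])
    open_entries: Dict[Key, MiddleLog] = {}
    closed: List[MiddleLog] = []

    for ts, device, key in parsed:
        entry = open_entries.get(key)
        if entry is None:
            open_entries[key] = MiddleLog(key, ts, ts, sources={device})
            continue

        gap = (ts - entry.last_seen).total_seconds()
        if gap <= entry.threshold:
            # Same burst: merge into the open entry and let the threshold
            # move toward the gaps this key actually exhibits.
            entry.count += 1
            entry.last_seen = ts
            entry.sources.add(device)
            new_threshold = ALPHA * gap + (1.0 - ALPHA) * entry.threshold
            entry.threshold = min(MAX_GAP, max(MIN_GAP, new_threshold))
        else:
            # Gap too large: close the current aggregate and open a new one,
            # keeping the learned threshold for this key.
            closed.append(entry)
            open_entries[key] = MiddleLog(key, ts, ts, sources={device},
                                          threshold=entry.threshold)

    closed.extend(open_entries.values())
    return sorted(closed, key=lambda e: e.first_seen)


# Constructed sample input: two devices reporting the same activity, plus a
# repeat of the first key twenty minutes later that should not be merged.
SAMPLE_ALERTS = [
    "2017-03-01T10:00:00 fw01  10.0.0.5 10.0.0.20 port-scan",
    "2017-03-01T10:00:02 ids01 10.0.0.5 10.0.0.20 port-scan",
    "2017-03-01T10:00:03 fw01  10.0.0.5 10.0.0.20 port-scan",
    "2017-03-01T10:00:05 ids01 10.0.0.5 10.0.0.20 port-scan",
    "2017-03-01T10:20:00 fw01  10.0.0.5 10.0.0.20 port-scan",
    "2017-03-01T10:00:01 fw01  10.0.0.7 10.0.0.21 brute-force",
    "2017-03-01T10:00:30 ids01 10.0.0.7 10.0.0.21 brute-force",
]

if __name__ == "__main__":
    for e in aggregate(SAMPLE_ALERTS):
        print(e.first_seen.isoformat(), e.key, "count=%d" % e.count,
              "sources=%s" % sorted(e.sources), "threshold=%.1fs" % e.threshold)
```

Run as a script it reduces the seven sample alerts to three entries: the port-scan burst (four alerts from both devices, threshold shrunk from 60 s to 9 s), the brute-force pair, and the later port-scan repeat kept separate because its 20-minute gap exceeds the learned threshold. The clamp range matters in practice: without a floor, a burst of near-simultaneous alerts would drive the threshold toward zero and split one incident into many entries.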
Source
Computer Engineering and Design (《计算机工程与设计》)
Peking University core journal (北大核心)
2017, No. 7, pp. 1702-1708 (7 pages)
Funding
Civil Aviation Administration of China Science and Technology Fund projects (MHRD20140205, MHRD20150233)
Fundamental Research Funds for the Central Universities, Civil Aviation University of China Special Fund projects (3122013Z008, 3122013C004, 3122015D025)
Civil Aviation University of China Scientific Research Start-up Fund project (2013QD24X)
Keywords
network security
multi-source log
aggregation rules
adaptive interval threshold value
log aggregation