
Alert Processing Method Based on Hierarchical Clustering (基于层次聚类的警报处理方法; cited by 2)
Abstract: Intrusion detection systems commonly produce redundant alerts, which hinders the judgment of attack types. This paper proposes an alert processing method based on improved hierarchical clustering that reduces redundant alerts and improves the accuracy of attack type detection. Building on hierarchical clustering, the method uses alert content as the sole clustering attribute, adds the proportion of effective alerts, supported by prior knowledge, as the criterion for selecting the clustering threshold, and improves on the conventional practice of directly discarding classes above the threshold: a cosine similarity algorithm computes a representative alert for each class above the threshold, so that useful alerts are not thrown away. After clustering with a suitable threshold, the deduplicated and clustered alerts within the time window are displayed in time-axis order so that the attacker's attack type can be determined quickly. Experimental results show that the improved clustering method has a better redundancy-removal effect.
Authors: WU Yi-fan (吴祎凡), CUI Yan-peng (崔艳鹏), HU Jian-wei (胡建伟) (Network Behavior Research Center, Xidian University, Xi'an 710071, China)
Source: Computer Science (计算机科学), 2019, No. 4, pp. 203-209 (7 pages); indexed in CSCD and the Peking University Core Journals list
Keywords: Snort; hierarchical clustering; alert; threshold selection; similarity calculation
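As an added illustration (not the paper's code), the following stdlib-only Python sketch follows the pipeline the abstract describes: alerts are clustered on message content alone, a class larger than a size threshold yields one representative chosen by cosine similarity instead of being discarded, and the deduplicated result is listed along the time axis. The alert messages, the fixed similarity threshold and the size threshold are constructed assumptions; the paper's prior-knowledge-based threshold selection is not reproduced here.

```python
import math
from collections import Counter

# Constructed Snort-style alerts (timestamp, message); not the paper's dataset.
ALERTS = [
    (1, "ET SCAN Nmap Scripting Engine User-Agent Detected"),
    (2, "ET SCAN Nmap Scripting Engine User-Agent Detected"),
    (3, "ET WEB_SERVER SQL Injection Attempt UNION SELECT"),
    (4, "ET SCAN Nmap Scripting Engine User-Agent Detected Nmap"),
    (5, "ET WEB_SERVER Possible SQL Injection Attempt SELECT FROM"),
    (6, "ET POLICY SSH session in progress"),
]

def vectorize(msg):  # bag-of-words counts: message content is the only clustering attribute
    return Counter(msg.lower().split())
def cosine(a, b):
    dot = sum(n * b.get(t, 0) for t, n in a.items())
    norm = math.sqrt(sum(n * n for n in a.values())) * math.sqrt(sum(n * n for n in b.values()))
    return dot / norm if norm else 0.0
def cluster(alerts, min_sim):
    """Single-link agglomerative clustering; merging stops when no cross-cluster pair reaches min_sim."""
    vecs = [vectorize(m) for _, m in alerts]
    clusters = [[i] for i in range(len(alerts))]
    while True:
        best = None
        for x in range(len(clusters)):
            for y in range(x + 1, len(clusters)):
                s = max(cosine(vecs[i], vecs[j]) for i in clusters[x] for j in clusters[y])
                if s >= min_sim and (best is None or s > best[0]):
                    best = (s, x, y)
        if best is None:
            return clusters
        clusters[best[1]].extend(clusters.pop(best[2]))
def representative(alerts, members):
    """Medoid by summed cosine similarity to the other members; earliest timestamp breaks ties."""
    vecs = {i: vectorize(alerts[i][1]) for i in members}
    return max(members, key=lambda i: (sum(cosine(vecs[i], vecs[j]) for j in members if j != i), -alerts[i][0]))
def process(alerts, min_sim=0.5, size_threshold=2):
    """Return (first_seen, count, message) rows: deduplicated, clustered, ordered along the time axis."""
    rows = []
    for members in cluster(alerts, min_sim):
        first_seen = min(alerts[i][0] for i in members)
        if len(members) > size_threshold:
            # Conventional clustering would discard this over-threshold class; keep its medoid instead.
            rows.append((first_seen, len(members), alerts[representative(alerts, members)][1]))
        else:  # small cluster: keep every distinct message, collapsing exact duplicates
            seen = {}
            for ts, msg in sorted(alerts[i] for i in members):
                seen.setdefault(msg, [ts, 0])[1] += 1
            rows.extend((ts, n, msg) for msg, (ts, n) in seen.items())
    return sorted(rows)
```

With the constructed input, the three Nmap alerts collapse to a single representative row while both distinct SQL injection alerts and the SSH alert are kept.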