Analysis of Alert Correlation Based on Sequential Pattern in Intrusion Detection

Abstract (Chinese original, translated): An alert correlation analysis model based on sequential patterns is proposed for the analysis of attack alerts. In the preprocessing stage, the model uses network topology information and alert-attribute similarity membership functions to filter and fuse the raw alerts. Building on the WINEPI algorithm, and taking into account the growth of the alert database, an incremental sequential pattern mining algorithm for alerts is proposed for discovering correlation rules. The online correlation module matches the rule base to form attack scenario graphs and predicts unknown attack events. Tests with the 2000 DARPA attack dataset show that the model markedly improves the performance of the intrusion detection system, verifying the effectiveness of the model and the algorithm.

Abstract: An alert correlation model based on sequential patterns is presented for the analysis of attack alerts. Alerts are first filtered and merged by means of network topology information and a similarity membership function. In the alert correlation module, an incremental sequential pattern mining algorithm based on WINEPI is employed for correlation rule mining as the rule database increases. The online correlation module matches rules and constructs attack scenarios. Experimental results with the 2000 Defense Advanced Research Projects Agency (DARPA) intrusion detection scenario-specific datasets indicate that the proposed alert correlation model can efficiently improve the performance of an intrusion detection system (IDS).
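As an added illustration (not code from the paper), the following Python sketches the WINEPI-style mining step the abstract describes: slide a fixed-width window over a preprocessed alert stream, count in how many windows each single alert type and each ordered (a-then-b) serial episode occurs, keep the pairs above a frequency and confidence threshold as correlation rules, and use those rules online to predict the next alert type. The alert stream, window width and thresholds are constructed assumptions; the paper's incremental update of the counts is not reproduced.

```python
from collections import Counter

# Constructed, already-preprocessed alert stream (second offset, alert type);
# not data from the paper or the DARPA set. Three probe-then-exploit runs
# plus one isolated scan.
ALERTS = [
    (0, "ICMP_SWEEP"), (3, "PORT_SCAN"), (7, "RPC_PROBE"), (12, "BUFFER_OVERFLOW"),
    (40, "ICMP_SWEEP"), (43, "PORT_SCAN"), (46, "RPC_PROBE"), (50, "BUFFER_OVERFLOW"),
    (90, "PORT_SCAN"),
    (120, "ICMP_SWEEP"), (122, "PORT_SCAN"), (127, "BUFFER_OVERFLOW"),
]

def windows(alerts, width):
    """Yield the alert types in every window [s, s+width), WINEPI style: s runs
    from t_min-width+1 to t_max, so each alert falls in exactly `width` windows."""
    t_min, t_max = alerts[0][0], alerts[-1][0]
    for start in range(t_min - width + 1, t_max + 1):
        yield [a for t, a in alerts if start <= t < start + width]

def episode_frequencies(alerts, width):
    """Fraction of windows containing each single type and each serial episode
    (a, b) with a strictly before b; counted once per window."""
    counts, n_windows = Counter(), 0
    for w in windows(alerts, width):
        n_windows += 1
        seen = set(w)
        for i, a in enumerate(w):
            for b in w[i + 1:]:
                seen.add((a, b))
        counts.update(seen)
    return {ep: c / n_windows for ep, c in counts.items()}

def mine_rules(alerts, width, min_freq, min_conf):
    """Correlation rules a -> b: serial episode frequent within the window and
    confidence freq(a,b)/freq(a) at or above min_conf."""
    freq = episode_frequencies(alerts, width)
    rules = {}
    for ep, f in freq.items():
        if isinstance(ep, tuple) and f >= min_freq:
            conf = f / freq[ep[0]]
            if conf >= min_conf:
                rules[ep] = round(conf, 2)
    return rules

def predict_next(rules, latest_alert):
    """Online correlation step: consequents of rules whose antecedent just fired."""
    return sorted(b for (a, b) in rules if a == latest_alert)
```

With a 15-second window, min_freq 0.1 and min_conf 0.6, the stream above yields the rules ICMP_SWEEP -> PORT_SCAN and RPC_PROBE -> BUFFER_OVERFLOW; the isolated PORT_SCAN lowers the confidence of PORT_SCAN -> RPC_PROBE below threshold.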
