Study on a comprehensive attack case learning system
Abstract: With the widespread deployment of intrusion detection systems (IDS) in the network security community, intrusion alert learning and analysis has become an active research area. To address problems such as alert flooding and the lack of knowledge about attack scenarios, a comprehensive attack case learning system composed of two learning phases, similar alert aggregation and typical attack instance learning, is presented. First, an improved density-based clustering algorithm aggregates a huge volume of similar alerts into a number of alert clusters. Second, representative alerts are chosen to represent the overall alert clusters according to a set of reduction rules. Then, a sequence pattern mining approach is used to mine frequent sequences of intrusive incidents. Furthermore, an evaluation approach based on the execution ordering constraints among attacks is proposed to identify valuable attack instances from the frequent sequences of intrusive incidents. A real intrusion alert dataset was used to test the learning system. The experimental results show that the system can not only effectively reduce the large number of alerts but also correctly learn the valuable attack cases.
Source: Journal of Computer Applications (《计算机应用》, CSCD, Peking University core journal), 2007, No. 9, pp. 2177-2179, 2183 (4 pages)
Funding: National 863 Program project (2003AA142060)
Keywords: intrusion detection; density-based clustering algorithm; sequence pattern mining; attack case