Intrusion alert correlation method based on uncertain knowledge discovery
Cite this article: Xiao Yun, Wang Xuanhong, Peng Jinye, Zhao Jian. Intrusion alert correlation method based on uncertain knowledge discovery [J]. Journal of Computer Applications, 2009, 29(3): 808-812.
Authors: Xiao Yun, Wang Xuanhong, Peng Jinye, Zhao Jian
Affiliations: 1. School of Information Science and Technology, Northwest University, Xi'an 710127
2. Department of Communication Engineering, Xi'an Institute of Posts and Telecommunications, Xi'an 710121
Abstract: To address the large volume, fragmentation and dispersion of alerts produced by intrusion detection systems, an intrusion alert correlation method based on uncertain knowledge discovery is proposed. In the knowledge discovery part, the proposed uncertain sequence pattern discovery algorithm, CWINEPI, mines sequence patterns from alert data; the intrusion alert sequence patterns that survive filtering are converted into alert condensation rules, and the sequence patterns are then correlated with one another to obtain attack patterns, which are converted into intrusion scenario reconstruction rules. In the alert correlation part, the condensation rules and scenario reconstruction rules are used to build an alert correlation engine by pattern matching, which correlates the alerts reported by multiple intrusion detection systems. Alert data from the US Defense Advanced Research Projects Agency 2000 intrusion evaluation data set (DARPA2000) validate the good performance of the knowledge discovery part, and the correlation results on alerts from a test environment show that the method is efficient and feasible.

Keywords: intrusion detection; knowledge discovery; alert correlation
Received: 2008-09-16

Intrusion alert correlation method based on uncertain knowledge discovery
XIAO Yun, WANG Xuan-hong, PENG Jin-ye, ZHAO Jian. Intrusion alert correlation method based on uncertain knowledge discovery [J]. Journal of Computer Applications, 2009, 29(3): 808-812.
Authors: XIAO Yun, WANG Xuan-hong, PENG Jin-ye, ZHAO Jian
Affiliation: 1. School of Information Science and Technology, Northwest University, Xi'an Shaanxi 710127, China; 2. Department of Communication Engineering, Xi'an Institute of Posts and Telecommunications, Xi'an Shaanxi 710121, China
Abstract: To solve the problems of the huge number, triviality and dispersion of intrusion alerts raised by intrusion detection systems, an intrusion alert correlation method based on uncertain knowledge discovery is proposed. In the knowledge discovery part, a new uncertain sequence pattern discovery algorithm, named CWINEPI, is used to discover the sequence patterns of intrusion alerts. After filtering, the sequence patterns of intrusion alerts are translated into intrusion alert condensation rules. Attack patterns are obtained by correlating the sequence patterns, and are converted into intrusion scenario building rules. In the intrusion alert correlation part, an alert correlation engine is constructed that correlates alerts produced by multiple intrusion detection systems by pattern matching against the rules obtained from the knowledge discovery part. Alerts from the Defense Advanced Research Projects Agency 2000 intrusion evaluation data (DARPA2000) validate the good performance of the knowledge discovery part. The correlation results on alerts from a real testing environment show that the proposed method is efficient and feasible.
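The two-stage design described in the abstract (mine frequent alert sequences, turn the surviving ones into condensation and scenario rules, then pattern-match incoming alerts against those rules) can be illustrated end to end on a small constructed alert log. The block below is an added example, not the paper's code: it uses a plain WINEPI-style sliding-window episode count, anchored at each alert, in place of the paper's CWINEPI algorithm, whose uncertainty weighting is not reproduced here. The alert records, sensor names, the window and support thresholds, and the hand-written scenario rule are all constructed assumptions.

```python
"""Frequent-episode mining over IDS alerts followed by rule-based correlation.

Added illustration (not the paper's CWINEPI implementation). Episode support is
counted over windows anchored at each alert, a simplification of WINEPI's
time-sliding windows; all alert data below is constructed.
"""
from collections import Counter
from itertools import combinations

# Constructed sample alerts: (timestamp_seconds, sensor, alert_type, src, dst).
# Three recon chains from one source against three hosts, plus one unrelated alert.
ALERTS = [
    (0,  "ids-a", "ICMP_SWEEP", "10.0.0.9", "10.0.1.5"),
    (3,  "ids-b", "PORTSCAN",   "10.0.0.9", "10.0.1.5"),
    (7,  "ids-a", "RPC_PROBE",  "10.0.0.9", "10.0.1.5"),
    (20, "ids-a", "ICMP_SWEEP", "10.0.0.9", "10.0.1.6"),
    (22, "ids-b", "PORTSCAN",   "10.0.0.9", "10.0.1.6"),
    (25, "ids-a", "RPC_PROBE",  "10.0.0.9", "10.0.1.6"),
    (40, "ids-a", "ICMP_SWEEP", "10.0.0.9", "10.0.1.7"),
    (41, "ids-b", "PORTSCAN",   "10.0.0.9", "10.0.1.7"),
    (45, "ids-a", "RPC_PROBE",  "10.0.0.9", "10.0.1.7"),
    (60, "ids-b", "WEB_ATTACK", "10.0.0.3", "10.0.1.8"),
]

# Constructed scenario reconstruction rule: a condensed meta-alert of the named
# pattern from one source against at least `min_targets` hosts forms a scenario.
SCENARIO_RULES = {"RECON_SWEEP": ("ICMP_SWEEP+PORTSCAN+RPC_PROBE", 2)}


def frequent_episodes(alerts, window, min_support, max_len=3):
    """Return {episode: support} for ordered alert-type subsequences of length
    2..max_len that occur within `window` seconds of an anchoring alert."""
    times = [a[0] for a in alerts]
    types = [a[2] for a in alerts]
    counts = Counter()
    n = len(alerts)
    for i in range(n):
        j = i
        while j < n and times[j] - times[i] <= window:
            j += 1
        seq = types[i:j]
        seen = set()  # count each episode once per window
        for k in range(2, max_len + 1):
            for idx in combinations(range(len(seq)), k):
                seen.add(tuple(seq[t] for t in idx))
        counts.update(seen)
    return {ep: c / n for ep, c in counts.items() if c / n >= min_support}


def maximal(episodes):
    """Filtering step: drop episodes contained in a longer frequent episode."""
    def is_subseq(small, big):
        it = iter(big)
        return all(x in it for x in small)
    eps = list(episodes)
    return [e for e in eps
            if not any(len(o) > len(e) and is_subseq(e, o) for o in eps)]


def rules_from_episodes(episodes):
    """Turn maximal frequent episodes into condensation rules: name -> pattern."""
    return {"+".join(e): e for e in maximal(episodes)}


def correlate(alerts, rules, window):
    """Correlation engine: group alerts by (src, dst) in time order and replace
    each full pattern match with one meta-alert; unmatched alerts pass through.
    Output records: (timestamp, name, src, dst, contributing_sensors)."""
    by_pair = {}
    for a in sorted(alerts):
        by_pair.setdefault((a[3], a[4]), []).append(a)
    out = []
    for (src, dst), seq in by_pair.items():
        i = 0
        while i < len(seq):
            for name, pattern in rules.items():
                span = seq[i:i + len(pattern)]
                if (len(span) == len(pattern)
                        and tuple(a[2] for a in span) == pattern
                        and span[-1][0] - span[0][0] <= window):
                    out.append((span[0][0], name, src, dst, {a[1] for a in span}))
                    i += len(pattern)
                    break
            else:
                out.append((seq[i][0], seq[i][2], src, dst, {seq[i][1]}))
                i += 1
    return sorted(out, key=lambda r: r[0])


def reconstruct_scenarios(meta, scenario_rules):
    """Apply scenario rules to meta-alerts: (scenario, src, sorted targets)."""
    out = []
    for scenario, (step, min_targets) in scenario_rules.items():
        by_src = {}
        for r in meta:
            if r[1] == step:
                by_src.setdefault(r[2], set()).add(r[3])
        out.extend((scenario, src, sorted(d)) for src, d in by_src.items()
                   if len(d) >= min_targets)
    return out


def run_pipeline(alerts=ALERTS, window=10, min_support=0.25):
    """Knowledge discovery, then correlation, on the constructed alert log."""
    rules = rules_from_episodes(frequent_episodes(alerts, window, min_support))
    meta = correlate(alerts, rules, window)
    return {"rules": rules, "correlated": meta,
            "scenarios": reconstruct_scenarios(meta, SCENARIO_RULES)}


if __name__ == "__main__":
    for key, value in run_pipeline().items():
        print(key, value)
```

On the constructed log the ten raw alerts collapse to four records (three meta-alerts for the recon chain, each drawing on both sensors, plus the unrelated WEB_ATTACK passed through), and the scenario rule ties the three meta-alerts from the same source into one sweep against three hosts. The support threshold is the knob that decides which sequences become rules, so it needs tuning on real alert volumes rather than on a ten-line sample.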
Keywords:intrusion detection  knowledge discovery  intrusion alert correlation
This article is indexed in CNKI, VIP and Wanfang Data.