Attacker IP analysis system based on the EBLOF algorithm and its application
Cite this article: FAN Min, LI Changmao, CHEN Feiyu, CHEN Chaoyi. Attacker IP analysis system based on the EBLOF algorithm and its application [J]. Journal of Sichuan University (Engineering Science Edition), 2022, 54(3): 91-97.
Authors: FAN Min, LI Changmao, CHEN Feiyu, CHEN Chaoyi
Affiliations: Qi An Xin Technology Group Inc. (FAN Min, LI Changmao, CHEN Chaoyi); University of Electronic Science and Technology of China (CHEN Feiyu)
Funding: Key project of the Sichuan Provincial Science and Technology Department Miaozi (Seedling) Programme (2021JDRC0073)
Received: 2021-09-18
Revised: 2022-02-21

FAN Min, LI Changmao, CHEN Feiyu, CHEN Chaoyi. Attacker IP analysis system based on the EBLOF algorithm and its application [J]. Journal of Sichuan University (Engineering Science Edition), 2022, 54(3): 91-97.
Affiliation: Qi An Xin Technology Group Inc.; University of Electronic Science and Technology of China
Abstract: To help security operators quickly and accurately locate, among massive intrusion-alert logs, the high-priority attacker IPs that most urgently need handling, and so relieve alert fatigue, an attacker IP analysis system based on the EBLOF (Ensemble-based Local Outlier Factor) algorithm is proposed. On the one hand, the system extracts and merges normalized security alert logs, builds features along two dimensions, attacker IP attributes and attack behaviour, and improves the LOF anomaly detection algorithm with an ensemble learning approach in order to discover attacker IPs. On the other hand, an online learning architecture is built with batch real-time learning, which ensures at the system level rather than the algorithm level that the model can be updated online. Finally, the robustness of EBLOF is verified on a public dataset, and the effectiveness and feasibility of the proposed system are verified in a real attack-and-defence scenario.
Keywords: Situation awareness; Attacker analysis; Local outlier factor; Ensemble learning
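The detection half of the pipeline the abstract describes, as a runnable sketch: per-source-IP features are built from normalized alerts (attribute and behaviour dimensions), an ensemble of LOF models scores each IP, and the highest-scoring IPs are surfaced for triage. This is an added example, not the paper's code, and the page does not give EBLOF's feature set or ensemble rule, so the six features, the feature-bagging ensemble (plain LOF run on random feature subsets, scores averaged), the constructed alert records and every function name below are assumptions made here. The online batch update is not modelled.

```python
"""Added example (not the paper's code): rank attacker source IPs from
normalized alerts with a feature-bagged ensemble of LOF models.
Assumed, not taken from the page: the feature set, the ensemble rule and
the constructed alert data."""
import math
import random
from collections import Counter, defaultdict

HOSTS = ["10.1.0.%d" % i for i in range(1, 21)]
SIGS = ["web.sqli", "web.xss", "ssh.bruteforce", "scan.portsweep", "rdp.bruteforce"]


def build_alerts():
    """Constructed, deterministic alert records: (src_ip, dst_ip, signature, severity)."""
    alerts = []
    # Twelve ordinary sources: a few low-severity hits on one to three hosts.
    for i in range(12):
        n, targets, sigs = 2 + i, 1 + i % 3, 1 + i % 2
        for j in range(n):
            alerts.append(("203.0.113.%d" % (10 + i), HOSTS[j % targets], SIGS[j % sigs], 1 + j % 3))
    # A scanner: many alerts spread over every host and every signature.
    for j in range(100):
        alerts.append(("198.51.100.7", HOSTS[j % 20], SIGS[j % 5], 3))
    # A brute-forcer: many high-severity alerts against one host, one signature.
    for _ in range(80):
        alerts.append(("198.51.100.9", HOSTS[3], "ssh.bruteforce", 5))
    return alerts


FEATURES = ["alerts", "targets", "signatures", "mean_sev", "alerts_per_target", "top_sig_share"]


def extract_features(alerts):
    """Per-source-IP vectors over attribute and behaviour features, min-max scaled to [0, 1]."""
    per_ip = defaultdict(list)
    for src, dst, sig, sev in alerts:
        per_ip[src].append((dst, sig, sev))
    ips, rows = [], []
    for ip, recs in sorted(per_ip.items()):
        n = len(recs)
        targets = len({d for d, _, _ in recs})
        sig_counts = Counter(s for _, s, _ in recs)
        rows.append([n, targets, len(sig_counts), sum(v for _, _, v in recs) / n,
                     n / targets, max(sig_counts.values()) / n])
        ips.append(ip)
    cols = list(zip(*rows))
    lo = [min(c) for c in cols]
    span = [(max(c) - min(c)) or 1.0 for c in cols]  # scale so no feature dominates distances
    return ips, [[(v - lo[j]) / span[j] for j, v in enumerate(r)] for r in rows]


def lof_scores(points, k):
    """Plain LOF (Breunig et al.): neighbours' local density divided by the point's own."""
    n = len(points)
    dist = [[math.dist(p, q) for q in points] for p in points]
    neigh, kdist = [], []
    for i in range(n):
        nearest = sorted((dist[i][j], j) for j in range(n) if j != i)[:k]
        neigh.append([j for _, j in nearest])
        kdist.append(nearest[-1][0])
    # local reachability density; the epsilon guards against exact-duplicate vectors
    lrd = [k / max(sum(max(kdist[j], dist[i][j]) for j in neigh[i]), 1e-9) for i in range(n)]
    return [sum(lrd[j] for j in neigh[i]) / (k * lrd[i]) for i in range(n)]


def eblof_scores(points, k=3, rounds=10, seed=1):
    """Feature-bagged LOF ensemble (assumed scheme): average LOF over random feature subsets."""
    rng = random.Random(seed)
    d = len(points[0])
    total = [0.0] * len(points)
    for _ in range(rounds):
        subset = rng.sample(range(d), rng.randint(d // 2, d - 1))
        proj = [[p[j] for j in subset] for p in points]
        for i, s in enumerate(lof_scores(proj, k)):
            total[i] += s
    return [t / rounds for t in total]


def rank_sources(alerts, top=3):
    """Source IPs ordered by ensemble score, highest (most anomalous) first."""
    ips, feats = extract_features(alerts)
    ranked = sorted(zip(ips, eblof_scores(feats)), key=lambda x: -x[1])
    return ranked[:top]


if __name__ == "__main__":
    for ip, score in rank_sources(build_alerts()):
        print("%-14s EBLOF=%.2f" % (ip, score))
```

On the constructed data the scanner and the brute-forcer come out on top while the twelve ordinary sources score close to 1. Two practitioner caveats the sketch makes visible: LOF is undefined for exact-duplicate feature vectors (sources with identical counts are common in real alert logs), so the local reachability density needs a floor or a deduplication step, and the per-feature scaling must be refitted whenever the batch changes, which is part of what an online update has to manage.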