Research on real-time alert correlation based on incremental mining
Cite this article: LIAO Niandong, XIONG Bing, HU Qi. Research on real-time alert correlation based on increment mining [J]. Computer Engineering and Applications, 2012, 48(4): 25-28.
Authors: LIAO Niandong, XIONG Bing, HU Qi
Affiliations: 1. College of Computer and Communication Engineering, Changsha University of Science and Technology, Changsha 410114, China
2. College of Computer and Information Technology, Beijing Jiaotong University, Beijing 100044, China
Funding: Changsha University of Science and Technology fund for introduced doctoral talent; research project funded by the Hunan Provincial Department of Science and Technology (No. 2010FJ3115).
Abstract: Intrusion detection technology obtains network attack alert information in real time in order to detect, analyze and dynamically defend network security, effectively compensating for the shortcomings of firewalls. Improving the detection rate and precision of intrusion detection by processing network alert information effectively is one of the important current research topics in the field. This paper proposes a real-time intrusion detection alert correlation method based on incremental mining. The method confines the aggregation of alert events and the alert correlation analysis to small-scale data sets, effectively overcoming the multiple scans, high false positive rate and low alert correlation degree that arise when some data mining algorithms are applied to the intrusion detection process. Experimental results show that the method not only handles large volumes of real-time network alert information, but also performs well in both alert correlation analysis and alert event reduction.

Keywords: intrusion detection; data mining; alert correlation; network security

Research on real-time alert correlation based on increment mining
LIAO Niandong, XIONG Bing, HU Qi. Research on real-time alert correlation based on increment mining [J]. Computer Engineering and Applications, 2012, 48(4): 25-28.
Authors: LIAO Niandong, XIONG Bing, HU Qi
Affiliation: 1. College of Computer and Communication Engineering, Changsha University of Science and Technology, Changsha 410114, China; 2. College of Computer and Information Technology, Beijing Jiaotong University, Beijing 100044, China
Abstract: Intrusion detection technology can effectively remedy the shortcomings of firewalls by obtaining alert information about network attacks and by detecting, analyzing and dynamically defending in accordance with network security requirements. Improving the detection rate and accuracy by effectively processing network alert information is an important research task in intrusion detection technology. This paper proposes a novel method of network alert correlation based on real-time incremental mining. In this method, the processing of alert aggregation, alert correlation and alert analysis is carried out within a small-scale data scope. The method effectively overcomes the shortcomings of some data mining methods applied to the intrusion detection process, such as multiple scanning, a high false positive rate and a low association rate among alerts. The experimental results show that the method can not only handle large volumes of network alert information, but also performs well in alert information analysis and alert event reduction.
Keywords: intrusion detection; data mining; alert association; network security