基于可信报警事件的在线攻击场景重构算法

传统的入侵检测系统仅提供大量独立的、原始的攻击报警信息，不利于用户和入侵响应系统对攻击及时做出响应，迫切需要根据低层的报警信息，建立高层的攻击场景，提高安全管理员对当前发生的攻击的认知度。本文利用贝叶斯规则首先对多个安全设备产生的报警信息进行过滤，生成了可信的报警事件集，在此基础上完成攻击场景的重构工作，减少了安全设备产生的误报信息对关联算法的影响，提高了关联算法的健壮性和可扩展性。描述的关联方法可以使报警事件的聚合操作和攻击场景重构同时进行，实现了对报警事件的在线分析功能，弥补了现有算法的不足。试验结果表明，该算法在场景重构和报警事件约减两个方面都表现出了良好的性能。

An Online Attack Scenarios Construction Algorithms Based on Delievable Alarms

Traditional intrusion detection systems(IDSs) only provide large amount of independent, low-level attack alerts, though there may be logical connections between them. As a result, it is difficult for users or response systems to understand the alerts and take appropriate actions for these attacks. So it needs to deduce high-level attack scenarios and analysis the attack's objective from low-level attack alerts. This paper uses Bayesian rule to filter the alarm set,produces the believable alarm set and shows the most plausible ones among these possible scenarios based on this set,which decrease the effect of false negative alarm and improve this correlation algorithm's robustness and expansibility. This algorithm can also be used to analysis the online alarm set, which avoid the shortcomings of the existed algorithms. We evaluate this model with DARPA evaluation database, which shows good performance in attack scenario construction and alarm reduction.