An Alert Correlation Method Based on Multi-factors
Cite this article: WU Dong, GUO Chun, SHEN Guo-wei. An Alert Correlation Method Based on Multi-factors [J]. Computer and Modernization (计算机与现代化), 2019, 0(6): 30. DOI: 10.3969/j.issn.1006-2475.2019.06.005
Authors: WU Dong, GUO Chun, SHEN Guo-wei
Affiliations (all authors): School of Computer Science and Technology, Guizhou University, Guiyang, Guizhou 550025; Guizhou Provincial Key Laboratory of Public Big Data, Guiyang, Guizhou 550025
Funding: National Natural Science Foundation of China (61540049, 61802081); Guizhou Provincial Science and Technology Program ([2017]1051, [2018]3001); Open Project of the Guizhou Provincial Key Laboratory of Public Big Data (2017BDKFJJ025); Henan Provincial Science and Technology Research Program (182102210123)
Abstract: Intrusion detection systems are widely used as an important tool for protecting network security, but they typically produce large volumes of alerts with high redundancy and a high false-positive rate. Alert correlation analysis comprehensively analyzes and processes these low-level alerts to reveal the multi-step attack behaviour they contain. Many alert correlation methods build attack scenarios by mining frequent patterns from historical alerts; such methods are easily affected by redundant alerts and false positives, and in some cases the mined multi-step attack chains do not reflect real multi-step attack behaviour. To address this, a multi-factor multi-step attack correlation method is proposed. Raw alerts are aggregated into hyper alerts to reduce the impact of redundant alerts; the hyper alerts are organised into a hyper-alert time relation graph, and a multi-factor correlation evaluation function between hyper alerts is used to mine multi-step attack scenarios from this graph. Experimental results show that the method overcomes the negative effects of redundant alerts and most false positives and effectively mines multi-step attack chains.

Keywords: alert correlation; multi-step attack sequence; hyper alert; correlation evaluation
Received: 2019-06-14

An Alert Correlation Method Based on Multi-factors
WU Dong,GUO Chun,SHEN Guo-wei,. An Alert Correlation Method Based on Multi-factors[J]. Computer and Modernization, 2019, 0(6): 30. DOI: 10.3969/j.issn.1006-2475.2019.06.005
Authors:WU Dong  GUO Chun  SHEN Guo-wei  
Abstract:Intrusion detection system has been widely used as an important tool to protect network security, and they usually generate a large number of alerts with high redundancy and high false positive rate. Alert correlation analysis reveals the multi-step attack scenarios contained in it through the comprehensive analysis and processing of the underlying alarms. Many existing alert correlation methods rebuild attack scenarios by mining frequent patterns in historical alerts. Multi-step attack chains obtained by these methods are susceptible to redundant alerts and false positives, and can’t reflect the real multi-step attacks in some cases. Therefore, this paper proposes an alert correlation method based on multiple factors which reduces the impact of redundant alerts by aggregating the raw alerts to obtain hyper alerts, constructs hyper alerts into hyper-alert time relation graph and uses the multi-factor correlation evaluation function between hyper alerts to find multi-step attack scenarios from the time relation graph. The experimental results show that the proposed method can overcome the negative effects caused by redundant alerts and false positives and effectively mine multi-step attack scenarios.
Keywords:alert correlation  multi-step attack sequence  hyper alert  relevance evaluation  