一种基于多因素的告警关联方法

入侵检测系统作为保护网络安全的重要工具已被广泛使用，其通常产生大量冗余度高、误报率高的告警。告警关联分析通过对底层告警进行综合分析与处理，揭示出其中包含的多步攻击行为。许多告警关联方法通过在历史告警中挖掘频繁模式来构建攻击场景，方法容易受冗余告警、误报影响，挖掘出的多步攻击链在某些情况下不能反映出真实的多步攻击行为。为此，提出一种基于多因素的多步攻击关联方法。通过聚合原始告警以得到超级告警，降低冗余告警带来的影响；将超级告警构造成超级告警时间关系图，同时结合超级告警间的多因素关联度评价函数从时间关系图中挖掘出多步攻击场景。实验结果表明，该方法能克服冗余告警及大部分误报带来的负面影响、有效地挖掘出多步攻击链。

An Alert Correlation Method Based on Multi-factors

Intrusion detection system has been widely used as an important tool to protect network security, and they usually generate a large number of alerts with high redundancy and high false positive rate. Alert correlation analysis reveals the multi-step attack scenarios contained in it through the comprehensive analysis and processing of the underlying alarms. Many existing alert correlation methods rebuild attack scenarios by mining frequent patterns in historical alerts. Multi-step attack chains obtained by these methods are susceptible to redundant alerts and false positives, and can’t reflect the real multi-step attacks in some cases. Therefore, this paper proposes an alert correlation method based on multiple factors which reduces the impact of redundant alerts by aggregating the raw alerts to obtain hyper alerts, constructs hyper alerts into hyper-alert time relation graph and uses the multi-factor correlation evaluation function between hyper alerts to find multi-step attack scenarios from the time relation graph. The experimental results show that the proposed method can overcome the negative effects caused by redundant alerts and false positives and effectively mine multi-step attack scenarios.