| 分布式入侵告警关联分析 |
| |
| 引用本文: | 李家春,李之棠.分布式入侵告警关联分析[J].计算机研究与发展,2004,41(11):1919-1923. |
| |
| 作者姓名: | 李家春 李之棠 |
| |
| 作者单位: | 1. 华南理工大学计算机科学与工程学院信息网络工程研究中心,广州,510640
2. 华中科技大学计算机科学与技术学院,武汉,430074 |
| |
| 基金项目: | 国家“八六三”高技术研究发展计划基金项目 (863 3 0 1 0 6 0 1),国家信息安全办公室基金项目 (2 0 0 1 研 1 0 0 4),武汉市科技计划基金项目 (2 0 0 10 1111) |
| |
| 摘 要: | 为了精简分布式入侵检测系统中重复性的、不完善的或不完整的告警数据,降低误告警率,解决具有因果关系和非因果关系共存的告警关联问题,提出了一种分级关联算法.利用告警数据的检测时间属性的接近度将关联分析分为两类:概率关联和因果关联.给出了自调节增量贝叶斯分类器和实时因果关联算法,从而实现了多种特征混合的告警关联,提高了告警关联率.使用MIT Lincoln Lab提供的2000 DARPA入侵检测攻击场景数据集LLDOS1.0对该算法进行了性能测试,实验结果验证了算法的有效性.
|
| 关 键 词: | 告警关联 贝叶斯分类器 因果关联 |
Correlation Analysis for Distributed Intrusion Alert |
| |
| LI Jia-chun,Li Zhi-tang.Correlation Analysis for Distributed Intrusion Alert[J].Journal of Computer Research and Development,2004,41(11):1919-1923. |
| |
| Authors: | LI Jia-chun Li Zhi-tang |
| |
| Affiliation: | LI Jia-Chun1 and LI Zhi-Tang2 1 |
| |
| Abstract: | In order to reduce duplicated or incomplete or unperfect alerts in distributed intrusion detection systems and false alert rate, so as to solve alert correlation mixing prerequisites and consequences of intrusions with characteristic similarity of intrusions, a hierarchical correlation algorithm is presented in this paper. Based on the detect time similarity, alert correlation analysis is divided into two class: probabilistic correlation and consequence correlation. Adjustable increment Bayesian classifier and real-time correlation algorithm based on prerequisites and consequences of intrusions are given. As a result, alert correlation mixing multi-character is implemented and the alert correlation rate is improved. 2000 DARPA LLDOS1.0 from MIT Lincoln Lab is used to evaluate the hierarchical correlation algorithm, and the experiment results show the efficiency of the algorithm. |
| |
| Keywords: | alert correlation Bayesian classifier consequence |
| 本文献已被 CNKI 维普 万方数据 等数据库收录! |
