Intrusion detection model based on a network security knowledge base
Cite this article: Xiao Yun, Wang Xuanhong. Intrusion detection model based on a network security knowledge base [J]. Application Research of Computers, 2009, 26(3): 1079-1081.
Authors: Xiao Yun, Wang Xuanhong
Affiliation: 1. School of Information Science and Technology, Northwest University, Xi'an 710127
2. Department of Communication Engineering, Xi'an Institute of Post and Telecommunications, Xi'an 710121
Funding: National "863" Program project (2004AA1Z2280)
Abstract: Building on a network security knowledge base system, this paper proposes an intrusion detection model based on a basic network security knowledge base system, comprising data filtering, attack-intent analysis and situation assessment engines. The model uses an evolving self-organizing map to discover multi-target attacks that share a common source; it uses association rules obtained by time series analysis to correlate alert events online, so as to identify complex attacks that are dispersed in time; finally, it gives evaluation indexes and corresponding quantitative evaluation methods for host-level and LAN system-level threats respectively. Compared with existing IDSs, the model has a more complete structure and richer usable knowledge, discovers coordinated attacks more easily, and effectively reduces the false positive rate.

Keywords: network security; knowledge base; intrusion detection model; correlation; threat evaluation
Received: 6/20/2008 9:08:21 PM
Revised: 2/2/2009 1:52:36 PM

Intrusion detection framework based on network security knowledge databases
Xiao Yun, Wang Xuan-hong. Intrusion detection framework based on network security knowledge databases [J]. Application Research of Computers, 2009, 26(3): 1079-1081.
Authors: Xiao Yun, Wang Xuan-hong
Affiliation: 1. School of Information Science & Technology, Northwest University, Xi'an 710127, China; 2. Dept. of Communication Engineering, Xi'an Institute of Post & Telecommunications, Xi'an 710121, China
Abstract: This paper proposed a new intrusion detection framework based on the existing network security knowledge databases. It included data filtering, attack attempt analyzing and threat evaluation engines. The evolving self-organizing map was used to find attacks with the same source and multiple targets. A time series analysis method was utilized to obtain correlation rules to correlate intrusion events on-line, so that complicated attacks with dispersed attack times could be detected. Then the threat evaluation indexes and quantitative threat evaluation formulas for evaluating services, hosts and local area networks were given. The framework is more integrated and has more useful knowledge than existing intrusion detection systems (IDS), and finds coordinated attacks more easily with a lower false positive rate.
Keywords: network security; knowledge datasets; intrusion detection framework; correlation; threat evaluation