Abstract
Most alert events raised by an intrusion detection system are related to one another in some way. Aggregating and correlating these alerts can eliminate or reduce duplicate alerts, lower the false-positive rate, and reveal high-level multi-step attack strategies. This paper designs and implements an alert aggregation and correlation system whose main components are alert aggregation, alert verification, multi-step attack alert correlation, and report analysis with rule control. Experiments show that the system reduces the number of alerts and can identify attack intent, thereby providing early warning.
The alert events detected by an Intrusion Detection System are usually interrelated in certain respects. Through aggregating and correlating these alerts, the system can eliminate or reduce the number of identical alerts, decrease the false positive rate, and discover high-level multi-step attack policies. This paper presents an intrusion alert aggregating and correlating system, which is mainly composed of aggregation analysis, alert verification and multi-step attack correlation, etc. Experiments show that the system is effective in reducing the number of alerts and can warn according to the attack intention identified.
Source
《微计算机信息》 (Microcomputer Information)
Peking University Core Journal (北大核心)
2007, No. 36, pp. 47-49 (3 pages)
Control & Automation
Keywords
Intrusion detection
Alert aggregation
Alert correlation
Alert verification