Journal of Northeastern University (Natural Science) (东北大学学报(自然科学版)) ›› 2005, Vol. 26 ›› Issue (11): 27-30. DOI: -

• Article •

Research on an algorithm for mining and analyzing intrusion alert patterns

Dong Xiao-Mei; Yu Ge

  1. School of Information Science and Engineering, Northeastern University, Shenyang 110004, Liaoning, China
  • Received: 2013-06-24  Revised: 2013-06-24  Online: 2005-11-15  Published: 2013-06-24
  • Corresponding author: Dong, X.-M.
  • About author: -
  • Supported by:
    National High Technology Research and Development Program of China (2003AA414210)

Algorithm to mine and analyze intrusion alert patterns

Dong, Xiao-Mei (1); Yu, Ge (1)   

  (1) School of Information Science and Engineering, Northeastern University, Shenyang 110004, China

Abstract: To effectively reduce the number of alerts and extract the useful information they carry, an algorithm for mining and analyzing intrusion alert patterns based on the CLOSET algorithm is proposed. In a distributed intrusion detection system it helps the response component mine and analyze the alert messages sent by the detection components, extracting the frequent closed patterns among the alerts and responding on that basis. To discover latent intrusion behaviour, the IDMEF format is extended with the concept of a suspicion level. So that alerts which occur infrequently but carry a high suspicion level are not overlooked, the algorithm is improved by adding a minimum suspicion level parameter. Experimental results show that both algorithms effectively reduce the number of alerts, and that the improved algorithm extracts the useful information in the alerts better.

Keywords: intrusion detection, cooperation, alert, frequent pattern, data mining

Abstract: To effectively reduce the number of alerts and extract useful information from them, an algorithm was proposed to mine and analyze the patterns in intrusion alert streams on the basis of the CLOSET algorithm. In a distributed intrusion detection system, the algorithm helps the response component mine and analyze the alerts received from its detection components, in particular their frequent closed patterns, so that it can respond with reference to those patterns. To find latent intrusions, the intrusion detection message exchange format (IDMEF) was extended with a proposed concept of suspicion level. To avoid discarding alerts which are highly suspicious but infrequent, the algorithm above was improved by adding a minimum suspicion level parameter. Experimental results showed that both algorithms are effective in reducing the number of alerts, but the improved one is better at extracting useful information.
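The mining step both abstracts describe, as an added worked example (this is not code from the paper): each alert is treated as a set of (field, value) items, the frequent closed itemsets are enumerated (the result CLOSET computes; the enumeration here is a closure-based search rather than CLOSET's FP-tree), and a minimum suspicion level keeps rare but highly suspicious patterns that plain support-based pruning would drop. The alert records, the field names, the `suspicion` field standing in for the IDMEF extension, and the rule that a pattern's suspicion is the highest suspicion among the alerts it covers are all constructed assumptions for this example.

```python
"""Frequent closed pattern mining over intrusion alerts, with an optional
minimum suspicion level. Added example, not the paper's implementation."""


def make_alert(src, dst_port, sig, suspicion):
    # "suspicion" stands in for the paper's IDMEF extension; values are assumed.
    return {"src": src, "dst_port": dst_port, "sig": sig, "suspicion": suspicion}


# Constructed sample alert stream: five SSH brute-force alerts, four HTTP
# scans and one rare but highly suspicious SMB exploit attempt.
ALERTS = (
    [make_alert("10.0.0.5", "22", "ssh-bruteforce", 0.3) for _ in range(5)]
    + [make_alert("10.0.0.7", "80", "http-scan", 0.2) for _ in range(3)]
    + [make_alert("10.0.0.5", "80", "http-scan", 0.2),
       make_alert("192.0.2.9", "445", "smb-exploit", 0.9)]
)


def alert_items(alert):
    """An alert as a set of (field, value) items; suspicion is a weight, not an item."""
    return frozenset((k, v) for k, v in alert.items() if k != "suspicion")


def covering(pattern, alerts):
    """Alerts that contain every item of the pattern."""
    return [a for a in alerts if pattern <= alert_items(a)]


def closure(pattern, alerts):
    """Largest itemset shared by all alerts covering the pattern (None if none)."""
    cov = covering(pattern, alerts)
    if not cov:
        return None
    return frozenset.intersection(*(alert_items(a) for a in cov))


def pattern_suspicion(pattern, alerts):
    """Assumed rule: a pattern is as suspicious as the most suspicious alert it covers."""
    return max((a["suspicion"] for a in covering(pattern, alerts)), default=0.0)


def mine_closed(alerts, min_support, min_suspicion=None):
    """Return {closed_pattern: (support, suspicion)}.

    With min_suspicion=None this is plain frequent closed itemset mining.
    With a minimum suspicion level, a pattern is also kept when its suspicion
    reaches that level even though it is infrequent (our reading of the
    paper's added parameter). Both criteria shrink as a pattern grows, so
    not extending a rejected pattern is sound pruning.
    """
    universe = frozenset().union(*(alert_items(a) for a in alerts))

    def keep(pattern):
        sup = len(covering(pattern, alerts))
        susp = pattern_suspicion(pattern, alerts)
        ok = sup >= min_support or (min_suspicion is not None and susp >= min_suspicion)
        return ok, sup, susp

    found = {}
    # Start from the closure of every single item; every closed pattern is
    # reachable by repeatedly adding one item and closing again.
    stack = [closure(frozenset([item]), alerts) for item in universe]
    while stack:
        pattern = stack.pop()
        if pattern in found:
            continue
        ok, sup, susp = keep(pattern)
        if not ok:
            continue
        found[pattern] = (sup, susp)
        for item in universe - pattern:
            ext = closure(pattern | {item}, alerts)
            if ext is not None and ext not in found:
                stack.append(ext)
    return found


if __name__ == "__main__":
    for label, kwargs in (("support only", {}), ("with min suspicion", {"min_suspicion": 0.8})):
        patterns = mine_closed(ALERTS, 3, **kwargs)
        print(f"{label}: {len(ALERTS)} alerts -> {len(patterns)} closed patterns")
        for p, (sup, susp) in sorted(patterns.items(), key=lambda kv: -kv[1][0]):
            print(f"  support={sup} suspicion={susp} {dict(sorted(p))}")
```

On the constructed stream, support-only mining with a minimum support of 3 hands the response component four closed patterns in place of ten alerts and silently drops the single SMB exploit alert; adding a minimum suspicion level of 0.8 keeps that one as a fifth pattern while leaving the frequent ones unchanged. Closed patterns are used rather than all frequent itemsets because a closed pattern keeps the exact support of every subset it subsumes, so nothing the responder needs is lost by the reduction.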

CLC number: