Journal of Nanjing University (Natural Sciences) ›› 2010, Vol. 46 ›› Issue (1): 56-63.
刘志杰, 王崇骏
Liu Zhi-Jie, Wang Chong-Jun
Abstract: Intrusion detection systems are an important means of protecting computer systems and are being deployed ever more widely; however, the large volume of raw alert events they produce brings new problems: huge numbers of alerts, many false alerts and many duplicate alerts, which hinder the effective use of intrusion detection systems. In response, alert correlation has become a hot topic in network security research, with researchers attempting to correlate low-level alert information in order to reduce the false alarm rate. This paper proposes an alert correlation algorithm based on a composite attack path graph, which uses the attack stage in which each alert occurs to correlate alerts and construct attack scenarios, thereby revealing the true intrusion intent hidden behind large numbers of attack events. The model first preprocesses the alert information and matches it to the corresponding attack stage in a knowledge base, then links the attacks together, computes the threat level of the corresponding host from the weights of the attack path graph, and decides whether to raise an alarm. The model can process alert information in real time and reconstruct the path along which an attack was carried out; finally, experiments demonstrate the effectiveness of the algorithm.
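The pipeline the abstract describes (preprocess alerts, match each to a stage in a knowledge base, link the stages into a per-host path, score the host from the path weights, decide whether to alarm) can be illustrated with a small correlator. The following is an added example written for this page, not code from the paper; the stage names, weights, IDS signature names, threshold, deduplication window and sample alerts are all constructed assumptions, and the linking rule (an alert extends a host's scenario only if it does not move backwards on the path graph) is a deliberate simplification of whatever the authors' graph matching actually does.

```python
from collections import OrderedDict
from dataclasses import dataclass

# Constructed knowledge base (hypothetical): attack stages in path order, each with a
# weight reflecting how far along a multi-step intrusion the stage lies.
STAGES = OrderedDict([
    ("recon", 1),
    ("exploit", 3),
    ("privilege_escalation", 5),
    ("exfiltration", 6),
])
STAGE_INDEX = {name: i for i, name in enumerate(STAGES)}

# Constructed signature-to-stage map (hypothetical IDS signature names).
SIGNATURE_STAGE = {
    "PORTSCAN": "recon",
    "HTTP_BUFFER_OVERFLOW": "exploit",
    "SUID_ROOT_SHELL": "privilege_escalation",
    "LARGE_OUTBOUND_TRANSFER": "exfiltration",
}

ALERT_THRESHOLD = 8   # hypothetical: cumulative path weight at which an alarm is raised
DEDUP_WINDOW = 60     # seconds: identical alerts closer than this are treated as repeats


@dataclass(frozen=True)
class Alert:
    ts: int          # epoch seconds
    signature: str
    src: str
    dst: str


def preprocess(alerts):
    """Drop alerts with no known attack stage and collapse repeats within DEDUP_WINDOW."""
    kept, last_seen = [], {}
    for a in sorted(alerts, key=lambda a: a.ts):
        stage = SIGNATURE_STAGE.get(a.signature)
        if stage is None:
            continue                      # not in the knowledge base: cannot be placed on the graph
        key = (a.signature, a.src, a.dst)
        if key in last_seen and a.ts - last_seen[key] < DEDUP_WINDOW:
            continue                      # duplicate alert
        last_seen[key] = a.ts
        kept.append((a, stage))
    return kept


def correlate(alerts):
    """Link alerts per target host along the attack path graph and score each host."""
    scenarios = {}
    for a, stage in preprocess(alerts):
        path = scenarios.setdefault(a.dst, [])
        # Only forward movement on the path graph extends the scenario.
        if path and STAGE_INDEX[stage] < STAGE_INDEX[path[-1][1]]:
            continue
        # A repeated stage (e.g. a second exploit attempt) adds no new weight.
        if path and path[-1][1] == stage:
            continue
        path.append((a, stage))
    report = {}
    for host, path in scenarios.items():
        score = sum(STAGES[s] for _, s in path)
        report[host] = {
            "path": [s for _, s in path],     # reconstructed attack path for this host
            "score": score,                   # threat level from path graph weights
            "alarm": score >= ALERT_THRESHOLD,
        }
    return report


# Constructed sample alerts: one host walks three stages, two hosts only see a scan.
SAMPLE_ALERTS = [
    Alert(1000, "PORTSCAN", "10.0.0.5", "10.0.0.20"),
    Alert(1010, "PORTSCAN", "10.0.0.5", "10.0.0.20"),    # duplicate inside the window
    Alert(1200, "HTTP_BUFFER_OVERFLOW", "10.0.0.5", "10.0.0.20"),
    Alert(1300, "ICMP_PING", "10.0.0.5", "10.0.0.20"),   # no stage in the knowledge base
    Alert(1500, "SUID_ROOT_SHELL", "10.0.0.5", "10.0.0.20"),
    Alert(2000, "PORTSCAN", "10.0.0.7", "10.0.0.30"),
    Alert(2100, "PORTSCAN", "10.0.0.7", "10.0.0.31"),
]

if __name__ == "__main__":
    for host, info in correlate(SAMPLE_ALERTS).items():
        print(host, info)
```

With the constructed input, host 10.0.0.20 yields the path recon, exploit, privilege_escalation with score 9 and an alarm, while the two scanned-only hosts score 1 and stay below the threshold; the duplicate scan and the unknown signature are removed in preprocessing.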