Abstract
Building on intrusion taxonomies and semantic similarity, this paper introduces the concept of cluster cohesion and proposes a cohesion-based algorithm for processing IDS alerts. The algorithm uses cohesion to drive an improved bisecting K-means procedure that aggregates large volumes of alerts, then extracts abnormal alerts from the clusters formed during aggregation. Experimental results show that the algorithm aggregates massive alert streams effectively, discovers abnormal alerts, and produces meta-alerts that are semantically meaningful and highly accurate.
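The abstract does not spell out the cohesion measure, the K-means modification or the anomaly criterion, so the following Python sketch is an added illustration of the pipeline described above and is not the authors' code. Alert similarity is a weighted combination of taxonomy-path similarity (shared prefix in a hypothetical attack taxonomy), IP-prefix similarity and port equality; cluster cohesion is the mean pairwise similarity; the least cohesive cluster is repeatedly bisected until every cluster meets a cohesion threshold (a medoid-seeded two-way split stands in for the paper's improved bisecting K-means, because centroids are undefined for categorical alert fields); clusters with fewer than `min_size` members are reported as abnormal, and each cluster is summarised as a meta-alert by generalising its members' attributes. The taxonomy, weights, thresholds and alerts are all constructed for this example.

```python
# Cohesion-based IDS alert aggregation sketch (added example, not the paper's code).
# Taxonomy, alerts, weights and thresholds are constructed for illustration only.
from itertools import combinations
from typing import Dict, List, Sequence, Tuple

Alert = Dict[str, str]

# Hypothetical attack taxonomy: class -> path from the root to that class.
TAXONOMY: Dict[str, List[str]] = {
    "portscan":   ["attack", "recon", "portscan"],
    "sweep":      ["attack", "recon", "sweep"],
    "sqli":       ["attack", "exploit", "web", "sqli"],
    "xss":        ["attack", "exploit", "web", "xss"],
    "bruteforce": ["attack", "exploit", "auth", "bruteforce"],
}

# Constructed sample alerts (not captured from any real IDS).
ALERTS: List[Alert] = [
    {"class": "portscan",   "src": "10.0.0.5",     "dst": "192.168.1.10", "dport": "22"},
    {"class": "portscan",   "src": "10.0.0.5",     "dst": "192.168.1.11", "dport": "22"},
    {"class": "sweep",      "src": "10.0.0.5",     "dst": "192.168.1.12", "dport": "22"},
    {"class": "sqli",       "src": "203.0.113.7",  "dst": "192.168.1.20", "dport": "80"},
    {"class": "xss",        "src": "203.0.113.7",  "dst": "192.168.1.20", "dport": "80"},
    {"class": "sqli",       "src": "203.0.113.8",  "dst": "192.168.1.20", "dport": "80"},
    {"class": "bruteforce", "src": "198.51.100.9", "dst": "192.168.1.30", "dport": "3389"},
]

# Assumed attribute weights; they sum to 1 so that similarity lies in [0, 1].
WEIGHTS = {"class": 0.4, "src": 0.2, "dst": 0.2, "dport": 0.2}

def common_prefix(seqs: Sequence[Sequence[str]]) -> List[str]:
    """Longest common leading run of the given sequences."""
    prefix: List[str] = []
    for items in zip(*seqs):
        if len(set(items)) != 1:
            break
        prefix.append(items[0])
    return prefix

def class_sim(a: str, b: str) -> float:
    """Taxonomy similarity: shared path length over the deeper path."""
    pa, pb = TAXONOMY[a], TAXONOMY[b]
    return len(common_prefix([pa, pb])) / max(len(pa), len(pb))

def ip_sim(a: str, b: str) -> float:
    """IPv4 similarity: leading equal octets over four."""
    return len(common_prefix([a.split("."), b.split(".")])) / 4

def alert_sim(a: Alert, b: Alert) -> float:
    """Weighted semantic similarity of two alerts; identical alerts score 1.0."""
    return (WEIGHTS["class"] * class_sim(a["class"], b["class"])
            + WEIGHTS["src"] * ip_sim(a["src"], b["src"])
            + WEIGHTS["dst"] * ip_sim(a["dst"], b["dst"])
            + WEIGHTS["dport"] * (1.0 if a["dport"] == b["dport"] else 0.0))

def cohesion(cluster: List[int]) -> float:
    """Cluster cohesion as mean pairwise similarity; a singleton counts as 1.0."""
    if len(cluster) < 2:
        return 1.0
    pairs = list(combinations(cluster, 2))
    return sum(alert_sim(ALERTS[i], ALERTS[j]) for i, j in pairs) / len(pairs)

def medoid(cluster: List[int]) -> int:
    """Member with the largest total similarity to the whole cluster."""
    return max(cluster, key=lambda i: sum(alert_sim(ALERTS[i], ALERTS[j]) for j in cluster))

def bisect(cluster: List[int], iters: int = 10) -> Tuple[List[int], List[int]]:
    """Two-way split seeded by the medoid and its least similar member (stand-in for 2-means)."""
    m = medoid(cluster)
    seeds = [m, min(cluster, key=lambda i: alert_sim(ALERTS[i], ALERTS[m]))]
    parts: Tuple[List[int], List[int]] = ([], [])
    for _ in range(iters):
        parts = ([], [])
        for i in cluster:   # assign each alert to the seed it resembles more
            sims = [alert_sim(ALERTS[i], ALERTS[s]) for s in seeds]
            parts[0 if sims[0] >= sims[1] else 1].append(i)
        new_seeds = [medoid(p) if p else s for p, s in zip(parts, seeds)]
        if new_seeds == seeds:   # assignment is stable
            break
        seeds = new_seeds
    return parts

def aggregate(indices: Sequence[int], min_cohesion: float = 0.8) -> List[List[int]]:
    """Bisecting aggregation: keep splitting the least cohesive cluster (threshold assumed)."""
    clusters = [list(indices)]
    while True:
        weakest = min(clusters, key=cohesion)
        if len(weakest) < 2 or cohesion(weakest) >= min_cohesion:
            return clusters
        left, right = bisect(weakest)
        if not left or not right:   # defensive: no progress possible
            return clusters
        clusters.remove(weakest)
        clusters.extend([left, right])

def extract_abnormal(clusters: List[List[int]], min_size: int = 2) -> List[int]:
    """Abnormal alerts: members of clusters too small to form a recurring pattern."""
    return [i for c in clusters if len(c) < min_size for i in c]

def meta_alert(cluster: List[int]) -> Dict[str, object]:
    """Generalise a cluster's attributes into one readable meta-alert."""
    members = [ALERTS[i] for i in cluster]
    def ip_pattern(field: str) -> str:
        octets = common_prefix([a[field].split(".") for a in members])
        return ".".join(octets + ["*"] * (4 - len(octets)))
    ports = {a["dport"] for a in members}
    return {"class": common_prefix([TAXONOMY[a["class"]] for a in members])[-1],
            "src": ip_pattern("src"), "dst": ip_pattern("dst"),
            "dport": ports.pop() if len(ports) == 1 else "*", "count": len(members)}

if __name__ == "__main__":
    found = aggregate(range(len(ALERTS)))
    for c in found:
        print(f"cohesion={cohesion(c):.3f}", meta_alert(c))
    print("abnormal alert indices:", extract_abnormal(found))
```

On the constructed input the recon alerts from 10.0.0.5 and the web attacks against 192.168.1.20 each collapse into one meta-alert (`recon 10.0.0.5 -> 192.168.1.*:22` and `web 203.0.113.* -> 192.168.1.20:80`), while the lone RDP brute-force alert ends up in a singleton cluster and is reported as abnormal. The cohesion threshold and the singleton rule are knobs an analyst would tune against their own alert volume.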
References
[1] Mu Chengpo, Huang Houkuan, Tian Shengfeng. Survey of Intrusion-Detection Alert Aggregation and Correlation Techniques [J]. Computer Research and Development, 2006, 43(1): 1-8.
[2] Wang Zhuo, Fan Jiulun, Liu Jianhua. Improved Aggregation Algorithm for Intrusion-Detection Alerts [J]. Computer Engineering and Applications, 2010, 46(7): 107-109.
[3] Guo Fan, Yu Min, Ye Jihua. Alert Aggregation Algorithm Based on Category and Similarity [J]. Computer Applications, 2007, 27(10): 2446-2449.
[4] Julisch K. Using Root Cause Analysis to Handle Intrusion Detection Alarms [D]. Dortmund, Germany: University of Dortmund, 2003.
[5] Saad S, Traore I. A Semantic Analysis Approach to Manage IDS Alerts Flooding [C]// 2011 7th International Conference on Information Assurance and Security (IAS). IEEE, 2011: 156-161.
[6] Siraj M M, Maarof M A, Hashim S Z M. Intelligent Clustering with PCA and Unsupervised Learning Algorithm in Intrusion Alert Correlation [C]// 2009 Fifth International Conference on Information Assurance and Security (IAS). IEEE, 2009, 1: 679-682.
[7] Xu Xiaobo, Jiang Qinqin, Zheng Kangfeng, et al. IDS Alert Clustering Algorithm Based on Chaotic Particle Swarm Optimization [J]. Journal on Communications, 2013, 34(3): 105-110.
[8] Ahrabi A A A, Navin A H, Bahrbegi H, et al. A New System for Clustering and Classification of Intrusion Detection System Alerts Using Self-Organizing Maps [J]. International Journal of Computer Science and Security (IJCSS) (ISSN 1985-1553), 2010, 4(6): 589-597.
[9] Steinbach M, Karypis G, Kumar V. A Comparison of Document Clustering Techniques [J]. KDD Workshop on Text Mining (ISSN 2095-2236), 2000, 400(1): 525-526.