Computer Engineering (计算机工程) ›› 2007, Vol. 33 ›› Issue (21): 122-124, doi: 10.3969/j.issn.1000-3428.2007.21.043

• Security Technology •

Network Intrusion Correlation Analysis Based on Clustering and Alert Prerequisites

吴正桢1,陈秀真2,李建华1,2   

  1. (1. Department of Electronic Engineering, Shanghai Jiaotong University, Shanghai 200240; 2. School of Information Security Engineering, Shanghai Jiaotong University, Shanghai 200240)
  • Received: 1900-01-01 Revised: 1900-01-01 Online: 2007-11-05 Published: 2007-11-05

Correlation and Analysis of Intrusion Alerts Based on Clustering Algorithm and Alerts’ Prerequisite-consequence Attribute

WU Zheng-zhen1, CHEN Xiu-zhen2, LI Jian-hua1,2   

  1. (1. Department of Electronic Engineering, Shanghai Jiaotong University, Shanghai 200240; 2. Department of Information Security and Engineering, Shanghai Jiaotong University, Shanghai 200240)
  • Received: 1900-01-01 Revised: 1900-01-01 Online: 2007-11-05 Published: 2007-11-05

Abstract (translated): This paper analyses clustering algorithms and the alert prerequisite-consequence correlation method and, building on both, proposes a network intrusion correlation analysis model based on clustering and alert prerequisites. Test results on the DARPA 2000 dataset show that the proposed model can effectively pre-process alert information. Compared with using only the prerequisite-consequence correlation method, it successfully eliminates three erroneous alert correlations and noticeably improves the correlation result.

Keywords (translated): intrusion detection, clustering algorithm, prerequisite-consequence correlation method

Abstract: After analysing the clustering algorithm and alerts’ prerequisite-consequence attributes, a novel approach to correlating and analysing intrusion alerts based on the combination of both is proposed. Experimental results on the DARPA 2000 dataset prove that this approach can pre-process alerts successfully. Compared with the result of using only the prerequisite-consequence alert correlation method, the proposed approach successfully eliminates three correlation errors, thus improving the effectiveness of the correlation.

Key words: intrusion detection, clustering algorithm, prerequisite-consequence alert correlation method

CLC number: