
Computer Engineering (计算机工程), 2008, Vol. 34, Issue (2): 267-269. doi: 10.3969/j.issn.1000-3428.2008.02.090

• Development Research and Design Technology •

Design and Implementation of Alert Verification Module in Intrusion Detection System
(Chinese title: 入侵检测系统中报警验证模块的设计与实现)

ZUO Jing (左晶) 1, DUAN Hai-xin (段海新) 2, YU Xue-li (于雪莉) 2

  1. Department of Electronic Engineering, Tsinghua University, Beijing 100084
  2. Research Center of Information Network Engineering, Tsinghua University, Beijing 100084

  • Received: 1900-01-01 Revised: 1900-01-01 Online: 2008-01-20 Published: 2008-01-20

Abstract (translated from the Chinese): Although a traditional intrusion detection system can detect attack attempts by signature matching, it cannot verify whether an attempt has succeeded, so the alerts it generates are both enormous in number and high in false-positive rate. This paper proposes a method that verifies the alerts generated by an intrusion detection system with the help of a vulnerability-scanning tool: whether an attack can succeed is judged by whether the attacked host contains a vulnerability that would allow the attack to succeed, and alerts whose target host does not have the corresponding vulnerability are lowered in priority, thereby improving alert quality. The design and implementation of each part of the alert verification model are described. Results from running the system show that the method effectively compresses the alert volume, reduces the false-positive rate, and helps administrators find, among large amounts of data, the real alerts that most deserve attention.

Keywords (translated from the Chinese): alert verification, intrusion detection system, network security

Abstract: A traditional intrusion detection system detects intrusion attempts using a signature-based method, but it can hardly determine whether the attempt is successful. As a result, alerts generated by the IDS are not only huge in number but also poor in data quality, i.e. they contain many false positives. This paper presents a method to verify alerts using vulnerability-scanning tools. The idea of alert verification is to check whether the destination host has the vulnerability needed for the intrusion to succeed. According to the result of the alert verification process, attacks that probably failed are lowered in priority. The experimental results show that the alert verification model in a distributed IDS can compress duplicated alerts and reduce false positives efficiently, which helps network administrators focus on actual alerts among an overwhelming amount of data.
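The verification step described in the abstract, as an added example that is not the paper's code: each IDS signature is mapped to the vulnerability ids the attack depends on, the scanner's per-host findings are looked up for the alert's destination, alerts whose target was scanned and lacks every required vulnerability are downgraded, and duplicate (signature, source, destination) alerts are compressed into one counted entry. The signature ids, vulnerability ids, hosts, priority scale and sample alert stream are all constructed placeholders; the mapping from signatures to vulnerabilities and the scan-result format are assumptions, since the page does not give them.

```python
"""Alert verification by correlating IDS alerts with vulnerability-scan results.

Added example, not code from the paper: it illustrates the idea in the abstract
(check whether the target host has a vulnerability the attack needs, downgrade
alerts whose target lacks it, compress duplicate alerts). Signature ids,
vulnerability ids, hosts and alerts below are all constructed placeholders.
"""
from dataclasses import dataclass

LOWEST_PRIORITY = 4  # assumed scale: 1 (highest) .. 4 (lowest)

# Constructed: IDS signature id -> vulnerability ids the attack depends on.
# The attack is considered feasible if the target has any one of them.
SIGNATURE_VULNS = {
    "sig-1001": {"vuln-A"},
    "sig-1002": {"vuln-B", "vuln-C"},
    "sig-1003": set(),  # signature with no known vulnerability dependency
}

# Constructed: scanner output, host -> vulnerability ids found on that host.
SCAN_RESULTS = {
    "10.0.0.5": {"vuln-A"},
    "10.0.0.6": {"vuln-C"},
    "10.0.0.7": set(),  # scanned, nothing relevant found
}


@dataclass(frozen=True)
class Alert:
    sig_id: str
    src: str
    dst: str
    priority: int


def verify_alert(alert, sig_vulns=SIGNATURE_VULNS, scan=SCAN_RESULTS):
    """Return (status, adjusted_priority) for one alert.

    Only alerts whose target was scanned and found NOT to have any required
    vulnerability are downgraded; unknown or unscanned cases keep their
    priority, so missing data never hides a possibly real attack.
    """
    needed = sig_vulns.get(alert.sig_id, set())
    if not needed:
        return "unknown", alert.priority
    if alert.dst not in scan:
        return "unscanned", alert.priority
    if needed & scan[alert.dst]:
        return "verified", alert.priority
    return "not_vulnerable", min(alert.priority + 2, LOWEST_PRIORITY)


def verify_and_compress(alerts, sig_vulns=SIGNATURE_VULNS, scan=SCAN_RESULTS):
    """Verify each distinct (signature, src, dst) once, count its duplicates,
    and return the groups ordered by adjusted priority, then by volume."""
    groups = {}
    for a in alerts:
        key = (a.sig_id, a.src, a.dst)
        if key in groups:
            groups[key]["count"] += 1
            continue
        status, prio = verify_alert(a, sig_vulns, scan)
        groups[key] = {"sig_id": a.sig_id, "src": a.src, "dst": a.dst,
                       "status": status, "priority": prio, "count": 1}
    return sorted(groups.values(), key=lambda g: (g["priority"], -g["count"]))


# Constructed sample alert stream: 8 raw alerts, 5 distinct groups.
SAMPLE_ALERTS = [
    Alert("sig-1001", "192.0.2.10", "10.0.0.5", 1),
    Alert("sig-1001", "192.0.2.10", "10.0.0.5", 1),
    Alert("sig-1001", "192.0.2.10", "10.0.0.5", 1),
    Alert("sig-1001", "192.0.2.10", "10.0.0.7", 1),  # target lacks vuln-A
    Alert("sig-1001", "192.0.2.10", "10.0.0.7", 1),
    Alert("sig-1002", "192.0.2.11", "10.0.0.6", 2),
    Alert("sig-1003", "192.0.2.11", "10.0.0.5", 2),
    Alert("sig-1001", "192.0.2.12", "10.0.0.9", 1),  # host never scanned
]

if __name__ == "__main__":
    for g in verify_and_compress(SAMPLE_ALERTS):
        print(f"p{g['priority']} x{g['count']:<2} {g['status']:<14} "
              f"{g['sig_id']} {g['src']} -> {g['dst']}")
```

On the constructed stream the three identical alerts against 10.0.0.5 collapse into one verified entry at the top, the two against 10.0.0.7 collapse into one entry pushed to the bottom because the scanner found no vuln-A there, and the alert against the never-scanned 10.0.0.9 keeps its original priority rather than being dismissed for lack of data.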

Key words: alert verification, Intrusion Detection System(IDS), network security

CLC number: