
Computer Engineering ›› 2006, Vol. 32 ›› Issue (17): 25-27. doi: 10.3969/j.issn.1000-3428.2006.17.009

• Degree Paper •

Method of Reducing False Positive Alerts Based on Support Vector Machine in Intrusion Detection

XIAO Yun; HAN Chongzhao

  1. (School of Electronic & Information Engineering, Xi’an Jiaotong University, Xi’an 710049)

  • Online: 2006-09-05 Published: 2006-09-05

Method of Reducing False Positive Alerts in Intrusion Detection Based on Support Vector Machine

XIAO Yun; HAN Chongzhao

  1. (School of Electronic and Information Engineering, Xi'an Jiaotong University, Xi'an 710049)

Abstract: A support vector machine (SVM) is used to process the alerts produced by an intrusion detection system in order to reduce false positive alerts. Because the alert data are heterogeneous, an RBF-like kernel based on the heterogeneous value difference metric, which measures distances between heterogeneous values exactly, is applied. The experimental data are the alerts produced by Snort, a network intrusion detection system, on attack and normal traffic in a test environment. Six background attributes are added to the experimental data to improve classification accuracy. The test results confirm the good performance of the method: without increasing false negative alerts, the true positive ratio is 100%, the false positive reduction ratio is 99.7291%, and the processing time per record is 0.38 ms.

Key words: Intrusion detection, False positive alert, Support vector machine (SVM)

Abstract: Support vector machines are applied to the alert data produced by an intrusion detection system in order to reduce the large number of false positive alerts. Because the alert data are heterogeneous, an RBF-like kernel function that can accurately measure heterogeneous distances is chosen when constructing the SVM, so as to improve classification accuracy. The experimental data are the alert set produced by the intrusion detector Snort on attack and normal data obtained in the experimental environment, with 6 background attributes added to enhance classification accuracy. Test results show that the method performs well: without increasing false negatives, the true alert rate is 100%, the false alert elimination rate is 99.7291%, and the processing time per record is 0.38 ms.
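As an added illustration (not code from the paper), the kernel construction the abstract describes: a heterogeneous value difference metric over mixed nominal and numeric alert attributes, plugged into an RBF-shaped kernel in place of Euclidean distance. The HVDM follows Wilson and Martinez (1997); the alert records, attribute layout and gamma are constructed assumptions.

```python
import math
from collections import Counter, defaultdict

# Constructed sample alerts (not the paper's data set): each record is
# (signature, protocol, dst_port, payload_len) with label 1 = true alert,
# 0 = false positive. signature/protocol are nominal, port/length numeric.
NOMINAL, NUMERIC = (0, 1), (2, 3)
ALERTS = [
    (("sid:1000", "TCP", 80, 1200), 1),
    (("sid:1000", "TCP", 80, 1100), 1),
    (("sid:1000", "TCP", 8080, 900), 1),
    (("sid:2000", "UDP", 53, 80), 0),
    (("sid:2000", "UDP", 53, 90), 0),
    (("sid:3000", "ICMP", 0, 64), 0),
    (("sid:3000", "TCP", 443, 300), 1),
    (("sid:2000", "TCP", 53, 70), 0),
]

class HVDM:
    """Heterogeneous Value Difference Metric (Wilson & Martinez, 1997)."""
    def __init__(self, records):
        self.classes = sorted({c for _, c in records})
        # counts[a][v][c]: how often value v of nominal attribute a has class c
        self.counts = {a: defaultdict(Counter) for a in NOMINAL}
        for x, c in records:
            for a in NOMINAL:
                self.counts[a][x[a]][c] += 1
        # numeric attributes are normalised by 4 standard deviations
        self.scale = {}
        for a in NUMERIC:
            vals = [x[a] for x, _ in records]
            mean = sum(vals) / len(vals)
            sigma = math.sqrt(sum((v - mean) ** 2 for v in vals) / len(vals))
            self.scale[a] = 4 * sigma if sigma > 0 else 1.0

    def _vdm(self, a, u, v):
        # nominal distance: how differently u and v are distributed over classes
        cu, cv = self.counts[a][u], self.counts[a][v]
        nu, nv = sum(cu.values()), sum(cv.values())
        if nu == 0 or nv == 0:      # unseen value: maximal distance
            return 1.0
        return math.sqrt(sum((cu[c] / nu - cv[c] / nv) ** 2 for c in self.classes))

    def distance(self, x, y):
        d2 = sum(self._vdm(a, x[a], y[a]) ** 2 for a in NOMINAL)
        d2 += sum((abs(x[a] - y[a]) / self.scale[a]) ** 2 for a in NUMERIC)
        return math.sqrt(d2)

def rbf_like_kernel(metric, x, y, gamma=1.0):
    """RBF-shaped kernel with HVDM substituted for Euclidean distance."""
    return math.exp(-gamma * metric.distance(x, y) ** 2)
```

The resulting kernel matrix over all alerts can be handed to any SVM library that accepts a precomputed kernel.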

Key words: Intrusion detection, False positive alert, Support vector machine
