Abstract:

In order to deal with the large quantity of low quality intrusion detection alerts, the alert verification and aggregation technic based on multi-source security information is developed. The model of alert verification is based on logic predication. The spatial, temporal properties and attack type are analyzed to aggregate the alerts. The method put forward can get rid of non-relevant positive alerts and eliminate redundant alerts timely.

Key words: Intrusion detection, Alert verification, Alert aggregation

摘要： 针对网络入侵检测系统产生大量低质量告警的问题，提出了基于多源安全信息的告警校验与聚合技术，采用一阶谓词逻辑对告警校验进行了建模，并综合分析告警的时间、空间、攻击类型三维属性，对告警进行聚合。提出的方法能够实时、有效地滤除无关告警，消除冗余度，实现告警的精简。

关键词: 入侵检测, 告警校验, 告警聚合