Abstract:
To condense the flood of alerts produced by an IDS and so reduce its false-positive rate, this paper presents an alert verification scheme based on an active Dempster-Shafer (D-S) theory classifier. The scheme captures the probabilistic relationships among the factors that influence the verification result, which resolves the problem that traditional verification methods are too rigid, and it learns from observed attack behaviour to improve verification accuracy. The scheme is evaluated on the DARPA 2000 LLDOS1.0 intrusion detection scenario data set from MIT Lincoln Laboratory, and the experimental results demonstrate its effectiveness.
Key words:
alert verification,
D-S theory,
classifier
Abstract (translated from the Chinese): To condense the massive volume of alerts generated by an IDS and reduce its false-positive rate, an alert verification method based on an active D-S theory classifier is proposed. The method reflects the probabilistic relationships among the factors that influence the verification result, effectively resolves the problem that traditional verification methods are too rigid, and can learn from attack behaviour to improve verification accuracy. The method is evaluated on the DARPA 2000 intrusion detection attack scenario data set LLDOS1.0 provided by MIT Lincoln Lab, and the experimental results confirm its effectiveness.
Key words (translated from the Chinese):
alert verification,
D-S theory,
classifier
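Both abstracts refer to D-S (Dempster-Shafer) theory without showing how evidence about an alert is combined. The Python block below is an added illustration, not code from the paper and not its classifier: it applies Dempster's rule of combination to three constructed verification factors for a single alert (whether the target host answered a probe, whether the attacked port was open, whether the service version matched the exploited vulnerability), reports belief and plausibility that the alert is real, and maps them to a three-way verdict instead of a strict accept/reject. The check names, mass values and decision thresholds are assumptions chosen for the example; the paper's own factors and its learning step are not reproduced here.

```python
"""Dempster-Shafer combination of alert-verification evidence.

Added illustration only: the factors, mass values and thresholds below are
assumptions for the example and are not taken from the paper.

Frame of discernment Theta = {"real", "false"}: the alert corresponds to a
real attack, or it is a false positive.  A mass function assigns belief
mass to subsets of Theta; mass on Theta itself is ignorance, which is what
lets a weak or missing check avoid forcing a verdict.
"""
from itertools import product

REAL = frozenset({"real"})
FALSE = frozenset({"false"})
THETA = REAL | FALSE          # total ignorance
VACUOUS = {THETA: 1.0}        # "no evidence" mass function


def combine(m1, m2):
    """Dempster's rule of combination.

    m(A) = sum over B & C == A of m1(B) * m2(C), divided by (1 - K),
    where K is the mass that lands on the empty intersection (conflict).
    """
    combined = {}
    conflict = 0.0
    for (b, wb), (c, wc) in product(m1.items(), m2.items()):
        a = b & c
        w = wb * wc
        if not a:
            conflict += w
        else:
            combined[a] = combined.get(a, 0.0) + w
    if conflict >= 1.0 - 1e-12:
        # Sources that flatly contradict each other cannot be combined;
        # refuse rather than divide by zero and return garbage.
        raise ValueError("total conflict between evidence sources")
    return {a: w / (1.0 - conflict) for a, w in combined.items()}


def belief(m, hypothesis):
    """Bel(H): mass committed to subsets of H (lower bound on support)."""
    return sum(w for a, w in m.items() if a <= hypothesis)


def plausibility(m, hypothesis):
    """Pl(H): mass not committed against H (upper bound on support)."""
    return sum(w for a, w in m.items() if a & hypothesis)


def evidence_sources(host_alive=None, port_open=None, vulnerable_version=None):
    """Turn the outcome of three constructed active checks into mass functions.

    None means the check was not run, so it contributes nothing (vacuous).
    The numbers are illustrative weights, not measured probabilities.
    """
    sources = []
    if host_alive is not None:
        sources.append({REAL: 0.3, THETA: 0.7} if host_alive
                       else {FALSE: 0.9, THETA: 0.1})
    if port_open is not None:
        sources.append({REAL: 0.5, THETA: 0.5} if port_open
                       else {FALSE: 0.8, THETA: 0.2})
    if vulnerable_version is not None:
        sources.append({REAL: 0.8, THETA: 0.2} if vulnerable_version
                       else {FALSE: 0.6, THETA: 0.4})
    return sources


def verify_alert(**checks):
    """Combine all available evidence and grade the alert.

    Instead of the strict accept/reject of classical verification, the
    verdict stays "uncertain" when belief is low but plausibility is not.
    Thresholds 0.7 and 0.3 are assumptions for the illustration.
    """
    m = dict(VACUOUS)
    for source in evidence_sources(**checks):
        m = combine(m, source)
    bel = belief(m, REAL)
    pl = plausibility(m, REAL)
    if bel >= 0.7:
        verdict = "verified"
    elif pl <= 0.3:
        verdict = "rejected"
    else:
        verdict = "uncertain"
    return {"belief": round(bel, 4), "plausibility": round(pl, 4),
            "verdict": verdict}


if __name__ == "__main__":
    # Constructed scenarios for one remote-exploit alert.
    for checks in ({"host_alive": True, "port_open": True, "vulnerable_version": True},
                   {"host_alive": True, "port_open": True, "vulnerable_version": False},
                   {"host_alive": False, "port_open": False}):
        print(checks, "->", verify_alert(**checks))
```

The middle scenario is the case a strict verifier handles badly: the host and port checks support the alert, the version check contradicts it, and Dempster's rule normalises the conflict away to leave belief 0.43 and plausibility 0.66, so the alert is neither confirmed nor discarded. A check that could not be run contributes only ignorance and never tips the result on its own.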
HE Guang-yu; WEN Ying-you; ZHAO Hong. Alert Verification Based on Active D-S Theory Classifier[J]. Computer Engineering, 2009, 35(4): 19-22.
何光宇; 闻英友; 赵宏. Alert Verification Based on Active D-S Theory Classifier [J]. 计算机工程 (Computer Engineering), 2009, 35(4): 19-22.