计算机工程与应用 (Computer Engineering and Applications) ›› 2012, Vol. 48 ›› Issue (13): 57-62.

• Network, Communication and Security •

Model for real-time fusion of network intrusion alert information

段祥雯, 杨兵, 张怡

  1. School of Computer Science, National University of Defense Technology, Changsha 410073
  • Online: 2012-05-01 Published: 2012-05-09

Model of network intrusion alerts real-time fusion

DUAN Xiangwen, YANG Bing, ZHANG Yi   

  1. School of Computer Science, National University of Defense Technology, Changsha 410073, China
  • Online: 2012-05-01 Published: 2012-05-09

Abstract: To address the problems that distributed intrusion detection and network security early warning must solve, multi-sensor data fusion techniques are studied. Based on an analysis of the various complex relationships among IDS alerts, a real-time alert fusion model is proposed, and an alert fusion system is built on it. The system fuses alerts from multiple heterogeneous IDS sensors in real time, forms an attack sequence graph of the intrusion event, and on that basis performs threat assessment and attack prediction. The model adds a false-negative inference function to reduce the impact of missed alerts and to produce more complete attack scenarios. Experimental results show that the fusion system built on this model performs well in practice, with high accuracy and a high alert reduction rate.

Keywords: intrusion detection, alert correlation, alert fusion

Abstract: To resolve the problems that distributed intrusion detection and network attack warning systems have to confront, multi-sensor data fusion techniques are studied. Based on an analysis of the various complex relationships among IDS alerts, this paper presents a real-time alert fusion model. A real-time alert fusion system based on it is realized, which fuses alarms from various heterogeneous IDS sensors in real time, generates an attack sequence view of the intrusion, evaluates threats and predicts potential attacks. Furthermore, a false-negative reasoning function is introduced, which aims to reduce the adverse effects of missed alerts and builds more complete attack scenarios. Experimental results show that the real-time fusion system based on this model works effectively, with high accuracy and a high alarm reduction rate.

Key words: intrusion detection, alert correlation, alert fusion
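As an added illustration, not code from the paper (whose model is not given on this page): a small Python sketch of the pipeline the abstract describes, normalizing alerts from two heterogeneous sensors, fusing repeats within a time window, ordering the result along a stage chain, marking a skipped stage as an inferred missed alert, predicting the next stage and computing the alert reduction rate. The sensor schemas, sample alerts and the STAGES chain are all constructed assumptions.

```python
from collections import defaultdict

# Constructed sample alerts from two heterogeneous sensors with different schemas.
SENSOR_A = [  # network IDS: three repeats of the same scan
    {"ts": 100, "sig": "port_scan", "src": "10.0.0.5", "dst": "10.0.0.9"},
    {"ts": 101, "sig": "port_scan", "src": "10.0.0.5", "dst": "10.0.0.9"},
    {"ts": 103, "sig": "port_scan", "src": "10.0.0.5", "dst": "10.0.0.9"},
]
SENSOR_B = [  # host IDS: no exploit_attempt alert was raised (a missed alert)
    {"time": 160, "event": "root_shell", "source": "10.0.0.5", "target": "10.0.0.9"},
]
# Assumed attack-stage chain (prerequisite -> consequence), not the paper's own knowledge base.
STAGES = ["port_scan", "exploit_attempt", "root_shell", "data_exfil"]

def normalize(net_alerts, host_alerts):
    """Map both sensor schemas onto one form: (ts, stage, src, dst), time-ordered."""
    uni = [(a["ts"], a["sig"], a["src"], a["dst"]) for a in net_alerts]
    uni += [(b["time"], b["event"], b["source"], b["target"]) for b in host_alerts]
    return sorted(uni)

def fuse(alerts, window=10):
    """Collapse repeats of one stage/src/dst within `window` seconds into a single alert."""
    fused = []
    for ts, stage, src, dst in alerts:
        last = fused[-1] if fused else None
        if last and last["key"] == (stage, src, dst) and ts - last["last"] <= window:
            last["last"], last["count"] = ts, last["count"] + 1
        else:
            fused.append({"key": (stage, src, dst), "first": ts, "last": ts, "count": 1})
    return fused

def build_sequences(fused):
    """Per (src, dst): order stages, mark skipped stages as inferred misses, predict the next."""
    seen = defaultdict(set)
    for f in fused:
        stage, src, dst = f["key"]
        seen[(src, dst)].add(STAGES.index(stage))
    seqs = {}
    for pair, idx in seen.items():
        lo, hi = min(idx), max(idx)
        seq = [(STAGES[i], "observed" if i in idx else "inferred") for i in range(lo, hi + 1)]
        nxt = STAGES[hi + 1] if hi + 1 < len(STAGES) else None
        seqs[pair] = {"sequence": seq, "predicted_next": nxt}
    return seqs

def run():
    """Returns fused alerts, attack sequences and the alert reduction rate (1 - fused/raw)."""
    raw = normalize(SENSOR_A, SENSOR_B)
    fused = fuse(raw)
    return fused, build_sequences(fused), 1 - len(fused) / len(raw)
```

On the constructed input, four raw alerts fuse to two, the missing exploit_attempt stage is flagged as inferred, and data_exfil is predicted as the next stage.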