Computer Engineering and Applications ›› 2009, Vol. 45 ›› Issue (15): 81-85.DOI: 10.3778/j.issn.1002-8331.2009.15.025

• Network, Communication and Security •

Modeling and definition of alert urgent degree in IDS

JIANG Shao-hua 1,3, HU Hua-ping 2

  1. Department of Computer, Hunan Normal University, Changsha 410081, China
  2. School of Computer, National University of Defense Technology, Changsha 410073, China
  3. Digital Engineer Center, Huazhong University of Science and Technology, Wuhan 430074, China
  • Received: 2008-11-28 Revised: 2009-01-12 Online: 2009-05-21 Published: 2009-05-21
  • Contact: JIANG Shao-hua

Definition and Modeling of Alert Urgent Degree in IDS

JIANG Shao-hua 1,3, HU Hua-ping 2

  1. Department of Computer, Hunan Normal University, Changsha 410081
  2. School of Computer, National University of Defense Technology, Changsha 410073
  3. Digital Engineering Center, Huazhong University of Science and Technology, Wuhan 430074
  • Corresponding author: JIANG Shao-hua

Abstract: When many alerts are presented to the administrator at the same time, decisions are made according to network attack severity, network attack classification and attack effect. These concepts do not consider the response opportunity, the order in which intrusions occur, and similar factors; they reflect only static information. Based on this situation, the concept of Alert Urgent Degree (AUD) is proposed. This concept considers the following factors for the first time: (1) the trustworthiness and the frequency of the alert; (2) the time elapsed since the alert began; (3) the cost of responding to the intrusion. Furthermore, the direct factors that affect the AUD are analyzed, and the indirect factors related to the intrusion are also introduced. Finally, based on mathematical reasoning, this paper presents the model of AUD.

Key words: Alert Urgent-Degree (AUD), Intrusion Detection Systems (IDS), alert, network attack severity, modeling

Abstract: When multiple IDS detection agents submit intrusion alerts at the same time, the existing bases for decision are mainly alert harm degree, network attack classification and attack effect evaluation, but these concepts do not consider factors such as the response opportunity and the order in which intrusions occur; they reflect only static information. In view of this situation, the concept of alert urgent degree is first proposed; it comprehensively considers the following factors: (1) the trustworthiness of the alert and the number of times it is raised; (2) the time elapsed from the start of the alert to the present; (3) the cost required to respond to the intrusion. Then, the direct factors affecting urgent degree, together with the manner and magnitude of their influence, and the indirect factors related to the attack and the degree of their influence, are analyzed. Finally, based on mathematical reasoning, a mathematical model of alert urgent degree is given.

Keywords: urgent degree, intrusion detection system, alert, network attack, model
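The abstracts above contrast a static ranking of alerts (by attack severity alone) with a dynamic one that also weighs alert trustworthiness, repeat count, elapsed time and response cost. The following Python is an added illustration written for this page; it is not the paper's AUD model, whose formula is not given here. The weighting function `urgency`, the half-life decay of older alerts, the cap on repeat count and the sample alerts are all assumptions chosen to show how the two rankings can disagree.

```python
from dataclasses import dataclass


@dataclass
class Alert:
    """One aggregated IDS alert. All fields are constructed sample data."""
    alert_id: str
    severity: float       # static network attack severity, in [0, 1]
    confidence: float     # how trustworthy the detector's verdict is, in [0, 1]
    count: int            # number of times this alert has been raised
    first_seen: float     # time (seconds) the alert was first raised
    response_cost: float  # relative cost of responding, in [0, 1]


def urgency(alert, now, half_life=600.0, count_cap=10):
    """Assumed toy urgency score (not the paper's model).

    - severity and confidence scale the score multiplicatively;
    - repeated alerts raise it, saturating at count_cap occurrences;
    - urgency halves every half_life seconds since the alert began
      (the direction of the time effect is an assumption here);
    - expensive responses lower it, by up to half.
    """
    age = max(0.0, now - alert.first_seen)
    decay = 0.5 ** (age / half_life)
    repeat = min(alert.count, count_cap) / count_cap
    return (alert.severity * alert.confidence
            * (0.5 + 0.5 * repeat)
            * decay
            * (1.0 - 0.5 * alert.response_cost))


def rank_by_severity(alerts):
    """Static ordering: highest attack severity first."""
    return [a.alert_id for a in sorted(alerts, key=lambda a: a.severity, reverse=True)]


def rank_by_urgency(alerts, now):
    """Dynamic ordering using the assumed urgency score, highest first."""
    return [a.alert_id for a in sorted(alerts, key=lambda a: urgency(a, now), reverse=True)]


# Constructed sample: A is severe but weakly trusted, old and costly to handle;
# B is moderate but trusted, repeated, fresh and cheap; C sits in between.
SAMPLE_ALERTS = [
    Alert("A", severity=0.9, confidence=0.3, count=1, first_seen=0.0, response_cost=0.8),
    Alert("B", severity=0.6, confidence=0.9, count=8, first_seen=1100.0, response_cost=0.2),
    Alert("C", severity=0.7, confidence=0.7, count=2, first_seen=900.0, response_cost=0.5),
]
NOW = 1200.0  # constructed "current time" in seconds

if __name__ == "__main__":
    print("by severity:", rank_by_severity(SAMPLE_ALERTS))
    print("by urgency: ", rank_by_urgency(SAMPLE_ALERTS, NOW))
    for a in SAMPLE_ALERTS:
        print(a.alert_id, round(urgency(a, NOW), 4))
```

With the constructed data the static ranking is A, C, B while the urgency ranking is B, C, A: the severe but stale, low-confidence, costly alert A drops to the bottom, which is the kind of reordering the abstracts argue a static severity score cannot express.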