Abstract
Intrusion detection technology is playing an increasingly important role in network security defense. In practice, to raise the detection rate, multi-point distributed data collection or multi-engine cooperative intrusion detection is usually adopted, but this brings a massive increase in the number of alerts and false positives, so that administrators can neither tell genuine alerts from false ones nor manage the intrusion detection system effectively, which lowers the effectiveness and usability of the IDS. This paper proposes a density-based, noise-tolerant time clustering algorithm and applies alert aggregation and correlation analysis to distributed multi-engine intrusion detection to address this problem. The algorithm and a prototype system were tested on an evaluation dataset and compared with related work. The experimental results show that the system detects distributed scans well and has an advantage in real-time detection performance.
Intrusion detection systems are receiving considerable attention and serving as an indispensable fortification for shielding networks against attackers. To improve the effectiveness of intrusion detection systems, distributed schemes are developed and implemented in real networks. The distributed schemes are classified into two major principles on the basis of data collection and detection engines. Both of them generate a mass of alerts and false positives that flood the administrators and thus impair the effectiveness of IDS. A two-stage real-time solution based on the DBTCAN (density-based time clustering of application with noise) algorithm is presented for alert aggregation and correlation in distributed contexts. The effectiveness of the approach and prototype on the intrusion detection evaluation dataset is demonstrated: attacks are detected more accurately with a low rate of false alarms, and more succinct and informative alerts are provided to administrators with redundant alarms greatly reduced. Comparative experiments and analysis show that the approach is effective in distributed probing detection and that the system gives better results in real-time detection.
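The abstract describes density-based time clustering as the mechanism for collapsing a flood of alerts from several sensors into a few aggregated alerts while leaving isolated alerts as noise. The following Python example, added here for illustration and not the paper's DBTCAN implementation, shows the general idea: a DBSCAN-style clustering over one dimension (alert timestamps), applied per source address to alerts from multiple sensors. A time window `eps` and a minimum point count `min_pts` are assumed parameters; the `Alert` fields, the sensor names and the sample alert list are constructed for the example.

```python
import bisect
from dataclasses import dataclass, field
from typing import Dict, List, Set

@dataclass(frozen=True)
class Alert:
    ts: float        # seconds, relative to an arbitrary epoch (constructed values)
    sensor: str      # which detection engine raised the alert
    src: str         # source address of the suspected activity
    dst: str         # target address
    signature: str   # rule or signature name

@dataclass
class AggregatedAlert:
    src: str
    count: int
    start: float
    end: float
    sensors: Set[str] = field(default_factory=set)
    targets: Set[str] = field(default_factory=set)
    noise: bool = False   # True when the alert did not reach cluster density

def dbscan_1d(times: List[float], eps: float, min_pts: int) -> List[int]:
    """DBSCAN-style clustering on a single time axis.
    Returns one label per input timestamp: a cluster id >= 0, or -1 for noise.
    A point is a core point when at least min_pts timestamps (itself included)
    lie within +/- eps of it; clusters are chains of overlapping core windows."""
    n = len(times)
    order = sorted(range(n), key=times.__getitem__)      # work on sorted positions
    sorted_t = [times[i] for i in order]
    labels: List = [None] * n                            # None = unvisited

    def neighbours(pos: int) -> range:
        lo = bisect.bisect_left(sorted_t, sorted_t[pos] - eps)
        hi = bisect.bisect_right(sorted_t, sorted_t[pos] + eps)
        return range(lo, hi)

    cluster = 0
    for pos in range(n):
        if labels[pos] is not None:
            continue
        nb = neighbours(pos)
        if len(nb) < min_pts:
            labels[pos] = -1                             # provisional noise
            continue
        labels[pos] = cluster
        stack = [p for p in nb if p != pos]
        while stack:                                     # expand the cluster
            q = stack.pop()
            if labels[q] == -1:                          # border point: absorb, don't expand
                labels[q] = cluster
                continue
            if labels[q] is not None:
                continue
            labels[q] = cluster
            nq = neighbours(q)
            if len(nq) >= min_pts:                       # q is itself a core point
                stack.extend(nq)
        cluster += 1

    result = [0] * n
    for pos, original_index in enumerate(order):         # map back to input order
        result[original_index] = labels[pos]
    return result

def aggregate_alerts(alerts: List[Alert], eps: float = 5.0, min_pts: int = 3) -> List[AggregatedAlert]:
    """Group alerts by source, cluster each group in time, and emit one
    aggregated alert per cluster plus one per noise alert."""
    by_src: Dict[str, List[Alert]] = {}
    for a in alerts:
        by_src.setdefault(a.src, []).append(a)
    out: List[AggregatedAlert] = []
    for src, group in by_src.items():
        labels = dbscan_1d([a.ts for a in group], eps, min_pts)
        members: Dict[int, List[Alert]] = {}
        for a, lab in zip(group, labels):
            members.setdefault(lab, []).append(a)
        for lab, ms in members.items():
            if lab == -1:
                out.extend(AggregatedAlert(src, 1, a.ts, a.ts, {a.sensor}, {a.dst}, noise=True) for a in ms)
            else:
                out.append(AggregatedAlert(src, len(ms), min(a.ts for a in ms), max(a.ts for a in ms),
                                           {a.sensor for a in ms}, {a.dst for a in ms}))
    return out

# Constructed sample: one source sweeping six hosts within 12 s, seen by two sensors,
# the same source again an hour later, and an unrelated single alert.
SAMPLE_ALERTS = [
    Alert(0.0, "ids-dmz", "198.51.100.7", "10.0.0.10", "portscan"),
    Alert(2.0, "ids-dmz", "198.51.100.7", "10.0.0.11", "portscan"),
    Alert(3.5, "ids-core", "198.51.100.7", "10.0.0.12", "portscan"),
    Alert(6.0, "ids-core", "198.51.100.7", "10.0.0.13", "portscan"),
    Alert(9.0, "ids-dmz", "198.51.100.7", "10.0.0.14", "portscan"),
    Alert(12.0, "ids-core", "198.51.100.7", "10.0.0.15", "portscan"),
    Alert(3600.0, "ids-dmz", "198.51.100.7", "10.0.0.20", "portscan"),
    Alert(50.0, "ids-core", "203.0.113.9", "10.0.0.10", "bad-traffic"),
]

if __name__ == "__main__":
    for agg in aggregate_alerts(SAMPLE_ALERTS):
        print(agg)
```

Run as a script, the eight sample alerts collapse to three records: one aggregated scan from 198.51.100.7 spanning 0 to 12 s across both sensors and six targets, and two noise alerts that stay individual. The point `eps` and `min_pts` control is the trade-off the abstract mentions: a wider window merges more alerts but risks hiding distinct events, a smaller `min_pts` turns isolated alerts into clusters and raises the false-positive count again.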
Source
Journal of Computer Research and Development (《计算机研究与发展》)
Indexed in: EI, CSCD, Peking University Core Journals (北大核心)
2006, Issue 4, pp. 627-632 (6 pages)
Funding
National High Technology Research and Development Program of China ("863" Program) project (2001AA142020)
Keywords
intrusion detection
IDS
alert aggregation
dataset
testing