摘要
网络入侵检测系统是发现网络安全事件的有力工具.然而在实际的应用中它会产生大量的冗余告警,极大地增加了实时安全分析的难度.提出具有周期性告警是误告警的思想,并通过实际周期的寻找和确定来消除相关冗余告警.算法在中国教育科研网的一个分支网络测试,实验中能够实时去除90%以上的告警,同时对网络中部分周期性告警产生的原因也进行了分析,分析发现这些告警的确是误告警.
NIDS (Network Intrusion Detection System) is an effective device to discover network security events. Nevertheless it will produce a large number of false positives in real network, which makes security analysis in real-time very difficult. This paper puts forward a new idea that alerts with periodicity are false positives, and filters relevant redundant alerts by the discovery and determination of periodicity. This algorithm has been tested in a branch network of CERNET (China Education and Research Network), and over 90% alerts can be removed in this way. Meanwhile some root causes that trigger periodic alerts can be discovered, it can be validated that these alerts are false positives indeed.
出处
《小型微型计算机系统》
CSCD
北大核心
2009年第7期1336-1340,共5页
Journal of Chinese Computer Systems
基金
国家自然科学基金项目(60573120)资助
关键词
周期分析
误告警
入侵检测
重尾分布
period analysis
false positives
intrusion detection
heavy-tailed distribution
