一种基于数据挖掘的多步入侵警报关联模型

基于传统网络入侵检测系统, 提出一种基于数据挖掘的多步入侵警报关联模型. 该模型能将多个入侵检测系统的警报信息进行融合, 对大量、 无序的警报信息进行分析, 发现其中的内在联系, 精简攻击事件警报, 并通过不断更新场景知识库发现融合后警报中的多步入侵行为. 与已有模型进行对比的结果表明, 该模型的关联分析方法及多步入侵知识库的建立有助于更好地结合系统的特征实现多步入侵的警报关联.

An Intrusion Alert Correlation Model Based on Data Mining

According to the researches of traditional network intrusion detection, we proposed a multi step intrusion alert collaborative model based on data mining, by which the alert information of several intrusion detection systems can be integrated so as to find the inner contacts by analysing themassive, disordered alert information, the attack alert can be simplified, and the multi step intrusion in the integrated alert information can be found through the constantly updated knowledge database. Comparison of the model with the existing model shows that the correlation analysis method of this model and the build of the multi step intrusion knowledge base really do help to the combination of the characteristics of different systems so as to realize multi step intrusion alert collaborative researches.