基于改进的进化型自组织映射的攻击实例挖掘

针对从入侵检测系统产生的复杂报警数据中难以获取有意义的攻击实例的问题,提出了一种基于改进的进化型自组织映射（IESOM）的攻击实例挖掘方法。IESOM算法给出了基于获胜神经元和其它神经元的距离的连接强度初始值,解决了进化型自组织映射（ESOM）算法中的连接强度初始值的选择问题。基于IESOM的攻击实例挖掘方法先对报警数据进行IESOM聚类,再使用合并规则得到初步的攻击实例,最后使用筛选规则获取有意义的攻击实例。对XJTU-sensor的报警数据的攻击案例获取结果表明了提出的基于IESOM的攻击实例挖掘方法能够从大量的报警数据中高效地获取典型的攻击实例。

Mining Attack Instances Based on Improved Evolving Self-organizing Maps

To solve the problems of obtaining interesting attack instances from complicated alerts generated by intrusion detection system, an attack instances mining method based on improved evolving self-organizing maps (IESOM) was proposed. The initial connection strengths between the winning neure and other neures were defined on the basis of their distances in IESOM, which solve the problem of choosing the initial connection strengths in evolving self-organizing maps (ESOM). These alerts were firstly clustered using IESOM, and these clustering results were merged with the merging rule to obtain initial attack instances in attack instances mining method based on IESOM, then these significative attack instances were obtained after filtering those initial attack instances according to a few of filtering rules. The attack instances mining results on the alerts raised by XJTU-sensor show that the proposed method is effective to obtain attack instances from plentiful alerts.