Application Research of Computers (计算机应用研究), 2016, Vol. 33, Issue 3: 848-850, 859, 4. DOI: 10.3969/j.issn.1001-3695.2016.03.047

Research on hierarchical alerts correlation based on causality (基于因果关系的分层报警关联研究)
Abstract
Intrusion detection systems generate a great deal of alert data, which makes alert correlation time-consuming and its results too complicated to understand. To address these problems, this paper develops a hierarchical alert correlation model based on causality. First, alerts are classified by the IP address of the attack target, and causal correlation is performed within each class to reconstruct attack paths, taking the single-step attack as the node. The similarity of single-step attacks and the similarity of attack patterns are defined, and topological sorting is used to merge similar nodes into an abstract attack pattern; the similarity between attack patterns is then calculated to predict threats. Finally, attack scenarios are correlated spatially at a higher level, taking the victim as the node. Experimental results show that the hierarchical correlation results have a simple structure, which helps identify the attack strategy and guide the security response, and that clustering before correlation is clearly more efficient.

Keywords: alert correlation; alert aggregation; causality; attack pattern; similarity of single-step attack; similarity of attack patterns
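An added example, not the paper's code, sketching the first two levels the abstract describes: alerts are clustered by target IP, a causal DAG over single-step attack types is built inside each cluster from an assumed cause table, repeated steps are merged into one node, and the attack path is read off by topological sort. The sample alerts, the cause table and the Jaccard pattern similarity are constructed assumptions, since the paper's own rules and similarity definitions are not on this page.

```python
from collections import defaultdict
from graphlib import TopologicalSorter  # Python 3.9+

# Constructed sample IDS alerts: (time, source IP, target IP, single-step attack type).
ALERTS = [
    (1, "10.0.0.5", "192.168.1.10", "port_scan"),
    (2, "10.0.0.5", "192.168.1.10", "port_scan"),  # repeated step, merged below
    (3, "10.0.0.5", "192.168.1.10", "ssh_brute_force"),
    (4, "10.0.0.5", "192.168.1.10", "privilege_escalation"),
    (5, "10.0.0.7", "192.168.1.20", "port_scan"),
    (6, "10.0.0.7", "192.168.1.20", "sql_injection"),
]

# Assumed causal knowledge: prerequisite steps for each step (not the paper's rules).
CAUSES = {
    "ssh_brute_force": {"port_scan"},
    "sql_injection": {"port_scan"},
    "privilege_escalation": {"ssh_brute_force"},
}

def cluster_by_target(alerts):
    """Level 1: group alerts by the attacked host so correlation runs per victim."""
    groups = defaultdict(list)
    for alert in alerts:
        groups[alert[2]].append(alert)
    return groups

def correlate(alerts):
    """Level 2: causal correlation inside one cluster. Same-type alerts collapse into
    one node (stand-in for the paper's single-step similarity); edge u->v is kept only
    when u is a known cause of v and u was seen first. Returns a topological order."""
    first_seen = {}
    for time, _, _, kind in sorted(alerts):
        first_seen.setdefault(kind, time)
    graph = {kind: set() for kind in first_seen}
    for kind, time in first_seen.items():
        for cause in CAUSES.get(kind, ()):
            if cause in first_seen and first_seen[cause] < time:
                graph[kind].add(cause)
    return list(TopologicalSorter(graph).static_order())

def pattern_similarity(path_a, path_b):
    """Level 3 helper: Jaccard overlap of two attack patterns (assumed measure)."""
    a, b = set(path_a), set(path_b)
    return len(a & b) / len(a | b) if a | b else 0.0

def hierarchical_correlation(alerts):
    """Run levels 1 and 2; maps each victim to its reconstructed attack path."""
    return {dst: correlate(group) for dst, group in cluster_by_target(alerts).items()}
```

Because each cluster is correlated on its own, the causal search never compares alerts aimed at different victims, which is the efficiency gain the abstract attributes to clustering before correlation.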
Classification: Information technology and security science

Citation
ZHU Lina (朱丽娜), ZHANG Zuochang (张作昌). Research on hierarchical alerts correlation based on causality [J]. Application Research of Computers, 2016, 33(3): 848-850, 859, 4.

Funding
Supported by the National Natural Science Foundation of China (61431008, 61562004); the Specialized Research Fund for the Doctoral Program of Higher Education (20130073130006); the Natural Science Foundation of Guangxi (2013GXNSFBA019274); the Guangxi Higher Education High-Level Innovation Team and Outstanding Scholars Program; and a Guangxi university scientific research project ()