作　　者： ; ; ;

机构地区： 清华大学信息科学技术学院计算机科学与技术系

出　　处： 《计算机研究与发展》 2006年第4期627-632,共6页

摘　　要： 入侵检测技术在网络安全防卫体系中变得越来越重要.在实际应用中,为了提高检测率通常采用基于多点的分布式数据采集或基于多引擎的协作式入侵检测,但是伴随而来的是警报数量和误报数量的海量增加,使管理员无法分辨警报的真伪并有效地管理入侵检测系统,从而降低了入侵检测系统的有效性和可用性.提出了一种基于密度的抗噪声时间聚类算法,将警报聚合和关联分析方法运用于分布式多引擎入侵检测场合来解决上述问题.实验采用数据集测试的方法对算法和原型系统进行了测试,并和相关研究工作进行了比较和分析.实验结果表明,系统对于分布式扫描有良好的检测效果,并在检测的实时性能上表现出优势. Intrusion detection systems are receiving considerable attention and serving as an indispensable fortification for shielding networks against attackers. To improve the effectiveness of intrusion detection systems, distributed schemes are developed and implemented in real networks. The distributed schemes are classified into two major principles on the basis of data collection and detection engines. Both of them generate a mass of alerts and false positives that flood the administrators and thus impair the effectiveness of IDS. A two-stage real time solution based on DBTCAN （density-based time clustering of application with noise） algorithm is presented for alert aggregation and correlation in distributed contexts. The effectiveness of the approach and prototype on the intrusion detection evaluation dataset is demonstrated, where attacks can be detected more accurately with a low rate of false alarms and more succinct and informative alerts can be provided for administrators with the redundant alarms greatly reduced. The comparative experiments and analysis show that the approach is effective in distributed probing detection and the system gives better results in real time detection.

关 键 词： 入侵检测 警报聚合 数据集 测试

领　　域： [自动化与计算机技术] [自动化与计算机技术]