基于空间和时间密度的入侵报警聚合研究

系统仿真学报 ›› 2016, Vol. 28 ›› Issue (6): 1336-1343.

基于空间和时间密度的入侵报警聚合研究

张靖, 王衡军, 李俊全, 郁滨

解放军信息工程大学,河南郑州 450004

收稿日期:2015-04-29 修回日期:2015-07-24 出版日期:2016-06-08 发布日期:2020-06-08
作者简介:张靖(1991-),男,安徽滁州,硕士生,研究方向为仿真、信息安全技术;王衡军（1973-）,男,湖南衡阳,博士,副教授,研究方向为人工智能、信息安全;李俊全(1965-),男,河北涿州,博士,研究员,博导,研究方向为密码学、信息安全。

Research of Intrusion Alert Aggregation Based on Spatial and Temporal Density

Zhang Jing, Wang Hengjun, Li Junquan, Yu Bin

PLA Information Engineering University, Zhengzhou 450004, China

Received:2015-04-29 Revised:2015-07-24 Online:2016-06-08 Published:2020-06-08

摘要/Abstract

摘要： 针对分布式入侵检测系统在实际应用中存在大量重复报警和高误报率的问题,在研究DBSCAN算法的基础上,引入时间密度,提出一种基于空间和时间密度的抗噪声聚合算法(DBS&TCAN)。基于空间密度聚合局部报警信息和时间密度对局部聚合结果进行合并,可以有效减少重复报警并降低误报率。实验采用数据集测试的方法对算法进行了测试,并与相关研究工作进行比较和分析。结果表明,该算法具有较好的聚合效果,并在实时性方面体现出优势。

关键词: 入侵检测系统, 报警聚合, 时间密度, DBSCAN, DBS&TCAN;, 实时性

Abstract: Distributed Intrusion Detection System has created the problem to investigate a mass of duplicate alerts and high false positive rate in practical applications. Based on DBSCAN, density based spatial and temporal clustering of applications with noise (DBS&TCAN) algorithm was proposed by introducing temporal density. The approach aggregated partial alerts based on spatial density, and merges partial aggregation on the basis of temporal density. The effectiveness of the algorithm was demonstrated by the intrusion detection evaluation dataset. The comparative experiments and analysis show that the algorithm is effective in alert aggregation and gives better results in terms of real time.

Key words: Intrusion detection system, alert aggregation, temporal density, DBSCAN, DBS&TCAN;, real time

中图分类号:

TP393.08

张靖, 王衡军, 李俊全, 郁滨. 基于空间和时间密度的入侵报警聚合研究[J]. 系统仿真学报, 2016, 28(6): 1336-1343.

Zhang Jing, Wang Hengjun, Li Junquan, Yu Bin. Research of Intrusion Alert Aggregation Based on Spatial and Temporal Density[J]. Journal of System Simulation, 2016, 28(6): 1336-1343.

参考文献

[1] 卿斯汉, 蒋建春, 马恒太, 等. 入侵检测技术研究综述[J]. 通信学报, 2004, 25(7): 19-29.
[2] 穆成坡, 黄厚宽, 田盛丰. 入侵检测系统报警信息聚合与关联技术研究综述[J]. 计算机研究与发展, 2006, 43(1): 1-8.
[3] T Kanungo, N S Netanyahu, A Y Wuan.An Efficient k-Means Clustering Algorithm: Analysis and Implementation[J]. IEEE Transactions on Pattern Analysis and Machine Intelligence(S0162-8828), 2002, 24(7): 881-892.
[4] Hadi Bahrbegi, Ahmad Habibizad Navin, Amir Azimi Alasti Ahrabi. A New System to Evaluate GA-based Clustering Algorithms in Intrusion Detection Alert Management[C]// 2010 Second World Congress on Nature and Biologically Inspired Computing. Kitakyushu (Japan): Institute of Electrical and Electronics Engineers( IEEE ), 2010: 115-120.
[5] A Hofmann, D Fisch, B Sick.Identifying Attack Instances by Alert Clustering[C]// Proc. IEEE Three-Rivers Workshop Soft Computing in Industrial Applications. USA: IEEE, 2007: 25-31.
[6] G C Tjhai, S M Furnell, M Papadaki, et al.Preliminary two-stage alarm correlation and filtering system using SOM neural network and K-means algorithm[J]. Computers & Security(S0167-4048), 2011, 29(6): 712-723.
[7] Emmanuel Hooper.An Intelligent Intrusion Detection and Response System Using Hybrid Ward Hierarchical Clustering Analysis[C]// Multimedia and Ubiquitous Engineering. Crete(Greece): Institute of Electrical and Electronics Engineers( IEEE ), 2010: 1187-1192.
[8] C Tsai, C C Yen.Unsupervised Anomaly Detection Using HDG-Clustering Algorithm[C]// Neural Information Processing, Germany: Springer Berlin (Heidelberg), 2009: 356-365.
[9] M Ester, H P Kriegal, J Sander, et al.A density-based algorithm for discoverying clusters in large spatial databases with noise [C]// KDD96 Proceedings of 2nd International Conference on Knowledge Discovery and Data Mining. Portland(Oregon): AAAI Press, 1996, 96(34): 226-231.
[10] Tran Manh Thang, Juntae Kim.The Anomaly Detection by Using DBSCAN Clustering with Multiple Parameters[C]// Information Science and Applications (ICISA), 2011 International Conference (IEEE). USA: IEEE, 2011: 1-5.
[11] Alexander Hofmann, Bernhard Sick.Online Intrusion Alert Aggregation with Generative Data Stream Modeling[J]. IEEE Transactions on Dependable and Secure Computing(S1545-5971), 2011, 8(2): 282-294.
[12] Xfocus Team. Bro: 一个开放源码的高级NIDS系统. [EB/OL]. (2003-10-12) [2015-04-29]. http://www.xfocus. net/articles/200310/624.html.
[13] M V Mahoney, P K Chan.Learning rules for anomaly detection of hostile network traffic [C]// Proc. 3rd IEEE Int’l Conf. Data Mining Los Alamitos, CA, USA. USA: IEEE Computer Society Press, 2003: 601-604.
[14] Caswell B, Roesch M. Snort: The open source network intrusion detection system [EB/OL]. (2009-04-21) [2015-04-29]. http://www.snort.org/
[15] 穆成坡, 黄厚宽, 田盛丰. 入侵报警管理与入侵响应系统&中的自适应报警聚合[J]. 计算机科学, 2007, 34(12): 73-77.
[16] 胥小波, 蒋琴琴, 郑康锋, 等. 基于混沌粒子群的告警聚类算法[J]. 通信学报, 2013, 34(3): 105-110.