
Research And Implementation Of Alert Correlation System Based On Attribute Similarity

Posted on: 2012-05-05
Degree: Master
Type: Thesis
Country: China
Candidate: Z J Mao
Full Text: PDF
GTID: 2178330332988655
Subject: Communication and Information System
Abstract/Summary:
IDS (Intrusion Detection Systems) aim at detecting network intrusion behaviours. At present, IDS have the following disadvantages:

(1) Flood alert: an ordinary IDS produces hundreds of alerts per day, and most of them are false-negative and repetitive alerts.
(2) Primitive alert: most rule-based IDS will produce an alert as soon as certain packets are detected. With such primitive and individual alert information, it is hard to correlate and analyse the attacker's intention.
(3) Independent alert: for different large-scale attacks, an IDS can generate independent alerts, but it cannot report attacks such as DDoS and worms.

For the flood alert and primitive alert problems, this paper makes the following research contributions:

(1) Compare and discuss the existing alert similarity calculation methods. Determine similarity calculation methods for the IP address, port and alert category, and research the time similarity algorithm in particular. Through experiments, the paper analyses the changing trend and mathematical model of time similarity, and then gives the time similarity algorithm and the values of its parameters. These similarity algorithms constitute the fundamental modules of the comprehensive alert attribute similarity algorithm.
(2) Design an attribute-similarity-based alert aggregation and correlation system. Aimed at the different problems, the paper gives different modules: an alert filter to filter repetitive alerts; aggregators to aggregate low-level independent alerts; and a correlator to analyse the attack steps and intention of the attackers.
(3) Implement the above system. DARPA1999 data is used to test the independent modules and the whole system, and the results are analysed.

Tests show that the alert aggregation and correlation system can reduce a large number of false-negative and repetitive IDS alerts; the system can aggregate and correlate similar alerts accurately and improve the usability of the IDS effectively.
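The following is an added illustration of the filter and aggregator stages described above; it is not code from the thesis, and the thesis's own similarity formulas, parameter values and weights are not on this page. The per-attribute metrics (IP similarity as the fraction of shared leading address bits, exact match for port and category, exponential decay for time with an assumed constant `tau`), the weights in `WEIGHTS`, the duplicate window, the clustering threshold and the sample alerts are all assumptions constructed for the example. The correlator stage (attack-step analysis) is not shown.

```python
import math
from dataclasses import dataclass
from ipaddress import IPv4Address


@dataclass(frozen=True)
class Alert:
    ts: float          # detection time in seconds (constructed values below)
    src: str           # source IPv4 address
    dst: str           # destination IPv4 address
    dport: int         # destination port
    category: str      # IDS signature class, e.g. "WEB-SCAN"


def ip_similarity(a: str, b: str) -> float:
    """Fraction of leading bits the two addresses share (assumed metric; 1.0 = identical)."""
    diff = int(IPv4Address(a)) ^ int(IPv4Address(b))
    return (32 - diff.bit_length()) / 32.0


def port_similarity(p: int, q: int) -> float:
    return 1.0 if p == q else 0.0


def category_similarity(c: str, d: str) -> float:
    return 1.0 if c == d else 0.0


def time_similarity(t1: float, t2: float, tau: float = 60.0) -> float:
    """Exponential decay with the time gap; tau is an assumed parameter, not the thesis's value."""
    return math.exp(-abs(t1 - t2) / tau)


# Assumed weights for the comprehensive (weighted-sum) similarity; they sum to 1.
WEIGHTS = {"src": 0.25, "dst": 0.25, "port": 0.15, "cat": 0.20, "time": 0.15}


def alert_similarity(a: Alert, b: Alert, weights=WEIGHTS, tau: float = 60.0) -> float:
    """Comprehensive similarity in [0, 1] combining the per-attribute metrics."""
    return (weights["src"] * ip_similarity(a.src, b.src)
            + weights["dst"] * ip_similarity(a.dst, b.dst)
            + weights["port"] * port_similarity(a.dport, b.dport)
            + weights["cat"] * category_similarity(a.category, b.category)
            + weights["time"] * time_similarity(a.ts, b.ts, tau))


def filter_repetitive(alerts, window: float = 5.0):
    """Alert filter: drop an alert that repeats an identical (src, dst, dport, category)
    tuple seen within `window` seconds. Alerts are expected in time order."""
    last_seen = {}
    kept = []
    for al in alerts:
        key = (al.src, al.dst, al.dport, al.category)
        prev = last_seen.get(key)
        if prev is not None and al.ts - prev <= window:
            continue                      # repetitive alert, suppressed
        last_seen[key] = al.ts
        kept.append(al)
    return kept


def aggregate(alerts, threshold: float = 0.8):
    """Aggregator: greedy single-pass clustering. An alert joins the cluster whose
    first (representative) alert is most similar, if that similarity reaches the
    threshold; otherwise it starts a new cluster (hyper-alert)."""
    clusters = []
    for al in alerts:
        best, best_sim = None, 0.0
        for cl in clusters:
            sim = alert_similarity(al, cl[0])
            if sim > best_sim:
                best, best_sim = cl, sim
        if best is not None and best_sim >= threshold:
            best.append(al)
        else:
            clusters.append([al])
    return clusters


# Constructed sample alerts (not DARPA data): two duplicates of a web scan,
# a near-identical scan from a neighbouring host, and an unrelated SSH alert.
SAMPLE_ALERTS = [
    Alert(1000.0, "10.0.0.5", "192.168.1.10", 80, "WEB-SCAN"),
    Alert(1001.0, "10.0.0.5", "192.168.1.10", 80, "WEB-SCAN"),   # repeat within 5 s
    Alert(1020.0, "10.0.0.6", "192.168.1.10", 80, "WEB-SCAN"),   # neighbour, same target
    Alert(5000.0, "172.16.3.7", "192.168.1.20", 22, "SSH-BRUTE"),
]


def run_pipeline(alerts=SAMPLE_ALERTS):
    """Filter, then aggregate; returns the list of clusters (hyper-alerts)."""
    return aggregate(filter_repetitive(alerts))


if __name__ == "__main__":
    for i, cl in enumerate(run_pipeline(), 1):
        print(f"hyper-alert {i}: {len(cl)} alert(s), category {cl[0].category}")
```

On the sample input the filter suppresses the 1001 s duplicate, the neighbouring-host scan joins the first hyper-alert (the shared 30-bit source prefix and identical target, port and category outweigh the 20 s gap), and the SSH alert, sharing only part of the destination address, forms its own cluster. Tuning `tau`, the weights and the threshold is exactly the parameter work the abstract describes for the time similarity model.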
Keywords/Search Tags:IDS, Flood-Alerts, Alert-Filter, Alert-aggregation, Alert-correlation