
A Study Of The Alert Fusion Technology Based On Confidence

Posted on: 2008-08-05
Degree: Master
Type: Thesis
Country: China
Candidate: Y Wen
Full Text: PDF
GTID: 2178360212476188
Subject: Communication and Information System

Abstract/Summary:
Recently, data fusion technology has been introduced into intrusion detection systems to address the problems of traditional IDSs: an IDS often generates too many raw alerts, each carrying very little useful information, and it typically has both a high false negative rate and a high false positive rate. However, none of the earlier work takes alert confidence into account; each of those algorithms treats different IDSs equally and assumes that every raw alert indicates a true attack. In reality, every IDS has some false negative and false positive rate, some alerts are useless, and even the same IDS performs very differently when detecting different kinds of attacks. Thus, in a large-scale network with many kinds of IDS installed, if the differing performance of each IDS is ignored, the fused alerts will fall short of expectations and the benefits of data fusion will be lost.

To address these problems, this dissertation proposes new ideas on how to fuse alerts effectively while taking alert confidence into account. The work of this dissertation focuses on the following two aspects:

1. The author designed a detailed confidence-based alert fusion algorithm in which confidence is an independent attribute of each alert. First, the algorithm assigns each raw alert an initial confidence according to expert knowledge; then it generates higher-level alerts and attack scenarios by clustering, fusing and correlating the raw alerts, and the confidence of each higher-level alert is calculated with D-S evidence theory using the confidences of the raw alerts as input.
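To make the last step concrete, here is an added illustration (not code from the thesis) of how D-S evidence theory can turn the expert-assigned confidences of several raw alerts into one confidence for a higher-level alert. It assumes a two-element frame of discernment, {attack, benign}, and models each raw alert as a simple support function: its confidence goes to the hypothesis the alert supports and the rest is left as ignorance; the sample confidences are constructed.

```python
from itertools import product

# Frame of discernment assumed for this example (not fixed by the thesis):
# a higher-level alert either reflects a real attack or it is benign.
ATTACK = frozenset({"attack"})
BENIGN = frozenset({"benign"})
THETA = ATTACK | BENIGN  # the whole frame, i.e. total ignorance


def alert_mass(confidence, hypothesis=ATTACK):
    """Turn one raw alert's expert-assigned confidence into a simple support
    function: `confidence` goes to the hypothesis the alert supports and the
    remainder goes to the whole frame, not to the opposite hypothesis."""
    if not 0.0 <= confidence <= 1.0:
        raise ValueError("confidence must lie in [0, 1]")
    return {hypothesis: confidence, THETA: 1.0 - confidence}


def dempster_combine(m1, m2):
    """Dempster's rule of combination.  For every pair of focal elements
    (B, C) the product m1(B)*m2(C) is assigned to B & C; products whose
    intersection is empty form the conflict K and the rest is renormalised
    by 1 - K.  Returns (combined mass, K)."""
    combined, conflict = {}, 0.0
    for (b, mb), (c, mc) in product(m1.items(), m2.items()):
        a = b & c
        if a:
            combined[a] = combined.get(a, 0.0) + mb * mc
        else:
            conflict += mb * mc
    if conflict >= 1.0 - 1e-12:
        raise ValueError("evidence is totally conflicting; D-S rule undefined")
    return {a: v / (1.0 - conflict) for a, v in combined.items()}, conflict


def fuse_alerts(evidence):
    """Combine every raw alert's (hypothesis, confidence) pair into one mass
    function for the higher-level alert; returns (mass, last conflict K)."""
    masses = [alert_mass(conf, hyp) for hyp, conf in evidence]
    fused, conflict = masses[0], 0.0
    for other in masses[1:]:
        fused, conflict = dempster_combine(fused, other)
    return fused, conflict


def fused_confidence(evidence):
    """Belief that the higher-level alert is a real attack, i.e. m({attack})."""
    return fuse_alerts(evidence)[0].get(ATTACK, 0.0)
```

Two agreeing alerts with confidences 0.6 and 0.5 fuse to 0.8, while an alert from a sensor known to misfire on that traffic (modelled as supporting "benign") lowers the belief and produces a non-zero conflict K that is itself a useful diagnostic.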
Keywords/Search Tags: IDS, Confidence, Evidence Theory, Data Fusion