
Alerts Analysis Framework For A Multi-Intrusion Detection Environment

Posted on: 2009-02-20
Degree: Master
Type: Thesis
Country: China
Candidate: C Y Li
Full Text: PDF
GTID: 2178360245469987
Subject: Information security
Abstract/Summary:
With the rapid development of network technology, increasingly complex network intrusions are causing serious harm, and network security is attracting more attention. However, traditional static defenses such as firewalls have proved inadequate against new attacks. Intrusion detection systems (IDS), which discover intrusions from the traces and patterns of attacker actions, have gradually become a new component of network security systems.

However, an IDS generates too many false positives and false negatives in a broadband network environment. Moreover, because its alerts are elementary (low-level), IDS output cannot be managed directly and accurately by a security administrator. Alert analysis for IDS has therefore become a promising approach to these problems. There has been much research on alert analysis for IDS, but shortcomings such as irrational clustering methods, inefficient data mining algorithms, insufficient use of available information, and a lack of consideration for false negatives limit its practicability.

To address these problems, this thesis proposes a new alert analysis framework for a multi-intrusion detection environment, consisting of an alert clustering and merging module, an off-line knowledge database building module, and an online intrusion analysis module. New clustering methods, data mining algorithms, and rule-matching methods are used in the framework.

An experimental system was built by implementing the framework. Experiments show that the number of false positives and false negatives of the IDS can be reduced, and that more global and synthetic alerts can be generated.
Keywords/Search Tags: intrusion detection, alerts analysis, detecting event, result vector, increment data mining, repairing match