With the widespread adoption of computer networks, the number of network attacks is increasing, making network security threats a risk that cannot be ignored in various fields. An Intrusion Detection System (IDS) is a widely utilized network security defense method capable of detecting abnormal traffic in real time and generating corresponding alarms. However, during the detection process, an IDS often misidentifies normal user behavior as an attack and triggers alerts for unsuccessful attack attempts, leading to erroneous assessments of security threats and consuming the time and effort of security administrators. The existing IDS false alarm detection methods, which rely on group characteristics, suffer from a lack of contextual information. Additionally, the existing methods for identifying irrelevant alarms do not fully consider the correlation between alarm data and the asset information of the target system. To address these challenges and enhance the accuracy of IDS false alarm detection, this thesis proposes a feature fusion-based IDS false alarm detection method that analyzes alarm attribute characteristics and group characteristics. Furthermore, it employs a network security knowledge graph to identify irrelevant alarms. The primary contributions of this thesis are as follows:

(1) A feature fusion-based IDS false alarm detection method is proposed. To address the lack of contextual information in existing IDS false alarm detection methods, this method constructs a detection model by combining group characteristics and semantic features of alarm data. On one hand, group characteristics of IDS alarms are extracted through statistical analysis of a large volume of alarm data. On the other hand, word embedding and deep learning models are employed to extract alarm attribute features from the original alarms. Subsequently, the method fuses the alarm attribute features and group features, and utilizes a deep learning model to learn discriminative features for distinguishing true alarms from false alarms. Experimental results on the DARPA 2000 public dataset demonstrate that the proposed method achieves high accuracy in detecting IDS false alarms.

(2) A network security knowledge graph-based method for identifying irrelevant alarms is proposed. This method establishes a network security knowledge graph to assess the correlation between alarm data and the asset information of the target system. Leveraging the constructed network security knowledge graph, the method actively probes the assets of the target system to gather supporting information. It then correlates entities across five dimensions: scenario, asset, vulnerability, attack, and alarm. Based on the correlation results, the method determines whether an alarm is irrelevant. Experimental results on the EPIC dataset demonstrate the high accuracy of the proposed method in identifying irrelevant IDS alerts.
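As an added illustration of contribution (2), and not code from the thesis, the following toy knowledge graph links asset, vulnerability, attack and alarm entities and judges an alarm irrelevant only when the targeted asset runs none of the software the fired signature's vulnerabilities affect. All hosts, software names, vulnerability ids and signature names are constructed placeholders, and the thesis's own graph construction, asset probing and matching logic are not reproduced here.

```python
"""Added example: toy knowledge-graph check for irrelevant IDS alarms.

All entities are constructed sample data with placeholder ids. An alarm is
relevant only if a path alarm -> attack -> vulnerability -> software -> target
asset exists; missing graph data yields "unknown", never "irrelevant".
"""
from dataclasses import dataclass

# Scenario: one network segment whose assets were inventoried (constructed).
ASSETS = {                   # asset -> software it exposes
    "10.0.0.5": {"apache/2.4", "openssh/8.9"},
    "10.0.0.7": {"iis/10.0", "windows/2019"},
}
VULNERABILITIES = {          # placeholder vuln id -> affected software
    "VULN-A": {"apache/2.4"},
    "VULN-B": {"iis/10.0"},
    "VULN-C": {"nginx/1.18"},
}
ATTACKS = {                  # IDS signature -> vulnerabilities it targets
    "SIG-APACHE-RCE": {"VULN-A"},
    "SIG-IIS-TRAVERSAL": {"VULN-B"},
    "SIG-NGINX-OVERFLOW": {"VULN-C"},
}

@dataclass(frozen=True)
class Alarm:
    signature: str   # IDS rule that fired
    target: str      # destination asset named in the alarm

def exploitable_software(signature: str) -> set[str]:
    """Follow attack -> vulnerability -> software edges for one signature."""
    software: set[str] = set()
    for vuln in ATTACKS.get(signature, ()):
        software |= VULNERABILITIES.get(vuln, set())
    return software

def classify(alarm: Alarm) -> str:
    """Return 'relevant', 'irrelevant' or 'unknown' for one alarm."""
    if alarm.target not in ASSETS or alarm.signature not in ATTACKS:
        return "unknown"      # no evidence: do not discard on missing data
    if exploitable_software(alarm.signature) & ASSETS[alarm.target]:
        return "relevant"     # target really runs the vulnerable software
    return "irrelevant"       # the attack cannot succeed against this asset

def triage(alarms) -> dict[str, list[Alarm]]:
    """Group a batch of alarms by verdict, keeping 'unknown' for analysts."""
    groups: dict[str, list[Alarm]] = {k: [] for k in ("relevant", "irrelevant", "unknown")}
    for alarm in alarms:
        groups[classify(alarm)].append(alarm)
    return groups
```

The "unknown" verdict is the practitioner's safeguard: an asset the probing step could not inventory, or a signature with no vulnerability mapping, must not be silently filed as irrelevant.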