[1] Gong Jian, Mei Haibin, Ding Yong, et al. Multi-feature correlation redundance elimination of intrusion event [J]. Journal of Southeast University (Natural Science Edition), 2005, 35(3): 366-371. [doi:10.3969/j.issn.1001-0505.2005.03.010]

Multi-feature correlation redundance elimination of intrusion event

Journal of Southeast University (Natural Science Edition) [ISSN: 1001-0505 / CN: 32-1178/N]

Volume: 35
Issue: 2005, No. 3
Pages: 366-371
Column: Computer Science and Engineering
Publication date: 2005-05-20

Article Info

Title:
Multi-feature correlation redundance elimination of intrusion event
Author(s):
Gong Jian, Mei Haibin, Ding Yong, Wei Dehao
Department of Computer Science and Engineering, Southeast University, Nanjing 210096, China
Key Laboratory of Computer Network Technology of Jiangsu Province, Southeast University, Nanjing 210096, China
Keywords:
redundance elimination; event correlation feature; intrusion detection system; network security
CLC number:
TP393
DOI:
10.3969/j.issn.1001-0505.2005.03.010
Abstract:
By analyzing the three spatial attributes of an intrusion event (source address, destination address and destination port), all possible correlation features of events in the spatial domain are enumerated. By statistically analyzing the time intervals between adjacent events, it is shown that the temporal correlation feature of events can be described with a relative mean square deviation model. On this basis, a redundancy elimination algorithm based on event class and on spatial and temporal correlation features is proposed; it processes intrusion events in real time according to a predefined set of redundancy elimination rules and discards the redundant ones. Experiments show that the algorithm reduces the proportion of redundant events among all events to below 1%, and that it eliminates redundancy more accurately and more completely than the method proposed in the cooperative intrusion traceback and response architecture (CITRA).


Memo:
Funding: National Natural Science Foundation of China project (90104031).
About the author: Gong Jian (born 1957), male, PhD, professor, doctoral supervisor, jgong@njnet.edu.cn.
Last Update: 2005-05-20