Journal: 《计算机工程与设计》 (Computer Engineering and Design)

Multi-source Log Aggregation Analysis Method


Abstract

When detecting network security threat incidents, various security devices generate large volumes of redundant alarm information, which easily leads to a high false-alarm rate and a low degree of aggregation after logs are aggregated, making log analysis very difficult. To solve this problem, an improved clustering algorithm with an adaptive time-threshold interval is proposed. By defining aggregation rules and an intermediate log, the interval threshold held in the intermediate log is updated dynamically, which realizes the aggregation of multi-source logs. Experimental results show that the aggregation time-threshold interval produced by the proposed algorithm is much closer to the real attack time interval, that the algorithm can accurately aggregate and analyze multi-source logs, and that it effectively reduces the number of alarm log entries while improving the aggregation degree and accuracy of the logs.
