To address the shortcoming of existing alert correlation methods, which do not take into account the confidence of each IDS's reported alerts when correlating alerts from multiple IDSs, a method that correlates alerts from multiple IDSs on the basis of confidence is proposed using evidence theory. The method treats each IDS's reporting of an alert as evidence for inferring whether a network attack has occurred, fuses this evidence with Dempster's rule of combination, and finally decides whether the attack corresponding to the alerts has occurred, thereby eliminating the ambiguity and conflict among the alerts reported by the different IDSs and improving alert quality. Experimental results on the DARPA 2000 test dataset show that the method effectively lowers the false-alert rate and reduces the number of alerts by more than 60%.

To overcome the shortcoming of current alert correlation methods, which do not consider the confidence of the IDS, an alert correlation method based on alert confidence using evidence theory is presented. Each alert is regarded as a piece of evidence of a network attack. Multiple pieces of evidence are then combined by Dempster's combination rule and used to infer whether the attack corresponding to the alerts took place. As a result, the ambiguity and conflict in the alerts are eliminated, achieving the goal of improving alert quality. Experimental results on the DARPA 2000 IDS test dataset show that the proposed method can efficiently decrease the false-alert rate and reduce the number of alerts by more than 60%.
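The fusion step described above, as an added illustration that is not the paper's own code: each IDS's report is turned into a mass function over the frame {attack, no_attack}, the mass functions are fused with Dempster's rule, and the fused belief decides whether the attack occurred. The encoding of a silent IDS as evidence for no_attack, the 0.5 decision threshold, and the IDS names and confidences are assumptions made for the example.

```python
from itertools import product

A = frozenset({"attack"})
N = frozenset({"no_attack"})
THETA = A | N  # frame of discernment: the attack happened, or it did not


def alert_evidence(confidence, reported):
    """Mass function for one IDS (assumed encoding): an IDS that reports an
    alert puts `confidence` on {attack}; one that stays silent puts it on
    {no_attack}. The remainder goes to the whole frame (ignorance)."""
    focal = A if reported else N
    return {focal: confidence, THETA: 1.0 - confidence}


def dempster_combine(m1, m2):
    """Dempster's rule of combination. Returns (fused mass, conflict K).
    Mass on pairs with empty intersection is the conflict and is
    redistributed by normalising with 1 - K."""
    fused, conflict = {}, 0.0
    for (b, mb), (c, mc) in product(m1.items(), m2.items()):
        inter = b & c
        if inter:
            fused[inter] = fused.get(inter, 0.0) + mb * mc
        else:
            conflict += mb * mc
    if conflict >= 1.0:
        raise ValueError("total conflict: the sources cannot be combined")
    return {k: v / (1.0 - conflict) for k, v in fused.items()}, conflict


def correlate(reports, threshold=0.5):
    """reports: list of (ids_name, confidence, reported). Fuses all IDS
    evidence and returns (attack_decided, belief_attack, belief_no_attack).
    The threshold is an assumed decision rule, not the paper's."""
    m = {THETA: 1.0}  # start from total ignorance
    for _, confidence, reported in reports:
        m, _ = dempster_combine(m, alert_evidence(confidence, reported))
    bel_attack, bel_none = m.get(A, 0.0), m.get(N, 0.0)
    return bel_attack > threshold, bel_attack, bel_none


if __name__ == "__main__":
    # Constructed sample: two IDSs both alert on the same suspected attack.
    reports = [("ids_a", 0.6, True), ("ids_b", 0.7, True)]
    print(correlate(reports))  # two agreeing sources reinforce each other
    # A single low-confidence alert, or two sources that disagree, is not
    # promoted to a confirmed attack, which is how alerts get pruned.
    print(correlate([("ids_a", 0.3, True)]))
    print(correlate([("ids_a", 0.6, True), ("ids_b", 0.7, False)]))
```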