Journal of Computer Applications (计算机应用) ›› 2016, Vol. 36 ›› Issue (2): 499-504. DOI: 10.11772/j.issn.1001-9081.2016.02.0499

• Cyberspace Security •

Network alerts depth information fusion method based on time confrontation

QIU Hui, WANG Kun, YANG Haopu

  1. Information Engineering University, Zhengzhou 450001, China
  • Received: 2015-06-26 Revised: 2015-09-30 Online: 2016-02-10 Published: 2016-02-03
  • Corresponding author: QIU Hui (born 1990), male, from Yongcheng, Henan; master's student; research interests: network security, situational awareness.
  • About the authors: WANG Kun (born 1975), male, from Zhoukou, Henan; associate professor, PhD; research interests: network security, data mining. YANG Haopu (born 1993), female, from Fengqiu, Henan; master's student; research interests: network security, attack detection.
  • Funding:
    National Natural Science Foundation of China (61309013).

Network alerts depth information fusion method based on time confrontation

QIU Hui, WANG Kun, YANG Haopu   

  1. Information Engineering University, Zhengzhou Henan 450001, China
  • Received:2015-06-26 Revised:2015-09-30 Online:2016-02-10 Published:2016-02-03

Abstract: Existing network alert information fusion methods use a single point in time as their processing unit and therefore cannot cope with network attacks that are becoming increasingly stealthy and long-lasting. To address this, a depth information fusion method for network alerts based on time confrontation is proposed. Faced with multi-source heterogeneous alert data streams, the method first collects and stores the alerts falling within a comparatively long current time window, then clusters them with a sliding-window stream clustering algorithm, and finally applies a window attenuation factor to the clustered alerts for deep fusion. Experiments on real data show that, compared with the basic Dempster-Shafer evidence theory (Basic-DS) and exponentially weighted DS evidence theory (EWDS) fusion methods, the proposed method achieves a higher detection rate and a lower false-detection rate, although its reduction rate is slightly lower because a longer time window is used. Practical tests and performance analysis also show that the algorithm has a small delay, detects network attacks more effectively, and can run in real time.

Keywords: heterogeneous data stream, network alert, depth information fusion, time confrontation, attenuation factor

Abstract: Because they use a single point in time as the processing unit, current network alert information fusion methods cannot adapt to network attacks with high concealment and long duration. To address this problem, a network alerts depth information fusion method based on time confrontation was proposed. Faced with a multi-source heterogeneous alert data flow, the alerts were first collected and saved within a long time window; they were then clustered with a sliding-window stream clustering algorithm; finally, the alerts were fused by introducing a window attenuation factor. Experimental results on a real data set show that, compared with Basic-DS and EWDS (Exponential Weight DS), the proposed method has a higher True Positive Rate (TPR) and a lower False Positive Rate (FPR), with a slightly lower Data to Information Rate (DIR) because of the longer time window. Actual tests and theoretical analysis show that the proposed method is more effective at detecting network attacks and can satisfy real-time processing with less time delay.

Key words: heterogeneous data flow, network alert, depth information fusion, time confrontation, attenuation factor
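An illustrative sketch of the window-and-attenuation idea the abstract describes, added here as an example; it is not the paper's code, and the paper's exact clustering and attenuation formulas are not given on this page. Alerts inside a sliding window are grouped by flow and attack class, each alert's evidence is discounted by an assumed attenuation weight decay ** (age / window), and each cluster is fused with Dempster's rule. The two-element frame {attack, normal}, the use of Shafer discounting as the attenuation step, and the sample alerts are all assumptions.

```python
from collections import defaultdict
from dataclasses import dataclass
from itertools import product
@dataclass
class Alert:
    t: float      # timestamp in seconds
    src: str
    dst: str
    kind: str     # normalised attack class reported by the sensor
    conf: float   # sensor confidence that the flow is an attack, in [0, 1]

def combine(m1, m2):
    """Dempster's rule over frame {A: attack, N: normal}; subsets keyed "A", "N", "AN"."""
    out, conflict = defaultdict(float), 0.0
    for (x, mx), (y, my) in product(m1.items(), m2.items()):
        inter = set(x) & set(y)
        if inter:
            out["".join(sorted(inter))] += mx * my
        else:
            conflict += mx * my
    if conflict >= 1.0:
        raise ValueError("total conflict between sources")
    return {k: v / (1.0 - conflict) for k, v in out.items()}

def attenuate(m, w):
    """Shafer discounting: keep fraction w of each focal mass, move the rest to Theta."""
    d = {k: w * v for k, v in m.items() if k != "AN"}
    d["AN"] = 1.0 - sum(d.values())
    return d

def fuse_window(alerts, now, window, decay):
    """Cluster alerts in (now - window, now] by (src, dst, kind) and fuse each cluster;
    an alert is weighted decay ** (age / window), so older evidence counts less."""
    clusters = defaultdict(list)
    for a in alerts:
        if now - window < a.t <= now:
            clusters[(a.src, a.dst, a.kind)].append(a)
    belief = {}
    for key, group in clusters.items():
        m = {"AN": 1.0}                      # vacuous belief before any evidence
        for a in group:
            w = decay ** ((now - a.t) / window)
            m = combine(m, attenuate({"A": a.conf, "AN": 1.0 - a.conf}, w))
        belief[key] = m.get("A", 0.0)       # Bel({attack}) for the cluster
    return belief

# Constructed sample: one slow scan reported by two sensors five minutes apart.
SAMPLE_ALERTS = [Alert(0, "10.0.0.5", "10.0.0.9", "scan", 0.9),
                 Alert(300, "10.0.0.5", "10.0.0.9", "scan", 0.8),
                 Alert(600, "10.0.0.5", "10.0.0.9", "scan", 0.6)]
```

With now=600, window=600 and decay=0.25 the scan cluster's attack belief is 0.76 (the alert at t=0 falls outside the window), whereas window=1, the single-time-point case, sees only the last alert and yields 0.6.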

CLC number: