Journal of Computer Applications ›› 2011, Vol. 31 ›› Issue (05): 1276-1279.DOI: 10.3724/SP.J.1087.2011.01276
• Information security •
ZHAI Guang-qun, ZHOU Shuang-yin
翟光群,周双银
Funding: Henan Provincial Key Science and Technology Research Project (0423020300).
Abstract: To reduce the number of alerts produced by an Intrusion Detection System (IDS) and to uncover the attacker's purpose and motivation, a new alert correlation model was proposed. In the model, alerts that share a similarity relationship are first merged by event correlation and stored as meta-alerts; the meta-alerts are then transformed into hyper-alerts according to the rules of a knowledge base; finally, hyper-alerts that stand in a causal relationship are linked by attack correlation, which yields an attack correlation graph. Experimental results show that the model raises alert-processing efficiency and helps to identify attack purposes and to improve alert accuracy.
Key words: intrusion detection, alert information, multistep attack, event correlation, hyper-alert
Abstract (Chinese version, translated): To condense the large volume of alerts generated by an intrusion detection system and to analyse the attacker's purpose and motivation, a new alert correlation model is proposed. The model uses event correlation to group alerts with a similarity relationship and stores them as meta-alerts, then converts them into hyper-alerts according to an alert-type knowledge base, and finally performs attack correlation based on the causal relationships between hyper-alerts to build an attack correlation graph. Experiments show that the model raises alert-processing efficiency and performs well at identifying attack intent and improving alert accuracy.
Keywords (Chinese version, translated): intrusion detection, alert information, multistep attack, event correlation, hyper-alert
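The three stages described in the abstract (event correlation into meta-alerts, knowledge-base mapping into hyper-alerts, causal attack correlation into a graph) can be shown end to end on a small alert stream. The following is an added illustration written for this page, not the authors' implementation: the alert stream, the signature names, the hypothetical knowledge base with its prerequisite/consequence sets, and the time windows are all constructed assumptions chosen to show the mechanism, not values taken from the paper.

```python
"""Illustrative three-stage alert correlation (added example, not the paper's code).

Stage 1 event correlation: alerts with the same (signature, src, dst) inside a
time window collapse into one meta-alert.
Stage 2 hyper-alerts: a hypothetical knowledge base maps each meta-alert to an
attack-step type with prerequisite and consequence predicates.
Stage 3 attack correlation: step A is linked to step B when A's consequences
satisfy a prerequisite of B for the same attacker/target pair, giving the edges
of an attack correlation graph.
"""
from collections import defaultdict
from dataclasses import dataclass


@dataclass
class Alert:
    ts: int      # seconds since start of capture
    sig: str     # signature name as reported by the IDS
    src: str
    dst: str


@dataclass
class MetaAlert:
    sig: str
    src: str
    dst: str
    first: int   # timestamp of first merged alert
    last: int    # timestamp of last merged alert
    count: int   # number of raw alerts merged


@dataclass
class HyperAlert:
    kind: str
    src: str
    dst: str
    ts: int
    prereq: set
    conseq: set
    meta: MetaAlert


# Constructed sample alert stream (not real sensor output, not from the paper).
SAMPLE_ALERTS = [
    Alert(100, "ICMP PING", "10.0.0.5", "192.168.1.10"),
    Alert(101, "ICMP PING", "10.0.0.5", "192.168.1.10"),
    Alert(102, "ICMP PING", "10.0.0.5", "192.168.1.10"),
    Alert(130, "SCAN nmap TCP", "10.0.0.5", "192.168.1.10"),
    Alert(131, "SCAN nmap TCP", "10.0.0.5", "192.168.1.10"),
    Alert(200, "EXPLOIT ftp buffer overflow", "10.0.0.5", "192.168.1.10"),
    Alert(260, "SHELLCODE bind shell", "10.0.0.5", "192.168.1.10"),
    Alert(300, "ICMP PING", "10.0.0.9", "192.168.1.20"),  # unrelated noise
]

# Hypothetical knowledge base: signature -> (hyper-alert type, prerequisites, consequences).
KNOWLEDGE_BASE = {
    "ICMP PING": ("HostProbe", set(), {"HostAlive"}),
    "SCAN nmap TCP": ("PortScan", {"HostAlive"}, {"OpenPort"}),
    "EXPLOIT ftp buffer overflow": ("RemoteExploit", {"OpenPort"}, {"CodeExec"}),
    "SHELLCODE bind shell": ("BackdoorShell", {"CodeExec"}, {"RemoteShell"}),
}


def event_correlate(alerts, window=60):
    """Stage 1: merge alerts sharing (sig, src, dst) whose gap to the previous
    merged alert is at most `window` seconds into a single meta-alert."""
    metas, open_meta = [], {}          # open_meta: key -> meta-alert still accumulating
    for a in sorted(alerts, key=lambda x: x.ts):
        key = (a.sig, a.src, a.dst)
        m = open_meta.get(key)
        if m is not None and a.ts - m.last <= window:
            m.last, m.count = a.ts, m.count + 1
        else:
            m = MetaAlert(a.sig, a.src, a.dst, a.ts, a.ts, 1)
            metas.append(m)
            open_meta[key] = m
    return metas


def to_hyper_alerts(metas, kb=KNOWLEDGE_BASE):
    """Stage 2: map each meta-alert to a hyper-alert via the knowledge base.
    Signatures without a rule are dropped here (a real system would log them)."""
    hypers = []
    for m in metas:
        if m.sig in kb:
            kind, pre, con = kb[m.sig]
            hypers.append(HyperAlert(kind, m.src, m.dst, m.first, pre, con, m))
    return hypers


def attack_correlate(hypers, max_gap=600):
    """Stage 3: return edges (A.kind, B.kind) where A precedes B by at most
    `max_gap` seconds, shares attacker and target, and A's consequences
    intersect B's prerequisites."""
    ordered = sorted(hypers, key=lambda h: h.ts)
    edges = []
    for i, b in enumerate(ordered):
        for a in ordered[:i]:
            if ((a.src, a.dst) == (b.src, b.dst)
                    and 0 <= b.ts - a.ts <= max_gap
                    and a.conseq & b.prereq):
                edges.append((a.kind, b.kind))
    return edges


def attack_chains(edges):
    """Walk the edge list from nodes with no incoming edge to list each
    root-to-leaf path, i.e. the reconstructed multistep attack scenarios."""
    succ, has_in = defaultdict(list), set()
    for a, b in edges:
        succ[a].append(b)
        has_in.add(b)
    chains = []

    def walk(node, path):
        if not succ[node]:
            chains.append(path)
        for nxt in succ[node]:
            walk(nxt, path + [nxt])

    for root in sorted({a for a, _ in edges} - has_in):
        walk(root, [root])
    return chains


if __name__ == "__main__":
    metas = event_correlate(SAMPLE_ALERTS)
    hypers = to_hyper_alerts(metas)
    edges = attack_correlate(hypers)
    print(len(SAMPLE_ALERTS), "raw alerts ->", len(metas), "meta-alerts ->", len(edges), "causal edges")
    for chain in attack_chains(edges):
        print(" -> ".join(chain))
```

On the constructed stream the eight raw alerts collapse to five meta-alerts, four of which chain into one scenario (HostProbe -> PortScan -> RemoteExploit -> BackdoorShell); the probe from the second source has no causal successor and stays an isolated node, which is the kind of alert-volume reduction and intent reconstruction the abstract claims. Two simplifications matter in practice: the graph is keyed by attack-step type rather than by hyper-alert instance, so two concurrent campaigns with identical step types against the same host would be merged, and the prerequisite/consequence matching is an exact set intersection, so an incomplete knowledge base silently breaks a chain instead of degrading gracefully.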
ZHAI Guang-qun, ZHOU Shuang-yin. Construction and implementation of a multistep attack alert correlation model[J]. Journal of Computer Applications, 2011, 31(05): 1276-1279.
翟光群, 周双银. 多步攻击告警关联模型构建与实现 (Construction and implementation of a multistep attack alert correlation model)[J]. 计算机应用 (Journal of Computer Applications), 2011, 31(05): 1276-1279.
URL: https://www.joca.cn/EN/10.3724/SP.J.1087.2011.01276
https://www.joca.cn/EN/Y2011/V31/I05/1276