
Alert Correlation and Analysis Algorithm Based on Frequent Pattern Mining
Cite this article: DONG Xiao-mei, YU Ge, SUN Jing-ru, WANG Li-na. An Alert Correlation and Analysis Algorithm Based on Frequent Pattern Mining [J]. Acta Electronica Sinica (电子学报), 2005, 33(8): 1356-1359.
Authors: DONG Xiao-mei (董晓梅), YU Ge (于戈), SUN Jing-ru (孙晶茹), WANG Li-na (王丽娜)
Affiliations: School of Information Science and Engineering, Northeastern University, Shenyang, Liaoning 110004; School of Information Science and Engineering, Northeastern University, Shenyang, Liaoning 110004; School of Computer Science, Wuhan University, Wuhan, Hubei 430072
Funding: National High Technology Research and Development Program of China (863 Program); National Natural Science Foundation of China; Specialized Research Fund for the Doctoral Program of Higher Education; Ministry of Education Program for Outstanding Young Teachers
Abstract: An intrusion detection and response cooperation model is proposed. Drawing on the idea of intrusion tolerance, the Intrusion Detection Message Exchange Format (IDMEF) is extended with a suspicion-degree attribute, so that suspicious events, not only detected intrusions, are reported to the cooperation components. An alert correlation and analysis algorithm based on a modified CLOSET frequent closed pattern mining algorithm is proposed; in a distributed intrusion detection and response cooperation system it helps the cooperation components correlate and analyze the IDMEF alert messages they receive so that an appropriate response can be made. To this end, CLOSET is modified to obtain frequent closed patterns according to a minimum support and a minimum suspicion degree. Experimental results show that the algorithm substantially reduces the number of alerts while still allowing an appropriate response to every suspicious event and intrusion.

Keywords: intrusion detection; cooperation; alert; intrusion tolerance; frequent pattern
Article number: 0372-2112(2005)08-1356-04
Received: 2003-09-23
Revised: 2005-05-01

An Alert Correlation and Analysis Algorithm Based on Frequent Pattern Mining
DONG Xiao-mei, YU Ge, SUN Jing-ru, WANG Li-na. An Alert Correlation and Analysis Algorithm Based on Frequent Pattern Mining [J]. Acta Electronica Sinica, 2005, 33(8): 1356-1359.
Authors: DONG Xiao-mei, YU Ge, SUN Jing-ru, WANG Li-na
Institution: 1. School of Information Science and Engineering, Northeastern University, Shenyang, Liaoning 110004, China; 2. School of Computer Science and Technology, Wuhan University, Wuhan, Hubei 430072, China
Abstract: An intrusion detection and response cooperation model was proposed. Incorporating the idea of intrusion tolerance, the Intrusion Detection Message Exchange Format (IDMEF) was extended with a suspicion-degree attribute, so that suspicious events as well as intrusions can be reported to the cooperation components. An alert correlation and analysis algorithm was proposed, based on a modified version of the CLOSET frequent closed pattern mining algorithm. The algorithm helps the cooperation components in a distributed intrusion detection and response cooperation system to correlate and analyze the alerts they receive and make appropriate responses. To this end, the CLOSET algorithm was modified to obtain frequent closed patterns according to a minimum support and a minimum suspicion degree. Experimental results show that applying the algorithm effectively decreases the number of alerts, and that appropriate responses can be made to all suspicious and intrusion events.
Keywords: intrusion detection; cooperation; alert; intrusion tolerance; frequent pattern
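The mining step the abstract describes, as an added illustration that is not the paper's code: alerts carrying the suspicion-degree attribute are mined for closed patterns that satisfy both a minimum support and a minimum suspicion degree, and each surviving pattern stands in for the alerts it covers. The alert data is constructed, the closure is computed by brute force rather than with CLOSET's FP-tree search, and aggregating a pattern's suspicion as the mean of its supporting alerts is an assumption, since the abstract does not say how the paper combines the degrees.

```python
from itertools import combinations

# Constructed IDMEF-like alerts (values are made up for this example); "suspicion"
# is the suspicion-degree attribute the paper adds to IDMEF, here in [0, 1].
ALERTS = [
    {"src": "10.0.0.5", "dst": "10.0.1.2", "class": "portscan", "suspicion": 0.9},
    {"src": "10.0.0.5", "dst": "10.0.1.2", "class": "portscan", "suspicion": 0.8},
    {"src": "10.0.0.5", "dst": "10.0.1.3", "class": "portscan", "suspicion": 0.7},
    {"src": "10.0.0.5", "dst": "10.0.1.2", "class": "login-fail", "suspicion": 0.5},
    {"src": "10.0.0.9", "dst": "10.0.1.2", "class": "login-fail", "suspicion": 0.2},
    {"src": "10.0.0.9", "dst": "10.0.1.4", "class": "login-fail", "suspicion": 0.1},
]

def items_of(alert):
    """Attribute/value pairs of an alert; suspicion is a weight, not an item."""
    return frozenset((k, v) for k, v in alert.items() if k != "suspicion")

def supporting(alerts, pattern):
    """Alerts that contain every attribute/value pair of the pattern."""
    return [a for a in alerts if pattern <= items_of(a)]

def closure(alerts, pattern):
    """Smallest closed superset: the pairs shared by all supporting alerts."""
    sup = supporting(alerts, pattern)
    return frozenset.intersection(*(items_of(a) for a in sup)) if sup else pattern

def frequent_closed_patterns(alerts, min_support, min_suspicion):
    """Closed patterns with support >= min_support whose supporting alerts have a
    mean suspicion degree >= min_suspicion (mean aggregation is an assumption).
    Returns {pattern: (support, mean_suspicion)}."""
    found, seen = {}, set()
    for alert in alerts:
        items = sorted(items_of(alert))
        # every subset of one alert's items seeds a candidate; its closure is the
        # closed pattern it belongs to, so each closed pattern is visited once
        for k in range(1, len(items) + 1):
            for combo in combinations(items, k):
                pat = closure(alerts, frozenset(combo))
                if pat in seen:
                    continue
                seen.add(pat)
                sup = supporting(alerts, pat)
                score = sum(a["suspicion"] for a in sup) / len(sup)
                if len(sup) >= min_support and score >= min_suspicion:
                    found[pat] = (len(sup), score)
    return found

if __name__ == "__main__":
    for pat, (support, score) in frequent_closed_patterns(ALERTS, 2, 0.65).items():
        print(dict(sorted(pat)), "support:", support, "suspicion: %.2f" % score)
```

With these thresholds the six alerts collapse to four closed patterns, all rooted at the scanning source, while the low-suspicion login failures fall below the suspicion threshold even though they are frequent.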
This article is indexed in CNKI, VIP (维普) and Wanfang Data (万方数据).