Computer Science (计算机科学), 2019, Vol. 46, Issue (4): 203-209. doi: 10.11896/j.issn.1002-137X.2019.04.032

• Information Security •

Alert Processing Method Based on Hierarchical Clustering

WU Yi-fan (吴祎凡), CUI Yan-peng (崔艳鹏), HU Jian-wei (胡建伟)

  1. Network Behavior Research Center, Xidian University, Xi'an 710071, China
  • Received: 2018-03-21  Online: 2019-04-15  Published: 2019-04-23
  • Corresponding author: CUI Yan-peng (born 1978), female, Ph.D., associate professor; main research interests: network attack and defense, security and protection of intelligent terminals. E-mail: ypcui@mail.xidian.cn
  • About the authors: WU Yi-fan (born 1994), female, M.S.; main research interest: network security. E-mail: 543665029@qq.com. HU Jian-wei (born 1973), male, Ph.D., associate professor; main research interests: network security and network confrontation.


Abstract: Intrusion detection systems commonly produce redundant alerts, which hinder the judgment of attack types. This paper proposes an alert processing method based on improved hierarchical clustering that reduces redundant alerts and improves the accuracy of attack type detection. Building on hierarchical clustering, the method uses the alert content as the sole clustering attribute, adopts the proportion of effective alerts backed by prior knowledge as the criterion for selecting the clustering threshold, and improves on the conventional practice of directly discarding clusters above the threshold: the cosine similarity algorithm is used to compute a representative alert for such clusters, so that useful alerts are not discarded. After clustering with a suitable threshold, the deduplicated and clustered alerts within the time window are displayed in time-axis order so that the attacker's attack type can be determined quickly. Experimental results show that the improved clustering method removes redundancy more effectively.

Key words: Alert, Hierarchical clustering, Similarity calculation, Snort, Threshold selection

CLC number: TP393
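To make the pipeline in the abstract concrete, the following is an added example (not the paper's code): it clusters Snort-style alert messages by content only with agglomerative average-linkage clustering over cosine similarity of term counts, picks a cosine-based representative for every cluster instead of discarding large ones, scores candidate thresholds by the share of representatives confirmed by prior knowledge, and prints the deduplicated clusters in time order within a time window. The alert messages, the `KNOWN_EFFECTIVE` set, the term-count tokenizer, average linkage and the tie-break toward the larger threshold are all assumptions of this example; the paper does not specify them.

```python
"""Alert de-duplication by hierarchical clustering on alert content (added example)."""
import math
import re
from collections import Counter
from datetime import datetime

# Constructed Snort-style alerts (timestamp, message); not real captures.
SAMPLE_ALERTS = [
    ("2018-03-21 10:00:01", "ET SCAN Nmap Scripting Engine User-Agent Detected"),
    ("2018-03-21 10:00:02", "ET SCAN Nmap Scripting Engine User-Agent Detected (Nmap Scripting Engine)"),
    ("2018-03-21 10:00:05", "ET SCAN Possible Nmap User-Agent Observed"),
    ("2018-03-21 10:01:10", "ET WEB_SERVER SQL Injection Attempt UNION SELECT in URI"),
    ("2018-03-21 10:01:11", "ET WEB_SERVER SQL Injection Attempt UNION SELECT in HTTP body"),
    ("2018-03-21 10:02:30", "ET WEB_SERVER Possible Command Injection in URI"),
    ("2018-03-21 10:05:00", "ET POLICY Outbound SSH connection on non-standard port"),
]
# Constructed prior knowledge: indices of alerts an analyst already confirmed as useful.
KNOWN_EFFECTIVE = {0, 3}
TS_FMT = "%Y-%m-%d %H:%M:%S"


def tokenize(message):
    """Term-count vector of the alert message; content is the only attribute used."""
    return Counter(re.findall(r"[a-z0-9_]+", message.lower()))


def cosine(a, b):
    dot = sum(a[t] * b[t] for t in a.keys() & b.keys())
    na = math.sqrt(sum(v * v for v in a.values()))
    nb = math.sqrt(sum(v * v for v in b.values()))
    return dot / (na * nb) if na and nb else 0.0


def similarity_matrix(alerts):
    vecs = [tokenize(m) for _, m in alerts]
    n = len(vecs)
    sim = [[1.0] * n for _ in range(n)]
    for i in range(n):
        for j in range(i + 1, n):
            sim[i][j] = sim[j][i] = cosine(vecs[i], vecs[j])  # computed once, kept symmetric
    return sim


def cluster_alerts(sim, threshold):
    """Agglomerative average-linkage clustering: merge the two closest clusters
    while their mean pairwise similarity is >= threshold. Returns index lists."""
    clusters = [[i] for i in range(len(sim))]
    while len(clusters) > 1:
        best = None
        for x in range(len(clusters)):
            for y in range(x + 1, len(clusters)):
                s = sum(sim[i][j] for i in clusters[x] for j in clusters[y])
                s /= len(clusters[x]) * len(clusters[y])
                if best is None or s > best[0]:
                    best = (s, x, y)
        if best[0] < threshold:
            break
        _, x, y = best
        clusters[x] = clusters[x] + clusters[y]
        del clusters[y]
    return clusters


def representative(cluster, sim):
    """Member with the highest total cosine similarity to the other members.
    Every cluster, however large, is summarised this way rather than dropped."""
    return max(cluster, key=lambda i: sum(sim[i][j] for j in cluster if j != i))


def effective_ratio(clusters, sim, effective):
    """Share of cluster representatives backed by prior knowledge."""
    reps = [representative(c, sim) for c in clusters]
    return sum(r in effective for r in reps) / len(reps) if reps else 0.0


def select_threshold(sim, candidates, effective):
    """Candidate with the highest effective-alert ratio; ties go to the larger
    threshold (tighter clusters), a choice of this example."""
    return max(candidates, key=lambda t: (effective_ratio(cluster_alerts(sim, t), sim, effective), t))


def clustered_timeline(alerts, threshold, start=None, end=None):
    """Deduplicated, clustered alerts inside [start, end] in time-axis order:
    (first-seen timestamp, representative message, number of alerts)."""
    def ts(s):
        return datetime.strptime(s, TS_FMT)
    lo, hi = (ts(start) if start else None), (ts(end) if end else None)
    keep = [a for a in alerts if (lo is None or ts(a[0]) >= lo) and (hi is None or ts(a[0]) <= hi)]
    sim = similarity_matrix(keep)
    rows = []
    for c in cluster_alerts(sim, threshold):
        rep = representative(c, sim)
        rows.append((min(keep[i][0] for i in c), keep[rep][1], len(c)))
    return sorted(rows, key=lambda r: r[0])


if __name__ == "__main__":
    sim = similarity_matrix(SAMPLE_ALERTS)
    t = select_threshold(sim, [0.3, 0.5, 0.7, 0.95], KNOWN_EFFECTIVE)
    print(f"selected threshold: {t}")
    for first, msg, n in clustered_timeline(SAMPLE_ALERTS, t, "2018-03-21 10:00:00", "2018-03-21 10:10:00"):
        print(f"{first}  x{n}  {msg}")
```

On the constructed alerts the scan, SQL-injection and SSH-policy messages fall into three clusters at threshold 0.5; the scan cluster is summarised by its first alert, and the threshold scan prefers 0.5 over 0.3 only by the tie-break, which is why the effective-alert ratio needs a larger labelled set in practice.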