Computer Science ›› 2019, Vol. 46 ›› Issue (8): 64-70. doi: 10.11896/j.issn.1002-137X.2019.08.010

• Big Data and Data Science •

Alert Correlation Algorithm Based on Improved FP Growth

LU Xian-guang (鲁显光), DU Xue-hui (杜学绘), WANG Wen-juan (王文娟)

  1. (Information Engineering University, Zhengzhou 450001, China)
  • Received: 2018-11-06 Online: 2019-08-15 Published: 2019-08-15
  • Corresponding author: DU Xue-hui (杜学绘), born 1968, female, Ph.D., professor; main research interest: network and information security. E-mail: dxh37139@sina.com
  • About the authors: LU Xian-guang (鲁显光), born 1994, male, master's student; main research interests: data mining, network and information security. WANG Wen-juan (王文娟), born 1981, female, Ph.D. candidate, associate professor; main research interests: network and information security, data mining.
  • Funding:
    National Key Research and Development Program of China (2016YFB0501901, 2018YFB0803603)

Abstract: The raw alerts generated by an intrusion detection system are low-level, isolated from one another and lack correlation, which makes it difficult for security managers to discover unknown, high-level security threats and to understand the overall security situation of the target network. To build attack scenarios from low-level alerts, this paper analyzes the existing alert correlation knowledge and, targeting the poor performance of existing data-mining-based alert correlation algorithms on sparse data, proposes a new data-mining-based alert correlation algorithm. First, the existing alert correlation algorithms are analyzed and compared; then the mechanisms, merits and drawbacks of the classical Apriori and FP growth algorithms are described, and the FP growth algorithm is improved on the basis of a two-dimensional table; finally, the improved algorithm is used to mine association rules among alerts, and these rules are then used to correlate the alerts. To verify the feasibility and performance of the proposed method, simulation tests are carried out on the DARPA data set, and the experimental results show that the scheme achieves alert correlation effectively.

Key words: Alert correlation, Correlation analysis, FP growth algorithm, Intrusion detection
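As an added illustration (not code from the paper), the classical FP growth and association-rule mining that the abstract builds on, run over constructed IDS alert transactions and followed by a simple rule-based correlation step; the paper's two-dimensional-table improvement is not reproduced here, and the alert names, windows and thresholds are constructed for the demo.

```python
from collections import Counter, defaultdict
from itertools import combinations
from types import SimpleNamespace
# Constructed sample: each transaction is the set of IDS alert types raised in one
# time window against one target host (alert names are invented for this demo).
WINDOWS = [{"port_scan", "ftp_brute", "ftp_login"}, {"port_scan", "ftp_brute", "ftp_login", "dos_flood"},
           {"port_scan", "ftp_brute"}, {"port_scan", "ftp_login"}, {"web_probe", "dos_flood"},
           {"port_scan", "ftp_brute", "ftp_login"}]

def node(item, parent):  # FP-tree node
    return SimpleNamespace(item=item, count=0, parent=parent, children={})

def fp_growth(transactions, min_support):
    """Classical FP-growth (Han et al.): returns {frozenset(items): support count}."""
    counts = Counter(i for t in transactions for i in t)
    freq = {i: c for i, c in counts.items() if c >= min_support}
    if not freq:
        return {}
    root, header = node(None, None), defaultdict(list)  # header table: item -> tree nodes
    for t in transactions:                              # build the FP-tree
        cur = root
        for item in sorted((i for i in t if i in freq), key=lambda i: (-freq[i], i)):
            if item not in cur.children:
                cur.children[item] = node(item, cur)
                header[item].append(cur.children[item])
            cur = cur.children[item]
            cur.count += 1
    patterns = {}
    for item in sorted(freq, key=lambda i: (freq[i], i)):  # least frequent first
        patterns[frozenset([item])] = freq[item]
        base = []                                       # conditional pattern base
        for leaf in header[item]:
            path, n = [], leaf.parent
            while n.item is not None:
                path, n = path + [n.item], n.parent
            base.extend([path] * leaf.count)
        for sub, sup in fp_growth(base, min_support).items():
            patterns[sub | {item}] = sup                # grow the pattern by this item
    return patterns

def association_rules(patterns, min_conf):
    """Rules X -> Y over the frequent itemsets, keeping confidence >= min_conf."""
    rules = []
    for items, sup in patterns.items():
        for k in range(1, len(items)):
            for ante in map(frozenset, combinations(sorted(items), k)):
                conf = sup / patterns[ante]             # every subset of a frequent set is frequent
                if conf >= min_conf:
                    rules.append((ante, items - ante, round(conf, 3)))
    return rules

def correlate(observed, rules):
    """Alert correlation: keep the observed alerts that a mined rule ties to another observed alert."""
    return {a for ante, cons, _ in rules if ante <= observed and cons & observed for a in ante | (cons & observed)}
```

With `min_support=3` the `dos_flood` and `web_probe` alerts never become frequent, so `correlate` leaves them ungrouped while the scan/brute-force/login alerts are tied together by the mined rules.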

CLC number:

  • TP393.08