Computer Science, 2019, Vol. 46, Issue 4: 203-209. doi: 10.11896/j.issn.1002-137X.2019.04.032

• Information Security •

Alert Processing Method Based on Hierarchical Clustering

WU Yi-fan, CUI Yan-peng, HU Jian-wei   

Network Behavior Research Center, Xidian University, Xi'an 710071, China
Received: 2018-03-21; Online: 2019-04-15; Published: 2019-04-23

Abstract: Intrusion detection systems generally produce redundant alarms, which hinder the judgment of attack types. To reduce this redundancy and improve the accuracy of attack type detection, this paper proposes an alert processing method based on improved hierarchical clustering. Building on hierarchical clustering, the method uses the alert content as the sole clustering attribute, takes the percentage of effective alerts (determined with prior knowledge) as the criterion for selecting the clustering threshold, and replaces the conventional practice of directly discarding any cluster whose value exceeds the threshold. Instead, the improved method uses cosine similarity to compute a representative alert for each cluster above the threshold, so that useful alarms are not discarded. After clustering with a suitable threshold, the deduplicated and clustered alerts within the time window are displayed in time-axis order, so that the attacker's attack type can be determined quickly. Experimental results show that the improved clustering method achieves better deduplication.

Key words: Alert, Hierarchical clustering, Similarity calculation, Snort, Threshold selection

CLC Number: TP393