A Multi-Source Attack-Graph Intrusion Detection Method Based on Suspicious Queues (基于可疑队列的多源攻击图入侵检测方法)

Published in: 《计算机工程与设计》 (Computer Engineering and Design)

Abstract

Most existing intrusion-detection methods that work on IDS alerts, such as causal correlation analysis and attack graphs, cannot reconstruct attack scenarios well when the alerts contain many false positives or missed detections (false negatives). To address this problem, an intrusion-detection method based on alert logs from multiple kinds of devices is proposed: the logs from the different devices are correlated to build an attack graph containing a large number of attack scenarios. Each attack scenario in the graph contains alerts from different devices; whenever a new alert is generated, it is matched against the scenarios in the attack graph to discover new attack processes. Experimental results show that the method reconstructs attack scenarios well; in particular, when the IDS alerts contain many false positives or missed detections, its scenario reconstruction rate is markedly higher than that of other comparable detection methods.
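As an added illustration of the correlation and matching steps described above (this is example code, not the paper's own algorithm or implementation), the following Python sketch groups alerts from several devices into per-host-pair attack scenarios and matches each newly arriving alert against the existing scenarios. The four-stage scenario template, the `STAGE_OF` table mapping a (device, signature) pair to a stage, the time window, and all alert records are assumptions constructed for the example. The sample input deliberately has the IDS miss two alerts of a real intrusion and raise one uncorroborated alert from an unrelated host, so that an IDS-only graph and a multi-source graph can be compared.

```python
"""Multi-source alert correlation into attack scenarios (illustrative only).

Not the paper's algorithm or code. Assumes a hypothetical four-stage scenario
template, a hand-written (device, signature) -> stage table, and constructed
alerts from three devices: "ids", "firewall" and "webserver".
"""
from dataclasses import dataclass, field

# Hypothetical ordered stages of one attack scenario (assumption).
STAGES = ["scan", "exploit", "c2", "exfil"]

# Hypothetical (device, signature) -> stage table (assumption). Two devices
# reporting the same stage is what lets a lost IDS alert be filled in.
STAGE_OF = {
    ("ids", "PORTSCAN"): "scan",
    ("firewall", "MULTI_PORT_DENY"): "scan",
    ("ids", "SQLI"): "exploit",
    ("webserver", "SQL_ERROR_5XX"): "exploit",
    ("ids", "BEACON"): "c2",
    ("firewall", "PERIODIC_OUTBOUND"): "c2",
    ("ids", "LARGE_UPLOAD"): "exfil",
    ("firewall", "BULK_EGRESS"): "exfil",
}

WINDOW = 3600  # seconds an alert may trail the scenario's first alert (assumption)


@dataclass
class Alert:
    ts: int
    device: str
    signature: str
    src: str
    dst: str


@dataclass
class Scenario:
    hosts: frozenset  # unordered {attacker, victim} pair
    start: int        # timestamp of the first correlated alert
    stages: dict = field(default_factory=dict)  # stage -> [Alert, ...]

    def progress(self):
        """Stages observed so far, in template order."""
        return [s for s in STAGES if s in self.stages]

    def completeness(self):
        """Fraction of the template stages reconstructed for this scenario."""
        return len(self.progress()) / len(STAGES)


class AttackGraph:
    """Set of scenarios; every incoming alert is matched against them."""

    def __init__(self):
        self.scenarios = []

    def match(self, alert):
        """Attach the alert to an open scenario for its host pair, or open one."""
        stage = STAGE_OF.get((alert.device, alert.signature))
        if stage is None:
            return None  # unknown signature: nothing to correlate with
        hosts = frozenset((alert.src, alert.dst))  # direction-agnostic key
        for sc in self.scenarios:
            if sc.hosts == hosts and 0 <= alert.ts - sc.start <= WINDOW:
                sc.stages.setdefault(stage, []).append(alert)
                return sc
        sc = Scenario(hosts, alert.ts, {stage: [alert]})
        self.scenarios.append(sc)
        return sc


def build_graph(alerts, devices):
    """Feed the alerts of the selected devices into a graph in time order."""
    g = AttackGraph()
    for a in sorted(alerts, key=lambda a: a.ts):
        if a.device in devices:
            g.match(a)
    return g


def reconstruct(alerts, devices):
    """Return {sorted host pair: reconstructed stages} for the selected devices."""
    g = build_graph(alerts, devices)
    return {tuple(sorted(sc.hosts)): sc.progress() for sc in g.scenarios}


# Constructed sample input. The IDS lost the exploit and C2 alerts of the real
# intrusion (10.0.0.5 -> 10.0.1.20) and raised one uncorroborated alert from
# an unrelated host (10.0.3.9), which no other device corroborates.
ALERTS = [
    Alert(100, "ids", "PORTSCAN", "10.0.0.5", "10.0.1.20"),
    Alert(110, "firewall", "MULTI_PORT_DENY", "10.0.0.5", "10.0.1.20"),
    Alert(400, "webserver", "SQL_ERROR_5XX", "10.0.0.5", "10.0.1.20"),
    Alert(900, "firewall", "PERIODIC_OUTBOUND", "10.0.1.20", "10.0.0.5"),
    Alert(1500, "ids", "SQLI", "10.0.3.9", "10.0.1.20"),  # IDS false positive
    Alert(2000, "ids", "LARGE_UPLOAD", "10.0.1.20", "10.0.0.5"),
    Alert(2500, "firewall", "BULK_EGRESS", "10.0.1.20", "10.0.0.5"),
]

if __name__ == "__main__":
    print("IDS only  :", reconstruct(ALERTS, {"ids"}))
    print("multi-src :", reconstruct(ALERTS, {"ids", "firewall", "webserver"}))
```

With only the IDS feed the real intrusion is reconstructed as `["scan", "exfil"]` (half the template), whereas the multi-source graph recovers all four stages because the firewall and web-server logs supply the two stages the IDS dropped; the false-positive SQLI alert opens a separate single-stage scenario that nothing else ever joins, which is the signal a practitioner would use to discount it. Calling `AttackGraph.match` on a later alert (for example an IDS BEACON between the same two hosts) shows the incremental step: the alert lands in the already-open scenario rather than creating a new one.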
