ISSN 1000-1239 CN 11-1777/TP

Journal of Computer Research and Development ›› 2006, Vol. 43 ›› Issue (1): 1-8.


A Survey of Intrusion-Detection Alert Aggregation and Correlation Techniques

Mu Chengpo, Huang Houkuan, and Tian Shengfeng

  1. (School of Computer and Information Technology, Beijing Jiaotong University, Beijing 100044) (combinatorics@126.com)
  • Online: 2006-01-15

Abstract: Alert aggregation and correlation is an important direction in the development of intrusion detection. This paper explains why alert aggregation and correlation systems need to be developed and which goals the aggregation and correlation of alerts can achieve. It then discusses the existing aggregation and correlation algorithms in detail and analyses the characteristics of each; presents the principles, based on those characteristics, used to choose among the algorithms when developing the intrusion detection alert management system (IDAMS); summarizes the architectures of existing aggregation and correlation systems; and briefly introduces the intrusion detection message exchange format (IDMEF) and its role in alert correlation. Finally, it reviews the current state of aggregation and correlation systems and identifies the main technical problems and future directions in developing them.

Key words: intrusion detection, alert aggregation, alert correlation, network security
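The abstract distinguishes two operations: aggregation, which merges runs of near-identical raw alerts into a single meta-alert, and correlation, which links meta-alerts into a multi-step attack scenario. The following Python is an added example written for this page; it is not code from the paper or from IDAMS. It uses a minimal subset of the IDMEF alert fields (detect time, classification, source, target) and a hypothetical prerequisite/consequence knowledge base (`KB`), the style of correlation rule used by several published approaches; the alert sample is constructed.

```python
"""Added example: alert aggregation, then prerequisite/consequence correlation."""
from collections import defaultdict
from dataclasses import dataclass, field


@dataclass
class Alert:
    """Minimal IDMEF-like alert: detect time (s), classification, source, target."""
    ts: float
    classification: str
    src: str
    dst: str


@dataclass
class MetaAlert:
    """One aggregated alert standing for a run of similar raw alerts."""
    classification: str
    src: str
    dst: str
    first: float
    last: float
    count: int = 1
    members: list = field(default_factory=list)


def aggregate(alerts, window=60.0):
    """Merge raw alerts with identical (classification, src, dst) whose detect time
    is within `window` seconds of the previous member into one meta-alert.
    Input is sorted first, so out-of-order delivery does not split a run."""
    open_metas = {}
    result = []
    for a in sorted(alerts, key=lambda x: x.ts):
        key = (a.classification, a.src, a.dst)
        m = open_metas.get(key)
        if m is not None and a.ts - m.last <= window:
            m.last = a.ts
            m.count += 1
            m.members.append(a)
        else:
            m = MetaAlert(a.classification, a.src, a.dst, a.ts, a.ts, 1, [a])
            open_metas[key] = m
            result.append(m)
    return result


# Hypothetical knowledge base (assumption, not from the paper): what each attack
# class requires (pre) and yields (post), and whether the predicate attaches to
# the alert's source or target host.
KB = {
    "port-scan":           {"pre": [],                          "post": [("knows_services", "dst")]},
    "buffer-overflow":     {"pre": [("knows_services", "dst")], "post": [("root_shell", "dst")]},
    "outbound-connection": {"pre": [("root_shell", "src")],     "post": []},
}


def facts(meta, which):
    """Instantiate the KB predicates of a meta-alert with its concrete hosts."""
    return {(pred, getattr(meta, role)) for pred, role in KB[meta.classification][which]}


def correlate(metas):
    """Link meta-alert i to j when i ends before j starts and a consequence of i
    is a prerequisite of j on the same host."""
    edges = []
    for i, a in enumerate(metas):
        for j, b in enumerate(metas):
            if i != j and a.last < b.first and facts(a, "post") & facts(b, "pre"):
                edges.append((i, j))
    return edges


def scenarios(metas, edges):
    """Walk the correlation graph from its roots; return every multi-step chain."""
    succ = defaultdict(list)
    has_pred = set()
    for i, j in edges:
        succ[i].append(j)
        has_pred.add(j)
    chains = []

    def walk(path):
        if not succ[path[-1]]:
            if len(path) > 1:
                chains.append(path)
            return
        for j in succ[path[-1]]:
            walk(path + [j])

    for i in range(len(metas)):
        if i not in has_pred:
            walk([i])
    return chains


def sample_alerts():
    """Constructed input: a scan burst, an exploit of the scanned host, a callback
    from that host, and one unrelated scan elsewhere."""
    scan = [Alert(t, "port-scan", "10.0.0.5", "192.168.1.10") for t in range(20)]
    return scan + [
        Alert(120.0, "buffer-overflow", "10.0.0.5", "192.168.1.10"),
        Alert(121.0, "buffer-overflow", "10.0.0.5", "192.168.1.10"),
        Alert(130.0, "outbound-connection", "192.168.1.10", "203.0.113.7"),
        Alert(500.0, "port-scan", "10.0.0.9", "192.168.1.20"),
    ]


if __name__ == "__main__":
    metas = aggregate(sample_alerts())
    for k, m in enumerate(metas):
        print(k, m.classification, m.src, "->", m.dst, "x%d" % m.count)
    for chain in scenarios(metas, correlate(metas)):
        print("scenario:", " => ".join(metas[i].classification for i in chain))
```

On the constructed input the twenty scan alerts collapse into one meta-alert and the two overflow alerts into another, so the correlation step works on four objects instead of twenty-four, and the chain port-scan => buffer-overflow => outbound-connection emerges because the exploited target of one step is the source of the next. Two caveats a practitioner would check: the aggregation key and window decide what gets merged (a window that is too wide hides the boundary between separate attacks from the same source), and the correlation step can only link classes that have KB entries, so an alert class with no rule never joins a scenario.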