Journal of Beijing University of Posts and Telecommunications

  • EI-indexed core journal

Journal of Beijing University of Posts and Telecommunications ›› 2008, Vol. 31 ›› Issue (6): 63-66. doi: 10.13190/jbupt.200806.63.wub


Alert Log Analysis in Honeynets (title as given in Chinese)

WU Bin, ZHENG Kang-feng, YANG Yi-xian

  1. (State Key Laboratory of Networking and Switching Technology, Beijing University of Posts and Telecommunications, Beijing 100876, China)
  • Received: 2007-12-10  Revised: 2008-07-09  Online: 2008-12-31  Published: 2008-12-31
  • Contact: WU Bin

Analysis of Alert Correlation in Honeynet

WU Bin, ZHENG Kang-feng, YANG Yi-xian   

  1. (State Key Laboratory of Networking and Switching Technology,
    Beijing University of Posts and Telecommunications, Beijing 100876, China)
  • Received:2007-12-10 Revised:2008-07-09 Online:2008-12-31 Published:2008-12-31
  • Contact: WU Bin

Abstract (translated from the Chinese):

A honeynet architecture with integrated alert log analysis and a corresponding alert analysis model are proposed. Alerts from network intrusion detection and host intrusion detection are combined; network information and an alert similarity function are used to filter and fuse alerts; an improved Apriori algorithm mines association rules among the alerts; and matching those rules yields the final attack report. Experiments show that the method effectively reduces redundant alerts in the honeynet, reveals the correlation between the attacks the honeynet suffers, and presents the attack scenario.

Keywords: honeynet, intrusion detection, alert correlation

Abstract:

A honeynet architecture with an alert analysis model is proposed. The new honeynet design combines alerts from the network intrusion detection system (NIDS) and the host intrusion detection system (HIDS) to find correlations among them. Alerts are filtered and merged using network information and a similarity membership function. An improved Apriori algorithm is then applied to discover alert correlation rules, which are matched against the alert stream to construct attack scenarios. Experiments demonstrate that, with the alert analysis model, redundant IDS alerts are reduced effectively and the correlation relationships among different attacks are constructed accurately.
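The abstract names three stages (similarity-based filtering and fusion of NIDS/HIDS alerts, Apriori mining of alert association rules, and rule matching to form scenarios) without giving the paper's actual similarity function, its Apriori modification, or its data. The block below is an added example, not code from the paper or its authors: it implements the plain textbook Apriori rather than the authors' improved variant, and the attribute weights, merge threshold, transaction window, and the nine sample alerts are all constructed assumptions chosen so that the pipeline's effect (one duplicate removed, a scan → brute-force → root-login chain mined as rules, and each attacker's transaction matched against those rules) is visible on a run.

```python
"""Added example (not from the paper): a toy NIDS/HIDS alert-correlation pipeline
in the shape the abstract describes: similarity-based fusion, Apriori rule mining,
and rule matching to build attack scenarios. Weights, thresholds, the window size
and the sample alerts are assumptions; the Apriori here is the plain algorithm."""
from collections import defaultdict
from itertools import combinations

# Constructed sample alerts from two sensors (nids/hids). Three attacking hosts;
# the first two complete a scan -> brute force -> root login chain.
ALERTS = [
    {"src": "nids", "t": 0,   "sip": "10.0.0.5", "dip": "192.168.1.10", "port": 22, "sig": "PORTSCAN"},
    {"src": "nids", "t": 2,   "sip": "10.0.0.5", "dip": "192.168.1.10", "port": 22, "sig": "PORTSCAN"},  # duplicate
    {"src": "nids", "t": 30,  "sip": "10.0.0.5", "dip": "192.168.1.10", "port": 22, "sig": "SSH_BRUTE"},
    {"src": "hids", "t": 40,  "sip": "10.0.0.5", "dip": "192.168.1.10", "port": 22, "sig": "ROOT_LOGIN"},
    {"src": "nids", "t": 120, "sip": "10.0.0.7", "dip": "192.168.1.11", "port": 22, "sig": "PORTSCAN"},
    {"src": "nids", "t": 150, "sip": "10.0.0.7", "dip": "192.168.1.11", "port": 22, "sig": "SSH_BRUTE"},
    {"src": "hids", "t": 160, "sip": "10.0.0.7", "dip": "192.168.1.11", "port": 22, "sig": "ROOT_LOGIN"},
    {"src": "nids", "t": 200, "sip": "10.0.0.9", "dip": "192.168.1.12", "port": 22, "sig": "PORTSCAN"},
    {"src": "nids", "t": 230, "sip": "10.0.0.9", "dip": "192.168.1.12", "port": 22, "sig": "SSH_BRUTE"},
]
WEIGHTS = {"sip": 0.3, "dip": 0.2, "port": 0.1, "sig": 0.3}  # assumed attribute weights
TIME_SCALE = 10.0       # seconds over which the time term decays to 0 (assumed)
MERGE_THRESHOLD = 0.9   # fuse two alerts when similarity >= this (assumed)
WINDOW = 60             # seconds per attacker transaction window (assumed)

def similarity(a, b):
    """Similarity membership in [0, 1]: weighted attribute matches plus time proximity."""
    s = sum(w for k, w in WEIGHTS.items() if a[k] == b[k])
    s += 0.1 * max(0.0, 1.0 - abs(a["t"] - b["t"]) / TIME_SCALE)
    return s

def fuse(alerts, threshold=MERGE_THRESHOLD):
    """Filter/merge: an alert similar enough to an already fused one just bumps its count."""
    fused = []
    for a in alerts:
        for f in fused:
            if similarity(a, f) >= threshold:
                f["count"] += 1
                break
        else:
            fused.append(dict(a, count=1))
    return fused

def transactions(fused, window=WINDOW):
    """Group fused alerts by (attacker IP, time window) into signature sets for Apriori."""
    tx = defaultdict(set)
    for f in fused:
        tx[(f["sip"], f["t"] // window)].add(f["sig"])
    return list(tx.values())

def apriori(tx, min_support):
    """Frequent signature sets, level-wise with subset pruning (plain Apriori)."""
    n = len(tx)
    support = lambda s: sum(1 for t in tx if s <= t) / n
    level = {frozenset([i]) for t in tx for i in t}
    level = {s for s in level if support(s) >= min_support}
    frequent = {s: support(s) for s in level}
    k = 2
    while level:
        cands = {a | b for a in level for b in level if len(a | b) == k}
        # prune: every (k-1)-subset of a candidate must itself be frequent
        cands = {c for c in cands
                 if all(frozenset(sub) in level for sub in combinations(c, k - 1))}
        level = {c for c in cands if support(c) >= min_support}
        frequent.update({c: support(c) for c in level})
        k += 1
    return frequent

def rules(frequent, min_conf):
    """Association rules antecedent -> consequent with confidence >= min_conf."""
    out = []
    for s, sup in frequent.items():
        if len(s) < 2:
            continue
        for r in range(1, len(s)):
            for ante in map(frozenset, combinations(s, r)):
                conf = sup / frequent[ante]
                if conf >= min_conf:
                    out.append((ante, s - ante, round(conf, 2)))
    return out

def scenarios(tx, rs):
    """Match mined rules against each transaction; a full match is a reported scenario step."""
    return [(sorted(t), sorted((sorted(a), sorted(c)) for a, c, _ in rs if a | c <= t))
            for t in tx]

def run(alerts=ALERTS, min_support=0.6, min_conf=0.8):
    """End-to-end: raw alerts -> fused alerts -> transactions -> rules -> scenarios."""
    fused = fuse(alerts)
    tx = transactions(fused)
    rs = rules(apriori(tx, min_support), min_conf)
    return fused, tx, rs, scenarios(tx, rs)

if __name__ == "__main__":
    fused, tx, rs, scen = run()
    print(f"{len(ALERTS)} raw alerts -> {len(fused)} fused alerts -> {len(tx)} transactions")
    for a, c, conf in sorted(rs, key=lambda r: -r[2]):
        print(f"rule {sorted(a)} -> {sorted(c)}  conf={conf}")
    for t, matched in scen:
        print("scenario", t, "matches", matched)
```

On the constructed data the two PORTSCAN alerts two seconds apart score 0.98 and are fused, while a PORTSCAN and an SSH_BRUTE from the same host share only source, destination and port (0.6) and stay separate; with three attacker transactions, ROOT_LOGIN → {PORTSCAN, SSH_BRUTE} reaches confidence 1.0 but PORTSCAN → ROOT_LOGIN only 0.67 and is dropped, which is the filtering the abstract's confidence threshold is meant to do.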

Key words: honeynet, intrusion detection, alert correlation

CLC number: