【摘要】 因果关联法是当前报警关联所普遍采用的方法之一,这种方法的基础在于判断两条报警之间的关联性.然而,此项研究所面对的一个重要问题是判别报警之间的间接联系.因此,首先对报警关联的一般方法进行形式化描述,以此阐述传统的因果关联算法存在的局限性,并分析存在隐含约束关系时关联的难点所在,讨论各种隐含约束关系的存在形式,最终提出针对隐含约束关系的报警关联判别算法(CDAIR),特别是针对时间约束、定位约束和访问控制约束的判别方法.对该算法给出了相应实验的实验过程以及实验结果,证实了算法的有效性.更多还原

【Abstract】 With the development of the network in the scale and the bandwidth, security issues have become more and more complex and the requirement for correlation technology is rapidly increased. The causal correlation is one of the most popular correlation methods, whose basis is the judgment method for relation between two alerts. In this paper, a formal description for general causal correlation is given, which presents some limitations in the conventional approaches. Then the difficulty in correlation with implied restriction is analyzed, and some cases about this restriction and solutions are discussed. Sometimes an alert occurs for the duration of time, therefore how to distinguish the order for two alerts becomes mysterious, which is the problem about time restriction. In real world one host may have several interfaces, while an interface may have several addresses, and which type of problems may result in the location restriction. In the whole history of the modern OS, the issue of the access control is an important role, and the complex relation during subject, object and privilege is the most difficult part for correlation of two alerts, which involves access control restriction. Finally, a new correlation determine algorithm for implied restriction (CDAIR) is proposed, which solves these problems for the time restriction, the location restriction and the access control restriction. Also given are the process and the result of the corresponding experiment which proves the validity of the algorithm.更多还原