
Network Intrusion Detection Model Based on Context Verification (基于上下文验证的网络入侵检测模型)


【Authors】 Tian Zhihong (田志宏), Wang Bailing (王佰玲), Zhang Weizhe (张伟哲), Ye Jianwei (叶建伟), Zhang Hongli (张宏莉)

【Affiliation】 School of Computer Science and Technology, Harbin Institute of Technology, Harbin 150001

【Abstract (translated from the Chinese)】 The credibility problem caused by large numbers of false positives has long been one of the challenging, unsolved technical problems in intrusion detection research. To improve the certainty and accuracy of an intrusion detection system, its alerts must be differentiated: false alarms raised by ineffective attacks must be filtered out so that effective attacks are identified automatically and accurately. To this end, a network intrusion detection model based on context verification is proposed. Combining several kinds of context information, namely environment context, weakness context, feedback context and anomaly context, it builds an efficient, stable, complete, manageable and extensible false-alarm processing platform that is centred on context and combines multiple verification techniques. The platform verifies alerts automatically and automatically decides whether an attack can succeed, thereby filtering out false alarms so that the intrusion detection system delivers a genuine early warning.

【Abstract】 Network intrusion detection systems (NIDSs) are considered an effective second line of defense against network-based attacks on computer systems. Because of the increasing severity and likelihood of such attacks, NIDSs are deployed in almost all large-scale IT infrastructures. The Achilles' heel of NIDSs is the large number of false positives. In practice an NIDS reports not only successful intrusions but also unsuccessful intrusion attempts, because it is difficult for an NIDS alone to determine the outcome of an attempt. A popular way to verify the outcome of an attempt is to make the IDS aware of the environment and configuration of the systems under attack. Building on this idea, and in order to eliminate the negative influence of non-relevant alerts on IDS stability, a network intrusion detection model based on context verification is designed. By combining environment context, weakness context, feedback context and anomaly context, the model constructs an effective, stable, integrated and extensible platform for processing non-relevant alerts; the platform is centred on context verification and integrates multiple security techniques. It achieves automatic validation of alerts and automatic judgment of their effectiveness, eliminating non-relevant alerts and thereby establishing a reliable foundation for alert correlation.
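The verification idea the abstract describes, as an added illustration that is not the authors' model or code: each raw alert carries what its signature presupposes about the target (OS, service, required vulnerability), and is checked against a host inventory standing in for environment and weakness context, then against observations standing in for feedback and anomaly context. All host data, alert identifiers, vulnerability names and the three-way verdict scheme are assumptions made for the example.

```python
from dataclasses import dataclass
from typing import Dict, List, Optional, Set, Tuple


@dataclass(frozen=True)
class Alert:
    """A raw NIDS alert plus what its signature presupposes about the target."""
    sid: str                        # signature id (constructed)
    dst: str                        # attacked host
    dport: int                      # attacked port
    target_os: Optional[str]        # OS the exploit works against, None = any
    target_service: Optional[str]   # service the exploit works against, None = any
    weakness: Optional[str]         # vulnerability the exploit needs, None = none


@dataclass(frozen=True)
class Host:
    """Environment context (OS, listening services) and weakness context."""
    os: str
    services: Dict[int, str]        # port -> service name
    weaknesses: Set[str]            # unpatched vulnerability ids on this host


# Constructed asset inventory standing in for environment + weakness context.
INVENTORY: Dict[str, Host] = {
    "10.0.0.5": Host("linux", {22: "ssh", 80: "apache"}, {"VULN-APACHE-A"}),
    "10.0.0.6": Host("windows", {445: "smb", 3389: "rdp"}, set()),
}

# Constructed feedback context: hosts whose reply to the attack traffic
# indicated success (e.g. a shell prompt in the return stream).
FEEDBACK_SUCCESS: Set[str] = {"10.0.0.5"}

# Constructed anomaly context: hosts whose behaviour left its baseline right
# after the alert (e.g. a web server opening a new outbound connection).
ANOMALY_AFTER: Set[str] = set()


def verify(alert: Alert,
           inventory: Dict[str, Host] = INVENTORY,
           feedback: Set[str] = FEEDBACK_SUCCESS,
           anomaly: Set[str] = ANOMALY_AFTER) -> Tuple[str, str]:
    """Return (verdict, reason).

    'non-relevant': the attack cannot have worked against this target;
    'verified':     feedback or anomaly context confirms it worked;
    'unconfirmed':  the target is exposed but nothing confirms success.
    """
    host = inventory.get(alert.dst)
    if host is None:
        return "non-relevant", "target not in inventory"
    if alert.target_os and host.os != alert.target_os:
        return "non-relevant", f"signature targets {alert.target_os}, host runs {host.os}"
    service = host.services.get(alert.dport)
    if service is None:
        return "non-relevant", f"port {alert.dport} not listening"
    if alert.target_service and service != alert.target_service:
        return "non-relevant", f"signature targets {alert.target_service}, port runs {service}"
    if alert.weakness and alert.weakness not in host.weaknesses:
        return "non-relevant", f"host not vulnerable to {alert.weakness}"
    if alert.dst in feedback:
        return "verified", "target response indicates success"
    if alert.dst in anomaly:
        return "verified", "post-attack anomaly on target"
    return "unconfirmed", "target exposed, outcome unknown"


def triage(alerts: List[Alert], **ctx) -> Dict[str, str]:
    """Map each alert id to its verdict; ctx overrides the default contexts."""
    return {a.sid: verify(a, **ctx)[0] for a in alerts}


# Constructed alerts covering each verification path.
SAMPLE_ALERTS = [
    Alert("A1", "10.0.0.5", 80, "linux", "apache", "VULN-APACHE-A"),  # exposed and confirmed
    Alert("A2", "10.0.0.5", 80, "windows", "iis", None),              # wrong OS and service
    Alert("A3", "10.0.0.6", 445, "windows", "smb", "VULN-SMB-B"),     # host not vulnerable
    Alert("A4", "10.0.0.6", 3389, "windows", "rdp", None),            # exposed, no evidence
    Alert("A5", "10.0.0.9", 22, None, None, None),                    # unknown host
    Alert("A6", "10.0.0.5", 8080, None, None, None),                  # closed port
]

if __name__ == "__main__":
    for a in SAMPLE_ALERTS:
        print(a.sid, *verify(a))
```

The filter is only as trustworthy as its context: a stale inventory (a host re-imaged from Linux to Windows, a patch recorded but never applied) turns a true positive into a "non-relevant" alert that nobody sees, so in practice the inventory and weakness data need their own freshness checks, and anything dropped as non-relevant should still be retained for correlation rather than discarded.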

【Funding】 National Natural Science Foundation of China (60903166); Fundamental Research Funds for the Central Universities (HIT.NSRIF.2010041)
  • 【Source】 Journal of Computer Research and Development (计算机研究与发展), 2013, Issue 03
  • 【CLC classification】 TP393.08
  • 【Cited by】 48
  • 【Downloads】 570