Research on Network IDS False Alarm Handling Technology
Research of NIDS False Alarm Technology
【Author】 郑孝遥
【Supervisor】 陆阳
【Author information】 合肥工业大学 (Hefei University of Technology), Computer Application Technology, 2005, Master's thesis
【Abstract (translated from the Chinese)】 As network intrusions become more common and more complex, intrusion detection systems play an increasingly important role in network security. However, none of the existing intrusion detection systems adequately solve the drawback of an excessively high false alarm rate, which has led to an awkward crisis of confidence in intrusion detection systems. In response, this thesis first introduces commonly used security means and techniques, then analyzes the causes of false alarms in current intrusion detection systems, gives a mathematical definition of the credibility of an intrusion detection system, and points out that the problems of false alarms and credibility can only be solved by starting from the overall system architecture, the detection algorithms and the detection policies. In the system design, an alarm analyzer is added on top of Snort so that alarm data can be analyzed and filtered a second time; in addition, three definitions of correlation are proposed based on the intrinsic relationships that may exist between network data flows. A correlation analysis module is added to the overall system design, and within the alarm analyzer three processing methods, attribute analysis, probability analysis and clustering analysis, are used to filter the alarm data. Finally, the simulation and data-analysis results of the alarm analyzer on collected alarm data are given, and the experiments show that the system can effectively reduce false alarms.
【Abstract (author's English)】 Network-based attacks have become common and sophisticated, and intrusion detection systems have become more important. However, existing intrusion detection systems cannot solve the defect that the false alarm rate is too high, which has led to the embarrassing situation that intrusion detection systems are not trusted. Under these circumstances, this thesis first introduces the security means and techniques in common use. It then analyzes the causes of false alarms in existing intrusion detection systems and gives a mathematical definition of the degree of credibility. Furthermore, it points out that solving the problems of false alarms and credibility must start from the system architecture, the detection algorithm and the policy. The design adds an alarm analysis system to Snort so that the alarm data can be analyzed and filtered a second time. In addition, three definitions of interrelation are given based on the interrelations among network data streams. An interrelation analysis module is added to the overall system design, and in the alarm analysis system, attribute analysis, probability analysis and clustering analysis are used to filter the alarm data. Finally, experimental results are given in which the alarm data are simulated and analyzed by the alarm analysis system, showing that the system can reduce false alarms effectively.
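The abstract describes a second-pass alarm analyzer sitting behind Snort that filters alerts by attribute analysis, probability analysis and clustering analysis. The block below is an added illustration of that three-stage pipeline over Snort's "fast" alert output; it is not the thesis's code, and the thesis's own definitions of correlation and credibility are not reproduced here. The rule SIDs, addresses, alert lines and the per-signature true-positive history are all constructed; the trusted-source list, the 10% true-positive threshold and the 30-second clustering window are assumed parameters an analyst would tune.

```python
import re
from dataclasses import dataclass
from datetime import datetime
from typing import Dict, List, Optional, Tuple

# Snort "fast" alert line (alert_fast output). Everything below in SAMPLE_LINES is constructed.
FAST_RE = re.compile(
    r'^(?P<ts>\d\d/\d\d-\d\d:\d\d:\d\d\.\d+)\s+\[\*\*\]\s+'
    r'\[(?P<gid>\d+):(?P<sid>\d+):(?P<rev>\d+)\]\s+(?P<msg>.*?)\s+\[\*\*\].*?'
    r'\[Priority:\s*(?P<prio>\d+)\]\s+\{(?P<proto>\w+)\}\s+'
    r'(?P<src>[\d.]+)(?::(?P<sport>\d+))?\s+->\s+(?P<dst>[\d.]+)(?::(?P<dport>\d+))?\s*$'
)


@dataclass
class Alert:
    ts: datetime
    sid: int
    msg: str
    priority: int
    proto: str
    src: str
    dst: str
    dport: Optional[int]


@dataclass
class Cluster:
    """One aggregated alarm: repeated (sid, src, dst) alerts inside a time window."""
    sid: int
    src: str
    dst: str
    msg: str
    first: datetime
    last: datetime
    count: int = 1


def parse_fast(line: str, year: int = 2005) -> Optional[Alert]:
    """Parse one fast-format line; the format carries no year, so one is supplied."""
    m = FAST_RE.match(line.strip())
    if not m:
        return None
    ts = datetime.strptime(f"{year}/{m['ts']}", "%Y/%m/%d-%H:%M:%S.%f")
    dport = int(m['dport']) if m['dport'] else None
    return Alert(ts, int(m['sid']), m['msg'], int(m['prio']), m['proto'], m['src'], m['dst'], dport)


def attribute_filter(alerts: List[Alert], trusted_sources: set) -> List[Alert]:
    """Stage 1 (attribute analysis): drop alerts whose attributes mark known-benign traffic,
    here alerts whose source is an authorised vulnerability scanner (assumed allow-list)."""
    return [a for a in alerts if a.src not in trusted_sources]


def probability_filter(alerts: List[Alert], history: Dict[int, Tuple[int, int]],
                       min_rate: float = 0.1, min_samples: int = 20) -> List[Alert]:
    """Stage 2 (probability analysis): drop alerts from signatures whose historical
    true-positive rate (from analyst feedback, sid -> (true_positives, total)) is below
    min_rate. Signatures with too little history are kept, so unknown rules are not silenced."""
    kept = []
    for a in alerts:
        tp, total = history.get(a.sid, (0, 0))
        if total >= min_samples and tp / total < min_rate:
            continue
        kept.append(a)
    return kept


def cluster_alerts(alerts: List[Alert], window_seconds: int = 30) -> List[Cluster]:
    """Stage 3 (clustering analysis): merge alerts with the same (sid, src, dst) that
    arrive within window_seconds of the cluster's last alert into one alarm with a count."""
    clusters: List[Cluster] = []
    open_clusters: Dict[tuple, Cluster] = {}
    for a in sorted(alerts, key=lambda x: x.ts):
        key = (a.sid, a.src, a.dst)
        c = open_clusters.get(key)
        if c is not None and (a.ts - c.last).total_seconds() <= window_seconds:
            c.last, c.count = a.ts, c.count + 1
        else:
            c = Cluster(a.sid, a.src, a.dst, a.msg, a.ts, a.ts)
            clusters.append(c)
            open_clusters[key] = c
    return clusters


def analyze(lines: List[str], trusted_sources: set,
            history: Dict[int, Tuple[int, int]], window_seconds: int = 30) -> List[Cluster]:
    """Run the three stages in order and return the reduced alarm list."""
    alerts = [a for a in (parse_fast(l) for l in lines) if a is not None]
    alerts = attribute_filter(alerts, trusted_sources)
    alerts = probability_filter(alerts, history)
    return cluster_alerts(alerts, window_seconds)


# Constructed sample input: 10.0.0.2 is the assumed authorised scanner, 10.0.0.9 the server.
SAMPLE_LINES = [
    "08/21-12:00:01.000000  [**] [1:1000001:1] CONSTRUCTED web probe [**] [Classification: Web Application Attack] [Priority: 2] {TCP} 10.0.0.2:40001 -> 10.0.0.9:80",
    "08/21-12:00:02.000000  [**] [1:1000001:1] CONSTRUCTED web probe [**] [Classification: Web Application Attack] [Priority: 2] {TCP} 10.0.0.2:40002 -> 10.0.0.9:80",
    "08/21-12:00:03.000000  [**] [1:1000001:1] CONSTRUCTED web probe [**] [Classification: Web Application Attack] [Priority: 2] {TCP} 10.0.0.5:40003 -> 10.0.0.9:80",
    "08/21-12:00:05.000000  [**] [1:1000001:1] CONSTRUCTED web probe [**] [Classification: Web Application Attack] [Priority: 2] {TCP} 10.0.0.5:40004 -> 10.0.0.9:80",
    "08/21-12:00:08.000000  [**] [1:1000001:1] CONSTRUCTED web probe [**] [Classification: Web Application Attack] [Priority: 2] {TCP} 10.0.0.5:40005 -> 10.0.0.9:80",
    "08/21-12:00:09.000000  [**] [1:1000002:1] CONSTRUCTED noisy ICMP rule [**] [Classification: Misc activity] [Priority: 3] {ICMP} 10.0.0.7 -> 10.0.0.9",
    "08/21-12:01:30.000000  [**] [1:1000001:1] CONSTRUCTED web probe [**] [Classification: Web Application Attack] [Priority: 2] {TCP} 10.0.0.5:40006 -> 10.0.0.9:80",
    "08/21-12:01:31.000000  [**] [1:1000003:1] CONSTRUCTED SQL injection attempt [**] [Classification: Web Application Attack] [Priority: 1] {TCP} 10.0.0.8:40007 -> 10.0.0.9:80",
]
TRUSTED_SOURCES = {"10.0.0.2"}
# Constructed feedback history: sid -> (confirmed true positives, total alerts reviewed).
SID_HISTORY = {1000001: (30, 40), 1000002: (1, 50)}

if __name__ == "__main__":
    for c in analyze(SAMPLE_LINES, TRUSTED_SOURCES, SID_HISTORY):
        print(f"sid={c.sid} {c.src} -> {c.dst} x{c.count} [{c.first.time()} .. {c.last.time()}] {c.msg}")
```

On the constructed input the eight raw alerts collapse to three alarms: the two scanner alerts are removed by the attribute stage, the ICMP alert is removed because its signature has a 2% true-positive history, the three probes from 10.0.0.5 inside the window merge into one alarm with a count of 3, and the later probe from the same host starts a new cluster because it falls outside the window. The probability stage deliberately keeps signatures with fewer than `min_samples` reviewed alerts; suppressing rules on thin evidence would trade false alarms for missed detections.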
- 【Online publication submitted by】 合肥工业大学 (Hefei University of Technology) 【Online publication year/issue】 2005, issue 04
- 【CLC classification number】 TP393.08
- 【Times cited】 1
- 【Downloads】 119