基于粗糙集-支持向量机理论的过滤误报警方法

肖云; 韩崇昭; 郑庆华; 赵婷

doi:10.3724/SP.J.1146.2006.00712

基于粗糙集-支持向量机理论的过滤误报警方法

doi: 10.3724/SP.J.1146.2006.00712

基金项目:

国家863计划项目(2004AA1Z2280)和国家973发展规划项目(2001CB309403)资助课题

计量
- 文章访问数: 3637
- HTML全文浏览量: 105
- PDF下载量: 1340
- 被引次数: 0
出版历程
- 收稿日期: 2006-05-25
- 修回日期: 2006-10-24
- 刊出日期: 2007-12-19

An Approach to Filter False Positive Alerts Based on RS-SVM Theory

摘要

摘要: 为过滤入侵检测系统报警数据中的误报警，根据报警的根源性和时间性总结出了区分真报警和误报警的19个相关属性，并提出了一种基于粗糙集-支持向量机理论的过滤误报警的方法。该方法首先采用粗糙集理论去除相关属性中的冗余属性，然后将具有约简后的10个属性的报警数据集上的误报警过滤问题转化为分类问题，采用支持向量机理论构造分类器以过滤误报警。实验采用由网络入侵检测器Snort监控美国国防部高级研究计划局1999年入侵评测数据(DARPA99)产生的报警数据，结果表明提出的方法在漏报警约增加1.6%的代价下，可过滤掉约98%的误报警。该结果优于文献中使用相同数据、相同入侵检测系统的其它方法的结果。
- 入侵检测;误报警;漏报警;粗糙集;支持向量机
Abstract: To filter false positive alerts generated by Intrusion Detection Systems (IDS), 19 related attributes for distinguishing false positive alerts from true alerts are summarized according to the root and timeliness of intrusion alerts, and an approach to filter these false positive alerts based on RS-SVM (Rough Set and Support Vector Machine) theory is proposed. First, redundant attributes are removed and 10 attributes are obtained utilizing rough set theory in the proposed approach. Then the problem of filtering false positive alerts on the dataset with those 10 attributes is transformed to classification problem, and the classifier is constructed using support vector machine theory. The experimental data is the alert dataset raised by Snort, a network intrusion detection system, monitoring the Defense Advanced Research Projects Agency 1999 intrusion evaluation data (DARPA99). The experimental results show that the proposed approach can reduce about 98% false positive alerts at the cost of increasing about 1.6% false negative alerts. The results of this method are better than those of the other methods that adopt the same dataset and same IDS reported in the literature.

HTML全文

参考文献(1)

Julisch K. Using root cause analysis to handle intrusion detec -tion alarms. [PhD thesis], University of Dortmund, 2003.[2]Manganaris S, Christensen M, and Zerkle D, et al.. A data mining analysis of RTID alarms[J].Computer Networks.2000, 34(4):571-577[3]Wang J and Lee I. Measuring false-positive by automated real-time correlated hacking behavior analysis. Information Security 4th International Conference, Koice, Slovakia, Heidelberg: Springer-Verlag, 2001: 512-535.[4]Alharby A and Imai H. IDS false alarm reduction using continuous and discontinuous patterns. Proceeding of Applied Cryptography and Network Security. New York, USA, Heidelberg: Springer-Verlag, 2005: 192-205.[5]Shin Moon Sun, Kim Eun Hee, and Ryu Keun Ho. False alarm classification model for network-based intrusion detection system. Proceeding of the 5th International Conference on Intelligent Data Engineering and Automated Learning, Exeter, UK, Heidelberg: Springer-Verlag, 2004: 259-265.Pietraszek T. Using adaptive alert classification to reduce positive in intrusion detection. Proceeding of the 7th Inter -national Symposium on Recent Advance in Intrusion Detection, Riviera, France, Heidelberg: Springer-Verlag, 2004: 102-124.[6]Zhang Z and Shen H. Suppressing false alarms of intrusion detection using improved text categorization method. Proceedings of the 2004 IEEE International Conference on e-Technology, e-Commerce and e-Service, Taipei, Taiwan, Estats Units: IEEE Computer Society Press，2004: 163-166.[7]Law Kwok Ho and Kwok Lam For. IDS false alarm filtering using KNN classifier. Proceeding of the 5th International Workshop on Information Security Applications, Jeju Island, Korea, Heidelberg: Springer-Verlag, 2004: 114-121.[8]Walczak B and Massart D L. Rough sets theory[J].Chemomet -rics and Intelligent Laboratory Systems.1999, 47(1):1-19[9]Vapnik V N. An overview of statistical learning theory[J].IEEE Trans. on Neural Networks.1999, 10(5):988-999

施引文献

资源附件(0)

访问统计