高性能网络安全告警信息的关联分析方法  被引量：8

作　　者：付泽强 王晓锋[1] 孔军[1] FU Ze-qiang;WANG Xiao-feng;KONG Jun(School of Internet of Things Engineering,Jiangnan University,Wuxi,Jiangsu 214122,China)

机构地区：[1]江南大学物联网工程学院,江苏无锡214122

出　　处：《计算机科学》2019年第5期116-121,共6页Computer Science

基　　金：国家自然科学基金项目(61672264);国家重点研发计划项目(2016YFB0800803)资助

摘　　要：在网络安全防御体系中,入侵检测系统会实时产生海量冗余、错误的网络安全告警信息,因此有必要对告警信息的关联规则和序列模式进行频繁项模式挖掘,分辨正常的行为模式,筛选出真正的攻击信息。相对于Apriori和FP-growth等算法,COFI-tree算法虽然具有较大的性能优势,但仍无法满足大规模网络安全信息快速分析的需求。为此,基于COFI-tree算法,提出了一种改进的网络安全告警信息关联分析算法。该算法通过基于倒序链表的头表节点寻址方式和基于新的SD结构的频繁项处理方法,提升了COFI-tree算法的性能。基于Kddcup99数据集的实验结果表明,与传统的Cofi算法相比,该方法在基本保证准确率的同时,能大量降低计算开销,使处理时间平均缩短21%以上,解决了在海量网络告警信息下进行关联分析时速率不高的问题。In the network security defense system,the intrusion detection system will produce massive redundancy and wrong network security warning information in real time.Therefore,it is necessary to mine frequent item patterns from association rules and sequential patterns of alert information,distinguish normal behavior patterns,and screen out real attack information.Compared with Apriori,FP-growth and other algorithms,COFI-tree algorithm possesses bigger advantages of performance,but it still can not meet the needs of fast analysis on large-scale network security information.To this end,this paper proposed an improved network security alert information association analysis algorithm based on COFI-tree algorithm.The algorithm improve the performance of COFI-tree algorithm through node addressing mode based on reverse linked list and frequent item processing method based on new SD structure.The experimental results based on Kddcup99 dataset show that this method can basically guarantee the accuracy,reduce a lot of computing overhead,shorten processing time by more than 21%on average compared with the traditional Cofi algorithm,and solve the problem of low speed in association analysis under massive network alarm information.

关 键 词：COFI-tree 网络安全 频繁项目集 数据挖掘 关联分析 

分 类 号：TP309[自动化与计算机技术—计算机系统结构]