Intrusion detection systems generate a large volume of alert data, which makes alert correlation time-consuming and yields correlation results whose structure is too complex to understand. To address these problems, this paper proposes a hierarchical alert correlation model based on causality. The model first clusters alerts by attack target (the victim IP address), then, guided by causal relations, performs causal correlation within each cluster to reconstruct host-layer attack paths with single-step attacks as nodes. It defines a single-step attack similarity and an attack pattern similarity, merges similar nodes of the host-layer attack paths by topological sorting to abstract attack patterns, and computes attack pattern similarity to provide early warning of threats. Finally, it spatially correlates attack scenarios at a higher, network layer with victim hosts as nodes. Experimental results show that the hierarchical correlation results have a concise structure that helps identify attack strategies and guide security response, and that clustering before correlation clearly improves correlation efficiency.
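The pipeline the abstract describes (cluster by victim, causal correlation into a host-layer path, topological merge into an attack pattern, pattern similarity for early warning, and a victim-host network layer) is illustrated below as an added example; it is not the paper's code. The sample alerts, the causal rule table, the single-step similarity (same attack type and same attacker) and the pattern similarity (longest-common-subsequence ratio) are all constructed here for illustration and are not the paper's definitions.

```python
"""Added example: toy hierarchical, causality-based alert correlation.
Alerts, causal rules and similarity measures are constructed, not the paper's."""
from collections import defaultdict
from graphlib import TopologicalSorter

# Constructed causal knowledge: attack type -> attack types it can enable.
CAUSAL_RULES = {
    "port_scan": {"exploit"},
    "exploit": {"priv_esc", "backdoor"},
    "priv_esc": {"backdoor", "data_exfil"},
    "backdoor": {"data_exfil", "lateral_login"},
    "lateral_login": {"data_exfil"},
}

# Constructed sample alerts: (time, source host, victim host, attack type).
ALERTS = [
    (1, "10.0.0.5", "10.0.1.10", "port_scan"),
    (2, "10.0.0.5", "10.0.1.10", "port_scan"),     # repeated probe, same step
    (3, "10.0.0.5", "10.0.1.10", "exploit"),
    (5, "10.0.0.5", "10.0.1.10", "priv_esc"),
    (7, "10.0.0.5", "10.0.1.10", "backdoor"),
    (9, "10.0.1.10", "10.0.1.20", "lateral_login"),  # victim .10 pivots to .20
    (11, "10.0.1.10", "10.0.1.20", "data_exfil"),
    (4, "10.0.0.5", "10.0.1.30", "port_scan"),     # partial pattern on .30
    (6, "10.0.0.5", "10.0.1.30", "exploit"),
]


def cluster_by_victim(alerts):
    """Step 1: group alerts by attack target (victim host)."""
    clusters = defaultdict(list)
    for a in alerts:
        clusters[a[2]].append(a)
    return dict(clusters)


def build_host_path(alerts):
    """Step 2: host-layer attack path. Nodes are single-step attacks (indices
    into the time-sorted alert list); edge i->j when i precedes j and the
    type of i causally enables the type of j."""
    alerts = sorted(alerts)
    edges = set()
    for i, a in enumerate(alerts):
        for j in range(i + 1, len(alerts)):
            if alerts[j][3] in CAUSAL_RULES.get(a[3], set()):
                edges.add((i, j))
    return alerts, edges


def single_step_similar(a, b):
    """Constructed single-step similarity: same attack type, same attacker."""
    return a[3] == b[3] and a[1] == b[1]


def abstract_pattern(alerts, edges):
    """Step 3: topologically sort the path and merge similar nodes into one
    pattern node; the pattern is the ordered list of attack types."""
    ts = TopologicalSorter()
    for i in range(len(alerts)):
        ts.add(i)
    for i, j in edges:
        ts.add(j, i)          # j depends on i
    reps = []
    for idx in ts.static_order():
        step = alerts[idx]
        if not any(single_step_similar(step, r) for r in reps):
            reps.append(step)
    return [r[3] for r in reps]


def pattern_similarity(p, q):
    """Constructed attack-pattern similarity: LCS length over the longer length."""
    m, n = len(p), len(q)
    dp = [[0] * (n + 1) for _ in range(m + 1)]
    for i in range(m):
        for j in range(n):
            dp[i + 1][j + 1] = (dp[i][j] + 1 if p[i] == q[j]
                                else max(dp[i][j + 1], dp[i + 1][j]))
    return dp[m][n] / max(m, n, 1)


def predict_next_steps(observed, known_patterns, threshold=0.5):
    """Step 4: early warning. If a partial pattern is similar enough to a known
    pattern and matches its prefix, report the steps that pattern continues with."""
    out = {}
    for name, known in known_patterns.items():
        if (pattern_similarity(observed, known) >= threshold
                and known[:len(observed)] == observed):
            out[name] = known[len(observed):]
    return out


def build_network_scenario(clusters):
    """Step 5: network-layer scenario. Nodes are victim hosts; edge A->B when
    a host already seen as a victim (A) is the source of alerts against B."""
    victims = set(clusters)
    edges = {(a[1], v) for v, alerts in clusters.items()
             for a in alerts if a[1] in victims and a[1] != v}
    return sorted(victims), edges


def correlate(alerts):
    """Run the whole hierarchy: host patterns plus the network-layer edges."""
    clusters = cluster_by_victim(alerts)
    patterns = {v: abstract_pattern(*build_host_path(c)) for v, c in clusters.items()}
    return patterns, build_network_scenario(clusters)[1]


if __name__ == "__main__":
    patterns, net_edges = correlate(ALERTS)
    for host, pat in patterns.items():
        print(host, "->", " > ".join(pat))
    print("network-layer pivots:", net_edges)
    print("warning:", predict_next_steps(patterns["10.0.1.30"],
                                         {"full_compromise": patterns["10.0.1.10"]}))
```

Clustering first keeps the pairwise causal matching inside each victim's cluster, which is where the abstract's efficiency gain comes from; the network layer then only has to relate a handful of host nodes rather than the raw alerts.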