Journal: 《计算机应用》 (Journal of Computer Applications)

Application of the TCP Finite State Machine and Protocol Parsing to False Alert Removal


Abstract

Faced with the enormous number of alerts produced by an Intrusion Detection System (IDS), this paper proposes a false alert removal method based on protocol parsing and a Transmission Control Protocol (TCP) finite state machine (FSM). For alerts produced by connectionless request/response protocols, the method analyses both the attack features of the request packets and the return status code of the response packets to remove false alerts. For alerts produced over TCP, the packets are parsed and a TCP FSM model is built on top of that protocol analysis; false alerts are removed by judging whether the series of packets belongs to the same TCP connection and whether that connection contains the attack sequence. Experiments on the DARPA 2000 datasets show that the method reduces the false alert rate by 59.47% on average, and that the recognition rate for TCP and request/response protocol alerts reaches 76.67%. The method is simple and effective, depends on the IDS attack signature database, and can be implemented online as a plug-in.
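The following is an added illustration of the two checks the abstract describes; it is not the paper's code and does not use its signature database. Signatures, status codes, flow tuples and packet contents are all constructed sample data, and the FSM is a deliberately minimal handshake/teardown model (SYN, SYN+ACK, ACK, FIN, RST) rather than the full TCP state diagram.

```python
"""
Added example (not the paper's code): a simplified IDS alert filter.

  1. Connectionless request/response protocols: an alert is kept only when the
     request carries a known attack feature AND the response status code shows
     the server actually served the request.
  2. TCP: each flow is tracked through a small finite state machine; an alert
     is kept only when all flagged packets belong to one established
     connection whose payloads contain every stage of the attack sequence.
"""
from dataclasses import dataclass, field
from typing import Dict, List, Tuple

# --- 1. Request/response check ---------------------------------------------

# Constructed signature table: request pattern -> status codes under which the
# request counts as served (so the alert is considered real).
RR_SIGNATURES = {
    b"../../etc/passwd": {200},
    b"cmd.exe": {200},
}


def request_response_alert_is_real(request: bytes, status_code: int) -> bool:
    """True only if the request matches an attack feature and the response
    status code indicates success; a rejected request is a false alert."""
    for pattern, success_codes in RR_SIGNATURES.items():
        if pattern in request:
            return status_code in success_codes
    return False  # no attack feature at all -> nothing to keep


# --- 2. TCP finite state machine -------------------------------------------

@dataclass
class Packet:
    src: Tuple[str, int]
    dst: Tuple[str, int]
    flags: str            # subset of "SAFR": SYN, ACK, FIN, RST
    payload: bytes = b""


FlowKey = Tuple[Tuple[str, int], Tuple[str, int]]


def flow_key(p: Packet) -> FlowKey:
    """Direction-independent key so both halves of a connection share state."""
    return (p.src, p.dst) if p.src <= p.dst else (p.dst, p.src)


@dataclass
class Flow:
    state: str = "CLOSED"
    payloads: List[bytes] = field(default_factory=list)


class TcpTracker:
    """Minimal three-way handshake / teardown machine, one Flow per key."""

    def __init__(self) -> None:
        self.flows: Dict[FlowKey, Flow] = {}

    def feed(self, p: Packet) -> str:
        flow = self.flows.setdefault(flow_key(p), Flow())
        s, f = flow.state, p.flags
        if "R" in f:
            flow.state = "CLOSED"
        elif s == "CLOSED" and f == "S":
            flow.state = "SYN_SENT"
        elif s == "SYN_SENT" and f == "SA":
            flow.state = "SYN_RECEIVED"
        elif s == "SYN_RECEIVED" and "A" in f:
            flow.state = "ESTABLISHED"
        elif s == "ESTABLISHED" and "F" in f:
            flow.state = "CLOSING"
        elif s == "CLOSING" and "A" in f:
            flow.state = "CLOSED"
        # Payload only counts on an established connection; data sent without
        # a completed handshake (spoofed or half-open) is ignored.
        if p.payload and "ESTABLISHED" in (s, flow.state):
            flow.payloads.append(p.payload)
        return flow.state


def contains_attack_sequence(payloads: List[bytes], sequence: List[bytes]) -> bool:
    """True if every stage of `sequence` appears in the connection's payloads,
    in order (a later stage may sit in the same packet or a later one)."""
    i = 0
    for data in payloads:
        while i < len(sequence) and sequence[i] in data:
            i += 1
        if i == len(sequence):
            return True
    return i == len(sequence)


def tcp_alert_is_real(packets: List[Packet], sequence: List[bytes]) -> bool:
    """Keep the alert only if all packets share one TCP connection and that
    connection, once established, carried the whole attack sequence."""
    keys = {flow_key(p) for p in packets}
    if len(keys) != 1:
        return False  # packets from several connections: false alert
    tracker = TcpTracker()
    for p in packets:
        tracker.feed(p)
    return contains_attack_sequence(tracker.flows[keys.pop()].payloads, sequence)


# Constructed sample traffic: an FTP-style two-stage signature.
CLIENT, SERVER = ("10.0.0.5", 40000), ("10.0.0.9", 21)
ATTACK_SEQ = [b"USER ", b"SITE EXEC"]
ESTABLISHED_FLOW = [
    Packet(CLIENT, SERVER, "S"),
    Packet(SERVER, CLIENT, "SA"),
    Packet(CLIENT, SERVER, "A"),
    Packet(CLIENT, SERVER, "A", b"USER ftp\r\n"),
    Packet(SERVER, CLIENT, "A", b"331 ok\r\n"),
    Packet(CLIENT, SERVER, "A", b"SITE EXEC x\r\n"),
]
HALF_OPEN_FLOW = [  # no handshake completed; data should not count
    Packet(CLIENT, SERVER, "S"),
    Packet(CLIENT, SERVER, "A", b"USER ftp\r\nSITE EXEC x\r\n"),
]

if __name__ == "__main__":
    print("rejected traversal kept:", request_response_alert_is_real(b"GET /../../etc/passwd", 404))
    print("established flow kept:", tcp_alert_is_real(ESTABLISHED_FLOW, ATTACK_SEQ))
    print("half-open flow kept:", tcp_alert_is_real(HALF_OPEN_FLOW, ATTACK_SEQ))
```

Two design points follow the abstract: a request that matches a signature but draws a non-success status code is dropped rather than raised, and payload on a flow that never completed the handshake is never matched, so a bare signature hit on a spoofed or half-open packet cannot produce an alert on its own.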
