Security equipment such as intrusion prevention system is an important supplementary for security management. They reduce the difficulty of network management by giving alarms corresponding to different attacks instead of raw traffic packet inspection. But there are many false alarms due to their running mechanism, which greatly reduces its usability. In this paper, we develop a hierarchical framework to mine high threating alarms from the massive alarm logs, and aim to provide fundamental and useful information for administrators to design efficient management policy. First, the alarms are divided into two parts based on their attributes, the first part mainly includes several kinds of famous attacks which are critical for security management, we proposed a similar alarm mining method based on Choquet integral to cluster and rank the frequently occurred attacks. The rest alarms constitute the second part, which are caused by the potential threats attacks, also include many false alarms. To reduce the effect of false alarms and rank the potential threats, we employ the frequent pattern mining algorithm to mine correlation rules and then filter false alarms. Following, we proposed a self-adapting threat degree calculation method to qualify the threat degree of these alarms after filtering. To verity the methods developed, an experimental platform is constructed in the campus network of Xi'an Jiaotong University. Experimental results based on the data collected verify the efficiency of the developed methods. For the first kind of alarms, the similar alarms mining accuracy is higher than 97% and the alarms are ranked with different processing urgencies. For the rest alarms, the proposed methods have filtering accuracy above 80% and can rank the potential threats. Based on the ranking results, administrators can deal with the high threats with their limited time and energy, in turn, keep the network under control.

• 出版日期2018
• 单位西安交通大学