APPLICATION OF TYPE-2 FUZZY LOGIC TO RULE-BASED INTRUSION ALERT CORRELATION DETECTION

Authors: Huang Chenn Jung*; Hu Kai Wen; Chen Heng Ming; Chang Tao Ku; Luo Yun Cheng; Lien Yih Jhe
Source: International Journal of Innovative Computing Information and Control, 2012, 8(4): 2865-2874.

Abstract

An intrusion detection system (IDS) is a security layer used to discover ongoing intrusive attacks and anomalous activities in information systems, which usually means operating in a dynamically changing environment. Although the literature shows increasing attention to IDSs, network security administrators are still faced with the task of analyzing enormous numbers of alerts produced from different event streams. The intrusion detection model therefore needs to be continuously tuned in order to reduce correlated alerts and help the administrator accurately identify critical attacks. In this work, an alert correlation detection module is proposed to analyze the alerts produced by IDSs, providing a more succinct and comprehensive view of intrusions. An automatically tuned IDS rule-generation module based on a type-2 fuzzy logic technique is used to block highly correlated alerts. The experimental results reveal that the proposed model is effective in achieving alert reduction and abstraction.