Computer Applications (计算机应用), 2007
Study on a comprehensive attack case learning system
Abstract:
With the widespread deployment of Intrusion Detection Systems (IDS) in the network security community, learning from and analyzing intrusion alerts has increasingly become an active research area. To address problems such as alert flooding and the lack of knowledge about attack scenarios, a comprehensive attack case learning system composed of two learning phases, similar-alert aggregation and typical attack instance learning, is presented. First, an improved density-based clustering algorithm is introduced to aggregate a huge volume of similar alerts into a number of alert clusters. Second, representative alerts are chosen to stand for each alert cluster as a whole according to a set of reduction rules. Finally, a sequential pattern mining approach is used to mine frequent intrusive incidents. Furthermore, an evaluation approach based on the execution ordering of attacks is proposed to identify valuable attack instances among the frequent sequences of intrusive incidents. A real intrusion alert dataset was used to test our learning system. The experimental results show that our learning system can not only effectively reduce the large number of alerts but also correctly learn the valuable attack cases.
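The two learning phases described above, as an added illustration that is not the paper's code: textbook DBSCAN aggregates similar alerts, one representative per cluster is kept, and ordered signature pairs that recur across per-source incident sequences are mined. The similarity relation, the earliest-alert reduction rule, the pairwise (rather than full sequential) pattern mining and the sample alerts are all assumptions made here; the paper's own algorithm details are not given in the abstract.

```python
from collections import Counter, defaultdict
from itertools import combinations
# Constructed sample IDS alerts (time, signature, src_ip); not the paper's dataset.
ALERTS = [
    (0, "SCAN", "10.0.0.5"), (1, "SCAN", "10.0.0.5"), (2, "SCAN", "10.0.0.5"),
    (10, "EXPLOIT", "10.0.0.5"), (11, "EXPLOIT", "10.0.0.5"), (20, "SCAN", "10.0.0.9"),  # t=20: lone alert (noise)
    (30, "SCAN", "10.0.0.7"), (31, "SCAN", "10.0.0.7"), (32, "SCAN", "10.0.0.7"),
    (40, "EXPLOIT", "10.0.0.7"), (41, "EXPLOIT", "10.0.0.7"),
]

def similar(a, b, window=5):
    # Hypothetical similarity (not the paper's measure): same signature and source within `window` time units.
    return a[1] == b[1] and a[2] == b[2] and abs(a[0] - b[0]) <= window

def dbscan(alerts, min_pts=2):
    """Textbook DBSCAN over the similarity relation; label -1 marks noise."""
    n, labels, cid = len(alerts), [None] * len(alerts), 0
    for i in range(n):
        if labels[i] is not None:
            continue
        seeds = [j for j in range(n) if similar(alerts[i], alerts[j])]
        if len(seeds) < min_pts:
            labels[i] = -1  # noise for now; may later be absorbed as a border point
            continue
        labels[i] = cid
        while seeds:
            j = seeds.pop()
            if labels[j] in (None, -1):
                labels[j] = cid
                nbrs = [k for k in range(n) if similar(alerts[j], alerts[k])]
                if len(nbrs) >= min_pts:  # core point: keep expanding the cluster
                    seeds.extend(k for k in nbrs if labels[k] in (None, -1))
        cid += 1
    return labels

def representatives(alerts, labels):
    """Reduction rule: earliest alert per cluster plus its size; noise alerts stay as singletons."""
    groups = defaultdict(list)
    for idx, (a, lab) in enumerate(zip(alerts, labels)):
        groups[idx if lab == -1 else ("c", lab)].append(a)
    return sorted(min(g) + (len(g),) for g in groups.values())

def frequent_sequences(reps, min_support=2):
    """Mine ordered signature pairs that recur across per-source incident sequences."""
    per_src = defaultdict(list)
    for _, sig, src, _ in reps:
        per_src[src].append(sig)  # reps are time-sorted, so execution order is kept
    counts = Counter()
    for seq in per_src.values():
        counts.update(set(combinations(seq, 2)))  # count a pattern once per source
    return {p: c for p, c in counts.items() if c >= min_support}
```

On the sample, eleven alerts collapse to five representatives and the only frequent ordered pattern is SCAN followed by EXPLOIT from the same source.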