
An IDS Alarm Analysis Method for Intrusion Warning Based on Time Series Theory
一种基于时间序列面向预警的警报分析方法

Keywords: intrusion detection system, network security, alarm analysis, time series, seasonal model, early warning


Abstract:

It is a well-known fact that intrusion detection systems generate large numbers of alarms, most of which are false alarms. How to analyze alarms automatically and extract useful information from them has attracted a lot of interest. Although many approaches have been proposed, most of them focus on the relationships between different types or attributes of alarms, and they fall short in large-scale network environments. This paper focuses on the relationship between alarm numbers and presents a novel alarm analysis method based on time series theory. Using the self-similar characteristic of alarms under normal conditions, a seasonal model of alarms is constructed. With this model and the relationship between alarm numbers, warning information is given quickly when large-scale network intrusions, such as DDoS and worms, occur. The method has been tested on real-world data, and experimental results demonstrate that the approach has a high degree of warning accuracy when large-scale network intrusions happen and can be integrated with an IDS easily.
