| 摘要 |
The method for eliminating invalid intrusion alerts operates according to a set of filter rules that are generated from given firewall rules. As a filter that implements this method receives an intrusion alert, it directly matches the features of the alert against its own rules, and then decides the validity of the alert. By coupling with the method, various filter-rule sets could be generated for numerous firewalls that may be not on the same specification, and an on-line deployment method could be applied to deploy filter-rule sets for filters. By applying the invention, it is reachable to eliminate invalid intrusion alerts precisely and efficiently, and to deploy quickly and with less manpower.
|
