Intrusion Alert Analysis Method for Power Information Communication Networks Based on Data Processing Units

Leveraging Data Processing Units (DPUs) deployed at network interfaces, the DPU-accelerated Intrusion Detection System (IDS) enables microsecond-latency initial traffic inspection through hardware offloading. However, while generating high-throughput alerts, this mechanism amplifies the inherent redundancy and noise issues of traditional IDS systems. This paper proposes an alert correlation method using multi-similarity factor aggregation and a suffix tree model. First, alerts are preprocessed using LFDIA, employing multiple similarity factors and dynamic thresholding to cluster correlated alerts and reduce redundancy. Next, an attack intensity time series is generated and smoothed with a Kalman filter to eliminate noise and reveal attack trends. Finally, the suffix tree models attack activities, capturing key behavioral paths of high-severity alerts and identifying attacker patterns. Experimental evaluations on the CPTC-2017 and CPTC-2018 datasets validate the proposed method’s effectiveness in reducing alert redundancy, extracting critical attack behaviors, and constructing attack activity sequences. The results demonstrate that the method not only significantly reduces the number of alerts but also accurately reveals core attack characteristics, enhancing the effectiveness of network security defense strategies.