
Research And Implementation On Technology Of Network Security Events Correlation Rule's Automatic Generation

Posted on: 2011-09-22
Degree: Master
Type: Thesis
Country: China
Candidate: Y Li
Full Text: PDF
GTID: 2178330338490037
Subject: Computer Science and Technology
Abstract/Summary:
A Network Security Events Correlation Rule (referred to as a Correlation Rule below) defines and describes the relations among different events; it implies the scenario of a successfully launched attack. Correlation technology based on correlation rules is easy to implement and is effective at discovering the relations among different network security events, and it has been widely used in current popular security products. However, the number of correlation rules in these products is far smaller than the number of current attacks, which seriously constrains further application of the correlation subsystem. It is therefore valuable to research the generation of correlation rules, which contributes much to the performance of correlation technology.

This thesis mainly researches the technology of automatic generation of correlation rules. The contributions of this thesis include:

1) In-depth research and comparison of the current methods and technologies for correlation rule generation.

2) A technology for the automatic generation of correlation rules based on attack traffic is proposed. By integrating some open-source penetration-testing tools, attack traffic can be generated automatically. Correlation rules against known attacks are then generated automatically by gathering the security events triggered by that attack traffic.

3) Typical attack patterns are analyzed and summarized on the basis of a scientific classification of network attacks, and an approach to the automatic generation of correlation rules based on attack patterns is proposed. This approach lowers the difficulty of generating correlation rules against known attacks and complements the approach above.

4) Considering the mass of security events and the appearance of unknown attacks in large-scale networks, a technology based on sequential pattern mining is developed. It can discover correlation rules related to complex attack patterns and to unknown attacks without any knowledge provided in advance.

5) A prototype system for the automatic generation of correlation rules is developed. By combining the technologies above, the disadvantages of each are complemented by the others, and correlation rules of different kinds are generated.
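The sequential-pattern-mining approach of contribution 4, and the general idea of deriving a correlation rule from the events an attack triggers, can be illustrated with a small added example; this is not code from the thesis or its prototype system. It groups constructed security events per source host into time-ordered sequences, runs a GSP-style level-wise miner (Apriori pruning on ordered subsequences) to extract frequent event chains as candidate correlation rules, and then applies a mined rule to an event stream on the detection side with a time window. The event type names, hosts, timestamps, the support threshold and the `window` parameter are all assumptions chosen for illustration.

```python
from collections import defaultdict

# Constructed sample events: (timestamp_seconds, source_host, event_type).
# Hypothetical data for illustration, not events from the thesis.
SAMPLE_EVENTS = [
    (0, "10.0.0.5", "port_scan"),
    (30, "10.0.0.5", "ssh_bruteforce"),
    (90, "10.0.0.5", "new_admin_account"),
    (5, "10.0.0.7", "port_scan"),
    (40, "10.0.0.7", "ssh_bruteforce"),
    (100, "10.0.0.7", "new_admin_account"),
    (2, "10.0.0.9", "port_scan"),
    (60, "10.0.0.9", "dns_query_burst"),
    (3, "10.0.0.11", "ssh_bruteforce"),
    (70, "10.0.0.11", "new_admin_account"),
]


def build_sequences(events):
    """Group events by source host and order them by time: host -> [event_type, ...]."""
    by_host = defaultdict(list)
    for ts, host, etype in events:
        by_host[host].append((ts, etype))
    return {host: [e for _, e in sorted(evs)] for host, evs in by_host.items()}


def is_subsequence(pattern, seq):
    """True if `pattern` occurs in `seq` as an ordered (not necessarily contiguous) subsequence."""
    it = iter(seq)
    return all(any(x == p for x in it) for p in pattern)


def mine_sequential_patterns(sequences, min_support, max_len=4):
    """GSP-style level-wise mining of frequent ordered event patterns.

    Support of a pattern = number of hosts whose sequence contains it.
    Returns {pattern_tuple: support} for every frequent pattern up to max_len.
    """
    seqs = list(sequences.values())

    def support(p):
        return sum(1 for s in seqs if is_subsequence(p, s))

    items = sorted({e for s in seqs for e in s})
    frequent = {}
    level = [(e,) for e in items if support((e,)) >= min_support]
    for p in level:
        frequent[p] = support(p)
    k = 1
    while level and k < max_len:
        # Extend each frequent k-pattern by one more event type (no repeats, a simplification).
        candidates = {p + (e,) for p in level for e in items if e not in p}
        level = []
        for c in sorted(candidates):
            # Apriori pruning: every (k)-subpattern obtained by dropping one step must be frequent.
            if any(c[:i] + c[i + 1:] not in frequent for i in range(len(c))):
                continue
            s = support(c)
            if s >= min_support:
                frequent[c] = s
                level.append(c)
        k += 1
    return frequent


def rules_from_patterns(frequent, min_len=2):
    """Turn frequent multi-step patterns into candidate correlation rules."""
    return [{"sequence": p, "support": s} for p, s in sorted(frequent.items()) if len(p) >= min_len]


def _chain_in_window(seq, evs, window):
    """True if time-sorted (ts, etype) list `evs` contains `seq` in order,
    with every step within `window` seconds of the first matched step."""
    for start, (ts0, e0) in enumerate(evs):
        if e0 != seq[0]:
            continue
        if len(seq) == 1:
            return True
        idx = 1
        for ts, e in evs[start + 1:]:
            if ts - ts0 > window:
                break
            if e == seq[idx]:
                idx += 1
                if idx == len(seq):
                    return True
    return False


def match_rule(rule, events, window):
    """Detection side: hosts whose event stream shows the rule's chain inside the window."""
    by_host = defaultdict(list)
    for ts, host, etype in events:
        by_host[host].append((ts, etype))
    return sorted(h for h, evs in by_host.items()
                  if _chain_in_window(rule["sequence"], sorted(evs), window))


if __name__ == "__main__":
    rules = rules_from_patterns(mine_sequential_patterns(build_sequences(SAMPLE_EVENTS), min_support=3))
    for r in rules:
        print(" -> ".join(r["sequence"]), "support", r["support"], "hits", match_rule(r, SAMPLE_EVENTS, 120))
```

With a support threshold of 3, the miner keeps only the chain `ssh_bruteforce -> new_admin_account`, because the `port_scan` prefix is seen on just two of the three hosts that show it; the matcher then reports the three hosts on which that chain completes within 120 seconds and none within 30. The window and threshold are the two knobs an analyst would tune against false positives when turning mined chains into production rules.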
Keywords/Search Tags: network security event, correlation rule, generation, automatic