
Network Security Event Management

Posted on: 2007-12-07
Degree: Master
Type: Thesis
Country: China
Candidate: G J Fei
Full Text: PDF
GTID: 2178360212983828
Subject: Computer system architecture

Abstract/Summary:
Network intrusion detection and intrusion prevention systems currently generate many false positives, which bury the real security events so that they are ignored. Based on research and analysis of network intrusions, this paper presents an active security event management framework built on the active security reference model. It studies and implements security event collection agents based on the SNMP and Syslog protocols, and designs an active security event correlation engine. Together these methods manage the security events and help to identify the real ones.

The correlation engine verifies security events against attack-scenario rules, so that the correlation of security events is automated and false positives are eliminated. The correlation algorithm also takes into account the vulnerabilities and asset value of the hosts and the reliability of the security equipment, and can perform real-time, active risk assessment.

To compensate for the weaknesses of scenario-based methods, the normalized events are analyzed with data mining algorithms to discover potential attacks and their root causes.
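The abstract describes three pieces that fit together: collectors that normalize Syslog and SNMP input into one event schema, a scenario rule that chains related events, and a risk score that weights a matched scenario by the target's asset value, whether the target actually carries the exploited vulnerability, and how reliable the reporting sensor is. The following Python is an added illustration of that pipeline written for this page; it is not the thesis's code, and the log format, the asset inventory, the vulnerability identifiers, the sensor reliability figures and the scoring formula are all constructed assumptions. It shows the effect the abstract claims: an exploit alert against a host that is not vulnerable is scored to zero and marked as a false positive instead of being raised as an incident.

```python
import re
from dataclasses import dataclass
from typing import Optional


@dataclass
class Event:
    ts: int        # constructed integer timestamp in seconds
    src: str
    dst: str
    sig: str       # normalized signature: "scan" or "exploit:<vuln-id>"
    sensor: str


# Constructed syslog line layout for this example (not a real IDS format).
SYSLOG_RE = re.compile(
    r"^(?P<ts>\d+) (?P<sensor>\S+) ids: sig=(?P<sig>\S+) (?P<src>[\d.]+) -> (?P<dst>[\d.]+)$"
)


def parse_syslog(line: str) -> Optional[Event]:
    """Syslog collection agent: map one text line onto the common schema."""
    m = SYSLOG_RE.match(line)
    if not m:
        return None
    return Event(int(m["ts"]), m["src"], m["dst"], m["sig"], m["sensor"])


def parse_trap(varbinds: dict) -> Event:
    """SNMP collection agent: trap varbinds are already structured, so only rename fields."""
    return Event(int(varbinds["ts"]), varbinds["src"], varbinds["dst"],
                 varbinds["sig"], varbinds["sensor"])


# Constructed knowledge base: sensor reliability in [0,1] and an asset inventory
# holding each host's value in [0,1] and the vulnerability IDs it is known to carry.
SENSOR_RELIABILITY = {"nids-a": 0.6, "hids-b": 0.9}
ASSETS = {
    "10.0.0.20": {"value": 0.9, "vulns": {"ssh-weak-auth"}},
    "10.0.0.21": {"value": 0.4, "vulns": set()},
}
WINDOW = 300  # an exploit must follow the scan within 5 minutes to complete the scenario


def correlate(events, assets=ASSETS, reliability=SENSOR_RELIABILITY):
    """Scenario rule: a 'scan' followed by 'exploit:<vuln>' from the same source
    against the same target within WINDOW seconds. Each match is risk-scored as
    asset value * (1 if the target carries <vuln> else 0) * sensor reliability."""
    scans = {}        # (src, dst) -> timestamp of the most recent scan
    incidents = []
    for e in sorted(events, key=lambda ev: ev.ts):
        if e.sig == "scan":
            scans[(e.src, e.dst)] = e.ts
            continue
        if not e.sig.startswith("exploit:"):
            continue
        t0 = scans.get((e.src, e.dst))
        if t0 is None or e.ts - t0 > WINDOW:
            continue                     # scenario incomplete: no preceding scan in window
        vuln = e.sig.split(":", 1)[1]
        asset = assets.get(e.dst, {"value": 0.0, "vulns": set()})
        vulnerable = 1.0 if vuln in asset["vulns"] else 0.0
        risk = round(asset["value"] * vulnerable * reliability.get(e.sensor, 0.5), 3)
        incidents.append({
            "src": e.src, "dst": e.dst, "vuln": vuln, "risk": risk,
            "verdict": "confirmed" if risk > 0 else "false_positive",
        })
    return incidents


def run_example():
    """Feed constructed Syslog lines and SNMP traps through both agents and the engine."""
    syslog_lines = [
        "1000 nids-a ids: sig=scan 10.0.0.5 -> 10.0.0.20",
        "1000 nids-a ids: sig=scan 10.0.0.5 -> 10.0.0.21",
        "5000 nids-a ids: sig=exploit:ssh-weak-auth 10.0.0.9 -> 10.0.0.20",  # no prior scan
        "garbage line that the agent must skip",
    ]
    traps = [
        {"ts": "1120", "sensor": "hids-b", "src": "10.0.0.5",
         "dst": "10.0.0.20", "sig": "exploit:ssh-weak-auth"},
        {"ts": "1130", "sensor": "nids-a", "src": "10.0.0.5",
         "dst": "10.0.0.21", "sig": "exploit:ssh-weak-auth"},
    ]
    events = [ev for ev in map(parse_syslog, syslog_lines) if ev is not None]
    events += [parse_trap(t) for t in traps]
    return correlate(events)


if __name__ == "__main__":
    for inc in run_example():
        print(inc)
```

Running it yields two scenario matches: the attack on 10.0.0.20 is confirmed with risk 0.81 (high-value host, vulnerable, reported by the more reliable sensor), while the identical-looking attack on 10.0.0.21 is scored 0 and labelled a false positive because that host does not carry the vulnerability; the lone exploit alert without a preceding scan never completes the scenario and is not raised at all.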
Keywords/Search Tags: Security event management, Correlation analysis, Risk assessment, Data mining