
Research On A Rule-Based Approach To Network Security Event Correlation

Posted on: 2008-10-26
Degree: Master
Type: Thesis
Country: China
Candidate: A Q Pan
Full Text: PDF
GTID: 2178360272468463
Subject: Computer system architecture
Abstract/Summary:
With the rapid development of complex, covert and distributed attack techniques, network security management faces three major problems: the huge volume of security alert data, redundancy, and false positives. These data cannot be analysed and managed manually. Only network security event correlation analysis can relate the alerts to one another, mine the essential relationships between them, discover latent attack intentions effectively and in time, and so allow preventive measures to be taken to ensure network security.

The rule-based approach to network security event correlation aggregates alerts by their similarity and eliminates false alerts by means of alert reliability scores; at the same time, the relations between the nodes of tree rules are used to correlate scattered alerts into an attack scenario.

Similarity between alerts is defined by feature similarity: there is a similarity function for each feature. For attack-class similarity a matrix of similarities between attack classes is maintained, and IP-address similarity is determined by the longest IPv4 subnet mask (the maximum number of 1 bits) that covers both addresses. Two alerts are considered similar, and may be aggregated, only when the threshold of every feature is exceeded.

Directives based on tree rules are created for each attack scenario: the root node represents the beginning of the attack and a leaf its end; a parent node is the premise of its child nodes, and each child node expresses one direction the attack may take. The deeper the directives match the alerts, the more likely the attack is to succeed.

The reliability of an alert depends on two factors. The first is the number of alerts aggregated into it: the more alerts aggregated, the more credible it is. The second is the depth to which the directives are matched: the triggering of each step shows that the attacker has completed the previous step and may go on to further attacks, so the reliability should be increased.

Experiments show that the algorithm performs well in alert reduction and in attack false negative rate, effectively reduces the number of alerts and false positives, and correlates the alerts.
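As an added example, not code from the thesis, the following Python sketches the mechanics the abstract describes: a per-feature similarity test with an attack-class matrix and an IPv4 longest-common-prefix measure, aggregation only when every feature threshold is met, a tree rule whose child steps only count once their parent step has fired, and a reliability score that grows with the number of aggregated alerts and with matched depth. The class matrix, the thresholds, the weighting inside `reliability`, the per-target grouping in `correlate`, and the sample alerts are all constructed assumptions; the thesis does not give its concrete values.

```python
from dataclasses import dataclass, field
from ipaddress import IPv4Address
from typing import Dict, List, Tuple

# Constructed attack-class similarity matrix (symmetric; unlisted pairs score 0).
CLASS_SIM: Dict[Tuple[str, str], float] = {
    ("scan", "scan"): 1.0, ("exploit", "exploit"): 1.0, ("priv_esc", "priv_esc"): 1.0,
    ("scan", "exploit"): 0.4, ("exploit", "priv_esc"): 0.6, ("scan", "priv_esc"): 0.1,
}

# Constructed per-feature thresholds; every one must be met for two alerts to aggregate.
THRESHOLDS = {"attack_class": 0.7, "src": 0.75, "dst": 1.0}


def class_similarity(a: str, b: str) -> float:
    return CLASS_SIM.get((a, b), CLASS_SIM.get((b, a), 0.0))


def ip_similarity(a: str, b: str) -> float:
    """Longest IPv4 prefix (subnet mask length) covering both addresses, scaled to [0, 1].
    Identical addresses give /32 -> 1.0; addresses differing in the top bit give /0 -> 0.0."""
    diff = int(IPv4Address(a)) ^ int(IPv4Address(b))
    return (32 - diff.bit_length()) / 32.0


@dataclass
class Alert:
    attack_class: str
    src: str
    dst: str
    count: int = 1  # number of raw alerts folded into this one


def similar(a: Alert, b: Alert) -> bool:
    scores = {
        "attack_class": class_similarity(a.attack_class, b.attack_class),
        "src": ip_similarity(a.src, b.src),
        "dst": ip_similarity(a.dst, b.dst),
    }
    return all(scores[f] >= t for f, t in THRESHOLDS.items())


def aggregate(alerts: List[Alert]) -> List[Alert]:
    """Fold each alert into the first earlier alert it is similar to; order of first sight is kept."""
    merged: List[Alert] = []
    for alert in alerts:
        for m in merged:
            if similar(m, alert):
                m.count += alert.count
                break
        else:
            merged.append(Alert(alert.attack_class, alert.src, alert.dst, alert.count))
    return merged


@dataclass
class Directive:
    """One node of a tree rule: the root is the start of the scenario, a leaf its end,
    and each node is the premise of its children."""
    attack_class: str
    children: List["Directive"] = field(default_factory=list)


def tree_depth(node: Directive) -> int:
    return 1 + max((tree_depth(c) for c in node.children), default=0)


def match_depth(root: Directive, alerts: List[Alert]) -> int:
    """Walk alerts in time order; a child step only counts once its parent step has fired."""
    depth, node = 0, None
    for alert in alerts:
        if node is None:
            if alert.attack_class == root.attack_class:
                node, depth = root, 1
            continue
        for child in node.children:
            if child.attack_class == alert.attack_class:
                node, depth = child, depth + 1
                break
    return depth


def reliability(count: int, depth: int, max_depth: int) -> float:
    """Constructed score in [0, 1]: half from how many alerts were aggregated
    (saturating at 10), half from how deeply the directive tree was matched."""
    return 0.5 * min(count, 10) / 10 + 0.5 * depth / max_depth


def correlate(alerts: List[Alert], root: Directive) -> Dict[str, Tuple[int, float]]:
    """Aggregate, then match the tree rule per target host: dst -> (matched depth, reliability)."""
    by_dst: Dict[str, List[Alert]] = {}
    for a in aggregate(alerts):
        by_dst.setdefault(a.dst, []).append(a)
    result: Dict[str, Tuple[int, float]] = {}
    for dst, group in by_dst.items():
        depth = match_depth(root, group)
        result[dst] = (depth, reliability(sum(a.count for a in group), depth, tree_depth(root)))
    return result


# Constructed tree rule: scan -> exploit -> priv_esc.
SCENARIO = Directive("scan", [Directive("exploit", [Directive("priv_esc")])])

# Constructed sample alerts, in time order.
SAMPLE = [
    Alert("scan", "10.0.0.5", "192.168.1.10"),
    Alert("scan", "10.0.0.6", "192.168.1.10"),     # same /30 as the first -> aggregates
    Alert("scan", "10.0.0.5", "192.168.1.10"),
    Alert("exploit", "10.0.0.5", "192.168.1.10"),  # class similarity to scan 0.4 < 0.7 -> kept apart
    Alert("scan", "172.16.0.9", "192.168.1.10"),   # src differs in the top bit -> kept apart
    Alert("priv_esc", "10.0.0.5", "192.168.1.10"),
    Alert("exploit", "10.0.0.5", "192.168.1.20"),  # no preceding scan: the premise is missing
]

if __name__ == "__main__":
    for dst, (depth, score) in correlate(SAMPLE, SCENARIO).items():
        print(f"{dst}: matched depth {depth}, reliability {score:.2f}")
```

Running it shows the two effects the abstract relies on: the seven raw alerts collapse to five, and the host that saw scan, exploit and privilege escalation in sequence scores far higher than the host that only saw an exploit with no preceding scan, because a child directive never fires without its parent.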
Keywords/Search Tags:Network Security, Correlation Analysis, Rule based tree, Similarity, Reliability