
Detection And Correlation Analysis System For Network Security Event

Posted on: 2009-06-10
Degree: Master
Type: Thesis
Country: China
Candidate: W J Jin
Full Text: PDF
GTID: 2178360272479667
Subject: Computer application technology
Abstract/Summary:
With the rapid expansion of the Internet, network applications are developing and strengthening rapidly, and the Internet suffers from a growing number of security threats. Network and information security now affects our daily life, the economy and even national security. Network security equipment and systems are therefore constantly developing; many network security technologies, such as firewalls (FW), intrusion detection systems (IDS) and anti-virus (AV), play an active role in network security.

For this variety of network security equipment, particularly IDS and FW, we face many problems and challenges, including massive numbers of alerts, high rates of false positives and false negatives, low-level alerts, and the inability of security devices to cooperate. To resolve these problems, event correlation techniques are receiving constant attention, and event correlation analysis for IDS in particular has become mainstream.

This thesis introduces the status of network security technologies, which shows the necessity of event correlation. After presenting a summary and analysis of event correlation technologies, the thesis designs two correlation algorithms: one based on the attack graph, and the other based on attribute similarity. The first algorithm relies on distance in the attack graph: since an attacker will certainly select the easiest attack on a given target, the attack-graph distance can represent the relatedness used to correlate multi-step attacks. The second algorithm is an application of clustering: by measuring the similarity of attributes we decide the clusters, and we also design an algorithm to measure the similarity between a new event and a cluster as a whole. The thesis also presents an event correlation model.

Combining redundancy removal, security evaluation and statistical analysis techniques with the practical application of the two algorithms, we design and implement a detection and correlation analysis system for network security events. Tested on the DARPA data sets, the system can correlate multi-step attacks, reduce the number of alerts, and reduce the rates of false positives and false negatives. The prototype system achieves the expected aim.
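The following is an added example written for this abstract; it is not code from the thesis or its prototype system. It illustrates the two ideas the abstract describes: attribute-similarity clustering, which collapses repetitive IDS alerts into clusters and scores a new event against a whole cluster, and attack-graph distance, which links clusters whose stages are a short number of attack steps apart on the same target. The attack graph, attribute weights, the join threshold, the use of the mean member similarity as the event-to-cluster score, and the sample alerts are all constructed assumptions, not the thesis's own definitions or DARPA data.

```python
"""Alert correlation by attribute similarity and attack-graph distance (constructed example)."""
from collections import deque

# Constructed attack graph: nodes are attack stages an IDS signature maps to,
# edges are the steps an attacker can plausibly take next.  A real system
# would derive this from the monitored network and its signature set.
ATTACK_GRAPH = {
    "scan": ["exploit", "brute_force"],
    "brute_force": ["shell"],
    "exploit": ["shell"],
    "shell": ["privesc", "exfil"],
    "privesc": ["exfil"],
    "exfil": [],
}

# Assumed attribute weights; they sum to 1 so similarity stays in [0, 1].
WEIGHTS = {"src_ip": 0.25, "dst_ip": 0.25, "dst_port": 0.15, "signature": 0.2, "time": 0.15}

# Constructed sample alerts (not DARPA data): a repeated SSH brute force,
# a follow-on shell on the same host, and an unrelated scan elsewhere.
SAMPLE_ALERTS = [
    {"ts": 0,    "src_ip": "10.0.0.5",   "dst_ip": "192.168.1.10", "dst_port": 22, "signature": "SSH brute force", "stage": "brute_force"},
    {"ts": 30,   "src_ip": "10.0.0.5",   "dst_ip": "192.168.1.10", "dst_port": 22, "signature": "SSH brute force", "stage": "brute_force"},
    {"ts": 60,   "src_ip": "10.0.0.5",   "dst_ip": "192.168.1.10", "dst_port": 22, "signature": "SSH brute force", "stage": "brute_force"},
    {"ts": 120,  "src_ip": "10.0.0.5",   "dst_ip": "192.168.1.10", "dst_port": 22, "signature": "Shell in SSH session", "stage": "shell"},
    {"ts": 5000, "src_ip": "172.16.9.3", "dst_ip": "192.168.1.50", "dst_port": 80, "signature": "HTTP dir scan", "stage": "scan"},
]


def graph_distance(graph, src, dst):
    """Fewest attack steps from stage src to stage dst (BFS); None if unreachable."""
    if src == dst:
        return 0
    seen, queue = {src}, deque([(src, 0)])
    while queue:
        node, d = queue.popleft()
        for nxt in graph.get(node, []):
            if nxt == dst:
                return d + 1
            if nxt not in seen:
                seen.add(nxt)
                queue.append((nxt, d + 1))
    return None


def graph_correlated(graph, earlier, later, max_steps=2):
    """Two alerts on the same target belong to one multi-step attack when the
    later stage is reachable from the earlier one within max_steps."""
    if earlier["dst_ip"] != later["dst_ip"]:
        return False
    d = graph_distance(graph, earlier["stage"], later["stage"])
    return d is not None and 0 < d <= max_steps


def ip_similarity(a, b):
    """Fraction of leading IPv4 octets shared (1.0 = identical address)."""
    common = 0
    for x, y in zip(a.split("."), b.split(".")):
        if x != y:
            break
        common += 1
    return common / 4


def alert_similarity(x, y, max_gap=300):
    """Weighted attribute similarity in [0, 1]; time contributes linearly until max_gap seconds."""
    s = WEIGHTS["src_ip"] * ip_similarity(x["src_ip"], y["src_ip"])
    s += WEIGHTS["dst_ip"] * ip_similarity(x["dst_ip"], y["dst_ip"])
    s += WEIGHTS["dst_port"] * (x["dst_port"] == y["dst_port"])
    s += WEIGHTS["signature"] * (x["signature"] == y["signature"])
    s += WEIGHTS["time"] * max(0.0, 1 - abs(x["ts"] - y["ts"]) / max_gap)
    return s


def cluster_similarity(event, cluster):
    """Score a new event against a whole cluster: mean similarity to its members (assumed rule)."""
    return sum(alert_similarity(event, m) for m in cluster) / len(cluster)


def cluster_alerts(alerts, threshold=0.8):
    """Greedy online clustering: join the best-matching cluster or start a new one."""
    clusters = []
    for a in sorted(alerts, key=lambda a: a["ts"]):
        best, best_sim = None, 0.0
        for c in clusters:
            sim = cluster_similarity(a, c)
            if sim > best_sim:
                best, best_sim = c, sim
        if best is not None and best_sim >= threshold:
            best.append(a)
        else:
            clusters.append([a])
    return clusters


def correlate_clusters(clusters, graph=ATTACK_GRAPH):
    """Link cluster i to cluster j when j's first alert is a plausible next step after i's last alert."""
    links = []
    for i, ci in enumerate(clusters):
        for j, cj in enumerate(clusters):
            if i != j and ci[-1]["ts"] <= cj[0]["ts"] and graph_correlated(graph, ci[-1], cj[0]):
                links.append((i, j))
    return links


if __name__ == "__main__":
    clusters = cluster_alerts(SAMPLE_ALERTS)
    print(f"{len(SAMPLE_ALERTS)} raw alerts -> {len(clusters)} clusters")
    for i, c in enumerate(clusters):
        print(f"  cluster {i}: {len(c)} x {c[0]['signature']} on {c[0]['dst_ip']}")
    print("multi-step links (earlier -> later):", correlate_clusters(clusters))
```

On the constructed input the three brute-force alerts collapse into one cluster, the shell alert stays separate because its signature differs, and the attack-graph step brute_force -> shell on the same host links the two clusters into one multi-step attack, while the unrelated scan is left alone. The threshold controls the trade-off the abstract mentions: lowering it reduces alert volume further but risks merging distinct attacks.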
Keywords/Search Tags: Network Security, Event Correlation, Attack Graph Correlation, Attributes Similarity Correlation