
Research And Design Of Network Security Event Correlation Engine

Posted on: 2011-01-27
Degree: Master
Type: Thesis
Country: China
Candidate: J G Li
Full Text: PDF
GTID: 2178360308961358
Subject: Control theory and control engineering
Abstract/Summary:
With the development of information technology in modern society, information security has received more and more attention. Commonly used security tools such as IDS, firewalls and various anomaly detectors have inherent limitations: they may fail to recognize normal behaviour and trigger false alarms, and a single attack triggers multiple repeated alarms from different detectors. More importantly, network attacks are becoming more sophisticated and distributed. Multi-step attacks can be carried out from different places, so a single event log cannot reflect the whole picture of the aggressive behaviour, and the system is unable to capture those complex attacks that are planned and carried out step by step. This makes it difficult for the administrator to make the right judgement. Security event correlation was therefore proposed; it focuses on collecting alarm information from a variety of network security devices, merging repeated alarms, finding the correlations between alarms and making the right response to the attack that is detected.

This thesis summarizes the importance of security event correlation in a security event management platform and surveys security event correlation techniques at home and abroad, including security event correlation based on cross-correlation, on prerequisites, on probabilistic similarity and on statistical methods.
On this basis, this thesis proposes a security event correlation system based on multithreaded master-slave matching machine cooperation. It uses data mining methods such as association rules, finding frequent item-sets and statistical relevance to build the rule database that the template-based security event correlation needs as prior knowledge; it then introduces the architecture of the system and the modules of which it is composed, and proposes a reverse matching method to reduce the redundancy present in the matching steps. Finally, experiments prove that this scheme greatly improves the efficiency of security event correlation matching and reduces the overhead of the system.
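An added illustration (not code from the thesis) of the three stages the abstract describes, in Python: merging repeated alarms from several sensors, mining association rules from frequent alarm pairs to build the rule database, and using those rules as templates to correlate a multi-step attack from the same source. The alarm records, window sizes and support/confidence thresholds are constructed for illustration.

```python
from collections import Counter, defaultdict
from itertools import combinations
# Constructed sample alarms: (timestamp_s, sensor, signature, source_ip)
ALARMS = [
    (0, "ids", "port_scan", "10.0.0.5"), (2, "ids", "port_scan", "10.0.0.5"),
    (5, "fw", "ssh_brute_force", "10.0.0.5"), (8, "ids", "port_scan", "10.0.0.5"),
    (60, "ids", "port_scan", "10.0.0.7"), (63, "fw", "ssh_brute_force", "10.0.0.7"),
    (120, "ids", "port_scan", "10.0.0.9"), (125, "fw", "ssh_brute_force", "10.0.0.9"),
    (200, "av", "malware_found", "10.0.0.2"),
]

def merge_repeats(alarms, window=10):
    """Step 1: collapse identical (sensor, signature, source) alarms raised within `window` seconds into one record."""
    merged, last = [], {}
    for ts, sensor, sig, src in alarms:
        rec = last.get((sensor, sig, src))
        if rec and ts - rec["ts"] <= window:
            rec["count"] += 1  # repeat of an alarm we already hold: count it, do not emit it again
        else:
            rec = {"ts": ts, "sensor": sensor, "sig": sig, "src": src, "count": 1}
            merged.append(rec)
            last[(sensor, sig, src)] = rec
    return merged

def mine_rules(merged, window=30, min_support=2, min_conf=0.8):
    """Step 2: bucket alarms per source and time window into transactions, then mine pairwise association rules."""
    baskets = defaultdict(set)
    for r in merged:
        baskets[(r["src"], r["ts"] // window)].add(r["sig"])
    single, pair = Counter(), Counter()
    for items in baskets.values():
        single.update(items)
        pair.update(frozenset(p) for p in combinations(items, 2))
    rules = {}  # (antecedent, consequent) -> confidence; this is the learned rule database
    for itemset, sup in pair.items():
        if sup >= min_support:
            for ante in itemset:
                cons = next(iter(itemset - {ante}))
                if sup / single[ante] >= min_conf:
                    rules[(ante, cons)] = sup / single[ante]
    return rules

def correlate(merged, rules, window=30):
    """Step 3: template matching. A consequent following its antecedent from the same source is one multi-step incident."""
    seen, incidents = defaultdict(dict), []  # seen: source -> {signature: last timestamp}
    for r in merged:
        for (ante, cons), conf in rules.items():
            if r["sig"] == cons and ante in seen[r["src"]] and r["ts"] - seen[r["src"]][ante] <= window:
                incidents.append((r["src"], ante, cons, conf))
        seen[r["src"]][r["sig"]] = r["ts"]
    return incidents
```

Running `correlate(merged, mine_rules(merged))` on the merged sample reports three port_scan to ssh_brute_force incidents, one per source, instead of nine isolated alarms.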
Keywords/Search Tags: security event correlation, data mining, security event correlation engine, matching complexity factor analysis