
Clustering And Consolidation In The Intrusion Detection System

Posted on: 2011-11-28  Degree: Master  Type: Thesis
Country: China  Candidate: G J Peng  Full Text: PDF
GTID: 2208360308980950  Subject: Communication and Information System
Abstract/Summary:
As hacker attack techniques become more complex and diverse, a single network security product can no longer cope with the many new forms of intrusion. Administrators, especially those of medium-sized networks, therefore run several security products at the same time in order to defend against all kinds of attacks. Because each product raises alarms independently, the result is a redundant stream of alarm events. This research aims to cluster and merge these redundant alarm events and eliminate the duplicate information. The processed data presents the current state of the network clearly, so that the network administrator can conveniently take targeted preventive measures, and the workload of the downstream correlation module that performs deep association analysis is greatly reduced.

The thesis focuses on clustering and merging the alarm information generated by host-based detection with OSSEC and network-based detection with Snort. After a comparative study of several domestic and international mainstream clustering methods, and taking the actual deployment background into account, the thesis uses the OSSEC ID of an alarm event as the entry point and the alarm type as the basis for clustering and merging OSSEC alarm information. For Snort alarm information, a protocol-based approach completes the clustering of alarm attributes, and a similarity-based merge that scans backwards in time completes the merging of redundant information, which strongly supports the real-time performance of the system. For clustering, a rule-based intelligent clustered storage of Snort alarm information is implemented, which makes protocol-based extension of Snort alert data easy.

In addition, a standardized format model is designed so that alarm information from other products can be stored and the system can be extended easily. Finally, the thesis uses real network equipment to set up an experimental network environment and runs three experiments to verify performance: a test of the combined effect of clustering and merging, a stress test, and an overall performance test. The experimental results show that the clustering and merging method greatly compresses and merges redundant information and has a certain resistance to stress when faced with a large volume of alarm data.
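As an added illustration of the clustering and merging the abstract describes (example code written for this page, not the thesis's own implementation), the following Python groups normalized alarms by OSSEC rule id or by Snort protocol plus signature id, and then merges near-duplicates inside a time window by attribute similarity, scanning the open entries newest-first. The alarm records, rule ids and addresses are constructed; the window length, the similarity threshold and the similarity measure are assumptions, since the abstract does not give the thesis's exact parameters. It generalizes slightly by handling both sources with one merge routine.

```python
"""Clustering and merging of redundant IDS alarms (added example; not the thesis's code)."""
from dataclasses import dataclass
from typing import Dict, List, Tuple

Key = Tuple[str, str]


@dataclass
class Alarm:
    source: str            # "ossec" (host-based) or "snort" (network-based)
    ts: float              # seconds since epoch (constructed values below)
    rule_id: str           # OSSEC rule id or Snort signature id
    attrs: Dict[str, str]  # attributes compared for similarity


@dataclass
class Merged:
    source: str
    rule_id: str
    first_ts: float
    last_ts: float
    count: int             # how many raw alarms were folded into this entry
    attrs: Dict[str, str]  # attributes of the first alarm in the entry


def cluster_key(a: Alarm) -> Key:
    """Grouping key: OSSEC by rule id, Snort by protocol plus signature id."""
    if a.source == "ossec":
        return ("ossec", a.rule_id)
    return ("snort", f"{a.attrs.get('proto', 'unknown')}:{a.rule_id}")


def similarity(x: Dict[str, str], y: Dict[str, str]) -> float:
    """Fraction of attribute names (from either record) whose values agree (assumed measure)."""
    names = set(x) | set(y)
    if not names:
        return 1.0
    return sum(1 for n in names if x.get(n) == y.get(n)) / len(names)


def cluster_and_merge(alarms: List[Alarm], window: float = 60.0,
                      threshold: float = 0.75) -> Dict[Key, List[Merged]]:
    """Group alarms by cluster_key and fold near-duplicates into one entry.

    Alarms are processed in time order. Per group, entries not seen for longer
    than `window` are closed first; the remaining open entries are scanned
    newest-first and the alarm joins the first one reaching `threshold`.
    """
    closed: Dict[Key, List[Merged]] = {}
    active: Dict[Key, List[Merged]] = {}
    for a in sorted(alarms, key=lambda x: x.ts):
        key = cluster_key(a)
        still_open: List[Merged] = []
        for m in active.get(key, []):
            if a.ts - m.last_ts <= window:
                still_open.append(m)
            else:
                closed.setdefault(key, []).append(m)  # expired: final, no more merging
        active[key] = still_open
        for m in reversed(still_open):               # newest entries first
            if similarity(a.attrs, m.attrs) >= threshold:
                m.last_ts, m.count = a.ts, m.count + 1
                break
        else:
            still_open.append(Merged(a.source, a.rule_id, a.ts, a.ts, 1, dict(a.attrs)))
    result: Dict[Key, List[Merged]] = {}
    for key in set(closed) | set(active):
        result[key] = sorted(closed.get(key, []) + active.get(key, []),
                             key=lambda m: m.first_ts)
    return result


def compression_ratio(n_in: int, merged: Dict[Key, List[Merged]]) -> float:
    """Raw alarms per merged entry; the abstract's measure of how much redundancy was removed."""
    n_out = sum(len(v) for v in merged.values())
    return n_in / n_out if n_out else float("inf")


# Constructed sample: rule ids, hosts and addresses are illustrative only.
SNORT_TCP = {"proto": "tcp", "src": "10.0.0.5", "dst": "10.0.0.20", "dport": "22"}
SAMPLE_ALARMS = [
    Alarm("ossec", 0,   "5710", {"src": "10.0.0.5", "dst": "host1"}),
    Alarm("snort", 5,   "1000001", dict(SNORT_TCP)),
    Alarm("ossec", 10,  "5710", {"src": "10.0.0.5", "dst": "host1"}),   # duplicate
    Alarm("ossec", 12,  "5710", {"src": "10.0.0.5", "dst": "host1"}),   # duplicate
    Alarm("ossec", 20,  "5710", {"src": "10.0.0.9", "dst": "host1"}),   # other source host
    Alarm("snort", 30,  "1000001", dict(SNORT_TCP)),                    # duplicate
    Alarm("snort", 100, "1000001", dict(SNORT_TCP)),                    # outside window
    Alarm("snort", 101, "1000001", {"proto": "udp", "src": "10.0.0.5", "dst": "10.0.0.20", "dport": "53"}),
    Alarm("snort", 110, "1000001", dict(SNORT_TCP, dport="443")),        # 3 of 4 attrs agree
    Alarm("ossec", 200, "5710", {"src": "10.0.0.5", "dst": "host1"}),   # outside window
]


def demo() -> Dict[Key, List[Merged]]:
    return cluster_and_merge(SAMPLE_ALARMS)


if __name__ == "__main__":
    merged = demo()
    for key, entries in sorted(merged.items()):
        for e in entries:
            print(key, f"count={e.count}", f"{e.first_ts:.0f}-{e.last_ts:.0f}", e.attrs)
    print("compression ratio:", round(compression_ratio(len(SAMPLE_ALARMS), merged), 2))
```

The merged entry keeps the attributes of its first alarm, so the count and the first/last timestamps are what a downstream correlation module would consume; lowering `threshold` merges more aggressively at the cost of hiding attribute differences such as the changed destination port in the sample.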
Keywords/Search Tags: Intrusion Detection, OSSEC, Clustering and merging, Snort, Alarm information