
Research On Alert Fusion Technology Of Network Intrusion Detection System

Posted on: 2012-11-24
Degree: Master
Type: Thesis
Country: China
Candidate: S H Yan
Full Text: PDF
GTID: 2248330371958248
Subject: Computer application technology
Abstract/Summary:
Intrusion detection technology is widely applied and studied because it can collect and analyze information at key points of a network and find behavior that violates the security policy. However, intrusion detection systems have shortcomings, namely a large number of false alerts and a high rate of redundancy, which restrain their further development. To address these shortcomings, we introduce data fusion technology into the network intrusion detection system to process alerts.

This paper analyzes the problems of network intrusion detection, studies the common data fusion methods, and analyzes their technical characteristics, merits and drawbacks. According to the characteristics of the original alert data, we discuss the classification of original alert data. Combining these studies, we summarize the functional requirements of the alert fusion system model.

Because alert fusion for complex systems is difficult to achieve, we construct a hierarchical fusion model by combining multiple alert integration techniques. The model contains four levels: validation, aggregation, correlation and filtering. It improves the quality of alert information and reduces implementation difficulty by fusing the original alert data step by step: deleting non-related alerts, aggregating redundant alerts, associating the alerts that can be associated, and filtering out isolated alerts.

Because current aggregation methods lack scalability, we introduce the coefficient of variation into the determination of time properties and propose an alert aggregation method based on a dynamic time threshold. We apply the method to the aggregation of actual alert data.

By simulating network attack behavior with dynamic time delays, we trigger Snort alerts, apply the dynamic-time-threshold method to fuse these alerts, and test the adaptability of the aggregation method. The experimental results show that the system can integrate the alerts of an attack in a timely and reasonable manner and greatly reduce the number of repeated alerts. The proposed aggregation method based on a dynamic time threshold adapts to the alerts triggered by persistent attacks and performs better than the method based on a fixed time threshold. The design objectives are achieved.
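The abstract describes the aggregation level of the model but not the formula behind the dynamic time threshold. The following is an added illustration, not code from the thesis: it groups Snort-style alerts by (source, destination, signature), then merges consecutive alerts of a group when the gap to the previous alert is within a threshold. The dynamic variant recomputes that threshold from the gaps already in the current cluster, widening it as the coefficient of variation (standard deviation divided by mean) grows; the specific rule `slack * mean_gap * (1 + cv)` with a floor at the fixed threshold is an assumption made for this example. The sample alerts are constructed and model a persistent scan whose inter-arrival delay grows over time, the case the abstract says the dynamic threshold handles better than a fixed one.

```python
"""Alert aggregation with a fixed versus a dynamic (coefficient-of-variation) time threshold.

Added illustration of the aggregation level described in the abstract; the
threshold rule is an assumption for this example, not the thesis's own formula.
"""
from collections import defaultdict
from statistics import mean, pstdev
from typing import Dict, List, Tuple

# Constructed sample alerts in a Snort-like shape: (timestamp in seconds, src, dst, signature).
# The scan alerts arrive with a delay that grows by 0.2 s each time, then one late straggler.
SAMPLE_ALERTS: List[Tuple[float, str, str, str]] = [
    (t, "10.0.0.5", "10.0.0.9", "SCAN nmap TCP")
    for t in (0.0, 1.0, 2.2, 3.6, 5.2, 7.0, 9.0, 11.2, 13.6, 16.2, 60.0)
] + [
    (3.0, "10.0.0.7", "10.0.0.9", "WEB-ATTACK directory traversal"),
]


def dynamic_threshold(gaps: List[float], base: float, slack: float) -> float:
    """Threshold for joining the next alert to the current cluster.

    With fewer than two observed gaps there is no spread to measure, so the
    fixed base threshold is used. Otherwise the threshold is slack * mean gap,
    widened by the coefficient of variation, and never below the base.
    """
    if len(gaps) < 2:
        return base
    m = mean(gaps)
    if m <= 0:  # duplicate timestamps: no usable inter-arrival statistics
        return base
    cv = pstdev(gaps) / m
    return max(base, slack * m * (1.0 + cv))


def _summarize(key: Tuple[str, str, str], times: List[float]) -> Dict[str, object]:
    src, dst, sig = key
    return {"src": src, "dst": dst, "signature": sig,
            "first_seen": times[0], "last_seen": times[-1], "count": len(times)}


def aggregate(alerts, base_threshold: float = 2.0, dynamic: bool = True,
              slack: float = 2.0) -> List[Dict[str, object]]:
    """Merge redundant alerts into aggregated alerts (one per burst per src/dst/signature)."""
    groups: Dict[Tuple[str, str, str], List[float]] = defaultdict(list)
    for ts, src, dst, sig in alerts:
        groups[(src, dst, sig)].append(ts)

    aggregated: List[Dict[str, object]] = []
    for key, times in groups.items():
        times.sort()
        current = [times[0]]
        for t in times[1:]:
            gaps = [b - a for a, b in zip(current, current[1:])]
            thr = dynamic_threshold(gaps, base_threshold, slack) if dynamic else base_threshold
            if t - current[-1] <= thr:
                current.append(t)          # same burst: absorb the redundant alert
            else:
                aggregated.append(_summarize(key, current))
                current = [t]              # gap too large: start a new aggregated alert
        aggregated.append(_summarize(key, current))
    return aggregated


def redundancy_reduction(alerts, aggregated) -> float:
    """Fraction of raw alerts removed by aggregation (0.0 = nothing merged)."""
    return 1.0 - len(aggregated) / len(alerts)


if __name__ == "__main__":
    for label, dyn in (("fixed", False), ("dynamic", True)):
        out = aggregate(SAMPLE_ALERTS, dynamic=dyn)
        print(f"{label}: {len(out)} aggregated alerts from {len(SAMPLE_ALERTS)} raw, "
              f"reduction {redundancy_reduction(SAMPLE_ALERTS, out):.2f}")
        for a in out:
            print("  ", a)
```

With a fixed 2 s threshold the growing-delay scan fragments into five aggregated alerts once its gaps exceed 2 s; the dynamic threshold keeps the ten scan alerts together as one burst while still separating the straggler at 60 s, which is the adaptability property the abstract attributes to the method.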
Keywords/Search Tags: Network Security, Intrusion Detection, Alert fusion, coefficient of variation, Alert Aggregation