Based On Cloud Computing Platform Of Network Security Intrusion Scenario Reconstruction Technology Research

Posted on: 2014-02-05
Degree: Master
Type: Thesis
Country: China
Candidate: G Zhang
GTID: 2248330395982636
Subject: Computer application technology

Abstract/Summary:
Recently, with the rapid development of Internet technology, network information data has shown explosive growth. At the same time, hacker activity and network intrusions targeting enterprise or individual information are becoming more and more frequent, leading to a surge in network security incidents. However, the Intrusion Detection Systems (IDS) used to detect those incidents produce a large number of independent, raw alerts. These alerts are enormous in volume, scattered and cluttered, which makes it difficult for network security administrators to trace the intruder's attack process and dig out the security incident.

To solve these problems, namely dealing with massive alert data and the difficulty of finding the high-level intentions behind an intrusion, this paper proposes research on a technique, based on a cloud computing platform, for constructing intrusion scenarios through correlation of intrusion alerts; that is, research on a parallelizable causal correlation analysis method.

In this paper, we designed and implemented an intrusion scenario reconstruction system based on cloud computing. As a complement to that system for real-time processing, we also discussed the stream computation model and implemented an intrusion scenario reconstruction system based on stream computation.

First, we designed and implemented a parallel causal correlation analysis method based on the MapReduce framework, and proposed an alert fusion preprocessing module to reduce the redundancy of the massive raw alerts. Then, we built a cluster on the cloud computing platform Hadoop to handle the correlation analysis of massive alert data, and finally implemented the intrusion scenario reconstruction system based on cloud computing.

Secondly, to meet possible real-time requirements for alert analysis, this paper introduced the distributed real-time stream computation system Twitter Storm. Then, according to the characteristics of stream computation, we designed and simply implemented the intrusion scenario reconstruction system based on stream computation, and worked out a feasible way to realize real-time alert correlation analysis.

Finally, through experiments on a real alert data set and analysis of the experimental results, we found that the cloud-computing-based intrusion scenario reconstruction method designed and implemented in this paper is feasible and has certain advantages. On the one hand, this method reduces the complexity of the correlation analysis process by correlating alerts in parallel; on the other hand, it can find the correlative relationships between alerts and can effectively avoid omissions in the alert correlation result. Meanwhile, we illustrated the relationship between the size of the Hadoop cluster and its efficiency, and determined the capability of the implemented system to handle massive alert data.
Keywords/Search Tags: Intrusion Detection, Massive Alerts, Cloud Computing, Causal Correlation, MapReduce, Alert Fusion, Stream Computation
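The pipeline the abstract outlines (alert fusion, then causal correlation run in parallel per partition) can be sketched as follows. This is an added example, not code from the thesis: plain Python stands in for Hadoop MapReduce, and the partition key (target host), the 60-second fusion window, the prerequisite/consequence knowledge base and all alert data are assumptions constructed for illustration.

```python
from collections import defaultdict

# Assumed knowledge base: alert type -> (prerequisites, consequences).
# Unknown alert types get empty sets, so they correlate with nothing.
KB = defaultdict(lambda: (set(), set()), {
    "PortScan":     (set(), {"ServiceKnown"}),
    "RPC_Overflow": ({"ServiceKnown"}, {"RootShell"}),
    "Rsh_Install":  ({"RootShell"}, {"ToolInstalled"}),
})
FUSION_WINDOW = 60  # assumed: seconds within which repeats are one alert
# Constructed sample alerts: (timestamp_s, src, dst, alert_type)
ALERTS = [
    (0,   "203.0.113.5",  "10.0.0.7", "PortScan"),
    (20,  "203.0.113.5",  "10.0.0.7", "PortScan"),
    (300, "203.0.113.5",  "10.0.0.7", "RPC_Overflow"),
    (900, "203.0.113.5",  "10.0.0.7", "Rsh_Install"),
    (50,  "198.51.100.9", "10.0.0.8", "Rsh_Install"),
    (100, "198.51.100.9", "10.0.0.8", "PortScan"),
]

def map_phase(alerts):
    """Map: key each alert by target host so hosts are processed independently."""
    for ts, src, dst, kind in alerts:
        yield dst, (ts, src, kind)

def fuse(alerts):
    """Alert fusion: drop repeats of (src, type) seen within the sliding window."""
    fused, last = [], {}
    for ts, src, kind in sorted(alerts):
        dup = (src, kind) in last and ts - last[(src, kind)] <= FUSION_WINDOW
        last[(src, kind)] = ts
        if not dup:
            fused.append((ts, src, kind))
    return fused

def reduce_phase(alerts):
    """Reduce: link a -> b when a is earlier and a's consequence is b's prerequisite."""
    fused = fuse(alerts)
    edges = []
    for i, (ts_a, _, a) in enumerate(fused):
        for ts_b, _, b in fused[i + 1:]:
            if ts_a < ts_b and KB[a][1] & KB[b][0]:
                edges.append((a, b))
    return fused, edges

def reconstruct(alerts):
    """Shuffle mapped pairs by key, then reduce each host's group."""
    groups = defaultdict(list)
    for dst, alert in map_phase(alerts):
        groups[dst].append(alert)
    return {dst: reduce_phase(group) for dst, group in groups.items()}
```

Each reduce call sees only one host's alerts, which is what lets the quadratic pairwise comparison run in parallel across partitions; a scenario that spans several hosts would need a different key or a second pass.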