
Research Of Multi Security Log Event Correlation Combined With Fuzzy Reasoning

Posted on: 2016-07-10
Degree: Master
Type: Thesis
Country: China
Candidate: Z Q Liu
Full Text: PDF
GTID: 2308330479485394
Subject: Software engineering
Abstract/Summary:
With the continuing development of computer technology and the steady expansion of networks, the large number of hosts and transmission devices on a network face ever higher risk. The logs of different devices are very useful for detecting intrusions and attacks, but the log information available from any single data source is limited. If analysis is performed only on the logs of one source, without combining and correlating the logs of different sources, the results will not accurately reflect the current state of the network. To represent the network situation better and reduce both the false alarm rate and the missed alarm rate, this thesis studies and analyzes the characteristics of the data in different sources and proposes a multi-source log fusion model that combines fuzzy reasoning with alarm event correlation, overcoming the limitations of any single data source.

The thesis first analyzes the current state of networks internationally, explains the purpose and significance of the topic, reviews the state of log-analysis research at home and abroad, summarizes the existing results and their shortcomings, and sets out the main research content and work of the thesis.

Secondly, it introduces the technologies for fusing multi-source security logs and gives a comprehensive classification. It analyzes the characteristics of the log data from different sources, lists the existing fusion models, summarizes the existing data fusion methods, and studies how the different log data sources correlate with each other.

Next, it proposes a fusion method aimed at log event correlation and introduces an event alert correlation algorithm. At the same time, it puts forward a method of adding fuzzy reasoning and clustering to multi-source log analysis, and studies and analyzes that method theoretically. This part covers three items: first, event correlation calculation and analysis based on the correlation and fusion of log events; second, the definition of the alert correlation method; third, the addition of fuzzy clustering to the alert correlation method. It concludes with a structural analysis focused on the system's fusion processing.

Then, the thesis designs and implements a fusion system that combines the fuzzy clustering and alarm correlation fusion method presented earlier. After a requirements analysis, it gives the design and implementation of four functional modules: a log information acquisition module, a log preprocessing module, a rule library, and a log event correlation fusion module.

Finally, an experimental environment is set up to obtain results with and without the improved correlation fusion model, and the two sets of results are compared. The comparison verifies that the proposed model effectively reduces the false alarm rate and false negative rate that a single data source suffers from, and better reflects the network situation.
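The following is an added worked example, not code from the thesis or its author, showing the shape of the pipeline the abstract describes: acquire logs from two sources, preprocess them into one event schema, correlate them on a shared key, and score each correlated group with fuzzy reasoning. Everything concrete in it is an assumption made for illustration: the two constructed log formats (a firewall deny log and an IDS alert log), the grouping key (source IP), the shapes of the membership functions, the three Mamdani-style rules with their singleton weights, and the HIGH/MEDIUM/LOW thresholds. The thesis's fuzzy clustering step is not reproduced; a small fuzzy rule base stands in for the fuzzy reasoning component.

```python
"""Added example (not code from the thesis): a minimal multi-source log
correlation engine that scores each candidate incident with a small fuzzy
rule base.  The log formats, grouping key, membership functions, rules and
thresholds below are all assumptions made for illustration."""
from __future__ import annotations

import re
from dataclasses import dataclass
from datetime import datetime

# Constructed sample logs (not real data): a firewall deny log and an IDS alert log.
FIREWALL_LOG = """\
2016-05-10T10:00:01 DENY src=10.1.1.5 dst=192.168.0.20 dport=22
2016-05-10T10:00:02 DENY src=10.1.1.5 dst=192.168.0.20 dport=23
2016-05-10T10:00:03 DENY src=10.1.1.5 dst=192.168.0.20 dport=445
2016-05-10T10:00:04 DENY src=10.1.1.5 dst=192.168.0.20 dport=3389
2016-05-10T10:30:00 DENY src=10.1.1.9 dst=192.168.0.21 dport=80
2016-05-10T12:00:00 DENY src=10.1.1.12 dst=192.168.0.23 dport=21
2016-05-10T12:00:01 DENY src=10.1.1.12 dst=192.168.0.23 dport=22
2016-05-10T12:00:02 DENY src=10.1.1.12 dst=192.168.0.23 dport=25
2016-05-10T12:00:03 DENY src=10.1.1.12 dst=192.168.0.23 dport=110
"""
IDS_LOG = """\
2016-05-10T10:00:05 ALERT sig="port scan" src=10.1.1.5 dst=192.168.0.20
2016-05-10T11:15:00 ALERT sig="port scan" src=10.1.1.7 dst=192.168.0.22
"""

FW_RE = re.compile(r"^(\S+) DENY src=(\S+) dst=(\S+) dport=(\d+)$")
IDS_RE = re.compile(r'^(\S+) ALERT sig="([^"]+)" src=(\S+) dst=(\S+)$')

@dataclass
class Event:
    """Normalised event: both sources are mapped onto the same fields (preprocessing)."""
    ts: datetime
    source: str   # "firewall" or "ids"
    src_ip: str
    dst_ip: str
    detail: str

def parse_logs(fw_text: str, ids_text: str) -> list[Event]:
    """Acquisition + preprocessing: parse both raw formats into Event records."""
    events = []
    for line in fw_text.splitlines():
        m = FW_RE.match(line)
        if m:
            events.append(Event(datetime.fromisoformat(m[1]), "firewall", m[2], m[3], "dport=" + m[4]))
    for line in ids_text.splitlines():
        m = IDS_RE.match(line)
        if m:
            events.append(Event(datetime.fromisoformat(m[1]), "ids", m[3], m[4], m[2]))
    return events

def mu_many(count: int, saturate: int = 4) -> float:
    """Assumed membership for 'many denies': ramps from 0 to 1 as count reaches `saturate`."""
    return min(1.0, count / saturate)

def mu_burst(span_seconds: float, window: float = 60.0) -> float:
    """Assumed membership for 'burst': 1 when all events share one instant, 0 at the window edge."""
    return max(0.0, 1.0 - span_seconds / window)

@dataclass
class FusedAlert:
    src_ip: str
    confidence: float   # defuzzified score in [0, 1]
    level: str          # HIGH / MEDIUM / LOW after thresholding
    n_firewall: int
    n_ids: int

def fuse(events: list[Event], window: float = 60.0) -> dict[str, FusedAlert]:
    """Correlate events per source IP and score each group with three Mamdani-style rules
    (AND = min, OR = max, NOT = 1 - x); defuzzify as a weighted average of singletons."""
    by_ip: dict[str, list[Event]] = {}
    for e in events:
        by_ip.setdefault(e.src_ip, []).append(e)
    out = {}
    for ip, evs in by_ip.items():
        evs.sort(key=lambda e: e.ts)
        fw = [e for e in evs if e.source == "firewall"]
        ids = [e for e in evs if e.source == "ids"]
        span = (evs[-1].ts - evs[0].ts).total_seconds()
        m_ids, m_many, m_burst = (1.0 if ids else 0.0), mu_many(len(fw)), mu_burst(span, window)
        # R1: IDS alert AND many denies AND burst -> HIGH (corroborated across sources)
        r1 = min(m_ids, m_many, m_burst)
        # R2: (IDS alert OR scan-like deny burst) AND NOT R1 -> MEDIUM (single-source evidence)
        r2 = min(max(m_ids, min(m_many, m_burst)), 1.0 - r1)
        # R3: otherwise -> LOW
        r3 = 1.0 - max(r1, r2)
        confidence = (0.9 * r1 + 0.6 * r2 + 0.2 * r3) / (r1 + r2 + r3)
        level = "HIGH" if confidence >= 0.75 else "MEDIUM" if confidence >= 0.5 else "LOW"
        out[ip] = FusedAlert(ip, confidence, level, len(fw), len(ids))
    return out

if __name__ == "__main__":
    for a in fuse(parse_logs(FIREWALL_LOG, IDS_LOG)).values():
        print(f"{a.src_ip:10} {a.level:6} {a.confidence:.3f} fw={a.n_firewall} ids={a.n_ids}")
```

Run on the constructed logs, the same "port scan" signature is rated HIGH for 10.1.1.5, where the firewall saw a burst of denies from the same source seconds earlier, but only MEDIUM for 10.1.1.7, where nothing corroborates it; that is the false-alarm side of the abstract's argument. The burst from 10.1.1.12, which the IDS never alerted on, still surfaces at MEDIUM from the firewall evidence alone, which is the missed-alarm side. A single stray deny (10.1.1.9) stays LOW. In a real deployment the membership shapes, rule weights and thresholds would be tuned against labelled traffic rather than fixed by hand as they are here.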
Keywords/Search Tags:security log information, data fusion, event correlation, fuzzy reasoning