
Research On Alert Information Processing Technology Of Network Security

Posted on: 2008-08-02
Degree: Doctor
Type: Dissertation
Country: China
Candidate: L R Ma
Full Text: PDF
GTID: 1118360242998899
Subject: Information and Communication Engineering
Abstract/Summary:
In a network defense system, different security devices produce a large number of alerts to identify malicious activities. However, many of those alerts are wrong: they are either not related to malicious activity (false positives) or not representative of a successful attack (non-relevant positives). The high volume and low quality of intrusion alerts make it very challenging for network system managers to understand the alerts and take appropriate actions. Furthermore, isolated alerts cannot appropriately reflect the current security state of the network. To address these problems, this dissertation studies several key techniques of alert information processing. The main research content of the thesis is as follows:

1. Alert information pre-processing. An alert normalization description method is given, which extends the IDMEF data model and uses binary code to implement IDMEF. A rule-based alert filter mechanism is designed and implemented; it is flexible and convenient for processing alerts. Then, an alert clustering method for reducing data redundancy based on multiple alert attributes is presented. To improve clustering efficiency, the method uses the hierarchy of alert attributes to reduce the comparison space.

2. Alert verification and fusion based on multi-source information. An alert verification method based on predicate logic is presented, which depends on matching alert attributes against target network system information. Uncertain factors influence the accuracy of alert verification: one is the quality of the gathered information, another is its timeliness. To ensure the rationality of the verification results, an approach using fuzzy comprehensive judgement to analyze these uncertainties is given. An alert confidence fusion framework fusing information from diverse sensors is presented, which decreases false positives while achieving an improved level of detection.

3. Attack scenario construction based on alerts. Based on the model of attack strategy, a multi-scale alert correlation approach is put forward, which uses the cause-effect relationships of alerts to construct attack scenarios at different scales. The approach utilizes the abstraction relationship of the alert-type attribute across scales to restrict the search space. Experimental results show that this approach evidently improves the efficiency of alert correlation. Under some conditions, the alert correlation graph is split because of the loss of causal information. To solve this problem, an algorithm based on fuzzy clustering is proposed to reconstruct the attack scenario; it uses the similarity of alert attributes to measure the cause-effect relationship of alerts.

4. Security situation assessment based on alerts. Research on network security situation evaluation based on received alerts is developed at the macroscopic and microscopic levels. At the macroscopic level, a mission-based quantitative security situation assessment method is given, which uses the threat level of attacks to quantify the network security situation. At the microscopic level, a quantitative security situation assessment method based on attack scenarios is advanced. Using the attack scenario as the assessed object, the method provides the threat and impact of a series of causally related attacks over the whole process.

5. Realization of the alert information processing system. A prototype security management platform is designed, which has component characteristics and provides the underlying data and running environment for the implementation of alert information processing. The component event processing module is designed and implemented in detail; it adopts a publish/subscribe mode serving distributed systems for real-time transmission of alerts.
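The multi-scale correlation idea in item 3 (cause-effect links between alerts, with the abstraction of the alert-type attribute used to prune the pairwise search), as an added Python example that is not the dissertation's own code. The causal model, the type hierarchy and the alert stream are constructed for illustration; the function returns both the scenario edges and the number of fine-grained comparisons actually performed, so the pruning effect is visible.

```python
from dataclasses import dataclass
from typing import Dict, List, Set, Tuple

# Constructed cause-effect model: alert type -> (prerequisites, consequences),
# predicates templated on the target host. Illustrative, not the dissertation's.
CAUSAL_MODEL: Dict[str, Tuple[Set[str], Set[str]]] = {
    "port_scan":     (set(),                  {"service_known({t})"}),
    "banner_grab":   ({"service_known({t})"}, {"version_known({t})"}),
    "exploit":       ({"version_known({t})"}, {"shell({t})"}),
    "reverse_shell": ({"shell({t})"},         {"c2({t})"}),
    "icmp_flood":    (set(),                  {"dos({t})"}),  # causally isolated
}
# Abstraction of the alert-type attribute one scale up: fine type -> category.
ABSTRACT = {"port_scan": "recon", "banner_grab": "recon", "icmp_flood": "dos",
            "exploit": "compromise", "reverse_shell": "compromise"}
# Coarse-scale links, derived once: category pairs with some fine causal pair.
COARSE_LINKS = {(ABSTRACT[x], ABSTRACT[y])
                for x, (_, post) in CAUSAL_MODEL.items()
                for y, (pre, _) in CAUSAL_MODEL.items() if post & pre}

@dataclass(frozen=True)
class Alert:
    id: int
    atype: str
    target: str
    ts: int  # seconds

def correlate(alerts: List[Alert], use_coarse: bool = True) -> Tuple[List[Tuple[int, int]], int]:
    """Return (edges, fine_comparisons). Edge (a, b): a consequence of a satisfies a
    prerequisite of b on the same target and a precedes b. With use_coarse, pairs
    whose categories have no coarse-scale link are never compared at the fine scale."""
    edges: List[Tuple[int, int]] = []
    compared = 0
    for a in alerts:
        post = {p.format(t=a.target) for p in CAUSAL_MODEL[a.atype][1]}
        for b in alerts:
            if b.ts <= a.ts:
                continue
            if use_coarse and (ABSTRACT[a.atype], ABSTRACT[b.atype]) not in COARSE_LINKS:
                continue  # pruned by the abstraction relationship
            compared += 1
            pre = {p.format(t=b.target) for p in CAUSAL_MODEL[b.atype][0]}
            if post & pre:
                edges.append((a.id, b.id))
    return edges, compared

# Constructed alert stream: a four-step intrusion against 10.0.0.5 plus noise.
SAMPLE = [Alert(1, "port_scan", "10.0.0.5", 100), Alert(2, "icmp_flood", "10.0.0.9", 110),
          Alert(3, "banner_grab", "10.0.0.5", 120), Alert(4, "port_scan", "10.0.0.7", 130),
          Alert(5, "exploit", "10.0.0.5", 140), Alert(6, "reverse_shell", "10.0.0.5", 150)]
```

On the sample, both modes recover the same scenario chain 1 -> 3 -> 5 -> 6, but the coarse filter cuts the fine-grained comparisons from 15 to 10.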
Keywords/Search Tags: alert pre-process, alert aggregation, alert verification, alert confidence fusion, alert correlation, attack scenario, security situation assessment