
Research On The Key Technologies In The Security Event Management System

Posted on: 2008-12-16
Degree: Doctor
Type: Dissertation
Country: China
Candidate: J X Wang
GTID: 1118360242999354
Subject: Computer Science and Technology

Abstract/Summary:
Networks run a variety of security tools such as firewalls, Intrusion Detection Systems (IDS) and antivirus software. In operation these tools generate large numbers of security events that differ in both syntax and semantics, and, because the underlying detection technologies are imperfect, many of the raw events are false alarms. Faced with this flood of low-quality raw events, administrators spend their time on work that does not improve security, and the effectiveness of the tools is largely lost. To address this, we study the Security Event Management System (SEMS). The purpose of a SEMS is to use automated analysis to filter, aggregate and correlate the raw security events generated at many points in the network into a small number of global alerts that describe the network's current security risks. This frees the administrator from processing raw events and gives a correct picture of the network's security situation.

SEMS research is a new topic in both academia and industry, and many standards, methods and technologies remain to be studied. The main contributions of this dissertation are as follows.

A SEMS architecture based on mobile agents. Starting from an analysis of the traditional architecture and of the functional and performance requirements of a SEMS, we present a mobile-agent-based architecture together with a new three-phase event processing strategy: distributed security event collection, distributed event filtering and aggregation, and centralized event correlation analysis. Different agent roles are designed for the different processing tasks; using the inference capability, mobility and sociability of mobile agents, the raw security events can be detected, filtered, aggregated and correlated efficiently, achieving the goals of the SEMS.

An IDS alert verification technique based on multi-source security information. Since the intrusion detection system is the main source of false alarms among the security events, we concentrate on verifying IDS events. By combining the vulnerability information, the configuration information and the system state inspection information of the target system, the validity of each IDS alert can be verified. In view of the characteristics of IDS alarms, we design an IDS alert queue verification algorithm and an IDS alert verification algorithm, which together improve both the correctness and the efficiency of the verification engine.

A security event clustering technique based on Principal Component Analysis (PCA) and the Learning Vector Quantization (LVQ) neural network. On the KDD Cup 99 dataset, we first use PCA to reduce the dimension of the connection records while retaining as much of the original information as possible, then use an LVQ network to perform cluster analysis on the reduced records, assigning each record to the cluster center it belongs to. Experiments show that the PCA-LVQ model is correct and efficient for this cluster analysis.

A layered correlation algorithm. Based on the layered nature of security events and the general pattern of attacker behavior, we present a three-layer correlation algorithm that applies Vulnerability Correlation, Spatial-Temporal Correlation and Intention Correlation in turn. Vulnerability correlation removes false alarms from the raw events; spatial-temporal correlation merges events that are close in space and time into step-alerts, each representing one attack step; and intention correlation chains step-alerts into a global alert representing the whole attack pattern. Applied to the LLDOS 1.0 dataset, the layered correlation algorithm recovers the attacker's behavior and intentions correctly.

Based on these methods and key techniques, we develop a mobile-agent-based prototype security event management system, MA-SEMS. In MA-SEMS the security event management tasks are partitioned, and several agent roles are designed to perform them respectively and cooperatively. Experiments show that MA-SEMS is correct and effective.
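The PCA-LVQ clustering step described above, as an added illustration in pure Python rather than the dissertation's code. The twelve training records and four test records are constructed to resemble five KDD Cup 99 connection fields (duration, src_bytes, dst_bytes, count, serror_rate); PCA is done by power iteration with deflation on the standardized covariance matrix, and the LVQ1 variant used here (one prototype per class, initialized at the class mean) is an assumption, since the abstract does not say which LVQ rule the thesis used. Note that LVQ is supervised: it needs the record labels, which the KDD Cup 99 data provides.

```python
"""PCA dimension reduction followed by LVQ1 prototype learning, in pure Python.
Added illustration, not the dissertation's code. The records are constructed to
resemble five KDD Cup 99 fields: duration, src_bytes, dst_bytes, count, serror_rate."""
import math

# Constructed training records (normal sessions vs. SYN-flood style connections).
TRAIN = [
    ([5, 300, 1200, 2, 0.0], "normal"),  ([12, 520, 4800, 3, 0.0], "normal"),
    ([2, 180, 900, 1, 0.0], "normal"),   ([8, 410, 2600, 4, 0.0], "normal"),
    ([20, 760, 9100, 2, 0.0], "normal"), ([3, 240, 1500, 5, 0.1], "normal"),
    ([0, 0, 0, 120, 1.0], "attack"),     ([0, 0, 0, 250, 1.0], "attack"),
    ([0, 0, 0, 180, 0.9], "attack"),     ([0, 0, 0, 90, 1.0], "attack"),
    ([0, 0, 0, 300, 0.95], "attack"),    ([0, 0, 0, 150, 1.0], "attack"),
]
TEST = [([6, 350, 2000, 3, 0.0], "normal"), ([0, 0, 0, 210, 1.0], "attack"),
        ([0, 0, 0, 80, 0.9], "attack"),      ([15, 600, 7000, 2, 0.0], "normal")]

def zscore_params(rows):
    """Per-feature mean and sample std, so byte counts do not swamp rates."""
    n, d = len(rows), len(rows[0])
    mean = [sum(r[j] for r in rows) / n for j in range(d)]
    std = [math.sqrt(sum((r[j] - mean[j]) ** 2 for r in rows) / (n - 1)) or 1.0
           for j in range(d)]
    return mean, std

def standardize(rows, mean, std):
    return [[(x - m) / s for x, m, s in zip(r, mean, std)] for r in rows]

def covariance(rows):
    """Sample covariance of already-centred rows."""
    n, d = len(rows), len(rows[0])
    return [[sum(r[i] * r[j] for r in rows) / (n - 1) for j in range(d)] for i in range(d)]

def matvec(m, v):
    return [sum(a * b for a, b in zip(row, v)) for row in m]

def top_components(cov, k, iters=500):
    """Power iteration with deflation: the k eigenvectors of cov with the
    largest eigenvalues, i.e. the directions that keep the most variance."""
    d, comps, eigvals = len(cov), [], []
    work = [row[:] for row in cov]
    for _ in range(k):
        v = [1.0 / math.sqrt(d)] * d
        for _ in range(iters):
            w = matvec(work, v)
            norm = math.sqrt(sum(x * x for x in w)) or 1.0
            v = [x / norm for x in w]
        lam = sum(a * b for a, b in zip(v, matvec(work, v)))   # Rayleigh quotient
        comps.append(v)
        eigvals.append(lam)
        work = [[work[i][j] - lam * v[i] * v[j] for j in range(d)] for i in range(d)]
    return comps, eigvals

def project(rows, comps):
    return [[sum(a * b for a, b in zip(r, v)) for v in comps] for r in rows]

def nearest(protos, x):
    return min(protos, key=lambda c: sum((a - b) ** 2 for a, b in zip(protos[c], x)))

def lvq1_train(points, labels, epochs=30, lr0=0.05):
    """LVQ1 with one prototype per class, initialised at the class mean: the
    winning prototype is pulled toward a sample of its own class and pushed
    away from a sample of another class, with a decaying learning rate."""
    protos = {}
    for c in sorted(set(labels)):
        members = [p for p, l in zip(points, labels) if l == c]
        protos[c] = [sum(col) / len(members) for col in zip(*members)]
    for epoch in range(epochs):
        lr = lr0 * (1.0 - epoch / epochs)
        for x, y in zip(points, labels):
            c = nearest(protos, x)
            sign = 1.0 if c == y else -1.0
            protos[c] = [w + sign * lr * (xi - w) for w, xi in zip(protos[c], x)]
    return protos

def pca_lvq(train=TRAIN, test=TEST, k=2):
    """Standardise, keep the top-k principal components, train LVQ1 in the
    reduced space and classify the test records with the nearest prototype."""
    rows, labels = [r for r, _ in train], [l for _, l in train]
    mean, std = zscore_params(rows)
    cov = covariance(standardize(rows, mean, std))
    comps, eigvals = top_components(cov, k)
    protos = lvq1_train(project(standardize(rows, mean, std), comps), labels)

    def predict(r):
        return nearest(protos, project(standardize([r], mean, std), comps)[0])

    return {"explained_variance": sum(eigvals) / sum(cov[i][i] for i in range(len(cov))),
            "train_accuracy": sum(predict(r) == l for r, l in train) / len(train),
            "predictions": [predict(r) for r, _ in test],
            "expected": [l for _, l in test]}
```

The returned `explained_variance` is the check a practitioner wants after the PCA step: the fraction of the standardized variance the k retained components keep, which is what "maintaining the original information as much as possible" has to be measured against before the reduced records are handed to the clustering stage.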
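The multi-source IDS alert verification and the three-layer correlation described above, as one added example (not the MA-SEMS code). Verification against vulnerability, configuration and state information is exactly what the first layer, vulnerability correlation, does, so one function serves both passages. Every alert, the asset inventory, the signature names and their metadata, and the probe/exploit/install/ddos phase labels are constructed here; the scenario only mimics the shape of a multi-stage intrusion followed by a DDoS launched from a compromised host, and is not the LLDOS 1.0 data.

```python
"""Alert verification and three-layer correlation over IDS alerts.
Added illustration, not the MA-SEMS implementation; all alerts, assets and
signature metadata below are constructed for the example."""
from collections import defaultdict

# Constructed raw IDS alerts: (time_s, signature, src, dst, dst_port)
RAW_ALERTS = [
    (0,   "ICMP_ECHO_SWEEP",      "172.16.1.9", "10.0.0.5", 0),
    (1,   "ICMP_ECHO_SWEEP",      "172.16.1.9", "10.0.0.7", 0),
    (30,  "RPC_SADMIND_PING",     "172.16.1.9", "10.0.0.5", 111),
    (31,  "RPC_SADMIND_PING",     "172.16.1.9", "10.0.0.7", 111),  # no RPC on .7: false alarm
    (60,  "RPC_SADMIND_OVERFLOW", "172.16.1.9", "10.0.0.5", 111),
    (62,  "RPC_SADMIND_OVERFLOW", "172.16.1.9", "10.0.0.5", 111),  # retry of the same step
    (120, "RSH_ROOT_LOGIN",       "172.16.1.9", "10.0.0.5", 514),
    (300, "DDOS_TOOL_TRAFFIC",    "10.0.0.5",   "10.9.9.9", 0),    # launched from the victim
    (500, "WEB_IIS_UNICODE",      "172.16.1.9", "10.0.0.7", 80),   # Linux target: false alarm
]

# Constructed multi-source knowledge about each target: vulnerability scan,
# configuration and running-state information. 10.9.9.9 is deliberately unknown.
ASSETS = {
    "10.0.0.5": {"os": "solaris", "open_ports": {23, 111, 514},
                 "services": {"rpc.sadmind", "in.rshd"}, "vulns": {"sadmind-overflow"}},
    "10.0.0.7": {"os": "linux", "open_ports": {22, 80},
                 "services": {"sshd", "httpd"}, "vulns": set()},
}

# Constructed signature metadata: what the target must have for the alert to
# be genuine, and the phase of the attacker's behaviour pattern it belongs to.
PHASES = ["probe", "exploit", "install", "ddos"]
SIGNATURES = {
    "ICMP_ECHO_SWEEP":      {"phase": 0},
    "RPC_SADMIND_PING":     {"phase": 0, "port": 111, "service": "rpc.sadmind"},
    "RPC_SADMIND_OVERFLOW": {"phase": 1, "port": 111, "vuln": "sadmind-overflow"},
    "RSH_ROOT_LOGIN":       {"phase": 2, "port": 514, "service": "in.rshd"},
    "WEB_IIS_UNICODE":      {"phase": 1, "port": 80,  "os": "windows"},
    "DDOS_TOOL_TRAFFIC":    {"phase": 3},
}

def verify_alert(alert):
    """Layer 1 (vulnerability correlation / alert verification): keep an alert
    only if the target has the port, service, vulnerability and OS the
    signature needs. An unknown target cannot be refuted, so it is kept."""
    _, sig, _, dst, _ = alert
    need, asset = SIGNATURES[sig], ASSETS.get(dst)
    if asset is None:
        return True
    return not (("port" in need and need["port"] not in asset["open_ports"])
                or ("service" in need and need["service"] not in asset["services"])
                or ("vuln" in need and need["vuln"] not in asset["vulns"])
                or ("os" in need and need["os"] != asset["os"]))

def spatial_temporal_correlation(alerts, window=30):
    """Layer 2: fuse alerts with the same (signature, src, dst) that arrive
    within `window` seconds of the previous one into a single step-alert."""
    steps, open_step = [], {}
    for t, sig, src, dst, _ in sorted(alerts):
        key = (sig, src, dst)
        step = open_step.get(key)
        if step and t - step["end"] <= window:
            step["end"], step["count"] = t, step["count"] + 1
        else:
            step = {"sig": sig, "src": src, "dst": dst, "start": t, "end": t, "count": 1}
            steps.append(step)
            open_step[key] = step
    return steps

def intention_correlation(steps):
    """Layer 3: chain step-alerts into global alerts along the
    probe -> exploit -> install -> ddos pattern. An install step must follow an
    exploit against the same target, and a DDoS step must come from a host the
    attacker installed on, which attributes it back to the original attacker."""
    owner = {}                    # compromised host -> attacker who installed on it
    chains = defaultdict(list)    # attacker -> step-alerts in time order
    reached = defaultdict(dict)   # attacker -> {target: highest phase reached}
    for step in sorted(steps, key=lambda s: s["start"]):
        phase = SIGNATURES[step["sig"]]["phase"]
        attacker = owner.get(step["src"], step["src"])
        done = reached[attacker]
        if phase == 2 and done.get(step["dst"], -1) < 1:
            continue              # install without a preceding exploit: not linked
        if phase == 3 and step["src"] not in owner:
            continue              # DDoS from a host nobody compromised: not linked
        chains[attacker].append(step)
        done[step["dst"]] = max(done.get(step["dst"], -1), phase)
        if phase == 2:
            owner[step["dst"]] = attacker
    return [{"attacker": a,
             "phases": [PHASES[SIGNATURES[s["sig"]]["phase"]] for s in chain],
             "victims": sorted({s["dst"] for s in chain})}
            for a, chain in chains.items()
            if any(SIGNATURES[s["sig"]]["phase"] >= 1 for s in chain)]

def run_pipeline(raw=RAW_ALERTS):
    """Apply the three layers in order and return every intermediate result."""
    verified = [a for a in raw if verify_alert(a)]
    steps = spatial_temporal_correlation(verified)
    return verified, steps, intention_correlation(steps)
```

On the constructed input, nine raw alerts become seven verified alerts (the sadmind ping against a host with no RPC and the IIS signature against a Linux host are dropped), six step-alerts (the two overflow attempts fuse into one step with a count of 2), and one global alert that attributes the DDoS traffic leaving 10.0.0.5 to the attacker at 172.16.1.9, because the rsh login step marked that host as compromised. The caveat a practitioner should keep in mind is the unknown-target branch of `verify_alert`: verification can only delete an alert the inventory can refute, so incomplete asset data silently degrades layer 1 into a pass-through.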
Keywords/Search Tags:Security Events, Mobile Agent, Security Event Management System, IDS Alert, Alert Verification, Alert Clustering, Correlation Analysis