Research Of Network Security Event Management

Posted on: 2008-07-03
Degree: Doctor
Type: Dissertation
Country: China
Candidate: L Liu
Full Text: PDF
GTID: 1118360272466776
Subject: Computer system architecture
Abstract/Summary:
With the development of network applications and technology, network security threats such as illegal access, malicious attacks and virus propagation have become increasingly serious. To protect network systems, security equipment such as firewalls, IDS, anti-virus, identity authentication, data encryption and security audit is widely deployed. Although each of these devices is effective in its particular area, together they generate a huge number of network events, which has made network security management technology, and in particular security event management technology, a hot topic of network management and security research. Moreover, a large number of security devices produces too many security events, many of them unreliable or redundant, so that the information collected from these devices loses its value. Network security administrators need not only to control specific security conditions in particular parts of the network, but also to understand the global security situation from all of the security events. Security event management is the precondition and foundation of the whole security event management system. Only by mining the real attacks and threats out of a sufficient body of security events can an administrator assess the network reasonably, establish a more scientific security policy and respond to attacks or threats in time. Establishing a unified network security event management framework is therefore of great value today. Addressing the current state of network security management, we propose an autonomic network security management framework that can be built dynamically and analyzes network status from a global view (DASN). Through an agent mechanism, DASN can extend its boundary dynamically, and the DASN network uses a unified policy to avoid the potential risks introduced by untrusted nodes.
The DASN autonomic model makes heterogeneous network security devices work under a unified policy and configuration and respond through a consistent workflow. In DASN, a real-time risk evaluation technique describes the security posture of hosts and networks across the whole DASN network. The proposed solution for security event collection, standardization and reduction, based on distributed security management agents, resolves the problem of uniformly describing security events in a heterogeneous network and provides a more compact and precise elementary event stream to the later clustering and correlation stages. By classifying the heterogeneous security events and applying different mechanisms to collect them, the events are encapsulated in an extended IDMEF format, proposed to adapt the original IDMEF standard to the description of security events in a heterogeneous environment. An attribute-constraint-based real-time reduction algorithm removes duplicate or inaccurate events collected by the same agent; drawing on security knowledge, a time interval correlation window is introduced so that related events within the same interval are reduced together. Among the huge volume of security events collected from the heterogeneous network by the security management system there are many similar, duplicate or missing occurrences of events. Based on an improved incremental Bayesian classification algorithm, a security event clustering algorithm for hybrid data types is proposed to partially address this problem. By computing the similarity between security events whose attributes are of hybrid data types, elementary security events with the same properties or similar characteristics are classified into the same security event cluster. Moreover, an event cluster can be aggregated into a hyper security event using an aggregation method based on predicate logic.
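As an added illustration (not code from the thesis), the following sketch shows the reduction step described above: elementary alerts that satisfy an attribute constraint and fall inside a time interval correlation window are folded into one kept alert with a repeat count. The IDMEF-style field names, the constraint set and the sample alerts are assumptions constructed for this example.

```python
from dataclasses import dataclass
from typing import Dict, List, Tuple

# Constructed IDMEF-style elementary events (sample data, not from the thesis).
@dataclass(frozen=True)
class Alert:
    ts: float            # detect time, seconds
    analyzer: str        # reporting agent / sensor id
    classification: str  # alert classification text
    src: str             # source address
    dst: str             # target address

# Attribute constraint: two alerts count as duplicates when these fields are equal.
# Hypothetical constraint set; the thesis does not publish its exact attribute list.
DEFAULT_CONSTRAINT = ("analyzer", "classification", "src", "dst")

def reduce_alerts(alerts: List[Alert], window: float,
                  constraint: Tuple[str, ...] = DEFAULT_CONSTRAINT) -> List[Tuple[Alert, int]]:
    """Fold alerts that satisfy `constraint` and arrive within `window` seconds of
    the first kept occurrence. Returns (kept_alert, number_of_occurrences)."""
    kept: List[List] = []
    open_slot: Dict[tuple, int] = {}   # constraint key -> index into kept
    for a in sorted(alerts, key=lambda x: x.ts):
        key = tuple(getattr(a, f) for f in constraint)
        i = open_slot.get(key)
        if i is not None and a.ts - kept[i][0].ts <= window:
            kept[i][1] += 1      # duplicate inside the correlation window: fold it
            continue
        kept.append([a, 1])      # first occurrence, or window expired: new slot
        open_slot[key] = len(kept) - 1
    return [(a, n) for a, n in kept]

SAMPLE = [  # constructed input; timestamps deliberately out of order
    Alert(100.0, "ids-a", "portscan", "10.0.0.5", "10.0.1.2"),
    Alert(101.0, "ids-a", "portscan", "10.0.0.5", "10.0.1.2"),
    Alert(104.5, "ids-a", "portscan", "10.0.0.5", "10.0.1.2"),
    Alert(103.0, "ids-a", "portscan", "10.0.0.5", "10.0.1.3"),  # different target
    Alert(120.0, "ids-a", "portscan", "10.0.0.5", "10.0.1.2"),  # window expired
    Alert(102.0, "ids-b", "portscan", "10.0.0.5", "10.0.1.2"),  # other agent
]

if __name__ == "__main__":
    for alert, count in reduce_alerts(SAMPLE, window=5.0):
        print(count, alert)
```

Relaxing the constraint (for instance dropping `dst`) folds more events together, which is the trade-off between a compact event stream and lost detail that the later clustering stage has to accept.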
By applying a correlation algorithm oriented to prerequisites and consequences and based on fuzzy equality constraints, causality analysis according to security-specific knowledge is introduced to correlate the multiple hyper events. The analysis of fuzzy equality constraints between security events helps to address missing events and the incompleteness of security domain knowledge in large-scale scenario reconstruction. By correlating related security events according to automatically generated causality rules, security threat scenarios can be reconstructed, giving the administrator information about the threat, the global situation and its severity so that the situation can be assessed and proper action taken. One open problem in event correlation and attack plan recognition is the selection of the correlation time window; currently many analysts use an empirical value. In theory a large correlation window includes more security events and thus more helpful information for analysts to identify attack strategies, but it also raises the computation cost and brings in more noise that can hurt correlation accuracy. How to set an optimum correlation window scientifically is still a problem. We adopt wavelet techniques to analyze network traffic and find attack behavior in the network: wavelets can process data at different scales, which matches the fractal/self-similar scaling behavior of real network traffic, so they can distinguish anomalies well, both long-term and short-term.
By analyzing the data in more detail with wavelets, we obtain the time window for event correlation and attack plan recognition. Following the design principles and system architecture, the DASN system presents several interesting features in the implementation of its distributed agent, event collection, communication interface, IDMEF data parsing, clustering and correlation, and data access and storage modules. In algorithm functionality testing and system integration testing, the DASN system also meets the design requirements and shows good capabilities.
Keywords/Search Tags: Network Security, Event management, Event correlation, Reduction, Wavelet, Correlation Time Window