Study On The Real-time Correlative Technologies Of Network Security Events

Posted on: 2008-12-21
Degree: Doctor
Type: Dissertation
Country: China
Candidate: Y M Ma
GTID: 1118360275470957
Subject: Computer system architecture

Abstract/Summary:
With the development of networks and their applications, people have become increasingly reliant on networks, and the assets connected to them have grown enormously. At the same time the network security field faces demanding challenges, and security incidents caused by malicious attacks have produced tremendous losses. To protect company and organization networks, security devices such as IDS (intrusion detection systems), firewalls and AVS (anti-virus systems) have been deployed; however, their effect falls far short of expectations and introduces new problems. The security events these devices generate, such as alert data and security audit data, arrive in huge volumes and carry serious rates of intrusion false positives and false negatives, which makes them unusable as direct knowledge for attack response. Ultimately it is hardly possible to identify a truly dangerous situation among the overwhelming number of security events, or to discover and predict an attack in real time.

Although the various correlation technologies that aim at these problems are somewhat effective, serious deficiencies remain. First, the concepts are indefinite and lack consideration or definition from a holistic correlative point of view. Second, there is no effective real-time correlation method: some aggregation methods either work off-line or cannot fix their parameters while working on-line, let alone alert effectively in real time. Third, there is no real-time, dynamic, quantitative risk evaluation system based on relatively high-grade security events. It is therefore significant for the network security field to analyze huge numbers of security events through a real-time correlative method and to recognize genuine security risks and threats effectively.

In this thesis, network security event correlation methods are surveyed and classified into five categories: classification correlation, aggregation correlation, sequence correlation, cross correlation and other correlation. The relevant concepts of network security event correlation are defined from a holistic correlative point of view. Network security event correlation can be regarded as intrusion detection in the broad sense, i.e. high-level intrusion detection or post-intrusion detection. It is a specific data correlation method targeting the problems of network security event processing, in which transverse security events (those from different sources) and lengthwise security events (those with a temporal sequence relation) are integrated with the specific network environment. Relationships among network security events, and between security events and the environment, are analyzed to reduce intrusion false positives, discover missed detections and confirm attacks. There are four main types of relationship among security events, namely abundance, sequence, coordination and environment match. The significance of correlation systems is pointed out and the typical system OSSIM is analyzed in depth. This fundamental work provides the theoretical basis for a real-time correlation design for network security events.

A systematic design of a security event correlation system, NSICMS, is proposed. It is based on a holistic view characterized by initiative, object orientation and continuous updating, and it aims at reducing the quantity of security events, improving their quality, performing real-time detection and attack prediction, and protecting the controlled network. NSICMS inherits the basic ideas of the PDR dynamic model and makes several active strategies the foundation of network security event correlation, reducing the quantity of security events at the upper correlation level. NSICMS is a security event correlation network consisting of different servers and of real-time correlation methods for security events of different relationships, such as aggregation correlation, cross correlation, sequence correlation and risk evaluation.

A real-time aggregation method for network security events is proposed that targets the nodes of the controlled network. It simplifies the specific correlation content, adopts the expression of a node super security event held in cache to guarantee real-time behaviour, and replaces the time window with a weak alignment length, weakening the concept of a time window so as to resolve the indefiniteness of the time parameter in ordinary aggregation algorithms. This aggregation method provides high-quality super security events to the succeeding correlation stages in real time, without difficult parameters or notions of aggregation rate. Several ideas and concepts are new, for example the definition of aggregation granularity and the replacement of the time window with a weak alignment window.

A real-time correlation method for security event sequences is proposed. Aimed at correlating multi-stage attacks, this method builds on the results of real-time aggregation and cross correlation. It is able to predict attacks and to discover cooperative multi-stage attacks. It uses reliable multi-stage attack patterns obtained after mining and validation, and matches real-time hyper security events against them to raise attack alerts. The attack-scenario pattern mining algorithm adopts a new mining data collection, avoiding the problems of mining scenarios directly from alert data. The real-time hyper security event matching and alerting algorithm overcomes the missed alerts caused by stereotyped matching.

A real-time dynamic risk evaluation method is proposed. It treats security events as inducements of risk, takes the risk of real-time hyper security events as its foundation, and calculates node risk in a real-time, dynamic and quantitative way for the sake of risk reduction. Node risk is displayed dynamically in real time, with nodes of different asset grades and categories presented separately, offering security managers a real-time, holistic awareness of the security situation in the controlled network.
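The node-centred aggregation and the node risk calculation described above, as an added illustration that is not part of the dissertation: alerts are merged per node into super security events held in a cache, and closeness is measured as a count of intervening alerts on the node (the "weak alignment length", assumed here to be count-based since the abstract does not define it) rather than as a time window; open super events then feed a per-node risk score weighted by an assumed asset grade. The alert stream, signatures, severities and weighting are constructed for the example.

```python
from collections import defaultdict
from dataclasses import dataclass

@dataclass
class Alert:
    node: str      # controlled-network node the alert refers to
    sig: str       # sensor signature (constructed labels below)
    severity: int  # 1..5 as assigned by the sensor

@dataclass
class SuperEvent:
    node: str
    sig: str
    severity: int
    count: int = 1
    last_pos: int = 0  # ordinal of the last merged alert on this node

class NodeAggregator:
    """An alert merges into an open super event of the same signature if at most
    L further alerts have since arrived on that node (assumed weak alignment length)."""
    def __init__(self, align_len=5):
        self.L = align_len
        self.pos = defaultdict(int)    # alerts seen per node
        self.open = defaultdict(dict)  # node -> {sig: SuperEvent} (the cache)
        self.closed = []               # super events handed to later correlation

    def feed(self, a):
        self.pos[a.node] += 1
        p = self.pos[a.node]
        cur = self.open[a.node].get(a.sig)
        if cur and p - cur.last_pos <= self.L:
            cur.count, cur.last_pos = cur.count + 1, p
            cur.severity = max(cur.severity, a.severity)
            return cur
        if cur:
            self.closed.append(cur)  # fell out of the alignment window
        cur = SuperEvent(a.node, a.sig, a.severity, 1, p)
        self.open[a.node][a.sig] = cur
        return cur

def node_risk(agg, asset_grade):
    """Open super events are the inducements: severity x capped count, scaled by asset grade."""
    return {n: sum(e.severity * min(e.count, 10) for e in evs.values())
            * asset_grade.get(n, 1) for n, evs in agg.open.items()}

def demo():
    agg = NodeAggregator(align_len=3)
    # constructed stream: 4 scans, 4 brute-force alerts, a late scan, one alert on another node
    stream = [Alert("db1", "scan", 2)] * 4 + [Alert("db1", "brute", 4)] * 4 \
             + [Alert("db1", "scan", 2), Alert("web1", "scan", 2)]
    for a in stream:
        agg.feed(a)
    return agg, node_risk(agg, {"db1": 3, "web1": 1})
```

The late scan on db1 arrives more than three alerts after the previous scan, so the first scan super event is closed with its count of four and a fresh one is opened, while the brute-force alerts stay merged.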
Keywords/Search Tags: Real-time correlation, Aggregation, Sequence correlation, Risk evaluation, Intrusion detection