
The Research And Implementation Of Alert Correlation In Distributed Intrusion Detection System

Posted on: 2006-12-03
Degree: Master
Type: Thesis
Country: China
Candidate: F G Gong
Full Text: PDF
GTID: 2168360152470124
Subject: Software engineering

Abstract/Summary:
The openness of the Internet offers great convenience for information sharing and exchange, accompanied by crucial challenges to information security. Security issues have evolved into the key problem of information systems. As a kind of active measure of information assurance, intrusion detection acts as an effective complement to traditional protection techniques. The dynamic security cycle of policy, protection, detection and response can greatly contribute to improving the assurance ability of information systems and reducing the extent of security threats.

With the development of computer and network technologies, the widely adopted distributed computing environment and the popularization of broadband transmission, traditional centralized intrusion detection systems based on a stand-alone computer are unable to meet today's security requirements. As a result, Distributed Intrusion Detection (DID) has become the focus of intrusion detection and of the whole realm of network security.

In this thesis, we study several critical problems in Distributed Intrusion Detection. After introducing the research status of intrusion detection and alert correlation and considering their existing problems, we propose an alert correlation method based on knowledge accumulation, together with a filter based on Intrusion Type Logic Transition, both adapted to the distributed intrusion detection environment.

The new alert correlation method uses the accumulated knowledge together with each new alert to carry out correlation analysis, so that correlations within an intrusion process are not missed. During analysis we distinguish two correlation conditions, full correlation and partial correlation, which allows the method to identify intrusion processes that branch. In addition, a Correlation Degree can be used to evaluate the correlation condition of an intrusion process.

The filter defines an Intrusion Type Logic Transition Matrix. Before correlating an alert, we analyse the logic transition relationship between the accumulated knowledge and the new alert. If the result is true, the correlation analysis proceeds; otherwise nothing is done. This greatly decreases the number of alerts that must be correlated and enhances the availability of the alert correlation component.
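An added illustrative model of the two-stage scheme the abstract describes (this is not the thesis's code; the intrusion types, the contents of the transition matrix, the attributes compared for full versus partial correlation, and the sample alert stream are all assumptions made for the example):

```python
# Assumed intrusion types and an assumed Intrusion Type Logic Transition Matrix:
# TRANSITION[a][b] == 1 means an alert of type b may logically follow a process
# whose latest alert has type a. The matrix contents are not from the thesis.
TRANSITION = {
    "scan":    {"scan": 1, "exploit": 1, "privesc": 0, "exfil": 0},
    "exploit": {"scan": 0, "exploit": 1, "privesc": 1, "exfil": 1},
    "privesc": {"scan": 0, "exploit": 0, "privesc": 1, "exfil": 1},
    "exfil":   {"scan": 0, "exploit": 0, "privesc": 0, "exfil": 1},
}
ATTRS = ("src", "dst")   # attributes compared: all equal = full, some = partial

def transition_allowed(process, alert):
    """Filter step: may the new alert's type logically follow this process?"""
    return TRANSITION[process["alerts"][-1]["type"]][alert["type"]] == 1

def correlation_degree(process, alert):
    """Share of ATTRS the alert has in common with the process's latest alert."""
    last = process["alerts"][-1]
    return sum(last[a] == alert[a] for a in ATTRS) / len(ATTRS)

def correlate(knowledge, alert):
    """Correlate one alert with the accumulated processes.
    Returns (updated knowledge, number of processes skipped by the filter)."""
    skipped, matched, branches = 0, False, []
    for proc in knowledge:
        if not transition_allowed(proc, alert):
            skipped += 1          # filtered: no correlation analysis performed
            continue
        deg = correlation_degree(proc, alert)
        if deg == 1.0:            # full correlation: extend the process in place
            proc["alerts"].append(alert)
            matched = True
        elif deg > 0:             # partial correlation: the process branches
            branches.append({"alerts": proc["alerts"] + [alert],
                             "degree": min(proc["degree"], deg)})
            matched = True
    if not matched:               # nothing to build on: start a new process
        branches.append({"alerts": [alert], "degree": 1.0})
    return knowledge + branches, skipped

def run(alerts):
    """Feed alerts in order; return the final processes and the total skipped count."""
    knowledge, total_skipped = [], 0
    for alert in alerts:
        knowledge, skipped = correlate(knowledge, alert)
        total_skipped += skipped
    return knowledge, total_skipped

# Constructed sample alert stream (host names are placeholders)
ALERTS = [
    {"type": "scan",    "src": "h1", "dst": "h2"},
    {"type": "exploit", "src": "h1", "dst": "h2"},  # full: extends process 1
    {"type": "exploit", "src": "h1", "dst": "h3"},  # partial: branches process 1
    {"type": "scan",    "src": "h1", "dst": "h2"},  # rejected by the matrix: new process
]
```

Running `run(ALERTS)` yields three processes (the original, its branch with Correlation Degree 0.5, and a fresh one for the last scan) and shows the filter skipping two correlation comparisons for the final alert.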
Keywords/Search Tags: Intrusion Detection, Alert Correlation, CORBA