
Study And Implement Of Network Security Warning System Key Technologies Based On IDS

Posted on: 2005-11-18
Degree: Master
Type: Thesis
Country: China
Candidate: J Z Pei
Full Text: PDF
GTID: 2168360155471804
Subject: Computer Science and Technology

Abstract/Summary:
With the rapid development of the Internet, sharing global resources and information has become more and more efficient, but it also brings new challenges to network security protection. Increasingly complex network architectures, distributed application environments, massive storage and broadband transport techniques are now widely used, and as a result centralized intrusion detection technologies can no longer meet the requirements of network security. Research on the key technologies of distributed IDS in large-scale networks has therefore become a leading task.

Sharing of intrusion detection information and fusion of alert information are the key problems of a Network Security Early Warning System based on IDS (NSEWSI); they are also the foundation for analysis, warning and counterattack against network intrusion. Guided by the network security protection architecture, our research focuses on the key technologies of NSEWSI: a general format for exchanging alert information, and alert fusion. The thesis makes four major contributions.

Firstly, the Scheme of Unified Alert Information Format (SUAIF). Given the complex state of IDS alert information at home and abroad, the general requirements for standardized alert information are studied thoroughly and the content of intrusion detection alerts is analyzed in detail. On this basis, the idea of modeling alert information with a Schema is proposed, and the Alert Information Schema Model (AISM) is constructed and optimized. The SUAIF is then formed and implemented in the Extensible Markup Language (XML). Together these provide the ability to share intrusion detection information among different IDS products and other security equipment.

Secondly, the design of the alert correlation model. A definition of five-dimensional alert information correlation is presented. Based on it, a layered alert information correlation model with a real-time response mechanism is constructed, which clearly reflects the inferential relations of correlation. The real-time response mechanism shortens response time, and false negative alerts can be effectively reduced through validation in the fusion process.

Thirdly, the design and implementation of alert correlation. On the alert information merger layer, alert information is merged gradually in an order partitioned by granularity, which not only reduces the number of alerts but also improves merging efficiency. On the alert information fusion layer, a model and algorithm for creating attack track links is designed and realized according to the consequence correlation method of RBR (Rule-Based Reasoning), which better resolves the problems of alert management, false negatives and false positives. On the system management layer, three kinds of fusion output views are provided, which make it convenient for the manager to integrate larger-scale alert information and perform high-level analysis and inference.

Finally, with the support of the "Network Intrusion Detection, Warning and Security Management Technology (stratagem warning)" project (National High Technology (863) Program, No. 2001AA142030), the products of intrusion detection alert information exchange and alert information fusion have been applied in the project: security events of warning agents are fully standardized according to the SUAIF, security events of the local warning center are merged and fused effectively, and communication messages of distributed security components between warning agent and local warning center are encoded accurately. All of the above lay the foundation for successfully obtaining continued support from the 863 Project.
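The merger layer and the rule-based fusion layer described above, as an added Python sketch that is not the thesis's code: the XML layout, the alert classes, the 60-second merge window and the prerequisite/consequence rule base are hypothetical stand-ins for the SUAIF/AISM and the thesis's RBR rules, and the alerts are constructed sample data.

```python
import xml.etree.ElementTree as ET
# Constructed sample alerts in a simplified, hypothetical XML format (not the AISM).
SAMPLE_XML = """<alerts>
  <alert id="1" time="100" src="10.0.0.5" dst="10.0.0.9" cls="port_scan"/>
  <alert id="2" time="101" src="10.0.0.5" dst="10.0.0.9" cls="port_scan"/>
  <alert id="3" time="130" src="10.0.0.5" dst="10.0.0.9" cls="service_exploit"/>
  <alert id="4" time="160" src="10.0.0.9" dst="10.0.0.2" cls="outbound_connect"/>
  <alert id="5" time="170" src="10.0.0.7" dst="10.0.0.3" cls="outbound_connect"/>
</alerts>"""
# Hypothetical rule base for consequence correlation: the facts an alert class
# needs on one of its endpoints, and the facts it establishes on its destination.
RULES = {
    "port_scan":        {"needs": set(),           "gives": {"recon"}},
    "service_exploit":  {"needs": {"recon"},       "gives": {"compromised"}},
    "outbound_connect": {"needs": {"compromised"}, "gives": {"exfil"}},
}
def parse_alerts(xml_text):
    """Turn the unified XML alerts into plain dicts with an integer timestamp."""
    return [dict(a.attrib, time=int(a.get("time"))) for a in ET.fromstring(xml_text)]

def merge_alerts(alerts, window=60):
    """Merger layer: fold repeats of one (src, dst, cls) within `window` seconds
    into a single alert carrying a count, so the fusion layer sees fewer events."""
    merged = []
    for a in sorted(alerts, key=lambda x: x["time"]):
        same = [m for m in merged if (m["src"], m["dst"], m["cls"]) == (a["src"], a["dst"], a["cls"])]
        if same and a["time"] - same[-1]["last"] <= window:
            same[-1]["count"] += 1
            same[-1]["last"] = a["time"]
        else:
            merged.append(dict(a, count=1, last=a["time"]))
    return merged

def build_tracks(merged):
    """Fusion layer: an alert joins the track that established its prerequisite;
    one whose prerequisites were never seen starts its own track for review."""
    tracks, facts = [], {}   # facts: host -> {fact: index of the track that set it}
    for m in merged:         # merged alerts are already time-ordered
        rule = RULES[m["cls"]]
        known = {**facts.get(m["dst"], {}), **facts.get(m["src"], {})}
        if rule["needs"] and rule["needs"] <= set(known):
            idx = known[min(rule["needs"])]
        else:
            tracks.append([])
            idx = len(tracks) - 1
        tracks[idx].append(m["id"])
        for f in rule["gives"]:
            facts.setdefault(m["dst"], {})[f] = idx
    return tracks
```

On the sample data the two scan alerts collapse into one, the scan, exploit and outbound connection from the same host chain into a single attack track, and the unrelated outbound connection is left as an isolated track for the operator to judge as a false positive or a missed earlier step.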
Keywords/Search Tags: security protection architecture, intrusion detection, security warning, Extensible Markup Language (XML), Alert Information Schema Model (AISM), alert correlation