
An Alert Correlation And Analysis Algorithm Of Distributed Intrusion Detector System

Posted on: 2010-11-07
Degree: Master
Type: Thesis
Country: China
Candidate: L L Li
Full Text: PDF
GTID: 2178330332960974
Subject: Computational Mathematics
Abstract/Summary:
With the rapid development of computer and communication technology, computers are being applied ever more widely and deeply, and the security of computer networks has become a pressing problem. Intrusion detection is one of the methods for guaranteeing the security of computers and networks, and it has become the second line of protection for computer systems. Because new attack methods appear continually, especially cooperative intrusions, research on intrusion detection faces many new problems to be solved. The early centralized intrusion detection systems cannot prevent this type of attack effectively, so the current research trend is to design and build distributed intrusion detection systems. In a distributed intrusion detection system, multiple detection entities monitor different hosts and networks and cooperate with each other to perform the detection task. The study of distributed intrusion detection systems therefore has high theoretical importance and practical value, and it has become one of the most important problems to be solved worldwide.

In distributed intrusion detection systems, the following problems often exist: (1) there is too much data to be processed; (2) intrusion detection components focus on capturing single intrusion behaviours and ignore the relationships among alerts, so the useful information contained in those relationships cannot be obtained; (3) the false alert rate is high, so that a large quantity of false alerts is mixed in with true alerts. At the same time, an intruder usually needs several steps to perform an attack, and several hosts in the network are often involved. Therefore, the alerts from different analyzers should be fused and correlated to detect intrusions more effectively. Most existing correlation methods are off-line and slow: the efficiency of correlation is low and it is difficult to respond to attacks in time.

On the other hand, a system's ability to tolerate general attacks is also important, but intrusion tolerance techniques are not considered in existing research.

In this dissertation, an alert correlation and analysis algorithm based on the CLOSET frequent closed pattern mining algorithm is first proposed, and the algorithm is then improved. The alert messages are preprocessed according to a minimum suspicious degree and a minimum support, and the modified algorithm is then applied to mine the alert messages and obtain frequent closed pattern sequences. The algorithm is fast and incorporates the idea of intrusion tolerance, so it is better suited to protecting the system.
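As an added illustration of the two-stage pipeline the abstract describes (this is not the thesis's own code; the alert records and their suspicious-degree scores are constructed): alerts below the minimum suspicious degree are discarded, the survivors become attribute itemsets, and only closed patterns reaching the minimum support are reported. The closed-pattern step uses a plain intersection-closure enumeration that yields the same closed frequent itemsets CLOSET would find, not CLOSET's prefix-tree search, and it shows the itemset form rather than the thesis's sequence extension.

```python
# Constructed sample alerts from several distributed sensors (not from the thesis).
# "suspicious" is an assumed per-alert score in [0, 1] standing in for the
# thesis's suspicious degree; how that degree is computed is not given on the page.
ALERTS = [
    {"src": "10.0.0.5", "dst": "10.0.1.9",  "sig": "portscan",       "suspicious": 0.9},
    {"src": "10.0.0.5", "dst": "10.0.1.9",  "sig": "ssh_bruteforce", "suspicious": 0.8},
    {"src": "10.0.0.5", "dst": "10.0.1.10", "sig": "portscan",       "suspicious": 0.9},
    {"src": "10.0.0.5", "dst": "10.0.1.10", "sig": "ssh_bruteforce", "suspicious": 0.7},
    {"src": "10.0.0.7", "dst": "10.0.1.9",  "sig": "icmp_echo",      "suspicious": 0.2},
    {"src": "10.0.0.8", "dst": "10.0.1.11", "sig": "portscan",       "suspicious": 0.6},
]

def preprocess(alerts, min_suspicious):
    """Step 1: drop alerts under the minimum suspicious degree and turn each
    survivor into an itemset of attribute=value pairs (one transaction)."""
    return [frozenset(f"{k}={v}" for k, v in a.items() if k != "suspicious")
            for a in alerts if a["suspicious"] >= min_suspicious]

def closed_patterns(transactions):
    """Every closed itemset is an intersection of some transactions, so closing
    the transaction set under pairwise intersection enumerates all of them.
    Adequate for a small batch; CLOSET's prefix-tree search scales far better."""
    closed = set(transactions)
    grew = True
    while grew:
        grew = False
        for a in list(closed):
            for b in list(closed):
                c = a & b
                if c and c not in closed:
                    closed.add(c)
                    grew = True
    return closed

def frequent_closed_patterns(alerts, min_suspicious, min_support):
    """Step 2: keep the closed patterns whose support (number of surviving
    alerts containing the pattern) reaches the minimum support."""
    txns = preprocess(alerts, min_suspicious)
    support = {p: sum(1 for t in txns if p <= t) for p in closed_patterns(txns)}
    return {p: s for p, s in support.items() if s >= min_support}

if __name__ == "__main__":
    # One source scanning and brute-forcing two hosts shows up as a few closed
    # patterns instead of four unrelated alerts; the low-score echo alert is dropped.
    found = frequent_closed_patterns(ALERTS, min_suspicious=0.5, min_support=2)
    for pattern, sup in sorted(found.items(), key=lambda x: -x[1]):
        print(sup, sorted(pattern))
```

Note that a pattern such as {dst=10.0.1.9} has support 2 but is not reported, because every alert containing it also contains src=10.0.0.5; the closed pattern {src=10.0.0.5, dst=10.0.1.9} carries the same information without the redundancy.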
Keywords/Search Tags: Network security, intrusion detection, alert correlation, frequent pattern, intrusion tolerance