
Research On Intrusion Alert Analysis In Honeynet

Posted on: 2012-04-19
Degree: Master
Type: Thesis
Country: China
Candidate: L Liu
Full Text: PDF
GTID: 2178330335959847
Subject: Signal and Information Processing

Abstract/Summary:
The development of computer science and related areas such as physics, electronics and materials science gives a strong impetus to the (?)tion of computer infrastructure, which includes microchips, high-speed networks and powerful fundamental application platforms. With the rapid growth of these supporting technologies, computers have become indispensable in every aspect of people's lives, such as scientific research, education, business and entertainment. The use of computers brings more and more benefits in every domain. As the carrier of information, the computer has become the basic tool of the information era.

With the development of computer applications and the Internet, the demand for network security has risen greatly, which makes the traditional P2DR model insufficient. The concept of the Honeynet was first proposed by an American scholar. A Honeynet is a set of resources whose value lies in being attacked and exploited. The purpose of a Honeynet is to capture the behaviours and malicious code that a network attacker employs, so as to provide a solid basis for better defense. Besides, a properly deployed Honeynet can reduce the number of attacks on critical networks. To some extent, the Honeynet has changed the imbalance between network attack and defense.

This thesis researches intrusion alert analysis in the Honeynet. Intrusion alert analysis is an advance over the traditional Intrusion Detection System (IDS). A traditional IDS tends to generate a large volume of alerts one by one, which makes it hard for an administrator to understand the security situation of the system. The purpose of intrusion alert analysis is to solve the problem of a high false-positive alert rate and to reconstruct the attack scenario that reflects the actual attack process. The thesis summarizes related work in the area and partitions current work into two categories: methods based on expert systems and methods based on data mining.

The thesis then formulates an intrusion alert correlation model based on data mining, in which data mining is used in an offline module to find correlation rules from training data. The online module then correlates and fuses alerts according to these rules and yields analysis results in real time.

Based on the fact that a typical intrusion process normally consists of several steps, an intrusion alert analysis model based on finite automata is proposed. The model consists of four parts: alert formalization, alert filtering, alert fusion and correlation, and scenario visualization. Alerts are fused and correlated using an approach based on finite automata. Three kinds of high-level views of attacks are generated, i.e. the process-critical scenario, the attacker-critical scenario, and the victim-critical scenario. Experiments show that the approach can reduce the redundancy of intrusion alerts and correlate them well.

The use of intrusion alert correlation makes the Honeynet more intelligent. The alert analysis model is realized according to the specific Honeynet application environment. Experiments show that alerts within the Honeynet are fused and correlated well. An administrator can better understand the security situation of the system through the alert analysis result.
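The following is an added illustration of the four-stage pipeline the abstract describes (alert formalization, filtering, fusion, finite-automaton correlation) together with attacker-centric and victim-centric scenario views. It is example code written for this page, not the thesis author's implementation: the raw alert format, the signature names, the three-state attack automaton and the sample alerts are all constructed assumptions.

```python
"""Minimal intrusion alert analysis pipeline (added example, not from the thesis).
Stages: formalize -> filter -> fuse -> correlate with a finite automaton,
then derive attacker-critical and victim-critical views of each scenario."""
from collections import defaultdict
from dataclasses import dataclass

# Constructed raw IDS alerts in a hypothetical "time,signature,src,dst" format.
RAW_ALERTS = [
    "100,PORTSCAN,10.0.0.5,192.168.1.10",
    "101,PORTSCAN,10.0.0.5,192.168.1.10",       # repeat -> fused with the first
    "102,PORTSCAN,10.0.0.5,192.168.1.10",
    "110,EXPLOIT_ATTEMPT,10.0.0.5,192.168.1.10",
    "120,SHELL_SPAWN,10.0.0.5,192.168.1.10",    # completes the multi-step chain
    "130,PORTSCAN,10.0.0.7,192.168.1.20",       # a scan with no follow-up
    "140,LOW_PRIO_INFO,10.0.0.9,192.168.1.30",  # noise, removed by filtering
]


@dataclass
class Alert:
    time: int
    sig: str
    src: str
    dst: str
    count: int = 1  # number of raw alerts merged into this one


def formalize(lines):
    """Alert formalization: parse each raw line into a common structure."""
    return [Alert(int(t), sig, src, dst)
            for t, sig, src, dst in (line.split(",") for line in lines)]


IGNORED = {"LOW_PRIO_INFO"}  # hypothetical list of signatures treated as noise


def filter_alerts(alerts):
    """Alert filtering: drop signatures configured as noise."""
    return [a for a in alerts if a.sig not in IGNORED]


def fuse(alerts, window=5):
    """Alert fusion: merge repeats of the same (sig, src, dst) that arrive
    within `window` seconds of the first one, keeping a count instead."""
    fused = []
    for a in sorted(alerts, key=lambda x: x.time):
        last = fused[-1] if fused else None
        if (last and (last.sig, last.src, last.dst) == (a.sig, a.src, a.dst)
                and a.time - last.time <= window):
            last.count += 1
        else:
            fused.append(Alert(a.time, a.sig, a.src, a.dst))
    return fused


# Hypothetical attack automaton: current state -> {signature: next state}.
# Each (src, dst) pair runs its own copy; reaching ACCEPT means the
# observed alerts form a complete multi-step intrusion scenario.
TRANSITIONS = {
    "START": {"PORTSCAN": "RECON"},
    "RECON": {"EXPLOIT_ATTEMPT": "EXPLOITED"},
    "EXPLOITED": {"SHELL_SPAWN": "COMPROMISED"},
}
ACCEPT = "COMPROMISED"


def correlate(alerts):
    """Correlation: advance the automaton of each (src, dst) pair over the
    fused alerts in time order; the recorded steps are the process-critical
    scenario, the final state tells how far the intrusion progressed."""
    state = defaultdict(lambda: "START")
    steps = defaultdict(list)
    for a in sorted(alerts, key=lambda x: x.time):
        key = (a.src, a.dst)
        nxt = TRANSITIONS.get(state[key], {}).get(a.sig)
        if nxt:  # alerts that fit no transition are left uncorrelated
            state[key] = nxt
            steps[key].append(a)
    return {k: {"state": state[k], "steps": steps[k]} for k in steps}


def attacker_view(scenarios):
    """Attacker-critical view: per source, which victims reached which stage."""
    view = defaultdict(dict)
    for (src, dst), s in scenarios.items():
        view[src][dst] = s["state"]
    return dict(view)


def victim_view(scenarios):
    """Victim-critical view: per target, which sources reached which stage."""
    view = defaultdict(dict)
    for (src, dst), s in scenarios.items():
        view[dst][src] = s["state"]
    return dict(view)


def analyze(lines):
    """Run the full pipeline; returns (fused alerts, scenarios per pair)."""
    fused = fuse(filter_alerts(formalize(lines)))
    return fused, correlate(fused)


if __name__ == "__main__":
    fused, scen = analyze(RAW_ALERTS)
    print(len(RAW_ALERTS), "raw alerts ->", len(fused), "fused alerts")
    for key, s in scen.items():
        print(key, s["state"], [a.sig for a in s["steps"]])
    print("attacker view:", attacker_view(scen))
    print("victim view:  ", victim_view(scen))
```

On the constructed input, seven raw alerts collapse to four fused ones; the pair (10.0.0.5, 192.168.1.10) drives its automaton to COMPROMISED in three steps, while the lone scan from 10.0.0.7 stops at RECON. Replacing the fixed TRANSITIONS table with rules learned offline is where the abstract's data-mining module would plug in.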
Keywords/Search Tags: Honeynet, intrusion alert correlation, finite automata, data mining