
Research On Causality Alerts Correlation Method Based On Bayesian Network

Posted on: 2006-06-01 | Degree: Master | Type: Thesis
Country: China | Candidate: Y Zhou | Full Text: PDF
GTID: 2178360182470156 | Subject: Software engineering

Abstract/Summary:
Cyber attacks and illegal access are rising rapidly as networks become prevalent, and network security has become a serious concern. An IDS is regarded as the second line of defence of a computer system: it is important for reducing the risk of intrusion and for protecting system resources and data from access without privilege. At the same time, an IDS produces large numbers of alerts, including both true and false alerts, which makes it a very challenging task for human users or intrusion response systems to understand the alerts and take appropriate actions. It is therefore necessary to apply alert correlation methods and develop IDS coordination modes that analyze the alerts, build distinct attack scenarios, and reduce the volume of false alerts.

Firstly, this paper reviews IDS technology and alert correlation technology in general and summarizes the current research achievements. After analyzing the existing correlation methods and pointing out their limitations, we put forward a new scheme: build a Bayesian network model, use probabilistic alert correlation to preprocess the raw alerts from the sensors, then correlate the alerts again and output the correlation graph based on the causality method.

Secondly, this paper makes a detailed analysis of the design and implementation of the Bayesian network model and the causality correlation method. It includes two modules. The first is horizontal (crosswise) alert correlation. The Bayesian-network-based preprocessing uses the similarity of alert attributes as its key parameter: each new alert is matched against the features of the existing meta alerts, and it is then decided which type it is added to, so raw alerts whose combined features are basically similar are fused into a few higher-level meta alerts. The second is vertical alert correlation. Alerts are not isolated; logically they have causal relations with each other, the earlier attack actions preparing for the later ones. We therefore define hyper alerts to represent this relation and correlate them using the hyper alert types from the knowledge base.

Finally, this paper integrates the causal and cluster correlation methods to hypothesize and reason about the attacks that were missed, improving the correlation graphs.
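The two modules the abstract describes, fusion of similar raw alerts into meta alerts followed by causal linking through hyper-alert prerequisites and consequences, with the final step of hypothesizing a missed attack when a prerequisite is unexplained, can be shown end to end in a small Python script. This is an added illustration, not code from the thesis: a weighted attribute match stands in for the thesis's Bayesian-network scoring, and the weights, threshold, knowledge base and sample alerts are all constructed assumptions.

```python
"""Alert correlation in two stages, as described in the abstract: (1) horizontal
correlation fuses raw IDS alerts with similar attributes into meta alerts, and
(2) vertical correlation links meta alerts whose consequences satisfy the
prerequisites of later ones, then hypothesizes alerts the sensors missed.
Added illustration, not the thesis's code.  A weighted attribute match stands
in for the thesis's Bayesian-network scoring; the weights, threshold, sample
alerts and the hyper-alert knowledge base are all constructed assumptions."""
from dataclasses import dataclass


@dataclass
class Alert:
    sig: str    # signature name, used as the hyper-alert type
    src: str
    dst: str
    dport: int
    ts: float   # seconds


@dataclass
class MetaAlert:
    rep: Alert          # representative raw alert (the first one fused in)
    first_ts: float
    last_ts: float
    count: int = 1      # number of raw alerts fused into this meta alert
    hypothesized: bool = False


# --- stage 1: horizontal correlation (attribute-similarity fusion) -----------
WEIGHTS = {"sig": 0.4, "src": 0.2, "dst": 0.3, "dport": 0.1}   # assumption
FUSE_THRESHOLD = 0.7                                             # assumption


def similarity(a, b):
    """Weighted share of attributes on which two alerts agree."""
    return sum(w for k, w in WEIGHTS.items() if getattr(a, k) == getattr(b, k))


def fuse(alerts, threshold=FUSE_THRESHOLD):
    """Fold each raw alert into the most similar meta alert, or open a new one."""
    metas = []
    for a in sorted(alerts, key=lambda x: x.ts):
        best = max(metas, key=lambda m: similarity(m.rep, a), default=None)
        if best is not None and similarity(best.rep, a) >= threshold:
            best.count += 1
            best.last_ts = max(best.last_ts, a.ts)
        else:
            metas.append(MetaAlert(rep=a, first_ts=a.ts, last_ts=a.ts))
    return metas


# --- stage 2: vertical (causal) correlation ----------------------------------
# Hyper-alert types: prerequisites and consequences as predicate templates over
# the alert's attributes.  Constructed knowledge base, not the thesis's.
KNOWLEDGE_BASE = {
    "SCAN":     {"pre": [],                       "post": ["ServiceProbed({dst})"]},
    "EXPLOIT":  {"pre": ["ServiceProbed({dst})"], "post": ["Compromised({dst})"]},
    "BACKDOOR": {"pre": ["Compromised({dst})"],   "post": ["RemoteShell({dst})"]},
}


def predicates(meta, key):
    """Instantiate the type's 'pre' or 'post' templates with the alert's attributes."""
    spec = KNOWLEDGE_BASE.get(meta.rep.sig, {"pre": [], "post": []})
    return {p.format(dst=meta.rep.dst, src=meta.rep.src) for p in spec[key]}


def supplies(earlier, later):
    """Consequences of `earlier` that meet a prerequisite of `later`, if it precedes it."""
    if earlier.last_ts >= later.first_ts:
        return set()
    return predicates(earlier, "post") & predicates(later, "pre")


def correlate(metas):
    """Return (nodes, edges) of the correlation graph.  Edge (i, j) means node i
    prepares node j.  A prerequisite that no observed alert supplies is explained
    by appending a hypothesized node of a type whose consequence would supply it."""
    nodes = list(metas)
    edges = []
    for j, later in enumerate(metas):
        satisfied = set()
        for i, earlier in enumerate(metas):
            common = supplies(earlier, later)
            if common:
                edges.append((i, j))
                satisfied |= common
        for missing in sorted(predicates(later, "pre") - satisfied):
            for sig, spec in KNOWLEDGE_BASE.items():
                if missing in {p.format(dst=later.rep.dst, src=later.rep.src) for p in spec["post"]}:
                    ghost = Alert(sig, "?", later.rep.dst, later.rep.dport, later.first_ts)
                    nodes.append(MetaAlert(ghost, ghost.ts, ghost.ts, count=0, hypothesized=True))
                    edges.append((len(nodes) - 1, j))
                    break
    return nodes, edges


def label(m):
    tag = "?" if m.hypothesized else f"x{m.count}"
    return f"{m.rep.sig}({m.rep.src}->{m.rep.dst}){tag}"


# Constructed sample: a scan of one host, an exploit and backdoor on it, and a
# backdoor on a second host whose exploit the sensors never reported.
SAMPLE_ALERTS = [
    Alert("SCAN", "198.51.100.7", "192.0.2.10", 22, 1.0),
    Alert("SCAN", "198.51.100.7", "192.0.2.10", 80, 2.0),
    Alert("SCAN", "198.51.100.7", "192.0.2.10", 443, 3.0),
    Alert("SCAN", "198.51.100.7", "192.0.2.11", 80, 4.0),
    Alert("EXPLOIT", "198.51.100.7", "192.0.2.10", 80, 10.0),
    Alert("BACKDOOR", "198.51.100.7", "192.0.2.10", 4444, 20.0),
    Alert("BACKDOOR", "203.0.113.9", "192.0.2.11", 4444, 25.0),
]

if __name__ == "__main__":
    nodes, edges = correlate(fuse(SAMPLE_ALERTS))
    for i, j in edges:
        print(f"{label(nodes[i])} -> {label(nodes[j])}")
```

On the sample, the three scan alerts against 192.0.2.10 fuse into one meta alert, the scan-exploit-backdoor chain on that host becomes two causal edges, and the backdoor on 192.0.2.11 gets an incoming edge from a hypothesized EXPLOIT node because nothing observed supplies its "Compromised" prerequisite. The similarity weights are where a real deployment would plug in the learned probabilities; the graph logic does not depend on how the score is produced.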
Keywords/Search Tags: Intrusion detection, alert correlation, Bayesian network, causality correlation, cluster correlation