
Research And Implementation Of Alert Data Fusion Model In Distributed IDS

Posted on: 2006-05-21
Degree: Master
Type: Thesis
Country: China
Candidate: X L Yu
Full Text: PDF
GTID: 2178360212467481
Subject: Computer technology
Abstract/Summary:
As a dynamic security mechanism that can safeguard networked information automatically and in real time, intrusion detection has received more and more attention. This thesis analyzes the deficiencies of current intrusion detection systems, such as their lack of automatic analysis capability and the flood of duplicate alerts and false positives they often produce. Multisensor data fusion offers an important solution to these shortcomings: it assesses the situation of the network by analyzing and processing the data and information gathered from multiple, distributed sensors.

This thesis first summarizes the technologies of intrusion detection data fusion. Then, based on an analysis and comparison of current technologies, an alert data fusion model for distributed IDS is proposed. In this model, the IDS is designed as a tree-shaped distributed hierarchy. The model includes three key techniques: (1) alert preprocessing, which merges duplicate alerts and extracts feature vectors based on the features of attacks; (2) an alert correlation algorithm based on an address correlation graph, which correlates the alerts, analyzes the attack path and infers the attacker's intention; (3) an algorithm for quantitative assessment of the network security situation, which divides the assessed objects into four security ranks based on attack energy.

The experimental results show that the alert data fusion model in distributed IDS can compress duplicate alerts and reduce false positives efficiently. With the alert correlation algorithm based on the address correlation graph, it can also reveal the intrusion path of attackers and analyze their intention. Moreover, the scalability of the IDS is increased with this data fusion model. The author has completed the design and implementation of a prototype of the data fusion model described above.

At the end of this thesis, the key processes, the structure of the important function modules and the data formats of the system are introduced.
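The first two techniques described above, as an added illustration that is not code from the thesis or its prototype: duplicate alerts with the same (source, destination, signature) inside a time window are merged into one alert with a count, the merged alerts are loaded into a directed graph keyed by address, and attack paths are recovered by following edges in time order, so a host that was attacked and later raised alerts itself is treated as a pivot. The alert tuples, the 60-second window and the path-walking rule are assumptions made for this example; the attack-energy ranking is not implemented because the abstract gives no formula for it.

```python
from collections import defaultdict

# Constructed sample alerts: (timestamp, src, dst, signature). Not thesis data.
ALERTS = [
    (100, "10.0.0.5", "10.0.1.10", "portscan"),
    (101, "10.0.0.5", "10.0.1.10", "portscan"),      # duplicate of the first
    (102, "10.0.0.5", "10.0.1.10", "portscan"),      # duplicate of the first
    (130, "10.0.0.5", "10.0.1.10", "ssh_bruteforce"),
    (300, "10.0.1.10", "10.0.2.20", "portscan"),     # attacked host now attacks
    (305, "10.0.1.10", "10.0.2.20", "smb_exploit"),
    (400, "10.0.2.20", "10.0.3.30", "smb_exploit"),
    (500, "10.0.9.9", "10.0.1.10", "portscan"),      # unrelated, later source
]

def merge_duplicates(alerts, window=60):
    """Preprocess step: collapse alerts sharing (src, dst, sig) that arrive
    within `window` seconds of the previous one into a single counted alert."""
    merged, last = [], {}          # last maps key -> index into merged
    for ts, src, dst, sig in sorted(alerts):
        key = (src, dst, sig)
        if key in last and ts - merged[last[key]]["last_ts"] <= window:
            merged[last[key]]["count"] += 1
            merged[last[key]]["last_ts"] = ts
        else:
            last[key] = len(merged)
            merged.append({"ts": ts, "last_ts": ts, "src": src, "dst": dst,
                           "sig": sig, "count": 1})
    return merged

def build_address_graph(merged):
    """Address correlation graph: src -> dst -> list of merged alerts."""
    graph = defaultdict(lambda: defaultdict(list))
    for a in merged:
        graph[a["src"]][a["dst"]].append(a)
    return graph

def attack_paths(graph, start):
    """Walk edges whose alerts are no earlier than the alert that reached the
    current node; each maximal chain is one candidate attack path."""
    paths = []
    def walk(node, path, since):
        extended = False
        for dst, edges in graph.get(node, {}).items():
            later = [e for e in edges if e["ts"] >= since]
            if later and dst not in path:      # time-ordered, loop-free
                extended = True
                walk(dst, path + [dst], min(e["ts"] for e in later))
        if not extended:
            paths.append(path)
    walk(start, [start], 0)
    return paths
```

The time-ordering check is what keeps the source at 10.0.9.9, which scanned 10.0.1.10 only after that host's own alerts, from being wrongly chained onto the earlier pivot path.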
Keywords/Search Tags: IDS, Data Fusion, Alert, Address Correlation Graph, Situation Assessment