
Research And Design Of Correlation Analysis Engine For Security Incident

Posted on: 2008-12-03
Degree: Master
Type: Thesis
Country: China
Candidate: J Du
GTID: 2178360212496010
Subject: Computer software and theory
Abstract/Summary:
In the information age, with the growth of Internet technology and the spread of networked applications, network security receives ever more attention. Security devices such as firewalls, intrusion detection systems (IDS) and network auditing systems are deployed to protect networks. But with a large number of such devices the volume of information they produce is enormous; an administrator cannot process it in the time available, let alone judge whether an alarm is genuine. Moreover, because of the limitations of detection systems, false negatives and false positives are common. In addition, the information generated by the various security devices is interrelated, and it cannot be examined in isolation to identify real attacks. It is therefore necessary to handle security incidents centrally, including unifying the incident format, removing redundancy, correlation analysis, risk assessment and so on. Correlation analysis is the key part of security incident management: it covers the management and analysis of the incidents generated by all kinds of security devices, the discovery of security problems hidden in the network, and the evaluation of, and early warning about, the state of the network. Correlation analysis is defined as finding the intrinsic relations among massive numbers of security incidents in order to identify real attacks and recognize the genuine alarms. The popular correlation techniques include those based on pattern recognition, on similarity probability, on probabilistic finite state machines, on causal relations between incidents, and on machine learning. These techniques reach their conclusions using different representations and algorithms, drawing on the causality between incidents, their times of occurrence, the network topology and so on.
This paper introduces the principles of these techniques and shows the advantages and disadvantages of each. The occurrence of security incidents is closely tied to the techniques used by the attacker. We analyse common intrusion techniques, including denial of service (DoS), worms and Trojan horses, and summarize the process of a network intrusion. The analysis shows that each kind of intrusion has its own characteristic actions, so the security incidents it produces also follow regularities: the incidents occur in a particular order, their content has particular features, and so on. We propose a new correlation method based on intrusion sequences. The idea is first to define time-sequence rules with interdependencies, which form the rule set used to recognize an intrusion. Correlation based on intrusion sequences recognizes an intrusion by matching these rules against the incoming incidents, so the construction of the rules is critical. The paper describes the definition of the rule document. The rules are written as XML documents, because the hierarchical structure of XML can describe complex relationships and lets the whole course of an intrusion be depicted clearly. In addition, we propose a correlation approach based on a heuristic algorithm. It uses the CALM algorithm to estimate the risk of a security incident and to verify the incident, and it can also estimate the risk state of hosts and of the network. The paper also studies the correlation between security incidents and host vulnerabilities.
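As an added example, not code from the thesis, the following Python sketch shows what an XML time-sequence rule and a matcher for it can look like. A directive lists the stages of an intrusion in order, each with a time window and the fields that must stay the same between stages; incidents are fed in order of occurrence and matched against the open backlogs (partially matched directives) before any new backlog is opened, and a consumed incident is marked sticky so it is not matched a second time, which is the same backlog and sticky-flag idea the engine description below uses for efficiency. The rule schema (directive, rule, stage, event, window, same), the field names and the incidents are all constructed for the illustration and are not the thesis's own format.

```python
import xml.etree.ElementTree as ET
from dataclasses import dataclass, field

# Constructed rule document for this example. The element and attribute
# names are this example's own schema, not the thesis's rule format.
RULE_XML = """
<directives>
  <directive id="1" name="scan-exploit-backdoor">
    <rule stage="1" event="PORTSCAN"/>
    <rule stage="2" event="EXPLOIT_ATTEMPT" window="600" same="src,dst"/>
    <rule stage="3" event="BACKDOOR_CONNECT" window="3600" same="dst"/>
  </directive>
</directives>
"""

@dataclass
class Stage:
    event: str      # normalized incident type this stage expects
    window: int     # seconds allowed since the previous stage matched
    same: tuple     # fields that must equal those of the previous matched incident

@dataclass
class Directive:
    id: str
    name: str
    stages: list

@dataclass
class Backlog:
    """A partially matched directive: the incidents consumed so far."""
    directive: Directive
    matched: list = field(default_factory=list)

    @property
    def next_stage(self):
        return self.directive.stages[len(self.matched)]

    def accepts(self, ev):
        st = self.next_stage
        if ev["type"] != st.event:
            return False
        prev = self.matched[-1]
        if ev["ts"] - prev["ts"] > st.window:
            return False
        return all(ev[f] == prev[f] for f in st.same)

def load_directives(xml_text):
    root = ET.fromstring(xml_text)
    directives = []
    for d in root.findall("directive"):
        rules = sorted(d.findall("rule"), key=lambda r: int(r.get("stage")))
        stages = [Stage(r.get("event"), int(r.get("window", "0")),
                        tuple(s for s in r.get("same", "").split(",") if s))
                  for r in rules]
        directives.append(Directive(d.get("id"), d.get("name"), stages))
    return directives

def correlate(events, directives):
    """Match incidents against directives, oldest incident and oldest backlog first.
    Returns the completed intrusion alarms; consumed incidents get sticky=True."""
    backlogs, alarms = [], []
    for ev in sorted(events, key=lambda e: e["ts"]):
        # Drop backlogs whose next-stage window expired before this incident.
        backlogs = [b for b in backlogs
                    if ev["ts"] - b.matched[-1]["ts"] <= b.next_stage.window]
        ev.setdefault("sticky", False)
        for b in backlogs:                      # oldest backlog first
            if b.accepts(ev):
                b.matched.append(ev)
                ev["sticky"] = True             # never matched a second time
                if len(b.matched) == len(b.directive.stages):
                    alarms.append({"directive": b.directive.name,
                                   "events": [e["id"] for e in b.matched],
                                   "src": b.matched[0]["src"],
                                   "dst": b.matched[-1]["dst"]})
                    backlogs.remove(b)
                break
        if ev["sticky"]:
            continue
        for d in directives:                    # open a new backlog on a stage-1 hit
            if ev["type"] == d.stages[0].event:
                backlogs.append(Backlog(d, [ev]))
                ev["sticky"] = True
                break
    return alarms

def sample_events():
    # Constructed, already-normalized incidents (timestamps in seconds).
    return [
        {"id": 1, "ts": 0,    "type": "PORTSCAN",         "src": "10.0.0.5", "dst": "10.0.0.20"},
        {"id": 2, "ts": 100,  "type": "EXPLOIT_ATTEMPT",  "src": "10.0.0.5", "dst": "10.0.0.20"},
        {"id": 3, "ts": 200,  "type": "EXPLOIT_ATTEMPT",  "src": "10.0.0.9", "dst": "10.0.0.20"},
        {"id": 4, "ts": 1500, "type": "BACKDOOR_CONNECT", "src": "10.0.0.5", "dst": "10.0.0.20"},
        {"id": 5, "ts": 5000, "type": "PORTSCAN",         "src": "10.0.0.7", "dst": "10.0.0.21"},
    ]

def run_example():
    events = sample_events()
    alarms = correlate(events, load_directives(RULE_XML))
    unmatched = [e["id"] for e in events if not e["sticky"]]
    return alarms, unmatched

if __name__ == "__main__":
    print(run_example())
```

With the constructed incidents, incidents 1, 2 and 4 complete the directive and raise one alarm, incident 3 (an exploit attempt from a different source) matches nothing and stays unmatched, and incident 5 opens a new backlog that never completes. Expiring backlogs on every incident keeps memory bounded when many stage-1 incidents arrive and never progress.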
Each security incident is mapped to the vulnerability it depends on, and we check whether that vulnerability actually exists on the target host: if it does, the reliability of the incident is raised; if it does not, the incident is treated as a false alarm. The paper then describes the implementation of the correlation analysis engine, which is based on the three methods above. The engine consists of a communication module, a preprocessing module, a correlation analysis module, a task scheduling module and a data container module. The communication module handles communication between the agents and the console. The preprocessing module carries out preliminary correlation of security incidents. The correlation analysis module correlates the incidents. The task scheduling module evaluates incidents dynamically, schedules tasks and manages the correlation queue in memory. The data container module provides operations on the underlying data, including pushing and popping events and alerts on their queues, exporting the various documents, copying and deleting rules, and so on; it also provides the interface to the database. The design of the engine is described from different views with structure charts, class diagrams and sequence diagrams. We also give a solution for improving the efficiency of the engine: a security incident is matched against the intrusions in the backlog, which is the subset of directives currently in progress, following the principle that the incident that happened first is matched first. At the same time, repeated matching of a security incident is avoided by setting a sticky flag on the rule and on the incident. Experiments demonstrate the usability of the engine. Security incident management mainly implements the unification, de-duplication, correlation and visualization of security incidents.
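The vulnerability check described at the start of this paragraph, as an added example that is not the thesis's code: a signature is mapped to the vulnerabilities the attack depends on, the target host is looked up in a vulnerability inventory, and the alert's reliability is raised when a required vulnerability is present and zeroed when the host is known not to have it. The signature names, vulnerability identifiers, inventory, the reliability scale and the bonus value are all constructed for the illustration; the "unknown-host" branch is an added caveat, since a host missing from the inventory cannot be used to call the alert a false alarm.

```python
from dataclasses import dataclass

# Constructed mapping from detection signature to the vulnerabilities the
# attack depends on. The identifiers are placeholders, not real advisories.
SIGNATURE_VULNS = {
    "EXPLOIT ftpd-overflow": {"VULN-FTPD-001"},
    "EXPLOIT smb-rce":       {"VULN-SMB-002", "VULN-SMB-003"},
    "PORTSCAN":              set(),            # no vulnerability dependency
}

# Constructed host inventory, e.g. from a vulnerability scanner or asset database.
HOST_VULNS = {
    "10.0.0.20": {"VULN-FTPD-001"},
    "10.0.0.21": {"VULN-SMB-003"},
    "10.0.0.22": set(),                        # scanned, nothing found
}

CONFIRM_BONUS = 3   # reliability added when the dependency is confirmed (assumed value)

@dataclass
class Alert:
    signature: str
    dst: str
    reliability: int   # 0..10 as assigned by the sensor (assumed scale)

def check_vulnerability(alert, sig_vulns=SIGNATURE_VULNS, host_vulns=HOST_VULNS):
    """Return (verdict, adjusted_reliability) for one alert."""
    required = sig_vulns.get(alert.signature)
    if not required:
        # Signature does not depend on a vulnerability (or is unmapped):
        # the check says nothing either way, so leave reliability alone.
        return "no-dependency", alert.reliability
    present = host_vulns.get(alert.dst)
    if present is None:
        # No inventory for the target: we cannot call it a false alarm.
        return "unknown-host", alert.reliability
    if required & present:
        # The vulnerability the attack needs exists on the host: more credible.
        return "confirmed", min(10, alert.reliability + CONFIRM_BONUS)
    # Host is inventoried and lacks every required vulnerability.
    return "false-alarm", 0

def triage(alerts):
    return [(a.signature, a.dst) + check_vulnerability(a) for a in alerts]

def sample_alerts():
    # Constructed alerts covering each branch of the check.
    return [
        Alert("EXPLOIT ftpd-overflow", "10.0.0.20", 5),
        Alert("EXPLOIT ftpd-overflow", "10.0.0.22", 5),
        Alert("EXPLOIT smb-rce", "10.0.0.21", 8),
        Alert("EXPLOIT smb-rce", "10.0.0.99", 6),
        Alert("PORTSCAN", "10.0.0.20", 2),
    ]

if __name__ == "__main__":
    for row in triage(sample_alerts()):
        print(row)
```

The first alert is confirmed (reliability 5 becomes 8), the second targets a scanned host without the vulnerability and is demoted to a false alarm, the third is confirmed and capped at 10, the fourth targets a host absent from the inventory and is left unchanged, and the port scan has no dependency to check.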
We propose two approaches: the first recognizes known intrusions, the second describes the risk state produced by unknown intrusions. However, several problems remain to be solved, including the construction of a normalized representation of security incidents, automatic definition of correlation rules, improving the efficiency of the correlation analysis engine, and the escalation and tracing of security incidents. All of these are important for the development of security incident management technology and will be key points for researchers at home and abroad in this field.
Keywords/Search Tags: Correlation