
The Design And Implementation Of Network Security Events Management System

Posted on: 2008-04-18
Degree: Master
Type: Thesis
Country: China
Candidate: H Yu
Full Text: PDF
GTID: 2178360212974335
Subject: Computer application technology

Abstract/Summary:
At present many types of network security devices are deployed in a network environment, but they operate in isolation, so the security events collected from them are scattered and lack uniform management. As a result, network administrators cannot quickly and correctly judge the true nature of the security events that affect or damage the network, and network users suffer large losses. This thesis therefore discusses a new Network Security Events Management System (NSEMS) that can be used with many types of network security devices. The NSEMS can collect, store, enrich, correlate, monitor and control security events in real time, and can also produce statistics and risk evaluations for security events from many types of network security devices.

This thesis introduces the design model of the NSEMS, which consists of the Event Collection Center (ECC), Event Analysis Center (EAC), Event Store Center (ESC), Event GUI Center (EGC) and System Management Center (SMC). The ECC collects and classifies network security events from the network security devices; the EAC then correlates, enriches and evaluates the events; the ESC stores all data; the SMC manages and configures the NSEMS; and finally the EGC presents the analysis results that help network administrators monitor and respond to the network. The NSEMS is designed and implemented on the basis of the Netcool network management product of Micromuse Corporation.

The main work of this thesis is as follows: classifying and compressing the original network security events in order to reduce the load on the databases and improve their real-time performance; designing the table structures of the databases, including the class-one security event description table and mapping table of the class-one security event database, the class-two security event description table of the class-two security event database, and the rules table, rule items table, correlation event items table and direct correlation events table of the correlation rules database; using hierarchically structured correlation rules to correlate and analyze logically connected security events in order to find the true nature of the events and respond effectively; and enriching security events with a detailed description, a solution and a risk level. Finally, the thesis introduces the test experiment and conclusions, as well as further work on the NSEMS.
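The classify, compress, correlate and enrich stages described above, as an added illustration that is not code from the thesis or the Netcool product: a small Python sketch in which the raw alerts and the mapping, class-two, rule and enrichment tables are all constructed, hypothetical sample data.

```python
from collections import Counter

# Constructed raw alerts from two hypothetical device types (not data from the thesis)
RAW_EVENTS = [
    {"device": "firewall", "sig": "FW-DENY", "src": "10.0.0.5", "dst": "10.0.1.9"},
    {"device": "firewall", "sig": "FW-DENY", "src": "10.0.0.5", "dst": "10.0.1.9"},
    {"device": "firewall", "sig": "FW-DENY", "src": "10.0.0.5", "dst": "10.0.1.9"},
    {"device": "ids", "sig": "IDS-PORTSCAN", "src": "10.0.0.5", "dst": "10.0.1.9"},
    {"device": "ids", "sig": "IDS-EXPLOIT", "src": "10.0.0.5", "dst": "10.0.1.9"},
]
# Mapping table: device-specific signature -> class-one (normalized) event type
CLASS_ONE_MAP = {"FW-DENY": "access_denied", "IDS-PORTSCAN": "recon",
                 "IDS-EXPLOIT": "exploit_attempt"}
# Class-two description table: class-one type -> broader category
CLASS_TWO_MAP = {"access_denied": "policy", "recon": "attack", "exploit_attempt": "attack"}
# Rules table / rule items table: a rule fires when every item (a class-one type)
# has been seen from the same source against the same destination
RULES = {"targeted_intrusion": ["recon", "exploit_attempt"]}
# Enrichment table for fired correlation events: description, solution, risk
ENRICH = {"targeted_intrusion": {"description": "Reconnaissance followed by an exploit attempt",
                                 "solution": "Isolate the source host; check the target", "risk": "high"}}

def classify(raw):
    """ECC stage: map each raw device event onto its class-one and class-two types."""
    out = []
    for e in raw:
        c1 = CLASS_ONE_MAP.get(e["sig"], "unknown")
        out.append({"class1": c1, "class2": CLASS_TWO_MAP.get(c1, "unknown"),
                    "src": e["src"], "dst": e["dst"]})
    return out

def compress(events):
    """Collapse repeated identical events into one record carrying a count."""
    counts = Counter((e["class1"], e["class2"], e["src"], e["dst"]) for e in events)
    return [{"class1": c1, "class2": c2, "src": s, "dst": d, "count": n}
            for (c1, c2, s, d), n in counts.items()]

def correlate(events):
    """EAC stage: fire and enrich a correlation event per (src, dst) pair matching a rule."""
    seen = {}
    for e in events:
        seen.setdefault((e["src"], e["dst"]), set()).add(e["class1"])
    fired = []
    for (src, dst), types in seen.items():
        for name, items in RULES.items():
            if all(item in types for item in items):
                fired.append({"rule": name, "src": src, "dst": dst, **ENRICH[name]})
    return fired
```

Running `correlate(compress(classify(RAW_EVENTS)))` yields one enriched `targeted_intrusion` event for the 10.0.0.5 -> 10.0.1.9 pair, while the three identical firewall denies collapse into a single record with `count` 3.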
Keywords/Search Tags:Network security, Security events management, Event correlation, Event classification, Event enrichment