
Alerts Fusion In Distributed Intrusion Detection System

Posted on: 2008-06-13
Degree: Master
Type: Thesis
Country: China
Candidate: X H He
Full Text: PDF
GTID: 2178360212992597
Subject: Computer application technology
Abstract/Summary:
With the development of the Internet, computer network security has become an increasingly serious concern. To enhance the security of computer networks, people have adopted many security technologies, including encryption, identity recognition and access control. With the development of intrusion detection technology, the IDS (Intrusion Detection System) has become an important component of network security systems.

In practical environments, an IDS always produces a large number of false positives, false negatives and duplicate alerts, which prevent the administrator from distinguishing the alerts effectively and thereby reduce the effectiveness of the IDS. Therefore, it is necessary to adopt an efficient method to delete redundant alerts and reduce the false positive and false negative ratios in order to raise the efficiency of the IDS.

In this paper, we analyze in depth the architecture, data sources and detection technology of present-day IDSs. We study alert management in a distributed intrusion detection environment; the main content is as follows:

1) A distributed intrusion detection system is introduced, and its architecture and functionality are described completely.
2) The research emphasizes alert fusion technology: an alert fusion module is designed and implemented, consisting of two sub-modules, alert aggregation and alert correlation.
3) The adaptive alert aggregation algorithm can effectively aggregate duplicate alerts and reduce the network traffic they cause.
4) The alert correlation algorithm based on fuzzy comprehensive evaluation can correlate not only alerts from different IDSs but also alerts from different stages of an intrusion, which are represented by an alert thread in the model. The algorithm can reduce false positive and false negative alerts, and the model can also provide compound parameters for further online risk assessment and intrusion response decisions.
5) The concept and role of alert confidence learning and an alert verification algorithm are introduced.

This paper first introduces the model structure, general features and classifications of IDSs, then describes the alert fusion model for the distributed intrusion detection system in detail, which is the key content of this paper. The emphasis is on the two core sub-modules of the alert fusion model: alert aggregation and alert correlation. Finally, the experimental results on the system are presented.
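As an added illustration (not the thesis's own code or algorithm), the following Python sketch shows the roles of the two sub-modules described in the abstract: alert aggregation merges duplicate alerts that share source, destination and signature and arrive within a time window into one meta-alert with a count, and alert correlation then links meta-alerts into attack threads using a weighted score over several factors, in the spirit of a fuzzy comprehensive evaluation. The stage ordering, the factor weights, the window length, the threshold and the sample alerts are all constructed assumptions for the example.

```python
from dataclasses import dataclass, field


@dataclass
class Alert:
    """One raw IDS alert (constructed sample format, not the thesis's schema)."""
    ts: float      # seconds since start of capture
    sensor: str    # which IDS node raised it
    src: str
    dst: str
    sig: str       # signature name / attack type


@dataclass
class MetaAlert:
    """Result of aggregating duplicate alerts with the same (src, dst, sig)."""
    first: float
    last: float
    src: str
    dst: str
    sig: str
    count: int = 1
    sensors: set = field(default_factory=set)


def aggregate(alerts, window=60.0):
    """Alert aggregation: merge alerts that share (src, dst, sig) and arrive
    within `window` seconds of the previous merged alert into one meta-alert.
    The count and sensor set stand in for the duplicates, which cuts the
    traffic sent to the central console."""
    open_metas = {}   # (src, dst, sig) -> most recent open MetaAlert
    out = []
    for a in sorted(alerts, key=lambda x: x.ts):
        key = (a.src, a.dst, a.sig)
        m = open_metas.get(key)
        if m is not None and a.ts - m.last <= window:
            m.last = a.ts
            m.count += 1
            m.sensors.add(a.sensor)
        else:
            m = MetaAlert(a.ts, a.ts, a.src, a.dst, a.sig, 1, {a.sensor})
            open_metas[key] = m
            out.append(m)
    return out


# Assumed intrusion stage order, used to reward "later stage follows earlier stage".
STAGE = {"PORTSCAN": 0, "EXPLOIT": 1, "PRIV_ESC": 2, "DATA_EXFIL": 3}


def time_membership(gap, max_gap=600.0):
    """Fuzzy membership for 'cur closely follows prev': 1 at zero gap, falling
    linearly to 0 at max_gap seconds (and 0 for out-of-order alerts)."""
    if gap < 0:
        return 0.0
    return max(0.0, 1.0 - gap / max_gap)


def similarity(prev, cur, weights=(0.3, 0.3, 0.2, 0.2)):
    """Weighted evaluation of four factors: same attacker, same victim,
    temporal closeness and stage progression. Weights are assumed values."""
    w_src, w_dst, w_time, w_stage = weights
    same_src = 1.0 if prev.src == cur.src else 0.0
    same_dst = 1.0 if prev.dst == cur.dst else 0.0
    closeness = time_membership(cur.first - prev.last)
    progresses = 1.0 if STAGE.get(cur.sig, 0) > STAGE.get(prev.sig, 0) else 0.0
    return w_src * same_src + w_dst * same_dst + w_time * closeness + w_stage * progresses


def correlate(metas, threshold=0.6):
    """Alert correlation: each meta-alert joins the thread whose last element it
    resembles most, if that score reaches `threshold`; otherwise it starts a
    new thread. A thread is the ordered list of stages of one intrusion."""
    threads = []
    for m in sorted(metas, key=lambda x: x.first):
        best, best_score = None, 0.0
        for th in threads:
            s = similarity(th[-1], m)
            if s > best_score:
                best, best_score = th, s
        if best is not None and best_score >= threshold:
            best.append(m)
        else:
            threads.append([m])
    return threads


# Constructed sample: three duplicate scans seen by two sensors, then an
# exploit and a privilege escalation from the same attacker against the same
# host, plus an unrelated scan from another source.
SAMPLE = [
    Alert(0, "ids-A", "10.0.0.5", "10.0.1.20", "PORTSCAN"),
    Alert(5, "ids-A", "10.0.0.5", "10.0.1.20", "PORTSCAN"),
    Alert(7, "ids-B", "10.0.0.5", "10.0.1.20", "PORTSCAN"),
    Alert(120, "ids-B", "10.0.0.5", "10.0.1.20", "EXPLOIT"),
    Alert(300, "ids-A", "10.0.0.5", "10.0.1.20", "PRIV_ESC"),
    Alert(310, "ids-A", "10.0.0.9", "10.0.1.30", "PORTSCAN"),
]


def fuse(alerts):
    """Run both sub-modules in sequence and return the attack threads."""
    return correlate(aggregate(alerts))


if __name__ == "__main__":
    for i, thread in enumerate(fuse(SAMPLE), 1):
        chain = " -> ".join(f"{m.sig}(x{m.count})" for m in thread)
        print(f"thread {i}: {thread[0].src} -> {thread[0].dst}: {chain}")
```

On the sample, the three scan alerts collapse into one meta-alert with count 3 seen by both sensors, the scan, exploit and privilege escalation from 10.0.0.5 form a single thread, and the scan from 10.0.0.9 is left as its own thread because it shares neither endpoint nor a stage progression with the first. The counts and thread membership are the kind of compound parameters the abstract mentions as input to later risk assessment.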
Keywords/Search Tags: Network Security, Intrusion Detection, Alert Fusion, Alert Aggregation, Alert Correlation