
Research And Realization Of Analysis Methods For Network Security Events

Posted on: 2007-02-24
Degree: Master
Type: Thesis
Country: China
Candidate: Y Q Li
Full Text: PDF
GTID: 2178360242961888
Subject: Computer system architecture

Abstract/Summary:
With the rapid development of Internet technologies, network security has become more and more sensitive and important, and complicated, covert, distributed attack methods and technologies have made intrusion intention recognition more difficult. The occurrence of vast numbers of redundant, inessential alerts puts enormous pressure on the system administrator and leads to misjudgement or even neglect. The lack of correlation and early-warning technologies results in false negatives or false positives. It is difficult to recognize the intrusion intention exactly and to respond accordingly, and this situation causes the system great loss.

The goals of the SATA (Security Alerts & Threat Analysis) system are to reduce intrusion false positives and to recognize intrusion intention exactly. The system collects and formats the original alerts, and then transmits them to the server process for correlation. It was designed and realized through research into various correlation technologies. The main content includes: presenting a hierarchy for an alert correlation system; the realization of its four functional modules; the design and experimental analysis of the probabilistic correlation algorithm AlertRank, based on a Bayesian network, which performs event severity ranking; and the realization of a correlation algorithm based on a rule base.

The main contribution of the Agent function module is the pretreatment of the original alerts. The module extracts the needed attributes of the alerts and gives the same attribute the same name. This consolidation of format provides the guarantee for storing and correlating the alerts in the server module.

The AlertRank algorithm is a special cross-correlation method. It correlates the alerts with the vulnerabilities, network topology, system assets and security policy of the real network environment via a probabilistic correlation algorithm based on a Bayesian network. Performance testing proves that the algorithm greatly reduces the number of alerts and the false alert rate, and accurately identifies the intrusion intention.
Keywords/Search Tags: Alert Correlation, Events ranking, Bayesian Network