
Research On Events Correlation Of Intrusion Response System

Posted on: 2009-02-19
Degree: Master
Type: Thesis
Country: China
Candidate: W Liu
Full Text: PDF
GTID: 2178360245986558
Subject: Computer application technology

Abstract/Summary:
Intrusion detection systems (IDSs) have reached a high level of sophistication and are able to detect intrusions with a variety of methods. Unfortunately, the majority of intrusion response systems (IRSs) react to attacks only by generating reports or alarms. Slow response to multiple attacks may end in serious damage beyond recovery. Manual response to computer attacks is inadequate by itself; automatic response systems have to take over that task. In case of an identified intrusion, these components have to initiate appropriate actions to counter emerging threats. Based on a summary of related studies, this thesis presents a common framework for an Automatic Intrusion Response System.

The IRS takes events from the IDS as input. Because of its inherent limitations, an IDS may generate multiple events for a single attack. We therefore studied the problem of redundancy elimination, which preprocesses the input by merging redundant events so as to prevent the IRS from taking unnecessary responses. The thesis first gives a systematic analysis of the correlation features between redundant events: the attack class constraint, the special constraint and the timing constraint. For the special constraint, we enumerate all possibilities of attacks; for the timing constraint, we use a relative mean square error model to describe the feature. The thesis uses a rule-based method to describe each redundancy instance and puts forward the Real-time Aggregation based Redundancy Elimination algorithm (RARE), which eliminates redundant events in real time according to the rule set.

The purpose of intrusion plan recognition is to realize alert correlation and early warning of compound attacks. The intrusion plan recognition algorithm presented in the thesis correlates intrusion alerts and performs plan recognition based on causal relation, which is the main relation between the steps of a network compound attack, as derived from the observed results. The algorithm has the advantages of low complexity and easily computed condition parameters.

In the experiments, the redundancy elimination algorithm effectively eliminates redundant events from the stream of primitive events, and the aggregation ratio for our test data set is above 10. Experiments on two DARPA intrusion detection evaluation datasets show that the event correlation algorithm has strong event correlation capability and a certain plan recognition capability.
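As an added illustration (not code from the thesis), a minimal rule-based aggregator in the spirit of the redundancy elimination step: primitive events that share an attack class and the same source and destination hosts, and arrive within a fixed window of the previous member, are merged into one aggregate, and the aggregation ratio is the number of primitive events per event passed on to the response system. The constructed event stream, the 5 s window, the host-based grouping and the class names are assumptions; the thesis's relative mean square error timing model is replaced by the simple window.

```python
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

# Constructed IDS event stream in arrival order (not the thesis's DARPA data).
# Each tuple: (timestamp_s, attack_class, src_ip, dst_ip).
Event = Tuple[float, str, str, str]
Key = Tuple[str, str, str]
SAMPLE_EVENTS: List[Event] = [
    (100.0, "portscan", "10.0.0.5", "10.0.0.20"),
    (100.4, "portscan", "10.0.0.5", "10.0.0.20"),    # same key, in window: redundant
    (100.9, "sql_inject", "10.0.0.5", "10.0.0.20"),  # class constraint fails: kept
    (101.0, "portscan", "10.0.0.6", "10.0.0.20"),    # host constraint fails: kept
    (101.1, "portscan", "10.0.0.5", "10.0.0.20"),    # redundant
    (130.0, "portscan", "10.0.0.5", "10.0.0.20"),    # timing constraint fails: new aggregate
]

@dataclass
class Aggregate:
    first_ts: float
    last_ts: float
    count: int = 1

class RedundancyEliminator:
    """Hypothetical rule-based eliminator: (class, src, dst) is the rule key, and an
    event is redundant if it arrives within window_s of the aggregate's last member."""

    def __init__(self, window_s: float) -> None:
        self.window_s = window_s
        self.active: Dict[Key, Aggregate] = {}
        self.seen = 0      # primitive events consumed
        self.emitted = 0   # events forwarded to the response system

    def process(self, event: Event) -> Optional[Key]:
        """Return the key if the event opens a new aggregate, None if it was merged."""
        ts, cls, src, dst = event
        self.seen += 1
        key: Key = (cls, src, dst)
        agg = self.active.get(key)
        if agg is not None and ts - agg.last_ts <= self.window_s:
            agg.last_ts, agg.count = ts, agg.count + 1   # merge, suppress response
            return None
        self.active[key] = Aggregate(ts, ts)             # new attack instance
        self.emitted += 1
        return key

    def aggregation_ratio(self) -> float:
        """Primitive events per forwarded event; higher means more redundancy removed."""
        return self.seen / self.emitted if self.emitted else 0.0

def run(events: List[Event], window_s: float = 5.0) -> RedundancyEliminator:
    elim = RedundancyEliminator(window_s)
    for ev in events:
        elim.process(ev)
    return elim
```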
Keywords/Search Tags: Intrusion Response, Causal Relation, Compound Attack, Real-time Aggregation