
Research And Implementation Of Intrusion Alerts Correlation Model And Key Technologies

Posted on: 2009-12-10
Degree: Master
Type: Thesis
Country: China
Candidate: F Song
GTID: 2178360272477198
Subject: Computer application technology
Abstract/Summary:
Intrusion detection is one of the fastest-developing system security technologies of recent years and has become the second security barrier after the firewall. Traditional intrusion detection systems, however, have two major disadvantages: (1) they attend to individual low-level events and anomalies, generate a separate alert for each, and cannot discover the logical relations between alerts or the attacker's strategy; (2) they generate a great number of false alarms mixed in with real alerts.

This thesis proposes a novel approach to correlating and analyzing intrusion alerts that is modularized and analyzes the alerts in layers. Alerts are aggregated with a probabilistic method based on their properties, and this is combined with the prerequisite-consequence correlation method, which models the attacker's capabilities, to correlate the alerts. First, the model formats alerts by their properties, removes repeated alerts, and sends them to a central server; there it removes duplicate alerts generated by different intrusion detection systems, aggregates and correlates the alerts using the probabilistic method and the model of the attacker's capabilities, and finally outputs the intrusion track and notifies administrators.

Experiments test the model and its algorithm. Compared with using only the prerequisite-consequence correlation method, the proposed approach raises the detection rate and lowers the misdetection rate, showing that it can analyze alerts successfully. The approach also provides a solution for the active recovery system proposed by our lab, which is based on an intrusion detection system, a honeypot system and a firewall system.
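The following is an added illustration, not code from the thesis: a toy version of the layered pipeline the abstract describes (normalize, drop duplicates across sensors, aggregate by weighted property similarity, correlate by prerequisite and consequence, emit the intrusion track). The knowledge base, attribute weights, thresholds and sample alerts are all constructed assumptions; the thesis's actual probabilistic scoring is not reproduced.

```python
# Added example (not the thesis's code): toy version of its layered alert pipeline.
KB = {  # constructed knowledge base: alert type -> (prerequisites, consequences)
    "port_scan":   (set(),              {"services_known"}),
    "ftp_exploit": ({"services_known"}, {"shell_access"}),
    "add_user":    ({"shell_access"},   {"persistence"}),
    "icmp_flood":  (set(),              set()),
}
WEIGHTS = {"type": 0.5, "src": 0.25, "dst": 0.25}  # constructed attribute weights

def dedup(alerts, window=5):  # drop repeats of (type, src, dst) within `window` s, any sensor
    last, out = {}, []
    for a in sorted(alerts, key=lambda a: a["t"]):
        key = (a["type"], a["src"], a["dst"])
        if key not in last or a["t"] - last[key] > window:
            out.append(a)
        last[key] = a["t"]
    return out

def similarity(a, b):  # weighted attribute match in [0, 1]; assumed scoring shape
    return sum(w for k, w in WEIGHTS.items() if a[k] == b[k])
def aggregate(alerts, threshold=0.75, window=60):  # merge similar, nearby alerts
    groups = []  # each group is its seed alert plus a count of merged alerts
    for a in alerts:
        for g in groups:
            if a["t"] - g["t"] <= window and similarity(a, g) >= threshold:
                g["count"] += 1
                break
        else:
            groups.append(dict(a, count=1))
    return groups

def correlate(hyper):  # link b to earlier a on same target if a's consequences meet b's prerequisites
    return [(a["type"], b["type"]) for i, b in enumerate(hyper) for a in hyper[:i]
            if a["dst"] == b["dst"] and KB[a["type"]][1] & KB[b["type"]][0]]
def attack_track(edges):  # follow the edges from their root into an ordered intrusion track
    nxt = dict(edges)
    track = [a for a, _ in edges if a not in nxt.values()][:1]
    while track and track[-1] in nxt:
        track.append(nxt[track[-1]])
    return track

ALERTS = [dict(t=t, sensor=s, type=ty, src=src, dst="10.0.0.20") for t, s, ty, src in [  # constructed
    (0, "ids-a", "port_scan", "10.0.0.5"), (2, "ids-b", "port_scan", "10.0.0.5"),
    (30, "ids-a", "port_scan", "10.0.0.6"), (90, "ids-a", "ftp_exploit", "10.0.0.5"),
    (95, "ids-b", "icmp_flood", "10.0.0.9"), (120, "ids-a", "add_user", "10.0.0.5")]]

def run(alerts=ALERTS):  # -> (hyper-alerts, correlation edges, attack track)
    hyper = aggregate(dedup(alerts))
    edges = correlate(hyper)
    return hyper, edges, attack_track(edges)
```

On the constructed data the two sensors' duplicate scans collapse into one hyper-alert, the unrelated flood is left out of the track, and the scan, exploit and persistence alerts chain into a single intrusion track.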
Keywords/Search Tags: Intrusion Detection System, Alert Combination, Alert Redundancy Reduction, Alert Aggregation, Alert Correlation, Intrusion Track