Research On Alerts Information Fusion Technology For Intrusion Detection System

Posted on: 2009-03-13   Degree: Master   Type: Thesis
Country: China   Candidate: Z M Shi   Full Text: PDF
GTID: 2178360272974941   Subject: Computer system architecture
Abstract/Summary:
With the increasing complexity of network applications, networks now carry many protocols, services and applications at once. It is therefore very difficult for a single detection method or a single detection system to detect every kind of complex attack, and multiple detection techniques (misuse detection, anomaly detection) and multiple detection systems must be combined to improve detection accuracy. During detection, however, the various Intrusion Detection Systems (IDS) produce a large volume of independent, raw alerts, which are not only enormous in number but also carry comparatively high rates of false positives and false negatives. Because real attacks are often hidden among a large number of false alarms, it is very difficult to identify them and react in time. Consequently, the results produced by different detection methods and different detection systems must be processed through data fusion to obtain a comprehensive assessment. At the same time, data fusion should be applied to alerts from multiple detection systems that span a large range of time and space, to meet the higher-level needs of attack early warning and of evaluating the security state of computer networks. This thesis first surveys the state of the art in IDS alert fusion and, by comparing the available data fusion techniques, proposes a prototype system that fuses alert information from IDS.
The main work of this thesis is as follows:
① Based on the shortcomings and characteristics of raw IDS alerts, we design a fusion algorithm for raw alerts that builds on a preprocessing stage.
② On top of the fusion of raw alerts, we propose a new fuzzy correlation method based on analysis of attack intent and causal relationships. Built on the rule-based fuzzy cognitive map (RBFCM), this method can relate intrusion alerts to the security policy and to the vulnerabilities and configuration of the computer system. The correlation method can not only identify the individual phases of a complex attack and build a complete view of it, but also judge the consequences of the attack at each stage.
③ Based on the proposed algorithm, we design a fusion model that integrates IDS alert information. The model consists of preprocessing, fusion, merging and correlation components, corresponding to the four steps of the algorithm.
④ Finally, we implement the algorithm and test it with standard data for the RBFCM method. The test results show that the fusion model lowers the false-positive rate and markedly reduces the number of alerts the administrator has to examine. The proposed correlation method successfully identifies composite attacks and judges their consequences at each phase.
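The four-stage pipeline of items ① to ④ (preprocessing, fusion, merging, correlation), as an added worked example that is not the thesis's own code or data: the sensor log lines, the signature-to-class mapping, the causal pre/post-condition knowledge base and the linear "soon after" fuzzy membership are illustrative assumptions standing in for the RBFCM-based correlation the thesis describes. The point it makes is the one the abstract claims: nine raw alerts (plus one malformed line) collapse to two items for the administrator, one of which is a complete recon-scan-exploit-exfiltration scenario with a per-link confidence and an overall impact rating.

```python
# Added illustration of a preprocess -> fuse -> merge -> correlate alert
# pipeline.  Log lines, signature classes and causal rules are constructed
# assumptions for the example, not the thesis's data or code.
import re

# Constructed sensor log: "sensor epoch signature | src -> dst"; the last
# line is deliberately malformed so preprocessing has something to reject.
RAW_LOG = """\
snort    100 ICMP PING NMAP | 10.0.0.5 -> 10.0.0.20
snort    101 ICMP PING NMAP | 10.0.0.5 -> 10.0.0.20
snort    102 ICMP PING NMAP | 10.0.0.5 -> 10.0.0.20
suricata 101 ICMP PING NMAP | 10.0.0.5 -> 10.0.0.20
snort    160 SCAN SYN portscan | 10.0.0.5 -> 10.0.0.20
snort    400 WEB-ATTACKS command injection | 10.0.0.5 -> 10.0.0.20
snort    430 SHELLCODE x86 NOOP | 10.0.0.5 -> 10.0.0.20
snort    450 POLICY outbound FTP data | 10.0.0.20 -> 10.0.0.5
snort    900 ICMP PING NMAP | 10.0.0.9 -> 10.0.0.33
this line is malformed and must be dropped
"""
LOG_RE = re.compile(r"^(\w+)\s+(\d+)\s+(.+?)\s*\|\s*(\S+)\s*->\s*(\S+)$")
SIG_CLASS = {"ICMP PING NMAP": "recon", "SCAN SYN portscan": "scan",
             "WEB-ATTACKS command injection": "exploit",
             "SHELLCODE x86 NOOP": "exploit", "POLICY outbound FTP data": "exfil"}
# Assumed causal knowledge base, (pre, post, impact): step A may precede
# step B when one of A's consequences is a prerequisite of B.
KB = {"recon":   (set(),             {"host_known"},    1),
      "scan":    ({"host_known"},    {"service_known"}, 2),
      "exploit": ({"service_known"}, {"code_exec"},     4),
      "exfil":   ({"code_exec"},     {"data_loss"},     5)}

def preprocess(log):
    """Parse raw lines, drop malformed or unknown ones, normalise fields."""
    alerts = []
    for line in log.splitlines():
        m = LOG_RE.match(line.strip())
        if m and m.group(3) in SIG_CLASS:
            sensor, ts, sig, src, dst = m.groups()
            alerts.append({"sensor": sensor, "ts": int(ts), "sig": sig,
                           "cls": SIG_CLASS[sig], "src": src, "dst": dst,
                           "count": 1, "sensors": {sensor}})
    return sorted(alerts, key=lambda a: a["ts"])

def _group(alerts, key, window):
    """Fold each alert into the first group with the same key whose first
    alert is within `window` seconds, otherwise open a new group."""
    groups = []
    for a in alerts:
        for g in groups:
            if key(g) == key(a) and a["ts"] - g["ts"] <= window:
                g["count"] += a["count"]
                g["sensors"] |= a["sensors"]
                break
        else:
            groups.append({**a, "sensors": set(a["sensors"])})
    return groups

def fuse(alerts, window=30):
    """Collapse repeats of one signature from one sensor (an alert flood)."""
    return _group(alerts, lambda a: (a["sensor"], a["sig"], a["src"], a["dst"]), window)

def merge(fused, window=30):
    """Merge the same attack step reported by different sensors/signatures."""
    return _group(fused, lambda a: (a["cls"], a["src"], a["dst"]), window)

def correlate(hyper, horizon=600):
    """Chain steps by pre/post-condition; each link carries a fuzzy
    'soon after' membership decaying linearly to 0 at `horizon` seconds."""
    hyper = sorted(hyper, key=lambda h: h["ts"])
    for h in hyper:
        h["prev"], h["conf"] = None, 1.0
    for j, b in enumerate(hyper):
        for a in hyper[:j]:
            conf = 1 - (b["ts"] - a["ts"]) / horizon
            # Endpoints must match as a pair in either direction, because
            # exfiltration flows back from the victim to the attacker.
            if ({a["src"], a["dst"]} == {b["src"], b["dst"]}
                    and KB[a["cls"]][1] & KB[b["cls"]][0]
                    and conf > 0 and (b["prev"] is None or conf > b["conf"])):
                b["prev"], b["conf"] = a, conf
    used = {id(h["prev"]) for h in hyper if h["prev"]}
    scenarios = []
    for end in [h for h in hyper if id(h) not in used]:
        chain, node = [], end          # walk back from each chain's last step
        while node:
            chain.insert(0, node)
            node = node["prev"]
        scenarios.append({"steps": [n["cls"] for n in chain],
                          "confidence": min(n["conf"] for n in chain),
                          "impact": max(KB[n["cls"]][2] for n in chain),
                          "raw_alerts": sum(n["count"] for n in chain)})
    return scenarios

def run(log=RAW_LOG):
    """Full pipeline: the scenarios the administrator actually has to see."""
    return correlate(merge(fuse(preprocess(log))))
```

Running `run()` on the constructed log yields two scenarios: the four-step chain `['recon', 'scan', 'exploit', 'exfil']` with confidence 0.6 (the weakest link is the 240 s gap between scan and exploit), impact 5 and eight raw alerts behind it, and a lone reconnaissance ping against an unrelated host. Matching endpoints as an unordered pair is the detail that makes the outbound FTP alert join the chain; matching src/dst strictly would silently drop the highest-impact step.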
Keywords/Search Tags: Intrusion Detection, Information Fusion, Alert Correlation, RBFCM, Network Security