The Design And Implementation Of Log-based Network Security Situational Awareness Sensors

Posted on: 2009-07-28
Degree: Master
Type: Thesis
Country: China
Candidate: Y C Cao
GTID: 2178360272979799
Subject: Computer application technology

Abstract/Summary:
With the rapid development of information technology, the network has become a necessary means for people to carry out their work. Along with this convenience, the Internet also brings serious security problems. Network Security Situational Awareness (NSSA), which reflects the overall state of network security, is an emerging topic in the network security domain. As the trace of a computer's runtime status, the log file is useful for maintaining system status, monitoring system actions, and managing the system's security situation. As an important data source reflecting the network security situation, the log file is also the basic data source for realizing an NSSA system. The Log-based NSSA Sensor collects and analyzes log data from multiple sources, processes the log information, and provides security events in a unified format to higher layers.

Firstly, the status quo of network security is introduced, and the purpose and significance of this thesis are explained. Log data sources are described and classified, and the features and format of each kind of log data source are analyzed in detail. Some of the technologies and systems involved are also introduced.

Secondly, the architecture of the Log-based NSSA Sensor is discussed, and plans for the sensors' deployment and structure are proposed. The function of each module in a sensor is described in detail. Finally, an evaluation of the sensor is presented.

Thirdly, according to the source and form of the log files, the author gives three means of log collection. With Snort's logging improved, the collection of Windows host logs and Snort logs is implemented.

Finally, using the Association Rules algorithm and the Frequent Episodes Mining algorithm from data mining, the Windows-host-log-based NSSA Sensor is implemented. The sensor's effectiveness at distinguishing security events from normal activities is then tested, and general solutions are suggested for some problems found in the test. Lastly, conclusions are drawn and further research on this issue is proposed.
Keywords/Search Tags:network security, situational awareness, sensor, log