
Research And Application Of Correlation And Analysis Techniques For Network Security Events

Posted on: 2010-10-09
Degree: Master
Type: Thesis
Country: China
Candidate: R G L Ao
Full Text: PDF
GTID: 2178360272980303
Subject: Computer software and theory
Abstract/Summary:
With the rapid development of Internet technologies, network security has become increasingly sensitive and important. The Internet suffers from a growing number of security threats, and network and information security now affects daily life, the economy and even national security. Network security equipment and systems such as firewalls and intrusion detection systems (IDS) are therefore under constant development and play an active role in protecting networks. At the same time, an IDS produces large numbers of alerts, both true and false, which makes it very challenging for human analysts or intrusion response systems to understand the alerts and take appropriate action. It is therefore necessary to apply alert correlation methods and to develop IDS coordination modes that analyse alerts, build distinct attack scenarios and reduce the volume of false alerts.

Based on a summary and analysis of the state of correlation technology, this paper presents a multi-feature correlation method based on hierarchical clustering. Taking into account the characteristics of different clustering methods, the method correlates alarm events in a way that draws on the advantages of each algorithm and avoids the monotonic correlation results produced by single-method approaches. In addition, this paper studies and improves a causality correlation method based on the CAPABILITY model, and gives a detailed description of that model. Experimental results and comparative analysis validate the effectiveness of the multi-attack correlation. Adding a function that validates host configuration information effectively reduces the number of alarm events and improves the accuracy of the correlation.
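As an added illustration (not code from the thesis), the following Python sketch combines the two ideas the abstract describes: a host-configuration check that discards alerts aimed at a port the target host does not expose, followed by agglomerative (single-linkage) hierarchical clustering over several alert features. The Alert fields, the host inventory, the sample alerts and the equal-weight distance function are all constructed assumptions here, not the thesis's own measure or data.

```python
from dataclasses import dataclass
from itertools import combinations

@dataclass(frozen=True)
class Alert:
    ts: float   # seconds since capture start
    src: str
    dst: str
    dport: int
    sig: str    # IDS signature name

# Constructed host inventory (assumption): ports each monitored host actually exposes.
HOST_SERVICES = {"10.0.0.5": {22, 80}, "10.0.0.7": {445}}

# Constructed sample alerts; the last one targets a port 10.0.0.5 does not expose.
SAMPLE_ALERTS = [
    Alert(0, "198.51.100.9", "10.0.0.5", 80, "WEB-SQLI"),
    Alert(5, "198.51.100.9", "10.0.0.5", 80, "WEB-SQLI"),
    Alert(12, "198.51.100.9", "10.0.0.5", 22, "SSH-BRUTE"),
    Alert(900, "203.0.113.4", "10.0.0.7", 445, "SMB-SCAN"),
    Alert(905, "203.0.113.4", "10.0.0.5", 445, "SMB-SCAN"),
]

def validate_against_hosts(alerts, inventory):
    """Host-configuration check: drop alerts aimed at a port the target does not expose."""
    return [a for a in alerts if a.dport in inventory.get(a.dst, set())]

def distance(a, b, time_scale=60.0):
    """Multi-feature dissimilarity in [0, 1]: mean of per-feature mismatches (assumed weights)."""
    feats = [a.src != b.src, a.dst != b.dst, a.dport != b.dport, a.sig != b.sig,
             min(abs(a.ts - b.ts) / time_scale, 1.0)]
    return sum(feats) / len(feats)

def hierarchical_cluster(alerts, threshold=0.5):
    """Agglomerative single-linkage clustering; stop when the closest pair exceeds threshold."""
    clusters = [[a] for a in alerts]
    while len(clusters) > 1:
        d, i, j = min((min(distance(x, y) for x in clusters[i] for y in clusters[j]), i, j)
                      for i, j in combinations(range(len(clusters)), 2))
        if d > threshold:
            break
        clusters[i].extend(clusters.pop(j))   # j > i, so index i is unaffected
    return clusters

def correlate(alerts, inventory, threshold=0.5):
    """Validate against host configuration, then cluster the surviving alerts."""
    return hierarchical_cluster(validate_against_hosts(alerts, inventory), threshold)
```

Running correlate(SAMPLE_ALERTS, HOST_SERVICES) discards the SMB alert against 10.0.0.5 and groups the remaining four into two clusters: the three alerts from 198.51.100.9 against 10.0.0.5 (one scenario) and the lone SMB scan of 10.0.0.7.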
Keywords/Search Tags: Alert correlation, hierarchical clustering, causality correlation, CAPABILITY model