
A Comprehensive Approach To Alerts Correlation In Network Security Management System

Posted on: 2010-08-13
Degree: Master
Type: Thesis
Country: China
Candidate: X Xia
GTID: 2178360275479566
Subject: Computer software and theory

Abstract/Summary:
In the field of network security, the contest between attackers and legitimate users never ends. Meanwhile, a great variety of tools and a mass of information place high demands on network security managers, especially in the face of the current trend toward composite attacks, which traditional single-point security management fails to handle. With network users increasingly requiring intelligent security management, an integrated solution, the network security management system, has become the prevailing approach.

A network security management system is expected to provide centralized monitoring, uniform policy management, intelligent auditing and interaction among the various security function modules. At the same time, the Intrusion Detection System (IDS) has evolved into an important tool for network security monitoring, and a notable development trend in network security management is the adoption of an IDS-centric correlation model. But the detection mechanisms of traditional IDSs have weaknesses: alerts that are too fine-grained, alarms raised in isolation, a lack of awareness of the protected environment, and a high rate of false alarms. Research on comprehensive alert correlation has therefore become a focus, aiming to combine many kinds of correlation methods so as to handle alerts of different kinds and at different levels.

This thesis discusses the application of a comprehensive approach to alert correlation in a network security management system, comprising alert normalization, alert reduction, alert verification and alert causal correlation. After introducing each component of the comprehensive correlation approach in turn, the thesis focuses on the alert verification and alert causal correlation components of the framework. Alert verification aims to reduce the false alarm rate by using heterogeneous contextual information. Alert causal correlation then uses a knowledge base of prerequisites and consequences to uncover the underlying sequence among the low-level alerts that pass the verification stage.
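The four-stage pipeline described in the abstract, shown as an added example in Python; this is not code from the thesis. The two sensor alert formats, the asset inventory, the signature names and the prerequisite/consequence facts in the knowledge base are all constructed for the illustration, and the verification rule (lower the confidence of an alert whose target port is not exposed on a known host) stands in for whatever contextual checks the thesis actually uses.

```python
"""Added example (not from the thesis): a toy alert-correlation pipeline.

Stages: normalization -> reduction -> verification -> causal correlation
using a prerequisite/consequence knowledge base. Every input is constructed.
"""
from collections import defaultdict
from dataclasses import dataclass


@dataclass
class Alert:
    ts: int              # seconds since epoch (constructed values)
    sig: str             # normalized signature name
    src: str
    dst: str
    dport: int
    count: int = 1       # how many raw alerts were merged into this one
    confidence: float = 1.0


# Constructed raw alerts from two hypothetical sensors with different field names.
RAW_SENSOR_A = [
    {"time": 100, "signature": "PORTSCAN", "source": "10.0.0.5", "target": "10.0.0.9", "port": 0},
    {"time": 101, "signature": "PORTSCAN", "source": "10.0.0.5", "target": "10.0.0.9", "port": 0},
    {"time": 102, "signature": "PORTSCAN", "source": "10.0.0.5", "target": "10.0.0.9", "port": 0},
]
RAW_SENSOR_B = [
    {"t": 130, "name": "web_exploit_attempt", "sip": "10.0.0.5", "dip": "10.0.0.9", "dpt": 80},
    {"t": 135, "name": "web_exploit_attempt", "sip": "10.0.0.5", "dip": "10.0.0.7", "dpt": 80},
    {"t": 160, "name": "outbound_shell", "sip": "10.0.0.9", "dip": "10.0.0.5", "dpt": 4444},
]

# Constructed asset inventory: ports each monitored host actually exposes.
ASSETS = {"10.0.0.9": {80, 22}, "10.0.0.7": {22}}

# Constructed knowledge base: facts a signature requires ("pre") and produces ("post").
# Fact templates are filled with the alert's src/dst addresses.
KB = {
    "port_scan": {"pre": set(), "post": {"recon({src},{dst})"}},
    "web_exploit_attempt": {"pre": {"recon({src},{dst})"}, "post": {"compromised({dst})"}},
    "outbound_shell": {"pre": {"compromised({src})"}, "post": {"c2({src})"}},
}
SIG_MAP = {"PORTSCAN": "port_scan", "web_exploit_attempt": "web_exploit_attempt",
           "outbound_shell": "outbound_shell"}


def normalize(raw_a, raw_b):
    """Map both sensor formats onto the common Alert schema, ordered by time."""
    alerts = [Alert(r["time"], SIG_MAP[r["signature"]], r["source"], r["target"], r["port"])
              for r in raw_a]
    alerts += [Alert(r["t"], SIG_MAP[r["name"]], r["sip"], r["dip"], r["dpt"]) for r in raw_b]
    return sorted(alerts, key=lambda a: a.ts)


def reduce_alerts(alerts, window=60):
    """Merge alerts with identical (sig, src, dst, dport) arriving within `window` seconds."""
    merged = []
    for a in alerts:
        for m in merged:
            if (m.sig, m.src, m.dst, m.dport) == (a.sig, a.src, a.dst, a.dport) and a.ts - m.ts <= window:
                m.count += 1
                break
        else:
            merged.append(Alert(a.ts, a.sig, a.src, a.dst, a.dport))
    return merged


def verify(alerts, assets, threshold=0.5):
    """Contextual verification: an inbound alert against a port the known target host
    does not expose is likely a false alarm, so its confidence is lowered and it is dropped."""
    for a in alerts:
        if a.dport and a.dst in assets and a.dport not in assets[a.dst]:
            a.confidence = 0.2
    return [a for a in alerts if a.confidence >= threshold]


def correlate(alerts, kb):
    """Link alert j to an earlier alert i when a consequence of i satisfies a prerequisite of j."""
    fill = lambda tmpl, a: tmpl.format(src=a.src, dst=a.dst)
    edges = []
    for j, later in enumerate(alerts):
        needs = {fill(t, later) for t in kb[later.sig]["pre"]}
        for i in range(j):
            gives = {fill(t, alerts[i]) for t in kb[alerts[i].sig]["post"]}
            if needs & gives:
                edges.append((i, j))
    return edges


def scenarios(alerts, edges):
    """Expand the correlation graph into attack-scenario chains of signature names."""
    succ, has_pred = defaultdict(list), set()
    for i, j in edges:
        succ[i].append(j)
        has_pred.add(j)

    def walk(i):
        if not succ[i]:
            return [[alerts[i].sig]]
        return [[alerts[i].sig] + rest for j in succ[i] for rest in walk(j)]

    return [p for i in range(len(alerts)) if i not in has_pred and succ[i] for p in walk(i)]


def run_pipeline():
    reduced = reduce_alerts(normalize(RAW_SENSOR_A, RAW_SENSOR_B))
    verified = verify(reduced, ASSETS)
    return reduced, verified, scenarios(verified, correlate(verified, KB))


if __name__ == "__main__":
    _, _, chains = run_pipeline()
    for chain in chains:
        print(" -> ".join(chain))
```

On the constructed input, the three scan alerts collapse into one, the exploit attempt against a host that does not expose port 80 is discarded by verification, and the remaining scan, exploit attempt and outbound shell are chained into a single scenario because each alert's consequence fact matches the next alert's prerequisite. In a real deployment the asset inventory and knowledge base would be maintained data, not literals.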
Keywords/Search Tags: Comprehensive correlation approach, network security management, alert verification, causal correlation