
The Research And Implementation Of Attack Model And Event Correlation Technology In Network Security

Posted on: 2010-05-27
Degree: Master
Type: Thesis
Country: China
Candidate: X J Liu
Full Text: PDF
GTID: 2178360275479591
Subject: Computer application technology
Abstract/Summary:
With the rapid development of networks and the growing informatization of society, network security problems have become more diverse and complex, and network attacks are becoming large-scale, multi-stage and coordinated. To defend against intrusions, firewalls, intrusion detection systems, vulnerability scanners and other tools are widely deployed in networks, and each of these products protects the network system in a different aspect. However, these relatively independent security devices generate huge numbers of security events, some of which are redundant and unreliable, and which sometimes even form an "alert flood"; at the same time, these events are low-level and lack effective fusion and correlation, so it is difficult for administrators to identify potential threats and grasp the overall security situation. To manage the security incidents generated by multi-source, heterogeneous security equipment, unified network security management has been proposed and has become a research hotspot in network security management.

Unified network security management combines multi-source data collection, alert verification and event correlation in an integrated security information and event management platform. As the core of event correlation, an attack knowledge base covering attack description, attack verification, attack detection, attack correlation and attack reaction is essential: it provides the knowledge support for information sharing among the various data sources and for event correlation, and it directly determines the ultimate effect of event analysis.

However, there is still no efficient attack model for network security. In this thesis, security events are used to abstract and describe attacks, which eliminates the disadvantages of low-level, coarse-grained events and yields a more accurate and comprehensive description of complex attacks. In addition, an XML-based multi-level association rule is put forward, which achieves practicability, reusability and extensibility. A verification-based intrusion detection mechanism is proposed to identify true intrusions accurately among the large number of security events. For multi-step attacks with phase characteristics, the thesis uses scenario-oriented attack reasoning to establish attack scenarios, which gives an overall view of network security. Furthermore, reconstruction of the attack chain can reveal the internal relationships among the elementary events that belong to the same compound attack, identify the intrusion intention and predict subsequent attack activity. Finally, Netpoke is used to replay the DARPA data sets in an experimental environment, and the experimental results verify the feasibility and effectiveness of the proposed attack model and event correlation techniques.
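As an added illustration of the verification-based detection and scenario-oriented correlation described in the abstract (example code written for this page, not the thesis's implementation), the following Python sketch assumes a constructed asset knowledge base, one hard-coded scenario rule standing in for the XML rule base, and constructed sample alerts:

```python
from collections import defaultdict

# Constructed asset knowledge base (hypothetical hosts): the services each
# target really runs, used to verify an alert's precondition before correlation.
ASSETS = {"10.0.0.5": {"http", "ssh"}, "10.0.0.9": {"smb"}}

# Constructed scenario rule: a compound attack is an ordered sequence of
# elementary event phases sharing one (attacker, target) pair.
SCENARIO = ("recon", "exploit", "privilege", "c2")

def verify(event):
    """Alert verification: keep an event only if its target is known and, when
    the event names a required service, the target actually exposes it."""
    services = ASSETS.get(event["dst"])
    if services is None:
        return False
    required = event.get("requires")
    return required is None or required in services

def correlate(events, scenario=SCENARIO):
    """Scenario-oriented reasoning: advance one state machine per (src, dst)
    pair through the scenario in time order. Returns, per pair, the
    reconstructed chain of event ids, whether the scenario completed, and
    the predicted next phase of an incomplete chain."""
    chains = defaultdict(list)
    for ev in sorted(events, key=lambda e: e["ts"]):
        if not verify(ev):
            continue  # unverified alert: never enters a chain
        key = (ev["src"], ev["dst"])
        step = len(chains[key])
        if step < len(scenario) and ev["type"] == scenario[step]:
            chains[key].append(ev["id"])
    report = {}
    for key, chain in chains.items():
        done = len(chain) == len(scenario)
        report[key] = {"chain": chain, "complete": done,
                       "predicted_next": None if done else scenario[len(chain)]}
    return report

# Constructed sample events (normalised alerts); event 3 targets a service
# 10.0.0.9 does not run, so verification discards it as a false alert.
EVENTS = [
    {"id": 1, "ts": 1, "src": "1.2.3.4", "dst": "10.0.0.5", "type": "recon"},
    {"id": 2, "ts": 2, "src": "1.2.3.4", "dst": "10.0.0.5", "type": "exploit", "requires": "http"},
    {"id": 3, "ts": 3, "src": "1.2.3.4", "dst": "10.0.0.9", "type": "exploit", "requires": "http"},
    {"id": 4, "ts": 4, "src": "1.2.3.4", "dst": "10.0.0.5", "type": "privilege"},
    {"id": 5, "ts": 5, "src": "5.6.7.8", "dst": "10.0.0.9", "type": "recon"},
    {"id": 6, "ts": 6, "src": "1.2.3.4", "dst": "10.0.0.5", "type": "c2"},
]
```

Calling `correlate(EVENTS)` reconstructs the complete four-phase chain against 10.0.0.5 and reports the lone reconnaissance against 10.0.0.9 as incomplete with "exploit" as its predicted next phase.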
Keywords/Search Tags: network security management, attack model, event correlation technology, verification, scenario