Research On Alert Data-processing Technology For Intrusion Detection System

Posted on: 2010-10-02
Degree: Master
Type: Thesis
Country: China
Candidate: X J Yang
Full Text: PDF
GTID: 2178360278466664
Subject: Computer application technology
Abstract/Summary:
With the growth in network attacks and the advance of intrusion techniques, the alerts produced by intrusion detection systems (IDS) show several limitations: huge volume, massive duplication, a high false-positive rate, and low-level granularity, with most alerts reflecting only a single step of a complex attack. As a result, alert data processing has become a frontier topic in intrusion detection research. Fusion and correlation can reduce the number of alerts, filter out repeated alerts, reflect attack behaviour more accurately, and increase the practical value of an IDS. Based on data fusion and correlation technology, and on the characteristics of IDS alert data, this thesis studies the overall design of alert processing and several of its key technologies.

The thesis designs a framework for an alert processing system that serves multiple intrusion detection systems. To address the unclear boundaries between the definitions of fused data and the lack of layered processing, it proposes a level-by-level processing method. Based on the characteristics of alert fusion, the author identifies four representative types of relation between alerts and designs the function of each module according to those relations, which reduces the complexity of alert processing. In the merge module in particular, the thesis uses a sampling-based method; compared with other known algorithms, it does not depend on a merge-rule database and loses less detail.

Building on classical plan recognition methods from artificial intelligence, and addressing the wide search space, loose time constraints and low efficiency of existing intrusion alert correlation, while taking into account the characteristics of the alert correlation problem in intrusion detection systems, this thesis extends the goal graph model and proposes the Extended Goal Graph model. On this basis, the author proposes an IDS alert correlation algorithm based on the Extended Goal Graph; the correlated results reflect both the attacker's intention and the strategy adopted.

This research helps reduce the cost of alert processing in network environments that deploy multiple, especially lightweight, intrusion detection systems, making alerts more concise and more useful for guiding network security protection.
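The following Python sketch is an added illustration of the two stages the abstract describes, fusion followed by goal-graph correlation; it is not code from the thesis, and the thesis's own sampling-based merge and Extended Goal Graph algorithm are not reproduced here. It assumes a constructed alert set from two hypothetical sensors, a hand-written acyclic goal graph (`GOAL_GRAPH`, `GOALS`) for a scan, exploit, privilege-escalation, exfiltration chain, a fusion key of (signature, source, destination) inside a fixed time window, and a greedy single-pass correlation that links consecutive steps by shared host. All names and thresholds are assumptions for the example.

```python
from dataclasses import dataclass


@dataclass
class Alert:
    ts: float      # seconds since start of capture
    sensor: str    # which IDS raised it
    sig: str       # signature / event class
    src: str
    dst: str
    count: int = 1  # how many raw alerts this (possibly merged) alert stands for


# Constructed sample alerts from two hypothetical sensors, "ids-a" and "ids-b".
# The first three are one scan reported three times; the scan from 10.0.0.7 is unrelated noise.
SAMPLE = [
    Alert(0, "ids-a", "PORT_SCAN", "10.0.0.5", "10.0.1.9"),
    Alert(1, "ids-b", "PORT_SCAN", "10.0.0.5", "10.0.1.9"),
    Alert(2, "ids-a", "PORT_SCAN", "10.0.0.5", "10.0.1.9"),
    Alert(40, "ids-a", "EXPLOIT_ATTEMPT", "10.0.0.5", "10.0.1.9"),
    Alert(41, "ids-b", "EXPLOIT_ATTEMPT", "10.0.0.5", "10.0.1.9"),
    Alert(90, "ids-a", "PRIV_ESC", "10.0.0.5", "10.0.1.9"),
    Alert(95, "ids-b", "PORT_SCAN", "10.0.0.7", "10.0.1.3"),
    Alert(150, "ids-a", "DATA_EXFIL", "10.0.1.9", "203.0.113.8"),
]

# Hypothetical goal graph (assumed acyclic): each attack step maps to the steps it can
# directly enable. Goal nodes name the attacker's intention once they are reached.
GOAL_GRAPH = {
    "PORT_SCAN": ["EXPLOIT_ATTEMPT"],
    "EXPLOIT_ATTEMPT": ["PRIV_ESC", "DATA_EXFIL"],
    "PRIV_ESC": ["DATA_EXFIL"],
    "DATA_EXFIL": [],
}
GOALS = {"DATA_EXFIL": "data theft"}


def fuse(alerts, window=10.0):
    """Fusion: merge alerts with identical (sig, src, dst) that arrive within `window`
    seconds of the first one, whichever sensor raised them. The merged alert keeps the
    earliest timestamp and counts how many raw alerts it absorbed."""
    merged = []
    for a in sorted(alerts, key=lambda x: x.ts):
        for m in merged:
            if (m.sig, m.src, m.dst) == (a.sig, a.src, a.dst) and a.ts - m.ts <= window:
                m.count += 1
                break
        else:
            merged.append(Alert(a.ts, a.sensor, a.sig, a.src, a.dst))
    return merged


def linked(prev, nxt):
    """Attribute link: the later step targets, or originates from, the host the earlier one reached."""
    return nxt.dst == prev.dst or nxt.src == prev.dst


def correlate(fused, max_gap=120.0):
    """Correlation as greedy plan recognition: an alert extends the first open scenario
    whose last step can lead to it in GOAL_GRAPH, is linked by host, and is no older
    than `max_gap` seconds; otherwise it starts a new scenario."""
    scenarios = []
    for a in sorted(fused, key=lambda x: x.ts):
        for sc in scenarios:
            last = sc[-1]
            if (a.sig in GOAL_GRAPH.get(last.sig, [])
                    and linked(last, a) and a.ts - last.ts <= max_gap):
                sc.append(a)
                break
        else:
            scenarios.append([a])
    return scenarios


def intention(scenario):
    """Name the goal a scenario has reached, or the goals still reachable from its last step."""
    last = scenario[-1].sig
    if last in GOALS:
        return GOALS[last]
    reachable, stack = set(), list(GOAL_GRAPH.get(last, []))
    while stack:  # simple DFS; terminates because the graph is assumed acyclic
        step = stack.pop()
        if step in GOALS:
            reachable.add(GOALS[step])
        stack.extend(GOAL_GRAPH.get(step, []))
    return "possible: " + ", ".join(sorted(reachable)) if reachable else "unknown"


def run(alerts=SAMPLE):
    """Full pipeline; returns (number of fused alerts, [(steps, intention)] per scenario)."""
    fused = fuse(alerts)
    return len(fused), [([a.sig for a in sc], intention(sc)) for sc in correlate(fused)]


if __name__ == "__main__":
    n, scenarios = run()
    print(f"{len(SAMPLE)} raw alerts -> {n} after fusion")
    for steps, goal in scenarios:
        print(" -> ".join(steps), "|", goal)
```

On the constructed input the eight raw alerts fuse to five, and correlation yields one four-step scenario whose intention is the reached goal and one lone scan whose intention can only be reported as "possible". Two caveats a practitioner would check before using such logic: the fusion key discards sensor identity, so a merged alert should carry the set of contributing sensors if that matters for triage, and the greedy pass attaches an alert to the first matching scenario only, so interleaved attacks against the same host can be chained incorrectly.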
Keywords/Search Tags: network security, intrusion detection, alert fusion, alert correlation, attack intention