
Research On Key Technology Of Alert Correlation For Centralized Management

Posted on: 2009-11-01
Degree: Master
Type: Thesis
Country: China
Candidate: Y Liu
Full Text: PDF
GTID: 2178360278957115
Subject: Computer Science and Technology

Abstract/Summary:
With the development of network security management, integrated and centralized management has gradually become a hot topic. Networks contain a large number and wide variety of security devices, which emit huge volumes of security alerts. To reduce redundancy and identify potential threat incidents, a centralized management platform analyzes the alerts issued by security devices of different types and at different locations through correlation analysis. Since each type of security device has its own emphasis, the correlation engine performs macro-level analysis of the network security state and its trend, using association rules or statistical information drawn from the various devices.

The thesis studies network alert correlation analysis, then surveys and compares the algorithms used by correlation engines together with related knowledge from fields such as attack modeling, pattern matching, risk assessment and data mining. On that basis, the correlation method and the acquisition of association rules are improved and implemented. Rule-based correlation and statistical correlation are integrated by applying statistics to rule-based correlation, and an integrated correlation algorithm is designed. Experiments show that the algorithm improves real-time performance without affecting the false negative rate (missed alerts) or the false positive rate (erroneous alerts). Moreover, the thesis improves the sequence-oriented data mining algorithm WINEPI to obtain candidate association rules. By deploying the integrated correlation algorithm and the rule mining algorithm, the centralized management platform can strengthen network security monitoring.
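The WINEPI step described above, mining frequent serial episodes from a time-ordered alert stream and turning them into candidate association rules, as an added example written for this page and not taken from the thesis. It implements the original WINEPI window-counting scheme (an episode's frequency is the fraction of sliding windows that contain it) with Apriori-style candidate generation, not the thesis's improved variant, which the abstract does not describe; the alert types, timestamps, window width and thresholds are constructed for illustration.

```python
from collections import Counter

# Constructed sample alert stream: (timestamp in seconds, alert type) from a
# hypothetical set of IDS sensors. Three sessions contain the sequence
# PORTSCAN -> EXPLOIT_ATTEMPT -> SHELL_SPAWN, one PORTSCAN has no follow-up,
# and ICMP_PING alerts are background noise.
ALERTS = [
    (0, "ICMP_PING"),
    (5, "PORTSCAN"), (9, "EXPLOIT_ATTEMPT"), (14, "SHELL_SPAWN"),
    (30, "ICMP_PING"),
    (40, "PORTSCAN"), (43, "EXPLOIT_ATTEMPT"), (50, "SHELL_SPAWN"),
    (60, "ICMP_PING"),
    (70, "PORTSCAN"),
    (90, "ICMP_PING"),
    (100, "PORTSCAN"), (104, "EXPLOIT_ATTEMPT"), (110, "SHELL_SPAWN"),
    (120, "ICMP_PING"),
]


def windows(events, win):
    """Yield the time-ordered alert types of every WINEPI window of width `win`.

    Windows are [start, start + win) for integer start from T_s - win + 1 to T_e,
    so the first window holds only the first alert and the last only the last one.
    """
    events = sorted(events)
    t_s, t_e = events[0][0], events[-1][0]
    for start in range(t_s - win + 1, t_e + 1):
        yield [etype for t, etype in events if start <= t < start + win]


def occurs(episode, types_in_window):
    """True if the serial episode appears, in order, as a subsequence of the window."""
    it = iter(types_in_window)
    return all(any(e == x for x in it) for e in episode)


def frequent_episodes(events, win, min_fr):
    """Level-wise WINEPI: map each frequent serial episode (tuple of alert types)
    to its frequency, i.e. the fraction of windows in which it occurs."""
    wins = list(windows(events, win))
    total = len(wins)
    frequent = {}
    level = [(t,) for t in sorted({etype for _, etype in events})]
    while level:
        counts = Counter()
        for w in wins:
            for ep in level:
                if occurs(ep, w):
                    counts[ep] += 1
        found = {ep: counts[ep] / total for ep in level if counts[ep] / total >= min_fr}
        frequent.update(found)
        # Apriori-style candidate generation: extend each newly found episode by a
        # frequent single alert type and keep only candidates whose every
        # sub-episode (one element dropped) is already frequent.
        singles = [ep[0] for ep in frequent if len(ep) == 1]
        level = [
            cand
            for ep in found
            for s in singles
            for cand in [ep + (s,)]
            if all(cand[:i] + cand[i + 1:] in frequent for i in range(len(cand)))
        ]
    return frequent


def episode_rules(frequent, min_conf):
    """Derive candidate rules alpha => beta where alpha is a proper prefix of beta.
    Confidence is fr(beta) / fr(alpha); returns (alpha, beta, confidence) tuples."""
    rules = []
    for beta, fr_beta in frequent.items():
        for k in range(1, len(beta)):
            alpha = beta[:k]
            conf = fr_beta / frequent[alpha]  # every prefix is frequent by Apriori closure
            if conf >= min_conf:
                rules.append((alpha, beta, conf))
    return sorted(rules, key=lambda r: (-r[2], r[0], r[1]))


def mine_alert_rules(events, win, min_fr, min_conf):
    """Full pipeline: alert stream -> frequent episodes -> candidate rules."""
    return episode_rules(frequent_episodes(events, win, min_fr), min_conf)


if __name__ == "__main__":
    for alpha, beta, conf in mine_alert_rules(ALERTS, win=20, min_fr=0.1, min_conf=0.5):
        print(f"{' -> '.join(alpha)}  =>  {' -> '.join(beta)}   conf={conf:.2f}")
```

On the constructed stream the rule PORTSCAN -> EXPLOIT_ATTEMPT => PORTSCAN -> EXPLOIT_ATTEMPT -> SHELL_SPAWN comes out with confidence 31/49, while the background ICMP_PING alerts also produce rules such as ICMP_PING => ICMP_PING -> PORTSCAN because the pings happen to precede every scan. That is why the abstract speaks of candidate rules: the mined output still needs an analyst or a further scoring step before it is loaded into a correlation engine.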
Keywords/Search Tags: SIM, correlation engine, CALM algorithm, association rules, WINEPI algorithm