
Alarm Correlation And Verification For IDS

Posted on: 2010-07-29
Degree: Master
Type: Thesis
Country: China
Candidate: J Ma
Full Text: PDF
GTID: 2178360278974051
Subject: Software engineering
Abstract/Summary:
An intrusion detection system (IDS) plays an important role in security defence: it detects intrusion activity and warns the user by raising alerts. The alerts an IDS generates are, however, not always correct. In practice a large share of them are useless false alerts that need to be removed, and an administrator handling alerts spends an enormous amount of time on them. The true alerts, in turn, arrive scattered and unordered, so it is hard for the administrator to make sense of the huge number of alerts. An IDS therefore has an essential requirement to classify its alerts. Given this situation, the solution is alert correlation and alert verification: alert correlation puts similar alerts together, and alert verification checks alerts and removes the false ones. These two parts are the important parts of alert management. Starting from the existing security requirements of CIA (Confidentiality, Integrity, Availability) and the Dolev-Yao attacker model, this thesis investigates the risks and threats on a network. The design reviews and classifies existing computer security requirements, attacker techniques, alert correlation and alert verification. Building on an existing intrusion detection system, the main work of this thesis is alert correlation and alert verification, whose main purpose is to reduce the false alerts generated by the IDS and to correlate the separate alerts. The design combines anomaly detection, vulnerability verification and alert information confirmation into alert correlation and alert verification.
In this design, a waterfall model of data-flow architecture is introduced to combine the different alert verification and correlation techniques, so as to take advantage of each technique and make each one efficient. At the end of the thesis, network attacks are simulated to test the efficiency of the design. Previous alert evaluation methods have focused on a single technique, researching and improving it in depth to make it more efficient and strengthen its advantages. This design instead adopts an integration approach that combines several well-performing methods, with the aim of improving the current situation through their cooperation. After testing and verification, as illustrated by the data collected in this thesis, the design successfully removed false alerts, established the connections between separate alerts and reduced missed alerts. This shows that the design improves the accuracy of the alerts generated by the IDS and provides the administrator with simpler, more direct and better-organized information.
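The abstract describes a waterfall pipeline in which alert verification (checking an alert against what is actually deployed on the target) runs first and alert correlation (grouping the surviving alerts into incidents) runs after it. The following is an added illustration of that pipeline, written for this page and not taken from the thesis: the asset inventory, the alerts, the vulnerability tags ("VULN-WEB-001") and the burst heuristic standing in for anomaly detection are all constructed assumptions.

```python
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Set, Tuple


@dataclass
class Alert:
    ts: float                       # seconds since epoch
    sig: str                        # IDS signature name
    src: str
    dst: str
    dport: int
    requires: Optional[str] = None  # vulnerability tag the attack needs, if the signature records one


@dataclass
class Host:
    open_ports: Set[int]
    vulns: Set[str]                 # vulnerability tags a scanner found on this host


@dataclass
class Incident:
    src: str
    dst: str
    first: float
    last: float
    alerts: List[Alert] = field(default_factory=list)
    anomalous: bool = False


def verify(alerts: List[Alert], assets: Dict[str, Host]) -> Tuple[List[Alert], List[Tuple[Alert, str]]]:
    """Stage 1, alert verification: drop alerts that cannot have affected the target."""
    kept, dropped = [], []
    for a in alerts:
        host = assets.get(a.dst)
        if host is None:
            kept.append(a)          # unknown host: cannot verify, so keep it for the analyst
        elif a.dport not in host.open_ports:
            dropped.append((a, f"port {a.dport} closed on target"))
        elif a.requires and a.requires not in host.vulns:
            dropped.append((a, f"target not vulnerable to {a.requires}"))
        else:
            kept.append(a)
    return kept, dropped


def correlate(alerts: List[Alert], window: float) -> List[Incident]:
    """Stage 2, alert correlation: alerts with the same (src, dst) that arrive within
    `window` seconds of the previous one are merged into a single incident."""
    incidents: List[Incident] = []
    open_by_pair: Dict[Tuple[str, str], Incident] = {}
    for a in sorted(alerts, key=lambda x: x.ts):
        key = (a.src, a.dst)
        inc = open_by_pair.get(key)
        if inc is None or a.ts - inc.last > window:
            inc = Incident(a.src, a.dst, a.ts, a.ts)
            incidents.append(inc)
            open_by_pair[key] = inc
        inc.alerts.append(a)
        inc.last = a.ts
    return incidents


def flag_bursts(incidents: List[Incident], min_alerts: int, burst_window: float) -> None:
    """Stage 3, a simple burst heuristic (assumed here in place of the thesis's anomaly
    detection): many alerts from one pair in a short span mark the incident anomalous."""
    for inc in incidents:
        if len(inc.alerts) >= min_alerts and inc.last - inc.first <= burst_window:
            inc.anomalous = True


def run_pipeline(alerts, assets, window=300.0, min_alerts=3, burst_window=60.0):
    """Waterfall: verification feeds correlation, correlation feeds the anomaly flag."""
    kept, dropped = verify(alerts, assets)
    incidents = correlate(kept, window)
    flag_bursts(incidents, min_alerts, burst_window)
    return incidents, dropped


# Constructed sample data (not from the thesis).
SAMPLE_ASSETS = {
    "10.0.0.5": Host(open_ports={22, 80}, vulns={"VULN-WEB-001"}),
    "10.0.0.6": Host(open_ports={443}, vulns=set()),
}
SAMPLE_ALERTS = [
    Alert(0, "WEB-PATH-TRAVERSAL", "198.51.100.7", "10.0.0.5", 80, "VULN-WEB-001"),
    Alert(5, "WEB-PATH-TRAVERSAL", "198.51.100.7", "10.0.0.5", 80, "VULN-WEB-001"),
    Alert(10, "SSH-BRUTE", "198.51.100.7", "10.0.0.5", 22),
    Alert(12, "IIS-EXPLOIT", "198.51.100.7", "10.0.0.6", 80, "VULN-IIS-002"),     # port closed
    Alert(20, "WEB-PATH-TRAVERSAL", "203.0.113.9", "10.0.0.6", 443, "VULN-WEB-001"),  # not vulnerable
    Alert(400, "SSH-BRUTE", "198.51.100.7", "10.0.0.5", 22),                      # outside window
]

if __name__ == "__main__":
    incidents, dropped = run_pipeline(SAMPLE_ALERTS, SAMPLE_ASSETS)
    for a, reason in dropped:
        print(f"dropped {a.sig} {a.src}->{a.dst}:{a.dport}: {reason}")
    for inc in incidents:
        print(f"incident {inc.src}->{inc.dst} t={inc.first}-{inc.last} "
              f"alerts={len(inc.alerts)} anomalous={inc.anomalous}")
```

Running it drops the two alerts that the inventory rules out, folds the first three alerts into one incident and leaves the late SSH alert as a second one; only the first incident is flagged by the burst heuristic. Note the deliberate choice to keep alerts against hosts the inventory does not know: verification is only as good as the inventory, so an unverifiable alert is passed on rather than silently discarded.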
Keywords/Search Tags:Intrusion Detection, Security Requirement, Alert Verification, Alert Correlation