
The Research And Implementation Of Alert Fusion Method Based On Snort

Posted on: 2011-01-16
Degree: Master
Type: Thesis
Country: China
Candidate: D Wang
Full Text: PDF
GTID: 2178360305455359
Subject: Software engineering
Abstract/Summary:
Network security issues have become increasingly prominent, and this has driven research into network security technology. Intrusion detection has been a hotspot of that research in recent years: it effectively complements the shortcomings of security products such as firewalls and, together with those other products, forms a multi-level, multi-faceted security system.

At this stage, intrusion detection systems face two issues. The first is that alert information floods the system. Many attacks exploit the TCP/IP protocol and occupy so many system resources that normal users can no longer be served; in this situation the intrusion detection system generates a large volume of alerts. On the one hand, resources are occupied by the IDS itself; on the other hand, its performance degrades because it has no time to dispose of all the alerts, so more dangerous alerts can slip into the system. The second issue is that alert information is isolated, while attackers now increasingly use multi-step attacks: intrusion detection systems analyse low-level data for each event without considering whether there is any correlation between the alerts.

Information fusion is a later intrusion detection technique that offers an effective solution to these two problems. The current alert fusion methods are: fusion based on alert properties, fusion based on matching the attack process, fusion based on the cause and effect of alerts, and fusion based on the statistical causes and consequences of alerts. Property-based alert fusion does not require a priori knowledge, and its algorithm is simple and easy to implement.

A fuzzy integral is defined on the basis of a fuzzy measure and is widely used in multi-classifier information fusion. The non-additivity of the fuzzy measure can effectively reflect the interaction between properties.
This interaction can be divided into three categories: redundancy or negative cooperation, complementarity or active cooperation, and active cooperation. Compared with other information fusion methods, such as weighted average methods, the fuzzy integral method has great advantages. I therefore propose a property-based alert fusion method that uses the fuzzy integral.

In implementing the method, the first problem is identifying the fuzzy measure. There are two main approaches. In the first, domain experts assign a fuzzy measure from their own knowledge; this has the advantage of taking the characteristics of attacks into account, but the disadvantage of introducing human subjectivity. In the second, the fuzzy measure is learned from data sets by machine learning; this is more accurate, more objective and free of human interference, but it is difficult to find a suitable training data set. There are many machine learning methods for determining the fuzzy measure, such as neural networks, genetic algorithms and linear programming. A genetic algorithm simulates the process of natural biological evolution and is an optimized search method. It is simple, easy to implement as a computer program and readily used in distributed parallel computing; it is highly robust and very widely applicable. The algorithm is divided into coding, initial population generation, fitness evaluation, selection, crossover and mutation. Selection, crossover and mutation are the main operations of the genetic algorithm; they are also known as genetic operators and are the core processes of evolution.

In property-based alert fusion it is necessary to judge whether two alerts are similar in order to decide whether they can be fused. An algorithm calculates their similarity, and we then judge whether that similarity exceeds the threshold.
Because each alert has many properties, the first task is to select the important ones. We give a similarity algorithm for each property based on its data structure, and fuse the property similarities through the fuzzy integral. Under normal circumstances we select the source IP, source port, destination IP, destination port, protocol type, alert type, time stamp and other important properties.

We set up an alert match template. A configurable parameter N gives the number of alert templates. When the system starts, the template is empty. When a new alert does not match any alert in the template, it is inserted into the alert template. When the number of alerts in the alert match table equals N, one or several alerts are deleted by a replacement algorithm before the new alert is added. The replacement algorithms are the FIFO algorithm, the LRM algorithm, the LFM algorithm and the NMR algorithm; they can be selected according to the needs of the system.

Among the alert messages there are some false alerts, but it is difficult for the administrator to judge whether an alert is true or false. A degree of conviction for each alert is therefore introduced, computed according to the real-time condition of the system, which helps administrators deal with alert information more easily.

Calculating the degree of conviction involves false alert judgment. A false alert is a normal network data packet that is reported as an alert, or a data packet that should be reported as alert A but is classified by the IDS as alert B. Experience shows that network attacks usually send the target a large number of data packets with the same or similar properties. If no other alert within a time window has properties similar to a given alert, we believe that alert may be a false alert. The shortcoming of this approach is that a number of slow scans would be classified as false alerts.
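The following Python sketch is an added example, not code from the thesis or its tool. It shows the property-based fusion step described above: a similarity function per property, a hand-set fuzzy measure (the domain-expert route) combined through a Choquet integral, a threshold test, and an alert match template with capacity N that uses FIFO as its replacement policy. The property set, the similarity functions, the measure values, the threshold and the sample alerts are all assumptions constructed for illustration; the thesis's own similarity algorithms and the LRM, LFM and NMR policies are not reproduced.

```python
"""Property-based alert fusion with a Choquet fuzzy integral (added example).

Everything here is constructed for illustration: the similarity functions,
the fuzzy measure values, the threshold and the sample alerts are assumptions,
not values from the thesis.
"""
from collections import deque

ATTRS = ("src_ip", "dst_ip", "dst_port", "alert_type")
S = frozenset  # subsets of ATTRS index the fuzzy measure


def ip_similarity(a, b):
    """Assumed metric: fraction of leading octets two dotted-quad addresses share."""
    shared = 0
    for x, y in zip(a.split("."), b.split(".")):
        if x != y:
            break
        shared += 1
    return shared / 4


def exact_similarity(a, b):
    """Categorical properties: 1 if identical, 0 otherwise."""
    return 1.0 if a == b else 0.0


SIMILARITY = {"src_ip": ip_similarity, "dst_ip": ip_similarity,
              "dst_port": exact_similarity, "alert_type": exact_similarity}

# Hand-set fuzzy measure g over every subset of ATTRS. It is deliberately
# non-additive: src_ip with alert_type is worth more than the sum of the two
# (complementarity), src_ip with dst_ip less than the sum (redundancy).
MEASURE = {
    S(): 0.0,
    S({"src_ip"}): 0.35, S({"dst_ip"}): 0.25, S({"dst_port"}): 0.15, S({"alert_type"}): 0.35,
    S({"src_ip", "dst_ip"}): 0.45, S({"src_ip", "dst_port"}): 0.5,
    S({"src_ip", "alert_type"}): 0.8, S({"dst_ip", "dst_port"}): 0.4,
    S({"dst_ip", "alert_type"}): 0.6, S({"dst_port", "alert_type"}): 0.55,
    S({"src_ip", "dst_ip", "dst_port"}): 0.6, S({"src_ip", "dst_ip", "alert_type"}): 0.9,
    S({"src_ip", "dst_port", "alert_type"}): 0.9, S({"dst_ip", "dst_port", "alert_type"}): 0.7,
    S(ATTRS): 1.0,
}


def is_fuzzy_measure(g, attrs=ATTRS):
    """Sanity check: g(empty) = 0, g(all) = 1 and g is monotone under inclusion."""
    if g[S()] != 0.0 or g[S(attrs)] != 1.0:
        return False
    return all(g[s | {a}] >= v for s, v in g.items() for a in attrs if a not in s)


def choquet(values, g):
    """Choquet integral: sort scores ascending h(1) <= ... <= h(n), h(0) = 0, and
    sum (h(i) - h(i-1)) * g({properties whose score is >= h(i)})."""
    ordered = sorted(values.items(), key=lambda kv: kv[1])
    total, prev = 0.0, 0.0
    for i, (_, h) in enumerate(ordered):
        total += (h - prev) * g[S(k for k, _ in ordered[i:])]
        prev = h
    return total


def alert_similarity(a, b, g=MEASURE):
    """Fuse the per-property similarities of two alerts into one score in [0, 1]."""
    return choquet({k: SIMILARITY[k](a[k], b[k]) for k in ATTRS}, g)


class TemplateTable:
    """Alert match template of capacity n; FIFO is the replacement policy used here."""

    def __init__(self, n, threshold):
        self.n, self.threshold = n, threshold
        self.templates = deque()  # (template alert, number of alerts fused into it)

    def process(self, alert):
        """Fuse `alert` into its best-matching template when the score exceeds the
        threshold; otherwise insert it, evicting the oldest template when full."""
        best, best_i = 0.0, -1
        for i, (t, _) in enumerate(self.templates):
            score = alert_similarity(alert, t)
            if score > best:
                best, best_i = score, i
        if best_i >= 0 and best > self.threshold:
            t, count = self.templates[best_i]
            self.templates[best_i] = (t, count + 1)
            return "fused", best_i
        if len(self.templates) == self.n:
            self.templates.popleft()  # FIFO replacement
        self.templates.append((alert, 1))
        return "inserted", len(self.templates) - 1


# Constructed sample alerts (not from any real capture).
SAMPLE_ALERTS = [
    {"src_ip": "10.0.0.5", "dst_ip": "192.168.1.10", "dst_port": 80, "alert_type": "WEB-ATTACKS"},
    {"src_ip": "10.0.0.5", "dst_ip": "192.168.1.10", "dst_port": 80, "alert_type": "WEB-ATTACKS"},
    {"src_ip": "10.0.0.5", "dst_ip": "192.168.1.11", "dst_port": 80, "alert_type": "WEB-ATTACKS"},
    {"src_ip": "172.16.3.9", "dst_ip": "192.168.1.20", "dst_port": 22, "alert_type": "SSH-SCAN"},
    {"src_ip": "203.0.113.7", "dst_ip": "192.168.1.30", "dst_port": 445, "alert_type": "SMB-PROBE"},
    {"src_ip": "10.0.0.5", "dst_ip": "192.168.1.10", "dst_port": 80, "alert_type": "WEB-ATTACKS"},
]


def run_demo(alerts=SAMPLE_ALERTS, n=2, threshold=0.75):
    """Feed the sample stream through a 2-slot table. The last alert repeats the
    first but is inserted, not fused, because FIFO has already evicted that template."""
    table = TemplateTable(n, threshold)
    return [table.process(a)[0] for a in alerts]


if __name__ == "__main__":
    assert is_fuzzy_measure(MEASURE)
    print(run_demo())
```

The third sample alert differs from the first only in the last octet of the destination IP, so its per-property scores are (1, 0.75, 1, 1) and the Choquet integral gives 0.75 * g(all) + 0.25 * g({src_ip, dst_port, alert_type}) = 0.975, well above the threshold; lowering the threshold raises the fusion rate, which is the knob the abstract describes.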
To solve this problem, a false alert table is created in the database. An alert that has no properties similar to any other alert within the time window is called a suspicious false alert. To determine whether a suspicious false alert is really a false alert, we match it against the alerts in the false alert table. If it does not match, we determine that it is a false alert and insert its information into the false alert table. If it does match, and the number of matches exceeds the threshold we set, we determine that the alert is generated by a slow scan and trigger a response unit according to the circumstances. A trigger is set in the database to remove overdue false alerts at every interval.

Based on the above study, a specific alert fusion tool is designed that further processes the alert information output by the IDS. When the tool receives a new alert, it first matches it against each alert in the template table using ASA and the fuzzy integral, and compares the maximum similarity with the threshold. If it is greater than the threshold, the new alert and the matching alert in the template table are merged into one alert; otherwise the new alert is inserted into the template table and its degree of conviction is calculated at that time. If the template is full, a replacement algorithm is used to delete an alert. The tool then judges whether the alert is a false alert.

After completing the tool, we ran an experiment on the data set. In-depth analysis of the experimental results shows that the fuzzy integral method is usable, and that the administrator can adjust the fusion rate by setting the alert threshold. The process is simple, and the fusion process does not require prior expert knowledge.
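The false alert table and slow-scan logic described above, as an added example in Python that is not the thesis's own code. It assumes that "similar properties" means the same source IP and alert type, that the window check looks back over alerts already seen (so the first alert of a real burst is judged before its peers arrive), that a matching alert is also kept in the table when the match count is still below the threshold, and that the expiry check stands in for the database trigger; the window, threshold and expiry values and the event stream are constructed.

```python
"""Suspicious-false-alert filtering with a false alert table (added example).

Assumptions not taken from the thesis: "similar properties" means the same
source IP and alert type; the window check looks back over alerts already
seen; the window, threshold and expiry values and the event stream are made up.
"""


def similar(a, b):
    """Assumed similarity test shared by the window check and the table check."""
    return a["src_ip"] == b["src_ip"] and a["alert_type"] == b["alert_type"]


class FalseAlertFilter:
    def __init__(self, window, slow_scan_threshold, expiry):
        self.window = window                  # seconds; peers must fall inside this
        self.threshold = slow_scan_threshold  # table matches above this mean slow scan
        self.expiry = expiry                  # seconds before a table entry is overdue
        self.recent = []                      # alerts seen, pruned to the window
        self.false_table = []                 # the false alert table of the abstract

    def _remove_overdue(self, now):
        """Stands in for the database trigger that removes overdue false alerts."""
        self.false_table = [a for a in self.false_table if now - a["ts"] <= self.expiry]

    def classify(self, alert):
        """Return 'alert', 'false_alert' or 'slow_scan' for one incoming alert."""
        now = alert["ts"]
        self._remove_overdue(now)
        self.recent = [a for a in self.recent if now - a["ts"] <= self.window]
        has_peer = any(similar(alert, a) for a in self.recent)
        self.recent.append(alert)
        if has_peer:
            return "alert"
        # No similar alert inside the window: a suspicious false alert.
        matches = sum(1 for a in self.false_table if similar(alert, a))
        self.false_table.append(alert)  # assumption: kept even when matches <= threshold
        if matches > self.threshold:
            return "slow_scan"  # the abstract triggers a response unit here
        return "false_alert"


def _a(ts, src, kind):
    return {"ts": ts, "src_ip": src, "alert_type": kind}


# Constructed event stream, ordered by timestamp in seconds.
SAMPLE_STREAM = [
    _a(0, "10.0.0.5", "WEB-ATTACKS"),      # burst from one source
    _a(2, "10.0.0.5", "WEB-ATTACKS"),
    _a(4, "10.0.0.5", "WEB-ATTACKS"),
    _a(10, "192.0.2.8", "ICMP-PING"),      # isolated alert, nothing like it follows
    _a(100, "198.51.100.4", "PORTSCAN"),   # slow scan: one probe every 300 s
    _a(400, "198.51.100.4", "PORTSCAN"),
    _a(700, "198.51.100.4", "PORTSCAN"),
    _a(1000, "198.51.100.4", "PORTSCAN"),
    _a(1300, "198.51.100.4", "PORTSCAN"),
    _a(5000, "198.51.100.4", "PORTSCAN"),  # after expiry the table is empty again
]


def run_demo(stream=SAMPLE_STREAM, window=60, threshold=3, expiry=3600):
    """Classify the constructed stream; the fifth slow-scan probe trips the threshold."""
    f = FalseAlertFilter(window, threshold, expiry)
    return [f.classify(a) for a in stream]


if __name__ == "__main__":
    for alert, verdict in zip(SAMPLE_STREAM, run_demo()):
        print(alert["ts"], alert["src_ip"], alert["alert_type"], "->", verdict)
```

With a 60 s window each probe of the 300 s scan is a suspicious false alert on its own, but the table accumulates the earlier probes, so the fifth one is reported as a slow scan instead of being discarded. The last probe arrives after the 3600 s expiry has emptied the table, which shows the trade-off the expiry interval sets: an interval shorter than the scan's gap makes the scan look like a run of unrelated false alerts again.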
Keywords/Search Tags: Intrusion Detection, IDS, Alert Fusion, Fuzzy Measure, Fuzzy Integral