
Intrusion Detection Alert Correlation Based On Choquet Fuzzy Integral

Posted on: 2011-11-21
Degree: Master
Type: Thesis
Country: China
Candidate: Y Y Zhang
Full Text: PDF
GTID: 2178360305955059
Subject: Network and information security
Abstract/Summary:
As computers have developed, people have come to rely on them in more and more aspects of life, and computers now play an important role in every part of society. Network and information security have therefore become a focus. With the recent growth in computer performance and in the variety of software, many attacks exploit vulnerabilities in software and protocols, and these attacks keep escalating. Since the 1980s the Intrusion Detection System (IDS) has been a focus of the information-security field: it can detect and defend against attacks that are about to happen or have already happened on the Internet, and respond accordingly once an attack is detected. However, the classical IDS can only detect single-step attacks; against multi-step attacks it is rather weak. To address this weakness, this thesis analyses the alerts produced by the IDS, correlates these single-step alerts, and identifies them as a multi-step attack.

The main work of this thesis is the methods and algorithms for correlating IDS alerts. We use the Choquet fuzzy integral, express the process with Fuzzy Cognitive Maps, and design a correlation engine for the Intrusion Detection System. After single-attack alerts are fed into the correlation engine, the DRDOS attack and the LLDOS 1.0 attack are correlated. For alert correlation we focus mainly on the training of hyper alerts and the correlation of hyper alerts. Two experiments show that the alert correlation presented in this thesis correlates alerts with high feasibility, availability, completeness, validity and timeliness.

Finally we look ahead to the future of alert correlation: using different alert-correlation methods and different techniques for network security together protects the network and information much better; these techniques complement rather than replace one another.

Section one first introduces the background and current status of the IDS. It then introduces the theory and types of IDS, concentrating on the Distributed Intrusion Detection System (DIDS), and makes clear that our study relies on the DIDS. Next it analyses some problems of the IDS, namely that it cannot detect some multi-step attacks in the network, and points out the importance of alert correlation.

Section two presents the two theories that support this thesis, the fuzzy integral and Fuzzy Cognitive Maps. For the fuzzy integral we introduce the concept and types and, through an example, analyse why we use it to correlate information and alerts. For Fuzzy Cognitive Maps we introduce the concept and types, which include classical Fuzzy Cognitive Maps, Fuzzy Cognitive Maps, extended Fuzzy Cognitive Maps, Fuzzy Cognitive Maps based on neurons, Fuzzy Cognitive Maps based on probability and Fuzzy Cognitive Maps based on rules, and then make clear that this thesis uses Fuzzy Cognitive Maps based on probability.

Section three studies alert correlation and multi-step attacks. First we analyse the principles of alert correlation, then introduce several alert-correlation methods: correlation based on alert similarity, on scenarios, on causality, on rules and on time series. We point out that the algorithm in this thesis combines similarity-based, causality-based and rule-based alert correlation. Then, following the principle of alert classification, we use the DARPA IDS data sets to classify the attacks and analyse the DRDOS and LLDOS attacks.

Section four is the core of this thesis; in it we design the alert-correlation algorithm based on the Choquet fuzzy integral. First we explain the application of Fuzzy Cognitive Maps in the IDS: how to use them to express the ideas of the algorithm, how to build the hyper-alert queue and how to correlate the hyper alerts in the queue. Then we explain how the Choquet fuzzy integral is used in the IDS, mainly in two aspects, the training of hyper alerts and the correlation of alerts; we also design several property transfer functions and show how to use them to train and correlate the alerts. Next we design the data structures, the alert-correlation algorithm and the verification of the alert correlation. The data structures comprise the attack structure, the alert structure and the hyper-alert structure; the training of hyper alerts comprises the generation and management of the hyper-alert queue and the alert-correlation algorithm; the hyper-alert correlation comprises the correlation of the DRDOS attack; then, according to a strategy, we verify the result of correlating the DRDOS attack. Two experiments are designed to verify the feasibility, availability, completeness, validity and timeliness of the algorithm. The first experiment is a test in a real network environment: we write the DRDOS attack code, use Snort as the IDS to produce the alerts, and then use these alerts to correlate the DRDOS attack. The result is that alert correlation based on the Choquet fuzzy integral can be used to correlate the alerts of multi-step attacks. In the second experiment we use the DARPA 2000 IDS data sets as the standard data sets and compare our alert-correlation results with those of TIAA, which used the same data sets; this verifies that the algorithm in this thesis has good completeness, validity and timeliness.

Section five evaluates the advantages and disadvantages of the algorithm and methods for improving it. Then we look ahead to the future of alert correlation: if the algorithm in this thesis is combined with other alert-correlation algorithms, completeness, validity and timeliness will be much higher; if alert correlation is combined with Traceback, the real attacker behind an attack can be found; if alert correlation is combined with Intrusion Tolerance, a machine under attack can still provide basic service.
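The following Python example is added here to illustrate the mechanism the abstract describes, and it is not code from the thesis. The abstract does not give the thesis's property transfer functions, fuzzy measure or data structures, so everything below is an assumption chosen to show how the pieces fit together: each pair of alerts is compared attribute by attribute (source address, destination address, destination port, time gap) to produce partial scores in [0, 1]; a Sugeno lambda-measure built from assumed per-attribute densities plays the role of the fuzzy measure, so that matching attributes together can count for more than their individual weights add up to; the Choquet integral aggregates the partial scores into one correlation score; and a greedy hyper-alert queue merges an alert into an existing hyper alert when that score reaches an assumed threshold of 0.75. The sample alerts are constructed.

```python
"""Choquet fuzzy integral as an alert-correlation score, with a minimal
hyper-alert queue on top.  Added illustration, not the thesis's code: the
attribute comparisons, densities and threshold are assumptions."""
from dataclasses import dataclass, field
from typing import Dict, FrozenSet, List, Sequence


@dataclass(frozen=True)
class Alert:
    """One IDS alert (constructed; the field set is an assumption)."""
    sid: int          # signature id
    src_ip: str
    dst_ip: str
    dst_port: int
    ts: float         # seconds


@dataclass
class HyperAlert:
    """Alerts judged to belong to one multi-step attack."""
    members: List[Alert] = field(default_factory=list)


# --- property transfer functions: each maps an attribute pair to [0, 1] ---
def ip_similarity(a: str, b: str) -> float:
    if a == b:
        return 1.0
    return 0.5 if a.rsplit(".", 1)[0] == b.rsplit(".", 1)[0] else 0.0  # same /24


def time_similarity(t1: float, t2: float, window: float = 60.0) -> float:
    return max(0.0, 1.0 - abs(t1 - t2) / window)


def attribute_scores(x: Alert, y: Alert) -> Dict[str, float]:
    return {
        "src_ip": ip_similarity(x.src_ip, y.src_ip),
        "dst_ip": ip_similarity(x.dst_ip, y.dst_ip),
        "dst_port": 1.0 if x.dst_port == y.dst_port else 0.0,
        "time": time_similarity(x.ts, y.ts),
    }


# --- fuzzy measure: Sugeno lambda-measure from assumed per-attribute densities ---
DENSITIES = {"src_ip": 0.15, "dst_ip": 0.30, "dst_port": 0.20, "time": 0.20}


def solve_lambda(densities: Sequence[float]) -> float:
    """Root of 1 + lambda = prod(1 + lambda * g_i), found by bisection."""
    s = sum(densities)
    if abs(s - 1.0) < 1e-12:
        return 0.0                        # additive measure

    def f(lam: float) -> float:
        prod = 1.0
        for g in densities:
            prod *= 1.0 + lam * g
        return prod - (1.0 + lam)

    if s < 1.0:                           # lambda > 0: attributes reinforce each other
        lo, hi = 1e-9, 1.0
        while f(hi) < 0.0:
            hi *= 2.0
    else:                                 # -1 < lambda < 0: attributes are redundant
        lo, hi = -1.0 + 1e-9, -1e-9
    for _ in range(200):                  # f changes sign on [lo, hi]
        mid = (lo + hi) / 2.0
        if f(lo) * f(mid) <= 0.0:
            hi = mid
        else:
            lo = mid
    return (lo + hi) / 2.0


def fuzzy_measure(subset: FrozenSet[str], densities: Dict[str, float], lam: float) -> float:
    if not subset:
        return 0.0
    if lam == 0.0:
        return sum(densities[a] for a in subset)
    prod = 1.0
    for a in subset:
        prod *= 1.0 + lam * densities[a]
    return (prod - 1.0) / lam


def choquet_integral(scores: Dict[str, float], densities: Dict[str, float]) -> float:
    """C = sum_i (h(x_(i)) - h(x_(i+1))) * g({x_(1), ..., x_(i)}), h sorted descending."""
    lam = solve_lambda(list(densities.values()))
    ordered = sorted(scores, key=scores.get, reverse=True)
    total, prefix = 0.0, set()
    for i, attr in enumerate(ordered):
        prefix.add(attr)
        nxt = scores[ordered[i + 1]] if i + 1 < len(ordered) else 0.0
        total += (scores[attr] - nxt) * fuzzy_measure(frozenset(prefix), densities, lam)
    return total


def correlation_score(x: Alert, y: Alert) -> float:
    return choquet_integral(attribute_scores(x, y), DENSITIES)


def build_hyper_alerts(alerts: Sequence[Alert], threshold: float = 0.75) -> List[HyperAlert]:
    """Greedy queue: an alert joins the first hyper alert whose newest member it correlates with."""
    queue: List[HyperAlert] = []
    for alert in sorted(alerts, key=lambda a: a.ts):
        for ha in queue:
            if correlation_score(ha.members[-1], alert) >= threshold:
                ha.members.append(alert)
                break
        else:
            queue.append(HyperAlert([alert]))
    return queue


# Constructed sample: three alerts against one host from one /24, plus an unrelated alert.
SAMPLE = [
    Alert(1, "10.0.0.5", "192.168.1.20", 53, 1000.0),
    Alert(2, "10.0.0.5", "192.168.1.20", 53, 1012.0),
    Alert(3, "10.0.0.9", "192.168.1.20", 53, 1030.0),
    Alert(4, "172.16.4.4", "192.168.7.77", 443, 5000.0),
]

if __name__ == "__main__":
    for ha in build_hyper_alerts(SAMPLE):
        print([a.sid for a in ha.members])
```

Because the densities sum to less than one, the solved lambda is positive and the measure of a subset exceeds the sum of its members' densities, which is what lets a shared destination address and port together outweigh either attribute on its own; with densities summing to more than one the same code yields a negative lambda and the opposite, redundancy-penalising behaviour.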
Keywords/Search Tags: Choquet Fuzzy Integral, Alert Correlation, Fuzzy Cognitive Map