Security Event Supervising System Research Based On Rule-event Stream Process Engine

Posted on: 2011-04-17
Degree: Master
Type: Thesis
Country: China
Candidate: J Y Shen
Full Text: PDF
GTID: 2178360308952596
Subject: Communication and Information System

Abstract/Summary:
Complex and varied network attacks now occur frequently, which has made people realize the importance of real-time supervision of network security. The ability to process and analyze alert events directly reflects the performance of a security supervising platform, so the key question for this kind of supervision is how to process large volumes of network attack events promptly and efficiently.

Instead of the traditional, database-based event processing technology, this paper applies event-stream technology to the processing of security events, taking advantage of its immediate processing speed, and integrates a rule engine into the event-stream framework. Using the rule engine's optimized rule distribution and its ability to administer complex logic, we obtain parallel computation together with deep mining and analysis of massive event volumes. Based on these two technologies, this paper designs a rule event-stream process engine, R-ESPE (Rule-Event Stream Process Engine), and successfully applies it in the security supervising system proposed here.

The system standardizes the output of multiple network security devices at its input port, so it can collect and parse alert events from different devices. As the input event stream passes through R-ESPE, the rule engine, with its integrated EQL interface language for managing the event stream, satisfies the need for real-time query and analysis of large numbers of network events, which further ensures that the system works promptly and efficiently.

However, deeper research into event-stream technology revealed a problem of chaotic rule scheduler control: the more complicated the operation, the harder it is to control its timing. At the end of the paper, therefore, an improved R-ESPE structure is proposed. It adds a workflow mechanism to event-stream processing, pre-defines the whole rule execution flow using the workflow's process model, and lets the workflow engine decide when and which rule is chosen to query, analyze and compute over events. This solves the rule scheduler control problem and yields more flexible event processing.
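The abstract describes three pieces: normalization of alerts from heterogeneous devices at the input port, a rule engine running over the event stream, and a pre-defined workflow that fixes the order in which rules execute. The following Python sketch is an added illustration of that architecture and is not code from the thesis or from R-ESPE; the device names (FW-A, IDS-B), their record formats, the rule set and the sample stream are all constructed for the example. It shows a stateless severity rule and a stateful sliding-window rule run in a fixed workflow order, with unparseable input counted rather than allowed to crash the pipeline.

```python
"""Minimal rule-driven event-stream processor (added example, not the thesis's code):
normalizes alerts from two constructed device formats, then runs an ordered
workflow of rules over the stream (stateless filtering and stateful windowing)."""
from __future__ import annotations

import json
import re
from collections import defaultdict, deque
from dataclasses import dataclass
from typing import Callable, Deque, Dict, Iterable, List, Optional

# Common schema every device's alert is normalized into at the "input port".
@dataclass(frozen=True)
class Event:
    ts: int           # epoch seconds
    device: str       # originating security device (hypothetical names)
    kind: str         # normalized event type, e.g. "auth_failure"
    src: str          # source IP
    severity: int     # 1 (low) .. 5 (critical)

# --- Normalization: one parser per device format (both formats are constructed) ---
_FW_RE = re.compile(r"^(?P<ts>\d+) FW-A (?P<kind>\w+) src=(?P<src>[\d.]+) sev=(?P<sev>\d)$")

def parse_firewall_line(line: str) -> Optional[Event]:
    """Syslog-like line from hypothetical firewall 'FW-A'."""
    m = _FW_RE.match(line.strip())
    if not m:
        return None  # unparseable input is dropped, not crashed on
    return Event(int(m["ts"]), "FW-A", m["kind"], m["src"], int(m["sev"]))

def parse_ids_json(line: str) -> Optional[Event]:
    """JSON record from hypothetical IDS 'IDS-B', which uses its own field names."""
    try:
        d = json.loads(line)
        return Event(int(d["time"]), "IDS-B", d["signature"], d["attacker"], int(d["priority"]))
    except (ValueError, KeyError, TypeError):
        return None

PARSERS: Dict[str, Callable[[str], Optional[Event]]] = {
    "FW-A": parse_firewall_line,
    "IDS-B": parse_ids_json,
}

# --- Rules: each is a callable (event, emit) -> None; per-rule state lives in a closure ---
Alert = dict  # {"rule": str, "src": str, "ts": int}

def severity_rule(threshold: int) -> Callable[[Event, Callable[[Alert], None]], None]:
    """Stateless rule: escalate any event at or above the severity threshold."""
    def rule(ev: Event, emit: Callable[[Alert], None]) -> None:
        if ev.severity >= threshold:
            emit({"rule": "high_severity", "src": ev.src, "ts": ev.ts})
    return rule

def window_count_rule(kind: str, limit: int, window_s: int):
    """Stateful rule: `limit` events of `kind` from one source within `window_s` seconds."""
    seen: Dict[str, Deque[int]] = defaultdict(deque)
    def rule(ev: Event, emit: Callable[[Alert], None]) -> None:
        if ev.kind != kind:
            return
        q = seen[ev.src]
        q.append(ev.ts)
        while q and ev.ts - q[0] > window_s:   # expire timestamps outside the window
            q.popleft()
        if len(q) >= limit:
            emit({"rule": f"{kind}_burst", "src": ev.src, "ts": ev.ts})
            q.clear()   # reset so one burst yields exactly one alert
    return rule

# --- Engine: normalize at the input, then run rules in a pre-defined workflow order ---
class RuleEventStreamEngine:
    def __init__(self, workflow: List[Callable]):
        self.workflow = workflow          # fixed execution order, the "workflow" of the abstract
        self.alerts: List[Alert] = []
        self.dropped = 0                  # raw records that failed normalization

    def feed(self, device: str, raw: str) -> None:
        ev = PARSERS[device](raw)
        if ev is None:
            self.dropped += 1
            return
        for rule in self.workflow:
            rule(ev, self.alerts.append)

    def run(self, stream: Iterable[tuple]) -> List[Alert]:
        for device, raw in stream:
            self.feed(device, raw)
        return self.alerts

# Constructed sample stream: timestamps in seconds, two devices interleaved.
SAMPLE_STREAM = [
    ("FW-A", "100 FW-A auth_failure src=10.0.0.5 sev=2"),
    ("IDS-B", '{"time": 101, "signature": "auth_failure", "attacker": "10.0.0.5", "priority": 2}'),
    ("FW-A", "102 FW-A auth_failure src=10.0.0.5 sev=2"),
    ("FW-A", "this line is garbage"),
    ("IDS-B", '{"time": 130, "signature": "exploit_attempt", "attacker": "10.0.0.9", "priority": 5}'),
    ("FW-A", "400 FW-A auth_failure src=10.0.0.5 sev=2"),  # outside the 60 s window, no burst
]

def demo() -> RuleEventStreamEngine:
    engine = RuleEventStreamEngine([
        severity_rule(4),
        window_count_rule("auth_failure", limit=3, window_s=60),
    ])
    engine.run(SAMPLE_STREAM)
    return engine

if __name__ == "__main__":
    e = demo()
    for a in e.alerts:
        print(a)
    print("dropped:", e.dropped)
```

Running the demo yields two alerts, an `auth_failure_burst` for 10.0.0.5 at t=102 (three failures inside the 60 s window, counted across both devices because they share the normalized schema) and a `high_severity` alert for 10.0.0.9 at t=130, while the garbage line is counted as dropped. Keeping each rule's state inside its own closure is what makes the ordering question the abstract raises visible: the engine, not the rules, decides which rule sees an event first.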
Keywords/Search Tags: event stream, rule engine, stream process engine, workflow