
Research and Design of an Alert Merge Scheme in a Network Security Management System

Posted on: 2011-07-16
Degree: Master
Type: Thesis
Country: China
Candidate: B Yan
Full Text: PDF
GTID: 2178360308961174
Subject: Information security

Abstract/Summary:
With the spread of the internet, the number of network attacks and instances of illegal access is growing rapidly, and the network security situation becomes harder day by day. To protect the intranet, security administrators build a defense system that includes firewalls, anti-virus servers, IDS and similar devices. These security devices report large numbers of alerts, which are characterized by their huge volume, high false-alarm rate, trivial information content, and difficulty of analysis and understanding. Such alerts hinder the analysis and handling of attacks and consume much of the administrators' time. Duplicate, false and meaningless alerts make network security management very difficult, nearly exceeding the limits of human ability.

In this situation, alert merge technology has attracted more and more attention as a way to handle alert information efficiently. Alert merge technology includes combining duplicate alerts, filtering meaningless and false alerts, associating fragmented alerts, and defining a risk level. Its purpose is to enhance the information content and accuracy of alerts while reducing their number. Researchers at home and abroad have conducted extensive research and achieved certain results recently. Methods based on probability theory cannot reveal the relations between alerts, and their prior probabilities are hard to obtain. Methods based on state transition need to associate every kind of alert and bring a large workload. Methods based on Euclidean distance make the threshold hard to define.

The method proposed in this thesis first categorizes the alerts, then calculates the probability of each kind of alert together with other data, merges alerts based on a finite state machine (FSM), and finally builds a Bayesian network from the FSM states and the alert probabilities to calculate the reliability of each merged alert. It solves some problems of existing alert merge systems and has the ability to learn new attacks.

Chapter 1 introduces the development of the internet and the network security situation in China. Chapter 2 introduces IDS technology and the development of alert merging. Chapter 3 proposes an alert merge scheme based on an FSM. Chapter 4 proposes a method for calculating alert reliability based on a Bayesian network, and discusses at length the time window, alert probability, posterior probability, and the construction of the Bayesian network according to the attack scenario. Chapter 5 implements the scheme in a network security management system and analyzes the results. Chapter 6 summarizes the work and forecasts the development of alert merge technology.
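The pipeline the abstract outlines (categorize alerts, filter meaningless ones, merge duplicates and fragments through an attack-scenario FSM within a time window, then score each merged alert with a Bayesian posterior) can be sketched in a few dozen lines. The following is an added illustration written for this page, not code from the thesis: the signature-to-category map, the four FSM states, the 300-second window, the sample alerts and all probabilities are constructed assumptions, and the "Bayesian network" is reduced to its simplest naive-Bayes form (one root node for "attack" with a Bernoulli child per alert category), which is enough to show how the FSM state reached becomes evidence for a reliability score.

```python
"""Toy alert-merge pipeline: categorize -> filter -> FSM merge -> Bayesian reliability.

Constructed illustration only; the category names, FSM states, window length
and probabilities are assumptions, not the scheme from the thesis above.
"""
from collections import Counter
from dataclasses import dataclass, field

# Attack-scenario FSM: alerts for one (src, dst) pair advance through these
# states in order. Index 0 is the idle state before any alert is seen.
STATES = ("idle", "recon", "exploit", "privilege")
WINDOW_SECONDS = 300  # assumed time window; alerts further apart start a new session

# Signature -> category map (assumed). Signatures not listed are treated as
# meaningless noise and filtered out before merging.
SIGNATURE_CATEGORY = {
    "PORTSCAN": "recon",
    "WEB_EXPLOIT_ATTEMPT": "exploit",
    "SUID_SHELL_SPAWN": "privilege",
}

# Parameters of a naive-Bayes network: root node "attack" with one Bernoulli
# child per category (constructed numbers, not learned from real data).
P_ATTACK = 0.2
P_CAT_GIVEN_ATTACK = {"recon": 0.7, "exploit": 0.8, "privilege": 0.6}
P_CAT_GIVEN_NOISE = {"recon": 0.4, "exploit": 0.1, "privilege": 0.05}


@dataclass
class Alert:
    ts: int          # epoch seconds
    src: str
    dst: str
    signature: str


@dataclass
class MergedAlert:
    src: str
    dst: str
    first_ts: int
    last_ts: int
    state: str = "idle"
    counts: Counter = field(default_factory=Counter)  # raw alerts absorbed per category

    @property
    def raw_count(self) -> int:
        return sum(self.counts.values())


def reliability(observed_categories) -> float:
    """Posterior P(attack | which categories were observed) under the naive-Bayes model."""
    observed = set(observed_categories)
    like_attack, like_noise = P_ATTACK, 1.0 - P_ATTACK
    for cat in STATES[1:]:
        pa, pn = P_CAT_GIVEN_ATTACK[cat], P_CAT_GIVEN_NOISE[cat]
        if cat in observed:
            like_attack *= pa
            like_noise *= pn
        else:  # absence of a category is evidence too
            like_attack *= 1.0 - pa
            like_noise *= 1.0 - pn
    return like_attack / (like_attack + like_noise)


def merge_alerts(alerts):
    """Categorize, filter and merge an alert stream; returns (MergedAlert, reliability) pairs."""
    sessions = {}   # (src, dst) -> currently open MergedAlert
    merged = []
    for a in sorted(alerts, key=lambda x: x.ts):
        cat = SIGNATURE_CATEGORY.get(a.signature)
        if cat is None:
            continue  # filter: unknown signature carries no scenario information
        key = (a.src, a.dst)
        s = sessions.get(key)
        if s is not None and a.ts - s.last_ts > WINDOW_SECONDS:
            merged.append(s)  # window expired: close the old session
            s = None
        if s is None:
            s = MergedAlert(a.src, a.dst, a.ts, a.ts)
            sessions[key] = s
        s.last_ts = a.ts
        s.counts[cat] += 1  # duplicates of an already-seen category are absorbed here
        # FSM transition: only advance, never regress (a late recon alert does not undo an exploit)
        if STATES.index(cat) > STATES.index(s.state):
            s.state = cat
    merged.extend(sessions.values())
    return [(m, reliability(m.counts)) for m in merged]


SAMPLE = [  # constructed alerts, not captured from a real sensor
    Alert(1000, "10.0.0.5", "10.0.0.20", "PORTSCAN"),
    Alert(1001, "10.0.0.5", "10.0.0.20", "PORTSCAN"),
    Alert(1002, "10.0.0.5", "10.0.0.20", "PORTSCAN"),
    Alert(1050, "10.0.0.5", "10.0.0.20", "WEB_EXPLOIT_ATTEMPT"),
    Alert(1090, "10.0.0.5", "10.0.0.20", "SUID_SHELL_SPAWN"),
    Alert(1100, "10.0.0.9", "10.0.0.20", "PORTSCAN"),
    Alert(1101, "10.0.0.9", "10.0.0.20", "HEARTBEAT"),  # no category: filtered
    Alert(2000, "10.0.0.9", "10.0.0.20", "PORTSCAN"),   # beyond the window: new session
]

if __name__ == "__main__":
    for m, r in merge_alerts(SAMPLE):
        print(f"{m.src}->{m.dst} state={m.state} raw={m.raw_count} reliability={r:.3f}")
```

Eight raw alerts collapse into three merged ones: the full recon, exploit, privilege chain from 10.0.0.5 reaches the last FSM state and scores a high posterior, while each lone port scan from 10.0.0.9 stays in the "recon" state with a posterior below the prior, which is the behaviour an operator wants from a merge step that is supposed to reduce volume without hiding the chain that matters.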
Keywords/Search Tags:network security management, IDS, FSM, Bayesian network, alert merge