
The Research Of Distributed Security Audit System And Technology Of Alerts Correlation

Posted on: 2009-06-19
Degree: Master
Type: Thesis
Country: China
Candidate: J Y Xu
Full Text: PDF
GTID: 2198360245975095
Subject: Computer software and theory
Abstract/Summary:
Network and information security problems are becoming more and more serious, and research on security audit technology is one of the effective ways to address them. Research on security audit mainly focuses on audit data collection, audit analysis and system architecture. A distributed architecture is one trend in security audit systems. In this paper we design and implement a distributed security audit model in which the audit centre is designed as a service centre that provides services to the other modules through interfaces. This model meets the requirements of cross-platform and cross-programming-language operation. A filter that can be configured both statically and dynamically is integrated into the model, which is rare in other security audit systems. To facilitate management and analysis, we define a common audit log format and a common audit event by studying other commonly used log formats. For security audit analysis, we combine alert correlation with other security audit analysis techniques. Alert correlation covers merging duplicate alerts, deleting meaningless or wrong alerts, and combining trivial alerts. In this paper we use capabilities to express the preconditions and results of an attack, establish a capability model for the original alerts, and use alert correlation to link all alerts that belong to one attack carried out in several phases. Finally, we design an alert correlation engine based on the common log format.
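The abstract describes the correlation pipeline only in outline: duplicate alerts are merged, alerts outside the model are dropped, and the remaining alerts are linked into one multi-phase attack when the capability an earlier alert yields satisfies the precondition of a later one. The following Python is an added illustration of that idea and is not code from the thesis; the alert types, the `CAPABILITY_MODEL` table, the field names of the "common log format" and the sample alerts are all constructed for this example.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Dict, List, Set, Tuple

# Hypothetical capability model (assumption, not the thesis's own table):
# alert type -> (capabilities an attacker must already hold, capabilities the
# step yields if it succeeds). A chain is valid when each step's requirements
# are covered by what the earlier steps in the chain provided.
CAPABILITY_MODEL: Dict[str, Tuple[Set[str], Set[str]]] = {
    "PORT_SCAN":       (set(),                     {"knows_open_ports"}),
    "SERVICE_PROBE":   ({"knows_open_ports"},      {"knows_service_version"}),
    "EXPLOIT_ATTEMPT": ({"knows_service_version"}, {"shell_on_host"}),
    "PRIV_ESCALATION": ({"shell_on_host"},         {"root_on_host"}),
}


@dataclass(frozen=True)
class Alert:
    """One record in the assumed common audit log format."""
    ts: datetime
    sensor: str
    atype: str
    src: str
    dst: str


@dataclass
class MergedAlert:
    """Duplicate alerts collapsed into one record with a repeat count."""
    first: datetime
    last: datetime
    atype: str
    src: str
    dst: str
    count: int = 1


def merge_duplicates(alerts: List[Alert], window=timedelta(seconds=60)) -> List[MergedAlert]:
    """Collapse alerts with the same (type, src, dst) that repeat within `window`."""
    merged: List[MergedAlert] = []
    for a in sorted(alerts, key=lambda x: x.ts):
        for m in merged:
            if (m.atype, m.src, m.dst) == (a.atype, a.src, a.dst) and a.ts - m.last <= window:
                m.last, m.count = a.ts, m.count + 1
                break
        else:  # no open duplicate group: start a new one
            merged.append(MergedAlert(a.ts, a.ts, a.atype, a.src, a.dst))
    return merged


def drop_unmodelled(merged: List[MergedAlert]) -> List[MergedAlert]:
    """Delete alerts that carry no meaning for the capability model."""
    return [m for m in merged if m.atype in CAPABILITY_MODEL]


def correlate(merged: List[MergedAlert]) -> List[List[MergedAlert]]:
    """Group alerts into attack scenarios by matching preconditions to gained capabilities."""
    scenarios: List[List[MergedAlert]] = []
    for m in sorted(merged, key=lambda x: x.first):
        required, _ = CAPABILITY_MODEL[m.atype]
        for chain in scenarios:
            same_pair = chain[-1].src == m.src and chain[-1].dst == m.dst
            gained = set().union(*(CAPABILITY_MODEL[c.atype][1] for c in chain))
            if same_pair and required <= gained:
                chain.append(m)
                break
        else:
            # Either a fresh attack start or a step whose earlier phases were
            # never observed; both start a new scenario (see is_complete).
            scenarios.append([m])
    return scenarios


def is_complete(chain: List[MergedAlert]) -> bool:
    """True when the scenario starts from a step with no unobserved preconditions."""
    return not CAPABILITY_MODEL[chain[0].atype][0]


def run_pipeline(alerts: List[Alert]) -> List[List[MergedAlert]]:
    return correlate(drop_unmodelled(merge_duplicates(alerts)))


def _t(hhmmss: str) -> datetime:
    return datetime.strptime("2009-06-19 " + hhmmss, "%Y-%m-%d %H:%M:%S")


# Constructed sample alerts: one four-phase intrusion against 10.0.0.20 with a
# noisy scanner, one unmodelled sensor event, and one isolated exploit alert.
SAMPLE_ALERTS = [
    Alert(_t("10:00:00"), "nids-1", "PORT_SCAN", "10.0.0.5", "10.0.0.20"),
    Alert(_t("10:00:05"), "nids-1", "PORT_SCAN", "10.0.0.5", "10.0.0.20"),
    Alert(_t("10:00:20"), "nids-1", "PORT_SCAN", "10.0.0.5", "10.0.0.20"),
    Alert(_t("10:01:30"), "nids-1", "SERVICE_PROBE", "10.0.0.5", "10.0.0.20"),
    Alert(_t("10:02:00"), "agent-7", "HEARTBEAT_LOST", "agent-7", "10.0.0.99"),
    Alert(_t("10:03:00"), "nids-1", "EXPLOIT_ATTEMPT", "10.0.0.5", "10.0.0.20"),
    Alert(_t("10:04:00"), "nids-2", "EXPLOIT_ATTEMPT", "10.0.0.7", "10.0.0.21"),
    Alert(_t("10:05:00", ), "hids-20", "PRIV_ESCALATION", "10.0.0.5", "10.0.0.20"),
]

if __name__ == "__main__":
    for chain in run_pipeline(SAMPLE_ALERTS):
        status = "complete" if is_complete(chain) else "partial (earlier phases unobserved)"
        steps = " -> ".join(f"{c.atype}x{c.count}" for c in chain)
        print(f"{chain[0].src} -> {chain[0].dst}: {steps} [{status}]")
```

On the sample input the three port-scan alerts collapse into one record with a count of 3, the heartbeat event is discarded because the model says nothing about it, and the four phases against 10.0.0.20 form one complete scenario. The lone exploit alert from 10.0.0.7 becomes a partial scenario: its precondition was never satisfied by an observed alert, which is exactly the case an analyst wants flagged rather than silently dropped.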
Keywords/Search Tags: distributed, security audit, audit service, data collection, alerts correlation