| With the growing popularization of network and rapid development of economic, secure network has become foundation of the country's political ,economic and military security, and also has placed important impact on people's life and commerce . Yet, while Internet develops prosperously, there's increasingly serious and complicated secure situation; hence, as a key techniques in the field of network security, anomaly correlation has been widely researched and used. Efficiency of anomaly correlation is affected by its uncertainty, which is a difficult problem to be solved and a breakthrough to make in its filed; Especially in backbone network, it becomes a difficult and important research that how to make better correlation within requested time.Until recently, researches focus on how to make efficient and robust representation model and reasoning method for uncertainty of anomaly correlation;they aim to not produce worse results of correlation due to inappropriate models or methods than that due to inherent uncertainty of correlation data. Yet, our work will concert on how to decrease uncertainty of anomaly correlation from its data source.First, for reducing uncertainty of anomaly correlation from the data source,we analyze causes of the uncertainty,and illustrate how the granularity of flow split and correlation parameters influence uncertainty of anomaly correlation.Second, using the actual backbone flow data, we analyze uncertainty of anomaly detection and identification in various specific flows and when using various kinds of correlation parameters. The analysis results can help network management personnel select appropriate flows and parameters to reduce uncertainty as much as possible while satisfying the real-time requirements. Through comparing uncertainty of anomaly detection and identification in different flows and when using different kinds of correlation parameters,it is concluded that the uncertainty can be reduced efficiently by flow split and adopting combination of different granularity of parameters.Thirdly, we propose an idea of using multi-flows and multi-parameters to reduce the uncertainty of anomaly correlation. Considering that using data after flow split the time expense of anomaly correlation will multiply, it uses process of introducing parameters of more fine granularity firstly and then splitting flows, which can cost least time to reduce uncertainty to satisfy level. Using it, network management staff can decide adopting what flows and what parameters in anomaly correlation to reduce the uncertainty to acceptable level in least time. |
PDF Full Text Request