
Distributed Intrusion Detection System Alarm Data Fusion Technology Research And Implementation

Posted on: 2006-02-28
Degree: Master
Type: Thesis
Country: China
Candidate: Z W Chen
Full Text: PDF
GTID: 2208360155968168
Subject: Computer application technology

Abstract/Summary:
A huge number of similar or false alarms, known as an alarm flood, is ubiquitous in most network-based intrusion detection systems (NIDS). Because an administrator finds it very difficult to identify the hidden true positives during an alarm flood, reducing the flood is very important. Multisensor data fusion is a continuous process dealing with the association, correlation, and combination of information from multiple sources; it is used to achieve refined estimates of the monitored system's condition and to complete timely assessments of the resulting consequences and their significance. This thesis applies multisensor data fusion technology to a Distributed Intrusion Detection System (DIDS) and proposes a data fusion model in which filtering and merging are combined and expert rules are applied. The model handles false positives, false negatives and large numbers of similar alarms, and it is easy to implement. The algorithms for standardization, filtering, merging and the statistical auto-analyzer of the module have been designed and implemented. The use of IDMEF in the implemented system enhances interoperability between open source systems and the system studied here. The expert filter rules are created automatically by the statistical analyzer. The particular distribution of the false alarms is encoded in the expert rules, so filtering is more careful and avoids dropping true alarms as far as possible. The use of a dynamic merging-time window and a dynamic merging-count window in the merging algorithm makes alert merging effective as well as real-time. The implemented system has been applied to the DARPA data set generated by MIT Lincoln Lab.

The test results of this tentative application show that the system can reduce similar alarms by more than 80 percent when an alarm flood occurs. Through this research on applying data fusion in a DIDS, the multisensor data fusion model can be used to reduce most of the similar alarms and let the administrator analyze alarms more efficiently. Furthermore, the module can fuse alarms coming from different IDSs to decrease the rate of false negatives and increase accuracy.
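The abstract only names the dynamic merging-time window and merging-count window; the following added example (not the thesis' own code) illustrates one plausible reading of them over a constructed alert stream. Assumptions: alerts are flattened IDMEF tuples keyed by (source, target, classification); the time window grows with the size of the open group up to a cap, and the count window bounds how many raw alerts one merged alert may absorb.

```python
from dataclasses import dataclass
from typing import Dict, List, Tuple

# Constructed sample stream: (timestamp_s, source, target, classification).
SAMPLE_ALERTS = [
    (0.0,  "10.0.0.5", "10.0.0.9", "PORTSCAN"),
    (1.0,  "10.0.0.5", "10.0.0.9", "PORTSCAN"),
    (1.5,  "10.0.0.5", "10.0.0.9", "PORTSCAN"),
    (2.0,  "10.0.0.5", "10.0.0.9", "PORTSCAN"),
    (3.0,  "10.0.0.7", "10.0.0.9", "SQLI"),
    (40.0, "10.0.0.5", "10.0.0.9", "PORTSCAN"),  # long gap: should open a new group
]

Key = Tuple[str, str, str]

@dataclass
class MergedAlert:
    key: Key
    first_seen: float
    last_seen: float
    count: int = 1

def merge_alerts(alerts, base_window=5.0, max_window=30.0, max_count=100):
    """Merge repeated alerts sharing (source, target, classification).
    Assumed window semantics (not taken from the thesis): a new alert joins the
    open group for its key when it arrives within the group's current time
    window of the group's last alert and the group is below max_count. The
    time window is base_window * count capped at max_window, so a dense burst
    keeps merging; the count window limits how much one merged alert hides."""
    open_groups: Dict[Key, MergedAlert] = {}
    closed: List[MergedAlert] = []
    for ts, src, dst, cls in sorted(alerts):
        key = (src, dst, cls)
        grp = open_groups.get(key)
        if grp is not None:
            window = min(base_window * grp.count, max_window)
            if ts - grp.last_seen <= window and grp.count < max_count:
                grp.last_seen = ts
                grp.count += 1
                continue
            closed.append(grp)  # window or count exhausted: emit, start a new group
        open_groups[key] = MergedAlert(key, ts, ts, 1)
    closed.extend(open_groups.values())
    return sorted(closed, key=lambda g: g.first_seen)

def reduction_rate(raw, merged):
    """Fraction of raw alerts the administrator no longer has to read."""
    return 1.0 - len(merged) / len(raw)
```

With the sample stream the four PORTSCAN alerts in the first two seconds collapse into one merged alert, the SQLI alert stays separate, and the alert at t=40 opens a new group, so six raw alerts become three.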
Keywords/Search Tags: Intrusion Detection, alert, data fusion, filter, merge