
The Design And Realization Of The Event Alarm Analysis Engine

Posted on: 2006-06-30
Degree: Master
Type: Thesis
Country: China
Candidate: L Gao
Full Text: PDF
GTID: 2208360185996937
Subject: Computer application technology

Abstract/Summary:
The rapid growth of network scale and of network-based applications has greatly increased network activity. To counter the security problems that come with it, people deploy a range of technologies such as firewalls, IDS (Intrusion Detection Systems) and AV (anti-virus). In fact, a typical network infrastructure includes all of these security devices or products alongside routers, web servers, FTP servers, PCs and so on. On the one hand, purpose-built security devices satisfy specific security requirements; on the other hand, the variety of products creates a serious problem for the security management of the network. In traditional security analysis, analysts read the device logs, made comparisons and investigations, and then gave their recommendations. In a modern network environment, however, the gigabytes of data produced per day by these many devices make this style of analysis obsolete; providing an automated, systematic security solution is an urgent task, whether for a local area network or for a wide area network.

However, setting up a consolidated security management platform is not easy when it must include so many different products that cannot communicate with each other. The challenges include how to select the interesting information from events in many formats, how to analyze that information and determine what is going on, and how to respond to the detected security scenario.

This paper presents a scheme that addresses these problems from the perspective of event correlation analysis. Starting from traditional detection technology (IDS), the paper studies current event correlation technologies in depth, namely the coding method, the reasoning method and the description language method, and then discusses and analyzes the faults and disadvantages of these technologies.
To make up for the scarcity of practical implementations of correlation technology, this paper designs a set of concrete solutions that emphasize the major correlation concerns: accuracy, generality, real-time performance and the engine's own security (self-security). The whole scheme comprises aggregation of repeated events, correlation of heterogeneous events, and combined analysis between security events and...
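The abstract names aggregation of repeated events and correlation of heterogeneous events only in outline. The following Python sketch is an added illustration, not code from the thesis or its JMX-based engine: it normalizes constructed firewall and IDS log lines (the line formats are hypothetical), collapses repeated events per (source, kind, source IP, destination IP) into time-windowed counts, and raises a combined alarm when an IDS port-scan alert is backed by perimeter denies from the same source within the window. The correlation rule, the 60-second window and the threshold of three denies are assumptions chosen for the example.

```python
import re
from dataclasses import dataclass
from typing import Dict, List, Tuple

# Constructed sample logs in hypothetical formats (not output of any real product).
FIREWALL_LOGS = [
    "1700000001 fw01 DENY TCP 203.0.113.5:51234 -> 198.51.100.10:22",
    "1700000002 fw01 DENY TCP 203.0.113.5:51235 -> 198.51.100.10:23",
    "1700000003 fw01 DENY TCP 203.0.113.5:51236 -> 198.51.100.10:25",
    "1700000004 fw01 DENY TCP 203.0.113.5:51237 -> 198.51.100.10:80",
    "1700000005 fw01 DENY TCP 203.0.113.5:51238 -> 198.51.100.10:443",
    "1700000050 fw01 DENY TCP 192.0.2.9:40000 -> 198.51.100.10:22",
]
IDS_LOGS = [
    "1700000006 ids01 ALERT portscan src=203.0.113.5 dst=198.51.100.10",
    "1700000060 ids01 ALERT portscan src=192.0.2.77 dst=198.51.100.10",
]


@dataclass
class Event:
    """Common event form shared by all sources after normalization."""
    ts: int
    source: str   # "firewall" or "ids"
    kind: str     # e.g. "deny", "portscan"
    src_ip: str
    dst_ip: str


FW_RE = re.compile(r"^(\d+) \S+ (\w+) \w+ (\S+):\d+ -> (\S+):\d+$")
IDS_RE = re.compile(r"^(\d+) \S+ ALERT (\w+) src=(\S+) dst=(\S+)$")


def normalize(fw_lines: List[str], ids_lines: List[str]) -> List[Event]:
    """Parse heterogeneous lines into Events, ordered by timestamp; unparseable lines are skipped."""
    events: List[Event] = []
    for line in fw_lines:
        m = FW_RE.match(line)
        if m:
            events.append(Event(int(m[1]), "firewall", m[2].lower(), m[3], m[4]))
    for line in ids_lines:
        m = IDS_RE.match(line)
        if m:
            events.append(Event(int(m[1]), "ids", m[2].lower(), m[3], m[4]))
    return sorted(events, key=lambda e: e.ts)


@dataclass
class Aggregate:
    """One bucket of repeated events with the same key inside one time window."""
    source: str
    kind: str
    src_ip: str
    dst_ip: str
    first_ts: int
    last_ts: int
    count: int = 1


def aggregate(events: List[Event], window: int = 60) -> List[Aggregate]:
    """Collapse repeated events: same key within `window` seconds of the bucket's first event."""
    open_buckets: Dict[Tuple[str, str, str, str], Aggregate] = {}
    closed: List[Aggregate] = []
    for e in events:
        key = (e.source, e.kind, e.src_ip, e.dst_ip)
        bucket = open_buckets.get(key)
        if bucket is not None and e.ts - bucket.first_ts <= window:
            bucket.count += 1
            bucket.last_ts = e.ts
        else:
            if bucket is not None:
                closed.append(bucket)       # window expired: emit the old bucket
            open_buckets[key] = Aggregate(*key, e.ts, e.ts)
    closed.extend(open_buckets.values())
    return sorted(closed, key=lambda a: a.first_ts)


def correlate(aggregates: List[Aggregate], window: int = 60, min_denies: int = 3) -> List[dict]:
    """Cross-source rule (assumed): an IDS port scan confirmed by enough firewall denies
    from the same source to the same target within the window is rated high."""
    alarms: List[dict] = []
    fw_denies = [a for a in aggregates if a.source == "firewall" and a.kind == "deny"]
    for scan in (a for a in aggregates if a.source == "ids" and a.kind == "portscan"):
        supporting = [
            d for d in fw_denies
            if d.src_ip == scan.src_ip and d.dst_ip == scan.dst_ip
            and d.first_ts - window <= scan.first_ts <= d.last_ts + window
        ]
        denies = sum(d.count for d in supporting)
        alarms.append({
            "src_ip": scan.src_ip,
            "dst_ip": scan.dst_ip,
            "ids_alerts": scan.count,
            "firewall_denies": denies,
            "severity": "high" if denies >= min_denies else "low",
        })
    return alarms


def run(fw_lines: List[str] = FIREWALL_LOGS, ids_lines: List[str] = IDS_LOGS) -> List[dict]:
    """Full pipeline: normalize -> aggregate -> correlate."""
    return correlate(aggregate(normalize(fw_lines, ids_lines)))


if __name__ == "__main__":
    for alarm in run():
        print(alarm)
```

On the constructed input the five denies from 203.0.113.5 collapse into one aggregate, and the IDS scan alert from the same source is rated high, while the lone scan alert from 192.0.2.77 has no perimeter evidence and stays low. Keying the buckets on the normalized fields is what lets events from different products be compared at all; in a real engine the window and thresholds would come from the rule set rather than from function defaults.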
Keywords/Search Tags:event detection and analysis, security event correlation, rules with embedded semantic sentence, JMX framework, event analysis engine