
Analysis And Research Of Alert Correlation

Posted on: 2012-02-09
Degree: Master
Type: Thesis
Country: China
Candidate: S Y Zhou
Full Text: PDF
GTID: 2218330338457328
Subject: Computer system architecture
Abstract/Summary:
With the spread of networks into every area of society, network and information security has become an increasingly prominent problem. Networks suffer millions of attacks every day. Computer criminals, terrorists and hackers are adept at intruding into government websites and private networks for espionage, stealing sensitive data and compromising critical infrastructure. To defend against network crises and information disasters, many kinds of network security measures have emerged, among which intrusion detection is one of the core technologies. However, administrators spend too much effort managing alert data, and in practice often ignore the intrusion detection system altogether, because its alerts are low-level, it suffers from false negatives and high false positive rates, and it fails to expose high-level attack strategies and multistep attack scenarios. Alert correlation technology helps remedy these shortcomings and has become one of the focuses of research.

This thesis analyses the characteristics of network attacks, such as time sequence, uncertainty of attack steps, attack distribution and collaboration. Following the principles of attack classification, it analyses and evaluates, from the viewpoint of practical application, the advantages and shortcomings of attack classifications based on experience terms, single attributes, two-dimensional multi-attribute schemes, many-dimensional multi-attribute schemes, and vulnerability-threat pairs. The description of an attack classification should be reflected in the attributes of the alert data model. Using the core attributes of the alert data model and expert experience, alerts are classified into three kinds of granularity, in conformity with the granular computing principles of granulation, synthesis and focus: alerts in a redundancy relation, alerts in a similarity relation, and alerts in a causal relation.

Different alert granularities call for different processing methods. The thesis analyses existing alert correlation methods and models, compares their advantages and shortcomings, and proposes a new alert correlation model: alerts in a similarity relation are first correlated by event correlation and stored as meta-alerts; meta-alerts are then transformed into hyper-alerts according to knowledge-base rules; finally, hyper-alerts in a causal relation are correlated by attack correlation to form an attack correlation graph. In addition, a new attack correlation algorithm is derived by improving Ning P.'s algorithm so that it can correlate in real time. Experiments demonstrate that the model reduces the number of alerts, raises alert processing efficiency, helps identify the attacker's purpose, and improves alert accuracy.
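The three-stage model described in the abstract (redundancy relation, similarity relation, causal relation), as an added Python example that is not the thesis's own code. The signature names, the prerequisite/consequence entries in the knowledge base, the two time windows and the sample alert stream are all constructed for illustration; the causal stage follows the prerequisite/consequence matching style of Ning P.'s approach that the thesis builds on, but the thesis's actual rules and its real-time improvements are not reproduced here.

```python
# Added example, not the thesis's own code: a three-stage alert correlation pipeline.
from collections import defaultdict, namedtuple

Alert = namedtuple("Alert", "ts sig src dst dport")                       # ts in seconds
MetaAlert = namedtuple("MetaAlert", "sig src dst start end count dports")  # dports sorted
HyperAlert = namedtuple("HyperAlert", "meta prereqs conseqs")              # frozensets

# Constructed knowledge base: signature -> (prerequisites, consequences); predicate
# arguments name alert attributes and are instantiated per hyper-alert.
KB = {
    "ICMP_SWEEP":     (set(),                      {"HostAlive(dst)"}),
    "PORT_SCAN":      ({"HostAlive(dst)"},         {"ServiceOpen(dst,dport)"}),
    "FTP_BUFFER_OVF": ({"ServiceOpen(dst,dport)"}, {"RootShell(dst)"}),
    "OUTBOUND_SHELL": ({"RootShell(src)"},         {"Exfil(src)"}),
}

def dedupe(alerts, window):
    """Stage 1 (redundancy relation): keep one alert per (sig, src, dst, dport) per `window` s."""
    kept, last_kept = [], {}
    for a in sorted(alerts, key=lambda x: x.ts):
        key = (a.sig, a.src, a.dst, a.dport)
        if key in last_kept and a.ts - last_kept[key] <= window:
            continue  # repeat of an alert already kept: drop it
        last_kept[key] = a.ts
        kept.append(a)
    return kept

def build_meta_alerts(alerts):
    """Stage 2 (similarity relation): merge alerts with the same sig, src and dst."""
    groups = defaultdict(list)
    for a in alerts:
        groups[(a.sig, a.src, a.dst)].append(a)
    metas = [MetaAlert(sig, src, dst, min(m.ts for m in ms), max(m.ts for m in ms),
                       len(ms), tuple(sorted({m.dport for m in ms})))
             for (sig, src, dst), ms in groups.items()]
    return sorted(metas, key=lambda m: m.start)

def instantiate(pred, meta, dport=None):  # 'Name(attr,...)' -> 'Name(value,...)'
    name, args = pred[:-1].split("(")
    vals = [str(dport) if a == "dport" else getattr(meta, a) for a in args.split(",")]
    return f"{name}({','.join(vals)})"

def hyper_from_meta(meta):  # Stage 3a: attach KB predicates (unknown sigs get none)
    def expand(preds):
        out = set()
        for p in preds:
            if "dport" in p:  # port-parameterised: one instance per port seen
                out.update(instantiate(p, meta, d) for d in meta.dports)
            else:
                out.add(instantiate(p, meta))
        return frozenset(out)
    prereqs, conseqs = KB.get(meta.sig, (set(), set()))
    return HyperAlert(meta, expand(prereqs), expand(conseqs))

def correlate(hypers, window):
    """Stage 3b (causal relation): edge i->j when i ends no later than j starts, j starts
    within `window` s of i ending, and a consequence of i is a prerequisite of j."""
    edges = []
    for j, later in enumerate(hypers):
        for i, earlier in enumerate(hypers[:j]):
            if (earlier.meta.end <= later.meta.start <= earlier.meta.end + window
                    and earlier.conseqs & later.prereqs):
                edges.append((i, j))
    return edges

def attack_scenarios(hypers, edges):  # signature chains from each root of the graph
    succ, has_pred = defaultdict(list), {j for _, j in edges}
    for i, j in edges:
        succ[i].append(j)
    paths = []
    def walk(i, path):
        if not succ[i]:
            paths.append([hypers[k].meta.sig for k in path])
        for j in succ[i]:
            walk(j, path + [j])
    for i in range(len(hypers)):
        if i not in has_pred:
            walk(i, [i])
    return paths

def run(alerts, redundancy_window=5, causal_window=600):
    kept = dedupe(alerts, redundancy_window)
    hypers = [hyper_from_meta(m) for m in build_meta_alerts(kept)]
    edges = correlate(hypers, causal_window)
    return {"raw": len(alerts), "after_dedupe": len(kept), "meta_alerts": len(hypers),
            "edges": edges, "scenarios": attack_scenarios(hypers, edges)}

# Constructed sample stream: sweep -> scan -> exploit -> callback, plus a repeat and noise.
SAMPLE_ALERTS = [
    Alert(0,   "ICMP_SWEEP",     "10.0.0.9",   "10.0.0.5", 0),
    Alert(1,   "ICMP_SWEEP",     "10.0.0.9",   "10.0.0.5", 0),     # redundant repeat
    Alert(30,  "PORT_SCAN",      "10.0.0.9",   "10.0.0.5", 21),
    Alert(31,  "PORT_SCAN",      "10.0.0.9",   "10.0.0.5", 22),
    Alert(32,  "PORT_SCAN",      "10.0.0.9",   "10.0.0.5", 80),
    Alert(120, "FTP_BUFFER_OVF", "10.0.0.9",   "10.0.0.5", 21),
    Alert(300, "OUTBOUND_SHELL", "10.0.0.5",   "10.0.0.9", 4444),  # victim calls back
    Alert(310, "PORT_SCAN",      "172.16.3.3", "10.0.0.7", 445),   # unrelated noise
]
```

`run(SAMPLE_ALERTS)` reduces eight raw alerts to five hyper-alerts and links four of them into one chain (the sweep, the merged three-port scan, the FTP overflow and the outbound shell); the scan against 10.0.0.7 stays isolated because no earlier hyper-alert established `HostAlive(10.0.0.7)`. The batch `correlate` here compares every pair of hyper-alerts, which is quadratic; a real-time variant of the kind the abstract describes would instead keep only hyper-alerts whose end time is still inside the causal window and match each newly arriving hyper-alert against that sliding set, so that correlation cost no longer grows with the whole history. Note also that shrinking the causal window drops links whose steps are far apart in time, as the 100-second run in the test shows.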
Keywords/Search Tags: Intrusion Detection, Attack Classification, Multistep Attack, Alert Correlation, Hyper Alert