
The Research Of Alert Correlation Analysis Technique Based On Ontology And Multi-Agent Framework

Posted on: 2012-11-02
Degree: Master
Type: Thesis
Country: China
Candidate: X W Ju
Full Text: PDF
GTID: 2218330338468892
Subject: Computer application technology

Abstract/Summary:
Although the Internet lets us share information and brings great convenience, its own security problems are becoming increasingly serious. Using an effective intrusion detection system (IDS) has become an important means of guaranteeing system security. As a proactive, dynamic security measure, intrusion detection can detect external attacks or internal unauthorized events before the network system is damaged, through multi-level defence and three-dimensional depth. But traditional IDSs have two problems: (1) they usually focus on and detect low-level alarms and abnormal events and issue isolated alarms, but cannot find the logical relations among those alarms or the intruder's attack strategy; (2) they usually produce large numbers of false alarms, which are mixed in with the real alarms and cannot be distinguished from them.

To solve the problems above, the paper first adopts ontology technology to build an alarm knowledge base that combines two kinds of correlation technique, one based on attack-sequence template relevance and one based on the prerequisites and consequences of attacks. It constructs an attack knowledge framework containing the basic concepts and their relationships, defines 4 layers and 17 basic classes together with multiple object properties and data properties, uses the RacerPro 1.90 ontology tool to perform correlation inference, and verifies the result by experiment. Then the paper proposes a distributed hybrid IDS model based on the communication mechanism of autonomous agents. It unites the respective advantages of HIDS and NIDS, correlates the original alarm information according to the alarm knowledge base, eliminates false alarms and identifies missed alarms in order to confirm the real attack strategy, and derives collaborative high-level alarm information.
The system adopts a communication mechanism based on autonomous agents, which suits the distributed environment, and uses a subscription scheme combined with a tree structure to disseminate alarm information and response actions efficiently and in real time. Finally, the paper carries out a simulation experiment based on the above model, which illustrates that the intrusion detection model and its construction method are reasonable and effective.
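As an added illustration (not code from the thesis, whose implementation is not on this page), the following Python sketch shows both correlation techniques the abstract names over a few constructed IDS alarms. A hand-written prerequisite/consequence table stands in for the ontology knowledge base, plain set matching on instantiated predicates stands in for RacerPro inference, and an ordered attack-sequence template stands in for template relevance. Alarms that neither support nor are supported by any other alarm are flagged as candidate false alarms, and alarms whose prerequisites were never observed are flagged as a possible missed earlier step. The alert kinds, predicate names and addresses are all assumptions made for the example.

```python
"""Prerequisite/consequence and template-based alert correlation (added example)."""
from dataclasses import dataclass
from typing import Dict, FrozenSet, List, Set, Tuple


@dataclass(frozen=True)
class Alert:
    id: int
    kind: str   # alarm type as reported by the sensor
    src: str
    dst: str
    ts: int     # seconds since start of the capture


# Constructed knowledge base: kind -> (prerequisite predicates, consequence predicates).
# Predicates are templates over the alarm's {src}/{dst}; a consequence of an earlier
# alarm that equals a prerequisite of a later one links the two alarms.
KB: Dict[str, Tuple[Set[str], Set[str]]] = {
    "port_scan":        (set(),                           {"knows_services({src},{dst})"}),
    "vuln_probe":       ({"knows_services({src},{dst})"}, {"knows_vuln({src},{dst})"}),
    "remote_exploit":   ({"knows_vuln({src},{dst})"},     {"shell({src},{dst})"}),
    "suspicious_login": ({"shell({src},{dst})"},          {"access({src},{dst})"}),
    "icmp_flood":       (set(),                           set()),
}

# Constructed attack-sequence template used by the second correlation technique.
TEMPLATE = ["port_scan", "vuln_probe", "remote_exploit", "suspicious_login"]

# Constructed sample alarms (not real traffic): one scan-to-login chain against
# 10.0.0.20, an unrelated flood, and an exploit alarm with no observed prior scan.
ALERTS = [
    Alert(1, "port_scan",        "10.0.0.5",  "10.0.0.20", 0),
    Alert(2, "vuln_probe",       "10.0.0.5",  "10.0.0.20", 120),
    Alert(3, "icmp_flood",       "10.0.0.99", "10.0.0.20", 200),
    Alert(4, "remote_exploit",   "10.0.0.5",  "10.0.0.20", 400),
    Alert(5, "suspicious_login", "10.0.0.5",  "10.0.0.20", 450),
    Alert(6, "remote_exploit",   "10.0.0.7",  "10.0.0.30", 500),
]


def instantiate(preds: Set[str], a: Alert) -> FrozenSet[str]:
    """Bind the {src}/{dst} placeholders of the predicates to one alarm's hosts."""
    return frozenset(p.format(src=a.src, dst=a.dst) for p in preds)


def correlate(alerts: List[Alert], window: int = 3600) -> List[Tuple[int, int]]:
    """Return (earlier_id, later_id) edges where a consequence of the earlier alarm
    satisfies a prerequisite of the later alarm within `window` seconds."""
    ordered = sorted(alerts, key=lambda a: a.ts)
    edges: List[Tuple[int, int]] = []
    for i, later in enumerate(ordered):
        need = instantiate(KB.get(later.kind, (set(), set()))[0], later)
        if not need:
            continue
        for earlier in ordered[:i]:
            if later.ts - earlier.ts > window:
                continue
            have = instantiate(KB.get(earlier.kind, (set(), set()))[1], earlier)
            if need & have:
                edges.append((earlier.id, later.id))
    return edges


def build_chains(alerts: List[Alert], edges: List[Tuple[int, int]]) -> List[List[int]]:
    """Group linked alarms into connected components (candidate attack scenarios),
    each returned as a time-ordered list of alert ids, components ordered by start."""
    parent = {a.id: a.id for a in alerts}

    def find(x: int) -> int:
        while parent[x] != x:
            parent[x] = parent[parent[x]]
            x = parent[x]
        return x

    for u, v in edges:
        parent[find(u)] = find(v)
    by_id = {a.id: a for a in alerts}
    groups: Dict[int, List[int]] = {}
    for a in alerts:
        groups.setdefault(find(a.id), []).append(a.id)
    chains = [sorted(g, key=lambda i: by_id[i].ts) for g in groups.values()]
    return sorted(chains, key=lambda g: by_id[g[0]].ts)


def classify(alerts: List[Alert], edges: List[Tuple[int, int]]) -> Dict[int, str]:
    """'correlated': part of a supported chain; 'isolated': no prerequisites and no
    relation to any other alarm (candidate false alarm); 'unsupported': prerequisites
    exist but were never observed (the sensors may have missed an earlier step)."""
    linked = {u for u, _ in edges} | {v for _, v in edges}
    supported = {v for _, v in edges}
    verdict: Dict[int, str] = {}
    for a in alerts:
        has_prereq = bool(KB.get(a.kind, (set(), set()))[0])
        if a.id in linked and (not has_prereq or a.id in supported):
            verdict[a.id] = "correlated"
        elif has_prereq:
            verdict[a.id] = "unsupported"
        else:
            verdict[a.id] = "isolated"
    return verdict


def matches_template(chain: List[int], alerts: List[Alert], template=TEMPLATE) -> bool:
    """True if the chain's alarm kinds contain the template as an ordered subsequence."""
    by_id = {a.id: a for a in alerts}
    j = 0
    for kind in (by_id[i].kind for i in chain):
        if j < len(template) and kind == template[j]:
            j += 1
    return j == len(template)


if __name__ == "__main__":
    edges = correlate(ALERTS)
    for chain in build_chains(ALERTS, edges):
        print(chain, "matches template" if matches_template(chain, ALERTS) else "")
    print(classify(ALERTS, edges))
```

On the constructed input the four alarms from 10.0.0.5 collapse into one high-level scenario that matches the template, the ICMP flood is reported as an isolated candidate false alarm, and the lone exploit alarm against 10.0.0.30 is reported as unsupported, which is the cue to look for a missed scan or probe rather than to discard it.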
Keywords/Search Tags: Distributed Intrusion Detection, Autonomous Agents, Alarm Correlation, Ontology