Research And Applications On Key Technologies In The Security Event Management System

Posted on: 2013-02-20
Degree: Master
Type: Thesis
Country: China
Candidate: D L Tan
GTID: 2218330362959374
Subject: Communication and Information System

Abstract/Summary:
As information security threats become more diverse and complex, a single security device can no longer fully guarantee the security of an information system, so firewalls, intrusion detection systems, antivirus software and other security products are deployed across the network. These products improve the security of information systems, but they also bring new problems. First, managing many different security products is increasingly difficult; second, the products lack coordination and integration; and third, the mass of data they generate is hard to collect and process. Security event management systems arose to address these issues: by collecting event information, aggregating security events, raising alarms and performing other kinds of analysis, they aim to identify and handle the security incidents that occur in an information system, while at the same time integrating the deployed security products. Studying how to build an effective security event management system, and how to apply new technology to these problems, is therefore significant for improving the security of information systems.

This thesis examines the security function and role of the event management system in depth and proposes a basic model for a security event management system. It concentrates on two problems, event information acquisition and alarm redundancy, and investigates techniques and methods for solving them.

To address the difficulty of acquiring security event information, the thesis designs and implements an intelligent event agent based on intelligent agent technology. The agent uses security plug-ins as its interface, giving good compatibility, and message-oriented middleware as its communication carrier, giving good scalability.

Independent event handling is the agent's main feature: guided by a knowledge base of security rules, it performs pre-processing, filtering, priority determination, alarm merging, event caching and other tasks. This effectively reduces the burden on the security event management center and removes the root cause of the center's massive data handling problem.

To address the security alarm redundancy problem, the thesis designs a frequent alarm mining method. The method first mines frequent alarms with a frequent set mining algorithm to generate candidate frequent alarm rules, then uses an alarm attribute similarity-based clustering method to check the validity of the candidates and produce the final frequent alarm rules. These rules not only help administrators find causes quickly, but can also be used as a filter to reduce workload.

A prototype security event management system was built on the OSSIM open source project, and the functions of the intelligent event agent were tested on it. Data collected during the 2010 Shanghai World Expo was used to verify the effectiveness of the frequent alarm mining method, which achieved good results.
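The two-stage frequent alarm mining method described above, as an added example that is not the thesis's code or OSSIM's. The abstract names the stages (frequent set mining to produce candidate frequent alarm rules, then attribute similarity-based clustering to validate them) but not the concrete algorithms; the Apriori-style miner, the similarity measure with partial credit for IP addresses in the same /24, the cluster cohesion test, the thresholds and the sample alarms are all assumptions made for this example.

```python
"""Frequent alarm rule mining over a constructed alarm log.

Added illustration, not code from the thesis or from OSSIM. The thesis
names two stages: mine frequent alarms with a frequent set algorithm to get
candidate frequent alarm rules, then check each candidate with alarm
attribute similarity-based clustering. The Apriori-style miner, the
similarity measure, the cohesion test and all thresholds are assumptions.
"""
from itertools import combinations

MIN_SUPPORT = 3      # assumption: a pattern must recur at least 3 times
MIN_COHESION = 0.6   # assumption: mean pairwise similarity to accept a rule

# Constructed sample alarms (not the Expo data), normalised to attr -> value.
ALARMS = [
    {"sig": "ICMP ping sweep", "src": "10.1.2.3", "dst": "10.1.9.10", "proto": "ICMP", "sensor": "s1"},
    {"sig": "ICMP ping sweep", "src": "10.1.2.3", "dst": "10.1.9.11", "proto": "ICMP", "sensor": "s1"},
    {"sig": "ICMP ping sweep", "src": "10.1.2.3", "dst": "10.1.9.12", "proto": "ICMP", "sensor": "s1"},
    {"sig": "ICMP ping sweep", "src": "10.1.2.3", "dst": "10.1.9.13", "proto": "ICMP", "sensor": "s1"},
    {"sig": "SSH brute force", "src": "192.168.5.7", "dst": "10.1.9.22", "proto": "TCP", "sensor": "s2"},
    {"sig": "SSH brute force", "src": "192.168.5.7", "dst": "10.1.9.22", "proto": "TCP", "sensor": "s2"},
    {"sig": "SSH brute force", "src": "192.168.5.7", "dst": "10.1.9.22", "proto": "TCP", "sensor": "s2"},
    # three unrelated alarms that merely share protocol and sensor
    {"sig": "SQL injection attempt", "src": "172.16.0.9", "dst": "10.1.9.30", "proto": "TCP", "sensor": "s3"},
    {"sig": "Port scan", "src": "203.0.113.5", "dst": "10.1.8.40", "proto": "TCP", "sensor": "s3"},
    {"sig": "HTTP directory traversal", "src": "198.51.100.2", "dst": "10.1.7.50", "proto": "TCP", "sensor": "s3"},
    {"sig": "DNS tunnelling", "src": "10.1.4.40", "dst": "8.8.8.8", "proto": "UDP", "sensor": "s1"},
]


def mine_frequent_sets(alarms, min_support=MIN_SUPPORT):
    """Level-wise (Apriori-style) mining: each (attribute, value) pair is an
    item, each alarm a transaction. Returns {frozenset(items): support} for
    every frequent item set of size >= 2 (a rule needs at least two attributes)."""
    transactions = [frozenset(a.items()) for a in alarms]

    def support(item_set):
        return sum(1 for t in transactions if item_set <= t)

    items = {item for t in transactions for item in t}
    current = {frozenset([i]) for i in items if support(frozenset([i])) >= min_support}
    frequent, k = {}, 2
    while current:
        # join: unions of two frequent (k-1)-sets that form a k-set
        cands = {a | b for a, b in combinations(current, 2) if len(a | b) == k}
        # prune: every (k-1)-subset of a candidate must itself be frequent
        cands = {c for c in cands
                 if all(frozenset(s) in current for s in combinations(c, k - 1))}
        current = {c for c in cands if support(c) >= min_support}
        frequent.update({c: support(c) for c in current})
        k += 1
    return frequent


def candidate_rules(frequent):
    """Keep only maximal frequent sets (not contained in a larger frequent set)
    so each recurring pattern yields one candidate. Sorted for stable output."""
    maximal = [s for s in frequent if not any(s < other for other in frequent)]
    maximal.sort(key=lambda s: (-frequent[s], sorted(s)))
    return [(dict(s), frequent[s]) for s in maximal]


def similarity(a, b):
    """Attribute similarity in [0, 1]: 1 per equal attribute, 0.5 when two IP
    addresses share a /24 prefix (assumed weighting), averaged over attributes."""
    score = 0.0
    for key in a:
        if a[key] == b[key]:
            score += 1.0
        elif key in ("src", "dst") and a[key].rsplit(".", 1)[0] == b[key].rsplit(".", 1)[0]:
            score += 0.5
    return score / len(a)


def matches(rule, alarm):
    return all(alarm.get(k) == v for k, v in rule.items())


def cohesion(rule, alarms):
    """Mean pairwise similarity of the alarms a rule covers: the cluster is
    cohesive only if those alarms also agree on attributes the rule leaves free."""
    cluster = [a for a in alarms if matches(rule, a)]
    pairs = list(combinations(cluster, 2))
    return sum(similarity(x, y) for x, y in pairs) / len(pairs) if pairs else 0.0


def validate_rules(candidates, alarms, min_cohesion=MIN_COHESION):
    """Accept a candidate only when its cluster is cohesive; an incidental
    co-occurrence of attributes across unrelated alarms is rejected."""
    return [rule for rule, _ in candidates if cohesion(rule, alarms) >= min_cohesion]


def filter_alarms(alarms, rules):
    """Use the validated rules as a filter: returns (suppressed_count, remaining)."""
    remaining = [a for a in alarms if not any(matches(r, a) for r in rules)]
    return len(alarms) - len(remaining), remaining


if __name__ == "__main__":
    cands = candidate_rules(mine_frequent_sets(ALARMS))
    for rule, sup in cands:
        print(f"candidate (support {sup}, cohesion {cohesion(rule, ALARMS):.2f}): {rule}")
    rules = validate_rules(cands, ALARMS)
    suppressed, remaining = filter_alarms(ALARMS, rules)
    print(f"{len(rules)} valid rules suppress {suppressed} of {len(ALARMS)} alarms")
```

On the constructed log the miner produces three candidates: the ping-sweep pattern (support 4), the SSH brute-force pattern (support 3) and the pair {proto=TCP, sensor=s3} (support 3). The cohesion check keeps the first two and rejects the third, whose three alarms agree on nothing else; the two surviving rules then filter 7 of the 11 alarms. The point of the second stage is exactly that rejection: support alone would have turned a coincidence into a rule.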
Keywords/Search Tags:Security event management, intelligent event agent, frequent alarm rules mining, OSSIM