
Research Of Aggregation And Correlation Analysis Techniques For Network Security Events

Posted on: 2012-12-14
Degree: Master
Type: Thesis
Country: China
Candidate: Y Wang
Full Text: PDF
GTID: 2218330368982077
Subject: Computer application technology
Abstract/Summary:
With the wide application and gradual improvement of network information technology, protecting network security has become particularly important. Intrusion detection systems and firewalls are used to discover and resist attackers, but most current security devices not only generate massive numbers of duplicate alerts, they also fail to expose the relationships between different alerts, and the existing alert aggregation and correlation analysis methods have low efficiency. Building on the domestic and foreign research on alert aggregation and correlation analysis, this thesis carries out the following innovative work:

Firstly, taking the network alert aggregation algorithm as the research object, it introduces an alert aggregation method based on the Iterative Self-Organizing Data Analysis Techniques Algorithm (ISODATA). ISODATA is similar to K-means in that the cluster centers are likewise determined iteratively from the sample means. The difference is that in ISODATA the number of cluster centers is not fixed but changes repeatedly during the iteration. In essence, an algorithm generates the initial classes as "seeds", and clustering then proceeds iteratively according to automatic identification rules: between two iterations the clustering results are analyzed, and based on the statistical parameters of the existing classes they are cancelled, split or merged before the next iteration, until the maximum number of iterations is exceeded or the threshold is reached. Finally, the feasibility and accuracy of the algorithm are verified by experiment.

In addition, the thesis proposes a reverse alert correlation method built on the original causal association approach. In this method single-step attacks are first classified by attack intent, and the alert for the last step of an attack intent (for example the privilege escalation step) is taken as the starting point. Using this alert as the basis, the causal association is applied to search for alerts whose signatures are prerequisites of that attack step, and any two alerts that satisfy the required time window are associated, completing the correlation of one step with the step before it. Proceeding in the same way step by step, the entire attack scenario can be restored and the intruder's intent identified. Finally, the DARPA2000 data set is adopted to verify the feasibility and efficiency of this method.
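The reverse correlation step described in the abstract, as an added illustration that is not part of the thesis: starting from the alert of the final attack step, each step is linked backwards to the closest earlier prerequisite alert on the same attacker/victim pair that falls within the time window, until no prerequisite remains. The prerequisite model and the alert records are assumed toy data constructed for this example, not the thesis' rule base or the DARPA2000 set.

```python
from datetime import datetime, timedelta

# Assumed toy causal model (not the thesis' rule base): each signature maps to
# the signatures that are prerequisites of that attack step.
PREREQUISITES = {
    "privilege_escalation": ["remote_exploit"],
    "remote_exploit": ["service_probe"],
    "service_probe": ["port_scan"],
    "port_scan": [],
}

# Constructed sample alerts, oldest first (not taken from DARPA2000).
ALERTS = [
    {"id": 1, "sig": "port_scan",            "src": "10.0.0.5", "dst": "10.0.0.9", "ts": "2012-01-01 10:00:00"},
    {"id": 2, "sig": "port_scan",            "src": "10.0.0.5", "dst": "10.0.0.9", "ts": "2012-01-01 10:00:03"},
    {"id": 3, "sig": "service_probe",        "src": "10.0.0.5", "dst": "10.0.0.9", "ts": "2012-01-01 10:02:00"},
    {"id": 4, "sig": "remote_exploit",       "src": "10.0.0.5", "dst": "10.0.0.9", "ts": "2012-01-01 10:05:00"},
    {"id": 5, "sig": "port_scan",            "src": "10.0.0.7", "dst": "10.0.0.9", "ts": "2012-01-01 10:06:00"},
    {"id": 6, "sig": "privilege_escalation", "src": "10.0.0.5", "dst": "10.0.0.9", "ts": "2012-01-01 10:07:00"},
]

def parse_ts(ts):
    return datetime.strptime(ts, "%Y-%m-%d %H:%M:%S")

def find_prerequisite(alerts, alert, window_s):
    """Return the closest earlier alert whose signature is a prerequisite of
    `alert`, on the same attacker/victim pair and within window_s seconds
    before it; None when no such alert exists (the chain stops here)."""
    t = parse_ts(alert["ts"])
    window = timedelta(seconds=window_s)
    candidates = [a for a in alerts
                  if a["sig"] in PREREQUISITES[alert["sig"]]
                  and a["src"] == alert["src"] and a["dst"] == alert["dst"]
                  and timedelta(0) < t - parse_ts(a["ts"]) <= window]
    return max(candidates, key=lambda a: a["ts"]) if candidates else None

def reconstruct_scenario(alerts, final_alert, window_s=600):
    """Walk backwards from the final-intent alert (e.g. privilege escalation),
    linking each step to its prerequisite alert; returns the restored
    scenario in chronological order."""
    chain = [final_alert]
    while (prev := find_prerequisite(alerts, chain[-1], window_s)) is not None:
        chain.append(prev)
    return chain[::-1]

if __name__ == "__main__":
    for a in reconstruct_scenario(ALERTS, ALERTS[-1]):
        print(a["ts"], a["sig"], "alert", a["id"])
```

Alert 5 is skipped because it comes from a different source address, and shrinking the window below the gap between two steps cuts the chain short, which is the trade-off the time-window parameter controls.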
Keywords/Search Tags: Network Security, Intrusion Detection, Alert Aggregation, Alert Correlation, Attack Scene