
Research And Implementation Of Alerts Cluster And Correlation Based On Distributed IDS

Posted on: 2011-02-06
Degree: Master
Type: Thesis
Country: China
Candidate: J Zhang
Full Text: PDF
GTID: 2248330338496167
Subject: Computer Science and Technology
Abstract/Summary:
With the rapid development of information technology, the security of information and network systems is becoming more and more important. As the skill level of intruders gradually rises, intrusion behaviour also becomes increasingly serious. Intrusion detection attracts more and more attention from academic researchers because it can overcome shortcomings of traditional security technology. Although an intrusion detection system can provide real-time monitoring of internal and external attacks, as well as of incorrect operation, a single intrusion detection technology can no longer meet security requirements on its own, and the various IDSs often produce a large number of redundant alerts and false alerts, which reduces the efficiency of the system. Therefore, this paper focuses on alert data processing technology based on distributed IDS.

Firstly, the architecture of existing intrusion detection systems is introduced and their characteristics and disadvantages are analysed. After an in-depth study of the typical data fusion models currently in use, this paper designs and implements a new alert data processing model based on distributed IDS. The model processes the alert data in multiple layers: it unifies the format of the alerts on the local agent and adopts an adaptive method to merge repetitive alerts; it then matches the alerts to the relevant classification, and alerts with high similarity are clustered into a meta alert; it uses a new alert selection method based on a time window to choose a set of alerts to compare, and constructs the correlation knowledge base automatically to reveal the relationships between alerts; finally, it draws the alert correlation graph and presents it to the security administrator through a graphical interface.

Lastly, this paper realizes the alert data processing model based on distributed IDS and tests the functions of each module, showing that the model and its algorithms are effective.
Keywords/Search Tags: Network Security, Intrusion Detection, Distributed, Alert Cluster, Alert Correlation
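The first three layers of the pipeline sketched in the abstract (unifying alert formats on the local agent, merging repeated alerts, clustering similar alerts into a meta alert within a time window), as an added illustration that is not the thesis's own code: the two sensor schemas, the field mapping, the three-attribute similarity score and the thresholds are all assumptions made here for the example.

```python
from datetime import datetime, timedelta

# Constructed sample alerts from two hypothetical sensors ("A" and "B") that
# use different field names; the schemas are assumptions, not the thesis's.
RAW_ALERTS = [
    {"sensor": "A", "ts": "2011-02-06 10:00:00", "src": "10.0.0.5", "dst": "10.0.1.20", "sig": "SCAN"},
    {"sensor": "A", "ts": "2011-02-06 10:00:02", "src": "10.0.0.5", "dst": "10.0.1.20", "sig": "SCAN"},
    {"sensor": "B", "time": "2011-02-06 10:00:03", "source": "10.0.0.5", "target": "10.0.1.21", "event": "SCAN"},
    {"sensor": "B", "time": "2011-02-06 10:00:40", "source": "10.0.0.5", "target": "10.0.1.20", "event": "LOGIN_BRUTE"},
    {"sensor": "A", "ts": "2011-02-06 10:30:00", "src": "10.0.0.9", "dst": "10.0.1.30", "sig": "SCAN"},
]

def normalize(raw):
    """Local-agent layer: map each sensor's fields onto one common alert format."""
    if raw["sensor"] == "A":
        ts, src, dst, sig = raw["ts"], raw["src"], raw["dst"], raw["sig"]
    else:
        ts, src, dst, sig = raw["time"], raw["source"], raw["target"], raw["event"]
    return {"ts": datetime.strptime(ts, "%Y-%m-%d %H:%M:%S"),
            "src": src, "dst": dst, "sig": sig, "count": 1}

def merge_repeats(alerts, window=timedelta(seconds=10)):
    """Merge alerts identical in (src, dst, sig) that arrive within `window` of the last kept copy."""
    merged = []
    for a in sorted(alerts, key=lambda x: x["ts"]):
        for m in merged:
            same = (m["src"], m["dst"], m["sig"]) == (a["src"], a["dst"], a["sig"])
            if same and a["ts"] - m["last"] <= window:
                m["count"] += 1          # keep one alert, remember how often it repeated
                m["last"] = a["ts"]
                break
        else:
            merged.append({**a, "last": a["ts"]})
    return merged

def similarity(a, b):
    """Fraction of the three compared attributes that match (equal weighting is an assumption)."""
    return sum(a[k] == b[k] for k in ("src", "dst", "sig")) / 3

def cluster(alerts, threshold=0.6, window=timedelta(minutes=5)):
    """Group alerts that fall inside a time window and reach the similarity threshold into meta alerts."""
    metas = []
    for a in sorted(alerts, key=lambda x: x["ts"]):
        for m in metas:
            if a["ts"] - m["start"] <= window and similarity(a, m["members"][0]) >= threshold:
                m["members"].append(a)
                break
        else:
            metas.append({"start": a["ts"], "members": [a]})
    return metas

def pipeline(raw_alerts):
    """Normalize, merge repeats, then cluster: returns the list of meta alerts."""
    return cluster(merge_repeats(normalize(r) for r in raw_alerts))
```

On the sample input the two identical SCAN alerts collapse into one with a repeat count of 2, the three early alerts from the same source form one meta alert, and the unrelated alert half an hour later falls outside the window and starts its own.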