
Research On Intrusion Alert Analysis In Honeynet

Posted on: 2013-07-09
Degree: Master
Type: Thesis
Country: China
Candidate: C Chen
Full Text: PDF
GTID: 2248330371967120
Subject: Information security
Abstract/Summary:
In recent years, with the development of network technology, the Internet plays a more and more important role in people's daily life, but network security has already become an issue attracting people's attention. Traditional network defense technologies, such as intrusion detection systems and firewalls, wait passively for an attack to arrive, so they cannot play a proactive role in intrusion detection. As an active defense technology, a honeynet not only captures and analyzes network intrusions on its own initiative but can also capture unknown attack activities, and it has been used widely in network security research and engineering practice in recent years. Current research on honeynet systems mostly concentrates on deployment and data capture technology; how to analyze the captured data accurately and in real time is still a major difficulty in honeynet research. A honeynet produces various logs, including alarms from the Network Intrusion Detection System (NIDS) and the Host Intrusion Detection System (HIDS). The huge number of low-level alarms captured by a honeynet system cannot be shown to users directly, as they are highly redundant, low in semantic content, and do not intuitively show the attacker's behavior. Correlation analysis is the method most often used to solve this problem in current research. However, correlation analysis requires a large number of frequent sets, its training cycle is long, and it cannot identify unknown attacks effectively. A Support Vector Machine (SVM) has good generalization ability: through training on small samples it determines the classification of unknown data, making up effectively for the deficiencies of correlation analysis. This paper proposes an analysis method for honeynet alarms based on SVM theory and designs a corresponding model. The model can handle false-alarm filtering and alarm classification accurately, and it effectively reduces the difficulty of alarm analysis.
In the realization of this model, BSVM and rough sets are first used to distinguish real alarms from false alarms, and then MSVM is used to classify the alarms. Based on the method proposed in this paper, we design a honeynet system that supports distributed alarm processing. Finally, we verify the effectiveness of the research method and model proposed in this paper.
Keywords/Search Tags: Honeynet, Alarm Analysis, Support Vector Machine, Rough Set, Attack Classification