
A Multi-step Intrusion Detection Algorithm Based On The Temporal Sequence Association

Posted on: 2013-06-29 | Degree: Master | Type: Thesis
Country: China | Candidate: B Guan | Full Text: PDF
GTID: 2248330371983150 | Subject: Software engineering
Abstract/Summary:
With the development of network technology, networks have made extraordinary progress. Today the network plays an indispensable part in everything from personal daily life to government and enterprise. It not only stores all kinds of private personal information but also carries a variety of essential services. When these resources are exposed to the network, how to maintain normal order and ensure the security of reading and writing information becomes a significant subject.

In order to maintain network security, network security has become a complete, independent discipline through the continuous efforts of researchers. Its technologies now include packet filtering, honeypots, logging and auditing, intrusion immunity, forensics, intrusion tolerance, privacy, network security situational awareness, intrusion prevention systems (IPS), intrusion detection systems (IDS) and many other aspects. From active protection to passive defense, from threat monitoring to automatic recovery, these multi-pronged measures work together to maintain network security.

Although the level of network security has continuously improved, attempts to attack networks for illegal gain are also on the increase. Current attack tools are so developed and integrated that attackers need less knowledge and less preparation time, and gain more impact, than before. Multi-step intrusion is a new kind of intrusion pattern. Rather than a simple one-off attack, this pattern achieves a full attack through an organic combination of multiple simple attacks. Such attacks are not very clear in traditional attack detection, which is based on single steps.

Hence the need for alert correlation, which integrates the attack data extracted from all single steps to find the full sequence of attacks, enabling early warning of the attack and the positioning of the attacker. Currently alert correlation has a variety of methods based on different alert properties and correlation purposes, such as measurement of alert property similarity, causal analysis, scenario analysis and data mining. In this thesis, by introducing time series analysis methods, we use time as the property with which to correlate alerts.

Time series analysis is widely used in economics. With this method one can model data collected over time and analyse the data according to the results of the modeling. We take common methods of time series modeling for classification and analysis.

The Granger algorithm is a method based on correlation analysis of time series. Applying this method to alerts achieves alert correlation within the data analysis. To realize this, we first give a multi-step attack detection process, then combine the process with the Granger algorithm to come up with a multi-step attack intrusion detection framework based on the Granger algorithm.

We write code on the basis of the framework to implement the basic algorithm. Because this algorithm has a weakness in specific applications regarding the handling of delayed alerts, we make improvements to the algorithm. Finally, through three experiments, we verify the effectiveness of the basic and improved algorithms.

In the actual environment, the data on the network keeps changing. To accommodate this change, the algorithm also needs further improvement in self-adaptation. So at the end of the thesis, based on current research, we give improvement recommendations based on rules and the test process.
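The abstract describes correlating alerts by applying the Granger test to alert time series, and notes that the basic algorithm has trouble with delayed alerts. The following is an added illustration, not code from the thesis: it builds two constructed alert-count series (scan alerts and exploit-attempt alerts that follow the scans after a fixed delay), fits the restricted and unrestricted lagged regressions with plain least squares, and returns the standard Granger F statistic in both directions. The names `make_sample_alert_counts`, `granger_f` and `correlate_alerts`, the lag structure of the sample data and the critical value `f_crit` are all assumptions of this example; the `__main__` section also shows the delayed-alert weakness the abstract mentions, where a delay longer than the modelled lag window hides the dependence until the window is widened.

```python
"""Granger-causality alert correlation on two alert-count time series.

Added illustration (not code from the thesis): pairs a 'cause' series (e.g. per-minute
counts of port-scan alerts) with an 'effect' series (e.g. counts of exploit-attempt
alerts) and asks whether past values of the cause improve prediction of the effect
beyond the effect's own past. The F statistic is the standard Granger test statistic;
the sample data are constructed here with a tiny deterministic generator.
"""
from typing import Dict, Iterator, List, Sequence, Tuple


def _lcg(seed: int) -> Iterator[float]:
    """Deterministic pseudo-random floats in [0, 1) so the example reproduces offline."""
    state = seed
    while True:
        state = (1103515245 * state + 12345) % 2 ** 31
        yield state / 2 ** 31


def make_sample_alert_counts(n: int = 120, lag: int = 1, seed: int = 7) -> Tuple[List[float], List[float]]:
    """Constructed data: x = scan alerts per interval, y = exploit-attempt alerts that
    follow the scans `lag` intervals later plus noise. Not real sensor output."""
    rnd = _lcg(seed)
    x = [5.0 + 10.0 * next(rnd) for _ in range(n)]
    y = [0.8 * (x[t - lag] if t >= lag else 0.0) + 2.0 * next(rnd) for t in range(n)]
    return x, y


def _solve(a: List[List[float]], b: List[float]) -> List[float]:
    """Solve a·beta = b by Gauss-Jordan elimination with partial pivoting."""
    n = len(a)
    m = [row[:] + [b[i]] for i, row in enumerate(a)]
    for col in range(n):
        piv = max(range(col, n), key=lambda r: abs(m[r][col]))
        m[col], m[piv] = m[piv], m[col]
        for r in range(n):
            if r != col:
                f = m[r][col] / m[col][col]
                for c in range(col, n + 1):
                    m[r][c] -= f * m[col][c]
    return [m[i][n] / m[i][i] for i in range(n)]


def _residual_sum_of_squares(rows: List[List[float]], targets: List[float]) -> float:
    """Ordinary least squares via the normal equations; returns the RSS of the fit."""
    k = len(rows[0])
    xtx = [[sum(r[i] * r[j] for r in rows) for j in range(k)] for i in range(k)]
    xty = [sum(r[i] * t for r, t in zip(rows, targets)) for i in range(k)]
    beta = _solve(xtx, xty)
    return sum((t - sum(b * v for b, v in zip(beta, r))) ** 2 for r, t in zip(rows, targets))


def granger_f(cause: Sequence[float], effect: Sequence[float], p: int = 2) -> float:
    """F statistic for 'cause Granger-causes effect' with p lags.

    Restricted model:   effect[t] ~ 1 + effect[t-1..t-p]
    Unrestricted model: effect[t] ~ 1 + effect[t-1..t-p] + cause[t-1..t-p]
    F = ((RSS_r - RSS_u) / p) / (RSS_u / (obs - 2p - 1))
    """
    restricted, unrestricted, targets = [], [], []
    for t in range(p, len(effect)):
        lags_effect = [effect[t - i] for i in range(1, p + 1)]
        lags_cause = [cause[t - i] for i in range(1, p + 1)]
        restricted.append([1.0] + lags_effect)
        unrestricted.append([1.0] + lags_effect + lags_cause)
        targets.append(effect[t])
    rss_r = _residual_sum_of_squares(restricted, targets)
    rss_u = _residual_sum_of_squares(unrestricted, targets)
    df_den = len(targets) - (2 * p + 1)
    if rss_u <= 0.0:
        return float("inf")  # perfect fit: the cause lags explain everything
    return ((rss_r - rss_u) / p) / (rss_u / df_den)


def correlate_alerts(cause: Sequence[float], effect: Sequence[float],
                     p: int = 2, f_crit: float = 4.0) -> Dict[str, object]:
    """Run the test in both directions so a correlated pair also gets an ordering.

    f_crit = 4.0 is a conservative 5% critical value for F(p, 100+) with small p;
    a production system would look the exact value up for its degrees of freedom.
    """
    f_forward = granger_f(cause, effect, p)
    f_backward = granger_f(effect, cause, p)
    return {
        "f_cause_to_effect": f_forward,
        "f_effect_to_cause": f_backward,
        "correlated": f_forward > f_crit,
        "ordering": "cause precedes effect" if f_forward > f_crit and f_forward > f_backward else "undetermined",
    }


if __name__ == "__main__":
    scans, exploits = make_sample_alert_counts()
    print(correlate_alerts(scans, exploits))
    # Delayed alerts: if the effect lags by 3 intervals but only p=2 lags are modelled,
    # the dependence is invisible; widening the window to p=4 recovers it.
    scans3, exploits3 = make_sample_alert_counts(lag=3)
    print("p=2:", round(granger_f(scans3, exploits3, p=2), 2),
          "p=4:", round(granger_f(scans3, exploits3, p=4), 2))
```

The two-direction run matters for a detector: a large F from scans to exploit attempts with a small F in the reverse direction gives both the correlation and the step order the multi-step reconstruction needs. The delayed-alert case in the `__main__` block is the practical caveat: the lag window `p` must cover the real delay between steps, or the correlation is silently missed.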
Keywords/Search Tags: Time Series, Granger Algorithm, Intrusion Detection