
Large-scale Network Intrusion Visualization Based On Rules Tree

Posted on: 2014-02-21
Degree: Master
Type: Thesis
Country: China
Candidate: J M Zhao
GTID: 2248330395497501
Subject: Network and information security

Abstract/Summary:
Today it can be said that we are inseparable from the network in every field. While network information resources bring convenience to our society, security issues are constantly exposed. Because of the huge economic interests involved, the interests of the public and of enterprises are endangered at any time by the black-market industry chain. Network security technology improves alongside intrusion techniques, and it is gradually moving toward the network protocol stack and the application layer in response to new network attacks, for example Web 2.0 application-layer attacks, instant messaging attacks and attacks on economic activity. How to protect computer security has become an extremely active field. Threat research, security policy and mechanisms, protocol security, cryptography, audit, security products and so on all contribute to the field of network security.

In this paper, we study the field of intrusion detection and find existing problems in the following aspects:

(1) Lack of correlation between alarm data. Each detection technology has a different focus, so the form of its alert data also differs. As a result, alert data from different technologies often cannot be correlated well.

(2) Multi-step attacks are detected poorly. Many steps of a multi-step attack are carried out through protocol vulnerabilities, which are difficult for an intrusion detection system to find. Research on multi-step attack detection is very necessary at this stage.

(3) Log analysis of alarm data is difficult. Alert log analysis tools have become necessary for understanding the state of the network environment, but to meet differing requirements for effectiveness and performance, such tools require a specific design.

Multi-step attacks account for a growing share of attacks on today's computer networks, and they are characterized by strong concealment and great harm. Multi-step attack detection is becoming increasingly important, especially in fields with high network security requirements: because a multi-step attack usually has a very clear purpose, it is more harmful.

The work in this paper starts from two questions. One is how to detect multi-step attacks in intrusion detection with a rule tree method; the other is how to present the results of multi-step attack detection to users through a good form of visual interaction.

First, we describe many kinds of network security technology, focusing on intrusion detection, the most important part of internal network defense, and then introduce many feasible methods in the intrusion detection field today. However, in recent years the ways and means of network attack have been tending toward multiple stages, protocol vulnerabilities and multiple sources, which creates the demand for multi-step attack detection. Multi-step attack detection becomes very important where network security requirements are higher, because multi-step attacks are a serious and well-hidden threat. Building on an existing network intrusion detection system, we design a multi-step attack detection method based on the rule tree, define the rules with reference to the CVE standard library, and describe the processes of several main structures of the system. We then design experiments and analyze the experimental results, which prove that the rule tree method can effectively detect multi-step attacks.

In the other part, large-scale network intrusion logs are difficult to analyze, and the results as presented are hard to understand. Security visualization has become a popular method for resolving this issue, because it presents alarm data in graphical form and can help administrators analyze the current status of the network, and even help them find hidden attacks. We analyze a variety of security visualization software and comprehensively summarize security visualization methods, with particular analysis of visualization methods based on vectors, levels and global maps. We compare and analyze those methods through experiments and evaluate their pros and cons for presenting multi-step intrusion detection logs.
Keywords/Search Tags: rules tree, multi-step attacks, security visualization, intrusion detection