
Alert Collaboration System Based On Blackboard Architecture

Posted on: 2015-03-15    Degree: Master    Type: Thesis
Country: China    Candidate: H Ding    Full Text: PDF
GTID: 2268330428990984    Subject: Computer application technology
Abstract/Summary:
With the rapid development of network security, the intrusion detection system (IDS) has become an important network security product. IDSs divide into network-based intrusion detection systems (NIDS) and host-based intrusion detection systems (HIDS). Because each has a limited monitoring scope, neither a NIDS nor a HIDS alone can observe all the features of a multi-step network intrusion, or by the time all of the features have been observed the intrusion has already taken place. How to find all the characteristics of a multi-step network intrusion as early as possible is therefore a key problem for intrusion detection.

This thesis surveys related work on alert collaboration and its research status at home and abroad, and designs an alert collaboration system based on the blackboard architecture. The system consists of three main parts:

1. Alert normalization. Current IDSs run independently and their alert information cannot be exchanged, so detection features from different IDSs cannot be combined. This thesis presents a method for normalizing alerts into the IDMEF format. With this method all IDSs are managed together, which yields a more comprehensive set of network intrusion features. The alerts output by the NIDS and the HIDS are stored in a partitioned blackboard structure, so that the collaboration system can identify the evidence that each IDS alert provides.

2. Alert fusion. Each IDS generates a large amount of redundant alert information. This thesis presents an alert fusion method based on process ID for the HIDS and an alert fusion method based on similarity features for the NIDS. With these methods, multiple alerts with the same signature are combined into one group, called a base alert. Each base alert represents one intrusion alert feature, and in this way the original features of a multi-step network intrusion are obtained.

3. Alert collaboration. Because of its limited monitoring scope, a single IDS cannot find all the features of a multi-step network intrusion. This thesis presents an alert collaboration method that joins the base alerts from all IDSs to find all the characteristics of a multi-step network intrusion, which solves the problem that a single IDS cannot discover all the features of an intrusion.

Experiments in a laboratory environment on the detection of common multi-step network attacks, combining SNORT and OSSEC alert information, show that the blackboard-based alert collaboration system discovers more multi-step network intrusions and discovers them earlier.

The purpose of the blackboard architecture-based alert collaboration system is thus to provide a system for detecting multi-step intrusions from the network. By collaborating between suspicious behaviour on a host at the micro level and anomalous traffic on the network at the macro level, it makes an accurate judgment of suspicious behaviour and identifies intrusions more promptly and accurately.
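The three parts above can be read as one pipeline: normalize each sensor's alerts into a common record, post them to a blackboard partition per IDS type, fuse duplicates into base alerts (by process ID for the HIDS, by a similarity key for the NIDS), and let a collaboration knowledge source join base alerts across partitions into a multi-step chain. The following Python is an added illustration of that flow and is not the thesis's code. The alert lines are constructed samples loosely modelled on Snort "fast" output and on flattened OSSEC alerts, the field names and fusion keys are the example's own choices, the similarity feature is reduced to an exact (signature, source, destination) match, and the scan / brute-force / login attack chain is a hypothetical rule, not one taken from the thesis.

```python
"""Added illustration of the three stages described above; not the thesis's code. The alert
lines, field names, fusion keys and attack-chain rule are constructed assumptions."""
import re
from collections import defaultdict
from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class Alert:                  # common IDMEF-like record every sensor alert is normalised into
    partition: str            # blackboard partition: "nids" or "hids"
    sensor: str
    signature: str
    src: str                  # attacker address
    dst: str                  # target host
    ts: int                   # seconds since midnight; assumes sensor clocks are synchronised
    pid: Optional[int] = None


@dataclass
class BaseAlert:              # a group of fused alerts standing for one intrusion feature
    partition: str
    signature: str
    src: str
    dst: str
    first: int
    last: int
    count: int = 1


# Constructed sample input modelled on Snort "fast" alert lines (not a real capture).
SNORT_LINES = [
    "03/15-10:00:01.000000 [**] [1:2001219:18] SCAN Potential SSH Scan [**] {TCP} 10.0.0.5:43210 -> 10.0.0.10:22",
    "03/15-10:00:01.200000 [**] [1:2001219:18] SCAN Potential SSH Scan [**] {TCP} 10.0.0.5:43211 -> 10.0.0.10:22",
    "03/15-10:00:01.400000 [**] [1:2001219:18] SCAN Potential SSH Scan [**] {TCP} 10.0.0.5:43212 -> 10.0.0.10:22",
    "03/15-10:01:30.000000 [**] [1:2006546:9] SSH Brute Force Attempt [**] {TCP} 10.0.0.5:43300 -> 10.0.0.10:22",
    "03/15-10:01:31.000000 [**] [1:2006546:9] SSH Brute Force Attempt [**] {TCP} 10.0.0.5:43301 -> 10.0.0.10:22",
    "03/15-10:02:00.000000 [**] [1:2001219:18] SCAN Potential SSH Scan [**] {TCP} 10.0.0.7:51000 -> 10.0.0.12:22",
]
# Constructed one-line stand-ins for OSSEC host alerts (real OSSEC alerts are multi-line).
OSSEC_LINES = [
    "time=10:02:30 host=10.0.0.10 pid=4021 rule=5715 desc=sshd: authentication success srcip=10.0.0.5",
    "time=10:02:31 host=10.0.0.10 pid=4021 rule=5715 desc=sshd: authentication success srcip=10.0.0.5",
    "time=10:02:40 host=10.0.0.10 pid=4033 rule=5902 desc=new user added to the system srcip=10.0.0.5",
]
SNORT_RE = re.compile(r"^\d\d/\d\d-(\d\d):(\d\d):(\d\d)\.\d+ \[\*\*\] \[[\d:]+\] (.+?) \[\*\*\] \{\w+\} ([\d.]+):\d+ -> ([\d.]+):\d+$")
OSSEC_RE = re.compile(r"^time=(\d\d):(\d\d):(\d\d) host=(\S+) pid=(\d+) rule=(\d+) desc=(.+?) srcip=(\S+)$")
STAGES = ("SCAN", "Brute Force", "authentication success")  # hypothetical attack-chain rule, one substring per stage


def _secs(hh, mm, ss):
    return int(hh) * 3600 + int(mm) * 60 + int(ss)


def normalize_snort(line):
    """Stage 1: map a NIDS alert onto the common record."""
    m = SNORT_RE.match(line)
    if not m:
        raise ValueError(f"unparsed Snort line: {line!r}")
    hh, mm, ss, sig, src, dst = m.groups()
    return Alert("nids", "snort", sig, src, dst, _secs(hh, mm, ss))


def normalize_ossec(line):
    """Stage 1 for the HIDS; keeps the process ID that HIDS fusion keys on."""
    m = OSSEC_RE.match(line)
    if not m:
        raise ValueError(f"unparsed OSSEC line: {line!r}")
    hh, mm, ss, host, pid, rule, desc, srcip = m.groups()
    return Alert("hids", "ossec", f"ossec rule {rule}: {desc}", srcip, host, _secs(hh, mm, ss), int(pid))


def fuse(alerts, key, window=60):
    """Stage 2: merge alerts sharing `key` within `window` seconds into one base alert."""
    base, latest = [], {}
    for a in sorted(alerts, key=lambda x: x.ts):
        k = key(a)
        b = latest.get(k)
        if b is not None and a.ts - b.last <= window:
            b.last, b.count = a.ts, b.count + 1
        else:
            b = BaseAlert(a.partition, a.signature, a.src, a.dst, a.ts, a.ts)
            base.append(b)
            latest[k] = b
    return base


def collaborate(base_alerts, stages, window=600):
    """Stage 3: knowledge source that joins base alerts from every partition into attack chains;
    each stage must share attacker and target with the previous one and follow it within `window`."""
    def extend(chain):
        if len(chain) == len(stages):
            return [tuple(chain)]
        prev = chain[-1]
        return [c for b in base_alerts
                if stages[len(chain)] in b.signature and (b.src, b.dst) == (prev.src, prev.dst)
                and prev.last <= b.first <= prev.last + window
                for c in extend(chain + [b])]
    return [c for b in base_alerts if stages[0] in b.signature for c in extend([b])]


def run(snort_lines, ossec_lines):
    board = defaultdict(list)  # the partitioned blackboard: raw partitions plus fused base-alert partitions
    for a in [normalize_snort(l) for l in snort_lines] + [normalize_ossec(l) for l in ossec_lines]:
        board[a.partition].append(a)
    board["nids_base"] = fuse(board["nids"], key=lambda a: (a.signature, a.src, a.dst))  # similarity feature
    board["hids_base"] = fuse(board["hids"], key=lambda a: (a.dst, a.pid))               # process ID
    return board, collaborate(board["nids_base"] + board["hids_base"], STAGES)
```

Calling `run(SNORT_LINES, OSSEC_LINES)` fuses the six Snort alerts into three base alerts and the three OSSEC alerts into two, and the knowledge source returns a single chain: the scan from 10.0.0.5, its brute-force attempts, and the successful logins that OSSEC saw on 10.0.0.10. Neither sensor could have produced that chain alone, which is the point of collaborating across partitions; the second scan, from 10.0.0.7, is not followed by later stages and yields no chain. Two caveats a practitioner would add: the correlation depends on the sensors' clocks agreeing, and a substring match is only a stand-in for a real similarity measure.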
Keywords/Search Tags:alert collaboration, blackboard architecture, knowledge source, intrusion detection