
Mining Of Attack Models In Security Alerts From High Speed Network: The Method And The Implementation

Posted on: 2013-01-29    Degree: Master    Type: Thesis
Country: China    Candidate: L B Qiao    Full Text: PDF
GTID: 2298330422474326    Subject: Computer Science and Technology
Abstract/Summary:
The alerts produced by traditional intrusion detection technologies are low-level, large in volume, highly redundant, and lacking in high-level analysis. While traditional intrusion detection systems have been improved, researchers have proposed alert data post-processing technologies; these, however, face a series of problems and challenges. This thesis contributes three key technologies for extracting complex network threat behavior patterns in a high-speed network: an alert data redundancy reduction method based on the statistical characteristics of massive alert data, a network alert correlation method based on clustering by alert attribute similarity, and a network threat model extraction method based on the Loose Longest Common Subsequence (LLCS), together with a prototype system implementing these methods. The main innovations and work are as follows:

Firstly, since traditional intrusion detection systems in a high-speed network environment produce massive, highly redundant event alert data, this thesis proposes a reduction method based on the redundancy characteristics of massive alert data with real-time online analysis. It characterizes alert data redundancy by defining statistical parameters and feeds the real-time alert data into an online redundancy estimation and reduction procedure. The proposed reduction method has a high alert data reduction rate and low computational overhead, and is attack-target intensive. Tests and comparisons on the DARPA-1999 data sets and on a real high-speed network show that the method is superior to other methods in redundancy reduction rate.

Secondly, the event alert data that existing intrusion detection systems produce about complex network threat behavior is low-level and fragmented, and lacks a high-level threat view. This thesis puts forward a correlation method based on alert attribute similarity with adaptive parameter adjustment. It uses a clustering method to correlate attack behaviors by characterizing the similarity of the alert data in time and space. The method finds all multi-step attacks marked in the DARPA-1999 test data sets, and also finds alert sequences with highly relevant behavior in alert data from a city network backbone.

Thirdly, it is a challenge that network threat models are updated more slowly than threat behaviors arise, and that threat pattern extraction depends on manual expert participation. This thesis puts forward a pattern extraction method based on LLCS. The method performs loose matching on common subsequence strings during pattern extraction, which fits the alert correlation method based on alert attribute similarity better and reduces the possibility of losing information on the intermediate steps of the threat model. The method extracts threat patterns through LLCS extraction after a behavior analysis.

Based on the above work, the method of each subsystem is organized into one system, and the experimental results show that this system is effective.
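The first two post-processing stages the abstract describes (reducing redundant alerts, then correlating the survivors into attack sequences by attribute similarity in time and space) can be sketched in code. The following is an added illustration, not the thesis's own method or code: it assumes a simple alert schema, constructed sample alerts, and hypothetical similarity weights, time windows and thresholds; the thesis's statistical parameters, adaptive parameter adjustment and the LLCS pattern extraction step are not reproduced.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class Alert:
    ts: float     # seconds since start of capture (constructed)
    sig: str      # IDS signature name
    src: str      # source IP
    dst: str      # destination IP
    dport: int    # destination port


# Constructed sample alerts (hypothetical; not taken from DARPA-1999 or the thesis).
# A scanner probes a host three times (redundant alerts), then exploits it, then the
# host calls back to the scanner; one unrelated alert is mixed in.
SAMPLE_ALERTS = [
    Alert(0.0, "SCAN portsweep", "10.0.0.5", "192.168.1.10", 22),
    Alert(0.5, "SCAN portsweep", "10.0.0.5", "192.168.1.10", 22),
    Alert(1.0, "SCAN portsweep", "10.0.0.5", "192.168.1.10", 22),
    Alert(30.0, "EXPLOIT attempt", "10.0.0.5", "192.168.1.10", 22),
    Alert(45.0, "POLICY bad-user-agent", "10.0.0.99", "192.168.1.50", 80),
    Alert(60.0, "TROJAN callback", "192.168.1.10", "10.0.0.5", 4444),
]


def reduce_redundancy(alerts, window=5.0):
    """Collapse alerts that repeat the same (sig, src, dst, dport) within `window`
    seconds into one representative plus a repeat count.
    Returns (list of (alert, count), reduction_rate). The window is an assumption."""
    runs = {}        # key -> [representative alert, count] for the current run
    reduced = []     # runs in arrival order
    for a in sorted(alerts, key=lambda x: x.ts):
        key = (a.sig, a.src, a.dst, a.dport)
        run = runs.get(key)
        if run is not None and a.ts - run[0].ts <= window:
            run[1] += 1          # redundant repeat: count it, do not keep it
            continue
        run = [a, 1]             # new run (first occurrence, or window expired)
        runs[key] = run
        reduced.append(run)
    rate = 1.0 - len(reduced) / len(alerts) if alerts else 0.0
    return [(r[0], r[1]) for r in reduced], rate


def similarity(a, b, max_dt=120.0):
    """Attribute similarity in [0, 1]: 0.7 weight on the host pair (direction-insensitive,
    so a reply flow still matches) and 0.3 weight on temporal proximity.
    Weights and max_dt are assumptions of this example."""
    hosts_a, hosts_b = {a.src, a.dst}, {b.src, b.dst}
    if hosts_a == hosts_b:
        space = 1.0
    elif hosts_a & hosts_b:
        space = 0.5
    else:
        space = 0.0
    time = max(0.0, 1.0 - abs(a.ts - b.ts) / max_dt)
    return 0.7 * space + 0.3 * time


def correlate(alerts, threshold=0.6):
    """Greedy single-pass clustering: each alert joins the cluster whose most recent
    alert is most similar to it (if above threshold), otherwise starts a new cluster.
    Each cluster is a time-ordered alert sequence, i.e. a candidate multi-step attack."""
    clusters = []
    for a in sorted(alerts, key=lambda x: x.ts):
        best, best_sim = None, 0.0
        for c in clusters:
            s = similarity(a, c[-1])
            if s > best_sim:
                best, best_sim = c, s
        if best is not None and best_sim >= threshold:
            best.append(a)
        else:
            clusters.append([a])
    return clusters


def attack_sequences(alerts):
    """Run reduction then correlation and return each cluster as its signature sequence."""
    reduced, _ = reduce_redundancy(alerts)
    return [[a.sig for a in c] for c in correlate([a for a, _ in reduced])]


if __name__ == "__main__":
    reduced, rate = reduce_redundancy(SAMPLE_ALERTS)
    print(f"{len(SAMPLE_ALERTS)} alerts -> {len(reduced)} after reduction (rate {rate:.2f})")
    for seq in attack_sequences(SAMPLE_ALERTS):
        print(" -> ".join(seq))
```

On the constructed input the three identical scan alerts collapse into one representative with a count of 3 (a reduction rate of one third), and the correlation stage links the scan, the exploit attempt and the reversed-direction callback into a single sequence while leaving the unrelated alert in its own cluster. The direction-insensitive host comparison is the design choice that keeps the callback step in the sequence; a similarity that only compared (src, dst) tuples would split it off.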
Keywords/Search Tags: Intrusion detection, alerts data post-processing, redundancy data reduction, alerts correlation, threats pattern extraction