
Research On Alert Correlation Technology Of Intrusion Detection System

Posted on: 2015-10-08
Degree: Master
Type: Thesis
Country: China
Candidate: M Y Zhu
Full Text: PDF
GTID: 2298330467470281
Subject: Computer application technology
Abstract/Summary:
Intrusion Detection Systems have had problems in practical application, such as a high false positive rate, a high false negative rate, isolated alert information, and massive amounts of alert information that could not be analyzed in time. In order to overcome these problems, research on alert correlation techniques improves the accuracy and the availability of alert information by digging the associated relationships out of intrusion attacks and reconstructing the intrusion path of the attacker.

The paper analyzes and contrasts common alert correlation methods and their advantages and disadvantages. Alert correlation methods are divided into two kinds: methods based on expert knowledge and methods based on data statistics. The method based on expert knowledge can reconstruct the attack scenario correctly, but it is deeply influenced by false positives and false negatives. The method based on data statistics can find some new attacks, but it cannot reveal the internal connections between the alerts correctly.

By combining the advantages of the two kinds of alert correlation method, a hybrid model of alert correlation based on attack graphs and alert similarity analysis is proposed. This model consists of three parts: alert preprocessing, alert correlation based on the attack graph, and alert correlation based on alert similarity. The model deletes periodic alerts by using the Fourier transform and setting rules. It then removes duplicate alerts from the collection of alerts with an adaptive algorithm based on dynamic detention time and multi-stage granularity of aggregation. After that, it describes the causal relationships between alerts according to an initial attack graph defined using prior knowledge of intrusion attacks. Then it correlates the alerts by similarity analysis of the alert data, to repair the defects of the initial attack graph and improve the results of the alert correlation.

A prototype system was built from the above model. The results show that the model can clearly display the path of intrusion in the alert data set. It can find the attack purpose of the intruder and form the intrusion response strategy in time. At the same time, this model reduces the reliance on expert knowledge and is able to fully repair the absence of a single attack step in the attack graph.
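As an added illustration of the three stages the abstract describes (duplicate removal with a detention window, causal linking over an attack graph, and similarity analysis that repairs a step missing from the graph), here is a small Python sketch; it is not code from the thesis, omits the Fourier-based periodic-alert filter, and its attack graph, alert stream, similarity weights, detention window and threshold are all constructed assumptions.

```python
from collections import namedtuple
Alert = namedtuple("Alert", "ts src dst kind")  # constructed record: seconds, source, target, step

# Constructed attack graph from prior knowledge: step -> steps that may directly precede it.
# "lateral" is deliberately missing, so it can only be attached by the similarity stage.
ATTACK_GRAPH = {"scan": set(), "brute_force": {"scan"}, "exploit": {"scan", "brute_force"},
                "privesc": {"exploit"}, "exfil": {"privesc"}}

def dedupe(alerts, detention=30.0):
    # Keep one alert per (src, dst, kind) inside a detention window of `detention` seconds.
    kept, last = [], {}
    for a in sorted(alerts, key=lambda a: a.ts):
        key = (a.src, a.dst, a.kind)
        if key not in last or a.ts - last[key] >= detention:
            last[key] = a.ts
            kept.append(a)
    return kept

def similarity(a, b, horizon=600.0):
    # Score in [0, 1]: shared source and target weigh 0.4 each, time proximity up to 0.2.
    score = 0.4 * (a.src == b.src) + 0.4 * (a.dst == b.dst)
    return score + 0.2 * max(0.0, 1 - abs(a.ts - b.ts) / horizon)

def correlate(alerts, window=600.0, threshold=0.8):
    # Returns (kept_alerts, links) where links[i] = (j, how): alert i follows alert j.
    alerts, links = dedupe(alerts), {}
    for i, a in enumerate(alerts):
        cands = [j for j in range(i) if a.ts - alerts[j].ts <= window]
        causal = [j for j in cands
                  if alerts[j].kind in ATTACK_GRAPH.get(a.kind, set()) and alerts[j].dst == a.dst]
        if causal:                  # latest satisfied prerequisite against the same target wins
            links[i] = (max(causal, key=lambda j: alerts[j].ts), "graph")
        elif cands:                 # no graph edge: repair with the most similar recent alert
            s, j = max((similarity(a, alerts[j]), j) for j in cands)
            if s >= threshold:
                links[i] = (j, "similar")
    return alerts, links

def path(alerts, links, i):
    # Reconstructed intrusion path (ordered step kinds) ending at alert index i.
    steps = [alerts[i].kind]
    while i in links:
        i = links[i][0]
        steps.append(alerts[i].kind)
    return steps[::-1]

# Constructed sample stream (not real IDS data); the second scan is a duplicate of the first.
SAMPLE = [Alert(0, "10.0.0.5", "10.0.1.9", "scan"), Alert(10, "10.0.0.5", "10.0.1.9", "scan"),
          Alert(50, "10.0.2.7", "10.0.3.3", "scan"), Alert(100, "10.0.0.5", "10.0.1.9", "exploit"),
          Alert(200, "10.0.0.5", "10.0.1.9", "privesc"), Alert(250, "10.0.0.5", "10.0.1.9", "lateral")]
```

Running `correlate(SAMPLE)` links the exploit and privilege-escalation alerts through the graph, attaches the unmodelled "lateral" alert to the privilege escalation by similarity, and leaves the unrelated scan from 10.0.2.7 as its own root.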
Keywords/Search Tags: alert correlation, intrusion scenario, attack graph, alert similarity, correlation model