
Research On The Key Technologies In The Security Information And Event Management

Posted on: 2016-07-24
Degree: Master
Type: Thesis
Country: China
Candidate: Q Y Kuang
Full Text: PDF
GTID: 2298330467495224
Subject: Computer Science and Technology
Abstract/Summary:
To counter the full range of security threats, firewalls, vulnerability scanners, intrusion detection systems (IDS), anti-virus software and other security devices are deployed in the network. To some extent these devices improve system security, but serious security problems remain. Managing a variety of security devices is difficult and complex, and the devices lack coordination and integration with one another, so an isolated security device struggles to cope with increasingly complicated, advanced and persistent attacks.

Security information and event management (SIEM) technology integrates security information from hosts and the network with the security events generated by security devices. On the basis of this shared information it performs filtering, aggregation and correlation to uncover the attack intention hidden behind the raw data, to respond to attacks rapidly and in real time, and to predict attacks that may be under way. The critical problem in SIEM is how to correlate, from a large number of alarms, the attacks that have actually been completed or are still in progress, since these are what reflect the network's security situation.

This paper studies the key SIEM technology of event correlation and proposes a security event correlation algorithm based on attack intention. The algorithm uses a hierarchical goal tree to represent the attack logic; it abstracts attack intentions from low-level alerts and then matches them against attack scenarios. In this way it achieves attack-intention-based correlation of security events and detects advanced composite attacks from a large volume of noisy security information and events.

The paper also studies the OSSIM (open-source security information management) platform and builds a security information and event management system based on attack intention. A typical advanced composite attack is then simulated in a small enterprise intranet to test the system's effectiveness. The results show that the attack-intention-based system can detect advanced composite attacks effectively and accurately.
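As an added illustration, not code from the thesis or from OSSIM, the following Python sketch shows the correlation idea described in the abstract: low-level alerts are abstracted to intentions through an assumed signature-to-intention mapping, and a hierarchical goal tree with AND/OR nodes is matched in time order against each attacker-victim track. The alert records, signature names and scenario tree are all constructed for the example.

```python
from collections import defaultdict

# Constructed sample alerts in a simplified IDS-like shape (not data from the thesis).
ALERTS = [
    {"ts": 1, "src": "10.0.0.5", "dst": "10.0.0.20", "sig": "syn_scan"},
    {"ts": 2, "src": "10.0.0.5", "dst": "10.0.0.20", "sig": "web_dir_bruteforce"},
    {"ts": 3, "src": "10.0.0.5", "dst": "10.0.0.20", "sig": "sqli_attempt"},
    {"ts": 4, "src": "10.0.0.5", "dst": "10.0.0.20", "sig": "reverse_shell"},
    {"ts": 5, "src": "10.0.0.9", "dst": "10.0.0.20", "sig": "syn_scan"},
]

# Abstraction step: low-level signature -> attack intention (assumed mapping).
INTENTION_OF = {
    "syn_scan": "recon",
    "web_dir_bruteforce": "vuln_discovery",
    "sqli_attempt": "exploit",
    "reverse_shell": "gain_access",
}

# Hierarchical goal tree for one scenario: ("AND", [...]) needs every child matched
# in order, ("OR", [...]) needs any one child, a plain string is a leaf intention.
SCENARIO = ("AND", ["recon", ("OR", ["vuln_discovery", "exploit"]), "gain_access"])

def match(node, seq, pos=0):
    """Return the cursor after matching node against seq[pos:], or None on failure."""
    if isinstance(node, str):                      # leaf: next occurrence at/after pos
        return next((i + 1 for i in range(pos, len(seq)) if seq[i] == node), None)
    kind, children = node
    if kind == "AND":                              # children must match in sequence
        for child in children:
            pos = match(child, seq, pos)
            if pos is None:
                return None
        return pos
    hits = [p for p in (match(c, seq, pos) for c in children) if p is not None]
    return min(hits) if hits else None             # OR: earliest-finishing child wins

def correlate(alerts):
    """Group alerts per (src, dst), abstract to intentions in time order, match scenario."""
    tracks = defaultdict(list)
    for a in sorted(alerts, key=lambda a: a["ts"]):
        intention = INTENTION_OF.get(a["sig"])
        if intention:                              # unmapped signatures are treated as noise
            tracks[(a["src"], a["dst"])].append(intention)
    return {pair: match(SCENARIO, seq) is not None for pair, seq in tracks.items()}

if __name__ == "__main__":
    for pair, hit in correlate(ALERTS).items():
        print(pair, "composite attack detected" if hit else "no scenario match")
```

A real deployment would add time windows and per-node confidence rather than plain subsequence matching, but the abstraction-then-tree-match structure is the same.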
Keywords/Search Tags: Security Information and Event Management (SIEM); event correlation; attack intention; OSSIM; composite attack