
Research And Realization Of Correlation Analysis Algorithm In The Security Operations Center

Posted on: 2015-12-18
Degree: Master
Type: Thesis
Country: China
Candidate: Y H Wang
Full Text: PDF
GTID: 2298330467963846
Subject: Computer Science and Technology

Abstract/Summary:
The functions of modern computer systems are becoming ever more complex, with a profound impact on every sector of society. As people grow more dependent on computer networks, network security problems become more prominent. To protect their networks, administrators spend heavily on security tools, which in turn produce large volumes of security data in the form of logs and alarms. Comprehensive monitoring of network status therefore makes automated, intelligent correlation analysis of these vast amounts of data an extremely valuable and necessary protective measure.

To address the one-sidedness of security descriptions in the analysis of Internet security information, a correlation analysis algorithm is proposed, comprising the stages "alert preprocessing -> alert aggregation -> alert correlation -> result feedback". In the alert aggregation step, a similarity analysis based on alert parameters and temporal information is adopted: the large volume of event logs is first aggregated by time value, which reduces the count substantially, and then redundant information is discarded by similarity analysis on the parameters. The correlation method is rule-based. The correlation rule database consists of two parts: rules written by hand by experts, and rules inferred from the data with machine learning methods. Prioritised results are sent to the visualisation component.

The structure of the correlation layer in the SOC platform, together with the realisation of the correlation engine, is also discussed and resolved. Experimental results show that this analysis algorithm on the SOC platform not only effectively reduces the number of alerts but also improves the alert rate. Finally, the work of the thesis is summarised and directions for further research and promotion are considered.
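As an added illustration of the pipeline the abstract describes (time-window aggregation, parameter-similarity merging, rule-based correlation with prioritised output), the following Python is written for this page and is not the thesis's own code. The alert fields, the similarity measure (fraction of matching src/dst/sig fields), the 60-second window, and the single sample rule are assumptions; the alerts are constructed.

```python
"""Toy alert aggregation + rule-based correlation (example code, not the thesis's).

Stage 1: bucket alerts by time window.
Stage 2: inside each bucket, merge alerts whose parameter similarity reaches
         a threshold, summing counts (this removes redundant alerts).
Stage 3: match the merged stream against ordered rules and prioritise hits.
"""
from dataclasses import dataclass
from typing import Dict, List, Tuple


@dataclass
class Alert:
    ts: int          # seconds since epoch (constructed values below)
    src: str         # source address
    dst: str         # destination address
    sig: str         # signature / alert type
    count: int = 1   # number of raw alerts this record represents


def similarity(a: Alert, b: Alert) -> float:
    """Assumed parameter similarity: fraction of matching src/dst/sig fields."""
    fields = ("src", "dst", "sig")
    return sum(getattr(a, f) == getattr(b, f) for f in fields) / len(fields)


def aggregate(alerts: List[Alert], window: int = 60, threshold: float = 1.0) -> List[Alert]:
    """Aggregate by time window first, then by parameter similarity within each window."""
    buckets: Dict[int, List[Alert]] = {}
    for a in sorted(alerts, key=lambda x: x.ts):
        buckets.setdefault(a.ts // window, []).append(a)   # time-based grouping
    merged: List[Alert] = []
    for key in sorted(buckets):
        reps: List[Alert] = []                              # representatives for this window
        for a in buckets[key]:
            for r in reps:
                if similarity(a, r) >= threshold:           # redundant: fold into representative
                    r.count += a.count
                    break
            else:
                reps.append(Alert(a.ts, a.src, a.dst, a.sig, a.count))
        merged.extend(reps)
    return merged


# Hand-written rule (assumed format): name, ordered signature sequence,
# maximum gap in seconds between consecutive steps, priority label.
RULES: List[Tuple[str, Tuple[str, ...], int, str]] = [
    ("scan-then-exploit", ("PORT_SCAN", "EXPLOIT_ATTEMPT"), 300, "high"),
]
PRIORITY_ORDER = {"high": 0, "medium": 1, "low": 2}


def correlate(merged: List[Alert], rules=RULES) -> List[dict]:
    """Rule-based correlation: for each src/dst pair, look for the rule's signatures
    in order, each within the allowed gap of the previous match."""
    by_pair: Dict[Tuple[str, str], List[Alert]] = {}
    for a in merged:
        by_pair.setdefault((a.src, a.dst), []).append(a)
    hits = []
    for name, seq, gap, prio in rules:
        for (src, dst), evs in by_pair.items():
            matched: List[Alert] = []
            for e in sorted(evs, key=lambda x: x.ts):
                if len(matched) < len(seq) and e.sig == seq[len(matched)] \
                        and (not matched or e.ts - matched[-1].ts <= gap):
                    matched.append(e)
            if len(matched) == len(seq):
                hits.append({"rule": name, "priority": prio, "src": src, "dst": dst,
                             "evidence": [m.sig for m in matched]})
    return sorted(hits, key=lambda h: PRIORITY_ORDER[h["priority"]])   # prioritised output


# Constructed sample alerts: three duplicate scans in one window, one scan in
# the next window, an exploit attempt later, plus an unrelated beacon alert.
SAMPLE_ALERTS = [
    Alert(1000, "10.0.0.5", "10.0.0.20", "PORT_SCAN"),
    Alert(1002, "10.0.0.5", "10.0.0.20", "PORT_SCAN"),
    Alert(1005, "10.0.0.5", "10.0.0.20", "PORT_SCAN"),
    Alert(1030, "10.0.0.5", "10.0.0.20", "PORT_SCAN"),
    Alert(1200, "10.0.0.5", "10.0.0.20", "EXPLOIT_ATTEMPT"),
    Alert(1201, "10.0.0.7", "10.0.0.20", "MALWARE_BEACON"),
]

if __name__ == "__main__":
    merged = aggregate(SAMPLE_ALERTS)
    print(f"{len(SAMPLE_ALERTS)} raw alerts -> {len(merged)} aggregated")
    for h in correlate(merged):
        print(h)
```

The two-stage aggregation is what makes the approach scale: grouping by time is cheap and cuts the volume before the quadratic similarity comparison runs inside each window. A real SOC would replace the exact-match similarity with weighted field matching and load rules from the expert and machine-learned rule base the abstract mentions.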
Keywords/Search Tags:SOC, Correlation analysis, Correlation rule, RuleBased