
Design And Implementation Of Correlation Engine In Network Security Situation Analysis System

Posted on: 2016-08-22
Degree: Master
Type: Thesis
Country: China
Candidate: Q Y Yang
Full Text: PDF
GTID: 2298330467991791
Subject: Computer technology

Abstract/Summary:
With the development of information technology in modern society, departments of all kinds depend on the network to carry out their daily work and management. Although schools and other departments have deployed some network security devices, the various anomaly detectors, because of their limitations, fail to recognize normal behaviour and trigger false alarms. There is an urgent need for professional security incident analysis that finds the real threats among vast amounts of security events; this lets users understand the network security situation and improves the efficiency of security management.

A network security situation analysis system obtains related data from different kinds of security devices and software. Security event correlation is then proposed: it collects alarm information from a variety of network security devices, merges repeated alarms, finds the correlations between alarms, and makes the right response to the attack that is detected.

First, the paper introduces the background and the current state of research in the field of network security situation analysis technology. It also introduces the related technology and research on situation analysis, including data pretreatment, event correlation and situation assessment.

Second, the paper carries out a requirements analysis of data collection and the correlation engine, and completes the functional and database design. It then designs and implements data collection and solves the technical difficulties of data collection, normalization and correlation analysis. For data collection, both active and passive acquisition are designed. For normalization, a unified security incident data model is given. The scalability of the data collection framework is preserved through an extensible event data model and dynamic loading.

Third, the correlation engine is designed and implemented. After a study of correlation algorithms, a sequence-of-events association algorithm and a heuristic association algorithm are selected: the sequence-of-events association algorithm is suited to known attacks, while the heuristic association algorithm targets unknown attacks. The paper then discusses the XML-based implementation of association rules, the correlation analysis process, and the design and implementation of the communication between modules.

Finally, experiments are carried out to verify the validity of the correlation engine.
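As an added illustration of the pipeline the abstract describes (normalization into a unified event model, merging of repeated alarms, and sequence-of-events association between the same source and destination), the following Python is not code from the thesis; the two sensor formats, the field names and the sample alarms are constructed for the example.

```python
from collections import defaultdict

# Constructed alarms from two hypothetical sensors with different field names.
RAW_ALARMS = [
    {"sensor": "ids", "sig": "port_scan", "src_ip": "10.0.0.5", "dst_ip": "10.0.1.9", "time": 100},
    {"sensor": "ids", "sig": "port_scan", "src_ip": "10.0.0.5", "dst_ip": "10.0.1.9", "time": 101},
    {"sensor": "ids", "sig": "port_scan", "src_ip": "10.0.0.5", "dst_ip": "10.0.1.9", "time": 102},
    {"sensor": "fw", "event": "AUTH_FAIL", "source": "10.0.0.5", "target": "10.0.1.9", "ts": 130},
    {"sensor": "fw", "event": "AUTH_OK", "source": "10.0.0.5", "target": "10.0.1.9", "ts": 131},
]

# One sequence rule (hypothetical): these event types in order, same src/dst, within 60 s.
SEQUENCE_RULES = [
    {"name": "scan_bruteforce_login", "steps": ["port_scan", "login_failure", "login_success"], "window": 60},
]

def normalize(alarm):
    """Map each sensor's own fields onto the unified event model {type, src, dst, ts}."""
    if alarm["sensor"] == "ids":
        return {"type": alarm["sig"], "src": alarm["src_ip"], "dst": alarm["dst_ip"], "ts": alarm["time"]}
    if alarm["sensor"] == "fw":
        name = {"AUTH_FAIL": "login_failure", "AUTH_OK": "login_success"}[alarm["event"]]
        return {"type": name, "src": alarm["source"], "dst": alarm["target"], "ts": alarm["ts"]}
    raise ValueError("unknown sensor: %s" % alarm["sensor"])

def merge_repeats(events, window=10):
    """Collapse identical (type, src, dst) alarms arriving within `window` seconds into one event with a count."""
    merged = []
    for ev in sorted(events, key=lambda e: e["ts"]):
        last = merged[-1] if merged else None
        same = last and (last["type"], last["src"], last["dst"]) == (ev["type"], ev["src"], ev["dst"])
        if same and ev["ts"] - last["ts"] <= window:
            last["count"] += 1
        else:
            merged.append(dict(ev, count=1))
    return merged

def correlate(events, rules):
    """Sequence-of-events association: report an incident when a rule's steps occur in order
    for the same (src, dst) pair and the whole sequence fits inside the rule's time window."""
    by_pair = defaultdict(list)
    for ev in events:
        by_pair[(ev["src"], ev["dst"])].append(ev)
    incidents = []
    for (src, dst), evs in by_pair.items():
        evs.sort(key=lambda e: e["ts"])
        for rule in rules:
            step, start = 0, None
            for ev in evs:
                if start is not None and ev["ts"] - start > rule["window"]:
                    step, start = 0, None  # window expired: restart matching at this event
                if ev["type"] == rule["steps"][step]:
                    start = ev["ts"] if step == 0 else start
                    step += 1
                    if step == len(rule["steps"]):
                        incidents.append({"rule": rule["name"], "src": src, "dst": dst, "start": start, "end": ev["ts"]})
                        step, start = 0, None
    return incidents

def run(raw=RAW_ALARMS):
    """Full pipeline: normalize -> merge repeats -> correlate. Returns (merged events, incidents)."""
    events = merge_repeats(normalize(a) for a in raw)
    return events, correlate(events, SEQUENCE_RULES)
```

On the sample input the three port-scan alarms collapse into one event with count 3, and the rule fires once for the 10.0.0.5 to 10.0.1.9 pair.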
Keywords/Search Tags: data collection, data normalization, sequence of events association, heuristic association algorithm