
Research On Multi-source Security Event Correlation Analysis On The Bases Of Attack Graph

Posted on: 2017-05-25
Degree: Master
Type: Thesis
Country: China
Candidate: Q Kang
Full Text: PDF
GTID: 2308330485490299
Subject: Computer application technology

Abstract/Summary:
With the development of Internet technology and the popularity of computer networks, security vulnerabilities and malicious network behaviour have sprung up, security events emerge one after another, and the network security situation is becoming more and more serious. To protect the network, traditional security devices such as firewalls and intrusion detection systems are deployed into the network environment. These protect the network system comprehensively, but they also bring problems for administrators: the security devices run independently, with no cooperation or data interaction between them, so it is hard for an administrator to manage a large number of heterogeneous security devices. Adding devices to the network makes the volume of data grow geometrically, and the overwhelming amount of worthless data may bury the meaningful network information. In addition, if the alerts of different devices are handled separately, administrators may miss key information because of the information-island phenomenon. Consequently, integrating and managing the network devices is a hot issue.

This paper proposes a multi-source security event correlation analysis method based on attack graphs. The method consists of alert fusion, alert validation, alert aggregation and alert correlation analysis. Based on rough set theory, we first mine the relationships between alert attributes and put forward a weight calculation method; we then design and implement a multi-level characteristic analysis method to reduce redundant and false alerts. After that, we design a tree-like attack model whose rules are extensible, general and easy to understand. Based on the hierarchical rules, we can associate multi-step alerts, construct the attack scenario, identify the attack intention and forecast the next step of the attack. Finally, we deploy the system platform and conduct experiments on the DARPA data sets and a real network alert data set; the results verify the effectiveness of the proposed analysis method...
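The pipeline the abstract describes (aggregate redundant alerts, then walk multi-step alerts along a tree-like attack model to build a scenario and forecast the next stage) can be illustrated with a small simulation. The code below is an added example and is not the thesis's own implementation: the attack tree, the signature-to-stage rules, the sensor names and the alert stream are all constructed for this illustration, and the rough-set weighting step of the thesis is not reproduced here.

```python
from dataclasses import dataclass

# Hypothetical tree-like attack model (constructed for this example): each node is an
# attack stage and its children are the stages an intrusion may proceed to next.
ATTACK_TREE = {
    "recon":   {"children": ["exploit"]},
    "exploit": {"children": ["privesc", "persist"]},
    "privesc": {"children": ["exfil"]},
    "persist": {"children": ["exfil"]},
    "exfil":   {"children": []},
}
ROOT = "recon"

# Hypothetical hierarchical rules mapping a sensor's alert signature to a stage.
SIGNATURE_TO_STAGE = {
    "PORTSCAN": "recon",
    "WEB_RCE_ATTEMPT": "exploit",
    "SUID_ABUSE": "privesc",
    "CRON_PERSIST": "persist",
    "LARGE_OUTBOUND": "exfil",
}


@dataclass
class Alert:
    ts: int       # seconds since an arbitrary epoch
    sensor: str   # which heterogeneous device raised it
    sig: str      # normalised signature name
    src: str
    dst: str


def aggregate(alerts, window=60):
    """Alert aggregation: collapse repeats of the same (sig, src, dst) inside `window` seconds."""
    kept, first_seen = [], {}
    for a in sorted(alerts, key=lambda x: x.ts):
        key = (a.sig, a.src, a.dst)
        if key in first_seen and a.ts - first_seen[key] <= window:
            continue                      # redundant repeat of an alert already kept
        first_seen[key] = a.ts
        kept.append(a)
    return kept


def correlate(alerts):
    """Alert correlation: per (src, dst) pair, accept alerts only in an order the tree allows.

    Returns (scenarios, unmatched). A scenario records the accepted stages in order; alerts that
    do not fit the model (unknown signature, or a stage with no admissible predecessor) are kept
    aside rather than silently dropped, so an analyst can review model gaps.
    """
    scenarios, unmatched = {}, []
    for a in aggregate(alerts):
        stage = SIGNATURE_TO_STAGE.get(a.sig)
        if stage is None:
            unmatched.append(a)
            continue
        key = (a.src, a.dst)
        sc = scenarios.get(key)
        cur = sc["current"] if sc else None
        allowed = [ROOT] if cur is None else ATTACK_TREE[cur]["children"]
        if stage == cur:
            continue                      # same stage from another sensor: fused into the existing step
        if stage not in allowed:
            unmatched.append(a)           # e.g. exfil with no preceding stages for this pair
            continue
        if sc is None:
            sc = scenarios[key] = {"stages": [], "current": None}
        sc["stages"].append((a.ts, stage, a.sensor))
        sc["current"] = stage
    return scenarios, unmatched


def predict_next(scenario):
    """Forecast: the stages reachable from the scenario's current node in the attack tree."""
    cur = scenario["current"]
    return ATTACK_TREE[cur]["children"] if cur else [ROOT]


# Constructed alert stream from several sensors (not real data).
SAMPLE_ALERTS = [
    Alert(100, "ids-a",  "PORTSCAN",        "10.0.0.5",  "10.0.0.20"),
    Alert(101, "ids-a",  "PORTSCAN",        "10.0.0.5",  "10.0.0.20"),  # repeat, aggregated away
    Alert(200, "fw-b",   "PORTSCAN",        "10.0.0.5",  "10.0.0.20"),  # outside window, same stage: fused
    Alert(300, "waf-c",  "WEB_RCE_ATTEMPT", "10.0.0.5",  "10.0.0.20"),
    Alert(900, "hids-d", "SUID_ABUSE",      "10.0.0.5",  "10.0.0.20"),
    Alert(950, "ids-a",  "LARGE_OUTBOUND",  "10.0.0.99", "10.0.0.20"),  # no prior stages: unmatched
]

if __name__ == "__main__":
    scen, left = correlate(SAMPLE_ALERTS)
    for pair, sc in scen.items():
        print(pair, [s for _, s, _ in sc["stages"]], "next:", predict_next(sc))
    print("unmatched:", [(a.ts, a.sig) for a in left])
```

On the sample stream the six raw alerts reduce to five after aggregation, the (10.0.0.5, 10.0.0.20) pair yields the scenario recon, exploit, privesc with exfil forecast as the next stage, and the lone LARGE_OUTBOUND alert for the other pair is reported as unmatched rather than being attached to a scenario it cannot belong to under the model.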
Keywords/Search Tags: Characteristic analysis, Rough set theory, Attack graph, Correlation, Attack scenario