
Intrusion Alert Correlation Based On Multi-source Heterogeneous Security Data Fusion

Posted on: 2016-11-11
Degree: Master
Type: Thesis
Country: China
Candidate: C H Ding
Full Text: PDF
GTID: 2348330479453316
Subject: Information security

Abstract/Summary:
With the popularity of the Internet and the advance of computer technology, society is developing rapidly and people's lives are becoming more convenient. While benefiting from the rapid development of information technology, people also suffer network attacks everywhere. Network attacks are becoming more and more covert, deceptive and latent. Traditional security systems such as firewalls, intrusion detection systems and vulnerability scanners produce a vast amount of data every day. These data have different syntactic formats and different semantics. Moreover, the output of an IDS contains a large number of false alarms and redundant alarms. These factors prevent the security administrator from understanding the current security status intuitively and accurately. Therefore, research on multi-source heterogeneous security data fusion and on intrusion alert correlation analysis will help to reconstruct attack scenarios accurately and reflect the network security status intuitively.

On the foundation of a summary and analysis of existing research on heterogeneous data fusion and intrusion alert correlation, and on the basis of ontology, the artificial immune algorithm and description logic reasoning, we put forward a method of intrusion alert correlation based on multi-source heterogeneous security data fusion. This method can effectively fuse the results of multiple security systems and reconstruct attack scenarios accurately. Existing data fusion methods cannot effectively solve the problem of semantic fusion of multi-source heterogeneous security data. To solve this problem, the thesis draws lessons from the Semantic Web and uses ontologies to express the multi-source heterogeneous security data, forming several application ontologies. Ontology mapping and property correlation are then used to merge the application ontologies into a task ontology. We then put forward a hybrid intrusion alert correlation method.

This method first uses the artificial immune algorithm to cluster the intrusion alerts so that alerts belonging to the same attack scenario are grouped together. It then uses ontology reasoning to determine each alert's credibility in order to remove false alerts, find missing alerts and eventually reconstruct the attack scenario. Finally, we implement the intrusion alert correlation system based on multi-source heterogeneous security data fusion and design an experiment to verify the effectiveness and accuracy of the system.
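The pipeline the abstract describes (normalise heterogeneous records into one schema, group alerts into candidate scenarios, judge each alert's credibility against the other sources, and report steps that appear to be missing) can be illustrated with a much simpler stand-in. The following is an added example, not code from the thesis: a keyword mapping stands in for the ontology, a per-attacker time-window grouping stands in for the artificial immune clustering, and a handful of corroboration rules (firewall verdict, vulnerability-scan result) stand in for description-logic reasoning. All record formats, field names, thresholds and sample data are constructed assumptions.

```python
"""Simplified multi-source alert correlation (illustrative, not the thesis's method)."""
from dataclasses import dataclass
from typing import Dict, List, Optional, Set, Tuple

# Constructed sample records in three different native formats (assumed schemas).
IDS_ALERTS = [
    {"id": "ids-1", "msg": "SSH brute force attempt", "src": "10.0.0.5", "dst": "10.0.0.20", "dport": 22, "ts": 100},
    {"id": "ids-2", "msg": "SQL injection in HTTP request", "src": "10.0.0.5", "dst": "10.0.0.30", "dport": 80, "ts": 160},
    {"id": "ids-3", "msg": "Port scan detected", "src": "10.0.0.9", "dst": "10.0.0.40", "dport": 443, "ts": 900},
]
FIREWALL_LOGS = [
    {"action": "DENY", "source_ip": "10.0.0.5", "dest_ip": "10.0.0.20", "dest_port": 22, "time": 99},
    {"action": "ALLOW", "source_ip": "10.0.0.5", "dest_ip": "10.0.0.30", "dest_port": 80, "time": 158},
]
# Vulnerability scanner output: (host, port) -> set of attack categories the host is exposed to.
VULN_SCAN: Dict[Tuple[str, int], Set[str]] = {("10.0.0.30", 80): {"exploit"}, ("10.0.0.20", 22): set()}

# Keyword-to-category mapping: a crude stand-in for the shared ontology.
KEYWORDS = {"scan": "recon", "brute": "bruteforce", "injection": "exploit"}
# Expected stage order used to spot steps that no source reported.
STAGES = ["recon", "bruteforce", "exploit"]


@dataclass
class Alert:
    """Common schema every source is mapped into."""
    id: str
    source: str
    src: str
    dst: str
    dport: int
    ts: int
    category: str
    credibility: float = 0.5


def normalize_ids(rec: dict) -> Alert:
    """Map a raw IDS record into the common schema."""
    msg = rec["msg"].lower()
    cat = next((c for k, c in KEYWORDS.items() if k in msg), "unknown")
    return Alert(rec["id"], "ids", rec["src"], rec["dst"], rec["dport"], rec["ts"], cat)


def firewall_decision(alert: Alert, logs: List[dict], window: int = 10) -> Optional[str]:
    """Return the firewall verdict for the same flow within `window` seconds, if any."""
    for log in logs:
        same_flow = (log["source_ip"], log["dest_ip"], log["dest_port"]) == (alert.src, alert.dst, alert.dport)
        if same_flow and abs(log["time"] - alert.ts) <= window:
            return log["action"]
    return None


def score(alert: Alert, logs: List[dict], scan: Dict[Tuple[str, int], Set[str]]) -> float:
    """Credibility: corroboration raises it, contradiction lowers it (weights are assumptions)."""
    c = 0.5
    verdict = firewall_decision(alert, logs)
    if verdict == "ALLOW":
        c += 0.2  # traffic actually reached the target
    elif verdict == "DENY":
        c -= 0.3  # firewall blocked the flow; the attack could not land
    exposed = scan.get((alert.dst, alert.dport))
    if exposed is not None:
        c += 0.3 if alert.category in exposed else -0.1
    return round(c, 2)


def cluster(alerts: List[Alert], window: int = 300) -> List[List[Alert]]:
    """Group alerts from the same source address that fall within `window` seconds of each other."""
    clusters: List[List[Alert]] = []
    for a in sorted(alerts, key=lambda x: x.ts):
        for cl in clusters:
            if cl[-1].src == a.src and a.ts - cl[-1].ts <= window:
                cl.append(a)
                break
        else:
            clusters.append([a])
    return clusters


def correlate(ids_alerts, fw_logs, scan, threshold: float = 0.4) -> dict:
    """Full pipeline: normalise, score, suppress low-credibility alerts, cluster, report gaps."""
    alerts = [normalize_ids(r) for r in ids_alerts]
    for a in alerts:
        a.credibility = score(a, fw_logs, scan)
    kept = [a for a in alerts if a.credibility >= threshold]
    suppressed = [a.id for a in alerts if a.credibility < threshold]
    scenarios = []
    for cl in cluster(kept):
        seen = {a.category for a in cl}
        last = max(STAGES.index(c) for c in seen if c in STAGES) if seen & set(STAGES) else -1
        missing = [s for s in STAGES[:last] if s not in seen]  # earlier stages nobody reported
        scenarios.append({"attacker": cl[0].src, "alerts": [a.id for a in cl], "missing_steps": missing})
    return {"scenarios": scenarios, "suppressed": suppressed}


if __name__ == "__main__":
    print(correlate(IDS_ALERTS, FIREWALL_LOGS, VULN_SCAN))
```

On the constructed data the brute-force alert is suppressed because the firewall denied that flow, the SQL-injection alert is strengthened because the flow was allowed and the scanner reports the target as exposed, and the resulting scenario is reported with its unobserved earlier stages, which is the kind of "missing alert" a correlation engine would hand back to the analyst.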
Keywords/Search Tags: Semantic Fusion, Alert Correlation, Ontology, Description Logic, Artificial Immune