With the rapid development of information and Internet technology, we enjoy a steady stream of conveniences brought by technological progress, but that progress has also brought problems. From enterprise server clusters to ordinary personal computers, every host is exposed to network attacks. Although a variety of network security devices are on the market, attackers' techniques are becoming increasingly complex, so the security logs generated by each device grow in volume and complexity and their readability gets worse. The useful information is buried in these massive sets of IDS alerts. Therefore, reducing false positives, performing correlation analysis, mining hidden attack patterns and reconstructing the attack scenario, so as to discover the real intention behind an attack, allows attacks to be prevented more effectively. In view of these problems, this paper makes a thorough study and proposes a system based on correlation analysis of IDS alerts: (1) It analyzes the characteristics that distinguish false positives from real alerts and performs a preliminary screening of false positives. (2) It then clusters alerts by attribute similarity, further reducing the number of alerts. (3) According to the characteristics of multi-step attacks, it correlates alerts by their causal relationships. Building on the attack correlation methods proposed by earlier work, the paper also proposes a reverse causation algorithm that turns alert information into a complete attack path. (4) It designs and builds an IDS alert correlation analysis system which, based on correlation analysis technology, completes the whole process from the initial IDS alerts to the attack rules. Experiments show that the algorithm reduces the number of alerts, improves the efficiency of alert processing, and contributes to identifying the attacker's purpose and improving alert accuracy.
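The four-stage pipeline summarized above, as an added illustration that is not the paper's code and does not reproduce its algorithms: the false-positive screen (dropping alerts whose signature targets a service the victim does not run), the attribute similarity weights and threshold, the prerequisite/consequence knowledge base, the asset inventory and the sample alerts are all assumptions constructed for this example. The reverse step starts from a terminal alert and walks back through its causal predecessors to recover the attack path in order.

```python
"""Illustrative IDS alert correlation pipeline (constructed example, not the paper's code)."""
from collections import defaultdict

# Constructed sample IDS alerts: id, signature, source, destination, timestamp (seconds).
ALERTS = [
    {"id": 1, "sig": "ICMP sweep",    "src": "10.0.0.5",     "dst": "192.168.1.10", "ts": 100},
    {"id": 2, "sig": "ICMP sweep",    "src": "10.0.0.5",     "dst": "192.168.1.10", "ts": 104},
    {"id": 3, "sig": "ICMP sweep",    "src": "10.0.0.5",     "dst": "192.168.1.10", "ts": 109},
    {"id": 4, "sig": "SMB probe",     "src": "10.0.0.5",     "dst": "192.168.1.10", "ts": 200},
    {"id": 5, "sig": "IIS exploit",   "src": "10.0.0.5",     "dst": "192.168.1.10", "ts": 250},
    {"id": 6, "sig": "SMB exploit",   "src": "10.0.0.5",     "dst": "192.168.1.10", "ts": 300},
    {"id": 7, "sig": "Reverse shell", "src": "192.168.1.10", "dst": "10.0.0.5",     "ts": 350},
    {"id": 8, "sig": "DNS query",     "src": "192.168.1.20", "dst": "8.8.8.8",      "ts": 320},
]

# Assumed asset inventory: the services each protected host actually runs.
ASSETS = {"192.168.1.10": {"smb"}, "192.168.1.20": {"dns"}}

# Assumed knowledge base: the service a signature needs on the victim, plus the
# prerequisite ("pre") and consequence ("post") predicates used for causal linking.
KB = {
    "ICMP sweep":    {"needs": None,   "pre": set(),          "post": {"host_alive"}},
    "SMB probe":     {"needs": "smb",  "pre": {"host_alive"}, "post": {"smb_open"}},
    "IIS exploit":   {"needs": "http", "pre": {"host_alive"}, "post": {"web_shell"}},
    "SMB exploit":   {"needs": "smb",  "pre": {"smb_open"},   "post": {"shell"}},
    "Reverse shell": {"needs": None,   "pre": {"shell"},      "post": {"c2"}},
    "DNS query":     {"needs": None,   "pre": set(),          "post": set()},
}


def screen_false_positives(alerts):
    """Step 1: drop alerts whose signature needs a service the victim does not run."""
    kept = []
    for a in alerts:
        needs = KB[a["sig"]]["needs"]
        if needs is not None and a["dst"] in ASSETS and needs not in ASSETS[a["dst"]]:
            continue  # e.g. an IIS exploit fired at a host with no web server
        kept.append(a)
    return kept


def similarity(a, b, window=60):
    """Weighted attribute similarity in [0, 1]: signature, source, destination, time."""
    score = 0.4 if a["sig"] == b["sig"] else 0.0
    score += 0.25 if a["src"] == b["src"] else 0.0
    score += 0.25 if a["dst"] == b["dst"] else 0.0
    score += 0.1 * max(0.0, 1 - abs(a["ts"] - b["ts"]) / window)
    return score


def cluster_alerts(alerts, threshold=0.9):
    """Step 2: merge each alert into the first cluster it is similar enough to,
    comparing against the cluster's most recent member so a burst can slide in time."""
    clusters = []
    for a in sorted(alerts, key=lambda x: x["ts"]):
        for c in clusters:
            if similarity({**c, "ts": c["ts_end"]}, a) >= threshold:
                c["count"] += 1
                c["members"].append(a["id"])
                c["ts_end"] = a["ts"]
                break
        else:
            clusters.append({**a, "count": 1, "members": [a["id"]], "ts_end": a["ts"]})
    return clusters


def causal_links(clusters):
    """Step 3 (forward): link A -> B when A's consequences satisfy B's prerequisites,
    A precedes B, and both involve the same pair of hosts in either direction."""
    links = defaultdict(list)  # successor id -> predecessor ids
    for a in clusters:
        for b in clusters:
            if a is b or a["ts"] >= b["ts"]:
                continue
            same_hosts = {a["src"], a["dst"]} == {b["src"], b["dst"]}
            if KB[a["sig"]]["post"] & KB[b["sig"]]["pre"] and same_hosts:
                links[b["id"]].append(a["id"])
    return links


def reverse_attack_path(clusters, links, end_id):
    """Reverse step: from the final alert walk back through the latest satisfying
    predecessor at each hop, returning the signatures in attack order."""
    by_id = {c["id"]: c for c in clusters}
    path, cur = [end_id], end_id
    while links.get(cur):
        cur = max(links[cur], key=lambda i: by_id[i]["ts"])
        path.append(cur)
    return [by_id[i]["sig"] for i in reversed(path)]


def run_pipeline(alerts=ALERTS):
    """Screen, cluster, link, then trace a path back from every terminal alert."""
    clusters = cluster_alerts(screen_false_positives(alerts))
    links = causal_links(clusters)
    has_pred = set(links)
    has_succ = {p for ps in links.values() for p in ps}
    ends = [c["id"] for c in clusters if c["id"] in has_pred and c["id"] not in has_succ]
    return clusters, {e: reverse_attack_path(clusters, links, e) for e in ends}


if __name__ == "__main__":
    clusters, paths = run_pipeline()
    print(f"{len(ALERTS)} raw alerts -> {len(clusters)} hyper-alerts")
    for end, path in paths.items():
        print(f"attack path ending at alert {end}: " + " -> ".join(path))
```

On the constructed input the eight raw alerts collapse to five hyper-alerts (the three sweeps merge, the IIS exploit is screened out as irrelevant to the victim) and the unrelated DNS query stays unlinked, while the remaining alerts chain into one path from sweep to reverse shell. A real deployment would replace the hand-written knowledge base with one derived from the IDS rule set and the asset inventory with live data.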