
Research And Implementation Of Alert Fusion Technology For Network Security Situational Awareness

Posted on: 2019-10-15
Degree: Master
Type: Thesis
Country: China
Candidate: K Ma
Full Text: PDF
GTID: 2428330623450976
Subject: Engineering

Abstract/Summary:
As network security problems grow more serious, traditional single-point defenses such as firewalls, intrusion detection systems and anti-virus systems are increasingly overstretched. Network security situational awareness, a new generation of protection system, therefore plays an ever more important role. It extracts, perceives, evaluates and predicts multi-source events in the current network in order to understand and control the overall network state. Data fusion is one of its key technologies. In this paper, taking the alarm events generated by an intrusion detection system as the data source, we propose an alarm fusion model. The main work covers the following aspects:

1) We surveyed the current development of data fusion technology in China and abroad in depth, and compared the advantages and disadvantages of the various data fusion techniques.

2) The alarm fusion system in this paper is built on Snort and therefore inherits Snort's shortcomings, such as alarm redundancy and the low semantic level of alarm events. Since the alarm events generated by the same attack event are similar to one another, an alarm fusion model based on attribute similarity and the analytic hierarchy process (AHP) is proposed. The model first computes the similarity of each attribute field of two alarms, including source/destination IP address, source/destination port, attack type and detection time; it then uses AHP to determine the relative weights of the attributes, and finally obtains the overall similarity of the two alarms. Fusion occurs only if the similarity of two alarms exceeds a preset threshold; this threshold is learned from experimental data.

3) Time attributes play a very important role in the alarm fusion process. In general the time span of an attack is uncertain, and successive alarms generated by one continuous attack are separated by only a small interval, whereas alarms generated by different types of attack, or by different sub-steps of the same attack, are separated by a noticeable gap. This paper proposes a partition-based dynamic time window alarm fusion model that exploits this "closeness" between the alarms of a continuous attack or of the same operation within an attack. First, all alarms in the alarm buffer are sorted in chronological order. Second, starting from the first alarm as a new time window, each subsequent alarm is assigned to the previous alarm's window if the time difference between the previous alarm and the current alarm is less than the preset adjacent-alarm interval threshold; otherwise the previous window is closed and a new window is opened at the current alarm's time. In this way all alarms are partitioned into time windows, and the alarms within a single window are then merged.

4) Based on the proposed alarm fusion algorithms, a Snort-based alarm fusion system is designed and implemented. The system consists of a data acquisition module, an alarm filtering module and an alarm aggregation module. The data acquisition module collects alarms, formats the data and performs preliminary filtering of alarm events; the alarm filtering module builds filtering rules from a knowledge base of the target system and filters out false alarms that are unrelated to the target system or pose no threat to it; the aggregation module merges alarms using the proposed algorithms. The three modules are cascaded and work together to eliminate redundant alarms and merge similar ones, improving data quality and providing technical support for situational awareness.

5) The experiments are conducted on the DARPA 1999 dataset. They first search for suitable values of the threshold parameters in the experimental setup, and then compare the fusion effect of the three fusion methods. The experimental results show that the proposed algorithm essentially achieves the expected results. The paper closes with a summary of the work and an outline of future work.
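The two fusion steps described in points 2) and 3) above, worked through in code. This is an added example, not code from the thesis or from Snort: the per-attribute similarity measures (leading-octet IP match, exact match for ports and attack type, a linear decay for time), the Saaty-scale pairwise judgments fed to AHP, the 60-second window gap, the 0.8 fusion threshold and the six sample alerts are all assumptions constructed for illustration. The thesis learns its threshold from experimental data; here it is simply a parameter.

```python
"""Partitioned dynamic-time-window alert fusion with AHP-weighted attribute
similarity. Added example; measures, judgments, thresholds and sample alerts
are assumptions, not values from the thesis."""
from dataclasses import dataclass, field
import math


@dataclass
class Alert:
    ts: float          # detection time in seconds (constructed)
    src_ip: str
    dst_ip: str
    src_port: int
    dst_port: int
    atype: str         # attack type / rule class (constructed labels)


@dataclass
class FusedAlert:
    rep: Alert                          # first alert of the cluster
    members: list = field(default_factory=list)

    @property
    def count(self):
        return len(self.members)


# --- AHP: relative weights of the six attributes -------------------------
ATTRS = ["src_ip", "dst_ip", "src_port", "dst_port", "atype", "time"]
# Pairwise judgments on Saaty's 1..9 scale (assumed): IPs and attack type
# matter most, ports least, time in between.
PAIRWISE = [
    [1,   1,   3, 3, 1,   2],
    [1,   1,   3, 3, 1,   2],
    [1/3, 1/3, 1, 1, 1/3, 1/2],
    [1/3, 1/3, 1, 1, 1/3, 1/2],
    [1,   1,   3, 3, 1,   2],
    [1/2, 1/2, 2, 2, 1/2, 1],
]
RANDOM_INDEX = {3: 0.58, 4: 0.90, 5: 1.12, 6: 1.24, 7: 1.32}  # Saaty's RI


def ahp_weights(matrix):
    """Priority vector by the row geometric-mean method, plus the consistency
    ratio so that incoherent judgments can be rejected (CR should be < 0.1)."""
    n = len(matrix)
    gm = [math.prod(row) ** (1 / n) for row in matrix]
    w = [g / sum(gm) for g in gm]
    lam = sum(sum(a * wj for a, wj in zip(row, w)) / wi
              for row, wi in zip(matrix, w)) / n
    ci = (lam - n) / (n - 1)
    return w, ci / RANDOM_INDEX[n]


# --- Attribute similarity ------------------------------------------------
def ip_sim(a, b):
    """Fraction of leading octets shared: 1.0 identical, 0.75 same /24, ..."""
    shared = 0
    for x, y in zip(a.split("."), b.split(".")):
        if x != y:
            break
        shared += 1
    return shared / 4


def alert_similarity(a, b, weights, time_scale=60.0):
    """Weighted sum of per-attribute similarities, in ATTRS order."""
    sims = [
        ip_sim(a.src_ip, b.src_ip),
        ip_sim(a.dst_ip, b.dst_ip),
        1.0 if a.src_port == b.src_port else 0.0,
        1.0 if a.dst_port == b.dst_port else 0.0,
        1.0 if a.atype == b.atype else 0.0,
        max(0.0, 1.0 - abs(a.ts - b.ts) / time_scale),
    ]
    return sum(s * w for s, w in zip(sims, weights))


# --- Dynamic time windows and fusion -------------------------------------
def partition_windows(alerts, gap):
    """Sort by time; open a new window whenever the distance to the previous
    alert reaches the adjacent-alert interval threshold `gap`."""
    windows = []
    for a in sorted(alerts, key=lambda x: x.ts):
        if windows and a.ts - windows[-1][-1].ts < gap:
            windows[-1].append(a)
        else:
            windows.append([a])
    return windows


def fuse_window(window, weights, threshold):
    """Greedy fusion inside one window: join the first cluster whose
    representative alert is similar enough, otherwise start a new cluster."""
    clusters = []
    for a in window:
        for c in clusters:
            if alert_similarity(a, c.rep, weights) >= threshold:
                c.members.append(a)
                break
        else:
            clusters.append(FusedAlert(rep=a, members=[a]))
    return clusters


def fuse_alerts(alerts, gap=60.0, threshold=0.8):
    weights, cr = ahp_weights(PAIRWISE)
    if cr >= 0.1:
        raise ValueError(f"AHP judgments inconsistent (CR={cr:.3f})")
    fused = []
    for w in partition_windows(alerts, gap):
        fused.extend(fuse_window(w, weights, threshold))
    return fused


# Constructed sample: a repeated web attack from one host and a scan from
# another, then the same two sources again after a long pause.
SAMPLE = [
    Alert(0,   "10.0.0.5",  "192.168.1.10", 40001, 80, "WEB-ATTACK"),
    Alert(2,   "10.0.0.5",  "192.168.1.10", 40002, 80, "WEB-ATTACK"),
    Alert(5,   "10.0.0.5",  "192.168.1.10", 40003, 80, "WEB-ATTACK"),
    Alert(9,   "10.0.0.99", "192.168.1.20", 5555,  22, "PORTSCAN"),
    Alert(400, "10.0.0.5",  "192.168.1.10", 40010, 80, "WEB-ATTACK"),
    Alert(401, "10.0.0.99", "192.168.1.20", 5556,  22, "PORTSCAN"),
]

if __name__ == "__main__":
    for f in fuse_alerts(SAMPLE):
        print(f"{f.count} alert(s) {f.rep.src_ip} -> {f.rep.dst_ip}:"
              f"{f.rep.dst_port} {f.rep.atype} t={f.rep.ts}..{f.members[-1].ts}")
```

With these assumptions the six alerts fall into two windows (the 391-second pause splits them) and collapse to four fused alerts: the three web-attack alarms differ only in source port and a few seconds of time, so their weighted similarity stays above 0.8, while the scan alarm shares only the /24 of each address with them and stays separate. Raising the threshold to 0.95 leaves all six unmerged, which is the trade-off the threshold parameter controls. The consistency ratio returned by `ahp_weights` is the check worth keeping in a real deployment: it catches a weight table whose pairwise judgments contradict each other before those weights silently distort every similarity score.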
Keywords/Search Tags:Situational Awareness, Alarm Fusion, Snort, Attribute Similarity, Analytic Hierarchy Process, Dynamic Time Window