
Research And Implementation Of Information Network Intrusion Detection And Alert Correlation Technology

Posted on: 2018-06-06
Degree: Master
Type: Thesis
Country: China
Candidate: X F Zhang
Full Text: PDF
GTID: 2428330623950541
Subject: Computer Science and Technology

Abstract/Summary:
In recent years, with the rapid growth of security incidents, network security has drawn the attention of many countries. Since the first security breach was discovered in 1980, cyber-attacks have become increasingly complex and difficult to detect. Intrusion detection technology is widely used as a protective measure against network attacks; it covers techniques such as vulnerability detection, network security connection inspection, and system or network log analysis. With the rapid development of machine learning (ML), more and more attention has been paid to applying ML to data-driven intrusion detection, and practice has shown that ML-based intrusion detection is an effective means of system protection.

However, as attack techniques become more complex and ever-changing, problems have gradually emerged in applying intrusion detection technology within intrusion detection systems. First, an intrusion detection system operates at a low network layer, and the raw alerts it issues are mostly isolated, so the implicit correlation between alerts is not reflected. Secondly, the volume of raw alerts is huge and complicated, different intrusion detection sensors do not exchange data, and the intrusion detection system cannot process and analyze the low-level alerts. The massive number of alerts is therefore a heavy burden on the system security administrator, who cannot understand the attacker's real intent in time and respond accordingly to defend the system.

To solve these problems, this thesis focuses on two aspects of network security: information network intrusion detection methods and alert correlation techniques.

For the problem of intrusion detection in information networks, we design a semi-supervised intrusion detection model based on feature selection. The semi-supervised approach trains the detection model from a small amount of labelled data and a large amount of unlabelled data, thus avoiding the high cost of labelling data. In the first stage, to remove features that contribute little to classification, the dataset is processed before classification with a feature selection method based on information gain: features whose information gain is below a threshold are removed. The processed data is then used as input to the second stage, in which we apply Laplacian Support Vector Machines (LapSVM), a manifold-assumption method that works well in image classification, as the core algorithm of the training model. Experiments on NSL-KDD show that our framework achieves an accuracy of 97.8% with a false-positive rate of 2%.

For the problem of alert correlation analysis, we design an alert correlation model based on causal correlation. It uses a causal correlation method with an expert knowledge base to explore the relationships between alerts, restore the attack path of complex multi-step attack events, and further analyze the attacker's intention. The model is divided into four modules: alert data collection, alert data preprocessing, alert correlation, and alert correlation result display. The preprocessing module converts raw alerts into uniform hyperalerts. The correlation module analyzes the causal correlation between hyperalerts using the causal correlation knowledge base, obtaining a hyperalert sequence that reflects the attack path of a complex attack. The result display module presents the resulting hyperalert correlation graph to the system security administrator as a directed acyclic graph. Experimental verification and analysis on the DARPA 2000 Intrusion Detection Data Sets show that the proposed model restores the attack phases of DDoS attacks accurately. The hyperalert correlation result shows that the module clearly and comprehensively reflects the complete attack scenario of complex attack events, helping the system security administrator analyze the attacker's strategies and intentions and respond in time.

In summary, this thesis conducts in-depth research on semi-supervised intrusion detection methods and alert correlation techniques. We put forward theoretical models of great practical value and verify them experimentally, thus realizing effective detection and in-depth analysis of network attacks.
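The first stage described above, information-gain feature selection with a threshold, as an added example that is not code from the thesis. It runs on a small constructed dataset of discrete connection records standing in for NSL-KDD rows (in NSL-KDD the continuous features would first be discretized into bins, which is an assumption here); the feature names, values and the threshold 0.1 are constructed, not taken from the thesis.

```python
import math
from collections import Counter, defaultdict

# Constructed toy records: discrete connection attributes plus a label.
# Values imitate NSL-KDD categories but are invented for this example.
FEATURES = ["protocol", "flag", "service", "duration_bin"]
RECORDS = [
    ({"protocol": "tcp",  "flag": "S0", "service": "http",    "duration_bin": "short"}, "attack"),
    ({"protocol": "tcp",  "flag": "S0", "service": "http",    "duration_bin": "short"}, "attack"),
    ({"protocol": "tcp",  "flag": "S0", "service": "private", "duration_bin": "long"},  "attack"),
    ({"protocol": "udp",  "flag": "SF", "service": "domain",  "duration_bin": "short"}, "normal"),
    ({"protocol": "tcp",  "flag": "SF", "service": "http",    "duration_bin": "long"},  "normal"),
    ({"protocol": "tcp",  "flag": "SF", "service": "smtp",    "duration_bin": "short"}, "normal"),
    ({"protocol": "icmp", "flag": "SF", "service": "eco_i",   "duration_bin": "long"},  "attack"),
    ({"protocol": "tcp",  "flag": "SF", "service": "http",    "duration_bin": "short"}, "normal"),
]


def entropy(labels):
    """Shannon entropy H(Y) in bits of a list of class labels."""
    n = len(labels)
    return -sum(c / n * math.log2(c / n) for c in Counter(labels).values())


def information_gain(records, feature):
    """IG(Y; X) = H(Y) - sum_v P(X=v) * H(Y | X=v) for one discrete feature."""
    labels = [y for _, y in records]
    groups = defaultdict(list)
    for x, y in records:
        groups[x[feature]].append(y)
    n = len(records)
    conditional = sum(len(g) / n * entropy(g) for g in groups.values())
    return entropy(labels) - conditional


def select_features(records, features, threshold):
    """Rank features by information gain; keep those at or above the threshold."""
    scored = sorted(((f, information_gain(records, f)) for f in features),
                    key=lambda t: -t[1])
    kept = [f for f, ig in scored if ig >= threshold]
    dropped = [f for f, ig in scored if ig < threshold]
    return kept, dropped


def project(records, kept):
    """Reduce each record to the kept features (input for the classifier stage)."""
    return [({f: x[f] for f in kept}, y) for x, y in records]


if __name__ == "__main__":
    kept, dropped = select_features(RECORDS, FEATURES, threshold=0.1)
    for f in FEATURES:
        print(f"{f:13s} IG = {information_gain(RECORDS, f):.4f}")
    print("kept:", kept, "dropped:", dropped)
    print("first reduced record:", project(RECORDS, kept)[0])
```

The threshold is the tunable part: raising it removes more weakly informative features (here `duration_bin` is the only one below 0.1) and shrinks the input handed to the second-stage classifier.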
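The causal correlation step described above, as an added example that is not code from the thesis. It assumes a prerequisite/consequence style knowledge base: each hyperalert type has prerequisite predicates and consequence predicates bound to the alert's source or destination host, and hyperalert A is linked to a later hyperalert B when a consequence of A instantiates a prerequisite of B. The stage names, the knowledge base entries, the hyperalerts and the hosts are all constructed for this example; the thesis's own knowledge base and hyperalert format are not on the page.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class HyperAlert:
    """Uniform hyperalert produced by the preprocessing module (constructed format)."""
    id: int
    kind: str
    src: str
    dst: str
    ts: int  # seconds since start of capture


# Constructed knowledge base. Each predicate is (name, role); the role names
# which hyperalert field ("src" or "dst") the predicate is bound to.
KNOWLEDGE_BASE = {
    "IP_SWEEP":       {"pre": set(),                         "post": {("HostAlive", "dst")}},
    "SERVICE_PROBE":  {"pre": {("HostAlive", "dst")},        "post": {("ServiceExposed", "dst")}},
    "REMOTE_EXPLOIT": {"pre": {("ServiceExposed", "dst")},   "post": {("HostCompromised", "dst")}},
    "AGENT_INSTALL":  {"pre": {("HostCompromised", "dst")},  "post": {("AgentReady", "dst")}},
    "DDOS_LAUNCH":    {"pre": {("AgentReady", "src")},       "post": {("FloodStarted", "dst")}},
}

# Constructed hyperalert stream: one complete multi-step chain against 10.0.0.5,
# an unfinished probe of 10.0.0.7, and one isolated alert on 10.0.0.9.
ATTACKER = "198.51.100.23"
ALERTS = [
    HyperAlert(1, "IP_SWEEP",       ATTACKER,   "10.0.0.5",    1),
    HyperAlert(2, "IP_SWEEP",       ATTACKER,   "10.0.0.7",    2),
    HyperAlert(3, "SERVICE_PROBE",  ATTACKER,   "10.0.0.5",    3),
    HyperAlert(4, "REMOTE_EXPLOIT", ATTACKER,   "10.0.0.5",    4),
    HyperAlert(5, "AGENT_INSTALL",  ATTACKER,   "10.0.0.5",    5),
    HyperAlert(6, "DDOS_LAUNCH",    "10.0.0.5", "203.0.113.9", 6),
    HyperAlert(7, "SERVICE_PROBE",  ATTACKER,   "10.0.0.7",    7),
    HyperAlert(8, "REMOTE_EXPLOIT", ATTACKER,   "10.0.0.9",    8),
]


def instantiate(predicates, alert):
    """Bind abstract predicates to the concrete host named by their role."""
    return {(name, getattr(alert, role)) for name, role in predicates}


def correlate(alerts, window=3600):
    """Build the hyperalert correlation DAG as {id: [successor ids]}.

    Edge a -> b exists when a precedes b within `window` seconds and some
    consequence of a is a prerequisite of b. Time ordering keeps the graph acyclic.
    """
    ordered = sorted(alerts, key=lambda a: a.ts)
    edges = {a.id: [] for a in ordered}
    for i, a in enumerate(ordered):
        post = instantiate(KNOWLEDGE_BASE[a.kind]["post"], a)
        for b in ordered[i + 1:]:
            if b.ts - a.ts > window:
                break
            pre = instantiate(KNOWLEDGE_BASE[b.kind]["pre"], b)
            if post & pre:
                edges[a.id].append(b.id)
    return edges


def attack_paths(alerts, edges):
    """Every root-to-leaf path of the DAG, as a list of hyperalert kinds."""
    by_id = {a.id: a for a in alerts}
    has_parent = {t for succ in edges.values() for t in succ}
    paths = []

    def walk(node, trail):
        trail = trail + [node]
        if not edges[node]:
            paths.append([by_id[i].kind for i in trail])
        for nxt in edges[node]:
            walk(nxt, trail)

    for root in sorted(i for i in edges if i not in has_parent):
        walk(root, [])
    return paths


def to_dot(alerts, edges):
    """Graphviz DOT text for the result display module."""
    lines = ["digraph hyperalerts {"]
    for a in alerts:
        lines.append(f'  {a.id} [label="{a.kind}\\n{a.src} -> {a.dst}"];')
    for src, succ in edges.items():
        lines.extend(f"  {src} -> {dst};" for dst in succ)
    lines.append("}")
    return "\n".join(lines)


if __name__ == "__main__":
    edges = correlate(ALERTS)
    for path in attack_paths(ALERTS, edges):
        print(" -> ".join(path))
    print(to_dot(ALERTS, edges))
```

The isolated alert on 10.0.0.9 and the dangling probe of 10.0.0.7 each come out as their own short path, which is the practical payoff: the administrator sees one five-stage DDoS chain instead of eight unrelated alerts, and the leftovers are visibly incomplete rather than mixed into the scenario.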
Keywords/Search Tags: Intrusion Detection, Semi-supervised Learning, Alert Correlation Technique, Causal Correlation, Attack Path Restoring