
Design And Implementation Of Threat Awareness And Assessment Based On Multi-device Alerts

Posted on: 2022-05-05
Degree: Master
Type: Thesis
Country: China
Candidate: X Y Wei
Full Text: PDF
GTID: 2518306332967909
Subject: Software engineering

Abstract/Summary:
With the rapid development of Internet technology, the Internet has become a necessary part of society. While continuous technological advancement has changed much in people's lives, it has also brought many problems, which has drawn ever more attention to network security. To safeguard network security, a variety of security devices are used to detect threats in the network. The data generated by these devices can be used to detect security threats, assess the threat situation, and predict threats. However, most researchers have focused on the analysis and processing of individual alerts, so the associations and correlations between data cannot be used effectively, and the resulting assessments do not appropriately reflect the current security threat situation. Likewise, the methods commonly used to analyze alerts focus either on processing efficiency or on more rational results, rarely on both.

Building on network threat awareness technology, this paper proposes a threat awareness and threat assessment technique based on multi-device alert information. Using the alert logs of a variety of security devices, awareness and assessment of both the internal and the external threats to the system can be achieved. The research objectives of this paper are: to improve the threat awareness method based on IDS alerts; to study a threat assessment method that uses the security data generated by multiple security devices; and to design and implement a threat awareness and assessment system based on the above research.

This paper studies the key technologies in cyber threat awareness and assessment, mainly covering the following contents. First, the alert-based threat awareness method, which uses alert aggregation, association analysis and pattern matching. For alert aggregation, an aggregation method based on alert text similarity is proposed. For association analysis, an attack pattern is constructed through association analysis of the aggregated alerts, and an attack phase judgment method based on matching and searching is proposed. The paper then elaborates the multi-device threat assessment method, which defines an assessment scheme that reflects external attack threats through alerts and internal risk through vulnerabilities and open ports. Based on the above threat awareness and assessment methods, the design and implementation of the threat awareness and assessment system is described. The system uses IDS alerts as its front-end data and combines alert analysis, vulnerability scanning, port scanning and crawler technology to perceive and evaluate threats; a defense implementation module provides adaptive active defense. Experimental results show that, through the aggregation and matching methods used in threat awareness, the system achieves higher efficiency and better accuracy, can identify the type and phase of the current attack, and produces threat assessment data that adapts to the threats observed.
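The abstract names three building blocks without showing them: aggregation of alerts by text similarity, attack phase judgment by matching, and an assessment that combines external alert evidence with internal exposure (vulnerabilities and open ports). The following Python is an added illustration of that pipeline written for this page; it is not the thesis author's code, and the sample alerts, the host exposure data, the Jaccard-over-tokens similarity measure, the 0.6 threshold, the phase keyword table and the scoring weights are all constructed assumptions chosen to make the mechanics visible.

```python
"""Illustrative alert aggregation, phase judgment and two-sided threat scoring.

Added example for this page, not the thesis's implementation. All inputs below
are constructed; the similarity measure, thresholds and weights are assumptions.
"""
import re

# Constructed sample IDS alerts (same attacker/target pairs repeated with
# slightly different messages, as a real IDS would emit them).
SAMPLE_ALERTS = [
    {"ts": 1, "src": "10.0.0.5", "dst": "192.168.1.10", "msg": "ET SCAN Nmap TCP port scan detected"},
    {"ts": 2, "src": "10.0.0.5", "dst": "192.168.1.10", "msg": "ET SCAN Nmap TCP port scan detected"},
    {"ts": 3, "src": "10.0.0.5", "dst": "192.168.1.10", "msg": "ET SCAN Nmap SYN port scan detected"},
    {"ts": 4, "src": "10.0.0.7", "dst": "192.168.1.20", "msg": "ET WEB_SERVER SQL injection attempt in URI"},
    {"ts": 5, "src": "10.0.0.7", "dst": "192.168.1.20", "msg": "ET WEB_SERVER SQL injection attempt in POST body"},
]

# Constructed internal exposure data per host: open ports and vulnerability
# severities (CVSS-style numbers). Vulnerability ids are placeholders, not CVEs.
HOST_EXPOSURE = {
    "192.168.1.10": {"open_ports": [22, 80, 445], "vulns": {"VULN-PLACEHOLDER-A": 9.8}},
    "192.168.1.20": {"open_ports": [80], "vulns": {"VULN-PLACEHOLDER-B": 7.5}},
}

# Assumed phase table: keyword found in the alert text -> (phase, weight).
# Order matters: the first matching keyword decides the phase.
PHASE_PATTERNS = [
    ("scan", ("reconnaissance", 1.0)),
    ("injection", ("exploitation", 3.0)),
    ("shell", ("post-exploitation", 5.0)),
]


def tokens(msg):
    """Lower-cased word tokens of an alert message, as a set."""
    return set(re.findall(r"[a-z0-9_]+", msg.lower()))


def jaccard(a, b):
    """Jaccard similarity of two token sets (1.0 when both are empty)."""
    if not a and not b:
        return 1.0
    return len(a & b) / len(a | b)


def aggregate(alerts, threshold=0.6):
    """Greedy single-pass aggregation: an alert joins the first cluster with the
    same (src, dst) pair whose representative message is similar enough,
    otherwise it starts a new cluster. Returns clusters in first-seen order."""
    clusters = []
    for alert in alerts:
        toks = tokens(alert["msg"])
        for c in clusters:
            same_pair = (c["src"], c["dst"]) == (alert["src"], alert["dst"])
            if same_pair and jaccard(c["tokens"], toks) >= threshold:
                c["count"] += 1
                c["last_ts"] = alert["ts"]
                break
        else:
            clusters.append({
                "src": alert["src"], "dst": alert["dst"], "msg": alert["msg"],
                "tokens": toks, "count": 1,
                "first_ts": alert["ts"], "last_ts": alert["ts"],
            })
    return clusters


def judge_phase(msg):
    """Attack phase by keyword matching against the assumed phase table."""
    t = tokens(msg)
    for keyword, phase in PHASE_PATTERNS:
        if keyword in t:
            return phase
    return ("unknown", 0.5)


def assess(clusters, exposure):
    """Per-host score: the external part sums phase weight x alert count over
    clusters targeting the host; the internal part adds 0.5 per open port plus
    the vulnerability severities (weights are assumptions)."""
    report = {}
    hosts = set(exposure) | {c["dst"] for c in clusters}
    for host in hosts:
        external, phases = 0.0, set()
        for c in clusters:
            if c["dst"] == host:
                name, weight = judge_phase(c["msg"])
                phases.add(name)
                external += weight * c["count"]
        exp = exposure.get(host, {"open_ports": [], "vulns": {}})
        internal = 0.5 * len(exp["open_ports"]) + sum(exp["vulns"].values())
        report[host] = {"external": external, "internal": internal,
                        "total": external + internal, "phases": sorted(phases)}
    return report


if __name__ == "__main__":
    found = aggregate(SAMPLE_ALERTS)
    for c in found:
        print(f"{c['count']}x {c['src']} -> {c['dst']}: {c['msg']} [{judge_phase(c['msg'])[0]}]")
    for host, r in sorted(assess(found, HOST_EXPOSURE).items(), key=lambda kv: -kv[1]["total"]):
        print(host, r)
```

With the constructed input, the five alerts collapse into two clusters (three scan alerts, two injection alerts). The scanned host ends up with the higher total only because of its internal exposure (three open ports and a 9.8 vulnerability), which is exactly the point of scoring the internal side separately from the alert stream: a host under a light reconnaissance scan but carrying a critical unpatched service can outrank one under active exploitation attempts.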
Keywords/Search Tags: threat awareness, IDS alert, threat assessment, aggregation and association analysis