Information technology has become an indispensable part of social production. The continuous development and spread of networks has also made information security problems increasingly serious, and intrusion techniques are becoming more complex and covert. In recent years many security defense and control technologies have emerged to keep networks running stably. Because of the limitations of intrusion detection systems and other practical factors, a large number of redundant alarms are generated in real network systems. In addition, network security events are generally large-scale, coordinated and multi-stage, and existing techniques cannot fully mine the correlations between alarms, which leaves attack scenario identification incomplete. For these reasons, this thesis considers both the diversity of network alarm data and the complexity of the relationships between alarms, and combines the strengths of clustering and deep learning to study the aggregation and association analysis of network alarm data, in order to provide a basis for network security assessment, eliminate redundant alarm data more effectively, and identify attack scenarios through association analysis. The main research work is as follows:

(1) A hierarchical model for network alarm data aggregation and intelligent association analysis is designed. It addresses two problems of Intrusion Detection Systems (IDS): redundant alarms, and association analysis that depends on subjective expert judgement, which makes the association analysis system hard to maintain and the security assessment incomplete. The model defines the basic processing flow for network alarm data, combines hierarchical clustering with a Graph Neural Network (GNN) to process the alarm data, makes full use of the redundancy and complementarity among alarms, and makes the handling of association analysis results more intelligent and efficient. Finally, a prototype system is designed and implemented to verify the availability and effectiveness of the proposed model.

(2) Real alarms in a network system are usually buried in a large number of unclassified, unverified and misleading false alarms. To obtain simplified and effective data and improve the working efficiency of the IDS, an alarm aggregation method based on improved hierarchical clustering is proposed. First, the method distinguishes nominal attributes from numerical attributes. Second, on the basis of the hierarchical clustering algorithm, the similarity between alarms is computed with a mixed measure that combines the increment of the Error Sum of Squares (ESS) with the Jensen-Shannon divergence (JS). Finally, alarms with high similarity are merged, yielding simplified data. Experimental results show that, compared with other clustering algorithms and similar alarm aggregation methods, the proposed method reduces the information loss rate, improves the alarm simplification rate, and effectively reduces redundant data.

(3) As network structures and intrusion techniques become more complex, traditional association analysis methods lack objectivity and find it increasingly difficult to discover new attack scenarios. A GNN-based alarm association analysis method is therefore proposed. First, causal association analysis is used to construct known attack scenarios and generate attack graphs. Then a GNN model that learns from the attack graphs is built, and the Sparrow Search Algorithm (SSA) is used to tune the model parameters automatically. Experimental results show that SSA finds the optimal solution faster than other parameter optimization algorithms. Compared with similar methods, the proposed method effectively learns the attack graph structure, improves the accuracy of attack scenario identification, and reduces the false positive rate.
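The aggregation step in (2), as an added worked example that is not the thesis's own code. It assumes a concrete form of the mixed similarity: Ward's ESS increment (the growth in within-cluster error sum of squares if two clusters were merged) computed on min-max normalized numerical attributes, the base-2 JS divergence (bounded in [0, 1]) averaged over the value distributions of the nominal attributes, and the two blended with an assumed weight `alpha`. The merge threshold, the attribute names and the sample alerts are constructed for the example.

```python
import math
from collections import Counter
from itertools import combinations

NUMERIC = ("pkt_count", "duration")                      # assumed numerical attributes
NOMINAL = ("src_ip", "dst_ip", "signature", "proto")     # assumed nominal attributes

# Constructed sample alerts (not real IDS output): four repeated port-scan alarms and
# two repeated SQLi alarms are the redundancy the method should collapse.
ALERTS = [
    {"src_ip": "10.0.0.5", "dst_ip": "10.0.1.20", "signature": "PORTSCAN", "proto": "TCP", "pkt_count": 100, "duration": 2.0},
    {"src_ip": "10.0.0.5", "dst_ip": "10.0.1.20", "signature": "PORTSCAN", "proto": "TCP", "pkt_count": 110, "duration": 2.1},
    {"src_ip": "10.0.0.5", "dst_ip": "10.0.1.20", "signature": "PORTSCAN", "proto": "TCP", "pkt_count": 95, "duration": 1.9},
    {"src_ip": "10.0.0.5", "dst_ip": "10.0.1.20", "signature": "PORTSCAN", "proto": "TCP", "pkt_count": 105, "duration": 2.0},
    {"src_ip": "10.0.0.7", "dst_ip": "10.0.1.30", "signature": "SQLI", "proto": "TCP", "pkt_count": 3, "duration": 0.1},
    {"src_ip": "10.0.0.7", "dst_ip": "10.0.1.30", "signature": "SQLI", "proto": "TCP", "pkt_count": 4, "duration": 0.1},
    {"src_ip": "10.0.0.9", "dst_ip": "10.0.1.40", "signature": "DNS_TUNNEL", "proto": "UDP", "pkt_count": 500, "duration": 60.0},
]


def _normalize(alerts):
    """Min-max scale each numerical attribute to [0, 1] so the ESS increment is bounded."""
    cols = {f: [a[f] for a in alerts] for f in NUMERIC}
    lo = {f: min(v) for f, v in cols.items()}
    hi = {f: max(v) for f, v in cols.items()}
    return [[(a[f] - lo[f]) / (hi[f] - lo[f]) if hi[f] > lo[f] else 0.0 for f in NUMERIC]
            for a in alerts]


def _js_divergence(p, q):
    """Base-2 Jensen-Shannon divergence between two value-frequency Counters of one
    nominal attribute; 0 for identical distributions, 1 for disjoint ones."""
    tp, tq = sum(p.values()), sum(q.values())
    js = 0.0
    for k in set(p) | set(q):
        pk, qk = p[k] / tp, q[k] / tq
        m = 0.5 * (pk + qk)
        if pk:
            js += 0.5 * pk * math.log2(pk / m)
        if qk:
            js += 0.5 * qk * math.log2(qk / m)
    return js


class Cluster:
    def __init__(self, members, vec_sum, nominal):
        self.members = members      # indices into the alert list
        self.vec_sum = vec_sum      # per-attribute sums of the normalized numerics
        self.nominal = nominal      # attribute -> Counter of observed values

    @classmethod
    def singleton(cls, idx, vec, alert):
        return cls([idx], list(vec), {f: Counter([alert[f]]) for f in NOMINAL})

    def mean(self):
        n = len(self.members)
        return [s / n for s in self.vec_sum]

    def merge(self, other):
        return Cluster(self.members + other.members,
                       [x + y for x, y in zip(self.vec_sum, other.vec_sum)],
                       {f: self.nominal[f] + other.nominal[f] for f in NOMINAL})


def mixed_distance(a, b, alpha=0.5):
    """Ward ESS increment on numerics blended with mean JS divergence on nominals."""
    na, nb = len(a.members), len(b.members)
    ess_inc = na * nb / (na + nb) * sum((x - y) ** 2 for x, y in zip(a.mean(), b.mean()))
    js = sum(_js_divergence(a.nominal[f], b.nominal[f]) for f in NOMINAL) / len(NOMINAL)
    return alpha * ess_inc + (1 - alpha) * js


def aggregate(alerts, threshold=0.3, alpha=0.5):
    """Agglomerative clustering: merge the closest pair until it exceeds `threshold`."""
    rows = _normalize(alerts)
    clusters = [Cluster.singleton(i, rows[i], alerts[i]) for i in range(len(alerts))]
    while len(clusters) > 1:
        (i, j), d = min(
            (((p, q), mixed_distance(clusters[p], clusters[q], alpha))
             for p, q in combinations(range(len(clusters)), 2)),
            key=lambda item: item[1])
        if d > threshold:
            break
        merged = clusters[i].merge(clusters[j])
        clusters = [c for k, c in enumerate(clusters) if k not in (i, j)] + [merged]
    return clusters


def representative(cluster, alerts):
    """Collapse a cluster into one hyper-alert: modal nominals, mean numerics, count."""
    rep = {f: cluster.nominal[f].most_common(1)[0][0] for f in NOMINAL}
    for f in NUMERIC:
        rep[f] = sum(alerts[i][f] for i in cluster.members) / len(cluster.members)
    rep["count"] = len(cluster.members)
    return rep


def simplification_rate(n_in, n_out):
    """Fraction of raw alarms removed by aggregation."""
    return 1 - n_out / n_in


if __name__ == "__main__":
    found = aggregate(ALERTS)
    for c in found:
        print(representative(c, ALERTS))
    print("simplification rate:", simplification_rate(len(ALERTS), len(found)))
```

With these constructed alarms the seven inputs collapse to three hyper-alerts (4 port-scan, 2 SQLi, 1 DNS tunnel), a simplification rate of 4/7. The JS term keeps alarms with different source, destination or signature apart even when their numeric attributes are close, which is what prevents the aggregation from merging unrelated events and losing information.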
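The attack-graph construction in (3), as an added example that is not the thesis's own code. It assumes causal association is done with prerequisite/consequence matching: an edge is drawn from hyper-alert a to hyper-alert b when a consequence predicate of a, instantiated with a's addresses, equals a prerequisite predicate of b and a precedes b within a time window. The knowledge base, the window, the hyper-alerts and the one-hot node features handed to a GNN are all constructed for the example.

```python
from collections import defaultdict

# Hypothetical prerequisite/consequence knowledge base (an assumption of this example).
# Each entry is (prerequisites, consequences); a predicate argument names the alert
# field whose value instantiates it.
KNOWLEDGE_BASE = {
    "PORTSCAN":    (set(), {"KnowsOpenPorts(dst)"}),
    "EXPLOIT_SMB": ({"KnowsOpenPorts(dst)"}, {"CompromisedHost(dst)"}),
    "SQLI":        ({"KnowsOpenPorts(dst)"}, {"CompromisedHost(dst)"}),
    "C2_BEACON":   ({"CompromisedHost(src)"}, {"C2Channel(src)"}),
}
WINDOW = 3600  # seconds: a consequence must precede a prerequisite by at most this

# Constructed hyper-alerts (as produced by aggregation). Alert 4 has no earlier scan
# of its target, so it must end up as a scenario of its own.
HYPER_ALERTS = [
    {"id": 1, "signature": "PORTSCAN",    "src": "10.0.0.5",  "dst": "10.0.1.20",    "t": 100},
    {"id": 2, "signature": "EXPLOIT_SMB", "src": "10.0.0.5",  "dst": "10.0.1.20",    "t": 160},
    {"id": 3, "signature": "C2_BEACON",   "src": "10.0.1.20", "dst": "198.51.100.9", "t": 300},
    {"id": 4, "signature": "SQLI",        "src": "10.0.0.7",  "dst": "10.0.1.30",    "t": 200},
]


def instantiate(template, alert):
    """'KnowsOpenPorts(dst)' with dst=10.0.1.20 -> 'KnowsOpenPorts(10.0.1.20)'."""
    name, arg = template[:-1].split("(")
    return f"{name}({alert[arg]})"


def build_attack_graph(hyper_alerts):
    """Causal association: edge a->b when a consequence of a matches a prerequisite
    of b and a happened before b within WINDOW seconds."""
    produced = defaultdict(list)     # instantiated consequence -> [(time, alert id)]
    edges = set()
    for b in sorted(hyper_alerts, key=lambda h: h["t"]):
        prereqs, conseqs = KNOWLEDGE_BASE[b["signature"]]
        for p in prereqs:
            for t_a, a_id in produced[instantiate(p, b)]:
                if 0 < b["t"] - t_a <= WINDOW:
                    edges.add((a_id, b["id"]))
        for c in conseqs:
            produced[instantiate(c, b)].append((b["t"], b["id"]))
    return edges


def scenarios(hyper_alerts, edges):
    """Weakly connected components of the attack graph; each is one candidate scenario."""
    parent = {h["id"]: h["id"] for h in hyper_alerts}

    def find(x):
        while parent[x] != x:
            parent[x] = parent[parent[x]]
            x = parent[x]
        return x

    for a, b in edges:
        parent[find(a)] = find(b)
    groups = defaultdict(list)
    for h in hyper_alerts:
        groups[find(h["id"])].append(h["id"])
    return sorted(sorted(g) for g in groups.values())


def gnn_input(hyper_alerts, edges):
    """Adjacency matrix plus one-hot signature features, the inputs a GNN layer consumes."""
    ids = [h["id"] for h in hyper_alerts]
    pos = {i: k for k, i in enumerate(ids)}
    sigs = sorted(KNOWLEDGE_BASE)
    adj = [[0] * len(ids) for _ in ids]
    for a, b in edges:
        adj[pos[a]][pos[b]] = 1
    feats = [[1 if h["signature"] == s else 0 for s in sigs] for h in hyper_alerts]
    return adj, feats


if __name__ == "__main__":
    e = build_attack_graph(HYPER_ALERTS)
    print("edges:", sorted(e))
    print("scenarios:", scenarios(HYPER_ALERTS, e))
```

The scan, exploit and beacon chain into one scenario (1 -> 2 -> 3) because each step's consequence is the next step's prerequisite on the same host, while the SQLi alarm stays isolated. The adjacency matrix and feature matrix returned by `gnn_input` are the graph representation a GNN would be trained on; the GNN and the SSA parameter search described in (3) are not reproduced here.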