With the continuous growth of malicious network attacks and intrusion behaviour, and with the ever-expanding scale and complexity of modern network systems, the number of security events generated by the various security devices deployed to protect network assets has increased rapidly. Traditional log analysis, which relies on manual review, has become a time-consuming and error-prone task, and it is increasingly unacceptable to organizations that urgently need to manage network assets and monitor network attacks in real time. On the other hand, traditional security controls such as firewalls, intrusion detection systems, intrusion prevention systems and honeypots, with the deepening of related research and the introduction of a new generation of commercial products, can protect sensitive information and equipment within their respective areas of concern, but no single device allows a security analyst to grasp the security situation of the whole system in real time. An integrated solution is therefore needed that connects the security devices, centrally manages the security logs each of them generates, and combines the strengths of the different devices to help security analysts assess the current state of the network and detect malicious activity in it.

This thesis focuses on the security information and event management (SIEM) system and studies the composition and principles of SIEM systems in depth. The specific research directions are network security event analysis and security data visualization. In the direction of network security event analysis, the thesis studies the composition and event-processing flow of a SIEM system and concentrates on its core, the event correlation engine and its correlation analysis techniques. Using OSSIM, the open-source SIEM software, the functional modules and design principles of SIEM software are analysed, and the correlation analysis algorithms used by the correlation engine are compared. In the direction of security data visualization, the thesis addresses a shortcoming of the event management a SIEM system provides: from a SIEM alarm alone, a security analyst cannot see the network state that triggered the alarm rule or detailed information about the network entities involved. The thesis therefore designs an OSSIM-based network security knowledge graph that helps network administrators intuitively grasp an overview of the complete attack chain in real time when a network attack occurs and trace the causes behind the incident, thereby significantly improving the real-time and effective monitoring capability of the SIEM system.
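As an added illustration of the two research directions named above, event correlation and the attack-chain knowledge graph, the following Python example is not code from the thesis or from OSSIM. It implements a simplified multi-stage correlation directive in the style OSSIM uses (ordered stages, a time window per stage, a pivot that ties each stage to the previous one, and a reliability score that grows as more stages fire) over constructed, already-normalized events, and then builds a small attack-chain graph from the events that the alarm matched. The event field names, the directive format, the event types and the reliability values are assumptions of this example.

```python
"""Toy SIEM correlation directive plus attack-chain graph (constructed example)."""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed, normalized events, i.e. what a SIEM holds after parsing device logs.
# Field names (ts, type, src, dst) are assumptions for this example, not OSSIM's schema.
EVENTS = [
    {"ts": "2024-05-01 10:00:01", "type": "ssh_auth_fail", "src": "203.0.113.5", "dst": "10.0.0.7"},
    {"ts": "2024-05-01 10:00:03", "type": "ssh_auth_fail", "src": "203.0.113.5", "dst": "10.0.0.7"},
    {"ts": "2024-05-01 10:00:04", "type": "ssh_auth_fail", "src": "203.0.113.5", "dst": "10.0.0.7"},
    {"ts": "2024-05-01 10:00:05", "type": "ssh_auth_fail", "src": "203.0.113.5", "dst": "10.0.0.7"},
    {"ts": "2024-05-01 10:00:06", "type": "ssh_auth_fail", "src": "203.0.113.5", "dst": "10.0.0.7"},
    {"ts": "2024-05-01 10:00:40", "type": "ssh_auth_ok",   "src": "203.0.113.5", "dst": "10.0.0.7"},
    {"ts": "2024-05-01 10:02:10", "type": "outbound_conn", "src": "10.0.0.7",    "dst": "198.51.100.9"},
    # Noise: a single failure from another source with no follow-up.
    {"ts": "2024-05-01 10:01:00", "type": "ssh_auth_fail", "src": "192.0.2.44",  "dst": "10.0.0.8"},
]

# A directive is an ordered list of stages. Each stage names the event type it matches,
# how many occurrences it needs, the window (seconds) after the previous stage in which
# they must arrive, how the event is pivoted to the previous stage, and the reliability
# the alarm reaches once the stage fires. Values are assumptions for this example.
DIRECTIVE = {
    "name": "SSH brute force, successful login, then outbound connection",
    "stages": [
        {"type": "ssh_auth_fail", "count": 5, "window": 60,  "pivot": None,              "reliability": 3},
        {"type": "ssh_auth_ok",   "count": 1, "window": 120, "pivot": "same_src_dst",    "reliability": 6},
        {"type": "outbound_conn", "count": 1, "window": 300, "pivot": "dst_becomes_src", "reliability": 9},
    ],
}


def _parse(ts):
    return datetime.strptime(ts, "%Y-%m-%d %H:%M:%S")


def _pivot_ok(rule, ev, prev):
    """Does event `ev` continue the chain started by `prev` under the stage's pivot rule?"""
    if rule is None:
        return True
    if rule == "same_src_dst":
        return ev["src"] == prev["src"] and ev["dst"] == prev["dst"]
    if rule == "dst_becomes_src":   # the compromised host now acts as source
        return ev["src"] == prev["dst"]
    raise ValueError(f"unknown pivot rule {rule!r}")


def correlate(events, directive):
    """Run one directive over the events; return a list of alarms (at most one per src/dst pair)."""
    events = sorted(events, key=lambda e: _parse(e["ts"]))
    first = directive["stages"][0]
    groups = defaultdict(list)                      # stage-1 candidates keyed by (src, dst)
    for ev in events:
        if ev["type"] == first["type"]:
            groups[(ev["src"], ev["dst"])].append(ev)
    alarms = []
    for evs in groups.values():
        for i in range(len(evs) - first["count"] + 1):     # sliding window over stage-1 hits
            chunk = evs[i:i + first["count"]]
            if (_parse(chunk[-1]["ts"]) - _parse(chunk[0]["ts"])).total_seconds() > first["window"]:
                continue
            matched, last, stages_done = list(chunk), chunk[-1], 1
            reliability, deadline = first["reliability"], _parse(last["ts"])
            for stage in directive["stages"][1:]:
                hits = [e for e in events
                        if e["type"] == stage["type"] and _pivot_ok(stage["pivot"], e, last)
                        and deadline < _parse(e["ts"]) <= deadline + timedelta(seconds=stage["window"])]
                if len(hits) < stage["count"]:
                    break                               # chain stops here; alarm keeps lower reliability
                matched.extend(hits[:stage["count"]])
                last, stages_done = hits[stage["count"] - 1], stages_done + 1
                reliability, deadline = stage["reliability"], _parse(last["ts"])
            alarms.append({"directive": directive["name"], "reliability": reliability,
                           "stages_matched": stages_done, "events": matched})
            break
    return alarms


def attack_chain_graph(alarm):
    """Knowledge-graph view of an alarm: hosts as nodes, one counted edge per (src, type, dst)."""
    nodes, counted = set(), defaultdict(int)
    for ev in alarm["events"]:
        nodes.update([ev["src"], ev["dst"]])
        counted[(ev["src"], ev["type"], ev["dst"])] += 1
    return {"nodes": sorted(nodes),
            "edges": [(s, t, d, n) for (s, t, d), n in counted.items()]}


def attack_path(alarm):
    """Ordered host path through the chain, e.g. attacker -> victim -> external destination."""
    path = []
    for ev in alarm["events"]:
        for host in (ev["src"], ev["dst"]):
            if host not in path:
                path.append(host)
    return path


if __name__ == "__main__":
    for alarm in correlate(EVENTS, DIRECTIVE):
        print(alarm["directive"], "reliability", alarm["reliability"],
              "stages", alarm["stages_matched"])
        print("path:", " -> ".join(attack_path(alarm)))
        for edge in attack_chain_graph(alarm)["edges"]:
            print("  %s --%s (x%d)--> %s" % (edge[0], edge[1], edge[3], edge[2]))
```

The point of the graph functions is the gap the thesis names: the alarm by itself only says which directive fired, whereas the graph exposes the hosts and the ordered relations between them, so the analyst can see the brute force, the successful login and the follow-on outbound connection as one chain. Dropping the final event from `EVENTS` still yields an alarm, but with two stages matched and the lower reliability of 6, which is how a partially completed chain is surfaced.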