Multi-Devices Correlation Algorithm in Large Scale Security Analysis Platform

Master's thesis === National Cheng Kung University === Department of Engineering Science (professional program) === academic year 97 (ROC calendar, 2008) === Current IDSs are based on signature matching. A signature-based IDS cannot detect a novel or unknown attack for which it has no corresponding signature. Many anomaly-detection techniques based on intelligent methods have been proposed to address this, but these anomaly-detection algorithms still suffer from a large number of false positives, because normal profiles are difficult to define. We propose three multi-device correlation algorithms to improve the security of an enterprise that has a signature-based IDS deployed. The first, the IDS-Proxy Correlation 1 (IPC1) algorithm, correlates IDS alert logs with proxy server logs to give experts more information; a second IDS-proxy correlation, the IPC2 algorithm, is proposed to verify the effectiveness and correctness of the enterprise security policy. The second algorithm, based on IDS-firewall correlation, can trace the source of a network security incident and verify the correctness of the firewall policy. The IDS-router correlation is our third proposed algorithm, which aims at the correctness of the router's ACL (Access Control List). Our test results show that the IDS-proxy correlation algorithm focuses attention on some malicious web sites. Our tests, based on polymorphic, backdoor, Trojan, e-mail server and web server attacks, show the IDS-firewall and IDS-router correlations to be useful. From these experiments, we believe that these three algorithms can be applied to a large-scale security analysis platform.

Bibliographic Details

Main Authors: Chung-Cheng Lee, 李崇誠
Other Authors: Yueh-Min Huang, 黃悅民
Title (Chinese): 多設備關連演算法在大型安全分析平台
Format: Thesis (學位論文), 61 pages
Language: zh-TW
Published: 2009
Online Access: http://ndltd.ncl.edu.tw/handle/55123795563899309386
Record ID: ndltd-TW-097NCKU5028102
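The three correlations the abstract describes, as an added illustration: this is not the thesis's IPC1/IPC2 code, and the log layouts, field names, the 5-second matching window and every sample record are constructed assumptions. An IDS alert is enriched with the URLs the same client fetched around the alert time (IDS-proxy), checked against the firewall's verdict on the same src/dst/port flow (IDS-firewall), and evaluated against a first-match router ACL (IDS-router).

```python
"""Toy multi-device correlation of IDS alerts with proxy, firewall and router
ACL data.  Added illustration, not the thesis's algorithms; all formats,
field names and records below are constructed."""
import ipaddress
from collections import Counter
from datetime import datetime, timedelta

# --- constructed sample records; all devices share one (synchronised) clock --
IDS_ALERTS = [
    {"ts": "2009-03-01T10:00:05", "sig": "TROJAN beacon (sample)",
     "src": "10.1.1.20", "dst": "203.0.113.7", "dport": 80},
    {"ts": "2009-03-01T10:02:30", "sig": "BACKDOOR connect (sample)",
     "src": "10.1.1.20", "dst": "198.51.100.9", "dport": 8080},
    {"ts": "2009-03-01T10:05:00", "sig": "SMTP overlong command (sample)",
     "src": "192.0.2.44", "dst": "10.1.2.5", "dport": 25},
]
PROXY_LOG = [
    {"ts": "2009-03-01T10:00:04", "client": "10.1.1.20",
     "url": "http://203.0.113.7/evil/update.exe"},
    {"ts": "2009-03-01T10:02:29", "client": "10.1.1.20",
     "url": "http://198.51.100.9:8080/c2/poll"},
    {"ts": "2009-03-01T10:03:00", "client": "10.1.1.30",
     "url": "http://example.org/index.html"},
]
FIREWALL_LOG = [
    {"ts": "2009-03-01T10:00:05", "action": "ACCEPT",
     "src": "10.1.1.20", "dst": "203.0.113.7", "dport": 80},
    {"ts": "2009-03-01T10:02:30", "action": "DROP",
     "src": "10.1.1.20", "dst": "198.51.100.9", "dport": 8080},
    {"ts": "2009-03-01T10:05:00", "action": "ACCEPT",
     "src": "192.0.2.44", "dst": "10.1.2.5", "dport": 25},
]
# Router ACL (assumed layout): first match wins, implicit deny at the end.
ROUTER_ACL = [
    ("permit", "0.0.0.0/0", "10.1.2.5/32", 25),   # mail server open to all
    ("permit", "10.1.0.0/16", "0.0.0.0/0", 80),   # LAN may browse port 80
    ("deny", "0.0.0.0/0", "0.0.0.0/0", None),
]


def _within(ts_a, ts_b, window):
    """True when two ISO-8601 timestamps lie within `window` seconds."""
    delta = datetime.fromisoformat(ts_a) - datetime.fromisoformat(ts_b)
    return abs(delta) <= timedelta(seconds=window)


def correlate_with_proxy(alerts, proxy_log, window=5):
    """IDS-proxy correlation: attach the URLs the alerting client fetched
    within +/- window seconds of the alert, so the analyst sees what was
    requested rather than only a signature name and an IP pair."""
    enriched = []
    for a in alerts:
        urls = [p["url"] for p in proxy_log
                if p["client"] == a["src"] and _within(p["ts"], a["ts"], window)]
        enriched.append({**a, "urls": urls})
    return enriched


def suspect_sites(enriched):
    """Tally the web hosts that appear next to IDS alerts (host part of the
    URL, port stripped); repeat offenders are candidates for blocking."""
    hosts = Counter()
    for e in enriched:
        for url in e["urls"]:
            hosts[url.split("/")[2].split(":")[0]] += 1
    return hosts


def correlate_with_firewall(alerts, fw_log, window=5):
    """IDS-firewall correlation: look up the firewall verdict on the same
    src/dst/dport flow.  An ACCEPTed flow that still tripped the IDS marks a
    firewall rule worth tightening (policy_gap); a DROPped one was stopped."""
    out = []
    for a in alerts:
        verdict = next((f["action"] for f in fw_log
                        if (f["src"], f["dst"], f["dport"])
                        == (a["src"], a["dst"], a["dport"])
                        and _within(f["ts"], a["ts"], window)), "UNSEEN")
        out.append({**a, "fw": verdict, "policy_gap": verdict == "ACCEPT"})
    return out


def acl_decision(acl, src, dst, dport):
    """First-match evaluation of the router ACL with an implicit deny."""
    s, d = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    for action, src_net, dst_net, port in acl:
        if (s in ipaddress.ip_network(src_net)
                and d in ipaddress.ip_network(dst_net)
                and (port is None or port == dport)):
            return action
    return "deny"


def correlate_with_acl(alerts, acl):
    """IDS-router correlation: which alerted flows does the ACL let through?"""
    return [{**a, "acl": acl_decision(acl, a["src"], a["dst"], a["dport"])}
            for a in alerts]


if __name__ == "__main__":
    enriched = correlate_with_proxy(IDS_ALERTS, PROXY_LOG)
    print("suspect sites:", dict(suspect_sites(enriched)))
    for row in correlate_with_firewall(IDS_ALERTS, FIREWALL_LOG):
        print(row["sig"], "firewall:", row["fw"], "policy gap:", row["policy_gap"])
    for row in correlate_with_acl(IDS_ALERTS, ROUTER_ACL):
        print(row["sig"], "router ACL:", row["acl"])
```

Two practical caveats the toy glosses over: joining on a time window only works when the IDS, proxy and firewall clocks are synchronised (NTP), and joining on the client IP assumes no NAT or explicit-proxy hop rewrites the source address between the sensor and the device whose log you are joining against; in a real deployment the join key has to be chosen per device pair.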