Adaptive Feature-Weighted Alert Correlation System using Bayesian Network Model

Master's === National Chiayi University === Graduate Institute of Computer Science and Information Engineering === 101 === With Internet and distributed computing technology advancing continuously, cloud computing brings more convenience to people, and many companies set up their own private clouds because of the characteristics of cloud computing. Growing with the technology,...

Bibliographic Details
Main Author: 楊吉閔
Other Authors: Chih-Hung Wang
Format: Others
Language: zh-TW
Online Access: http://ndltd.ncl.edu.tw/handle/62943381943458887035
id ndltd-TW-101NCYU5392027
record_format oai_dc
spelling ndltd-TW-101NCYU53920272016-03-18T04:41:38Z http://ndltd.ncl.edu.tw/handle/62943381943458887035 Adaptive Feature-Weighted Alert Correlation System using Bayesian Network Model 使用貝式網路模型建構可調式特徵權重之警報關聯系統 楊吉閔 碩士 國立嘉義大學 資訊工程學系研究所 101 Chih-Hung Wang 王智弘 學位論文 ; thesis 0 zh-TW
collection NDLTD
language zh-TW
format Others
sources NDLTD
description Master's === National Chiayi University === Graduate Institute of Computer Science and Information Engineering === 101 ===

With Internet and distributed computing technology advancing continuously, cloud computing brings more convenience to people, and many companies set up their own private clouds because of its characteristics. As the technology grows, many new attack techniques have appeared in the cloud environment. Unlike a general server, once a cloud environment suffers malicious attacks, people or companies are put in extreme danger. Network security in the cloud is therefore important, and we propose the Adaptive Feature-Weighted Alert Correlation System using a Bayesian Network Model to defend against intruders' attacks.

Much network traffic includes malicious packets, so the intrusion detection system generates huge numbers of alerts. Analyzing this alert data is time-consuming, and it is difficult to obtain the attack steps and strategies immediately by analyzing it directly. In recent years, the research trend in this area has been toward alert correlation. By analyzing these alerts we can obtain the attacker's strategies, and then respond to and prevent the next step of the intrusion.

In this thesis we propose a new correlation method that employs a Bayesian Network to choose the features with high relevance, builds the Feature Weight Matrix (FWM), and adjusts the feature weights according to the statistics of the Bayesian Network over a period of time. According to the FWM, we choose the highly relevant features of two alert types to calculate the correlation probabilities. The correlation probability is recorded in the Alert Correlation Matrix (ACM), which is updated at each correlation. Using the information in the ACM, we can extract high-level attack strategies and build attack graphs. The administrator can recognize the attacker's strategies and react to the attack immediately.

We expect that our proposed correlation method can be implemented in the cloud environment. Facing the huge volume of network traffic, we hope that our proposed method can accurately report the network security situation in real time.
author2 Chih-Hung Wang
author 楊吉閔
title Adaptive Feature-Weighted Alert Correlation System using Bayesian Network Model
url http://ndltd.ncl.edu.tw/handle/62943381943458887035