Hierarchical Filtering Method of Alerts Based on Multi-Source Information Correlation Analysis

Xudong He, Jian Wang, Jiqiang Liu, Lei Han, Yang Yu, Shaohua Lv
DOI: 10.1109/ICCCN.2018.8487469
Published in: 2018 27th International Conference on Computer Communication and Networks (ICCCN)
Publication date: 2018-07-01
Citations: 1

Abstract

Nowadays, Internet threats are enormous and still increasing, yet the classification of the huge volume of alert messages generated in this environment is relatively monotonous. This affects the accuracy of network situation assessment and also makes it harder for security managers to handle emergencies. To deal with potential network threats effectively and provide more useful data for network situation awareness, alert filtering is needed; however, there is almost no alert filtering in existing network situation assessment and decision-making processes, or existing work filters alerts at a coarse granularity and leaves much redundant alert data. It is therefore essential to build a hierarchical filtering method to counter these threats. This paper establishes a data monitoring method that filters the original data systematically to obtain the threat grade and stores the result for reuse. First, it filters multi-source alerts based on the vulnerable resources, open ports and services of the host devices. Then it calculates the performance changes of the host devices at the time the threat occurs and filters the data again using the difference in performance entropy. Finally, it sorts the changes in performance value at the time the threat occurs. The alerts and performance data are collected in a real network environment, and comparative experimental analysis shows that the threat filtering method can effectively filter threat alerts.
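As an added illustration of the three-stage pipeline the abstract describes (this is not code from the paper and the authors' exact rules are not given in the abstract), the Python below filters constructed alerts first against a host asset inventory (open ports, the service on each port, and scanner-reported vulnerabilities), then keeps only alerts whose host shows a change in the Shannon entropy of its performance samples around the alert time, and finally ranks the survivors by the size of the performance change. The choice of CPU utilisation as the performance metric, the three-sample window, the 0.5-bit entropy threshold, and all host, alert and CVE-style identifiers are assumptions made for the example.

```python
"""
Hierarchical alert filter, illustrating the method in the abstract.
Stage 1: correlate each alert with the targeted host's assets.
Stage 2: keep alerts whose host shows a performance-entropy change.
Stage 3: rank survivors by the size of the performance change.
All hosts, alerts, CVE ids and samples below are constructed for the example.
"""
from collections import Counter
from dataclasses import dataclass
import math


@dataclass(frozen=True)
class Alert:
    alert_id: str
    src: str
    dst_host: str
    dst_port: int
    service: str   # service the alert signature refers to
    cve: str       # vulnerability the signature refers to ("" if none)
    ts: int        # time (seconds) at which the alert fired


@dataclass
class HostProfile:
    open_ports: dict   # port -> service name (from the asset inventory)
    vulnerable: set    # vulnerability ids reported by the scanner
    cpu: dict          # timestamp -> CPU utilisation sample (0-100)


def stage1_asset_filter(alerts, hosts):
    """Drop alerts that cannot apply to the targeted host: unknown host,
    closed port, service mismatch, or a vulnerability the host lacks."""
    kept = []
    for a in alerts:
        h = hosts.get(a.dst_host)
        if h is None or a.dst_port not in h.open_ports:
            continue
        if h.open_ports[a.dst_port] != a.service:
            continue
        if a.cve and a.cve not in h.vulnerable:
            continue
        kept.append(a)
    return kept


def shannon_entropy(values):
    """Entropy in bits of the empirical distribution of a sample list."""
    n = len(values)
    if n == 0:
        return 0.0
    return -sum(c / n * math.log2(c / n) for c in Counter(values).values())


def _windows(host, ts, window):
    before = [host.cpu[t] for t in range(ts - window, ts) if t in host.cpu]
    after = [host.cpu[t] for t in range(ts, ts + window) if t in host.cpu]
    return before, after


def entropy_delta(host, ts, window=3):
    """Entropy of samples at/after the alert minus entropy just before it."""
    before, after = _windows(host, ts, window)
    return shannon_entropy(after) - shannon_entropy(before)


def performance_change(host, ts, window=3):
    """Mean CPU at/after the alert minus mean CPU just before it."""
    before, after = _windows(host, ts, window)
    mean = lambda xs: sum(xs) / len(xs) if xs else 0.0
    return mean(after) - mean(before)


def stage2_entropy_filter(alerts, hosts, threshold=0.5, window=3):
    """Keep alerts whose host's performance entropy moved by >= threshold bits."""
    return [a for a in alerts
            if abs(entropy_delta(hosts[a.dst_host], a.ts, window)) >= threshold]


def stage3_rank(alerts, hosts, window=3):
    """Order surviving alerts by performance change, largest first."""
    scored = [(performance_change(hosts[a.dst_host], a.ts, window), a) for a in alerts]
    scored.sort(key=lambda p: p[0], reverse=True)
    return [(a.alert_id, round(delta, 1)) for delta, a in scored]


def hierarchical_filter(alerts, hosts):
    return stage3_rank(stage2_entropy_filter(stage1_asset_filter(alerts, hosts), hosts), hosts)


# Constructed asset inventory and performance samples (placeholder CVE ids).
HOSTS = {
    "10.0.0.5": HostProfile({22: "ssh", 80: "http"}, {"CVE-EXAMPLE-0001"},
                            {97: 10, 98: 10, 99: 10, 100: 10, 101: 60, 102: 95}),
    "10.0.0.6": HostProfile({443: "https"}, set(), {t: 20 for t in range(197, 203)}),
    "10.0.0.7": HostProfile({3306: "mysql"}, {"CVE-EXAMPLE-0002"},
                            {297: 30, 298: 30, 299: 30, 300: 30, 301: 30, 302: 80}),
}

# Constructed multi-source alerts; only A1 and A4 should survive all stages.
ALERTS = [
    Alert("A1", "198.51.100.9", "10.0.0.5", 80, "http", "CVE-EXAMPLE-0001", 100),
    Alert("A2", "198.51.100.9", "10.0.0.5", 445, "smb", "", 100),          # port closed
    Alert("A3", "198.51.100.4", "10.0.0.6", 443, "https", "", 200),        # no perf change
    Alert("A4", "198.51.100.4", "10.0.0.7", 3306, "mysql", "CVE-EXAMPLE-0002", 300),
    Alert("A5", "198.51.100.4", "10.0.0.7", 3306, "mysql", "CVE-EXAMPLE-0009", 300),  # not vulnerable
    Alert("A6", "198.51.100.4", "10.0.0.99", 80, "http", "", 300),         # unknown host
    Alert("A7", "198.51.100.9", "10.0.0.5", 22, "http", "", 100),          # service mismatch
]

if __name__ == "__main__":
    for alert_id, delta in hierarchical_filter(ALERTS, HOSTS):
        print(f"{alert_id}: CPU change {delta:+.1f}")
```

Each stage is a plain function over the previous stage's output, so a deployment can log what every stage dropped; that record is what lets an analyst check that the asset inventory and the entropy threshold are not silently discarding true positives.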