Master's and Doctoral Theses: details for etd-0110112-183807
Title page for etd-0110112-183807
Title
Correlation Study of Multi-Node Anomaly Alerts (Chinese title)
Multiple Sensor Anomaly Correlation (English title)
Department
Year, semester
Language
Degree
Number of pages
45
Author
Advisor
Convenor
Advisory Committee
Date of Exam
2011-12-28
Date of Submission
2012-01-10
Keywords
meta-log filtering, alert correlation
Statistics
This thesis has been browsed 5888 times and downloaded 392 times.
Abstract (translated from the Chinese)
An IDS detects intrusions and generates alerts to notify the administrator. As the Internet has come into widespread use, many important services are provided over the network, so attack events have increased and the number of alerts has grown substantially; administrators must spend a great deal of time on analysis before they can know the state of the network. Because many services are provided over the network, service logs have also grown substantially, and administrators likewise spend much time analyzing them to learn how the services are performing. To address the drawbacks of IDS, namely too many alerts, an excessively high false-positive rate, and the inability to detect every attack, alert correlation applies methods such as attribute similarity, predefined attack scenarios, defined relations between pairs of attack types, and verification that filters out false-positive alerts. A network attack consists of many steps, and the attack process leaves records in various alerts and logs; the logs record service details in which normal usage and attack behavior are mixed together. This study uses attribute similarity to merge logs and alerts into meta-logs and meta-alerts, filters the meta-logs using two features, and, based on the service status recorded in detail in the logs, assigns each meta-log a different valid value that marks its risk level. The meta-logs are then correlated with the meta-alerts to produce a report for the administrator.
Abstract
An IDS (Intrusion Detection System) detects intrusions and generates alerts for the administrator. As the Internet has become more and more popular, IDSs produce a large number of alerts, and administrators must spend much time analyzing them to understand the network situation. Many online services record service details in logs, and administrators likewise spend much time analyzing those logs. IDSs suffer from several limitations: the volume of alerts, the fact that most alerts are false positives, and the fact that certain attacks may not be detected by the IDS at all. To address these limitations, four alert correlation techniques are used: alert attribute similarity, predefined attack scenarios, multi-stage approaches, and verification to filter out false-positive alerts. A network attack consists of multiple steps, and each step may leave evidence in a log or be detected by the IDS. Service logs record normal and abnormal behavior in detail, while IDS alerts record a single attack step. Alerts and logs are first merged into meta-alerts and meta-logs. Second, two features are used to filter the meta-logs. Then the meta-alerts and the filtered meta-logs are correlated to produce a report for administrators.
Table of Contents
Chapter 1 Introduction (p. 1)
Section 1.1 Research background (p. 1)
Section 1.2 Problem statement and objectives (p. 3)
Chapter 2 Related work (p. 4)
Section 2.1 Aggregation (p. 4)
Section 2.2 Literature on alert correlation (p. 5)
Chapter 3 System design (p. 11)
Section 3.1 Type II data aggregation (p. 12)
Section 3.2 Type I data aggregation (p. 14)
Section 3.3 Meta-log filtering (p. 15)
Section 3.4 Correlation of meta-logs and meta-alerts (p. 17)
Chapter 4 Experiments and analysis (p. 18)
Section 4.1 Experiment 1 (p. 19)
Section 4.2 Experiment 2 (p. 22)
Section 4.3 Experiment 3 (p. 26)
Section 4.4 Supplementary experiments (p. 31)
Chapter 5 Conclusion (p. 34)
Chapter 6 References (p. 35)
References
[1] H. Elshoush and I. Osman, "Alert Correlation in Collaborative Intelligent Intrusion Detection Systems: A Survey," in Soft Computing for Information System Security, vol. 11, no. 7, October 2011, pp. 4349-4365.
[2] D. Xu and P. Ning, "Correlation Analysis of Intrusion Alerts," in R. Di Pietro and L. V. Mancini (eds.), Intrusion Detection Systems, Advances in Information Security, vol. 38, Springer, 2008, pp. 65-92.
[3] H. T. Elshoush and I. M. Osman, "Alert Correlation in Collaborative Intelligent Intrusion Detection Systems: A Survey," Applied Soft Computing (Elsevier), vol. 11, no. 7, October 2011, pp. 4349-4365.
[4] P. Kabiri and A. Ghorbani, "A Rule Based Temporal Alert Correlation System," International Journal of Network Security, 2007.
[5] S. H. Ahmadinejad and S. Jalili, "Alert Correlation Using Correlation Probability Estimation and Time Windows," in Proc. 2009 International Conference on Computer Technology and Development.
[6] F. Cuppens and A. Miege, "Alert Correlation in a Cooperative Intrusion Detection Framework," in Proc. 2002 IEEE Symposium on Security and Privacy, pp. 202-215.
[7] F. Cuppens, "Managing Alerts in a Multi-Intrusion Detection Environment," in Proc. 17th Annual Computer Security Applications Conference (ACSAC '01), pp. 22-31, 2001.
[8] F. Autrel and F. Cuppens, "Using an Intrusion Detection Alert Similarity Operator to Aggregate and Fuse Alerts," in Proc. Fourth Conference on Security and Network Architectures, pp. 312-322, 2005.
[9] A. Valdes and K. Skinner, "Probabilistic Alert Correlation," in Recent Advances in Intrusion Detection, W. Lee, L. Me, and A. Wespi (eds.), Springer, 2001, pp. 54-68.
[10] F. Valeur, G. Vigna, C. Kruegel, and R. A. Kemmerer, "A Comprehensive Approach to Intrusion Detection Alert Correlation," IEEE Transactions on Dependable and Secure Computing, vol. 1, no. 3, July-September 2004.
[11] B. Zhu and A. A. Ghorbani, "Alert Correlation for Extracting Attack Strategies," International Journal of Network Security, vol. 3, no. 3, pp. 244-258, November 2006.
[12] K. Takemori, Y. Miyake, C. Ishida, and I. Sasase, "A SOC Framework for ISP Federation and Attack Forecast by Learning Propagation Patterns," in Proc. IEEE Intelligence and Security Informatics, 2007, pp. 172-179.
[13] H. Ren, N. Stakhanova, and A. A. Ghorbani, "An Online Adaptive Approach to Alert Correlation," in Proc. 7th International Conference on Detection of Intrusions and Malware, and Vulnerability Assessment (DIMVA '10), Springer-Verlag, Berlin, Heidelberg, 2010, pp. 153-172.
[14] C. Kruegel, W. Robertson, and G. Vigna, "Using Alert Verification to Identify Successful Intrusion Attempts," Practice in Information Processing and Communication (PIK), vol. 27, no. 4, 2004, pp. 219-227.
[15] phpMyAdmin, http://www.phpmyadmin.net/home_page/index.php
[16] Status Code Definitions, http://www.w3.org/Protocols/rfc2616/rfc2616-sec10.html
[17] Nessus, http://www.tenable.com/products/nessus
[18] PMASA-2009-3, http://www.phpmyadmin.net/home_page/security/PMASA-2010-4.php
[19] PMASA-2009-4, http://www.phpmyadmin.net/home_page/security/PMASA-2010-5.php
[20] ISC Diary, "w00tw00t," http://isc.sans.edu/diary.html?storyid=900
[21] J. M. Kizza, "System Intrusion Detection and Prevention," in A Guide to Computer Network Security, pp. 273-293.
[22] IDMEF, "The Intrusion Detection Message Exchange Format," http://www.ietf.org/rfc/rfc4765.txt
Fulltext
This electronic full text is licensed only for personal, non-commercial retrieval, reading and printing for the purpose of academic research. Please comply with the Copyright Act of the Republic of China and do not reproduce, distribute, adapt, repost or broadcast it without authorization, so as not to violate the law.
Thesis access permission: user-defined release date
Available:
Campus: available
Off-campus: available


Printed copies
Public-access information for printed theses is relatively complete only from academic year 102 (2013-14) onward. To look up public-access information for printed theses from academic year 101 or earlier, please contact the printed-thesis service counter of the Office of Library and Information Services. We apologize for any inconvenience.
Available: available
