LI Hong-jiang; ZHOU Bao-qun; ZHAO Bin
Security equipment or systems such as an IDS, a firewall and an integrity checking system must be installed to protect a network. In practice, however, genuine alerts are mixed with false ones, and the volume of alerts is too large to manage by hand. This paper presents a framework for processing security events that consists of the following steps: event collection, event preprocessing, event condensation, event aggregation, attack reconstruction and result analysis. Through this process the rates of false alerts and missed alerts can be reduced to some extent. The aggregation algorithm and the attack reconstruction technique are described briefly.
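As an added illustration of the pipeline stages named above (this is not the paper's code, and the paper's own condensation, aggregation and reconstruction rules are not given in the abstract, so the rules used here are assumptions): preprocessing normalises field values, condensation collapses identical alerts raised within a time window into one record with a count, aggregation groups the condensed records by (source, destination) pair, and reconstruction matches each group's ordered signature sequence against an assumed attack pattern. The alerts, sensor names and signature names are constructed sample data.

```python
"""Condensation, aggregation and attack reconstruction over a constructed
batch of IDS/firewall alerts. Added example; the rules are assumptions,
not the paper's algorithm."""
from collections import defaultdict
from dataclasses import dataclass


@dataclass
class Alert:
    ts: int          # seconds since epoch (constructed values)
    sensor: str      # device that raised the alert, e.g. "ids" or "fw"
    sig: str         # signature / event name
    src: str
    dst: str
    count: int = 1   # how many raw alerts this record stands for


# Constructed sample input: a port scan that fires three times, a firewall
# drop, a web exploit attempt, a scan from another host, and a late scan
# that falls outside the condensation window.
RAW_ALERTS = [
    Alert(100, "IDS", "port_scan",   "10.0.0.5", "192.168.1.10"),
    Alert(101, "ids", "PORT_SCAN",   "10.0.0.5", "192.168.1.10 "),
    Alert(102, "ids", "PORT_SCAN",   "10.0.0.5", "192.168.1.10"),
    Alert(105, "fw",  "DROP",        "10.0.0.5", "192.168.1.10"),
    Alert(140, "ids", "WEB_EXPLOIT", "10.0.0.5", "192.168.1.10"),
    Alert(150, "ids", "PORT_SCAN",   "10.0.0.9", "192.168.1.20"),
    Alert(400, "ids", "PORT_SCAN",   "10.0.0.5", "192.168.1.10"),
]

# Assumed attack model: an ordered list of signatures that must appear as a
# subsequence of one (src, dst) pair's event stream.
ATTACK_PATTERNS = {
    "scan_then_exploit": ["PORT_SCAN", "WEB_EXPLOIT"],
}


def preprocess(alerts):
    """Normalise case and whitespace so identical events compare equal, then
    order by time (later stages assume chronological input)."""
    cleaned = [Alert(a.ts, a.sensor.lower(), a.sig.upper(),
                     a.src.strip(), a.dst.strip(), a.count) for a in alerts]
    return sorted(cleaned, key=lambda a: a.ts)


def condense(alerts, window=60):
    """Collapse alerts with the same (sensor, sig, src, dst) raised within
    `window` seconds of the record's first occurrence into one record."""
    condensed = []
    open_records = {}  # key -> index of the currently open record in condensed
    for a in alerts:
        key = (a.sensor, a.sig, a.src, a.dst)
        idx = open_records.get(key)
        if idx is not None and a.ts - condensed[idx].ts <= window:
            condensed[idx].count += a.count
        else:
            condensed.append(Alert(a.ts, a.sensor, a.sig, a.src, a.dst, a.count))
            open_records[key] = len(condensed) - 1
    return condensed


def aggregate(alerts):
    """Group condensed records by (src, dst) pair into time-ordered sequences."""
    groups = defaultdict(list)
    for a in alerts:
        groups[(a.src, a.dst)].append(a)
    return {k: sorted(v, key=lambda a: a.ts) for k, v in groups.items()}


def reconstruct(groups):
    """Report every (pattern, src, dst) whose signature sequence contains the
    pattern as an ordered subsequence."""
    findings = []
    for (src, dst), seq in groups.items():
        sigs = [a.sig for a in seq]
        for name, pattern in ATTACK_PATTERNS.items():
            it = iter(sigs)  # `p in it` consumes the iterator, so order matters
            if all(p in it for p in pattern):
                findings.append((name, src, dst))
    return findings


def run_pipeline(raw=RAW_ALERTS, window=60):
    """Run collection -> preprocessing -> condensation -> aggregation ->
    reconstruction and return the intermediate results for analysis."""
    condensed = condense(preprocess(raw), window)
    groups = aggregate(condensed)
    return condensed, groups, reconstruct(groups)


if __name__ == "__main__":
    condensed, groups, findings = run_pipeline()
    print(f"{len(RAW_ALERTS)} raw alerts -> {len(condensed)} condensed records")
    for f in findings:
        print("reconstructed attack:", f)
```

On the constructed input the three scan alerts at t=100..102 become one record with count 3, the scan at t=400 stays separate because it is outside the 60 s window, and only the 10.0.0.5 to 192.168.1.10 pair matches the scan-then-exploit pattern; the second scanning host produces no finding, which is the kind of low-value alert the framework aims to keep out of the analyst's view.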