Abstract:
The background of the network security information correlation technique is introduced, and the problem it is intended to solve is clarified. According to the analysis method used, this paper classifies the existing techniques into four categories: similarity-based analysis, attack-scenario-based analysis, causality-knowledge-based analysis and statistical-causality-based analysis. For each category, the basic idea and the existing techniques are introduced and analyzed, and the unsolved problems are pointed out. Directions for development and future work are also discussed.
Key words: Network security, Information analysis, Alert clustering, Alert correlation
Abstract: This paper introduces the background of network security information correlation and analysis techniques and identifies the problem these techniques solve. According to the analysis method used, the existing methods are divided into four categories: analysis based on the similarity of network security information, analysis based on attack-scenario recognition, analysis based on causal relationships among network security information, and analysis based on statistical causal relationships among network security information. For each category, the basic idea, the existing techniques and the open problems are described and analyzed, and some directions for future work are discussed.
Key words: Network security, Information analysis, Alert clustering, Alert correlation
PENG Xuena;WEN Yingyou;ZHAO Hong. A Survey on Network Security Information Correlation Techniques[J]. Computer Engineering, 2006, 32(17): 1-3.
彭雪娜; 闻英友; 赵 宏. Research Progress in Network Security Information Correlation and Analysis Techniques[J]. Computer Engineering, 2006, 32(17): 1-3.