With the rapid development of computer networks, network and host security issues have become increasingly prominent, and new attack methods emerge endlessly, so studying how to protect network security is very important. Due to the widespread use of firewalls and intrusion detection technology, network attacks have been curbed to some extent. Today, however, attacks are becoming increasingly diversified and place higher requirements on network security, and traditional passive means of defense can no longer fully meet the needs of modern network security. In this environment, active defense technology has attracted more and more attention from experts and scholars. The technical feature of active defense is that it can set bait to attract attacks. A Honeynet can analyze these attacks in order to protect real resources and to learn the purposes and methods of the attacks. The Honeynet is an effective tool for discovering and studying such malicious attacks: it can lure the intruder into attacking it, thereby protecting the real network from attack, while also monitoring and tracking the intruder's behavior. Through subsequent log analysis, the intruder's strategies and methods can be mastered in order to improve network security. How log analysis extracts useful information, and the inner relationships between data items, from a large volume of log data is particularly important for analyzing an intrusion. As an active defense device, the Honeynet produces a large number of alarms, mixed with false positives and redundant alarms. How to analyze these original alarms accurately, in real time and effectively is the difficult point of Honeynet research. This paper mainly researches alert analysis in the Honeynet. Data stream mining technology is applied to Honeynet alert analysis to meet the real-time needs of alert analysis.
The main contents of this paper include: analysis of the key data stream mining algorithms on which alert analysis is based, research on the Honeynet alert analysis model, research on the Honeynet alert analysis interface, and research on the presentation of alert analysis results. Because the Honeynet produces a large number of original alarms, and log analysis must meet real-time requirements, the time complexity and space complexity of the algorithm are strictly limited. Therefore, this paper proposes a tree structure-based algorithm for mining maximal frequent itemsets, and applies this algorithm to Honeynet log analysis, giving a Honeynet log analysis based on the MFI-WT algorithm. Experimental data show that log analysis based on this method has very good real-time performance, and that the analysis results contain high information content which can truly reflect the attack scenarios in the Honeynet.
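The following is an added illustration, not code from the paper and not the MFI-WT algorithm it proposes, of what "mining maximal frequent itemsets over honeynet alarms" means in practice. It uses a plain level-wise (Apriori-style) enumeration rather than the paper's tree structure, and the alert records are constructed sample data. Each alarm is treated as a set of attribute=value items; the maximal frequent itemsets are the largest attribute combinations that recur at least `min_support` times, so thousands of redundant alarms collapse into a few patterns that summarize an attack scenario (the assumed function names and sample values are not from the paper).

```python
from itertools import combinations
from collections import Counter

# Constructed sample honeynet alarms (not real data, not from the paper).
# Each alarm is the set of attribute=value items a sensor would emit.
SAMPLE_ALERTS = [
    {"src=10.0.0.5", "dst=192.0.2.10", "dport=22", "sig=SSH_BRUTE"},
    {"src=10.0.0.5", "dst=192.0.2.10", "dport=22", "sig=SSH_BRUTE"},
    {"src=10.0.0.5", "dst=192.0.2.10", "dport=22", "sig=SSH_BRUTE"},
    {"src=10.0.0.5", "dst=192.0.2.10", "dport=80", "sig=WEB_SCAN"},
    {"src=10.0.0.7", "dst=192.0.2.10", "dport=80", "sig=WEB_SCAN"},
    {"src=10.0.0.7", "dst=192.0.2.11", "dport=445", "sig=SMB_PROBE"},
    {"src=10.0.0.9", "dst=192.0.2.10", "dport=80", "sig=WEB_SCAN"},
]


def frequent_itemsets(alerts, min_support):
    """Level-wise enumeration of every itemset whose support (number of alarms
    containing all its items) is at least min_support.
    Returns a dict mapping frozenset -> support count."""
    supports = {}
    counts = Counter(item for alert in alerts for item in alert)
    level = {frozenset([i]): c for i, c in counts.items() if c >= min_support}
    supports.update(level)
    k = 1
    while level:
        # Join frequent k-itemsets that share k-1 items into (k+1)-candidates,
        # then prune candidates with an infrequent k-subset (anti-monotonicity).
        candidates = set()
        for a, b in combinations(sorted(level, key=sorted), 2):
            union = a | b
            if len(union) == k + 1 and all(
                frozenset(sub) in level for sub in combinations(union, k)
            ):
                candidates.add(union)
        next_level = {}
        for cand in candidates:
            support = sum(1 for alert in alerts if cand <= alert)
            if support >= min_support:
                next_level[cand] = support
        supports.update(next_level)
        level = next_level
        k += 1
    return supports


def maximal_frequent_itemsets(alerts, min_support):
    """Keep only the frequent itemsets that have no frequent proper superset.
    These are the compact 'scenario' patterns; every other frequent itemset is
    implied by one of them."""
    freq = frequent_itemsets(alerts, min_support)
    return {s: sup for s, sup in freq.items() if not any(s < t for t in freq)}


def describe_scenarios(alerts, min_support):
    """Render the maximal patterns as sorted, human-readable lines."""
    maximal = maximal_frequent_itemsets(alerts, min_support)
    return sorted(
        f"{sup}x  " + " ".join(sorted(items)) for items, sup in maximal.items()
    )


if __name__ == "__main__":
    for line in describe_scenarios(SAMPLE_ALERTS, min_support=3):
        print(line)
```

With `min_support=3` the seven sample alarms reduce to two maximal patterns: an SSH brute-force scenario (`src=10.0.0.5 dst=192.0.2.10 dport=22 sig=SSH_BRUTE`, seen 3 times) and a web-scan scenario against `192.0.2.10` port 80 that spans several sources. The pair `{src=10.0.0.5, dst=192.0.2.10}` is frequent (4 alarms) but is not reported separately because it is contained in the first maximal set. This level-wise approach rescans the whole alarm list per level, which is exactly the time and space cost that the paper's tree-based, stream-oriented algorithm is designed to avoid.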