National Preprint Platform

A General Scalable Online Alert Correlation Method

General Scalable Online Alert Correlation Method

Abstract (translated from the Chinese) / Abstract (English)

In large-scale network environments, the high-speed alert data stream generated by diverse types of network attacks places high demands on the generality, real-time performance and overhead control of alert correlation methods. Most existing research on alert correlation is based on centralized algorithm designs and cannot meet real-time requirements, while the few existing distributed alert correlation systems have not considered load balancing and overhead control in depth. To address this, this paper proposes a general scalable online alert correlation method, CACDS. CACDS uses a "dispatch-aggregate" mechanism in a distributed stream-processing environment as the basic framework for online alert correlation. On top of this framework, CACDS performs correlation analysis with a causal-logic method that loosely matches the prerequisites and consequences between alerts, so that a wide range of attack types can be detected effectively. To make full use of the resources of every node in the distributed environment, a hybrid correlation graph partitioning technique is proposed: based on the computational and system overhead caused by different alert types, alerts are mapped to different correlation processes for parallel correlation, which ensures real-time performance and low overhead. Experiments with a prototype system built on the Storm platform show that, compared with other methods, CACDS has better scalability, higher throughput and lower system overhead.

In large-scale dynamic networks, the high-speed alert dataflow generated by diverse kinds of attacks poses high demands on the generality, efficiency and overhead control of alert correlation systems. Existing alert correlation methods are mainly restricted to centralized algorithms, and the few simple algorithm parallelization methods do not consider load balancing and overhead. In this paper, we propose CACDS, a general scalable online alert correlation method. CACDS applies a "dispatch-aggregate" scheme as its online alert correlation framework, built on distributed stream processing. On the basis of this framework, CACDS employs a causal correlation method to detect diverse attack types based on loose matching of prerequisites and consequences. To provide scalable correlation, a hybrid correlation graph partition solution is proposed that assigns alerts to different servers based on the overhead the alerts cause. A prototype deployment on the Storm platform shows that CACDS has good scalability and load balancing. Moreover, CACDS has higher throughput and lower overhead than existing methods.
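The abstract names three ingredients: a causal knowledge base of prerequisites and consequences per alert type, loose matching between alerts, and a cost-aware partition of the correlation graph so that alert types are dispatched to parallel correlation workers and the partial results are aggregated. The following Python is an added illustration written for this page, not code from the paper or its Storm prototype. The knowledge base, per-type costs, the sample alerts, the "same victim host" looseness rule and the greedy partition heuristic are all constructed assumptions; the aggregator that re-correlates only "boundary" alerts (types whose causal neighbours live on another worker) is a simplification of the dispatch-aggregate idea, not the authors' mechanism.

```python
from collections import defaultdict
from dataclasses import dataclass

# Hypothetical causal knowledge base (constructed for this example):
# alert type -> (prerequisite predicates, consequence predicates)
KB = {
    "PortScan":    (set(),              {"HostReachable", "ServiceKnown"}),
    "Bruteforce":  ({"ServiceKnown"},   {"Credential"}),
    "RemoteLogin": ({"Credential"},     {"Shell"}),
    "DataExfil":   ({"Shell"},          set()),
    "DoSFlood":    ({"HostReachable"},  set()),
}
# Hypothetical relative cost of correlating one alert of each type.
COST = {"PortScan": 1, "Bruteforce": 2, "RemoteLogin": 2, "DataExfil": 3, "DoSFlood": 5}


@dataclass(frozen=True)
class Alert:
    id: int
    atype: str
    src: str
    dst: str
    ts: int  # seconds


def correlation_graph(kb):
    """Undirected edges between alert types where one type's consequences feed the other's prerequisites."""
    edges = defaultdict(set)
    for a, (_, cons_a) in kb.items():
        for b, (pre_b, _) in kb.items():
            if a != b and cons_a & pre_b:
                edges[a].add(b)
                edges[b].add(a)
    return edges


def partition_types(kb, cost, n_workers):
    """Greedy hybrid partition: heaviest types first, place on the least-loaded worker,
    with a small bonus for a worker that already hosts a causally adjacent type."""
    edges = correlation_graph(kb)
    load = [0] * n_workers
    assign = {}
    for t in sorted(kb, key=lambda t: (-cost[t], t)):
        def score(w):
            affinity = any(assign.get(nb) == w for nb in edges[t])
            return load[w] - (1 if affinity else 0)
        w = min(range(n_workers), key=lambda w: (score(w), w))
        assign[t] = w
        load[w] += cost[t]
    return assign, load


def correlate(alerts, kb, window):
    """Loose causal matching: an earlier alert's consequence appears among a later alert's
    prerequisites, the two concern the same victim host (assumed rule: same dst, or the
    later alert originates from the earlier alert's dst), and they fall within `window` seconds."""
    alerts = sorted(alerts, key=lambda a: (a.ts, a.id))
    edges = []
    for j, later in enumerate(alerts):
        pre = kb[later.atype][0]
        for earlier in alerts[:j]:
            if later.ts - earlier.ts > window:
                continue
            if not (later.dst == earlier.dst or later.src == earlier.dst):
                continue
            for p in sorted(kb[earlier.atype][1] & pre):
                edges.append((earlier.id, later.id, p))
    return edges


def dispatch_aggregate(alerts, kb, cost, n_workers, window):
    """Dispatch alerts to workers by type, correlate locally, then let the aggregator
    recover cross-worker edges from boundary alerts only (simplified scheme, not the paper's)."""
    assign, load = partition_types(kb, cost, n_workers)
    edges = correlation_graph(kb)
    buckets = defaultdict(list)
    for a in alerts:
        buckets[assign[a.atype]].append(a)
    found = set()
    for local in buckets.values():
        found.update(correlate(local, kb, window))
    boundary = [a for a in alerts
                if any(assign[nb] != assign[a.atype] for nb in edges[a.atype])]
    found.update(correlate(boundary, kb, window))
    return assign, load, sorted(found)


# Constructed sample alert stream (not real data).
SAMPLE_ALERTS = [
    Alert(1, "PortScan",    "10.0.0.5",  "10.0.0.20",   0),
    Alert(2, "Bruteforce",  "10.0.0.5",  "10.0.0.20",  30),
    Alert(3, "RemoteLogin", "10.0.0.5",  "10.0.0.20",  60),
    Alert(4, "DataExfil",   "10.0.0.20", "203.0.113.7", 90),
    Alert(5, "DoSFlood",    "10.0.0.9",  "10.0.0.20", 100),
    Alert(6, "Bruteforce",  "10.0.0.5",  "10.0.0.30",  40),
]

if __name__ == "__main__":
    assign, load, found = dispatch_aggregate(SAMPLE_ALERTS, KB, COST, 2, 120)
    print("type -> worker:", assign, "loads:", load)
    for earlier, later, pred in found:
        print(f"alert {earlier} -> alert {later} via {pred}")
```

With two workers the heavy DoSFlood type lands alone with PortScan on worker 0 while the Bruteforce/RemoteLogin/DataExfil chain stays together on worker 1 (loads 6 vs 7), so three of the four causal edges are found locally and only the PortScan-to-Bruteforce edge needs the aggregator. Alert 6 against a host that was never scanned correlates with nothing, which is the point of requiring a shared victim rather than matching predicates alone.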

马行空、王意洁、程力

Subject areas: electronic technology applications; computing technology and computer technology; communications

Keywords (Chinese): computer applications; alert correlation; causal logic; correlation graph partition; scalability; low overhead

Keywords (English): Computer Applications; alert correlation; causal-based; correlation graph partition; scalability; cost-efficient

马行空, 王意洁, 程力. A General Scalable Online Alert Correlation Method [EB/OL]. (2015-09-29) [2025-08-16]. http://www.paper.edu.cn/releasepaper/content/201509-286.
