Towards Identifying True Threat from Network Security Data

The growing deployment of network security mechanisms has brought great challenges to network security management. One most serious problem among them is that it is becoming increasingly difficult to identify the security incidents which pose true threat to the protected network system from tremendous volume of raw alerts. This paper presents our work on integrated management of network security data for true threat identification within the SATA (Security Alert and Threat Analysis) project. An algorithm for real-time threat analysis of security alerts named AlertRank is proposed in this paper and an alert aggregation algorithm is also employed. Experiments performed in a branch network of CERNET (China Education and Research Network) including an attack testing sub-network have shown that our approach can effectively identify true threats from various security alerts. ⊗ This work is patially supported by NSF Grant of China #60573120