A novel real-time aggregation method on network security events

Purpose – The purpose of this paper is to show how to ensure real-time, precise aggregation processing of network security events without parameters that are difficult to determine.

Design/methodology/approach – The aggregation method includes the choice of aggregation granularity, consistency of the abstraction layer, the expression of all hyper security events (HSEs) of a node in cache, and an aggregation algorithm based on classification, etc.

Findings – The aggregation method is capable of providing good HSEs in real time for the next correlation processing step, with weak parameters that are easy to determine.

Research limitations/implications – The cost of space is not discussed in the method.

Practical implications – The aggregation method is suitable for real-time management of the difficult issues involved in resolving massive numbers of security events.

Originality/value – Many ideas and concepts of the paper are proposed for the first time, such as the expression of all HSEs of a node in cache, weak queue length instead of the weak-time window and s...