
Paper abstract

Multistage Aggregation and Correlation for Network Alerts Based on Self-extending Time Windows

Authors: LI Hongcheng (Dept. of Info. Security, Naval Univ. of Eng., Wuhan 430033, China); WU Xiaoping (Dept. of Info. Security, Naval Univ. of Eng., Wuhan 430033, China)

Received: 2016-09-15          Year, volume(issue): pages: 2017, 49(1): 206-212

Journal name: Advanced Engineering Sciences (工程科学与技术)

Keywords (Chinese list, translated): attack detection; alert aggregation; self-extending time window; multistage division; Markov model

Keywords (English list): network security; intrusion detection; alert aggregation; time windows; multistage division

Funding: National Natural Science Foundation of China (61672531); Natural Science Foundation of Hubei Province (2015CFC867)

Chinese abstract (translated)

To address the shortcomings of traditional alert aggregation and correlation methods in rationality and accuracy, an alert aggregation method based on the idea of multistage division and an alert correlation method based on a Markov chain model are proposed. First, network alerts are described in the Intrusion Detection Message Exchange Format (IDMEF), and the temporal proximity of alerts is used to extend time windows automatically, so that alerts whose time interval is smaller than a preset threshold are placed in the same time window. Next, the alerts are divided in turn by attack type, time window, subnet mask, IP address and port, and attribute matching is used to perform subnet-level, host-level and service-level aggregation, which effectively merges the similar alerts produced when an attacker mounts attacks through the same router, zombie host or service port. On this basis, a first-order Markov chain model is used to generate an alert correlation graph whose directed edges are the conditional transition probabilities between attack types, and these transition probabilities are computed from the temporal adjacency of alerts. In the experiment, the DARPA2000 traffic data was processed with the intrusion detection system Snort in its strictest mode to obtain the set of intrusion alerts corresponding to the LLDoS1.0 attack scenario. The proposed method was used to aggregate and correlate the five alert types in this set, and parameter search was used to find the optimal interval threshold for the self-extending time windows, so that the multistage aggregation result effectively condenses the alerts and agrees with the distribution of alert source IPs and source ports. The accuracy of alert correlation was computed by comparing the correlation result against the official description of the attack scenario. Compared with the traditional method, the alert correlation accuracy of the proposed method is 97.94%, which is 2.29% higher than that of the traditional method.

English abstract

To address the shortcomings of traditional alert aggregation and correlation methods in rationality and accuracy, an aggregation method based on multistage division and a correlation method based on a Markov chain model are presented. First, the network alerts are described in the Intrusion Detection Message Exchange Format (IDMEF). If the time interval between alerts is shorter than a predefined threshold, the alerts are placed in the same time window, and the time windows extend automatically based on the temporal relationship of the alerts. Then, the alerts are divided in turn according to the attributes of attack type, time window, subnet mask, IP address and port. To aggregate the similar alerts generated by attacks that use the same router, host or port, aggregation at the subnet, host and service stages is carried out by attribute matching. On this basis, an alert correlation graph is generated with a one-step Markov chain model. In the graph, the directed edges represent the conditional transition probabilities between attack types, and the transition probabilities are calculated from the number of adjacent alerts. Finally, in the experiment, the DARPA2000 traffic data was processed by the intrusion detection system Snort configured in its strictest mode. After generating the intrusion alert set of the LLDoS1.0 attack scenario, the above aggregation and correlation methods were applied to the alerts of five types. The optimal interval threshold of the self-extending time windows was then determined by parameter optimization. In this way, the alerts were effectively reduced by the multistage aggregation, and the aggregation results agreed with the distribution of alert source IPs and source ports. Moreover, the accuracy rate of alert correlation was calculated by comparing the correlation results with the official description of LLDoS1.0. Experiments demonstrated that the accuracy rate of the proposed method was 97.94%, which was 2.29% higher than that of the traditional method.
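As an added illustration (not the paper's code), the following Python sketch shows the three mechanisms the abstract describes: a self-extending time window that keeps growing as long as each consecutive alert arrives within the interval threshold of the previous one, multistage partitioning of the windowed alerts by attack type, subnet (under a given mask), source IP and port, and a first-order Markov transition matrix estimated from temporally adjacent alerts. The alert records, attack-type labels and thresholds are constructed for the example (they are not DARPA2000 or Snort output), the flat Alert record stands in for the IDMEF fields that the paper uses, and estimating the transitions over the time-ordered host-level meta-alerts rather than over the raw alerts is this example's choice, not a detail taken from the paper.

```python
"""Self-extending time windows, multistage aggregation and a first-order
Markov correlation graph over IDS alerts.  Added illustration; all data,
type names and thresholds below are constructed."""
from collections import Counter, defaultdict
from dataclasses import dataclass
from ipaddress import ip_network
from typing import Dict, List, Tuple


@dataclass
class Alert:
    """Flat stand-in for the IDMEF fields the method needs (assumption)."""
    ts: float      # detection time, seconds
    atype: str     # attack type / signature class
    src: str       # source IP
    dst: str       # destination IP
    dport: int     # destination port (0 = not applicable)


# Constructed sample: two hosts in one /24 sweep, probe and exploit targets,
# then the compromised targets emit flood alerts.  Labels are illustrative.
SAMPLE: List[Alert] = [
    Alert(0.0, "SWEEP", "10.1.1.5", "172.16.0.10", 0),
    Alert(0.4, "SWEEP", "10.1.1.5", "172.16.0.11", 0),
    Alert(0.9, "SWEEP", "10.1.1.6", "172.16.0.12", 0),
    Alert(30.0, "PROBE", "10.1.1.5", "172.16.0.10", 111),
    Alert(30.5, "PROBE", "10.1.1.5", "172.16.0.11", 111),
    Alert(60.0, "EXPLOIT", "10.1.1.5", "172.16.0.10", 111),
    Alert(60.2, "EXPLOIT", "10.1.1.5", "172.16.0.11", 111),
    Alert(90.0, "RSH", "10.1.1.5", "172.16.0.10", 514),
    Alert(120.0, "FLOOD", "172.16.0.10", "203.0.113.9", 80),
    Alert(120.1, "FLOOD", "172.16.0.11", "203.0.113.9", 80),
    Alert(120.3, "FLOOD", "172.16.0.10", "203.0.113.9", 80),
]


def self_extending_windows(alerts: List[Alert], gap: float) -> List[List[Alert]]:
    """Partition time-ordered alerts into windows.  A window's right edge moves
    to the latest alert it absorbed, so it can grow well beyond `gap` as long
    as no two consecutive alerts are more than `gap` seconds apart."""
    windows: List[List[Alert]] = []
    for a in sorted(alerts, key=lambda x: x.ts):
        if windows and a.ts - windows[-1][-1].ts <= gap:
            windows[-1].append(a)        # extend the open window
        else:
            windows.append([a])          # gap exceeded: open a new window
    return windows


def multistage_aggregate(windows: List[List[Alert]], prefixlen: int = 24
                         ) -> Dict[str, Dict[Tuple, List[Alert]]]:
    """Divide alerts by (window, attack type) and then, at successive stages,
    by source subnet, source host and destination service.  Each key is one
    meta-alert; its value lists the raw alerts merged into it."""
    stages: Dict[str, Dict[Tuple, List[Alert]]] = {
        "subnet": defaultdict(list), "host": defaultdict(list), "service": defaultdict(list)}
    for wid, win in enumerate(windows):
        for a in win:
            net = str(ip_network(f"{a.src}/{prefixlen}", strict=False))
            stages["subnet"][(wid, a.atype, net)].append(a)
            stages["host"][(wid, a.atype, a.src)].append(a)
            stages["service"][(wid, a.atype, a.src, a.dport)].append(a)
    return {name: dict(groups) for name, groups in stages.items()}


def transition_probabilities(groups: Dict[Tuple, List[Alert]]) -> Dict[str, Dict[str, float]]:
    """First-order Markov estimate: order the meta-alerts by their earliest
    alert, count each adjacent pair (cur -> nxt) of attack types, and
    normalise rows to conditional probabilities P(nxt | cur)."""
    ordered = sorted(groups.values(), key=lambda g: g[0].ts)   # g[0] is earliest
    seq = [g[0].atype for g in ordered]
    counts: Dict[str, Counter] = defaultdict(Counter)
    for cur, nxt in zip(seq, seq[1:]):
        counts[cur][nxt] += 1
    return {cur: {nxt: n / sum(row.values()) for nxt, n in row.items()}
            for cur, row in counts.items()}


def correlation_graph(probs: Dict[str, Dict[str, float]], min_prob: float = 0.0
                      ) -> List[Tuple[str, str, float]]:
    """Directed edges (cur, nxt, probability) with weight >= min_prob."""
    return sorted((c, n, p) for c, row in probs.items()
                  for n, p in row.items() if p >= min_prob)


if __name__ == "__main__":
    wins = self_extending_windows(SAMPLE, gap=10.0)
    print("windows:", [len(w) for w in wins])
    stages = multistage_aggregate(wins, prefixlen=24)
    for name, groups in stages.items():
        print(f"{name:8s} {len(SAMPLE)} alerts -> {len(groups)} meta-alerts")
    for edge in correlation_graph(transition_probabilities(stages["host"])):
        print("edge", edge)
```

Sweeping `gap` is where the paper's parameter search comes in: too small a threshold fragments one attack step across windows, too large a threshold merges distinct steps (with `gap=1000.0` the sample collapses into a single window), and the aggregation counts at the subnet, host and service stages are the quantities one would compare against the source-IP and source-port distribution.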


