Abstract:
With the development of the network in the scale and the bandwidth, security issues have become more and more complex and the requirement for correlation technology is rapidly increased. The causal correlation is one of the most popular correlation methods, whose basis is the judgment method for relation between two alerts. In this paper, a formal description for general causal correlation is given, which presents some limitations in the conventional approaches. Then the difficulty in correlation with implied restriction is analyzed, and some cases about this restriction and solutions are discussed. Sometimes an alert occurs for the duration of time, therefore how to distinguish the order for two alerts becomes mysterious, which is the problem about time restriction. In real world one host may have several interfaces, while an interface may have several addresses, and which type of problems may result in the location restriction. In the whole history of the modern OS, the issue of the access control is an important role, and the complex relation during subject, object and privilege is the most difficult part for correlation of two alerts, which involves access control restriction. Finally, a new correlation determine algorithm for implied restriction (CDAIR) is proposed, which solves these problems for the time restriction, the location restriction and the access control restriction. Also given are the process and the result of the corresponding experiment which proves the validity of the algorithm.