Abstract

An intrusion detection system can detect network attacks dynamically by analyzing network traffic or packets. However, for complex multi-step attacks that are highly concealed and persistent, traditional intrusion detection systems generally suffer from highly redundant alert data and poor data readability, which seriously hinders security administrators from quickly identifying attack behaviors and intentions. To address these problems, this paper proposes a multi-level alert aggregation method based on software-defined security, together with linkage defense based on a Markov chain model. The method defines the reporting message format between the data-plane security components and the control-plane security controller, and automatically extends the aggregation time window by exploiting the temporal proximity of alerts. Multi-level alert aggregation is then performed by attack-attribute matching, so that similar alerts are aggregated effectively. Further, the control plane uses the Markov chain model to generate an alert association graph and obtain the transition probabilities between attack types, which are sent down to the security components for linkage defense. Experiments show that this mechanism effectively achieves multi-level alert aggregation and alert information association and linkage.
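The abstract describes two mechanisms: attribute-matching aggregation whose time window is extended by each temporally close alert, and a Markov chain over attack types whose transition probabilities are pushed down for linkage defense. The following Python is an added illustration of that pipeline, written for this page and not taken from the paper. The alert field names, the per-source chaining of aggregated groups into Markov sequences, the `max_span` cap on window extension, and the sample alerts are all assumptions; the paper defines its own reporting message format and does not state these details.

```python
from collections import Counter, defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class Alert:
    """One raw IDS alert as reported by a data-plane security component.
    Field names are an assumption; the paper defines its own message format."""
    ts: float          # seconds (epoch or relative)
    src: str
    dst: str
    attack_type: str


def aggregate_alerts(alerts, window=60.0, max_span=600.0,
                     match_keys=("src", "dst", "attack_type")):
    """Attribute-matching aggregation with an automatically extended time window.

    Alerts whose match_keys attributes are identical are merged into one group
    as long as each new alert arrives within `window` seconds of the group's
    most recent alert (temporal proximity extends the window). `max_span` caps
    how far a group may stretch, so a slow drip of alerts cannot keep it open
    forever; this cap is an added safeguard, not something the abstract states.
    """
    open_groups = {}   # attribute key -> group currently accepting alerts
    groups = []
    for a in sorted(alerts, key=lambda x: x.ts):
        key = tuple(getattr(a, k) for k in match_keys)
        g = open_groups.get(key)
        if (g is not None and a.ts - g["last"] <= window
                and a.ts - g["first"] <= max_span):
            g["last"] = a.ts          # extend the window
            g["count"] += 1
        else:
            g = {"key": key, "src": a.src, "attack_type": a.attack_type,
                 "first": a.ts, "last": a.ts, "count": 1}
            open_groups[key] = g      # replaces any closed group for this key
            groups.append(g)
    return groups


def transition_matrix(groups):
    """Estimate Markov transition probabilities between attack types.

    Aggregated groups are chained per source address in start-time order
    (an assumption: the abstract does not say how alert sequences are formed),
    consecutive pairs are counted, and each row is normalised to sum to 1.
    """
    chains = defaultdict(list)
    for g in sorted(groups, key=lambda g: g["first"]):
        chains[g["src"]].append(g["attack_type"])
    counts = defaultdict(Counter)
    for seq in chains.values():
        for cur, nxt in zip(seq, seq[1:]):
            counts[cur][nxt] += 1
    return {cur: {nxt: n / sum(row.values()) for nxt, n in row.items()}
            for cur, row in counts.items()}


def likely_next(matrix, attack_type):
    """Most probable successor of `attack_type`, or None if it has no outgoing
    transitions; this is the prediction a controller could push to a security
    component for linkage defense."""
    row = matrix.get(attack_type)
    if not row:
        return None
    return max(row.items(), key=lambda kv: kv[1])[0]


# Constructed sample alerts (not real data): two sources; repeated port scans
# within 60 s should collapse into one group, the later scan starts a new one.
SAMPLE_ALERTS = [
    Alert(0, "10.0.0.5", "10.0.1.10", "port_scan"),
    Alert(20, "10.0.0.5", "10.0.1.10", "port_scan"),
    Alert(45, "10.0.0.5", "10.0.1.10", "port_scan"),
    Alert(200, "10.0.0.5", "10.0.1.10", "ssh_bruteforce"),
    Alert(230, "10.0.0.5", "10.0.1.10", "ssh_bruteforce"),
    Alert(400, "10.0.0.5", "10.0.1.10", "port_scan"),
    Alert(420, "10.0.0.5", "10.0.1.10", "ssh_bruteforce"),
    Alert(500, "10.0.0.5", "10.0.1.10", "privilege_escalation"),
    Alert(10, "10.0.0.9", "10.0.1.20", "port_scan"),
    Alert(300, "10.0.0.9", "10.0.1.20", "privilege_escalation"),
]

if __name__ == "__main__":
    groups = aggregate_alerts(SAMPLE_ALERTS)
    print(f"{len(SAMPLE_ALERTS)} raw alerts -> {len(groups)} aggregated groups")
    for g in groups:
        print(g)
    P = transition_matrix(groups)
    for cur, row in P.items():
        print(cur, row)
    print("after port_scan expect:", likely_next(P, "port_scan"))
```

With the constructed alerts, ten raw alerts become seven groups and the estimated chain gives port_scan a 2/3 probability of being followed by ssh_bruteforce. The `max_span` cap matters in practice: a window that is only ever extended will merge an attacker's slow, hour-long activity into a single group and hide the step boundaries the Markov model needs.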
