
Student: Lee, Chung-Cheng (李崇誠)
Thesis title: Multi-Devices Correlation Algorithm in Large Scale Security Analysis Platform (多設備關連演算法在大型安全分析平台)
Advisor: Huang, Yueh-Min (黃悅民)
Degree: Master
Department: Department of Engineering Science (on-the-job class), College of Engineering
Year of publication: 2009
Graduation academic year: 97 (ROC calendar)
Language: Chinese
Pages: 61
Chinese keywords: multi-device log detection (偵測多設備日誌)
Foreign keywords: Log Correlation, Malware Attack Detection
Current IDS architectures are mainly signature-based, detecting attacks by matching attack signatures. This technique has known problems, in particular the inability to detect novel and unknown attacks. Experts and scholars have therefore proposed anomaly techniques based on intelligent methods to address this issue, but because normal behaviour profiles are hard to define, these techniques tend to produce false positives.

This thesis proposes three multi-device correlation algorithms to strengthen the network security protection of a purely signature-based IDS and thereby address its inability to detect novel and unknown attacks. The first is based on the IDS and the Proxy [1] and consists mainly of the IDS-Proxy Correlation 1 (IPC1) algorithm, which can serve as a reference for writing malicious-attack signature rules, and the IDS-Proxy Correlation 2 (IPC2) algorithm, which can be applied to verify the correctness of enterprise-level security policy. The second is based on the IDS and the Firewall and can be used to trace the source information of suspicious attack events and to verify the Firewall policy. The third is based on the IDS and the Router and can be used to look up the IP addresses of suspicious attack events and to confirm the Router ACL.

Finally, this thesis designs test scenarios to verify the proposed system architecture and algorithms. For the IDS-Proxy correlation, tests against malicious websites show the accuracy of malicious-website detection. Tests with polymorphic variant attacks, backdoor and Trojan programs, and mail server attacks show the reference value of the IDS-Firewall correlation for attack event information, and a web server attack test shows the usability of the IDS-Router correlation for tracing attack sources. These results show that the algorithms are applicable and effective on a large-scale security analysis platform.

Current IDSs are based on signature matching. A signature technique cannot detect a novel or unknown attack for which it lacks a corresponding signature. Many anomaly techniques based on intelligent methods have been proposed to tackle this, but these anomaly detection algorithms still suffer from large numbers of false positives because normal profiles are difficult to define.

We propose three multi-device correlation algorithms to improve the security of an enterprise with a signature-based IDS deployed. The first, the IDS-Proxy Correlation 1 (IPC1) algorithm, correlates IDS alert logs with proxy server logs to give experts more information. A second IDS-Proxy correlation, the IPC2 algorithm, is proposed to verify the effectiveness and correctness of enterprise security policy. The second algorithm, based on IDS-Firewall correlation, can trace the source of a network security incident and verify the correctness of the firewall policy. The IDS-Router correlation is our third proposed algorithm, which aims at verifying the correctness of the router's ACL (Access Control List).

Our test results demonstrate that some malicious web sites are identified by the IDS-Proxy correlation algorithm. Our tests based on polymorphic, backdoor, Trojan, e-mail server and web server attacks show that the IDS-Firewall and IDS-Router correlations provide useful information. From these experiments, we believe that these three algorithms can be applied to a large-scale security analysis platform.

Table of contents:
    Chapter 1 Introduction 1
      1.1 Research background 1
      1.2 Research motivation 1
      1.3 Thesis structure 2
    Chapter 2 Literature review and related work 3
      2.1 Analysis of network attack behaviour 3
      2.2 Intrusion detection techniques 4
        2.2.1 Misuse Detection 5
        2.2.2 Anomaly Detection 5
      2.3 Correlation techniques 6
        2.3.1 Log Analysis applications 6
        2.3.2 Correlation Approaches 8
    Chapter 3 System design and implementation 12
      3.1 System architecture 12
      3.2 Log collection mechanism and log formats 21
      3.3 System implementation 33
    Chapter 4 Multi-device correlation algorithms 35
      4.1 IDS-Proxy correlation algorithm 35
      4.2 IDS-Firewall correlation algorithm 38
      4.3 IDS-Router correlation algorithm 39
    Chapter 5 Experiments and tests 41
      5.1 Test environment design 41
      5.2 Test scenario design and results 44
    Chapter 6 Conclusion 59
    References 60

    [1] 曾龍, 李崇誠, 黃培軒, 鄭郁翰, 黃悅民. "Detection of Malware Attack via IDS Proxy Correlation Algorithm". U-Home Conference, 2008.
    [2] Symantec Internet Security Threat Report, April 2008.
    [3] A. Valdes and K. Skinner. "Probabilistic Alert Correlation". In Recent Advances in Intrusion Detection, Lecture Notes in Computer Science, vol. 2212, Springer-Verlag, 2001.
    [4] Bro, http://bro-ids.org/
    [5] C. Abad, J. Taylor, C. Sengul, Y. Zhou, W. Yurcik, and K. Rowe. "Log Correlation for Intrusion Detection: A Proof of Concept". In Proc. of the 19th Annual Computer Security Applications Conference, Las Vegas, Nevada, USA, December 2003.
    [6] D. Andersson, M. Fong, and A. Valdes. "Heterogeneous Sensor Correlation: A Case Study of Live Traffic Analysis". Presented at the IEEE Information Assurance Workshop, June 2002.
    [7] F. Cuppens and A. Miege. "Alert Correlation in a Cooperative Intrusion Detection Framework". In IEEE Symposium on Security and Privacy, May 2002.
    [8] Guofei Gu, Phillip Porras, Vinod Yegneswaran, Martin Fong, and Wenke Lee. "BotHunter: Detecting Malware Infection Through IDS-Driven Dialog Correlation". In Proceedings of the 16th USENIX Security Symposium, August 2007.
    [9] Iptables, http://www.netfilter.org/
    [10] RFC 3164, The BSD Syslog Protocol.
    [11] Snort, http://www.snort.org/
    [12] Squid, http://www.squid-cache.org/
    [13] X. Qin and W. Lee. "Statistical Causality Analysis of INFOSEC Alert Data". In Recent Advances in Intrusion Detection, September 2002.
    [14] Yinglian Xie. "A Spatiotemporal Event Correlation Approach to Computer Security". Ph.D. thesis, August 2005.
    [15] Yousof Al-Hammadi and Uwe Aickelin. "Detecting Botnets Through Log Correlation". IEEE/IST Workshop on Monitoring, Attack Detection and Mitigation, 28-29 September 2006.
    [16] Yousof Al-Hammadi and Uwe Aickelin. "Detecting Bots Based on Keylogging Activities". 3rd International Conference on Availability, Reliability and Security (ARES 2008).
