Security Event Center
merge algorithm pseudo code
Merge Algorithm
output: correlated_event queue
global: event_scenario , MO_win_size
1. pull the top event
2. if OO_events queue == NULL
3. new OO_events as event_scenario in event queue
4. OO_events inherit event
5. while event-queue ≠ NULL
{
6. pull the top event
7. if event.timestamp < ( OO_events.end_time + win_size )
8. Search a correlated_event in correlated_event queue that correlated_event.{ IP_dst,
port_dst,signature } == event.{ IP_dst, port_dst, signature }
9. correlated_event _event.endtime max(event.endtime, MO_event.endtime)
10. correlated_event.reference append (event.id )
11. correlated_event.IP_src correlated_event. IP_ src ∪ event. IP_ src
correlated_event t.port_src correlated_event. port_src ∪ event. port_ src
12. else
13. new OO_events as event_scenario in event queue
14. OO_events inherit event
}
15 return correlated_event queue
…
php real code
<?
function merge($timesize)
{
global $object,$obj_ctr,$DB;
$mo_base_ctr=0;
$mo_ptr = 0; //mo pointer
$i = 0; //tmp
//----------------database check----------------
$str="SELECT start_time,end_time,reference,ip_proto,
event_name,ip_dst,ip_src,sid,dport,sport,sig_class_id,
signature,sig_priority FROM accident_ticket
WHERE end_time >= \"".$object[0]->start_time."\" ORDER BY start_time ASC";
$DB->query($str);
$fixed_num = mysql_num_rows($DB->result);
if($fixed_num == null )
{
$fixed_num = 0;
$obj_ptr=1;
$mo_ctr=1;
}
else
{
$obj_ptr=$fixed_num;
$mo_ctr=$fixed_num;
}
$mo[0] = new scenario(null,null,null,null,null,null,null,null,null,null,null,null,null);
if($fixed_num > 0)
{
while(list($start_time,$end_time,$reference,$ip_proto,$event_name,$ip_dst,
$ip_src,$sid,$dport,$sport,$sig_class_id,$signature,$sig_priority)
= mysql_fetch_row($DB->result) )
{
$mo[$mo_base_ctr]->start_time = $start_time;
$mo[$mo_base_ctr]->end_time = $end_time;
$mo[$mo_base_ctr]->reference = $reference;
$mo[$mo_base_ctr]->ip_proto = $ip_proto;
$mo[$mo_base_ctr]->event_name = $event_name;
$mo[$mo_base_ctr]->ip_dst[0] = $ip_dst;
$mo[$mo_base_ctr]->ip_src = split(",",$ip_src);
$mo[$mo_base_ctr]->sid = split(",",$sid);
$mo[$mo_base_ctr]->dport[0] = $dport;
$mo[$mo_base_ctr]->sport = $sport;
$mo[$mo_base_ctr]->sig_class_id = $sig_class_id;
$mo[$mo_base_ctr]->signature = split(",",$signature);
$mo[$mo_base_ctr]->sig_priority = $sig_priority;
$mo[$mo_base_ctr]->cmp_time=nor_time($end_time);
$mo_base_ctr++;
}
$object=array_merge($mo,$object);
$str="DELETE FROM accident_ticket WHERE end_time >= \"".$object[0]->start_time."\"";
$DB->query($str);
$DB->reset_auto("accident_ticket");
}
//if($DB->result) $DB->free_result();
//----------------database check----------------
//echo "timesize:".$timesize."<br>";
while( $obj_ptr < $obj_ctr )
{
$object[$obj_ptr]->cmp_time=chk_time($object[$obj_ptr]->start_time,$timesize);
//----remove timeout class----
for($i=$mo_ptr; $i<$mo_ctr ;$i++)
{
if( strcmp($object[$obj_ptr]->cmp_time,$object[$mo_ptr]->cmp_time) > 0 ) $mo_ptr++;
else
{
$i=$mo_ctr;
}
}
//----remove timeout class----
//====many2one check===
for($i=$mo_ptr; $i<$mo_ctr ;$i++)
{
if($object[$obj_ptr]->ip_dst[0] == $object[$i]->ip_dst[0])
{
// if($object[$obj_ptr]->dport[0] == $object[$i]->dport[0])
// {
if($object[$obj_ptr]->signature[0] == $object[$i]->signature[0])
{
//-------------------------merge----------------------------
$object[$i]->reference=($object[$i]->reference).", ".($object[$obj_ptr]->reference);
if( $object[$i]->ip_proto!=$object[$obj_ptr]->ip_proto ) $object[$i]->ip_proto="multiproto";
$object[$i]->ip_src=arr_merge($object[$obj_ptr]->ip_src,$object[$i]->ip_src);
$object[$i]->sid=arr_merge($object[$obj_ptr]->sid,$object[$i]->sid);
if( $object[$i]->sport!=$object[$obj_ptr]->sport ) $object[$i]->sport="multiport";
if( $object[$i]->sig_class_id != $object[$obj_ptr]->sig_class_id ) $object[$i]->sig_class_id=0;
if( $object[$i]->sig_priority > $object[$obj_ptr]->sig_priority ) $object[$i]->sig_priority=$object[$obj_ptr]->sig_priority;
if((time_smaller($object[$obj_ptr]->start_time,$object[$i]->start_time))==1)
{
$object[$i]->start_time = $object[$obj_ptr]->start_time;
}
if((time_smaller($object[$i]->end_time,$object[$obj_ptr]->end_time))==1)
{
$object[$i]->end_time = $object[$obj_ptr]->end_time;
}
$object[$i]->cmp_time=nor_time($object[$i]->end_time);
$i=$mo_ctr;
//-------------------------merge----------------------------
}
// }
}
}
if($i!=$mo_ctr+1)
{
$object[$mo_ctr]->start_time=$object[$obj_ptr]->start_time;
$object[$mo_ctr]->end_time=$object[$obj_ptr]->end_time;
$object[$mo_ctr]->reference=$object[$obj_ptr]->reference;
$object[$mo_ctr]->ip_proto=$object[$obj_ptr]->ip_proto;
$object[$mo_ctr]->event_name=$object[$obj_ptr]->event_name;
$object[$mo_ctr]->ip_dst=arr_cover($object[$obj_ptr]->ip_dst,$object[$mo_ctr]->ip_dst);
$object[$mo_ctr]->ip_src=arr_cover($object[$obj_ptr]->ip_src,$object[$mo_ctr]->ip_src);
$object[$mo_ctr]->sid=arr_cover($object[$obj_ptr]->sid,$object[$mo_ctr]->sid);
$object[$mo_ctr]->dport=arr_cover($object[$obj_ptr]->dport,$object[$mo_ctr]->dport);
$object[$mo_ctr]->sport=$object[$obj_ptr]->sport;
$object[$mo_ctr]->sig_class_id=$object[$obj_ptr]->sig_class_id;
$object[$mo_ctr]->signature=arr_cover($object[$obj_ptr]->signature,$object[$mo_ctr]->signature);
$object[$mo_ctr]->sig_priority=$object[$obj_ptr]->sig_priority;
$object[$mo_ctr]->cmp_time=nor_time($object[$mo_ctr]->end_time);
$mo_ctr++;
}
//====many2one check===
$obj_ptr++;
}
$obj_ctr=$mo_ctr;
};
?>
