event is preprocessed and transformed into the standard format, and each attribute field is set to the appropriate value.

During the security situation data processing phase, the standardized alert events are received as input and are simplified, filtered and fused. The objective of event simplification is to merge the redundant alert events that several sensors generate for the same attack. A typical example is port scanning: the IDS may produce one detection event for every port scanning packet, and the number of events can be greatly reduced by merging events of the same type from the same source host to the same destination host within a given time period. The objective of event filtering is to remove events that do not satisfy the constraint requirements; these constraints are stored in the knowledge base in the form of attributes or rules, according to the requirements of network security situation awareness. For instance, an event can be removed if its key attributes are absent or outside the required ranges, because such an event is meaningless for the analysis of the network security situation. Through simplification and filtering, repeated security events are merged, the number of security events is greatly reduced and the level of abstraction is raised, while the security situation information they imply is preserved.
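The following Python example illustrates the filtering and simplification steps described above. It is an added example, not code from the paper or from any system the paper describes. The attribute names (`type`, `src`, `dst`, `dst_port`, `ts`, `severity`), the constraint rules standing in for the knowledge base, the 60-second merge window and the sample alert events are all constructed assumptions; the sample events are crafted so that one port scan is split across two time windows and three events violate a constraint.

```python
# Constructed sample alert events in a standardized attribute format (assumed
# field names; not taken from the paper). Event 7 lacks a key attribute,
# event 8 has an out-of-range port and event 9 an out-of-range severity.
RAW_EVENTS = [
    {"id": 1, "type": "port_scan",   "src": "10.0.0.5", "dst": "10.0.1.9", "dst_port": 22,    "ts": 100.0, "severity": 3},
    {"id": 2, "type": "port_scan",   "src": "10.0.0.5", "dst": "10.0.1.9", "dst_port": 23,    "ts": 101.0, "severity": 3},
    {"id": 3, "type": "port_scan",   "src": "10.0.0.5", "dst": "10.0.1.9", "dst_port": 80,    "ts": 102.5, "severity": 3},
    {"id": 4, "type": "port_scan",   "src": "10.0.0.5", "dst": "10.0.1.9", "dst_port": 443,   "ts": 250.0, "severity": 3},
    {"id": 5, "type": "port_scan",   "src": "10.0.0.5", "dst": "10.0.1.9", "dst_port": 8080,  "ts": 251.0, "severity": 3},
    {"id": 6, "type": "brute_force", "src": "10.0.0.7", "dst": "10.0.1.9", "dst_port": 22,    "ts": 103.0, "severity": 4},
    {"id": 7, "type": "port_scan",   "src": None,       "dst": "10.0.1.9", "dst_port": 25,    "ts": 104.0, "severity": 3},
    {"id": 8, "type": "port_scan",   "src": "10.0.0.5", "dst": "10.0.1.9", "dst_port": 70000, "ts": 105.0, "severity": 3},
    {"id": 9, "type": "brute_force", "src": "10.0.0.7", "dst": "10.0.1.9", "dst_port": 22,    "ts": 105.0, "severity": 9},
]

# Constraint requirements standing in for the knowledge base (assumed rules):
# key attributes that must be present, and numeric attributes with valid ranges.
REQUIRED_ATTRIBUTES = ("type", "src", "dst", "dst_port", "ts")
RANGE_CONSTRAINTS = {"dst_port": (0, 65535), "severity": (1, 5)}


def filter_events(events):
    """Event filtering: drop events whose key attributes are absent or whose
    numeric attributes fall outside the required ranges."""
    kept = []
    for ev in events:
        if any(ev.get(attr) is None for attr in REQUIRED_ATTRIBUTES):
            continue
        out_of_range = any(
            not (lo <= ev[attr] <= hi)
            for attr, (lo, hi) in RANGE_CONSTRAINTS.items()
            if attr in ev
        )
        if out_of_range:
            continue
        kept.append(ev)
    return kept


def simplify_events(events, window):
    """Event simplification: merge events of the same type, source and
    destination whose timestamps fall within `window` seconds of the first
    event of the group. Each merged group records how many raw events it
    absorbed and which ports they touched, so no situation information is lost."""
    merged = []
    open_groups = {}  # (type, src, dst) -> index of the current group in `merged`
    for ev in sorted(events, key=lambda e: e["ts"]):
        key = (ev["type"], ev["src"], ev["dst"])
        idx = open_groups.get(key)
        if idx is not None and ev["ts"] - merged[idx]["first_ts"] <= window:
            group = merged[idx]
            group["count"] += 1
            group["last_ts"] = ev["ts"]
            group["dst_ports"].add(ev["dst_port"])
            group["member_ids"].append(ev["id"])
            group["severity"] = max(group["severity"], ev.get("severity", 0))
        else:
            # Either a new (type, src, dst) triple or the previous group's
            # window has expired: start a fresh merged event.
            merged.append({
                "type": ev["type"], "src": ev["src"], "dst": ev["dst"],
                "first_ts": ev["ts"], "last_ts": ev["ts"], "count": 1,
                "dst_ports": {ev["dst_port"]}, "member_ids": [ev["id"]],
                "severity": ev.get("severity", 0),
            })
            open_groups[key] = len(merged) - 1
    return merged


def process(events, window=60.0):
    """Filtering runs first so malformed events cannot seed or join a group."""
    return simplify_events(filter_events(events), window)


if __name__ == "__main__":
    for g in process(RAW_EVENTS):
        print(f'{g["type"]:12s} {g["src"]} -> {g["dst"]}  '
              f'count={g["count"]} ports={sorted(g["dst_ports"])} ids={g["member_ids"]}')
```

On the constructed input, filtering removes events 7, 8 and 9, and simplification reduces the remaining six events to three merged events: the first port scan (events 1 to 3), the brute-force attempt (event 6) and a second port scan group (events 4 and 5), which starts a new group because it arrives more than 60 seconds after the first. The window is anchored at the first event of a group; anchoring it at the most recent event instead would let a slow, continuous scan collapse into a single group, which is a design choice to make deliberately, since a bounded window also bounds how long an analyst waits before a merged event is final.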