Abstract

Purpose - The purpose of this paper is to show how to ensure real-time, precise aggregation processing of network security events without parameters that are difficult to determine. Design/methodology/approach - The aggregation method includes the choice of aggregation granularity, consistency of the abstraction layer, the expression of all hyper security events (HSEs) of a node in a cache, an aggregation algorithm based on classification, etc. Findings - The aggregation method is capable of providing, in real time, good HSEs for the subsequent correlation processing, with weak parameters that are easy to determine. Research limitations/implications - The space cost of the method is not discussed. Practical implications - The aggregation method is suitable for the real-time management of massive volumes of security events, an issue that is otherwise difficult to resolve. Originality/value - Many ideas and concepts of the paper are proposed for the first time, such as the expression of all HSEs of a node in a cache and the use of a weak queue length instead of a weak time window.
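The abstract names the building blocks of the method but does not show them operating together. The following is an added illustration, not code from the paper: it maps raw sensor signatures onto one abstraction layer, keeps every HSE of a node in a per-node cache keyed by the aggregation granularity (source, destination, category), and emits the node's HSEs when its raw-event queue reaches a fixed length rather than when a time window expires. The signature-to-category mapping, the event fields, the `NodeCache`/`Aggregator` names and the sample events are all assumptions constructed for this example.

```python
from __future__ import annotations

from collections import deque
from dataclasses import dataclass

# Constructed mapping from raw sensor signature names to abstraction-layer
# categories (assumed for this example). Keeping every event at the same
# abstraction level is what makes events from different sensors comparable.
SIGNATURE_TO_CATEGORY = {
    "SSH_AUTH_FAIL": "bruteforce",
    "FTP_AUTH_FAIL": "bruteforce",
    "TCP_SYN_SCAN": "scan",
    "UDP_PORT_SCAN": "scan",
}


@dataclass(frozen=True)
class RawEvent:
    node: str        # reporting sensor or host (assumed field)
    src: str
    dst: str
    signature: str   # raw sensor signature name
    ts: int          # seconds since epoch (constructed values below)


@dataclass
class HyperSecurityEvent:
    node: str
    src: str
    dst: str
    category: str
    count: int
    first_ts: int
    last_ts: int


def classify(ev: RawEvent) -> str:
    """Classification step: raw signature -> abstraction-layer category."""
    return SIGNATURE_TO_CATEGORY.get(ev.signature, "other")


class NodeCache:
    """All HSEs of one node, cached by aggregation granularity (src, dst, category).

    Raw events are queued; once the queue holds max_queue_len events it is
    folded into HSEs and the HSEs are emitted for correlation. Queue length
    is the only parameter and it is 'weak': a small value emits smaller HSEs,
    a large value only delays them, so nothing has to be tuned against the
    event rate the way a time window would.
    """

    def __init__(self, node: str, max_queue_len: int) -> None:
        if max_queue_len < 1:
            raise ValueError("max_queue_len must be >= 1")
        self.node = node
        self.max_queue_len = max_queue_len
        self.queue: deque[RawEvent] = deque()
        self.cache: dict[tuple[str, str, str], HyperSecurityEvent] = {}

    def push(self, ev: RawEvent) -> list[HyperSecurityEvent]:
        if ev.node != self.node:
            raise ValueError(f"event for {ev.node} pushed to cache of {self.node}")
        self.queue.append(ev)
        if len(self.queue) >= self.max_queue_len:
            return self.flush()
        return []

    def flush(self) -> list[HyperSecurityEvent]:
        """Fold the queued raw events into the HSE cache, then emit and clear it."""
        while self.queue:
            ev = self.queue.popleft()
            key = (ev.src, ev.dst, classify(ev))
            hse = self.cache.get(key)
            if hse is None:
                self.cache[key] = HyperSecurityEvent(
                    self.node, ev.src, ev.dst, key[2], 1, ev.ts, ev.ts)
            else:
                hse.count += 1
                hse.first_ts = min(hse.first_ts, ev.ts)
                hse.last_ts = max(hse.last_ts, ev.ts)
        out = sorted(self.cache.values(), key=lambda h: (h.src, h.dst, h.category))
        self.cache.clear()
        return out


class Aggregator:
    """Routes each raw event to the cache of its node (one NodeCache per node)."""

    def __init__(self, max_queue_len: int) -> None:
        self.max_queue_len = max_queue_len
        self.nodes: dict[str, NodeCache] = {}

    def push(self, ev: RawEvent) -> list[HyperSecurityEvent]:
        nc = self.nodes.get(ev.node)
        if nc is None:
            nc = self.nodes[ev.node] = NodeCache(ev.node, self.max_queue_len)
        return nc.push(ev)

    def flush_all(self) -> list[HyperSecurityEvent]:
        """Drain every node's queue, e.g. at shutdown; order is by node name."""
        out: list[HyperSecurityEvent] = []
        for name in sorted(self.nodes):
            out.extend(self.nodes[name].flush())
        return out


# Constructed sample input: two sensors, two attackers, mixed signatures.
SAMPLE_EVENTS = [
    RawEvent("sensor-A", "10.0.0.5", "10.0.1.20", "SSH_AUTH_FAIL", 100),
    RawEvent("sensor-A", "10.0.0.5", "10.0.1.20", "SSH_AUTH_FAIL", 101),
    RawEvent("sensor-A", "10.0.0.5", "10.0.1.20", "FTP_AUTH_FAIL", 103),
    RawEvent("sensor-A", "10.0.0.9", "10.0.1.20", "TCP_SYN_SCAN", 104),
    RawEvent("sensor-B", "10.0.0.9", "10.0.2.7", "UDP_PORT_SCAN", 105),
]


def run_sample(max_queue_len: int = 4):
    """Returns (HSEs emitted by the queue-length trigger, HSEs left at drain)."""
    agg = Aggregator(max_queue_len)
    emitted: list[HyperSecurityEvent] = []
    for ev in SAMPLE_EVENTS:
        emitted.extend(agg.push(ev))
    return emitted, agg.flush_all()


if __name__ == "__main__":
    for hse in run_sample()[0]:
        print(hse)
```

With a queue length of 4, the four sensor-A events collapse into two HSEs (three brute-force attempts from one source against one host become a single HSE spanning ts 100 to 103, and the scan becomes another) the moment the fourth event arrives, while sensor-B's lone event waits in its own queue until drained.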
