
Network Security Situational Awareness

Posted on: 2009-11-03
Degree: Master
Type: Thesis
Country: China
Candidate: G Y Kan
Full Text: PDF
GTID: 2208360245961770
Subject: Communication and Information System
Abstract/Summary:
As networks have grown rapidly in scale and their architectures have become more complex by the day, network viruses and distributed denial-of-service attacks (DoS/DDoS) have come to threaten network security. The traditional network security management model, which relies on a single protection technology such as a firewall, anti-virus software or an Intrusion Detection System (IDS) to achieve passive security management, no longer meets current network security requirements. There is an urgent need for new technologies that provide real-time monitoring and early warning of the network security situation. A Network Security Situation Awareness System (NSSAS) is such a technology: it monitors the network security situation and raises early warnings in a timely manner. The data used for situational awareness comes from NetFlow traffic; each flow record includes the source/destination IP addresses, the source/destination ports and the number of packets, and situational awareness is built on this flow information.

The work in this thesis is as follows. First, each NetFlow data packet contains tens of thousands or even hundreds of thousands of flow records, so processing such massive data directly is very difficult. The addresses in NetFlow data can be treated as a set of random events, which allows a sample entropy analysis: sample entropy gives a more effective description of how concentrated or dispersed the corresponding attribute values are.

Second, to address the ambiguity, randomness and uncertainty of the future network security situation, this thesis proposes a method of network security situation awareness based on the grey model. The grey model requires few samples and little computation, so it is used to forecast the sample entropy over the short term: the GM(1,1) model produces a forecast sequence of sample entropy, from which the network risk index proposed in this thesis is calculated, and this index is used to achieve network security situation awareness. Simulation shows that the method can sense the future network security situation and provide real-time warning of it.

Third, for today's large-scale networks, the Apriori data-mining algorithm can discover potential association rules from multiple sample entropy sequences, using the known effect that attacks on the network have on the sample entropy sequences. The association rules are divided into a normal space and an abnormal space, and the network security situation is divided into the levels secure, medium and dangerous.

Fourth, because the Apriori algorithm repeatedly scans the time series database, its efficiency in real applications is low, and it is difficult to meet the real-time requirement of network security situational awareness. This thesis therefore proposes a fast mining algorithm based on a matrix, which reduces the number of candidate sets by sorting the matrix and using trees, thereby improving the time efficiency of mining multiple time series. Even with a large-scale network and massive data, the purpose of security situation awareness can still be achieved.
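An added example (not from the thesis) of the first two steps above: the normalised entropy of the destination-address field over a NetFlow window, then a GM(1,1) grey-model forecast of the entropy series used to raise an early warning when traffic is predicted to concentrate. The flow records, the entropy history, the normalisation by record count and the alert threshold are all constructed assumptions.

```python
import math
from collections import Counter

# Constructed NetFlow-style records (src_ip, dst_ip, dst_port, packets); not real captures.
NORMAL_WINDOW = [
    ("10.0.0.1", "10.0.1.1", 80, 12), ("10.0.0.2", "10.0.1.2", 443, 9),
    ("10.0.0.3", "10.0.1.3", 22, 4), ("10.0.0.4", "10.0.1.4", 53, 7),
]
FLOOD_WINDOW = [  # constructed: three sources pile onto one destination
    ("10.0.0.1", "10.0.1.9", 80, 30), ("10.0.0.2", "10.0.1.9", 80, 28),
    ("10.0.0.3", "10.0.1.9", 80, 31), ("10.0.0.4", "10.0.1.1", 443, 5),
]
# Constructed history of per-window destination-address entropy (one value per window).
ENTROPY_HISTORY = [0.90, 0.85, 0.78, 0.70]


def address_entropy(flows, field=1):
    """Normalised Shannon entropy (0..1) of one address field over a window; each record
    counts once and dividing by log2(record count) is this example's assumed normalisation."""
    n = len(flows)
    if n < 2:
        return 0.0
    counts = Counter(f[field] for f in flows)
    h = -sum(c / n * math.log2(c / n) for c in counts.values())
    return h / math.log2(n)  # 1.0 = all addresses distinct, 0.0 = one address (concentrated)


def gm11_forecast(x0, steps=1):
    """GM(1,1): accumulate x0 into x1, take background values
    z1(k) = (x1(k) + x1(k-1)) / 2, fit x0(k) = -a*z1(k) + b by least squares,
    then x1_hat(k+1) = (x0(1) - b/a) * exp(-a*k) + b/a and difference back."""
    n = len(x0)
    x1 = [sum(x0[:k + 1]) for k in range(n)]
    z = [(x1[k] + x1[k - 1]) / 2 for k in range(1, n)]
    y = x0[1:]
    zm, ym = sum(z) / len(z), sum(y) / len(y)
    a = -sum((zi - zm) * (yi - ym) for zi, yi in zip(z, y)) / sum((zi - zm) ** 2 for zi in z)
    if abs(a) < 1e-12:  # flat series: nothing to extrapolate
        return [ym] * steps
    c = (ym + a * zm) / a  # b/a
    f = lambda k: (x0[0] - c) * math.exp(-a * k) + c  # x1_hat(k+1) for k = 0, 1, ...
    return [f(k) - f(k - 1) for k in range(n, n + steps)]


def entropy_alert(history, threshold=0.7):
    """Forecast the next window's entropy and flag a drop below `threshold`
    (a placeholder; the thesis's own risk index is not reproduced here)."""
    nxt = gm11_forecast(history)[0]
    return nxt, nxt < threshold
```

A falling entropy forecast means flows are expected to concentrate on fewer addresses, the pattern the abstract associates with DoS/DDoS traffic, so the alert fires before the window actually arrives.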
Keywords/Search Tags: situation awareness, sample entropy, data mining, network security, time series