Research On Model And Method Of Heterogeneous Data-source-oriented Network Security Situational Awareness

Posted on: 2011-02-05
Degree: Doctor
Type: Dissertation
Country: China
Candidate: J P Li
GTID: 1118330332460186
Subject: Computer application technology

Abstract/Summary:
With the rapid development of network technology and its applications, the network has become an indispensable part of the development of society. However, the continued deterioration of the network environment brings about severe security problems in networks. Traditional single-point, single-source security defense systems such as IDS, Firewall and VDS can only enhance the security performance of a network system to a certain degree. Moreover, because they lack effective collaboration, the security situation of the whole network cannot be monitored effectively. Under these circumstances, the study of network security situation awareness (NSSA) has been put forward as a key topic of network security research.

Network security situation awareness means that the system can extract, understand and display the security elements and then predict the security situation in the future. Though there are many research methods on situation awareness, NSSA is still in its infancy. Many technical problems remain, such as a heterogeneous data source-oriented architecture, situation element preprocessing, situation quantitative awareness and situation dynamic prediction. Combined with the specific requirements of the project, an overall solution for a heterogeneous data source-oriented network security situation awareness system (NSSAS) is proposed, and its core technologies are studied in depth in this dissertation.

Firstly, considering the drawbacks of existing architectures, such as a single data source or multiple sources with homogeneous data, long response delay, weak self-protection and lack of fault tolerance, a heterogeneous data source-oriented network security situation awareness system architecture based on mobile agents is studied. This architecture is divided into an information access layer, a data preprocessing layer and a situation decision layer, which build a research path from information access to quantitative awareness and then to situation prediction. Every module in these three layers has been designed carefully, and a systematic, dynamic, distributed and self-adapted NSSA architecture is built at last. The architecture is analyzed with the formal modeling language PEPA, and the rationality of the model is validated for the subsequent research.

Secondly, based on the NSSA architecture, a three-step data preprocessing method is proposed for the fusion of network security information from heterogeneous data sources. This method includes data classification based on the Undirected Graphs Model (UGM), information fusion based on Dempster-Shafer (DS) evidence theory, and classification amendment for the conflict data. The experiment results show that the method has high detection accuracy and fast speed, which can guarantee the classification accuracy and eliminate the bad influence of uncertain noise data. Our method can avoid evidence conflict in the DS information fusion and enhance the ability of data classification for the subsequent NSSA quantitative awareness and prediction.

Thirdly, a network security situation quantitative awareness method is proposed. Combined with host vulnerability and states, our method extracts the situation classification alarm information as the element of network security situation quantitative awareness and defines the network security threat degree to demonstrate the network risk. To classify the different attacks, the network risk degree algorithm is applied, and the network situation chart is generated for quantitative awareness of the security state of the whole network. Experiment results show that our algorithm can evaluate the network security threat degree from an alarm record effectively. The classification results on network attacks are truthful and objective, and can reveal the security situation for the subsequent network security situation prediction.

Finally, to address the nonlinear time series of the network security situation, a self-adapted prediction method based on the Volterra model is proposed. In order to achieve dynamic self-adapted prediction of the network security situation, our method builds the Volterra self-adaptation model according to the Takens theory and Phase-Space Reconstruction theory. The experiment results show that, when the correct chaotic attractor neighboring track is selected and the scale of the training set is controlled properly, our method has fast convergence speed and strong approximation ability. With high prediction accuracy, our self-adapted prediction can help administrators adjust the security policy.

Keywords/Search Tags: Network Security, Situation Awareness, Heterogeneous Data Source, Data Preprocessing, Situation Prediction