
Research On Large-scale Network Security Situation Assessment And Defense Technology

Posted on: 2011-12-19
Degree: Doctor
Type: Dissertation
Country: China
Candidate: L N Zhu
Full Text: PDF
GTID: 1118330332460524
Subject: Computer application technology

Abstract/Summary:
With the rapid growth of network applications and their complexity, novel attack techniques that are fast, wide-reaching and automated emerge continually, and network security threats grow increasingly serious. Traditional passive defense technology responds in isolation only after an attack has happened, which results in delayed response, an inability to deal with coordinated attacks, and failure when a single defense point is defeated. To protect network systems as fully as possible, active defense is needed. In order to stop an attack in time, or even take precautions beforehand, network security situation assessment is used to comprehend the current security status, the rules governing threat evolution, and the trend in the near future. Taking the Defense Pre-Research Projects of China's "Eleventh Five-Year Plan" as the background, this paper organizes its research along a time line of "past alerts, current status, future trend" and a hierarchical structure of "service, host, subnet, whole network", and studies situation assessment and high-level security defense as follows:

(1) A complex-attack-oriented hierarchical space-time alert correlation model is presented. IDSs (Intrusion Detection Systems) usually produce a huge number of alerts, which makes correlation time-consuming and correlation results too complicated to understand. At the service level, alerts are classified by destination IP, and causal correlation is carried out to reconstruct the attack paths that occurred on a single host; at the host level, the source IP and destination IP belonging to the same alert are spatially correlated to reconstruct the attack paths between different hosts. The time complexity of the hierarchical alert correlation algorithm is better than that of plain causal correlation.
Experiments on the DARPA 2000 dataset show that this model reconstructs attack scenarios accurately, and the correlation results at the two levels help to recognize attack patterns and vital steps.

(2) A hierarchical network security threat situation assessment model is put forward to estimate confidentiality, integrity and availability. This model includes a suite of security threat situation indices composed of the service, host, subnet and whole-network levels. The service-level situation is assessed by applying the DREAD (Damage potential, Reproducibility, Exploitability, Affected users, Discoverability) model to each alert; the host-level confidentiality and integrity situation is calculated by accumulating service-level situations along attack paths based on a Markov model; the host-level availability situation is estimated by fusing bandwidth usage and response delay based on D-S (Dempster-Shafer) evidence theory; the subnet-level and whole-network situations are the weighted sums of the situations one level below them. Experiments in a real local network validate the feasibility of this model.

(3) A network worm propagation direction prediction model is developed. Traditional worm propagation models deal with the total number of infected hosts during a period of time, but cannot indicate a worm's spread path. This model divides the network into areas and derives, for each area, the time at which and the probability with which its number of victims will increase, based on common characteristics of worm diffusion and the relationship between packet passing rate and bandwidth usage. Taking these two indices as input, fuzzy reasoning is adopted to deduce a real-time alert level for each area; an area with a high alert level is likely to be infected within a short time. Simulation results show that this model estimates worm propagation direction dynamically with acceptable accuracy, and that the valid prediction time is more sufficient for slow worms.

(4) A distributed multi-step delegation defense method is proposed.
The delegation mechanism from the access control field is introduced into distributed security defense systems. Multi-step vertical delegation defense is adopted to overcome the failure of a single defense point, and single-step horizontal delegation defense is used to realize cooperation. This method adopts signcryption to keep delegation messages confidential and authentic, and evaluates delegation requests within the XACML (eXtensible Access Control Markup Language) framework. The delegation defense process is described both as a flowchart and formally. The delegation characteristics exhibited in delegation defense are discussed, and a demonstration is given to illustrate a concrete realization of this method.

Large-scale network security situation assessment and defense technology provides the network security situation and its evolution trend at different hierarchical levels, and locates worm propagation to specific subnets, which provides important decision-making support for active security defense; in addition, applying the multi-step delegation mechanism to distributed security response lays a favorable theoretical foundation for constructing dynamic, cooperative network security defense systems.
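As an added illustration of items (1) and (2) above (not code from the dissertation), the following Python sketch runs the hierarchy end to end on a constructed alert stream: service-level grouping by destination host with causal chaining, host-level spatial linking of paths through shared source addresses, DREAD scoring of each alert, accumulation along each path weighted by assumed step-transition probabilities standing in for the dissertation's Markov model, and weighted sums up to the subnet and whole-network levels. The alert data, prerequisite table, DREAD component values, transition probabilities and asset weights are all constructed; the availability component fused with D-S evidence theory is not modeled.

```python
"""Hierarchical alert correlation and threat situation assessment.

Added illustration; not code from the dissertation. Everything below is
constructed: the alert stream, the prerequisite table, the DREAD component
values, the step-transition probabilities and the asset weights.
"""
from collections import defaultdict

# Constructed IDS-style alert stream: time, source host, destination host, alert kind
ALERTS = [
    dict(t=1, src="10.0.0.5",  dst="10.0.1.10", kind="scan"),
    dict(t=2, src="10.0.0.5",  dst="10.0.1.10", kind="exploit"),
    dict(t=3, src="10.0.0.5",  dst="10.0.1.10", kind="priv_esc"),
    dict(t=4, src="10.0.1.10", dst="10.0.2.20", kind="scan"),
    dict(t=5, src="10.0.1.10", dst="10.0.2.20", kind="exploit"),
    dict(t=6, src="10.0.9.9",  dst="10.0.2.20", kind="scan"),
]

# Assumed causal knowledge: an alert kind may directly follow any of its prerequisites
PREREQ = {"exploit": {"scan"}, "priv_esc": {"exploit"}}

# Hypothetical DREAD components (Damage, Reproducibility, Exploitability,
# Affected users, Discoverability), each 1..10, per alert kind
DREAD = {"scan": (1, 9, 9, 3, 9), "exploit": (7, 6, 6, 6, 5), "priv_esc": (9, 5, 4, 8, 4)}

# Hypothetical probability that an attacker who completed step k goes on to step k+1
P_NEXT = {("scan", "exploit"): 0.4, ("exploit", "priv_esc"): 0.6}

# Assumed asset importance and topology used for the weighted sums
HOST_WEIGHT = {"10.0.1.10": 0.7, "10.0.2.20": 0.3}
SUBNET_OF = {"10.0.1.10": "10.0.1.0/24", "10.0.2.20": "10.0.2.0/24"}
SUBNET_WEIGHT = {"10.0.1.0/24": 0.5, "10.0.2.0/24": 0.5}


def service_level_paths(alerts):
    """Service level: group alerts by destination host, then chain each alert onto
    the latest path from the same source whose last step is a prerequisite of it.
    Grouping first means causal matching only compares alerts aimed at one host."""
    by_dst = defaultdict(list)
    for a in sorted(alerts, key=lambda x: x["t"]):
        by_dst[a["dst"]].append(a)
    paths = {}
    for dst, group in by_dst.items():
        host_paths = []
        for a in group:
            for p in reversed(host_paths):
                if p[-1]["src"] == a["src"] and p[-1]["kind"] in PREREQ.get(a["kind"], set()):
                    p.append(a)
                    break
            else:
                host_paths.append([a])
        paths[dst] = host_paths
    return paths


def host_level_links(paths):
    """Host level: a path that ends on host H is spatially linked to a path on
    another host whose first alert originates from H and occurs later."""
    links = set()
    for dst, host_paths in paths.items():
        for p in host_paths:
            for other, other_paths in paths.items():
                if other == dst:
                    continue
                for q in other_paths:
                    if q[0]["src"] == dst and q[0]["t"] > p[-1]["t"]:
                        links.add((dst, other))
    return sorted(links)


def dread_score(alert):
    """Service-level severity of one alert: mean of its DREAD components, scaled to 0..1."""
    return sum(DREAD[alert["kind"]]) / 50.0


def path_threat(path):
    """Accumulate service-level severity along a path, weighting each step by the
    probability that the attacker reaches it (a simple chain-of-steps assumption
    standing in for the dissertation's Markov model)."""
    reach, total = 1.0, 0.0
    for i, a in enumerate(path):
        if i > 0:
            reach *= P_NEXT.get((path[i - 1]["kind"], a["kind"]), 0.5)
        total += reach * dread_score(a)
    return total


def assess(alerts):
    """Run the whole hierarchy and return every level's result."""
    paths = service_level_paths(alerts)
    host = {h: sum(path_threat(p) for p in ps) for h, ps in paths.items()}
    subnet = defaultdict(float)
    for h, s in host.items():
        subnet[SUBNET_OF[h]] += HOST_WEIGHT[h] * s
    network = sum(SUBNET_WEIGHT[n] * s for n, s in subnet.items())
    return {"paths": paths, "links": host_level_links(paths),
            "host": host, "subnet": dict(subnet), "network": network}


if __name__ == "__main__":
    r = assess(ALERTS)
    for h, ps in r["paths"].items():
        print(h, [[a["kind"] for a in p] for p in ps])
    print("links:", r["links"])
    print("host:", r["host"], "subnet:", r["subnet"], "network:", round(r["network"], 4))
```

On the constructed stream the service level yields one three-step path on 10.0.1.10 and two paths on 10.0.2.20, the host level links the two hosts because the second host's path originates from the first after its path completed, and the subnet and network scores follow from the assumed weights. The design point is that grouping by destination first keeps causal matching local to one host, which is what makes the two-level scheme cheaper than pairwise causal matching over the whole alert set.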
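The fuzzy reasoning step of item (3) above, as an added example that is not the dissertation's own code: each area's two indices (the time until its victim count increases, and the probability of that increase) are taken as already computed, and a four-rule inference with min for AND and a weighted average of output singletons for defuzzification (Sugeno style) turns them into a real-time alert level used to rank areas. The membership functions, the rule base and the sample areas are assumptions.

```python
"""Fuzzy alert level per network area for worm propagation direction.

Added illustration; not the dissertation's code. The two inputs per area are
assumed to be already derived: T, the predicted time in seconds until the
number of victims in the area increases, and P, the probability of that
increase. Membership functions, rule base and output singletons are constructed.
"""


def clamp(x, lo=0.0, hi=1.0):
    return max(lo, min(hi, x))


# Input fuzzy sets (constructed): "soon" falls linearly from 1 at T=0 to 0 at T=120 s
def soon(t):
    return clamp(1.0 - t / 120.0)


def late(t):
    return 1.0 - soon(t)


def high(p):
    return clamp(p)


def low(p):
    return 1.0 - high(p)


# Rule base: (antecedent on T, antecedent on P) -> alert-level singleton in 0..1
RULES = [
    (soon, high, 1.0),   # imminent and likely: high alert
    (late, high, 0.5),   # likely but not yet: medium
    (soon, low, 0.5),    # soon but unlikely: medium
    (late, low, 0.0),    # neither: low
]


def alert_level(t, p):
    """Min for AND, weighted average of the singletons for defuzzification."""
    num = den = 0.0
    for f_t, f_p, out in RULES:
        w = min(f_t(t), f_p(p))
        num += w * out
        den += w
    return num / den if den else 0.0


def rank_areas(areas):
    """areas: {name: (T_seconds, P)} -> list of (name, level), most at risk first."""
    scored = [(name, alert_level(t, p)) for name, (t, p) in areas.items()]
    return sorted(scored, key=lambda x: x[1], reverse=True)


# Constructed sample: three areas of a network with assumed (T, P) indices
AREAS = {"lab-A": (30, 0.8), "office-B": (100, 0.3), "dmz-C": (10, 0.95)}

if __name__ == "__main__":
    for name, lvl in rank_areas(AREAS):
        print(f"{name:10s} alert level {lvl:.2f}")
```

With the sample indices the ranking places dmz-C first, then lab-A, then office-B; an operator watching propagation direction would treat the top of this list as the area most likely to be infected next. Because the output is a graded level rather than a binary verdict, the same function can be re-evaluated each time the two indices are refreshed.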
Keywords/Search Tags: network security, situation assessment, active defense, alerts correlation, network worm, propagation direction, delegation defense