Research On Key Technology In Large-Scale Network Security Situation Awareness

Posted on: 2011-11-27
Degree: Doctor
Type: Dissertation
Country: China
Candidate: J Wang
Full Text: PDF
GTID: 1118330332477626
Subject: Information and Communication Engineering

Abstract/Summary:
With the development of internet technology and social informatization, the importance of network security has been widely acknowledged, and a variety of network security devices are deployed that produce multi-source security data. Existing network security and management systems can collect large amounts of security data, but they lack mechanisms for effective data fusion and cooperative management. Network Situation Awareness (NSA), as a next-generation network management approach, is receiving more and more attention and has become a new hot topic in the network security field.

Almost all traditional NSA methods take intrusion detection alert records as their data source. However, it is difficult to deploy intrusion detection systems on large-scale, high-speed networks, which restricts existing NSA research results to small and medium-sized networks. This thesis studies large-scale NSA, which not only uses alert records but also uses NetFlow records to gain awareness of the high-speed backbone. The main contributions of the thesis are as follows:

1. A "Hierarchical Large Scale Network Situation Awareness Model" is proposed for large-scale network situation awareness. Its low level uses alert records as the data source to gain awareness of the branch networks, and its high level uses NetFlow records as the data source to gain awareness of the backbone. Awareness of the branch networks is object oriented, while awareness of the backbone is feature oriented.

2. A theory named "Anomaly Detection Based on Network Module Structure" is proposed to address the drop in detection efficiency and accuracy that occurs when existing NetFlow analysis methods are applied to large-scale, high-speed networks. The theory models the relation between the network partition strategy and detection accuracy. By introducing complex network module theory into network partitioning, a partition strategy based on network modularity is selected. The network is divided into "modules", and detection is run on each module in parallel. Furthermore, NetFlow features that capture module characteristics are designed. After extracting a non-redundant feature set, wavelet analysis and a deviation score are used for fine-grained detection. Simulation results show that this theory clearly increases the efficiency and accuracy of backbone situation awareness.

3. A "Similarity based Macro-Network Alerts Awareness Algorithm" is proposed. This algorithm improves existing alert correlation algorithms by redefining the similarity measure and the attribute weights, redesigning the threshold selection method, and making the correlation results present the steps and scope of attacks in a form people can understand. Furthermore, a concise and applicable emergency response mechanism is proposed to restrain the spread of local anomalies by pre-configuring strategy templates and creating emergency response strategies in a timely manner.
Keywords/Search Tags: Network Situation Awareness, Network Security Assessment, Alert Analysis, Emergency Response, NetFlow Anomaly Detection