
Network Security Situation Quantification Awareness And Evaluation Based On Multi-source Fusion

Posted on: 2010-02-15
Degree: Doctor
Type: Dissertation
Country: China
Candidate: X W Liu
GTID: 1118330332960513
Subject: Computer application technology
Abstract/Summary:
With the popularization of computer technology, networks have given great impetus to the advancement of society. However, the development of network technology faces great challenges in an increasingly severe network security environment. Traditional single-point heterogeneous security defense technologies, such as IDS, firewall and VPN, can enhance the security of a network system to a certain degree, but the lack of effective collaboration among them makes it impossible to monitor the security situation of the whole network. Under these circumstances, research on Network Security Situation Awareness (NSSA) has high academic value and comprehensive practical value.

Research on NSSA is still far from mature. Most situation awareness models are based on a single-source environment, and quantification awareness methods mainly depend on quantifying the raw alerts of the security sensors, so they cannot achieve awareness of attack steps and sequences. Research on situation evaluation mainly focuses on the construction of index systems and lacks deep study of evaluation models and methods. To address these problems, a research scheme for NSSA based on multi-source fusion is proposed, in which the framework model, attack track acquisition, quantification awareness and situation evaluation are discussed in depth.

Firstly, in response to the technical requirements, an NSSA hierarchy model based on multi-source fusion (MsFHM) is studied. The model is divided into three layers, from bottom to top: the information acquisition layer, the quantification awareness layer and the situation evaluation layer. The components of every layer are described in detail, and the relations between layers and between components are explained clearly. The analysis of the model components shows that MsFHM can meet the demands of research in multi-source fusion, attack-track-oriented complicated situation awareness and situation evaluation. The model also establishes a line of research that runs from information acquisition through quantification awareness to situation evaluation. The results of applying the model validate that it is effective. It can be used to guide engineering practice and also lays the foundation for the subsequent research contents.

Secondly, based on MsFHM and the requirements that fusion methods place on reasoning precision, prior knowledge and robustness, the PSO-DS multi-source fusion algorithm is studied, using alert aggregation and Bit Map collision evidence elimination as preprocessing. The fusion algorithm reduces uncertainty and generates accurate alerts. After that, hyper-alerts are created from the fused alerts by the aggregation algorithm, and an attack track reconstruction method is put forward based on the hyper-alert correlation composite difference (HACCD). The HACCD method achieves fine-grained, step-level information acquisition and also provides the necessary condition for hierarchical quantification awareness in the next stage. The simulation experiments show that the PSO-DS multi-source fusion algorithm can increase the detection rate and decrease the false detection rate. Accordingly, the track reconstruction method based on HACCD achieves higher correctness and soundness.

Thirdly, a network security situation quantification awareness method based on threat gene generation is explored. The method has two aspects: situation factor extraction and quantification awareness. In the first aspect, a situation factor model is constructed, in which the situation factors are attack intensity, attack step, event threat degree and so on. The threat gene is obtained by reasoning about the functional relation between the threat gene and the threat level. In the second aspect, a threat-gene-weighted quantification awareness method is proposed that accomplishes quantification awareness of the attack step, the attack track and the network. The simulation results show that this quantification awareness method can reflect the dynamic evolution of the attack track situation and the network system situation in a parallel, intuitive and accurate way. The method can not only monitor and manage the network effectively, but also provide evidence for decision-making.

Finally, an NSSA evaluation method based on optimal linear assignment is presented. First, the evaluation indexes, which include alert purity, track confidence, awareness precision and application timeliness, are established and divided between the information acquisition layer and the quantification awareness layer. Then an NSSA evaluation model is constructed. According to the evaluation model and linear assignment theory, the network security situation evaluation method based on optimal linear assignment is proposed, and quantitative evaluation is realized using the indexes of the information acquisition layer and the quantification awareness layer. The simulation experiments demonstrate that the evaluation method is able to satisfy the evaluation requirements and reflect the awareness performance of NSSA from the aspects of alert, attack track, quantification awareness and environment.
Keywords/Search Tags:NSSA, Multi-source fusion, Attack track reconstruction, Quantification awareness, Evaluation