
Research On Network Vulnerability Assessment And Intrusion Alert Analysis Technology

Posted on: 2012-10-21
Degree: Doctor
Type: Dissertation
Country: China
Candidate: X J Liu
Full Text: PDF
GTID: 1118330335467534
Subject: Radio Physics
Abstract/Summary:
In recent years, with the rapid development of network technology and the expansion of network size, network-related security events and intrusions have been growing continually. Theory and practice indicate that these are due to the existence of security vulnerabilities in hosts and networks. Therefore, how to accurately evaluate the vulnerabilities of a network and make prompt judgments on security alerts has become an important problem, and network security assessment is now one of the research focuses in the field of network security. From the network vulnerability perspective, this thesis conducts in-depth research on the key technologies of network vulnerability assessment and intrusion alert analysis involved in network security evaluation. It mainly includes the following four aspects:

(1) Construction of a host-state attack graph

Attack graphs are commonly used in analyzing network security because they can reflect all the vulnerabilities in a network and their interrelationships. In this thesis we add a state probability and a previous-state pointer to every node of a host-centric attack graph and propose the host-state attack graph. The graph not only helps control the generation scale of the attack graph, but also gives the most likely attack path an attacker could take to the final state, and provides decision support for subsequent network security analysis.

(2) Cost analysis of security hardening measures with a multi-objective genetic algorithm based on a cost model

How to determine a minimum set of hardening measures that minimizes the impact of the vulnerabilities, thus ensuring the overall security of the network at minimum cost, is becoming a prominent problem in the field of network security. We propose a multi-objective optimization model of hardening measures based on a genetic algorithm. From the perspective of loss influence, the model first analyzes the potential losses to the target network in the attack graph that would be caused by the attacks. Then, after applying a series of security control measures, we use the cost model to seek a balance between the residual loss and the total cost of those measures. On that basis, approximate optimal solutions are found through a genetic algorithm based on multi-objective optimization, so the administrator can patch vulnerabilities purposefully, which undoubtedly enhances the overall security of the network.

(3) An intrusion analysis method based on feature distribution

In large-scale networks, administrators face numerous challenges, the foremost being that the attack traces contained in the alert flow cannot easily be discerned by visual inspection, because they are buried under overwhelming numbers of alerts from benign activity. Based on the principle that the relationships between alerts reflect, in a sense, the relationships between attack actions, we analyze the abrupt changes in feature distribution caused by anomalies, and treat detection as a change-detection problem over alert features such as class type and signature, in addition to IP addresses and ports. The regularity between alert attributes indicates the patterns of attack actions and can serve as the basis for attack detection. On that basis, we propose an intrusion analysis method based on relative entropy: we compute the KL distance between the observed alert feature distribution and a reference distribution, which is a mixture of a distribution capturing the trend of historical alerts and a distribution derived from expertise provided by system administrators. We apply our discovery method to real-world alerts gathered from a large-scale network, and the experimental results show that it can extract attack action patterns and effectively distinguish many kinds of anomalies in the alert flow, including not only security events, e.g., port scanning and denial-of-service attacks, but also network events, e.g., failures or misconfiguration.

(4) Intrusion diagnosis and prediction based on certainty factor theory

Based on certainty factor theory, we propose a model for real-time assessment of network threat. Built on the attack graph, the model calculates the attack threat the target network faces and assesses the trend of attack capability and the compromise level of the hosts. From that, it analyzes the threat to target networks, predicts the next attack action and evaluates the security of the network synthetically. The approach is evaluated with the DARPA 2000 data, and the experiments show that it can predict the next attack actions.
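The host-state attack graph of aspect (1) labels each node with a state probability and a previous-state pointer and reads off the most likely attack path to a goal state. The following added example (not code from the dissertation) does that with a max-product Dijkstra over a constructed six-edge graph; the state names, the success probabilities and the `min_prob` pruning parameter that bounds graph generation are assumptions for illustration.

```python
import heapq
from typing import Dict, List, Optional, Tuple

# Constructed host-state attack graph: (source state, target state, exploit
# success probability). States are "host:privilege"; probabilities are illustrative.
EDGES: List[Tuple[str, str, float]] = [
    ("attacker", "web:user", 0.9),  # remote exploit on the web service
    ("attacker", "web:root", 0.2),  # direct remote-root path, unlikely
    ("web:user", "web:root", 0.6),  # local privilege escalation
    ("web:user", "db:user", 0.5),   # pivot with user-level credentials
    ("web:root", "db:user", 0.7),   # pivot after full host compromise
    ("db:user", "db:root", 0.4),    # escalation on the database host
]


def build_host_state_graph(
    edges: List[Tuple[str, str, float]], start: str, min_prob: float = 0.0
) -> Tuple[Dict[str, float], Dict[str, Optional[str]]]:
    """Label each reachable state with its maximum reachability probability and
    its previous state on that path (max-product Dijkstra). States whose
    probability falls below min_prob are not generated, bounding graph size."""
    adjacency: Dict[str, List[Tuple[str, float]]] = {}
    for src, dst, p in edges:
        adjacency.setdefault(src, []).append((dst, p))
    prob: Dict[str, float] = {start: 1.0}
    prev: Dict[str, Optional[str]] = {start: None}
    heap = [(-1.0, start)]  # negated so heapq pops the most probable state first
    while heap:
        neg_p, state = heapq.heappop(heap)
        if -neg_p < prob[state]:
            continue  # stale entry; a better path to this state was already found
        for nxt, edge_p in adjacency.get(state, []):
            cand = -neg_p * edge_p
            if cand >= min_prob and cand > prob.get(nxt, 0.0):
                prob[nxt] = cand
                prev[nxt] = state
                heapq.heappush(heap, (-cand, nxt))
    return prob, prev


def most_likely_path(prev: Dict[str, Optional[str]], goal: str) -> List[str]:
    """Follow previous-state pointers back from the goal; empty if unreachable."""
    if goal not in prev:
        return []
    path: List[str] = []
    state: Optional[str] = goal
    while state is not None:
        path.append(state)
        state = prev[state]
    return path[::-1]
```

On this graph the three-hop path through web:user and db:user (probability 0.18) beats the four-hop path via web:root (0.1512), and pruning at min_prob=0.3 drops db:root from the generated graph altogether.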
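Aspect (3)'s relative-entropy detector, as an added example that is not taken from the dissertation: the observed per-window distribution of one alert feature (here the signature name) is compared by KL divergence against a reference that mixes the historical trend with an administrator-supplied prior, and a window whose divergence exceeds a threshold is flagged as an abrupt change. The alert values, the mixing weight of 0.7, the smoothing constant and the threshold of 0.5 are constructed assumptions.

```python
import math
from collections import Counter
from typing import Dict, Iterable, List

# Constructed alert feature values (one signature name per alert), standing in
# for an IDS alert flow. Not real data.
HISTORICAL: List[str] = ["web-probe"] * 60 + ["ssh-bruteforce"] * 30 + ["icmp-sweep"] * 10
# Administrator-supplied prior over signatures (assumed weights, constructed).
EXPERT_PRIOR: Dict[str, float] = {
    "web-probe": 0.5, "ssh-bruteforce": 0.3, "icmp-sweep": 0.1, "dos-syn-flood": 0.1,
}
WINDOWS: Dict[str, List[str]] = {
    "t0": ["web-probe"] * 12 + ["ssh-bruteforce"] * 6 + ["icmp-sweep"] * 2,  # usual mix
    "t1": ["dos-syn-flood"] * 18 + ["web-probe"] * 2,                      # abrupt shift
}


def distribution(values: Iterable[str], support: List[str], alpha: float = 0.5) -> Dict[str, float]:
    """Additively smoothed empirical distribution over a fixed support (no zero mass)."""
    counts = Counter(values)
    total = sum(counts.values()) + alpha * len(support)
    return {k: (counts.get(k, 0) + alpha) / total for k in support}


def mixture_reference(historical: Iterable[str], expert: Dict[str, float],
                      support: List[str], weight: float = 0.7) -> Dict[str, float]:
    """Reference = weight * historical trend + (1 - weight) * normalised expert prior."""
    hist = distribution(historical, support)
    z = sum(expert.get(k, 0.0) for k in support) or 1.0
    return {k: weight * hist[k] + (1.0 - weight) * expert.get(k, 0.0) / z for k in support}


def kl_divergence(p: Dict[str, float], q: Dict[str, float]) -> float:
    """KL(P || Q); q is positive wherever p is because the historical part is smoothed."""
    return sum(p[k] * math.log(p[k] / q[k]) for k in p if p[k] > 0.0)


def score_windows(windows: Dict[str, List[str]], historical: List[str],
                  expert: Dict[str, float], threshold: float = 0.5) -> Dict[str, dict]:
    """Score every observation window against the mixture reference."""
    support = sorted(set(historical) | set(expert) | {v for w in windows.values() for v in w})
    reference = mixture_reference(historical, expert, support)
    results: Dict[str, dict] = {}
    for name, alerts in windows.items():
        divergence = kl_divergence(distribution(alerts, support), reference)
        results[name] = {"kl": divergence, "anomalous": divergence > threshold}
    return results
```

Window t0 scores a divergence of roughly 0.003 and stays quiet, while t1, dominated by a signature that is rare in both the history and the prior, scores about 2.4 and is flagged.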
Keywords/Search Tags: Network Security, Vulnerability Assessment, Attack Graph, Certainty Factor, Multi-object Optimization, Genetic Algorithm, Cost Analysis, Alert Flow