
Research On Key Issues In Network Security Situation Awareness

Posted on: 2008-08-18
Degree: Doctor
Type: Dissertation
Country: China
Candidate: W Hu
Full Text: PDF
GTID: 1118360242976147
Subject: Communication and Information System
Abstract/Summary:
With the rapid development of information technology and the prevalence of the Internet, researchers have agreed on the importance of information security. To protect information and infrastructure, large-scale investigation of Network Situational Awareness (NSA) is necessary: it can improve emergency response capability, reduce the damage caused by network attacks, uncover underlying malicious activity and enhance the ability to counter attacks.

As an emerging and promising technique, NSA does not yet have a unified standard, but some common understanding has been reached. Acquiring NSA is a process of merging, combining and fusing low-level security events, extracting the information of interest and presenting the results visually. From the visual analysis, the current status and trend of the real network security situation can be obtained and effective measures taken. Hence, using data fusion to enhance the detection performance of low-level equipment and building an accurate and effective situation evaluation system have become important research directions.

The index system of NSA originates from the fusion of security events captured by multiple intrusion detection (ID) systems, so the capability of NSA depends on the accuracy and efficiency of the ID systems. Building on the Dempster-Shafer evidence theory widely applied in event detection, its uncertainty assignment rule and its evidence combination theory, this dissertation combines identity reasoning with detection results from multiple sensors, introduces the definitions of Subjective Uncertainty and Objective Uncertainty, and proposes a spatial combination rule and an uncertainty reassignment rule to eliminate the detection blind zone and improve detection accuracy.
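As an added example that is not part of the dissertation, the following Python code applies the classical Dempster rule of combination to detection reports from two IDS sensors, returning the fused mass function together with the conflict mass K that an analyst should watch; the dissertation's own spatial combination rule and uncertainty reassignment rule are not reproduced. The two-element frame of discernment, the sensor mass values and the function names are constructed for illustration.

```python
from itertools import product

# Frame of discernment: an observed flow is either a real attack or normal.
ATTACK = frozenset({"attack"})
NORMAL = frozenset({"normal"})
THETA = ATTACK | NORMAL  # total ignorance: the sensor cannot tell

def combine(m1, m2):
    """Dempster's rule of combination for two mass functions.

    m1 and m2 map frozenset hypotheses to masses that sum to 1.
    Returns (fused mass function, conflict K); K near 1 means the sensors
    contradict each other and the fused result should not be trusted."""
    fused, conflict = {}, 0.0
    for (b, mb), (c, mc) in product(m1.items(), m2.items()):
        inter = b & c
        if inter:
            fused[inter] = fused.get(inter, 0.0) + mb * mc
        else:
            conflict += mb * mc  # mass landing on disjoint hypotheses
    if conflict >= 1.0:
        raise ValueError("total conflict: Dempster's rule is undefined")
    return {h: v / (1.0 - conflict) for h, v in fused.items()}, conflict

def fuse_sensors(masses):
    """Fold Dempster's rule over any number of sensor reports and keep the
    largest conflict seen, as a warning signal for the analyst."""
    acc, worst = masses[0], 0.0
    for m in masses[1:]:
        acc, k = combine(acc, m)
        worst = max(worst, k)
    return acc, worst

def belief(m, h):
    """Bel(h): mass committed to h and its subsets."""
    return sum(v for s, v in m.items() if s <= h)

def plausibility(m, h):
    """Pl(h): mass not committed against h."""
    return sum(v for s, v in m.items() if s & h)

# Constructed sample: two IDS sensors reporting on the same flow.
SENSOR_A = {ATTACK: 0.6, NORMAL: 0.1, THETA: 0.3}
SENSOR_B = {ATTACK: 0.5, NORMAL: 0.2, THETA: 0.3}

if __name__ == "__main__":
    m, k = fuse_sensors([SENSOR_A, SENSOR_B])
    print(f"conflict K={k:.3f}")
    for h in (ATTACK, NORMAL, THETA):
        print(sorted(h), f"m={m[h]:.4f} Bel={belief(m, h):.4f} Pl={plausibility(m, h):.4f}")
```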
Furthermore, to address how anomalies are distinguished when selecting flow indices, unsupervised learning is introduced to evaluate feature selection optimally; the conclusion is that flow statistics features can differentiate flow status. This evaluation provides the theoretical basis for the proposed fusion detection method.

Research on NSA focuses on real-time security situation evaluation. The risk index is usually adopted as the evaluation index, and the scheme is implemented by dividing the network into a hierarchy, applying simple weighted coefficients and fusing the low-level risk. The purpose is to acquire objective and general evaluation results and to eliminate the deficiencies in the assignment of weighted coefficients. On the basis of a deep analysis of the network hierarchy, the Analytic Hierarchy Process (AHP) is employed for the whole situation analysis, with the service level, host level and network level corresponding to the scheme level, index level and target level of AHP, respectively. Several concepts, such as Situation Meta, Situation Weight and Situation Base, are introduced to standardize situation evaluation. The process is summarized with an example of how to construct the pairwise comparison matrix, adopt the risk index of a service as the situation base and obtain the evaluation results. Simulation results prove the scheme feasible, and the scheme can be extended.

Different understandings of the Network Security Situation (NSS) among research organizations and the absence of an NSA standard lead to diversity in how NSA is acquired. As a classical model in the conventional SA field, the Endsley situation model provides standard data processing and situation extraction, yet the model is seldom employed for NSS. At the same time, earlier research focuses on the framework design of situation evaluation without addressing NSS modeling.
An NSS model and situation extraction framework based on the Endsley model is proposed, which combines incident frequency, incident time and incident space into a fine-grained multi-dimensional structure. Three important knowledge bases, referred to as situation extraction assistance, can be employed to implement secondary analysis over the temporal and spatial factors, to extract the information of interest and to aid decisions. Evaluating the scheme on data captured in a HoneyNet and the SJTU campus network yields effective and explicit visual graphics for the convenience of analysis and management; in particular, the details of lower-severity attacks are emphasized while the situation variation of higher-severity attacks is highlighted.

The whole of NSA can be divided into three phases: situation perception (event detection), situation evaluation and situation prediction, but earlier research mainly concentrates on the former two. The strong randomness and uncertainty of network intrusions and attacks make the acquired situation variation a complicated non-linear process and restrict the use of conventional models. The conventional grey Verhulst model is improved on the observation that the 1-AGO curve of the situation risk value is an S-shaped curve. In the proposed grey Verhulst model with adaptive parameters and equal-dimension grey filling, the parameters are adjusted dynamically according to the variation of the 1-AGO curve. Without increasing the computational complexity, the equal-dimension grey filling method overcomes the defect of conventional prediction schemes, which fail to update in real time as the curve tendency changes. Simulation results prove that precision is efficiently improved compared with the traditional GM(1,1) and grey Verhulst models.

Finally, on the basis of a summary of the research work, the further development of NSA is discussed.
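As an added example that is not part of the dissertation, the following Python code fits the conventional grey Verhulst model to a constructed sequence of situation risk values through its 1-AGO curve, restores a forecast from the time-response function, and shows the equal-dimension grey filling step (forecast one point, append it, drop the oldest, refit); the adaptive parameter adjustment proposed in the dissertation is not reproduced. The risk values and function names are constructed for illustration.

```python
import math

def ago(x0):
    """1-AGO: first-order accumulated generating operation (running sum)."""
    out, total = [], 0.0
    for v in x0:
        total += v
        out.append(total)
    return out

def fit_verhulst(x0):
    """Least-squares estimate of (a, b) in x0(k) + a*z1(k) = b*z1(k)^2,
    where z1(k) is the mean of adjacent 1-AGO points (background value)."""
    x1 = ago(x0)
    z = [0.5 * (x1[k] + x1[k - 1]) for k in range(1, len(x1))]
    y = x0[1:]
    # Normal equations of B = [[-z, z^2]] against y, solved as a 2x2 system.
    s2, s3, s4 = (sum(v ** p for v in z) for p in (2, 3, 4))
    t1 = -sum(v * w for v, w in zip(z, y))
    t2 = sum(v * v * w for v, w in zip(z, y))
    det = s2 * s4 - s3 * s3
    if det == 0:
        raise ValueError("degenerate series: grey Verhulst fit undefined")
    return (t1 * s4 + s3 * t2) / det, (s2 * t2 + s3 * t1) / det

def predict_verhulst(x0, steps):
    """Restored forecast of the next `steps` risk values from the time
    response x1_hat(k+1) = a*x0(1) / (b*x0(1) + (a - b*x0(1)) * e^(a*k))."""
    a, b = fit_verhulst(x0)
    c = x0[0]  # x1(1) == x0(1), so k = 0 reproduces the first point exactly
    def x1_hat(k):
        return a * c / (b * c + (a - b * c) * math.exp(a * k))
    return [x1_hat(k + 1) - x1_hat(k) for k in range(len(x0) - 1, len(x0) - 1 + steps)]

def equal_dimension_forecast(x0, steps):
    """Equal-dimension grey filling: forecast one point, append it, drop the
    oldest point so the window keeps its size, refit and repeat."""
    window, out = list(x0), []
    for _ in range(steps):
        nxt = predict_verhulst(window, 1)[0]
        out.append(nxt)
        window = window[1:] + [nxt]
    return out

# Constructed risk values whose 1-AGO [1, 3, 6, 8, 9] rises in an S shape.
RISK = [1.0, 2.0, 3.0, 2.0, 1.0]

if __name__ == "__main__":
    print("a, b =", fit_verhulst(RISK))
    print("equal-dimension 3-step forecast:", equal_dimension_forecast(RISK, 3))
```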
We present the application of Time Series Analysis to future research on NSA, and propose that Rough Sets Theory can be used to predict future situation variation qualitatively.
Keywords/Search Tags: Information Security, Multi-Sensor Data Fusion, Information Fusion, Network Situational Awareness, Analytic Hierarchy Process, Situational Model, Grey Theory, Grey Verhulst Model, Situation Prediction