Applications Of Fuzzy Cognition And Correlative Fusion In Information Security Assurance

Posted on: 2009-07-19
Degree: Doctor
Type: Dissertation
Country: China
Candidate: Z B Lv
GTID: 1118360272465578
Subject: Computer application technology

Abstract/Summary:
Because of the pervasive uncertainties in a network information security system and the environment in which it operates, constructing and improving a network information security assurance architecture is a complicated systems engineering task. Because there are numerous uncertain factors with complex correlative relations among them, some key security problems are difficult to solve with traditional approaches, such as general analysis and quantitative evaluation of system security risk, alert fusion and correlation for intrusion detection and monitoring systems, and security situation assessment of network information systems.

Based on the actual project background of a dynamic network information security assurance system, and financially supported by several related programs, this dissertation focuses on the ambiguity of system cognition and inference and the complexity of correlative relations. It studies fuzzy cognition and correlative fusion approaches and their applications to risk evaluation, alert correlation, and security situation assessment, in order to provide theoretical and technical support for the actual project. The main contributions and innovations of this dissertation are as follows:

1. Fuzzy Cognitive Maps based on Correlative Fusion: To eliminate the drawbacks of the existing FCM models, the OWA/WOWA operator families are introduced into the FCM to represent the various certain or fuzzy AND/OR relations, and two frameworks named OWA-FCM and WOWA-FCM are constructed. Furthermore, the OWA-PFCM model and the HFCM model are proposed under these frameworks. The OWA-PFCM can effectively represent uncertainties of node states, uncertainties of causal relationships, and uncertainties of AND/OR relations, and therefore has more powerful and agile simulation performance. The HFCM enhances the linguistic information and simulation capability of the traditional FCM, avoids the combinatorial rule explosion problem, and improves the representation and inference performance. The HFCM combines the advantages of numeric FCM and linguistic FCM.

2. Hierarchical Network Risk Evaluation based on Fuzzy Correlative Fusion: A framework of information security assurance architecture for risk analysis and evaluation is established. To improve the efficiency and effectiveness of vulnerability scanning, a level-by-level scan strategy based on information hierarchy is presented. To address the uncertainty and subjectivity in network risk evaluation, the ambiguity and complexity of relations among the factors, and the difficulty of acquiring the correlative fusion weights of attributes in practice, a hierarchical risk evaluation model based on Shapley entropies and Choquet integrals is proposed. By introducing the Shapley value concept of n-person cooperative game theory into the assessment model, this approach solves the information security risk evaluation problem under poor information conditions by using the analytic hierarchy process with Choquet integrals from bottom to top, based on the maximum Shapley entropy principle. The effectiveness of the proposed approach is verified via an actual information security risk evaluation for four subnets of an intranet.

3. Intrusion Alert Correlative Fusion based on Fuzzy Cognition: To solve the problems in network distributed IDS, a fuzzy intrusion alert fusion and correlation framework based on attack intention analysis and cause-effect cognition is presented. The framework consists of alert normalization, alert aggregation, alert verification, and alert correlation, which simplifies the conventional intrusion alert correlation process and provides better adaptability. An alert aggregation algorithm based on characteristic attribute similarity, an alert verification algorithm based on environmental attribute relativity, and an alert correlation approach for multi-stage attacks based on WOWA-FCM are proposed. Under the WOWA-FCM model, the proposed approaches are able not only to reduce the number of alerts and improve the alert quality remarkably, but also to recognize the individual stages of a multi-stage attack, construct the whole attack scenario, and dynamically evaluate the global attack process and the security states of the target system. The effectiveness of the approach and model is verified by experimental results on the DARPA 2000 LLDOS dataset.

4. Network Security Situation Assessment oriented to Intrusion Response Decision-making: For the practical purposes of network intrusion response decision-making and security management, a hierarchical network situation assessment framework is constructed. A WOWA-FAHP approach and a network security situation assessment model based on WOWA-FAHP are proposed. Besides preserving the merits of the FAHP, the WOWA-FAHP approach takes into account both objective and subjective associations among the attributes, and is able to adapt to various decision preferences. The assessment model based on WOWA-FAHP combines static and dynamic assessments; utilizes multiple information sources, such as system security risk evaluation, intrusion alert fusion and correlation, anomaly monitoring, and security audit; considers multiple aspects, such as intrusion alerts, anomalies, vulnerabilities, and attack effects; and handles the complex relations with the WOWA-FAHP approach according to different security policies. The effectiveness of the approach and model is illustrated via a security situation assessment example for a network application service system.

Keywords/Search Tags: Fuzzy Cognition, Correlative Fusion, Risk Evaluation, Alert Correlation, Security Situation Assessment