Research On The Network Security Threat And Situation Assessment

Posted on: 2009-09-20 | Degree: Doctor | Type: Dissertation
Country: China | Candidate: J Lei | Full Text: PDF
GTID: 1118360275470907 | Subject: Computer system architecture

Abstract/Summary:
Traditional network security techniques have shown their drawbacks in an increasingly complex and severe network security environment. Intrusion detection tools can only deliver alerts based on limited knowledge of attacks, and the alert stream is often poor in quality and easily overwhelming, which makes it very hard to know how much threat the detected attacks pose to the network and which security states the hosts are in. Meanwhile, traditional security assessment approaches cannot assess the real-time security situation. These problems make it very difficult for security operators to know the current security threat and situation using traditional security tools.

Network security threat and situation assessment aims to extract knowledge of the current security threat and situation from the raw security data reported by traditional security tools, using data fusion techniques, and to predict the future security situation from historical security information and the present attacks. This dissertation studies approaches to threat assessment, situation assessment and situation prediction.

The threat of a network attack is determined by six factors: attack severity, attack environment, probability of success, statistical factors, correlation factors and attack effect. Based on this conclusion, a six-step threat assessment framework is proposed. The approach for each step is introduced in the paper and implemented in the SATA (Security Alert and Threat Analysis) system. Qualitative attack hazard gradation and the CVSS mechanism are used in severity assessment. The values of assets and security policies are set to evaluate the environmental factors. A Bayesian network is used to calculate the reliability of the alerts. In statistical assessment, a novel approach is proposed to find the periodicity of alerts based on time series analysis techniques. A language for alert correlation is implemented in the system, and an experiment on qualitative attack effect assessment is introduced.

An HMM (Hidden Markov Model) is used to assess the network security situation. Two problems of this approach, observation event classification and parameter configuration, are solved. For the first, the result of threat assessment is used to classify alerts by their threat scores, which limits the size of the HMM observation matrix and improves the accuracy of observation classification. For the second, a genetic programming algorithm is used. A mechanism for quantitatively evaluating the fitness of a situation assessment result is proposed: a set of risk description rules is defined, and the matching degree between the situation assessment result and the rules is calculated, which determines the fitness of the result. Honeynet alerts are used to construct the risk description rule set. Comparative tests validate the effectiveness of the approach.

Five characteristics of the network situation prediction problem are defined: 1) there is a causal relationship between future attacks and past attacks; 2) different attack types differ in the likelihood of being followed by further attacks; 3) the evidence of future attacks can by itself reflect important information about those attacks; 4) the attack plan can be recognized from the accumulation of evidence; 5) there is a relationship between the evidence of future attacks and the trend of the network situation. Based on these characteristics, an approach to situation prediction is proposed. First, the evidence of future attacks is extracted from IDS alerts according to attack sequence patterns and the predictability of attack types. The predictability of an attack type represents how likely its attacks are to be evidence of future attacks. The attack sequence patterns are generated by a data mining algorithm: the AprioriAll algorithm is modified so that it can calculate the probability of a sequence pattern occurring at the beginning or in the middle of other sequence patterns, which determines the predictability of the attack sequences. Then the future security situation is predicted from the evidence: D-S evidence theory is used for plan recognition, and an HMM between the evidence and the trend of the security situation is constructed to predict the probability distribution of future security states. Experiments with the DARPA data sets show the effectiveness of the approach.
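As an added illustration of the HMM-based situation assessment described in the abstract (this is not code from the dissertation or the SATA system), the forward algorithm below turns a stream of alert threat scores into a belief over three hypothetical security states; the state labels, the threat-score bins and all model parameters are assumed values chosen for illustration.

```python
# Hidden security states being assessed (labels assumed for illustration).
STATES = ("Normal", "Probed", "Compromised")

def classify_alert(threat_score: float) -> int:
    """Map a threat score in [0, 10] to an observation symbol: 0=low, 1=medium,
    2=high. Binning by threat score keeps the HMM observation matrix small."""
    if threat_score < 3.0:
        return 0
    if threat_score < 7.0:
        return 1
    return 2

# Constructed model parameters. The dissertation tunes these by genetic
# programming; here they are fixed, plausible values chosen by hand.
INITIAL = [0.90, 0.08, 0.02]          # P(state) before any alert
TRANSITION = [                        # P(next state | state), one row per state
    [0.90, 0.08, 0.02],               # Normal
    [0.20, 0.60, 0.20],               # Probed
    [0.05, 0.15, 0.80],               # Compromised
]
EMISSION = [                          # P(low, medium, high | state), one row per state
    [0.80, 0.15, 0.05],               # Normal
    [0.30, 0.50, 0.20],               # Probed
    [0.10, 0.30, 0.60],               # Compromised
]

def assess_situation(threat_scores: list[float]) -> list[list[float]]:
    """Forward algorithm: the normalised belief over STATES after each alert,
    i.e. the assessed security situation at every step of the alert stream."""
    n = len(STATES)
    beliefs, prev = [], None
    for score in threat_scores:
        o = classify_alert(score)
        if prev is None:
            alpha = [INITIAL[s] * EMISSION[s][o] for s in range(n)]
        else:
            alpha = [sum(prev[i] * TRANSITION[i][s] for i in range(n)) * EMISSION[s][o]
                     for s in range(n)]
        total = sum(alpha)            # normalise each step to avoid underflow
        prev = [a / total for a in alpha]
        beliefs.append(prev)
    return beliefs

def most_likely_state(belief: list[float]) -> str:
    return STATES[max(range(len(STATES)), key=lambda s: belief[s])]

if __name__ == "__main__":
    # Constructed threat scores: quiet traffic, then scanning, then exploitation.
    scores = [1.0, 2.0, 5.5, 6.0, 8.5, 9.0]
    for score, belief in zip(scores, assess_situation(scores)):
        print(f"{score:4.1f} -> {most_likely_state(belief):11s} {[round(b, 3) for b in belief]}")
```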
Keywords/Search Tags: threat assessment, situation assessment, situation prediction, HMM, genetic programming, data mining, predictability