
The Research On Network Security Situation Analysis And Survivability Assessment

Posted on: 2009-11-20
Degree: Doctor
Type: Dissertation
Country: China
Candidate: M X Liu
Full Text: PDF
GTID: 1118360275978441
Subject: Control theory and control engineering
Abstract/Summary:
The concept of Situation Awareness (SA) originated in human-factors research in aviation. It was later widely used in military fields, nuclear reaction control, air traffic control and medical emergency scheduling. SA has become a research hotspot: to make more rational decisions, decision-makers need SA tools that show the continuous change in a dynamic and complex situation. Recently, SA has been applied to network security, where it is called Network Security Situation Awareness (NSSA).

Currently, network security administrators manually sort through alerts from intrusion detection systems, firewalls, anti-virus software and scanners to obtain a high-level description of cyber attacks. Because the alerts are numerous and unrelated, administrators cannot grasp the security threat situation of the system and therefore cannot adopt appropriate measures in time. NSSA can resolve this problem effectively. A network security situation function model is presented, based on the three-level SA model. The dissertation follows this line: input of multi-source alert information → alert refinement → output of the network security situation → survivability assessment after attacks. This work gives administrators a high-level, comprehensible view of the current network situation, from alert occurrence to attack analysis and from situation output to survivability assessment. To realize the model, the dissertation carries out research in three areas.

First, multi-source data correlation is studied. ECPN (Extended Colored Petri Net), formed by adding an observed set to CPN to describe alert information from security tools, is described formally and modeled graphically. The ECPN-Scenario-Constructor and Multistep-Abstract algorithms are then proposed based on ECPN. Finally, experimental results on the DARPA 2000 intrusion scenario correlation benchmark data set show that alerts are correlated effectively, that the attacker's attack policy can be found early, and that false positive and false negative alerts can be reduced.

Then, NSSA based on data fusion is discussed. Network security situation analysis and its roles in security risk assessment are described, and a formal description of cyberspace situational awareness is presented in terms of the refinement of situation characteristics, comprehension of the current situation and projection of the next behavior. D-S evidence theory is used to fuse network security situation elements in the landscape and portrait orientations. Landscape-orientation fusion resolves the problem of alert overload and increases the reliability of attack. The result of landscape-orientation fusion is the input to portrait fusion, which correlates multi-step complex attacks through a correlation algorithm. A Petri net is used to describe the state transitions of the system when an attack occurs. The current security situation is analyzed from the occurrence of attack events.

Finally, network survivability after an attack is assessed. Network survivability is used to project the next security situation. An object-oriented Petri net is used for the formal description and modeling of the network system. An attack failure model is then established, and the transformation of system state in the presence of an attack is described by fuzzy inference. Next, value parameters are presented based on the quantification of attack severity level and service level. Lastly, PCTL (Probabilistic real time Computation Tree Logic) is used to describe the survivability formula, and a model checking algorithm is used to estimate survivability.
Keywords/Search Tags:Network security, Security situation, Situation assessment, Situation analysis, Survivability, Petri net