
Research On Some Key Technologies For Heterogeneous Sensors-Based Network Security Situation Awareness

Posted on: 2010-01-02
Degree: Doctor
Type: Dissertation
Country: China
Candidate: J B Lai
Full Text: PDF
GTID: 1118360302987116
Subject: Computer application technology
Abstract/Summary:
With the rapid development of global informatization and people's increasing dependence on networks, the network has become an indispensable part of many domains, including social life, economic activity and the military. However, traditional single-point heterogeneous security defense technologies such as IDS, firewalls and VDS can enhance the security of a network system only to a certain degree: the lack of effective collaboration among them makes it impossible to monitor the security situation of the whole network. Under these circumstances, the study of security situation awareness for large-scale complex networks has been put forward to fuse the security components of different security domains into a seamless security system.

At present, research on network security situation awareness (NSSA) is still in its infancy, and many technical problems remain. Combined with the specific requirements of the project, the system architecture, situation element extraction, quantitative situation evaluation, dynamic situation prediction and situation visualization need to be solved. To this end, an overall solution for a network security situation awareness system (NSSAS) is proposed, and the core technologies, consisting of security situation element extraction, situation evaluation and situation prediction, are studied in depth in this dissertation. The work offers a theoretical basis and technical reference for advancing the project.

Firstly, combined with the application requirements, a multi-sensor-based NSSA system architecture is studied using the idea of 'distributed acquisition, multi-domain processing', and the corresponding ring physical architecture and hierarchical conceptual model of NSSAS are put forward. The architecture of NSSAS is composed of three levels, from bottom to top: the information acquisition level, the element extraction level and the situation decision-making level. The modules of every level are designed in detail, and an XML format for multi-source heterogeneous security information is given. The multi-sensor NSSAS architecture is an open and extensible ring architecture that reduces implementation complexity and avoids the single-point-of-failure problem. At the same time, it clearly describes the relationships among levels and components and guides the development of engineering practice and key technologies.

Secondly, in order to fuse multi-source heterogeneous security information and extract security element information about the whole network, a network security situation element extraction method based on Dissimilarity Computing (DSimC) and Exponentially Weighted DS Evidence Theory (EWDS) is studied. The method has two phases: multi-source alert clustering and alert fusion. First, a multi-source alert clustering method is put forward that judges the dissimilarity among alerts by computing the dissimilarity of their different characteristics. Then a multi-source alert fusion method based on EWDS is proposed, which fuses evidence from different sources to identify intrusion attack behaviors. Experimental results indicate that the proposed method performs well in True Positive Rate (TPR), False Positive Rate (FPR) and Data to Information Rate (DIR), remarkably reduces the number of alerts, enhances detection performance, and supplies data sources for network security situation evaluation and prediction.

Thirdly, from the viewpoint of attack-defense confrontation, a quantitative network security situation evaluation method based on an improved analytic hierarchy process (IAHP) is studied. The corresponding quantitative security situation computation methods at the service, host and network levels are given, and interval matrices are adopted to denote the comparative results between indices according to their different importance. An automatic consistency tuning algorithm is studied, which automatically judges the interval matrix, tunes it when it is inconsistent, and produces the appropriate weights, which are used directly in the quantitative network security situation evaluation model. Experimental results show that the proposed evaluation method intuitively provides a more objective network security situation at the service, host and network levels and eases the data analysis burden on security administrators, who can then adjust system security policies in a timely manner.

Finally, in order to predict the security situation more accurately, a quantitative network security situation prediction method based on a Wavelet Neural Network with Genetic Algorithm (GAWNN) is studied. After analyzing the past and current network security situation in detail, we build a network security situation prediction model based on a wavelet neural network that is optimized by an improved genetic algorithm (improved in coding, fitness computation and genetic operation, etc.), and then adopt the GAWNN to forecast the non-linear time series of the network security situation. Simulation experiments show that the proposed method has advantages over the Wavelet Neural Network (WNN) and Back Propagation Neural Network (BPNN) methods with the same architecture in convergence speed, function approximation and prediction accuracy. Moreover, the system security tendency and its laws are revealed from the prediction result as early as possible, so that security analysts and administrators can adjust security policies in real time.
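The two-phase element extraction described above (dissimilarity-based alert clustering, then evidence fusion with exponentially decaying weights) can be illustrated with the following added example. It is not the dissertation's DSimC/EWDS code; the attribute weights, the half-life decay rule used as the exponential weight, the cluster threshold, the decision threshold and the four sample alerts are all constructed for this illustration. Each sensor contributes a basic probability assignment over the frame {attack, benign}, older evidence is discounted towards "uncertain", and Dempster's rule combines the alerts of one cluster into a single situation element.

```python
# Added example (not the dissertation's implementation): alert clustering by
# attribute dissimilarity, then Dempster-Shafer fusion with exponentially
# decaying evidence weights. All weights/thresholds below are assumptions.

ATTR_WEIGHTS = {"src": 0.3, "dst": 0.3, "dport": 0.2, "t": 0.2}  # assumed
TIME_WINDOW = 60.0        # seconds over which time dissimilarity grows to 1 (assumed)
CLUSTER_THRESHOLD = 0.3   # alerts closer than this are treated as one event (assumed)
ATTACK, BENIGN = frozenset({"attack"}), frozenset({"benign"})
THETA = ATTACK | BENIGN   # frame of discernment {attack, benign}

# Constructed sample alerts from three heterogeneous sensors (not real data).
# "m" is the sensor's own basic probability assignment; the rest goes to THETA.
ALERTS = [
    {"sensor": "ids", "src": "10.0.0.5", "dst": "10.0.1.20", "dport": 445, "t": 110,
     "m": {"attack": 0.7, "benign": 0.1}},
    {"sensor": "firewall", "src": "10.0.0.5", "dst": "10.0.1.20", "dport": 445, "t": 100,
     "m": {"attack": 0.5, "benign": 0.2}},
    {"sensor": "vds", "src": "10.0.0.5", "dst": "10.0.1.20", "dport": 445, "t": 90,
     "m": {"attack": 0.4, "benign": 0.1}},
    {"sensor": "ids", "src": "192.168.3.9", "dst": "10.0.1.21", "dport": 80, "t": 105,
     "m": {"attack": 0.3, "benign": 0.6}},
]


def ip_dissimilarity(a, b):
    """Fraction of differing octets between two dotted-quad IPv4 addresses."""
    return sum(x != y for x, y in zip(a.split("."), b.split("."))) / 4.0


def dissimilarity(a, b):
    """Weighted sum of per-attribute dissimilarities, in [0, 1]."""
    parts = {
        "src": ip_dissimilarity(a["src"], b["src"]),
        "dst": ip_dissimilarity(a["dst"], b["dst"]),
        "dport": 0.0 if a["dport"] == b["dport"] else 1.0,
        "t": min(1.0, abs(a["t"] - b["t"]) / TIME_WINDOW),
    }
    return sum(ATTR_WEIGHTS[k] * v for k, v in parts.items())


def cluster_alerts(alerts, threshold=CLUSTER_THRESHOLD):
    """Greedy clustering: join the first cluster whose seed alert is similar enough."""
    clusters = []
    for alert in alerts:
        for cluster in clusters:
            if dissimilarity(cluster[0], alert) < threshold:
                cluster.append(alert)
                break
        else:
            clusters.append([alert])
    return clusters


def discount(bpa, weight):
    """Shafer discounting: scale committed mass by `weight`, move the rest to THETA."""
    m = {ATTACK: weight * bpa["attack"], BENIGN: weight * bpa["benign"]}
    m[THETA] = 1.0 - m[ATTACK] - m[BENIGN]
    return m


def combine(m1, m2):
    """Dempster's rule of combination; focal elements are frozensets."""
    out, conflict = {}, 0.0
    for a, pa in m1.items():
        for b, pb in m2.items():
            inter = a & b
            if inter:
                out[inter] = out.get(inter, 0.0) + pa * pb
            else:
                conflict += pa * pb          # mass on disjoint hypotheses
    if conflict >= 1.0:
        raise ValueError("sources are in total conflict")
    return {k: v / (1.0 - conflict) for k, v in out.items()}


def fuse_cluster(cluster, now, half_life=10.0):
    """Fuse one cluster; evidence weight halves every `half_life` seconds (assumed rule)."""
    fused = None
    for alert in cluster:
        weight = 0.5 ** ((now - alert["t"]) / half_life)
        m = discount(alert["m"], weight)
        fused = m if fused is None else combine(fused, m)
    bel_attack = fused.get(ATTACK, 0.0)
    return {"attack": bel_attack, "benign": fused.get(BENIGN, 0.0),
            "uncertain": fused.get(THETA, 0.0),
            "plausibility_attack": bel_attack + fused.get(THETA, 0.0)}


def extract_elements(alerts, now, attack_belief=0.6):
    """One situation element per cluster, with the fused verdict."""
    elements = []
    for cluster in cluster_alerts(alerts):
        fused = fuse_cluster(cluster, now)
        elements.append({"src": cluster[0]["src"], "dst": cluster[0]["dst"],
                         "dport": cluster[0]["dport"], "n_alerts": len(cluster),
                         "sensors": sorted({a["sensor"] for a in cluster}),
                         "is_attack": fused["attack"] > attack_belief, **fused})
    return elements


if __name__ == "__main__":
    for element in extract_elements(ALERTS, now=110):
        print(element)
```

With the constructed input, the three alerts on 10.0.0.5 -> 10.0.1.20:445 collapse into one element whose belief in "attack" is about 0.77 (three alerts become one, which is the DIR effect the abstract mentions), while the single HTTP alert stays a separate, benign-leaning element. Raising the half-life makes old sensor evidence count for more; lowering it pushes stale evidence towards "uncertain".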
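The hierarchical evaluation described for the IAHP method (service-level values aggregated to host level, host-level values to network level, with a consistency check on the comparison matrix before its weights are used) is illustrated by the following added example. It is not the dissertation's IAHP; it uses ordinary point-valued pairwise comparison matrices rather than interval matrices, computes weights as the principal eigenvector by power iteration, and rejects (rather than automatically tunes) a matrix whose consistency ratio exceeds the conventional 0.1 limit. The random-index table is Saaty's; the hosts, services, index values (0 = secure, 1 = critical) and matrices are constructed for the illustration.

```python
# Added example (not the dissertation's IAHP): AHP weights by power iteration,
# Saaty consistency ratio, and three-level (service -> host -> network)
# aggregation of constructed situation values.

# Saaty's random consistency index RI by matrix order n.
RANDOM_INDEX = {1: 0.0, 2: 0.0, 3: 0.58, 4: 0.90, 5: 1.12, 6: 1.24, 7: 1.32, 8: 1.41, 9: 1.45}
CR_LIMIT = 0.1  # conventional acceptability threshold for the consistency ratio


def check_reciprocal(matrix, tol=1e-9):
    """A pairwise comparison matrix must have a_ii = 1 and a_ij * a_ji = 1."""
    n = len(matrix)
    for i in range(n):
        if len(matrix[i]) != n or abs(matrix[i][i] - 1.0) > tol:
            raise ValueError("matrix is not square with unit diagonal")
        for j in range(n):
            if abs(matrix[i][j] * matrix[j][i] - 1.0) > tol:
                raise ValueError(f"entries ({i},{j}) and ({j},{i}) are not reciprocal")


def ahp_weights(matrix, iters=200):
    """Return (weights, lambda_max): principal eigenvector and eigenvalue by power iteration."""
    check_reciprocal(matrix)
    n = len(matrix)
    w = [1.0 / n] * n
    for _ in range(iters):
        aw = [sum(matrix[i][j] * w[j] for j in range(n)) for i in range(n)]
        total = sum(aw)
        w = [x / total for x in aw]
    aw = [sum(matrix[i][j] * w[j] for j in range(n)) for i in range(n)]
    lam_max = sum(aw[i] / w[i] for i in range(n)) / n
    return w, lam_max


def consistency_ratio(matrix):
    """CR = CI / RI with CI = (lambda_max - n) / (n - 1); orders 1 and 2 are always consistent."""
    n = len(matrix)
    _, lam_max = ahp_weights(matrix)
    if n <= 2:
        return 0.0
    return ((lam_max - n) / (n - 1)) / RANDOM_INDEX[n]


def weighted_situation(values, matrix):
    """Aggregate child situation values with AHP weights; refuse an inconsistent matrix."""
    cr = consistency_ratio(matrix)
    if cr > CR_LIMIT:
        raise ValueError(f"comparison matrix inconsistent (CR={cr:.3f} > {CR_LIMIT})")
    w, _ = ahp_weights(matrix)
    return sum(wi * vi for wi, vi in zip(w, values))


# Constructed hierarchy: per-host service situation values and the pairwise
# importance matrices used at each level (assumed numbers, not measured data).
NETWORK = {
    "web01": {"values": {"http": 0.8, "ssh": 0.2, "smtp": 0.1},
              "matrix": [[1, 5 / 3, 2.5], [0.6, 1, 1.5], [0.4, 2 / 3, 1]]},
    "db01": {"values": {"mysql": 0.6, "ssh": 0.3},
             "matrix": [[1, 3], [1 / 3, 1]]},
}
HOST_MATRIX = [[1, 1], [1, 1]]  # both hosts judged equally important


def evaluate_network(network=NETWORK, host_matrix=HOST_MATRIX):
    """Service-level values -> host-level situation -> network-level situation."""
    host_values = {}
    for host, spec in network.items():
        host_values[host] = weighted_situation(list(spec["values"].values()), spec["matrix"])
    network_value = weighted_situation(list(host_values.values()), host_matrix)
    return host_values, network_value


if __name__ == "__main__":
    hosts, net = evaluate_network()
    print("host-level:", hosts)
    print("network-level:", round(net, 4))
    # An intransitive judgement (A > B, B > C, C > A) is caught before its weights are used.
    print("CR of a cyclic matrix:", round(consistency_ratio([[1, 3, 0.2], [1 / 3, 1, 3], [5, 1 / 3, 1]]), 3))
```

The web01 matrix is perfectly consistent (every entry is a ratio of the weights 0.5, 0.3, 0.2), so lambda_max equals 3 and CR is 0; the cyclic matrix in `__main__` has a CR well above 0.1 and is rejected, which is the situation the abstract's automatic tuning step is designed to repair instead of rejecting.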
Keywords/Search Tags: Network security, Situation awareness, Element extraction, Situation evaluation, Situation prediction