
Research On Early-warning Technologies Based On Network Security Situation Awareness

Posted on: 2010-05-03
Degree: Doctor
Type: Dissertation
Country: China
Candidate: W T Zhao
Full Text: PDF
GTID: 1118360305473630
Subject: Computer Science and Technology
Abstract/Summary:
Early discovery of and defense against attacks on cyberspace cannot rely solely on traditional security protection technologies such as authentication, trusted computing, firewalls and intrusion detection. By monitoring and recognizing intrusion attempts and actions across large-scale networks, early-warning technology based on security situational awareness can obtain a more accurate description of threatening behaviour and a more comprehensive, timely evaluation of the network's security status, and can attempt to forecast the number and the spatio-temporal characteristics of attacks before they occur or cause serious consequences, so that corresponding defensive measures can be taken in advance to strengthen network security. Research on early-warning systems for large-scale networks is therefore important for improving the response capability of network systems, mitigating the damage caused by network attacks, and enhancing the ability of network systems to counter attacks.

This thesis studies the technologies related to early-warning systems based on network security situational awareness: the architecture of early-warning systems, the security situational knowledge model, measurement technology for security situational awareness, active learning for security early-warning systems, and attack early-warning technology. The main work and contributions of the thesis are summarized as follows:

1. The architecture of the early-warning system, including its composition, operating mode and process, was analyzed. We point out that the flow of data processing in the early-warning system is an abstraction process at three levels: data, information and knowledge. To meet the requirements of early warning, the thesis improves the IDMEF data model, designs a network security situational knowledge model, and defines an associated description language.

2. The sensing methods, deployment model and optimization of situational sensors in the early-warning system were studied. Using active and passive measurement technologies, the situational sensors collect situational awareness information such as performance data, topology data and security event data. Optimized deployment of the situational sensors is one of the essential factors in building an early-warning system with good performance. To obtain as much situational information as possible while deploying as few situational sensors as possible, the deployment model and the optimization algorithms for situational sensors under different sensing methods were studied.

3. A new strategy for measuring network path traffic, named COPP, was proposed. Among security situational information, traffic is important data describing network performance and also an important indicator for measuring worms, denial-of-service attacks and the like. But when there is no privilege to obtain traffic data on the network nodes themselves, carrying out a valid traffic measurement becomes one of the problems the early-warning system has to solve. The COPP strategy uses the information carried by probe packets, combining packet pairs with the self-induced congestion principle: by examining the one-way delay and its pattern of variation, the relationship between the sending rate and the available bandwidth can be obtained. At the same time, according to how strongly a packet disturbs its neighbouring packet pairs, COPP assigns different weights to the corresponding converted bandwidth, so that better measurement accuracy is obtained at lower cost. Simulation results show that COPP performs better than traditional methods in cost, accuracy, stability and sensitivity to changes in network status.

4. An assessment method based on the network security situational graph was proposed. We analyzed the concept of situational assessment in the military domain and gave a definition of network security situational assessment, including the problem description, functional model and reasoning framework of the assessment. We presented a honeypot-based framework for network security situational assessment and an assessment method based on the network security situational graph. The method constructs the network security situational graph with a generating algorithm, introducing the concepts of attack reliability and severity, and uses the security situational knowledge base to assess combined attacks dynamically. It can exhibit the whole attack process: not only showing dynamically how an intrusion threatens the target system, but also quantitatively predicting the latent threat of attacks. Tests on the DARPA LLDOS1.0 dataset confirmed the validity of the proposed method.

5. For security situational information acquisition, a committee-based misclassification sampling active learning algorithm and a scalable active learning algorithm based on graph constraints and pre-clustering were proposed. Attack and normal states are important content in security situational information acquisition, and constructing the network security situational knowledge base depends on the quality and speed of knowledge acquisition, where machine learning has advantages over human participation. Obtaining high-quality labeled historical data is a key technology for network security situational information acquisition, and the thesis employs active learning to reduce the labeling cost. Instance selection is a key problem in active learning. Since the underlying assumption may not hold in early-warning systems, a committee-based misclassification instance selection algorithm was proposed. Moreover, since current machine learning methods ignore the distribution of unlabeled instances, we combine active learning with semi-supervised learning and propose a scalable active learning algorithm based on graph constraints and pre-clustering. Experiments show that both proposed algorithms reach the target accuracy at lower labeling cost than the traditional random sampling, uncertainty sampling and QBC sampling algorithms.

6. Also for security situational information acquisition, a cost-sensitive active learning algorithm based on misclassification cost minimization was proposed. Misclassification cost is a key criterion when machine learning is used for network security situational acquisition; traditional machine learning methods focus only on accuracy, and traditional active learning methods only on labeling cost. The proposed cost-sensitive active learning algorithm optimizes the learning engine with a cost-sensitive method to favour low-cost hypotheses in the version space, and tends to select for labeling the instances with the largest expected misclassification cost. Experiments show that, when misclassification cost is considered, the proposed active learning algorithm needs less labeling than the SRS, CRS and CAD algorithms to reach the target misclassification cost.

7. A hierarchical recognition model for attack forecasting was defined, covering step recognition, action recognition and process recognition of attacks. The proposed recognition model describes attacks effectively and supports attack anticipation.

8. A combination prediction model based on a particle swarm optimization (PSO) learning algorithm was proposed. We analyzed several traditional prediction methods and proposed a combination prediction model in which each prediction method is given a weight-coefficient and the predicted results are integrated, so that the whole predicting process is reflected from different aspects and the results are more exact. PSO global optimization is used to obtain the weight-coefficients, which reduces the blindness of trial computation and raises the prediction precision of the model. Experiments on the Santa Fe test datasets showed that the combination prediction model achieves lower error and higher accuracy than single prediction models.

An early-warning prototype system was implemented. The system embodies the above research results and can regulate and control the operation of the situational sensors; it can also receive and process the data provided by the situational sensors, and then display the current network situation and the early-warning results.
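As an added illustration of the combination prediction model in item 8 (example code written for this page, not the thesis's own implementation), the block below gives weight-coefficients to three simple one-step predictors and fits them with a small PSO on a constructed alert-count series; the predictors, the PSO parameters and the series are all assumptions, and the unit vectors are seeded as particles so the fitted combination can never be worse than the best single predictor on the fit window.

```python
import random
from functools import reduce

# Constructed sample: hourly alert counts (assumed data, not from the thesis).
SERIES = [12, 15, 14, 18, 21, 19, 24, 27, 25, 30, 33, 31, 36, 40, 38, 43, 47, 45, 50, 54]

def moving_average(hist, k=3):
    return sum(hist[-k:]) / k

def linear_trend(hist):                     # extrapolate the last step
    return 2 * hist[-1] - hist[-2]

def exp_smoothing(hist, alpha=0.5):
    return reduce(lambda s, x: alpha * x + (1 - alpha) * s, hist)

PREDICTORS = [moving_average, linear_trend, exp_smoothing]
UNIT = [[float(i == j) for j in range(len(PREDICTORS))] for i in range(len(PREDICTORS))]

def normalize(w):                           # weights non-negative and summing to 1
    w = [max(x, 0.0) for x in w]
    return [x / (sum(w) or 1.0) for x in w]

def mse(weights, rows, actual):             # error of the weighted combination
    err = [sum(w * f for w, f in zip(weights, r)) - a for r, a in zip(rows, actual)]
    return sum(e * e for e in err) / len(err)

def pso_weights(rows, actual, n_particles=20, iters=100, seed=1):
    """PSO over the weight-coefficients; unit vectors are seeded as particles, so the fit never trails the best single predictor."""
    rng, m = random.Random(seed), len(PREDICTORS)
    pos = [u[:] for u in UNIT] + [normalize([rng.random() for _ in range(m)]) for _ in range(n_particles - m)]
    vel = [[0.0] * m for _ in pos]
    pbest, pbest_f = [p[:] for p in pos], [mse(p, rows, actual) for p in pos]
    gbest, gbest_f = min(zip(pbest, pbest_f), key=lambda t: t[1])
    for _ in range(iters):
        for i, p in enumerate(pos):
            for j in range(m):              # inertia + cognitive + social terms
                vel[i][j] = (0.7 * vel[i][j] + 1.5 * rng.random() * (pbest[i][j] - p[j])
                             + 1.5 * rng.random() * (gbest[j] - p[j]))
            pos[i] = normalize([p[j] + vel[i][j] for j in range(m)])
            f = mse(pos[i], rows, actual)
            if f < pbest_f[i]:
                pbest[i], pbest_f[i] = pos[i][:], f
                if f < gbest_f:
                    gbest, gbest_f = pos[i][:], f
    return gbest, gbest_f

def compare(series=SERIES, start=3):        # (weights, combined MSE, best single MSE)
    rows, actual = [[p(series[:t]) for p in PREDICTORS] for t in range(start, len(series))], series[start:]
    weights, combined = pso_weights(rows, actual)
    return weights, combined, min(mse(u, rows, actual) for u in UNIT)
```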
Keywords/Search Tags:security situational awareness, early-warning, situational assessment, active learning, attack prediction