
Network Security Situation Awareness Model Research And System Implementation

Posted on: 2011-09-06
Degree: Doctor
Type: Dissertation
Country: China
Candidate: Y Zhang
GTID: 1118360305966669
Subject: Information security

Abstract/Summary:
With the development of network technology, networks are growing in scale and complexity. Network vulnerabilities are increasing, attack techniques are being renewed, and new attack tools keep appearing. Traditional network security technologies are inadequate, and the network security problem is becoming more and more severe. Security technologies are developing from intrusion prevention and intrusion detection to intrusion tolerance and network survivability, from information confidentiality to information availability and service sustainability, and from single security solutions to the description of the security status of the entire network and its trends.

Network security situation awareness (NSSA) is concerned with all security elements. It collects security elements, understands their relations, evaluates their impacts, and forecasts trends. It is a means of quantitative analysis of network security, and research on situation awareness technology is significant. Based on the fusion of a variety of network security elements, situation awareness technology evaluates the security status of the entire network and forecasts its trends. Recently, more and more research has focused on NSSA, but there is no common concept, the NSSA framework is not appropriate, the evaluation models and algorithms are still at an initial stage, and there are few systematic quantitative analysis techniques and tools.

Based on existing network security technologies and according to relevant national standards, this paper investigates qualitative and quantitative analysis methods for network security. First, it builds the technology framework of NSSA and refines the evaluation and forecasting models. It then studies the key technologies and methods of NSSA and develops an NSSA supporting platform.

First, this paper elaborates the background and significance of NSSA. Starting from the development of network technology and security problems, it explains traditional network security technologies and their shortcomings, and derives the significance of NSSA technology. After analyzing some NSSA technologies and their shortcomings, it introduces the problems and challenges of NSSA. Then, following the NSSA conceptual model, it analyzes the process and results of NSSA and builds the NSSA framework. NSSA technologies and algorithms are discussed separately for the three stages of situation comprehension, situation evaluation and situation forecasting.

The purpose of situation comprehension is to fuse the heterogeneous security data detected by multiple sensors. It is the basis of NSSA and prepares for situation evaluation. First, the paper introduces simple data-level fusion technology, which processes the original security data and produces standardized data sets of assets, threats, vulnerabilities and network topology. Next, it analyzes the correlation of assets, threats and vulnerabilities. After studying network security incidents, it acquires a standardized data set of security incidents. Finally, it proposes the threat propagation network, which describes the impact of threat propagation. Through comprehensive analysis of assets, threats, vulnerabilities and network topology, it obtains the threat propagation network for each threat in the threat data set.

Situation evaluation is the core of NSSA; it is the qualitative and quantitative description of network security. First, the paper establishes a multi-level and multi-angle evaluation framework, which evaluates network security at three levels: the special topic level, the element level and the whole level. It then introduces the special topic evaluation level, which evaluates network security from four aspects: asset, threat, vulnerability and security incident. After that, it gives an approach to situation evaluation based on the hidden Markov model. By analyzing the security incidents and security measures that occurred on an asset, this approach evaluates the confidentiality, integrity and availability situation components of a single asset. Then it proposes an approach to situation evaluation based on the Markov game model. By analyzing the influences of threat propagation and of administrator and ordinary user actions, this approach evaluates the confidentiality, integrity and availability situation components of a single threat. Finally, it gives a method of situation evaluation based on exponential and logarithmic analysis, which evaluates the whole situation of the entire network from the single situation components.

Using the output of situation evaluation and a forecasting model, situation forecasting predicts the development trends of the security situation. Time series analysis describes the correlation within situation sequences well and is suitable for forecasting their trends. This paper introduces two situation forecasting models, the Box-Jenkins model and the Holt-Winters model, both based on time series analysis. Through seasonal differencing and trend differencing, the Box-Jenkins model converts the non-stationary original series into a stationary new series. According to the characteristics of the autocorrelation and partial autocorrelation functions of the new series, it proposes an autoregressive moving average model to investigate the trend of the new series. The Holt-Winters model separates the correlation of the original series into three parts: a seasonal change item, a trend change item and a random component. It builds a model for each item of the original series.

In the end, this paper presents the support platform of NSSA. First, it discusses the correlations among the subsystems of the platform. Then it introduces each stage of NSSA. After that, it expounds the implementation of the situation evaluation and forecasting subsystem. Finally, it sets up a specific network to demonstrate the processes and functions of NSSA and analyzes the results. The application study indicates that the NSSA framework is rational, feasible and practical for actual network environments, and that the results are precise and efficient.

Network security situation awareness is a new security technology that describes network security and its trends from different perspectives. It can also provide appropriate security reinforcement. More and more applications of NSSA are being used. NSSA is becoming the focus of the next generation of network security technology and plays a very important role in information assurance.

Keywords/Search Tags: network security situation awareness, multi-level and multi-angle evaluation, situation comprehension, situation evaluation, situation forecasting, hidden Markov model, Markov game model, time series analysis
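
The Box-Jenkins step summarized in the abstract (seasonal and trend differencing to obtain a stationary series, then a model fitted on that series) is shown below as an added example; it is not code from the dissertation. The weekly season, the sample situation values and all function names are assumptions, and a plain AR(1) fit stands in for the full autoregressive moving average model.

```python
# Added illustration: seasonal + trend differencing, then an AR(1) fit on the
# stationary series. All names and sample values are constructed.
SEASON = 7  # assumed weekly cycle in a daily situation value
PATTERN = [0, 3, 5, 4, 2, -6, -8]  # constructed seasonal offsets


def true_value(t):
    """Constructed series: level 20, +1 per day trend, weekly pattern."""
    return 20 + t + PATTERN[t % SEASON]


SITUATION = [true_value(t) for t in range(28)]  # four weeks of history


def difference(x, lag):
    """lag=SEASON removes the seasonal item, lag=1 removes the trend."""
    return [x[i] - x[i - lag] for i in range(lag, len(x))]


def fit_ar1(w):
    """Least-squares mean and AR(1) coefficient of a stationary series."""
    mu = sum(w) / len(w)
    num = sum((w[i] - mu) * (w[i - 1] - mu) for i in range(1, len(w)))
    den = sum((v - mu) ** 2 for v in w[:-1])
    return mu, (num / den if den else 0.0)


def forecast(x, season, steps):
    """Forecast the stationary series, then undo both differences."""
    w = difference(difference(x, season), 1)
    mu, phi = fit_ar1(w)
    hist, last_w, out = list(x), w[-1], []
    for _ in range(steps):
        last_w = mu + phi * (last_w - mu)
        # w_t = x_t - x_{t-1} - x_{t-season} + x_{t-season-1}, solved for x_t
        nxt = last_w + hist[-1] + hist[-season] - hist[-season - 1]
        hist.append(nxt)
        out.append(nxt)
    return out


if __name__ == "__main__":
    print(difference(difference(SITUATION, SEASON), 1))
    print(forecast(SITUATION, SEASON, 7))
```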