
The Research On Network Security Situational Awareness Technology Based On Fusion Decision

Posted on: 2013-01-04
Degree: Doctor
Type: Dissertation
Country: China
Candidate: Z D Li
Full Text: PDF
GTID: 1228330377459381
Subject: Computer application technology
Abstract/Summary:
As networks grow more complex, security threats diversify, producing massive volumes of logs and alerts in varied formats and forms that exceed the processing capacity of traditional methods. Network security situational awareness arose in response: it filters, fuses and abstracts security information from multiple monitoring facilities, predicts future trends, and lets administrators perceive the overall network security situation and its evolution and respond quickly to complex and changing threats, thereby reducing the burden of cognition and response. The current problems are analyzed and the author's main work is introduced as follows.

An attack is often reflected in several logs or alerts, so detection systems can compensate for one another's deficiencies and suppress false positives through fusion decision. Most fusion decision methods depend heavily on the kinds and quantity of training samples, lack measures for aiding the decision, introduce constraint conditions that are difficult to satisfy, and consume memory heavily as the number of attack kinds grows. To address these problems, a fusion decision model for multiple alerts based on statistical space mapping is proposed. The model reduces the statistical space by mapping each alert vector to a voting pattern, which lessens the dependence on training samples and achieves good fusion decision performance after only small-scale training. It infers the composition of the traffic being detected dynamically from the variation of its statistical characteristics, and can track, predict and adapt to that variation continuously, autonomously suppressing false negatives or false positives in a balanced way. The model introduces no constraint condition that violates the correlation among detection systems, supports online incremental training and even partial revocation of previous training, and can compensate for insufficient or one-sided initial training through continuous improvement. Its space complexity is dominated only by the number of detection systems, independent of the number of attack kinds, which makes it well suited to detecting massive attacks with a few systems in the field.

Most traditional evaluation methods treat the services deployed in a network as isolated individuals and ignore the indirect risks or threats that vulnerabilities or attacks cause as they propagate along dependency relationships. Once attackers have stolen the authorities granted to services for reading or writing data, they can cause data to be disclosed or damaged, which most evaluation methods do not consider. To address these problems, a situation assessment method based on spreading analysis is presented. The method integrates the security factors of services, data, vulnerabilities and attacks into one evaluation architecture and assesses the security situation from multiple aspects. It identifies the dependency relationships between services from operating-system management information and network communication monitoring records, finds the authorities granted to services for reading and/or writing data from access and object control lists, and analyzes the influence on data security when those authorities are exposed by vulnerabilities or stolen by attackers. The risks or threats arising from multiple vulnerabilities or attacks along multiple paths are combined using a nonlinear incremental overlapping method, and the security situation is computed from the value of the resources and the risks or threats they face. The method regards the various services and data as a highly correlated organic whole, reveals the network security situation and the effects of dependency and authority relationships thoroughly, and obtains more comprehensive, complete, precise and credible evaluation results.

There is little dedicated research on situation prediction; existing prediction methods are usually reused, with many defects. A situation sequence contains numerous complex and changing evolution tendencies that exceed what traditional methods can express and predict with a few formulas or functions or through limited training. Most traditional methods suffer from conflicts among training samples, rely heavily on data preprocessing and manual intervention, do not support incremental training, and must rebuild the model whenever the situation sequence changes. Therefore, a situation prediction method based on scene fitness is presented. The method measures the similarity between historical subgraphs in terms of morphology and precision, and uses multi-step difference operations to discriminate tendencies. It searches the recorded historical situation sequence for indications similar to the current one, measures how strongly an observed indication dominates its subsequent effect, and infers the probability that certain effects will recur given the current indication. An evolutionary algorithm is introduced to measure prediction deviation and improve the adaptability of the prediction algorithm continuously through gradual adjustment. The method preserves the rules in the sequence as far as possible, needs no data preprocessing, and can track and adapt to variation in the situation sequence continuously.

The research proceeds along the thread of fusion decision, situation evaluation and situation prediction. Fusion decision aims to obtain high-quality intrusion detection results as a foundation for situation evaluation; situation evaluation in turn provides security situation sequences for situation prediction. These research fields are integrated into one entity according to their cohesion.
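The alert-vector-to-voting-pattern mapping, online incremental training and partial revocation described for the fusion decision model, as an added Python illustration that is not the dissertation's code: the four detection systems, the labelled sample and the Laplace-smoothed estimate are constructed assumptions, and the adaptive tracking of traffic composition is not covered.

```python
from typing import Dict, List, Tuple

# Constructed sample from four hypothetical detection systems (1 = raised an alert), labelled
# with ground truth (True = genuine attack). Not data from the dissertation.
TRAINING = [
    ((1, 1, 1, 0), True), ((1, 1, 0, 1), True), ((0, 1, 1, 1), True), ((1, 1, 0, 0), True),
    ((1, 0, 0, 0), False), ((0, 1, 0, 0), False), ((0, 0, 1, 0), False), ((1, 0, 1, 0), False),
]

def voting_pattern(vec: Tuple[int, ...]) -> int:
    """Map an alert vector (2^n states) to a voting pattern (n+1 states): how many systems fired."""
    return sum(1 for a in vec if a)

def statistical_space_size(n_systems: int) -> Tuple[int, int]:
    """(states before mapping, states after mapping) for n detection systems."""
    return 2 ** n_systems, n_systems + 1

class FusionDecider:
    """Attack/benign counts per voting pattern. Memory grows with the number of detection
    systems, not with the number of attack kinds (the labels carry no attack type)."""

    def __init__(self, n_systems: int) -> None:
        self.counts: Dict[int, List[int]] = {k: [0, 0] for k in range(n_systems + 1)}

    def train(self, vec: Tuple[int, ...], is_attack: bool) -> None:
        """Online incremental training: one labelled alert vector at a time."""
        self.counts[voting_pattern(vec)][0 if is_attack else 1] += 1

    def revoke(self, vec: Tuple[int, ...], is_attack: bool) -> None:
        """Partial revocation of earlier training, e.g. when a label turns out to be wrong."""
        slot, idx = self.counts[voting_pattern(vec)], 0 if is_attack else 1
        if slot[idx] == 0:
            raise ValueError("nothing to revoke for this voting pattern and label")
        slot[idx] -= 1

    def attack_probability(self, vec: Tuple[int, ...]) -> float:
        """Laplace-smoothed P(attack | voting pattern); an unseen pattern yields 0.5."""
        attack, benign = self.counts[voting_pattern(vec)]
        return (attack + 1) / (attack + benign + 2)

    def decide(self, vec: Tuple[int, ...], threshold: float = 0.5) -> bool:
        """Fused verdict: attack when the estimate exceeds the threshold."""
        return self.attack_probability(vec) > threshold

def build_decider(samples=TRAINING, n_systems: int = 4) -> FusionDecider:
    decider = FusionDecider(n_systems)
    for vec, label in samples:
        decider.train(vec, label)
    return decider
```

With four systems the table holds five patterns instead of sixteen alert vectors, and adding a new attack kind to the sample changes no table size, only the counts.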
Keywords/Search Tags: network security, fusion decision, situation evaluation, situation prediction