
Key Techniques In Privacy Preserving Network Security Integrated Management

Posted on: 2013-08-16
Degree: Doctor
Type: Dissertation
Country: China
Candidate: J Ma
GTID: 1228330392951867
Subject: Communication and Information System

Abstract/Summary:
Network security problems have become more critical than ever, taking the form of malicious attacks, virus outbreaks, and so forth. This is a side effect of the expansion of network applications and of the shift of modern information systems towards being larger, fully connected, and centre-free. New kinds of attack appear wave after wave alongside new applications, and they are correlated, sophisticated, and hard to detect. To ensure network and information security under such severe circumstances, the techniques of network security integrated management, represented by network alert correlation and security assessment, need in-depth research.

Remarkable breakthroughs have been made recently in the field of network security integrated management. On the alert correlation side, several kinds of correlation methods have appeared for constructing attack scenarios and identifying attack intentions, including causal correlation methods, methods based on pre-defined rules, attack-graph-based methods, and data mining correlation methods. On the security assessment side, the usual approach is a parameter system together with models that analyse the network at different levels in order to manage system risks and obtain network situational awareness. However, these methods have limitations in the face of the high complexity and fierce confrontation of modern network attacks, and they ignore the need for data sharing. First, alert correlation depends heavily on expert experience, and its computational performance could be greatly improved. Second, assessment of network threats usually focuses on the impact of attacks within a single domain, which no longer represents the common case. Last but not least, almost all of these techniques ignore the requirement to preserve the privacy of the raw data, which makes privacy the main obstacle to using shared security data in practice.
Besides that, the existing privacy preserving methods are usually computationally complicated or over-dependent on expert knowledge. To resolve the issues listed above, this thesis studies alert correlation analysis and risk assessment together with privacy preserving techniques, and then provides a complete privacy preserving network security integrated management framework.

Based on a structured analysis of alert data, this thesis proposes a novel protection method for sensitive alert data. Improving the Incognito algorithm, it introduces an entropy-guided design method for alert generalization hierarchies and a generalization evaluation method based on alert certainty penalty. The new quantitative assessment method strikes a balance between privacy preservation and the quality of the protected data. It then designs an alert frequency calculation method based on generalization sub-lattices, which yields higher efficiency. Practical experiments show that the new method is much more efficient and effective at protecting alerts than the original k-anonymity model.

One of the main routes to alert correlation and analysis is to obtain the relationships between alert attributes by frequent pattern mining. In practice, however, this is hard to achieve because there is no effective secure mechanism for sharing alert data. To improve this situation, the thesis proposes PPFPM, a method that mines the relationships among security alert attributes with privacy preservation, built on the typical frequent pattern mining method. By storing the database in a frequent-pattern tree structure, it avoids repeated database scans in the subsequent procedures. It also adopts a pattern-fragment growth method to lower the cost of generating large candidate sets, achieving high efficiency. Experimental results suggest that PPFPM is effective, flexible, and performs well.
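The alert generalization step described in this section (Incognito-style full-domain generalization of alert quasi-identifiers to k-anonymity, scored by a certainty penalty), as an added example that is not the thesis's own code. The two hierarchies, the normalized certainty penalty, the exhaustive lattice search and the alert records are all assumptions standing in for the entropy-guided hierarchy design and sub-lattice frequency method the abstract describes.

```python
"""Full-domain generalization of IDS alerts to k-anonymity with a certainty penalty.
Added example, not the thesis's code: hierarchies, penalty and lattice search are
assumptions; the thesis's entropy-guided hierarchies and sub-lattice method differ."""
from collections import Counter
from itertools import product

# Constructed alerts: (src_ip, hour_of_day, signature). src_ip and hour are the
# quasi-identifiers to generalize; signature is the sensitive attribute kept as is.
ALERTS = [
    ("10.0.1.5", 3, "SCAN"), ("10.0.1.9", 3, "SCAN"), ("10.0.1.17", 4, "BRUTE"),
    ("10.0.2.3", 9, "SCAN"), ("10.0.2.8", 10, "BRUTE"), ("10.0.2.200", 11, "SCAN"),
    ("192.168.7.4", 22, "DOS"), ("192.168.7.5", 23, "DOS"),
]
IP_LEVELS, HOUR_LEVELS = 5, 3  # depth of each generalization hierarchy

def gen_ip(ip, level):
    """Level 0 = exact host, 1 = /24, 2 = /16, 3 = /8, 4 = suppressed."""
    return "*" if level == 4 else ".".join(ip.split(".")[:4 - level] + ["*"] * level)

def gen_hour(hour, level):
    """Level 0 = exact hour, 1 = 6-hour block, 2 = suppressed."""
    if level == 0:
        return str(hour)
    return f"{hour // 6 * 6}-{hour // 6 * 6 + 5}" if level == 1 else "*"

def penalty(ip_lvl, hour_lvl):
    """Normalized certainty penalty: the share of each attribute's domain that a
    generalized value spans (0 = precise, 1 = suppressed), averaged over both."""
    ip_span = (256 ** ip_lvl - 1) / (256 ** 4 - 1)
    hour_span = {0: 0.0, 1: 5 / 23, 2: 1.0}[hour_lvl]
    return (ip_span + hour_span) / 2

def is_k_anonymous(alerts, k, ip_lvl, hour_lvl):
    """True when every equivalence class of generalized quasi-identifiers has >= k alerts."""
    classes = Counter((gen_ip(ip, ip_lvl), gen_hour(h, hour_lvl)) for ip, h, _ in alerts)
    return all(size >= k for size in classes.values())

def anonymize(alerts, k):
    """Walk the full-domain generalization lattice (every pair of levels) and return the
    k-anonymous node with the lowest certainty penalty together with the released table.
    Raises ValueError if k exceeds the number of alerts (no node can satisfy it)."""
    nodes = [(penalty(i, j), i, j) for i, j in product(range(IP_LEVELS), range(HOUR_LEVELS))
             if is_k_anonymous(alerts, k, i, j)]
    if not nodes:
        raise ValueError("k larger than the alert set; nothing can be released")
    _, i, j = min(nodes)
    return (i, j), [(gen_ip(ip, i), gen_hour(h, j), sig) for ip, h, sig in alerts]
```

With k=2 the search settles on (/24, 6-hour block); raising k to 3 forces full suppression of both quasi-identifiers, which is the data-quality cost the certainty penalty makes visible.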
PPFPM is thereby shown to be a general-level privacy preserving approach for alert correlation based on frequent pattern mining.

Another common tactic for security alert correlation is to reveal the causal or sequential relationships among alerts. The thesis studies multi-step attack correlation using sequential pattern mining while ensuring privacy, and proposes the Quick Sequential Pattern Mining (QSPM) method and the Privacy Preserving Sequential Pattern Mining (PPSPM) method. Intensive expert knowledge of attack scenarios and complicated pre-defined rules are no longer necessary in the presented methods, which should be seen as an advantage. In addition, it proposes a support evaluation method that optimizes the algorithm based on an analysis of the sequential characteristics of attack data, which reduces the number of scans. Multi-step attacks are therefore correlated much more quickly, accurately, and effectively. Experiments are conducted and a comparison against existing methods is provided. The results show that the new methods have favourable accuracy and efficiency: at least 87.76% of the alerts could be correlated accurately, and performance improves by 170%~650% compared with typical methods. This research on sequential patterns of attack behaviour in privacy preserved environments can be applied generally to security alert correlation and should be of good value.

Identifying, evaluating, and controlling the vulnerabilities of network information systems is the fundamental basis of network security management.
Inefficient modelling techniques for mass security data and the lack of effective secure evaluation methods in cooperative environments have long been stubborn problems in the network security area. Targeting these issues, this thesis introduces a distributed quantitative situation evaluation model and corresponding computational methods that take into account the importance of services, the frequency of alerts, the severity of security threats, and so on. A privacy preserving distributed statistics mechanism is proposed on top of the model. The first step in realizing distributed privacy preserving methods is to resolve the collusion attack problem in semi-honest environments. Typical encryption-based methods, such as homomorphic encryption, resolve the problem at high computational cost and with dependence on a trusted third party to manage the public/private key pairs and the computation itself. This thesis proposes a lightweight distributed secure statistics model for the semi-honest environment that also fixes the security vulnerability under collusion attack found in existing methods based on random path-finding. The technique is suitable for common networks because it provides the basic privacy preserving distributed summation and variance algorithms, which makes it possible to extend it to any distributed security evaluation and analysis that uses basic statistics.

Finally, the thesis draws conclusions from these studies and gives an overview of prospective further directions. Complete interpretation of frequent patterns and sequential patterns, adaptive minimum-support threshold setting, and dynamic time-window matching are potential research targets building on the current work.
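The privacy preserving distributed summation and variance described above, as an added example that is not the thesis's own protocol (which the abstract does not detail). It assumes semi-honest parties and uses the standard additive secret-sharing construction as a stand-in: each party keeps one share of its value and hands one share to every other party, so no party ever sends its raw count, and any coalition of fewer than n-1 colluding parties learns nothing beyond the published total. The per-site alert counts are constructed sample input.

```python
"""Privacy-preserving distributed summation and variance via additive secret sharing.
Added example: a stand-in for the thesis's lightweight secure-statistics model, whose
own protocol is not on this page. Parties are assumed semi-honest (they follow the
protocol but try to learn the other sites' inputs)."""
import secrets

MOD = 2 ** 64  # shares live in Z_MOD; the true sum must stay below MOD

# Constructed inputs: weekly alert counts at five sites, none willing to reveal its own.
SITE_COUNTS = [120, 43, 877, 15, 301]

def split_shares(value, n):
    """Split value into n shares that sum to value (mod MOD). All but one share are
    uniformly random, so any n-1 or fewer shares are independent of value."""
    shares = [secrets.randbelow(MOD) for _ in range(n - 1)]
    shares.append((value - sum(shares)) % MOD)
    return shares

def secure_sum(values):
    """Party i splits x_i into n shares, keeps share i and sends share j to party j.
    Each party then publishes only the sum of the shares it holds. The published
    partial sums add up to sum(x_i); no x_i is ever transmitted, and fewer than n-1
    colluding parties cannot recover another party's x_i from what they see."""
    n = len(values)
    outgoing = [split_shares(x, n) for x in values]  # outgoing[i][j] goes from i to j
    partials = [sum(outgoing[i][j] for i in range(n)) % MOD for j in range(n)]
    return sum(partials) % MOD

def secure_mean_variance(values):
    """Population mean and variance from two secure sums (of x and of x^2), so each
    site contributes to both statistics without disclosing its own count."""
    n = len(values)
    s1, s2 = secure_sum(values), secure_sum([x * x for x in values])
    mean = s1 / n
    return mean, s2 / n - mean * mean

if __name__ == "__main__":
    total = secure_sum(SITE_COUNTS)
    mean, var = secure_mean_variance(SITE_COUNTS)
    print(f"total={total} mean={mean:.2f} variance={var:.2f}")
```

A ring-style protocol, by contrast, hands each party one running sum, so the two neighbours of a site can jointly recover its input; the share-splitting form above removes that dependence on any single path.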
Keywords/Search Tags: Network Security, Security Management, Privacy Preserving, Alert Correlation, Frequent Patterns, Sequential Patterns, Security Assessment, Data Mining