Research On The Improvement Of HMM Method In Risk Assessment To Network Security

With the extensive applications of computer network technology, network security has become increasingly important and has been an important part of national security. The key of improving network security is How to accurately assess the risk of a network. The traditional methods in risk assessment to network security can only do static risk assessment and can't reflect the real-time threat and risk status.Based on the research, the Hidden Markov Model (HMM) methods of risk assessment to network security has been realized. The method takes Intrusion Detection System (IDS) alerts as input, and can quantify the risk of real-time network, and can effectively assess the threat of the network, compared with the traditional static approach has great advantages.two issues in the traditional HMM method of risk assessment to network security, which are the difficulties of controlling parameters scale and determining parameters, have been solved. For the first one, alerts are classified by assessing the threat of them, in order to control the scale of observation matrix. In the process of assessing threat, combine IDS events with vulnerability, network assets and network environments, by assessing the attacks on four factors: the severity, Targets assets, the administrator point and probability of success, to define the threat of attacks. In accordance with the threat, the attack will be divided into ten levels. For the second problem, use genetic algorithms for auto-solving the parameters in the HMM matrix, and binary code to describe matrix, define risk described rules as the target for the optimization. The accuracy of parameters setting has been improved, by using auto-generated parameters instead of manual settings.The above method has been realized in JAVA platform ,and experiments has been done with the use of Honeynet data and Darpa 2000 data. Experiments show that the proposed method can solve the two problems in HMM-based risk assessment methods successful, and systems can effectively reflect the real-time network security risk situation.