
Research On Key Technologies Of Large-scale Network Security Situation Awareness Based On Network Traffic

Posted on: 2014-01-12
Degree: Master
Type: Thesis
Country: China
Candidate: D Yao
Full Text: PDF
GTID: 2268330401476775
Subject: Computer application technology

Abstract/Summary:
With the development of Internet technology and social informatization, the network has become an indispensable part of our life. To enhance and maintain network security, many kinds of security devices have been deployed. The lack of effective data fusion and cooperative management among them has become a hindrance to dealing with the different problems in the network. Under these circumstances, research on network security situation awareness (NSSA), as one of the next-generation security solutions, has both academic value and broad practical value.

Traditional situation awareness technology mostly uses log files from single-point heterogeneous security devices such as IDS, IPS and firewalls. Such data sources cause many problems when the network scale grows. Aiming at these problems, this thesis builds on an analysis of existing studies in the application of network security situation awareness and studies the key technologies of NSSA: the awareness model, security situation information acquisition and extraction, the index system, and the assessment method. The innovative contributions of this thesis are enumerated as follows:

1. The shortcomings of existing network security situation awareness models and algorithms in large-scale environments are analyzed. Because of the disadvantages of multi-source log files when dealing with large-scale environments, network data is chosen as the main data source for situation awareness. The method of extracting situation information from network data is studied, and a network-traffic-based large-scale network security situation awareness model is proposed.

2. Aiming at extracting situation information, a multi-level network anomaly detection method is proposed. In the first level of this model, packets are used as the data source and an anomaly detection method that can be used on a high-speed network backbone is proposed. Based on nonextensive entropy with different parameters, the original statistical information about several packet attributes in a time window is decomposed into high-dimensional features. Using these detailed features, a detection model based on double random forests is proposed. In the second level, for branch networks, flows are used as the data source and features are chosen from two aspects: service request and service acknowledgement. Based on these features, a new data mining technique, TreeNet, is used as the anomaly detection algorithm. The experimental results suggest that both methods achieve competitive detection accuracy with a high recall ratio.

3. Aiming at extracting security situation elements, a comparison method is proposed. One comparison is between the result of network traffic anomaly detection and the result of service request anomaly detection; the other is between the result of service request detection and the result of service acknowledgement detection. Through the comparison process, true threats can be confirmed and, at the same time, security defense information can be discovered.

4. Following the character of the proposed NSSA model, quantitative indexes are chosen as the evaluation method: real security threat, theoretical security threat, security threat scale, controllability of security threat, defense ability of security devices, and defense ability of all network hosts, six indexes covering both the attack threat aspect and the network defense aspect. Algorithms to compute these indexes are proposed. Finally, the objectivity, accuracy and validity are verified through different experiments.
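The first-level feature extraction described in contribution 2 (nonextensive entropy with different parameters over packet attributes in a time window) can be illustrated with the following added example. It is not code from the thesis; it uses Tsallis entropy as the nonextensive entropy, a constructed set of packets, and hypothetical names (`tsallis_entropy`, `window_features`, `feature_vector`) chosen for this illustration. Each attribute (source IP, destination IP, destination port) is summarized by its entropy at several q values, which is the kind of high-dimensional feature vector a random forest would then consume; the classifier itself is not shown.

```python
"""Tsallis (nonextensive) entropy features over packet attributes in a time window.

Added illustration, not the thesis author's code. Packet records are constructed
in-line so the example runs offline.
"""
from collections import Counter
import math

# Constructed sample packets: (timestamp_s, src_ip, dst_ip, dst_port).
# Window [0, 10): balanced traffic from four clients to two services.
# Window [10, 20): one source touching eight different destination ports,
# the kind of concentration/dispersion shift an entropy feature exposes.
PACKETS = [
    (0.5, "10.0.0.1", "10.0.1.10", 80),
    (1.0, "10.0.0.1", "10.0.1.11", 443),
    (2.0, "10.0.0.2", "10.0.1.10", 80),
    (3.0, "10.0.0.2", "10.0.1.12", 443),
    (4.0, "10.0.0.3", "10.0.1.11", 80),
    (5.0, "10.0.0.3", "10.0.1.10", 443),
    (6.0, "10.0.0.4", "10.0.1.12", 80),
    (7.0, "10.0.0.4", "10.0.1.11", 443),
    (10.1, "10.0.0.9", "10.0.1.10", 21),
    (10.2, "10.0.0.9", "10.0.1.10", 22),
    (10.3, "10.0.0.9", "10.0.1.10", 23),
    (10.4, "10.0.0.9", "10.0.1.10", 25),
    (10.5, "10.0.0.9", "10.0.1.10", 80),
    (10.6, "10.0.0.9", "10.0.1.10", 110),
    (10.7, "10.0.0.9", "10.0.1.10", 143),
    (10.8, "10.0.0.9", "10.0.1.10", 443),
]

# Tuple index of each attribute whose value distribution is measured.
ATTRIBUTES = {"src_ip": 1, "dst_ip": 2, "dst_port": 3}


def tsallis_entropy(counts, q):
    """Tsallis entropy S_q = (1 - sum p_i^q) / (q - 1) of a count vector.

    q = 1 is the Shannon limit; q < 1 stresses rare values, q > 1 stresses
    dominant ones, so several q give complementary views of one distribution.
    An empty window yields 0.0 rather than a division artifact.
    """
    n = sum(counts)
    if n == 0:
        return 0.0
    probs = [c / n for c in counts if c > 0]
    if q == 1.0:
        return -sum(p * math.log(p) for p in probs)
    return (1.0 - sum(p ** q for p in probs)) / (q - 1.0)


def window_features(packets, window_start, window_len, qs):
    """Entropy of every attribute at every q for packets in the time window.

    Returns a dict keyed "<attribute>_S<q>" plus the packet count.
    """
    in_win = [p for p in packets if window_start <= p[0] < window_start + window_len]
    feats = {"packets": len(in_win)}
    for name, idx in ATTRIBUTES.items():
        counts = list(Counter(p[idx] for p in in_win).values())
        for q in qs:
            feats[f"{name}_S{q}"] = tsallis_entropy(counts, q)
    return feats


def feature_vector(feats):
    """Fixed-order numeric vector (sorted by key) suitable as classifier input."""
    return [feats[k] for k in sorted(feats)]


if __name__ == "__main__":
    qs = (0.5, 1.0, 2.0)
    for start in (0.0, 10.0):
        feats = window_features(PACKETS, start, 10.0, qs)
        print(f"window [{start}, {start + 10.0}):")
        for key in sorted(feats):
            print(f"  {key:>16} = {feats[key]:.4f}")
```

In the second window the source-IP entropy collapses to zero at every q while the destination-port entropy rises, whereas the first window shows moderate values for both; feeding such vectors from many windows to a classifier is what turns the raw per-window counts into the "high dimensional features" the abstract refers to.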
Keywords/Search Tags: network security situation assessment, awareness model, nonextensive entropy, random forests, TreeNet, index system