
Research About Multisource Data Fusion Technology For Cyberspace Situation

Posted on: 2013-02-11
Degree: Master
Type: Thesis
Country: China
Candidate: Z Y Zhao
Full Text: PDF
GTID: 2298330422474316
Subject: Computer Science and Technology

Abstract/Summary:
Data fusion is one of the foundational techniques of situational awareness. The main purpose of cyberspace situation awareness is to extract, refine, integrate, deepen and manage relevant information in cyberspace, distill it into macro situational knowledge of the network that people can understand, and provide support for network deployment and emergency decision making. Data processing and data fusion are the core tasks of situation awareness. Cyberspace situational awareness involves a wide range of techniques. Combined with the specific needs of an 863 project, this paper focuses on the design of a situation element index architecture and the technology of multi-source data fusion. It mainly addresses how to describe the cyberspace situation and how to make full use of the redundancy and complementarity of cyberspace detection data to obtain better situation element indexes through data fusion. The main contributions of this paper are as follows:

1) Different data fusion techniques are sorted out, and their advantages, disadvantages and possible applications are analyzed. The application of data fusion algorithms in the field of cyberspace situation awareness is elaborated, laying the foundation for further research.

2) Given the complexity of constructing cyberspace situation elements and the wide variety of data, the elements are analyzed, an index system is constructed based on a hierarchical method, and the cyberspace situation is described at different granularities.

3) The processing of cyberspace situation data is analyzed, and the procedure for that processing using data fusion technology is presented. D-S evidence theory is applied to the processing of vulnerability data, and a fusion method for vulnerability situation data based on D-S evidence theory is proposed. This method can analyze and integrate the vulnerability data gathered by network scanning, host scanning, and many other means. Through the steps of standardizing vulnerability data, constructing the basic probability distribution function, and fusing the data, this method makes use of the redundancy and complementarity of multi-source data and achieves the integration of multiple scanning results. Tests show that the results obtained by this method are more comprehensive and reliable.

4) A method is proposed to process the alerts given by network security equipment, based on difference calculation clustering, extended D-S evidence theory and association with target vulnerability information. This method comprehensively considers alarm information from multiple devices together with environment information. Processing the alerts with this method reduces their quantity, and the final results better reflect network attack activity.
Keywords/Search Tags: Cyberspace, Situation Awareness, Data Fusion, D-S Evidence Theory, Index System
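An added illustration of the fusion step named in contribution 3, not code from the thesis: Dempster's rule of combination applied to several scan results for one host/vulnerability pair. The two-hypothesis frame, the reliability-based mass assignment in `bpa`, and the sample reports are assumptions made for this example; the abstract does not give the thesis's own construction.

```python
from itertools import product

V, N = frozenset({"vuln"}), frozenset({"not_vuln"})
THETA = V | N  # frame of discernment; mass on THETA means "undecided"

def bpa(reported_vulnerable, reliability):
    """Assumed mass construction: the scanner's reliability backs its
    verdict, the remainder stays uncommitted on THETA."""
    if not 0.0 <= reliability <= 1.0:
        raise ValueError("reliability must be in [0, 1]")
    focal = V if reported_vulnerable else N
    m = {focal: reliability, THETA: 1.0 - reliability}
    return {k: v for k, v in m.items() if v > 0}

def combine(m1, m2):
    """Dempster's rule: returns (normalized fused masses, conflict K)."""
    fused, conflict = {}, 0.0
    for (a, wa), (b, wb) in product(m1.items(), m2.items()):
        inter = a & b
        if inter:
            fused[inter] = fused.get(inter, 0.0) + wa * wb
        else:
            conflict += wa * wb  # mass landing on the empty set
    if conflict >= 1.0 - 1e-12:
        raise ValueError("total conflict: sources cannot be combined")
    return {k: v / (1.0 - conflict) for k, v in fused.items()}, conflict

def fuse(reports):
    """Fold (reported_vulnerable, reliability) reports into one mass function."""
    masses = [bpa(*r) for r in reports]
    fused, conflicts = masses[0], []
    for m in masses[1:]:
        fused, k = combine(fused, m)
        conflicts.append(k)
    return fused, conflicts

def belief(m, hyp):        # mass that necessarily supports hyp
    return sum(w for s, w in m.items() if s <= hyp)

def plausibility(m, hyp):  # mass that does not contradict hyp
    return sum(w for s, w in m.items() if s & hyp)

# Constructed sample: network scan hit, host scan hit, second network scan miss.
SAMPLE = [(True, 0.7), (True, 0.8), (False, 0.4)]

if __name__ == "__main__":
    fused, conflicts = fuse(SAMPLE)
    print("Bel(vuln)=%.4f Pl(vuln)=%.4f" % (belief(fused, V), plausibility(fused, V)))
    print("conflict per step:", [round(k, 3) for k in conflicts])
```

The per-step conflict value is worth keeping alongside the fused result: a high K means the sources disagree strongly, and the normalized output should then be treated with suspicion rather than taken at face value.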