
Research On Network Threat Situation Deduction And Evaluation Technology Based On Ontology

Posted on: 2016-05-10
Degree: Master
Type: Thesis
Country: China
Candidate: C Si
Full Text: PDF
GTID: 2308330482479076
Subject: Military information science
Abstract/Summary:
Network threat situational awareness is important for enhancing the defensive capability of an integrated network system and improving its emergency-response level. The multi-source, heterogeneous and dynamic information produced by network security devices poses new challenges to network threat situational awareness. How to process multi-source, heterogeneous situational-element information effectively, and how to improve the accuracy of network threat situation analysis and quantitative evaluation, have become the key issues to address. This thesis studies network threat situational awareness technology in depth. The main work is as follows.

1. A knowledge base model of network threat situational elements based on ontology is built. Existing methods lack a shared common data model for describing massive amounts of multi-source, heterogeneous situational-element information uniformly. To solve this problem, this thesis analyses the data type structure of network threat situational elements and, drawing on the strengths of knowledge bases for describing, managing and sharing information, builds an ontology-based knowledge base model of network threat situational elements. The knowledge base has two components: an ontology knowledge base based on OWL and a rule knowledge base based on SQWRL. It describes situational-element information uniformly and lays a foundation of consistent semantics for the sharing and reuse of threat situational knowledge.

2. A network threat situation deduction graph construction algorithm and a real-time threat analysis algorithm are proposed. Existing threat analysis methods mainly superimpose the threat status of local networks directly, and lack deep analysis and visual display of the temporal and spatial association relationships of the whole network. To solve this problem, this thesis proposes a reverse construction algorithm working towards the threat target and a forward construction algorithm working towards the global network, which together build the network threat situation deduction graph. For the state-explosion problem of large-scale threat analysis models, this thesis adopts optimization strategies that limit the number of threat state transitions analysed, which effectively reduces the scale of the deduction graph. For the poor real-time performance of threat analysis, this thesis proposes a real-time threat analysis algorithm based on the deduction graph, which grasps and analyses the intrusion status of network threats in a timely manner.

3. A network threat situation quantitative evaluation method based on the deduction graph is proposed. Existing methods have comparatively coarse assessment granularity and cannot assess the network threat situation comprehensively across different stages, levels and perspectives. To solve this problem, this thesis proposes a quantitative evaluation method based on the deduction graph. According to the composition structure of the graph, the network threat situation is evaluated at five levels: threat events, atomic sequences of threat state transitions, threat paths, threat goals, and the threat situation of the whole network. For the problem that assessment accuracy is low because of uncertain and incomplete data, this thesis uses improved D-S evidence theory to correct the initial evidence. A conflict evidence combination algorithm based on a dissimilarity matrix is then proposed to measure the credibility of the assessment result, which improves the accuracy of decisions.
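The D-S evidence combination and the conflict problem named in item 3, as an added Python example that is not from the thesis: it implements the standard Dempster rule with an explicit conflict factor K over a constructed threat-level frame, and shows the high-conflict case that a conflict-evidence combination such as the thesis's dissimilarity-matrix algorithm is meant to correct (that algorithm itself is not reproduced here).

```python
from itertools import product

HIGH, MEDIUM, LOW = "high", "medium", "low"
THETA = frozenset({HIGH, MEDIUM, LOW})  # frame of discernment: threat level of a host

def combine(m1, m2):
    """Dempster's rule: fuse two basic probability assignments (BPAs).
    Keys are frozensets of hypotheses, values are masses summing to 1.
    Returns (combined BPA, conflict factor K)."""
    combined, conflict = {}, 0.0
    for (a, ma), (b, mb) in product(m1.items(), m2.items()):
        inter = a & b
        if inter:
            combined[inter] = combined.get(inter, 0.0) + ma * mb
        else:
            conflict += ma * mb  # mass that lands on the empty set
    if conflict >= 1.0 - 1e-12:
        raise ValueError("total conflict: Dempster's rule is undefined")
    norm = 1.0 - conflict
    return {k: v / norm for k, v in combined.items()}, conflict

def belief(m, hyp):
    """Bel(hyp): total mass of focal elements contained in hyp."""
    return sum(v for k, v in m.items() if k <= hyp)

def plausibility(m, hyp):
    """Pl(hyp): total mass of focal elements that intersect hyp."""
    return sum(v for k, v in m.items() if k & hyp)

# Constructed sample evidence (not from the thesis): an IDS alert stream and a
# host-log analysis each assign mass to the host's threat level; unassigned
# mass (ignorance) goes to the whole frame THETA.
IDS_EVIDENCE = {frozenset({HIGH}): 0.7, THETA: 0.3}
HOST_EVIDENCE = {frozenset({HIGH}): 0.5, frozenset({MEDIUM}): 0.3, THETA: 0.2}

def fuse_consistent_sources():
    """Two mostly agreeing sources: K is small and belief in HIGH rises."""
    m, k = combine(IDS_EVIDENCE, HOST_EVIDENCE)
    return belief(m, frozenset({HIGH})), plausibility(m, frozenset({HIGH})), k

def fuse_conflicting_sources():
    """Zadeh-style counterexample: two sources that almost totally disagree.
    Plain Dempster's rule hands all mass to MEDIUM, which neither source
    favoured; K close to 1 is the signal that a conflict-aware combination
    (as in the thesis) should be used instead of the raw rule."""
    m1 = {frozenset({HIGH}): 0.99, frozenset({MEDIUM}): 0.01}
    m2 = {frozenset({LOW}): 0.99, frozenset({MEDIUM}): 0.01}
    m, k = combine(m1, m2)
    return m[frozenset({MEDIUM})], k
```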
Keywords/Search Tags:Network Threat Situation, Situation Deduce, Situation Assessment, Ontology, D-S Evidence Theory