
Research On Crucial Technologies Of Network Security Threat Situation Awareness Based On Multi-source Alerts

Posted on: 2015-02-22
Degree: Master
Type: Thesis
Country: China
Candidate: X X Ren
GTID: 2308330482479138
Subject: Computer Science and Technology

Abstract/Summary:
With the development of Internet technology and the informationization of society, the network has become an indispensable part of our lives. To enhance and maintain network security, many kinds of security devices have been deployed, but the lack of effective data fusion and cooperative management among them has become an obstacle to dealing with the different problems that arise in a network. Under these circumstances, research on network security threat situation awareness (NSTSA), as one of the next-generation security solutions, has both academic value and broad practical value.

Network security threat situation awareness based on the alerts of a variety of network equipment, including IDS, IPS, firewalls and operating systems, is the mainstream of today's research. However, most studies analyze and process the various data sources separately, which cannot effectively exploit the correlation between alerts, so the results obtained cannot accurately reflect the current network security threats. Aiming at these problems, this paper carries out research based on multi-source alerts. The innovative contributions of this thesis are enumerated as follows:

1. Analyzing the shortcomings of existing network security threat situation awareness models in analyzing and processing multi-source alerts, we propose a network security threat situation awareness model based on multi-source alerts, with threat situation data acquisition and threat situation element analysis as its main theme, and put forward the corresponding solutions.

2. In analyzing threat situation data and factors, we study common network security devices and the features of their alerts, give the appropriate solutions, and propose a unified situational-factor analysis and processing model, which is also the basis for the work of situational awareness of network threats. The study of network attacks is another important prerequisite for threat situation awareness work. With a deep understanding of network attacks, and based on the shortcomings of existing attack classification methods, we propose a procedure-oriented attack classification system.

3. In analyzing multi-source alerts, we use a step-by-step strategy. Firstly, we propose an aggregation analysis method based on the similarity degree of alert attributes. Secondly, we propose an improved D-S (Dempster-Shafer) evidence theory data fusion method to obtain high-credibility attack events as the network security threat situation factors.

4. In network attack correlation analysis, we propose a network attack correlation method based on a reasoning model. Firstly, each attack event is converted into its corresponding semantics using a semantic mapping model; then the reasoning model is used to obtain all possible attack transition vectors. Finally, we obtain the network attack scenario, which reflects the network attack behavior, by using correlation analysis algorithms. A network attack scenario can depict the intent of the attacker and effectively guide network security work.

Finally, the paper summarizes all of the work and looks ahead to the future of this subject.
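The abstract's third contribution describes a two-step pipeline: aggregate alerts whose attributes are similar enough to describe the same activity, then fuse the aggregated alerts with D-S evidence theory so that only high-credibility attack events become situation factors. The following is an added illustration of that pipeline, not code from the thesis: it implements the classic Dempster rule of combination (not the thesis's improved variant), and the alert records, attribute weights, time window, per-source false-positive rates and thresholds are all constructed assumptions chosen for the example.

```python
# Added example: multi-source alert aggregation by attribute similarity,
# followed by Dempster-Shafer fusion of the aggregated alerts.
# Everything below (alerts, weights, rates, thresholds) is constructed.

# Constructed sample alerts: one scan of 10.0.1.20 reported by three different
# sources within a few seconds, plus an unrelated single firewall alert.
ALERTS = [
    {"id": 1, "source": "ids",      "src": "10.0.0.5",    "dst": "10.0.1.20", "dport": 445, "type": "scan",       "ts": 100, "conf": 0.7},
    {"id": 2, "source": "firewall", "src": "10.0.0.5",    "dst": "10.0.1.20", "dport": 445, "type": "scan",       "ts": 104, "conf": 0.5},
    {"id": 3, "source": "host",     "src": "10.0.0.5",    "dst": "10.0.1.20", "dport": 445, "type": "scan",       "ts": 109, "conf": 0.6},
    {"id": 4, "source": "firewall", "src": "192.168.9.9", "dst": "10.0.1.30", "dport": 22,  "type": "bruteforce", "ts": 500, "conf": 0.4},
]

# Assumed attribute weights for the similarity degree (sum to 1.0).
WEIGHTS = {"src": 0.3, "dst": 0.3, "dport": 0.15, "type": 0.15, "ts": 0.1}
TIME_WINDOW = 30  # seconds; alerts further apart contribute no time similarity


def similarity(a, b):
    """Weighted attribute similarity in [0, 1]: exact match for categorical
    attributes, linear decay over TIME_WINDOW for the timestamp."""
    s = 0.0
    for key, w in WEIGHTS.items():
        if key == "ts":
            s += w * max(0.0, 1.0 - abs(a["ts"] - b["ts"]) / TIME_WINDOW)
        else:
            s += w * (1.0 if a[key] == b[key] else 0.0)
    return s


def aggregate(alerts, threshold=0.8):
    """Greedy single-linkage clustering: an alert joins the first cluster
    containing an alert at least `threshold` similar to it."""
    clusters = []
    for alert in alerts:
        for cluster in clusters:
            if any(similarity(alert, other) >= threshold for other in cluster):
                cluster.append(alert)
                break
        else:
            clusters.append([alert])
    return clusters


# Frame of discernment: the aggregated activity is an attack or it is normal.
A, N = frozenset({"attack"}), frozenset({"normal"})
THETA = A | N  # mass assigned to the whole frame means "source cannot tell"

# Assumed per-source false-positive rates, used as the mass on "normal".
SOURCE_FPR = {"ids": 0.1, "firewall": 0.2, "host": 0.1}


def alert_mass(alert):
    """Basic probability assignment derived from one alert."""
    fpr = SOURCE_FPR[alert["source"]]
    assert alert["conf"] + fpr <= 1.0, "masses must sum to at most 1"
    return {A: alert["conf"], N: fpr, THETA: 1.0 - alert["conf"] - fpr}


def combine(m1, m2):
    """Dempster's rule of combination: multiply masses of every pair of focal
    elements, keep the intersection, and renormalise by the non-conflicting
    mass. Total conflict (K == 1) has no defined result, so it raises."""
    result, conflict = {}, 0.0
    for s1, v1 in m1.items():
        for s2, v2 in m2.items():
            inter = s1 & s2
            if inter:
                result[inter] = result.get(inter, 0.0) + v1 * v2
            else:
                conflict += v1 * v2
    if conflict >= 1.0:
        raise ValueError("total conflict between sources; cannot combine")
    return {s: v / (1.0 - conflict) for s, v in result.items()}


def fuse_cluster(cluster):
    """Fuse all alerts of one cluster; report belief and plausibility of A."""
    m = alert_mass(cluster[0])
    for alert in cluster[1:]:
        m = combine(m, alert_mass(alert))
    return {"belief": m.get(A, 0.0), "plausibility": 1.0 - m.get(N, 0.0), "mass": m}


def high_credibility_events(alerts, sim_threshold=0.8, belief_threshold=0.8):
    """Run aggregation then fusion; keep clusters whose fused belief in
    'attack' reaches belief_threshold as attack events (situation factors)."""
    events = []
    for cluster in aggregate(alerts, sim_threshold):
        fused = fuse_cluster(cluster)
        if fused["belief"] >= belief_threshold:
            rep = cluster[0]
            events.append({
                "src": rep["src"], "dst": rep["dst"], "dport": rep["dport"], "type": rep["type"],
                "sources": sorted({a["source"] for a in cluster}),
                "alert_ids": [a["id"] for a in cluster],
                "belief": fused["belief"], "plausibility": fused["plausibility"],
            })
    return events


if __name__ == "__main__":
    for event in high_credibility_events(ALERTS):
        print(event)
```

With these constructed inputs the three scan alerts cluster together and fuse to a belief of 21/23 (about 0.913) in "attack", while the lone firewall alert stays at its original 0.4 and is not promoted to a situation factor. The point a practitioner should take from this is that corroboration across independent sources raises credibility far more than any single device's confidence, and that conflicting masses (one source saying attack, another saying normal) are absorbed by the renormalisation rather than silently ignored.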
Keywords: network security threat situational awareness, multi-source alerts, aggregation analysis, reasoning model, attack scenario