Research On Multi-Source Alerts Fusion And Situation Assessment For Cyberspace Situation Awareness

Posted on: 2015-11-21
Degree: Master
Type: Thesis
Country: China
Candidate: X Li
Full Text: PDF
GTID: 2348330509960838
Subject: Computer Science and Technology
Abstract/Summary:
Network situational awareness requires extracting information from security devices, filtering multi-source security information, and fusing and refining the feature information in order to grasp the cyberspace security situation. Data fusion and situation assessment are the key supporting technologies of cyberspace situational awareness. This thesis focuses on multi-source alert fusion based on fuzzy clustering and quantitative network situation evaluation based on attack graphs, which address redundant alerts, quantitative assessment of the network situation and related issues. The main work and contributions include:

1. It analyzes and summarizes the advantages and disadvantages of traditional situational awareness models and, on this basis, proposes a multi-stage, stratified hierarchical blackboard model for describing the functions and perception process of network situational awareness.

2. Because a large volume of multi-source, heterogeneous, redundant alert information is difficult to merge effectively, this thesis presents a fusion method based on fuzzy clustering and introduces alert fusion confidence analysis. In this method, the alert information collected from each sensor is first aggregated locally by alert time and type, then associated and integrated according to attribute weighting and a membership function, and finally an alert fusion confidence is introduced to aid analysis. This feature-level method needs little prior knowledge and adapts well. It fuses associated alert events faster than the classical method and improves the ability to identify new attack action sequences, which reduces the number of false alerts. The combined use of fuzzy clustering and confidence analysis achieves good practical results. Experimental results show that this method can effectively merge redundant alerts, which provides technical support for network situational awareness applications.

3. To address the problem of describing and evaluating the network situation, we propose a quantitative evaluation method based on attack graphs. First, vulnerabilities are quantified as specific property values called anti-attack values. Then the comprehensive network situation value is obtained by merging the vulnerability situation, computed over the attack graph of the entire network, with the threat situation generated from the fused alert information. Situation values calculated this way reflect not only the condition of a single node but also the situation of the entire network, which solves the problem of a unified description of the situation of complex networks.

4. This thesis builds a prototype multi-source alert integration system based on the OSSIM open source project, on which the multi-source alert integration and cyberspace situational awareness assessment functions were tested. The experiments achieved good results.
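An added illustration (not the thesis's own code) of the two-stage fusion outlined in contribution 2: local aggregation by alert time and type, then association by weighted attribute membership, with a fusion confidence attached to each merged cluster. The membership functions, weights, threshold and sample alerts are assumptions constructed for this example; the thesis's actual parameters are not given on this page.

```python
from dataclasses import dataclass
@dataclass
class Alert:
    ts: float       # seconds since capture start
    src: str
    dst: str
    sig: str        # alert type / signature name
    count: int = 1  # raw alerts folded into this record
# Constructed sample alerts from two sensors (not real data).
ALERTS = [Alert(0.0, "10.0.0.5", "10.0.0.9", "SSH brute force"),
          Alert(2.0, "10.0.0.5", "10.0.0.9", "SSH brute force"),
          Alert(3.5, "10.0.0.5", "10.0.0.9", "SSH brute force"),
          Alert(4.0, "10.0.0.5", "10.0.0.9", "SSH login success"),
          Alert(900.0, "10.0.0.7", "10.0.0.2", "Port scan")]
WEIGHTS = {"time": 0.3, "src": 0.3, "dst": 0.2, "sig": 0.2}  # assumed attribute weights
def local_aggregate(alerts, bucket=60.0):
    """Stage 1: collapse alerts of the same type inside one time bucket."""
    agg = {}
    for a in sorted(alerts, key=lambda x: x.ts):
        rep = agg.setdefault((a.sig, int(a.ts // bucket)), Alert(a.ts, a.src, a.dst, a.sig, 0))
        rep.count += a.count
    return list(agg.values())

def time_membership(a, b, window=60.0):
    """Triangular membership: 1 when simultaneous, 0 beyond the window."""
    return max(0.0, 1.0 - abs(a.ts - b.ts) / window)

def ip_membership(x, y):
    """Fraction of matching octets, so hosts in one subnet score partially."""
    return sum(p == q for p, q in zip(x.split("."), y.split("."))) / 4.0
def similarity(a, b):
    """Stage 2 association score: weighted sum of per-attribute memberships."""
    m = {"time": time_membership(a, b), "src": ip_membership(a.src, b.src),
         "dst": ip_membership(a.dst, b.dst), "sig": float(a.sig == b.sig)}
    return sum(WEIGHTS[k] * m[k] for k in WEIGHTS)

def fuse(alerts, threshold=0.7):
    """Greedy fuzzy clustering; a cluster's fusion confidence is the mean membership of the alerts merged into it (1.0 if none)."""
    clusters = []
    for a in sorted(local_aggregate(alerts), key=lambda x: x.ts):
        for c in clusters:
            s = similarity(c["rep"], a)
            if s >= threshold:
                c["members"].append(a); c["scores"].append(s); break
        else:  # nothing close enough: start a new cluster around this alert
            clusters.append({"rep": a, "members": [a], "scores": []})
    for c in clusters:
        c["confidence"] = sum(c["scores"]) / len(c["scores"]) if c["scores"] else 1.0
        c["raw_alerts"] = sum(m.count for m in c["members"])
    return clusters
```

On the sample input the five raw alerts collapse to two fused events: the brute-force burst and the following login (confidence 0.78), and the unrelated scan as a singleton.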
Keywords/Search Tags: Situational Awareness, Data Fusion, Situation Assessment, Fuzzy Clustering