
Research On The State Explosion Problem Of Network Security Situation Awareness

Posted on: 2020-07-15
Degree: Master
Type: Thesis
Country: China
Candidate: Y H Zhu
Full Text: PDF
GTID: 2428330575953246
Subject: Computer Science and Technology
Abstract/Summary:
With the rapid development of the Internet, attackers use more and more sophisticated attacks. It becomes increasingly difficult to protect a network from intrusions using traditional network security technology. Thus, network security situation awareness, which focuses on comprehensive and active defense, is of great interest to the network security community. Although network security situation awareness can provide accurate security strategies, providing those strategies in real time remains challenging. One main challenge is the state explosion problem in the analysis of attack behavior, which is caused by the massive scale and complex structure of the network. This paper aims to solve the state explosion problem and improve the real-time performance of network security situation awareness. The main research contents include the following aspects.

1) We collect the node interaction data in the laboratory network and alter the modularity function of the FastNewman algorithm to make it suitable for community detection in the node interaction data. Based on the community detection method and the node interaction data, we detect the community structure of the network system.

2) Based on the community structure, the target network is divided into several logical subnets of various sizes. The logical subnets and the connections between them constitute the logical network. Then, we generate a two-layer attack graph. At the top level, state nodes are generated according to the different attack states of each logical subnet, and the connections between top-level state nodes are generated in terms of the basic information of the network. At the bottom level, state nodes are generated according to the different attack states of each physical node, and the connections between bottom-level state nodes are generated in line with the basic information of the network. The mapping relationship between top-level state nodes and bottom-level state nodes is generated in light of the containment relationship between logical subnets and physical nodes.

3) Based on the original and logical networks, the selection of the attack path is optimized according to the monotonic principle of attack behavior.

To validate the effectiveness of our method, we conduct an experiment in our lab. The experiment results show that the method proposed in this paper can effectively solve the state explosion problem of network security situation awareness.
Keywords/Search Tags: network security, situation awareness, state explosion, community detecting