
The Research On Network Security Situation Awareness Based On Data Mining

Posted on: 2020-11-02
Degree: Master
Type: Thesis
Country: China
Candidate: Q Ye
Full Text: PDF
GTID: 2428330590995376
Subject: Software engineering

Abstract/Summary:
In recent years, the problem of Internet security has become increasingly acute. With the growth of network scale and the increasing complexity of attack methods, network security technology based on a single protection device can no longer cope with the security detection and protection of large-scale networks. To solve this problem, this paper proposes a method of network security situation awareness based on data mining: because data mining can quickly discover useful information in massive data, it can be used to build awareness of the network situation. This paper combines multi-source alert fusion, data mining and situation awareness to assess threats to a large-scale network, in order to provide warning of and defense against network threats. The main work of this paper includes three aspects:

(1) This paper proposes a method of merging redundant alerts based on a similarity feature. Because alerts generated by different security detection devices cannot be shared and analyzed collaboratively, the different alerts are first unified with the IDMEF model. The similarity feature is then improved, and alert fusion is performed with the improved similarity feature in order to reduce the number of redundant alerts. Finally, experiments show that the method fuses redundant alerts efficiently.

(2) This paper proposes a method of mining maximal multi-step attack sequences based on an improved Apriori. First, an improvement to Apriori, a frequent-pattern mining algorithm belonging to data mining, is proposed. Then, in order to uncover the relationships between independent alarms, the multi-step attack patterns hidden in the network are mined with N-Apriori to obtain higher-level attack semantics. Finally, experiments show that N-Apriori improves the efficiency of multi-step attack sequence mining.

(3) This paper proposes a method of network security situation assessment based on DS evidence theory. First, each multi-step attack sequence is used as a piece of DS evidence. Then, multiple pieces of evidence are combined through the DS combination formula to evaluate the situation risk value of each host. Last, the situation risk value of the whole network is calculated from the risk value and the importance of each host. Finally, experiments show that the DS-based method evaluates the network situation accurately.
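The first contribution above, merging redundant alerts from different sensors once they have been mapped to a common IDMEF-style record, can be illustrated with a small similarity-based fusion pass. The following Python is an added example and not code from the thesis: the Alert fields, the feature weights, the prefix-based IP similarity, the five-minute time window, the 0.85 merge threshold and the sample alerts are all assumptions chosen for the illustration, not the similarity feature the thesis defines.

```python
from dataclasses import dataclass, field
from datetime import datetime, timedelta
from ipaddress import ip_address
from typing import List

# Hypothetical minimal alert record, modelled on the IDMEF fields that sensors
# typically fill (Analyzer, Source, Target, Classification, CreateTime).
@dataclass
class Alert:
    analyzer: str          # sensor that produced the alert
    source: str            # source IP address
    target: str            # target IP address
    classification: str    # attack name / signature
    create_time: datetime  # when the sensor created the alert


@dataclass
class HyperAlert:
    """A merged alert: the representative plus every raw alert it absorbed."""
    rep: Alert
    members: List[Alert] = field(default_factory=list)


def ip_similarity(a: str, b: str) -> float:
    """1.0 for an exact match, at most 0.5 for a shared address prefix (assumed scoring)."""
    if a == b:
        return 1.0
    pa, pb = ip_address(a).packed, ip_address(b).packed
    shared = 0
    for x, y in zip(pa, pb):
        if x != y:
            break
        shared += 1
    return shared / len(pa) * 0.5


def time_similarity(t1: datetime, t2: datetime, window: timedelta) -> float:
    """Decays linearly from 1.0 (same instant) to 0.0 at the edge of the window."""
    return max(0.0, 1.0 - abs(t1 - t2) / window)


# Assumed attribute weights; they sum to 1 so the similarity lies in [0, 1].
WEIGHTS = {"source": 0.3, "target": 0.3, "classification": 0.25, "time": 0.15}


def similarity(a: Alert, b: Alert, window: timedelta) -> float:
    """Weighted similarity feature over the four attributes above."""
    s = WEIGHTS["source"] * ip_similarity(a.source, b.source)
    s += WEIGHTS["target"] * ip_similarity(a.target, b.target)
    s += WEIGHTS["classification"] * (1.0 if a.classification == b.classification else 0.0)
    s += WEIGHTS["time"] * time_similarity(a.create_time, b.create_time, window)
    return s


def fuse_alerts(alerts, threshold=0.85, window=timedelta(minutes=5)):
    """Greedy single pass in time order: an alert joins the first hyper-alert whose
    newest member it resembles at least `threshold`, otherwise it opens a new one."""
    hyper: List[HyperAlert] = []
    for a in sorted(alerts, key=lambda x: x.create_time):
        for h in hyper:
            if similarity(a, h.members[-1], window) >= threshold:
                h.members.append(a)
                break
        else:
            hyper.append(HyperAlert(rep=a, members=[a]))
    return hyper


# Constructed sample: two sensors report the same scan three times, one alert
# concerns a neighbouring host, and one is an unrelated event.
BASE = datetime(2020, 1, 1, 12, 0, 0)
SAMPLE_ALERTS = [
    Alert("snort",    "10.0.0.5", "192.168.1.10", "Port scan",     BASE),
    Alert("suricata", "10.0.0.5", "192.168.1.10", "Port scan",     BASE + timedelta(seconds=30)),
    Alert("snort",    "10.0.0.5", "192.168.1.10", "Port scan",     BASE + timedelta(minutes=1)),
    Alert("snort",    "10.0.0.5", "192.168.1.20", "Port scan",     BASE + timedelta(minutes=2)),
    Alert("suricata", "10.0.0.7", "192.168.1.30", "SQL injection", BASE + timedelta(minutes=3)),
]

if __name__ == "__main__":
    merged = fuse_alerts(SAMPLE_ALERTS)
    print(f"{len(SAMPLE_ALERTS)} raw alerts -> {len(merged)} hyper-alerts")
    for h in merged:
        print(f"  {h.rep.classification} {h.rep.source}->{h.rep.target}: {len(h.members)} raw alert(s)")
```

With these weights the three identical port-scan reports collapse into one hyper-alert (similarity 0.985 between neighbours), while the alert against 192.168.1.20 stays separate because a shared /24 only earns partial target credit (0.7825 in total, below the threshold). Comparing against the newest member of each hyper-alert keeps a long-running event from fragmenting once it outlives the time window measured from its first alert.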
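The third contribution, combining each mined attack sequence as a piece of evidence with the DS combination rule and rolling host risk up to the network, is easiest to follow with the arithmetic written out. The Python below is an added example, not the thesis's implementation: the three-level frame of discernment, the numeric value assigned to each level, the mass functions attached to each sample attack sequence, the pignistic readout used to turn a combined mass function into one risk number, and the importance-weighted mean for the network are all assumptions made for this illustration.

```python
from itertools import product
from typing import Dict, FrozenSet, List

# Assumed frame of discernment: three situation levels for a host.
THETA = frozenset({"low", "medium", "high"})
# Assumed numeric risk attached to each level when reading out a single value.
LEVEL_VALUE = {"low": 0.2, "medium": 0.5, "high": 0.9}

Mass = Dict[FrozenSet[str], float]   # basic probability assignment over subsets of THETA


def combine(m1: Mass, m2: Mass) -> Mass:
    """Dempster's rule: m(A) = sum_{B & C = A} m1(B) m2(C) / (1 - K),
    where K is the total mass falling on empty intersections (conflict)."""
    conflict = 0.0
    joint: Mass = {}
    for (b, mb), (c, mc) in product(m1.items(), m2.items()):
        a = b & c
        if not a:
            conflict += mb * mc
        else:
            joint[a] = joint.get(a, 0.0) + mb * mc
    if conflict >= 1.0:
        raise ValueError("total conflict: the evidence cannot be combined")
    return {a: v / (1.0 - conflict) for a, v in joint.items()}


def combine_all(masses: List[Mass]) -> Mass:
    """Fold the combination rule over every piece of evidence for one host."""
    result = masses[0]
    for m in masses[1:]:
        result = combine(result, m)
    return result


def pignistic(m: Mass) -> Dict[str, float]:
    """Spread the mass of each focal set evenly over its members (assumed readout)."""
    betp = {x: 0.0 for x in THETA}
    for a, v in m.items():
        for x in a:
            betp[x] += v / len(a)
    return betp


def host_risk(evidence: List[Mass]) -> float:
    """Situation risk value of one host from its attack-sequence evidence."""
    betp = pignistic(combine_all(evidence))
    return sum(LEVEL_VALUE[x] * p for x, p in betp.items())


def network_risk(host_risks: Dict[str, float], importance: Dict[str, float]) -> float:
    """Importance-weighted mean of the host risk values (assumed aggregation)."""
    total = sum(importance.values())
    return sum(importance[h] * host_risks[h] for h in host_risks) / total


# Constructed evidence. Each mass function stands for one mined multi-step
# attack sequence observed against the host; mass on THETA itself is ignorance.
H, M = frozenset({"high"}), frozenset({"medium"})
MH = frozenset({"medium", "high"})
WEB_EVIDENCE = [
    {H: 0.6, MH: 0.3, THETA: 0.1},   # scan -> exploit attempt sequence
    {M: 0.5, MH: 0.3, THETA: 0.2},   # repeated login failures sequence
]
DB_EVIDENCE = [
    {M: 0.4, THETA: 0.6},            # a single weakly supported sequence
]
IMPORTANCE = {"web": 0.6, "db": 0.4}  # assumed asset importance weights

if __name__ == "__main__":
    risks = {"web": host_risk(WEB_EVIDENCE), "db": host_risk(DB_EVIDENCE)}
    for name, r in risks.items():
        print(f"host {name}: risk {r:.4f}")
    print(f"network risk: {network_risk(risks, IMPORTANCE):.4f}")
```

For the web host the two sequences disagree on 0.3 of their mass (high versus medium), so after normalisation by 1 - K = 0.7 the combined assignment is high 3/7, medium 2/7, {medium, high} 9/35 and Theta 1/35; the pignistic readout gives a host risk of 152/210, about 0.724, while the single weak sequence on the database host yields 0.52 and the network value is roughly 0.642. The explicit conflict check matters in practice: fully contradictory evidence would divide by zero, and a high K is itself a signal that the mined sequences disagree and deserve a second look.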
Keywords/Search Tags: Network security situation awareness, Alerts fusion, Frequent pattern mining, Multi-step attack sequence, DS evidence theory, Network security situation assessment