
Research On Security Situational Awareness Based On Network Security Events

Posted on: 2020-12-19  Degree: Master  Type: Thesis
Country: China  Candidate: Y X Ji  Full Text: PDF
GTID: 2428330602450573  Subject: Cryptography
Abstract/Summary:
As the Internet grows explosively, cyber attacks keep emerging, making network security increasingly important. The normal operation of the network bears on whether national or even global information flows can remain relatively stable. Therefore, when a network attack occurs, it is urgent to be able to perceive and analyze the network security status accurately and to take effective measures in time. Network Security Situation Awareness (NSSA) technology has emerged to meet this need. Its main goal is to perceive and measure the overall network security situation and to form a "complete view" of network attack behavior in time. NSSA is very important for precisely locating attack activity and predicting the trend of an attacker's follow-up activities. It can also help defenders adopt defense strategies in time.

The current state of NSSA research shows that, although scholars have done a great deal of work from different angles, many problems remain. First, the sourcing and processing of data is the basis of situational awareness research; it involves multiple data fusion technologies, and it is difficult to process the data into a unified structure, which complicates follow-up work in situational awareness research. Second, cybersecurity incidents have not received extensive attention as an important parameter for situational awareness research, and past research has not produced a complete security incident handling solution. Finally, if only the information contained in a single network security event is considered, and the intrinsic connections between different security events are not analyzed in depth, it is difficult to assess the actual network state during network attack and defense, and it is impossible to analyze and process large, complex networks from a macro perspective.

In response to the above problems, this thesis carries out a series of research work. Its innovations and main contributions are as follows:

(1) Using the Scrapy web crawler framework, network security event data was collected from well-known sources such as Freebuf, Sihou, Security Cafe, and Threat Post. Based on the vulnerability database of the National Computer Network Intrusion Prevention Center, a network security event database was designed and established. At present, the network security event database holds 43848 records. The establishment of this event database enriches the data foundation of situational awareness research and makes it easier for researchers to query, retrieve and analyze the data.

(2) A text-based network security event analysis tool was designed and implemented. The tool cleans the text of network security events. A neural network model is used to classify the acquired network security events. A hidden Markov model is used to decompose and extract text information, and the similarity between different security events is calculated by combining the Doc2Vec and Word2Vec algorithms. Compared with traditional security event processing methods, the tool designed in this thesis pays more attention to the semantic features of the text context and can gradually discover hidden relationships between different words. Together these form a highly applicable and comprehensive network security event handling solution.

(3) To reveal the relationships between different network security events, concepts from system theory are introduced and unit security events are defined. Four evolution modes of security events (point, chain, network and super network) are used for progressive analysis. A semantic association model based on network security events is established, and a method for constructing a super-network evolution model based on security events is presented. The proposed model reveals the chain reaction mechanism of security incidents and provides a theoretical basis for impact measurement and evaluation methods for security incidents, so that the inherent links between network security incidents can be clearly presented.
Keywords/Search Tags: Security Situational Awareness, Network Security Events, Text Processing, Super Network