
Design And Implementation Of Multi-source Data Fusion System Oriented To Network Security Situation Awareness

Posted on: 2021-12-15
Degree: Master
Type: Thesis
Country: China
Candidate: R Zheng
Full Text: PDF
GTID: 2518306557494134
Subject: Computer technology
Abstract/Summary:
The iterative development of the Internet has spawned a technological revolution and promoted social change; however, as a double-edged sword, the rise of the cyber world has also brought serious security challenges. In recent years, numerous cybersecurity incidents have seriously affected the social order, and the traditional hindsight mode of security technology is somewhat weak in dealing with multi-dimensional, multi-step, and highly covert cyber-attacks. To proactively discover attack intentions and details hidden in complex network data, Network Security Situation Awareness (NSSA) technology has been developed. NSSA is regarded as a kind of cognitive behavior towards the network security state; it needs a large amount of underlying data as support, and the log data that records network state information is one of the data sources of situational awareness experiments. According to the actual data processing requirements of network security situational awareness, this paper presents the details of a multi-source data fusion system through its data reduction module, data fusion module and data retrieval module, to provide a complete data support service for network security situational awareness.

The data reduction module mainly solves the problem that the storage space of log data is too large when it is archived. Network forensics technology requires the system to retain log data and other information for a long period of time so that, when an attack is exposed, the steps and details of the network attack can be deduced in reverse; this leads to the need for a large storage space. Because data fusion and log data acquisition run at unequal speeds, the system also needs to cache log data locally. To relieve the storage pressure on the system, this paper carries out data reduction on the original data according to the similarity of log attributes within a local time window, which greatly reduces the storage space of log data without destroying the original log structure.

The data fusion module mainly realizes the enrichment and fusion functions for log data. The data packets transmitted in the network are limited in length and only provide a small amount of critical data, which is not conducive to in-depth analysis of the network status. Existing logging systems usually subdivide network logs into multiple types, and although the processed log files have rich data types, this distributed structure is not conducive to holistic analysis of network security. In this paper, based on the existing information in the raw log data, combined with IPCIS (IP Comprehensive Information System) and a threat intelligence database, the raw data is enriched with attributes such as management attribution, geographic location and threat intelligence. This enrichment provides situational awareness with relevant information from different fields to improve the reliability of the analysis results.

The data retrieval module is mainly used to provide retrieval and querying of the data fusion results, including a complete retrieval language and a visual operation interface. Network security situational awareness does not require all the data in actual use; experimenters select part of the data for analysis through specific conditions such as timestamps, strings and IPs according to the analysis requirements. To support fast response to query requests on fusion results, this paper uses rich data types to describe events, bitmap indexes to achieve fast hits, and a refined search language to provide query services. At the same time, the system can also provide user-oriented services such as data retrieval display and download through Web pages.
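The reduction step (merging records with similar attributes inside a local time window) and the bitmap-index retrieval described above, as an added Python example that is not code from the thesis; the field names, the 60-second window and the sample records are constructed assumptions.

```python
from datetime import datetime, timedelta

# Constructed sample firewall-style log records (assumption: not data from the thesis).
SAMPLE_LOGS = [
    {"ts": "2021-06-01T10:00:00", "src": "10.0.0.5", "dst": "192.0.2.10", "event": "deny"},
    {"ts": "2021-06-01T10:00:02", "src": "10.0.0.5", "dst": "192.0.2.10", "event": "deny"},
    {"ts": "2021-06-01T10:00:03", "src": "10.0.0.7", "dst": "192.0.2.10", "event": "allow"},
    {"ts": "2021-06-01T10:00:04", "src": "10.0.0.5", "dst": "192.0.2.10", "event": "deny"},
    {"ts": "2021-06-01T10:05:00", "src": "10.0.0.5", "dst": "192.0.2.10", "event": "deny"},
]

KEY_FIELDS = ("src", "dst", "event")  # attributes compared for "similarity" (assumed)

def reduce_logs(logs, window_seconds=60):
    """Collapse records sharing KEY_FIELDS that arrive within window_seconds of the
    first record of their run. Original fields are kept; 'count' and 'last_ts' are added."""
    reduced = []
    open_runs = {}  # key tuple -> index of the reduced record currently absorbing hits
    for rec in sorted(logs, key=lambda r: r["ts"]):
        key = tuple(rec[f] for f in KEY_FIELDS)
        ts = datetime.fromisoformat(rec["ts"])
        idx = open_runs.get(key)
        if idx is not None:
            first_ts = datetime.fromisoformat(reduced[idx]["ts"])
            if ts - first_ts <= timedelta(seconds=window_seconds):
                reduced[idx]["count"] += 1
                reduced[idx]["last_ts"] = rec["ts"]
                continue
        # Outside the window (or a new key): start a new reduced record.
        open_runs[key] = len(reduced)
        reduced.append(dict(rec, count=1, last_ts=rec["ts"]))
    return reduced

def build_bitmap_index(records, fields):
    """One bitmap per (field, value), stored as a Python int; bit i is set when
    records[i] has that value. Bitwise AND of bitmaps answers conjunctive queries."""
    index = {}
    for i, rec in enumerate(records):
        for f in fields:
            index[(f, rec[f])] = index.get((f, rec[f]), 0) | (1 << i)
    return index

def query(index, records, **conditions):
    """Return the records matching every field=value condition via bitmap AND."""
    bits = (1 << len(records)) - 1  # start with all records selected
    for f, v in conditions.items():
        bits &= index.get((f, v), 0)  # unknown value -> empty bitmap -> no hits
    return [records[i] for i in range(len(records)) if (bits >> i) & 1]
```

With the sample above, the three denies from 10.0.0.5 at 10:00 collapse into one record with count 3, while the deny five minutes later starts a new record because it falls outside the window.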
Keywords/Search Tags: Situation Awareness, Network Log, Log Reduction, Data Fusion, Data Retrieval