
Research On Network Security Threat Situation Assessment And Analysis

Posted on: 2011-10-12
Degree: Doctor
Type: Dissertation
Country: China
Candidate: J Ma
Full Text: PDF
GTID: 1118330332968062
Subject: Information security
Abstract/Summary:
Facing an increasingly complex and severe network security environment, traditional security detection and protection methods can no longer satisfy the current demands of network security management. As a new approach to network security management, network situation awareness and security evaluation has become an important research area. Its goal is to fuse the information produced by existing security equipment, extract security factors, evaluate and forecast attack threats and the security state, and provide scientific information for network security planning and for formulating management countermeasures.

At present there are still many challenges in network security and threat situation awareness technology. For example, false positive alerts lower the quality of the evaluation data; evaluation models without unified standards confuse the relations among security factors; static evaluation methods perform poorly at dynamic threat awareness; and heavy dependence on expert knowledge leaves the methods without quantification standards.

In this work, a threat awareness method based on alert analysis is proposed. Based on an analysis of the heavy-tailed distribution of alerts, an alert sequence model is built. Spectrum analysis of the alert sequence indicates that the sequence can be decomposed into a major part and a residual part. The major part changes gently and has a continuing character, reflecting the natural characteristics of the alert sequence; anomalies occurring in the residual part are important evidence for threat awareness. The work proposes a spectrum analysis based anomaly detection approach for alert sequences that uses sliding windows: a basic window is used to construct the natural characteristics of the alert sequence, a detection window is used to monitor for anomalies, and the distance between the two is taken as the detection criterion. To address the low efficiency caused by recalculating and reconstructing the sliding basic window, the work proposes an incremental updating method that adopts new characteristics into the major part of the alert sequence, which decreases the corresponding time cost. The method does not take periodicity, trend or stationarity of the sequence as a premise, and it is able to adapt to structural changes in the sequence. Comparative experiments show that the true positive rate reaches above 92%. The approach not only eliminates massive numbers of false alerts but also recognizes the true threats hidden in the alert noise.

An information fusion based method for quantitatively evaluating the network threat situation is proposed. The relations between security incidents, between security incidents and vulnerabilities, and between security incidents and the property (asset) environment are analyzed. On this basis, a threat evaluation model based on multi-factor correlation and fusion is presented. The model is composed of three parts: threat degree, threat severity and property value. The threat degree describes the probability that an attack succeeds, the threat severity describes the damage caused by an attack, and the property value reflects the loss caused by an attack. By mining the spatial and temporal correlations of alerts, correlation patterns and rules are built; the threat degree value is obtained by combining the degree to which alerts match the rules with the degree to which they match the environmental information. The factors of threat severity are alert severity, vulnerability and service availability. A series of fuzzy membership functions is defined for these factors, which resolves the problem of fusing alert information with vulnerability information, and fuzzy rules for calculating the threat severity are presented. The whole method is a fusion process whose result is the threat situation value of an object. Experiments show that the approach can dynamically quantify the threat level of a protected host or network and display the network threat situation directly. The evaluation results can support the search for the causes of security problems and the adjustment of security policies.

For threat situation forecasting, a combination forecast model is applied. By combining several single forecast models, the shortcomings of each are relieved. An information entropy based method is applied to determine the relations among the models. The experiments indicate that the combination forecast model improves the accuracy of network threat situation forecasting and updates the warning level.

The work also proposes an alert attack graph based method for analyzing the threat situation. On the basis of analyzing threat propagation behaviors, the alert attack graph model is proposed. The model uses the alert information to construct a weighted directed graph: the IP addresses in the alerts form the nodes, each edge represents the alerts between a pair of nodes, and the weight of an edge indicates the threat impact between that pair. A node in the attack graph corresponds to a threat propagation node, and a path in the attack graph corresponds to a threat propagation edge. The edge weight is determined by the threat frequency, and an algorithm for constructing the attack graph is proposed. The most threatening node or edge is then the one passed most frequently by the others, and the concept of betweenness centrality for the attack graph is defined accordingly. In addition, the concept of an attack graph sequence is proposed, in which attack graphs are constructed from the alert information of different time spans. According to the frequency with which a node (edge) with high betweenness centrality occurs in the attack graph sequence, the threat node (edge) can be identified, and the goal of macroscopic network threat situation analysis is achieved.

The merits of the alert attack graph based threat situation analysis method are: 1) it dynamically reflects the network threat scene; 2) the construction of the attack graph and the process of situation analysis are carried out automatically, which reduces the dependence on expert knowledge; 3) alert information is easily obtained, and the method adapts to a broad range of network scopes.
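As an added example that is not the dissertation's own code, the following builds the alert attack graph described above, computes betweenness centrality to find the node passed most often by the others, and counts over an attack graph sequence how often each node tops the betweenness. It assumes constructed sample alerts, a fixed-length time span per graph in the sequence, and betweenness over unweighted shortest paths, with the alert count kept only as the edge weight (threat frequency).

```python
from collections import defaultdict, deque
# Constructed sample alerts as (time, source IP, destination IP); not data from the dissertation.
ALERTS = [(0, "10.0.0.1", "10.0.0.2"), (1, "10.0.0.1", "10.0.0.2"), (2, "10.0.0.2", "10.0.0.3"),
          (3, "10.0.0.2", "10.0.0.4"), (4, "10.0.0.3", "10.0.0.5"), (5, "10.0.0.4", "10.0.0.5"),
          (10, "10.0.0.1", "10.0.0.2"), (11, "10.0.0.2", "10.0.0.3"), (12, "10.0.0.3", "10.0.0.5"),
          (20, "10.0.0.6", "10.0.0.2"), (21, "10.0.0.2", "10.0.0.4"), (22, "10.0.0.2", "10.0.0.3")]
def build_attack_graph(alerts):
    """Nodes are alert IPs; edge src->dst stands for those alerts, weight = alert count (threat frequency)."""
    graph = defaultdict(lambda: defaultdict(int))
    for _, src, dst in alerts:
        graph[src][dst] += 1
        graph.setdefault(dst, defaultdict(int))  # pure targets still become nodes
    return graph

def betweenness(graph):
    """Brandes' betweenness over unweighted shortest paths (assumption: weights are not path costs)."""
    bc = dict.fromkeys(graph, 0.0)
    for s in graph:
        stack, pred = [], {v: [] for v in graph}
        sigma, dist = dict.fromkeys(graph, 0), dict.fromkeys(graph, -1)
        sigma[s], dist[s], queue = 1, 0, deque([s])
        while queue:  # BFS from s: shortest-path counts (sigma) and predecessors
            v = queue.popleft()
            stack.append(v)
            for w in graph[v]:
                if dist[w] < 0:
                    dist[w] = dist[v] + 1
                    queue.append(w)
                if dist[w] == dist[v] + 1:
                    sigma[w] += sigma[v]
                    pred[w].append(v)
        delta = dict.fromkeys(graph, 0.0)
        while stack:  # accumulate dependencies in reverse BFS order
            w = stack.pop()
            for v in pred[w]:
                delta[v] += sigma[v] / sigma[w] * (1 + delta[w])
            if w != s:
                bc[w] += delta[w]
    return bc

def threat_nodes(alerts, span):
    """Attack graph sequence: one graph per time span; count how often each node tops the betweenness."""
    windows, counts = defaultdict(list), defaultdict(int)
    for alert in alerts:
        windows[alert[0] // span].append(alert)
    for key in sorted(windows):
        bc = betweenness(build_attack_graph(windows[key]))
        top = max(bc.values())
        counts.update({n: counts[n] + 1 for n, v in bc.items() if v > 0 and v == top})
    return dict(counts)
```

On the constructed alerts, 10.0.0.2 tops the betweenness in every time span of length 10, which is how the attack graph sequence singles it out as the threat node.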
Keywords/Search Tags: Threat Situation Evaluation, Threat Situation Forecast, Threat Situation Analysis, Information Fusion, Correlation Analysis, Attack Graph