Research On Key Technologies Of Network Security Assessment

Posted on: 2014-10-25
Degree: Doctor
Type: Dissertation
Country: China
Candidate: J F Zhang
GTID: 1228330422974196
Subject: Computer Science and Technology

Abstract/Summary:
The network has become an essential information infrastructure of our country, and it faces frequent network attacks. In response to the threat of network attacks, enterprises and security operators have deployed a large number of network security devices, such as IDSs and firewalls. However, most of these devices are used separately within their own administrative domains and suffer from a lack of information sharing. At the national and global levels, there is no global control of the large-scale network security situation. Therefore, building a large-scale network security situation analysis system on top of current network security infrastructures and technologies has become an urgent necessity, especially for network security situation control, analysis and forecasting.

In this dissertation, a number of key technologies are proposed to address the aforementioned issues in network security situation analysis systems. When network attacks happen, a large number of network security alarms are produced by the network security devices deployed on all layers of the network. Because the alarms are massive, several key technologies are proposed in this dissertation to evaluate network security, so as to help network administrators comprehend the network security situation and find and respond to significant network security events in time. These include quantitative evaluation of network security, determining the importance of the assessment indicators for different applications, and ranking the critical network alerts based on users' preferences. In summary, the major contents and contributions of this dissertation are as follows:

1. On network security situation assessment, the existing methods suffer from many disadvantages, such as insensitive computation and a lack of real-time capability, availability and sensitivity. To tackle those issues, a new hierarchical network security evaluation method based on an index system is proposed. The network elements that are affected by network attacks in a network security environment are discussed and summarized in order to measure the security state of the network. Together these network elements form the situational assessment factors. To fulfill different requirements in different environments, the method evaluates the network security situation by configuring the mapping from situational assessment factors to the security situation. According to the logical and physical characteristics of network environments, a hierarchical situation aggregation method is proposed. This method considers the impact of coordinated attacks in a large-scale network and improves the accuracy of large-scale network security situation evaluation.

2. On mining users' preferences in network security evaluation, an interactive algorithm is proposed to solve the problem that users find it very difficult to specify their preferences accurately enough to get top-k results. The main idea of the algorithm is to interact with users to mine their potential preferences, and its final goal is to obtain an accurate preference value through a small number of interactive rounds. Unlike traditional sampling methods, representative weight vectors are introduced to significantly reduce the number of sampling points and improve the efficiency of the algorithm. Based on the representative weight vectors, a pruning policy on the candidate objects is proposed to remove, as early as possible, the objects that have no chance of appearing in the top-k results. On the basis of empirical observation, an optimal pair of objects is returned to the user in order to learn his or her preference. This optimal pair of objects accelerates the convergence rate of the weight space. The experimental results show that the algorithm proposed in this dissertation can efficiently obtain the user's potential preference.

3. On modifying the situation preference, in response to users' questions about the k most serious network security alerts returned by the system, a novel method is proposed to modify the network security evaluation parameters based on user feedback. First, an assessment model is defined to evaluate the difference between two top-k queries. Then, based on the assessment model, a sampling method is used to sample the candidate weight vectors from an accuracy subspace of the weight space. After that, for each candidate weight vector, a progressive top-k algorithm is used to get the optimal new query. Furthermore, the termination conditions of the progressive top-k algorithm are improved by the assessment model. Finally, the experimental results show that the algorithm proposed in this dissertation has good execution efficiency.

4. YHSAS is implemented for network security situation awareness. YHSAS contains six parts: a data collection subsystem, a data integration subsystem, a correlation analysis subsystem, a situation assessment subsystem, a trend prediction subsystem and a display subsystem. The situation assessment subsystem, which is implemented based on the key technologies proposed in this dissertation, plays a vital role in the network security analysis system (YHSAS). The results identified by The Ministry of Information Industry Network and Information Security Testing Laboratory and Changsha Software Testing Laboratory show that the network security index system in YHSAS is customizable, self-adaptive, self-feedback and quantifiable. The network security index system can describe the current macroscopic overall security state of the target network, and can adapt to different application requirements. In detecting and sorting serious network security events, YHSAS can effectively detect serious network attacks such as scanning attacks and DoS attacks. YHSAS can get the top-k serious attacks according to the user's preference, and can also adjust the top-k serious attacks according to the user's feedback. In addition, YHSAS is successfully used at many organizations, such as The National Computer Network Emergency Response Technical Team Coordination Center of China (CNCERT/CC), The Network Security Department of the State Information Center, and The National Computer Virus Emergency Response Center. The technologies in this dissertation are effectively verified in the actual environment and play a crucial role in YHSAS.

Keywords/Search Tags: Network Security Situation, Situation Assessment, Preference Mining, Preference Refinement