
Situation Awareness System Based On Multi-source Data Fusion

Posted on: 2024-05-08
Degree: Master
Type: Thesis
Country: China
Candidate: S C Li
Full Text: PDF
GTID: 2568306941484334
Subject: Computer technology
Abstract/Summary:
With the continuous development of Internet infrastructure, the successive emergence of new network applications, the gradual expansion of network scale, and the increasing complexity of network topology, network security management is becoming increasingly difficult. A network security situational awareness system can assess the current network status and detect the network security situation so as to notify management personnel when threats emerge. Current network security situational awareness systems, however, suffer from false positives: they may incorrectly identify normal behavior as malicious, which leads to additional workload and unnecessary disruptions. In addition, their input data comes from a single source, which cannot provide comprehensive original information for detection. To address these two points, this paper has done the following work:

(1) Developed a parser for more than ten popular application logs. Based on a classification of current popular application execution models and their corresponding execution units, we develop a parser for application logs with the same execution model and execution units, unify the formats of application logs and OS logs, and provide a standard input of multi-source logs for threat detection.

(2) Proposed a threat detection method based on multi-source log fusion. The method converts logs into traceability graphs, extracts system entity interactions into bipartite graphs, synthesizes knowledge graphs, and then inputs them into a recommendation model for learning and prediction. The effectiveness of the method is verified experimentally.

(3) Designed and implemented a threat situational awareness system based on a recommendation algorithm that fuses multi-source logs, including a log collection module, a data pre-processing module, a threat analysis module, and others. Experiments verified the effectiveness of the system.
Keywords/Search Tags:situation awareness, multi-source logs, data fusion, recommendation algorithm, threat detection