Uploaded: 2014-06-12 11:22:13
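A paper on network security situation awareness: A Framework of Network Security Situation Analysis Based on the Technologies of Event Correlation and Situation Assessment (network security situation analysis based on event similarity detection and situation assessment techniques).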
A Framework of Network Security Situation Analysis Based on the Technologies of Event Correlation and Situation Assessment

Feng Xuewei[1], Wang Dongxia[1], Ke Shanwen[2], Ma Guoqing[1], Li Jin[1]

[1] (Beijing Institute of System Engineer, National Key Laboratory of Science and Technology on Information System Security, Beijing 100101, China)
[2] (Xichang Satellite Launch Center, Sichuan 615000, China)
e-mail: brafum@yeah.net, dongxiawang@126.com
Abstract—After analyzing the existing research on network security situation awareness, a framework of situation analysis is proposed in this paper. It is an application and reification of the classic situation awareness model proposed by Tim Bass. The framework is composed of three core contents, namely, the situation information model, event correlation analysis technology and situation assessment technology. The information model defines what situation information is and how to express it; the other two technologies are the means of acquiring this situation information. The hierarchic information model contains four levels: raw security data, security entities, assessment report, and mission impact. As the model level rises, the quantity of the information decreases while the quality increases. The correlation technology focuses on obtaining the security entities, that is, the second-level situation information. The situation assessment technology provides methods and means for acquiring the information belonging to the third and fourth levels; namely, it is the technical guarantee of creating the assessment report and mission impact. The framework provides guidance and technical support for the whole situation analysis procedure, and it is the foundation of the analysis work.

Keywords- network security; situation analysis; situation information model; correlation analysis; situation assessment
I. INTRODUCTION
Along with the popularity of computer networks and the continuous deepening of various network applications, the issue of network security has become more prominent; it has become a major constraining factor for the development of the Internet[1]. The essence of network security is the cooperation of attack and vulnerability[2]. Traditional security defense technology, such as IDS (Intrusion Detection System), pays attention only to the recognition and analysis of attack activities; it cannot recognize the disastrous consequences of vulnerabilities being utilized successfully.
Network security situation awareness belongs to the third generation of security defense technology, and it aims to acquire the global view of the cyberspace timely and accurately. It presents the whole security view of the cyberspace to the network manager by analyzing external threats and internal vulnerabilities. In this way, the manager will readily be aware of the situation of the cyberspace, and the defense ability of the cyberspace will be enhanced.
In this paper, we propose a framework of network security situation analysis based on the technology of event correlation and situation assessment. It is more operable than the conceptual model provided by Tim Bass, and can be used to guide the whole process of situation analysis. The framework points out what situation information is and how to acquire it, so it not only defines the analysis goal but also presents the analysis means. Situation analysis emphasizes the technology and means of achieving network security situation, and situation awareness emphasizes concept and content, so this paper mainly focuses on technology and means, that is, situation analysis.
The remainder of this paper is organized as follows: Section 2 analyzes the existing research on network security situation awareness. Section 3 describes the structure of the situation analysis framework, and the three core contents of the framework are also explained in detail in this section. In Section 4, we use an experiment to validate the technologies in the framework. Finally, we summarize this paper and suggest future work in Section 5.
II. RELATED WORKS
A. Models of Network Security Situation Awareness
The data fusion model[3][4] proposed by Tim Bass in 1999 is the rudiment of network security situation awareness. The model includes five levels, and the objectives of each level are defined in this model. It mainly focuses on the concept of situation awareness, so in the practical environment, available technologies and methods for analyzing security situation are lacking. Wang[5][6][7] proposes a hierarchical implementation model for network security situation awareness, but the situation information presented by this model is only the security threat level, and this level cannot indicate the whole situation of the network system. A security situation evaluation model for the inter-domain routing system in the Internet is proposed in [8]. The model is a two-tuple (TREE, EA), where TREE is the routing tree of the routing system and EA is the assessment algorithm. The ultimate results presented by this model are security metrics too. In addition, EA's input is abnormal routing information, which is always hard to acquire accurately.
2011 Fifth International Conference on Innovative Mobile and Internet Services in Ubiquitous Computing
978-0-7695-4372-7/11 $26.00 © 2011 IEEE
DOI 10.1109/IMIS.2011.43