Research on Key Technologies of Network Security Situational Awareness for Attack Tracking Prediction

KOU Guang; WANG Shuo; TANG Guangming

doi:10.1049/cje.2018.10.007

Volume 28 Issue 1

Turn off MathJax

Article Contents

Article Navigation > Chinese Journal of Electronics > 2019 > 28(1): 162-171

KOU Guang, WANG Shuo, TANG Guangming, “Research on Key Technologies of Network Security Situational Awareness for Attack Tracking Prediction,” Chinese Journal of Electronics, vol. 28, no. 1, pp. 162-171, 2019, doi: 10.1049/cje.2018.10.007

Citation:

KOU Guang, WANG Shuo, TANG Guangming, “Research on Key Technologies of Network Security Situational Awareness for Attack Tracking Prediction,” Chinese Journal of Electronics, vol. 28, no. 1, pp. 162-171, 2019, doi: 10.1049/cje.2018.10.007

Citation:

PDF( 3890 KB)

Research on Key Technologies of Network Security Situational Awareness for Attack Tracking Prediction

doi: 10.1049/cje.2018.10.007

1.
Artificial Intelligence Research Center, National Innovation Institute of Defense Technology, Beijing 100072, China;
2.
Information Engineering University, Zhengzhou 450001, China

Funds: This work is supported by the National Natural Science Foundation of China (No.61303074) and the Foundation of Science and Technology on Information Assurance Laboratory (No.KJ-15-106).

Received Date: 2016-05-03
Rev Recd Date: 2018-05-14
Publish Date: 2019-01-10

Abstract

Abstract

This paper analyzed the existing network security situation evaluation methods and discovered that they cannot accurately reflect the features of large-scale, synergetic, multi-stage gradually shown by network attack behaviors. For this purpose, the association between attack intention and network configuration information was deep analyzed. Then a network security situation evaluation method based on attack intention recognition was proposed. Unlike traditional method, the evaluation method was based on intruder. This method firstly made causal analysis of attack event and discovered and simplified intrusion path to recognize every attack phases, then realized situation evaluation based on the attack phases. Lastly attack intention was recognized and next attack phase was forecasted based on achieved attack phases, combined with vulnerability and network connectivity. A simulation experiments for the proposed network security situation evaluation model is performed by network examples. The experimental results show that this method is more accurate on reflecting the truth of attack. And the method does not need training on the historical sequence, so the method is more effective on situation forecasting.
- Multi-stage attack,
- Situation evaluation,
- Network security,
- Intention recognition,
- Causal analysis

FullText(HTML)

References(25)

References

Bass T., "Intrusion detection systems & multisensory data fusion:Creating Cyberspace Situational Awareness", Communications of the ACM, Vol.43, No.4, pp.99-105, 2000.

D' Ambrosio B., "Security situation assessment and response evaluation (SSARE)", Proc. of DARPA Information Survivability Conference & Exposition Ⅱ, Washington, USA, pp.387-394, 2001.

Abad Cristina and Yurcik William, "UCLog+:A security situational awareness system for incident storage, querying, and correlation", Proc. of the 14th International Conference on Telecommunication Systems Modeling and Analysis, Washington, USA, pp.316-322, 2006.

Chen Xiuzhen, Zheng Qinhua and Guan Xiaohong, "Quantitative hierarchical threat evaluation model for network security", Journal of Software, Vol.17, No.4, pp.885-997, 2006.

Wei Yong, Lian Yifeng and Feng Dengguo, "A network security situational awareness model based on information fusion", Journal of Computer Research and Development, Vol.46, No.3, pp.353-362, 2009.

Xi Rongrong, Yun Xiaochun and Zhang Yongzheng, "An improved quantitative evaluation method for network security", Journal of Software, Vol.26, No.7, pp.1638-1649, 2015.

Zhang Yong, Tan Xiaobin and Cui Xiaolin, " Network security situation awareness approach based on Markov game model", Journal of Software, Vol.22, No.3, pp.495-508, 2011.

Xi Rongrong, Yun Xiaochun and Zhang Yongzheng, "An improved quantitative evaluation method for network security", Chinese Joural of Computers, Vol.38, No.4, pp.749-758, 2015.

Lv Huiying, Peng Wu and Wang Ruimei, " A real-time network threat recognition and assessment method based on association analysis of time and space ", Journal of Computer Research and Development, Vol.51, No.5, pp.1039-1049, 2014.

Cyril Onwubiko and Thomas Owens, Situational Awareness in Computer Network Defense Principles, Methods and Applications, IGI Global Snippet, Hershey, USA, pp.125-137, 2012.

M Schiffman, "Common vulnerability scoring system version 2.0", available at http://www.first.org/cvss/cvss-guide.html,2013-7-8.

Fatemeh Kavousi and Behzad Akbari, "Automatic learning of attack behavior patterns using Bayesian networks", Proc. of 6th International Symposium on Telecommunications, Washington, USA, pp.999-1004, 2012.

Sheyner O, Haines J and Jha S, "Automated generation and analysis of attack graphs", Proc. of IEEE Symp on Security and Privacy (S&P 2002), Piscataway, NJ, USA, pp.273-283, 2002.

Noel S., Jajodia S. and O' Berry B., "Efficient minimumcost network hardening via exploit dependency graphs", Proc. of 19th Annual Computer Security Applications Conference(ACSAC' 03), Los Alamitos, CA, USA, pp.86-95, 2002.

Wei Yong and Lian Yifeng, " A network security situational awareness model based on log audit and performance correction", Chinese Joural of Computers, Vol.32, No.4, pp.763-772, 2009.

S.J. Templeton and K. Levitt, "A requires/provides model for computer attacks", Proc. of New Security Paradigms Workshop, Cork, Ireland, pp.31-38, 2002.

P. Ning, Y. Cui and D.S. Reeves, " Techniques and tools for analyzing intrusion alerts", ACM Transactions on Information and System Security, Vol.7, No.2, pp.274-318, 2004.

Peng Ning and Y Cui, An Intrusion Alert Correlator Based on Prerequisites of Intrusion, Department of Computer Science, North Carolina State University, Raleigh,North Carolina, USA, pp.1-16, 2002.

Frederic Cuppens, "Managing alerts in multi-intrusion detection environment", Proc. of 17th Annual Computer Security Applicaions Conference, New Orleans, Louisiana, USA, pp.22-31, 2001.

Frederic Cuppens and Alexandre Miege, "Alert correlation in a cooperative intrusion detection framework", Proc. of 2002 IEEE Symposium on Security and Privacy, Berkeley, California, USA, pp.202-215, 2002.

Benferhat S., Autrel F. and Cuppens F., "Enhanced correlation in an intrusion detection process", Proc. of 2th International Workshop on Mathematical Methods, Models, and Architectures for Computer Network Security, St. Petersburg, Russia, pp.157-170, 2002.

Phillips C. and Swiler L.P., " A graph-based system for network vulnerability analysis", Proc. of 1998 Workshop on New Security Paradigms, New York,, USA, pp.71-79, 1998.

Noel S., Jacobs M. and Kalapa P., " Multiple coordinated views for network attack graphs", Proc. of 2005 Workshop on Visualization for Computer Security, Piscataway, NJ, USA, pp.99-106, 2005.

TUO Yu-peng, ZHANG Yongzheng and YIN Tao, " Modeling and evaluating a cross-realm architecture for P2P botnet", Acta Electronica Sinica, Vol.46, No.4, pp.791-796, 2018.

LI Peng, WANG Zhen and XU He, " Intrusion detection methods based on incomplete RFID traces", Chinese Journal of Electronics, Vol.26, No.4, pp.675-680, 2017.

Relative Articles

Supplements(0)

Cited By

Proportional views