An Improved Network Security Situation Awareness Model

Fangwei Li, Chongqing Key Lab of Mobile Communications Technology, Chongqing University of Posts and Telecommunications, Chongqing, China, lifw@cqupt.edu.cn
Xinyue Zhang, Chongqing Key Lab of Mobile Communications Technology, Chongqing University of Posts and Telecommunications, Chongqing, China, zhangxinyue159@163.com
Jiang Zhu, Chongqing Key Lab of Mobile Communications Technology, Chongqing University of Posts and Telecommunications, Chongqing, China, zhujiang@cqupt.edu.cn
Yan Wang, Chongqing Key Lab of Mobile Communications Technology, Chongqing University of Posts and Telecommunications, Chongqing, China, wangyan2250@sina.com

ABSTRACT
In order to reflect the network security situation fully and accurately, a new network security situation awareness model based on information fusion is proposed. The network security situation is the result of fusing three aspects of evaluation. In terms of attacks, to improve the accuracy of evaluation, a situation assessment method for DDoS attacks based on data packet information is proposed. In terms of vulnerability, an improved Common Vulnerability Scoring System (CVSS) is introduced, which makes the assessment more comprehensive. In terms of node weights, a method of calculating combined weights and optimizing the result with the Sequential Quadratic Programming (SQP) algorithm is proposed, which reduces the uncertainty of the fusion. To verify the validity and necessity of the method, a test platform was built and used to evaluate the DARPA 2000 data set. Experiments show that the method improves the accuracy of the evaluation results.


INTRODUCTION
Current security technologies such as firewalls, intrusion detection and vulnerability scanning consider network security from a single aspect and lack awareness of the overall network situation. In this context, network security situation awareness has been proposed and has attracted much attention from researchers [1].
Network security situation awareness gathers information on many aspects of the network through related technologies, obtains the situation of the whole network through quantitative analysis, and forecasts future development trends based on the previous analysis. The concept of network security situation awareness was proposed in [2], but an assessment framework was not realized. In order to realize such a framework, several methods have been raised. The method using multi-agent anomaly detection and data flow analysis ignores the characteristics of the network itself [3]. The network security situation can be obtained when a Bayesian network is introduced into the evaluation, but the method has high computational complexity and needs a huge training sample [4][5]. The analytic hierarchy process needs relative weights to be set, which is subjective and relies on conventional wisdom and common sense [6][7][8]. These previous studies considered only the threat caused by attacks and ignored the situation changes caused by the network's own defects, which reduces the accuracy of the whole situation assessment.
In order to reflect the network security situation fully and accurately, a new network security situation awareness model based on information fusion is proposed. The model has the following advantages. Firstly, the evaluation error for DDoS attacks is reduced. Secondly, accuracy is improved by adding an assessment of vulnerability. Thirdly, one-sided node weights are avoided by combining a subjective weight and an objective weight.

NETWORK SECURITY SITUATION AWARENESS MODEL BASED ON INFORMATION FUSION

2.1 The assessment framework
The model is built on three basic definitions (Definitions 1 to 3) and the framework shown in Figure 1.

The assessment of attacks
The original method relied on the alarms of the IDS. The threat of attacks on node $i$ is given by [9] as formula (1), where $c_i(t)$ is the number of attacks, $d_i(t)$ is the threat level of the attacks and $T_i(t)$ is the threat of attacks.

Most attacks can be evaluated by the above formula, with the exception of DDoS attacks. Firstly, the number of alarms differs greatly between IDS rule bases. Secondly, a DDoS attack is a repeated attack within a short period of time: so many identical alarms are raised at the same time that it is hard to distinguish a duplicate alarm from a genuinely repeated attack.

For these two reasons the original method is not applicable to DDoS. To solve this problem, a new method for assessing DDoS attacks is proposed, based on the characteristics of DDoS attacks and on the information in the data packets themselves. The threat of a DDoS attack is expressed by formula (2) in terms of $p_i(t)$, the range of the attack, and $a_i(t)$, its strength. The range is the occupation ratio of attacked ports:

$$p_i(t) = \frac{n_i(t)}{65536}$$

where $n_i(t)$ is the number of attacked ports and 65536 is the total number of ports. The strength is the average number of data packets per attacked port over the duration of the attack:

$$a_i(t) = \frac{b_i(t)}{n_i(t)\,\Delta t}$$

where $b_i(t)$ is the total number of data packets and $\Delta t$ is the duration of the DDoS attack, from its beginning to its end.
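The packet-based range and strength above, as an added worked example (this is not code from the paper): it groups per-packet records by destination host and computes $n_i(t)$, $b_i(t)$, $\Delta t$, $p_i(t)$ and $a_i(t)$. The packet records, the host labels and the one-second floor on $\Delta t$ for hosts that saw a single packet are assumptions of this example.

```python
"""Added example, not the paper's code: DDoS range p_i(t) and strength a_i(t)
from per-packet records (timestamp, destination host, destination port).
The records below are constructed; a real run would read them from a capture."""
from collections import defaultdict

TOTAL_PORTS = 65536  # total number of ports, as in the paper

# Constructed sample packets: (timestamp in seconds, destination host, destination port)
PACKETS = [
    # flood against the web server: three ports hit, eight packets over 4 s
    (100.0, "web-server", 80), (100.5, "web-server", 80),
    (101.0, "web-server", 443), (101.5, "web-server", 80),
    (102.0, "web-server", 53), (103.0, "web-server", 443),
    (104.0, "web-server", 80), (104.0, "web-server", 53),
    # ordinary traffic to another host: one port, two packets, 10 s apart
    (100.0, "host-a", 22), (110.0, "host-a", 22),
]

def per_host_counts(packets):
    """Return {host: (n_ports, n_packets, duration)}: n_i(t) distinct attacked
    ports, b_i(t) total packets and delta_t from first to last packet seen."""
    ports, count, first, last = defaultdict(set), defaultdict(int), {}, {}
    for ts, host, port in packets:
        ports[host].add(port)
        count[host] += 1
        first[host] = min(first.get(host, ts), ts)
        last[host] = max(last.get(host, ts), ts)
    return {h: (len(ports[h]), count[h], last[h] - first[h]) for h in ports}

def attack_range(n_ports):
    """p_i(t) = n_i(t) / 65536: share of the port space under attack."""
    return n_ports / TOTAL_PORTS

def attack_strength(n_ports, n_packets, duration, min_duration=1.0):
    """a_i(t) = b_i(t) / (n_i(t) * delta_t): packets per attacked port per second.
    A host that saw a single packet has zero duration; flooring delta_t at
    min_duration (an assumption of this example) keeps the division defined."""
    return n_packets / (n_ports * max(duration, min_duration))

def ddos_assessment(packets):
    """Per-host range and strength; the DDoS target is the host where both are large."""
    result = {}
    for host, (n, b, dt) in per_host_counts(packets).items():
        result[host] = {"ports": n, "packets": b, "duration": dt,
                        "range": attack_range(n), "strength": attack_strength(n, b, dt)}
    return result

if __name__ == "__main__":
    for host, r in ddos_assessment(PACKETS).items():
        print(f"{host:12s} ports={r['ports']:3d} packets={r['packets']:3d} "
              f"p={r['range']:.2e} a={r['strength']:.3f}")
```

Two points a practitioner should keep in mind when using these two quantities: the formulas treat every destination port that received a packet as "attacked", so the capture has to be filtered to the attack traffic first, and a volumetric flood aimed at a single port yields a very small $p_i(t)$ but a very large $a_i(t)$, so neither quantity should be read on its own.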

The assessment of Vulnerability
Existing methods ignore the vulnerability of the node itself and derive the situation only from external attacks. Since previous studies considered only the threat caused by attacks and ignored the situation changes caused by vulnerabilities, an assessment of vulnerability is added in this model. In order to reflect it fully and accurately, CVSS is adopted [10].
Firstly, the vulnerabilities are discovered by vulnerability scanners such as Nessus. Next, the vulnerabilities are matched against the National Vulnerability Database (NVD) and quantified from six aspects: attack avenue (access vector), attack complexity, authentication, confidentiality, integrity and availability. In order to emphasize vulnerabilities that are actually being exploited, an activating factor is added to CVSS, so that the same vulnerability is weighted differently in different periods of time. The assessment of the vulnerability of node $i$ is formed from the following quantities for each vulnerability $k$: an indicator equal to 1 if node $i$ contains vulnerability $k$ and 0 otherwise; the activating factor, a function of $t$, equal to 1 if vulnerability $k$ of node $i$ is exploited and 0.7 otherwise, where 0.7 can be adjusted to the specific condition of the network and the administrator's needs; and $M_k$, the value by which vulnerability $k$ affects the security situation, which is the CVSS v2 base score:

$$M_k = \bigl(0.6\,\mathrm{Imp}_k + 0.4\,BE_k - 1.5\bigr)\, f(\mathrm{Imp}_k)$$

$$\mathrm{Imp}_k = 10.41\,\bigl(1 - (1-C)(1-I)(1-A)\bigr)$$

$$BE_k = 20\, AV \cdot AC \cdot Au$$

where $BE_k$ is the utilizability (exploitability) of vulnerability $k$; $AV$, $AC$ and $Au$ are the values of attack avenue, attack complexity and authentication; $C$, $I$ and $A$ are the values of confidentiality, integrity and availability; and $f(\mathrm{Imp}_k)$ is 0 when the impact $\mathrm{Imp}_k$ is 0 and 1.176 otherwise.
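The CVSS v2 base score and the activating factor above, as an added worked example (not the paper's code): it scores base vectors with the published CVSS v2 metric values and constants and then aggregates one node's vulnerabilities. The constructed vulnerability labels, the inventory, and the aggregation step itself (sum over the node's vulnerabilities of indicator times activating factor times $M_k$, which the text does not write out) are assumptions of this example.

```python
"""Added example, not the paper's code: CVSS v2 base score M_k from a base
vector, and a node's vulnerability assessment with the paper's activating
factor (1.0 if the vulnerability is being exploited, 0.7 otherwise).
Metric values and constants are the published CVSS v2 base equation.  The
aggregation over a node's vulnerabilities and the labels are assumptions."""
import math

# CVSS v2 base metric values (CVSS v2 specification)
AV = {"L": 0.395, "A": 0.646, "N": 1.0}    # access vector ("attack avenue")
AC = {"H": 0.35, "M": 0.61, "L": 0.71}     # access complexity
AU = {"M": 0.45, "S": 0.56, "N": 0.704}    # authentication
CIA = {"N": 0.0, "P": 0.275, "C": 0.660}   # confidentiality / integrity / availability impact

def parse_vector(vec):
    """Parse 'AV:N/AC:L/Au:N/C:P/I:P/A:P'; reject vectors with missing or unknown metrics."""
    parts = dict(item.split(":", 1) for item in vec.split("/"))
    if set(parts) != {"AV", "AC", "Au", "C", "I", "A"}:
        raise ValueError(f"not a CVSS v2 base vector: {vec}")
    return parts

def round_one_decimal(x):
    """CVSS rounds half up to one decimal; Python's round() rounds half to even."""
    return math.floor(x * 10 + 0.5) / 10

def cvss2_base_score(vec):
    """M_k: CVSS v2 base score.  'exploitability' is the BE_k (utilizability) subscore."""
    m = parse_vector(vec)
    impact = 10.41 * (1 - (1 - CIA[m["C"]]) * (1 - CIA[m["I"]]) * (1 - CIA[m["A"]]))
    exploitability = 20 * AV[m["AV"]] * AC[m["AC"]] * AU[m["Au"]]
    f_impact = 0.0 if impact == 0 else 1.176
    return round_one_decimal((0.6 * impact + 0.4 * exploitability - 1.5) * f_impact)

def node_vulnerability(node_vulns, exploited, scores, idle_factor=0.7):
    """Assumed aggregation for one node: every vulnerability present (indicator 1)
    contributes M_k scaled by the activating factor, 1.0 if it was exploited in
    this period, otherwise idle_factor (the paper's default of 0.7)."""
    return sum((1.0 if k in exploited else idle_factor) * scores[k] for k in node_vulns)

# Constructed inventory: vulnerability label -> CVSS v2 base vector
INVENTORY = {
    "vuln-a": "AV:N/AC:L/Au:N/C:C/I:C/A:C",   # remote, trivially exploitable, full compromise
    "vuln-b": "AV:N/AC:L/Au:N/C:P/I:P/A:P",   # remote, partial impact on all three
    "vuln-c": "AV:L/AC:H/Au:M/C:P/I:N/A:N",   # local, hard, minor disclosure
}

def demo():
    """Score the inventory, then assess a node holding all three vulnerabilities
    where only vuln-a was observed being exploited in the current period."""
    scores = {k: cvss2_base_score(v) for k, v in INVENTORY.items()}
    return scores, node_vulnerability(set(INVENTORY), {"vuln-a"}, scores)
```

The activating factor is what makes the per-period difference: the same host scores 15.81 here with vuln-a exploited, but would score 12.81 with nothing exploited, even though its inventory has not changed.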

The assessment of nodes' weight
The weight reflects the importance of a node: the larger the weight, the greater the node's effect on the security situation. If the weights are unreasonable, the whole assessment of the security situation is meaningless.
The current methods of determining weights are subjective weighting and objective weighting. Subjective weighting reflects people's intentions, but the resulting weight is subjective. Objective weighting is determined from objective data, but without human participation the weight may even contradict the actual importance of a node. In order to obtain reasonable weights, this paper combines the two, and the combined weight represents the importance of the node.

The objective weight
The objective weight is determined by the improved entropy evaluation method [10]. In information theory, entropy reflects the degree of disorder of information and is a measure of uncertainty: the smaller the entropy, the greater the certainty, the more information an index carries and the more important it is. The improved entropy evaluation method proceeds as follows.

a) Establish the judgment matrix $R = (r_{ij})_{n \times m}$ based on services, where $r_{ij} = 1$ if node $i$ has service $j$ and $0$ otherwise; $n$ is the total number of nodes and $m$ the total number of services.

b) Calculate the entropy of service $j$:

$$H_j = -\frac{1}{\ln n}\sum_{i=1}^{n} f_{ij}\ln f_{ij}, \qquad f_{ij} = \frac{r_{ij}}{\sum_{i=1}^{n} r_{ij}}$$

where $f_{ij}$ is the weight of node $i$ for service $j$, with $f_{ij}\ln f_{ij} = 0$ when $f_{ij} = 0$.

c) Calculate the variation coefficient of service $j$:

$$g_j = 1 - H_j$$

The larger $g_j$ is, the more effect service $j$ has on the nodes' importance.

d) Calculate the objective weight $w^{1}_i$ of each node from the variation coefficients.

The subjective weight
The subjective weight is determined from the experts' experience [8]. It depends on the number and the importance of the services a node offers. The subjective weight $w^{2}_i$ of node $i$ is computed from $v_{ij}$, the importance of service $j$ on node $i$.

The combined weight
In order to make the weight more reasonable, the objective weight and the subjective weight are fused. The combined weight not only reflects the intention of people but is also more objective.
To retain the advantages of both the subjective and the objective weight, the concept of a weighted Euclidean distance is introduced: the combined weight is optimal when the sum of the weighted Euclidean distances is minimal. Firstly, for each node the Euclidean distance between the combined weight and the subjective and objective weights is calculated. Then, in order to avoid a preference for either side, the combined weight itself is used as the weighting factor in place of a constant weight, which makes the weight adaptive. The combined weight is defined by formula (10). Solving formula (10) amounts to solving a constrained nonlinear programming problem, formula (11). The optimal solution is obtained with SQP, one of the most effective algorithms for constrained nonlinear programming: with a suitable merit function it is globally convergent, and its local rate of convergence is superlinear. Figure 2 is the flowchart of SQP.
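The three weighting steps of this section (entropy-based objective weight, expert-based subjective weight, and the self-weighted combined weight) as one added worked example; this is not the paper's code. The paper solves its optimisation with SQP; here projected gradient descent with backtracking on the simplex is used instead so the example runs with the standard library only. The service matrix, the expert importance scores, the aggregation used in step d) and for the subjective weight, and the exact form of the objective (each node's squared distances to $w^1_i$ and $w^2_i$, weighted by $w_i$ itself) are assumptions of this example.

```python
"""Added example, not the paper's code: objective weight by the entropy method
(steps a-d), subjective weight from expert importance scores, and the combined
weight minimising the self-weighted Euclidean distance to both on the simplex.
Projected gradient descent with backtracking stands in for the paper's SQP.
The data and the aggregation forms marked 'assumed' are not from the paper."""
import math

# Constructed judgment matrix r_ij: rows = nodes, columns = services (web, dns, mail)
R = [[1, 1, 0],   # node 1: web + dns
     [1, 0, 1],   # node 2: web + mail
     [1, 0, 0],   # node 3: web only
     [1, 0, 0]]   # node 4: web only
# Constructed expert importance v_ij of service j on node i (0 = not offered)
V = [[3, 2, 0], [3, 0, 2], [2, 0, 0], [1, 0, 0]]

def variation_coefficients(r):
    """Steps a)-c): f_ij = r_ij / sum_i r_ij, H_j = -(1/ln n) sum_i f_ij ln f_ij, g_j = 1 - H_j.
    A service every node offers has H_j = 1 and g_j = 0: it cannot tell the nodes apart."""
    n, m = len(r), len(r[0])
    g = []
    for j in range(m):
        col = sum(r[i][j] for i in range(n))
        if col == 0:                      # service offered nowhere: no information
            g.append(0.0)
            continue
        h = -sum((r[i][j] / col) * math.log(r[i][j] / col) for i in range(n) if r[i][j] > 0)
        g.append(max(0.0, 1.0 - h / math.log(n)))   # clamp float noise at exactly 1
    return g

def objective_weight(r):
    """Step d) (assumed form): normalise g_j over services, score each node by
    the g-weighted services it offers, then normalise over nodes."""
    g = variation_coefficients(r)
    tot_g = sum(g)
    s = [gj / tot_g for gj in g] if tot_g > 0 else [1.0 / len(g)] * len(g)
    raw = [sum(sj * rij for sj, rij in zip(s, row)) for row in r]
    tot = sum(raw)
    return [x / tot for x in raw]

def subjective_weight(v):
    """w2_i (assumed form): a node's summed service importance, normalised over nodes."""
    raw = [sum(row) for row in v]
    tot = sum(raw)
    return [x / tot for x in raw]

def weighted_distance(w, w1, w2):
    """Objective: sum_i w_i [ (w_i - w1_i)^2 + (w_i - w2_i)^2 ]; the combined
    weight itself, not a constant, weights each node's distances."""
    return sum(wi * ((wi - a) ** 2 + (wi - b) ** 2) for wi, a, b in zip(w, w1, w2))

def project_simplex(v):
    """Euclidean projection onto {w : w_i >= 0, sum_i w_i = 1} (sort-based algorithm)."""
    u = sorted(v, reverse=True)
    css, theta = 0.0, 0.0
    for j, uj in enumerate(u, start=1):
        css += uj
        if uj - (css - 1.0) / j > 0:
            theta = (css - 1.0) / j
    return [max(x - theta, 0.0) for x in v]

def combined_weight(w1, w2, iters=5000, step=0.5):
    """Projected gradient descent from the midpoint of w1 and w2; a step is kept
    only if it lowers the objective, otherwise the step length is halved."""
    w = [(a + b) / 2 for a, b in zip(w1, w2)]
    best = weighted_distance(w, w1, w2)
    for _ in range(iters):
        grad = [(wi - a) ** 2 + (wi - b) ** 2 + 2 * wi * ((wi - a) + (wi - b))
                for wi, a, b in zip(w, w1, w2)]
        cand = project_simplex([wi - step * gi for wi, gi in zip(w, grad)])
        val = weighted_distance(cand, w1, w2)
        if val < best:
            w, best = cand, val
        else:
            step /= 2
            if step < 1e-12:
                break
    return w

def demo():
    """Objective, subjective and combined weights for the constructed nodes."""
    w1 = objective_weight(R)
    w2 = subjective_weight(V)
    return w1, w2, combined_weight(w1, w2)
```

On the constructed data the entropy method gives the web service zero variation coefficient because every node offers it, so nodes 3 and 4 get objective weight 0 even though an administrator would never call them unimportant; the subjective weight keeps them above zero, and the combined weight sits between the two, which is the one-sidedness the section sets out to avoid.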

The information fusion
The node security situation and the network security situation are calculated by fusing the threat, the vulnerability and the weight. The node security situation $NA_i(t)$ is obtained from the threat and the vulnerability of node $i$, where $l$ is the total number of vulnerabilities of the node.

Definition 5. The network security situation: the extent of the influence of all nodes' security situations, weighted by the nodes' combined weights. It is obtained by fusing the node security situations $NA_i(t)$ with the combined weights $W$ (formulas (14) and (15)).

EXPERIMENTAL RESULTS ANALYSIS AND COMPARISON
This experiment selected scenario one (LLDOS 1.0) of the DARPA 2000 data set from MIT Lincoln Laboratory [12]. The scenario consists of five attack phases, referred to below as periods. Figure 3 is the network topology.

Experiment 1
This experiment was designed to show the instability of assessing DDoS attacks from attack alarms. Firstly, an intrusion detection system was constructed. Secondly, the data packets were inspected with different rule databases. Lastly, the results were imported into MySQL. Table 1 gives the statistical result. It shows that the number of alarms caused by attacks other than DDoS is approximately equal across rule databases, so the original method remains valid for them. In the fifth period, however, the number of alarms caused by the DDoS attack is completely different between rule databases, and the original method no longer applies to DDoS.

The threat of DDoS
This method is based on the characteristics of DDoS and on analysis of the data packets with Wireshark. The threat of DDoS is calculated by formula (2).

Figure 4: The threat of the different hosts in the fifth period
Figure 4 shows that the threat value of the server www.af.mil is the largest. The server www.af.mil is the target of the attack, and the hosts mill, locke and pascal are remotely controlled. The obtained results are consistent with the actual condition. Figure 5 shows that the alarm-based threat is completely different under different rule sets, whereas the proposed method based on data packets is stable and effective and reflects the threat of DDoS objectively.

The network security situation
The threat is calculated by formulas (1) and (2). The threat levels of attacks are divided into three degrees; the values of the high, middle and low levels are 1, 2 and 3.
Figure 6 shows that the threat to mill, pascal and locke is largest in the third period because attackers obtain root permission on these hosts and control them remotely. The threat to the server www.af.mil increases rapidly because of the DDoS attack. When root permission has been obtained, the administrator should repair the host as soon as possible to avoid further damage. Figure 7 shows the vulnerability of the hosts based on the improved CVSS, using the NVD vulnerability scores. As can be seen from the figure, the vulnerability of the host mill is largest, followed by locke and pascal. The vulnerability of these hosts is large and is exploited by the attacks; the administrator should patch them as soon as possible.
According to the service information, the nodes' importance is evaluated by the entropy evaluation method and by expert experience, and the combined weight is optimized by the SQP algorithm. Table 2 shows that the value of the objective function is steady and minimal after the ninth iteration. The optimal weight vector is [0.2240 0.2147 0.2147 0.1469 0.0999 0.0999]. The combined weight takes advantage of both the subjective and the objective weight, and the sum of weighted Euclidean distances is minimal.
The threat, vulnerability and combined weight are fused by formulas (14) and (15). Figure 8 shows the result of the fusion.

Figure 8: Comparison of the network security situation
As can be seen from Figure 8, the value of the network security situation is low in the first and second periods, which contain only network scanning. In the third period the value rises rapidly because attackers obtain root permission on the hosts and control them remotely; the network is in danger and many attacks will follow, so the administrator should repair and patch the hosts as soon as possible to avoid further damage. Without the assessment of vulnerability, the value is generally low and cannot reflect the potential danger. In the fifth period, the situation value produced by the method of [10] is too high and exaggerates the threat of the DDoS attack, because that method cannot distinguish repeated alarms from real alarms.
The experimental results show that the proposed model and quantization are reasonable and necessary. The assessment of DDoS is more accurate because it is independent of alarms; the assessment is more comprehensive with vulnerability included; and the combined weight is more reasonable because it takes advantage of both the subjective and the objective weight.

CONCLUSION
The threat of attacks, the vulnerability and the importance of nodes are evaluated effectively by the proposed model, and the network security situation is obtained reasonably by fusing these three aspects. Changes in the situation can be observed visually, so the administrator can follow the dynamics of the network security situation, establish the causes and correct them. In future work, more comprehensive indices and quantitative methods will be researched, and on this basis we will study how to forecast the network security situation.

Definition 1. Threat ($T(t)$): the extent of the damage caused by different attacks on different nodes; it mainly describes the influence of external attacks on the nodes' situation.
Definition 2. Vulnerability ($V(t)$): the degree of vulnerability of the host nodes; it mainly describes the effect of internal vulnerabilities on the nodes' situation.
Definition 3. Combined weights ($W$): weights that have the advantages of both the objective weight and the subjective weight; they mainly describe the nodes' degree of importance.
The model fuses the information on external attack threats, internal vulnerability and the nodes' degree of importance to obtain the current network security situation.

Figure 1: The model framework based on information fusion

where $M_k$ is the value by which vulnerability $k$ affects the security situation; the remaining terms are the values of confidentiality, integrity and availability.

Figure 2: The flowchart of SQP

Definition 4. The node security situation: the extent of the influence of the external attacks and the internal vulnerabilities on the node's situation. It is expressed in terms of the threat and the vulnerability of the node.

Figure 3: The network topology

Figure 5: The network threat based on different sources

Figure 6: The threat of hosts in different periods
Figure 7: The vulnerability of hosts based on the improved CVSS