Multi-sensor Data Fusion for Cyber Security Situation Awareness

Available online at www.sciencedirect.com

Procedia Environmental Sciences 10 (2011) 1029–1034

2011 3rd International Conference on Environmental Science and Information Application Technology (ESIAT 2011)

Yan Zhang a,b,*, Shuguang Huang a, Shize Guo b, Junmao Zhu b

a Electronic Engineering Institute, Hefei 230037, China
b Institute of North Electronic Equipment, Beijing 100083, China

Abstract

To analyze the influence of security incidents on a networked system and accurately evaluate system security, this paper proposes a novel cyber security situation assessment model based on multiple heterogeneous sensors. Using D-S evidence theory, we fuse the security data submitted by the sensors according to the network topology and the importance of services and hosts. The model evaluates from bottom to top and from local to global. The evaluation of a simulated network indicates that the proposed approach is suitable for the network environment and that its results are precise and efficient.

© 2011 Published by Elsevier Ltd. Selection and/or peer-review under responsibility of the Conference ESIAT2011 Organization Committee.

Keywords: Sensor; Security Data; Assessment; Hierarchical Method; Security Situation.

1. Introduction

With the development of computer networks, information security deteriorates rapidly. To cope with different types of network attacks, people often deploy different types of security devices (sensors). However, managing these devices raises many problems, including alert overload, alert conflicts and high false positive rates. To solve these problems, many studies have tried to apply situation awareness to information security: Bass [1] proposed a multi-sensor data fusion architecture; Wang et al. [2] proposed using a neural network for multi-heterogeneous sensor fusion; Wei [3] and Zhang [4] improved the situation awareness framework by adding environment factors (host number, host services, service attacks, etc.); and Lai [5] used simple weighting and grey theory to implement security situation awareness. In this paper, we use D-S evidence theory to fuse the alerts submitted by heterogeneous network sensors, and we perform an experiment on a simulated network environment. The results show that the proposed method not only provides the security situation of the overall system, but also provides assessments of the security situation at three different levels.

* Corresponding author.

1878-0296 © 2011 Published by Elsevier Ltd. doi:10.1016/j.proenv.2011.09.165

2. Related Work

2.1. Network security situation awareness

Briefly speaking, situation awareness is knowing what is happening and how to respond. Endsley [6] viewed situation awareness as three levels: perception, comprehension and projection. The first level, perception, collects data from different sources; the second level, comprehension, integrates and understands these data; and the third level, projection, predicts what will occur within a period of time. In order to create efficient network security situation awareness, Lai [5] proposed a Network Security Situation Awareness (NSSA) model. Inspired by Bass [1], Liu et al. [7] proposed an information fusion model for network security situation awareness. According to these studies, current network security situation awareness only provides macro information, such as what kind of attack the network is suffering (Probe, R2L, U2R, DoS, ...). This cannot help policy-makers take prompt and effective responses. To solve this problem, we introduce the concept of risk assessment, which can identify the weakest point.

2.2. D-S Evidence Theory

D-S evidence theory was proposed by Shafer in 1976. It is used to describe different levels of accuracy and is often applied to medical diagnostics, risk analysis and decision analysis [8]. Before using the D-S fusion rule, the first step is to define the frame of discernment (the set of hypotheses, Θ); then the Basic Probability Assignment (BPA) allocates confidence to the different sensors. Suppose there are two IDSs, O_1 and O_2, and an attack incident H. In O_1, the confidence level m_1(H) represents the probability that O_1 supports the occurrence of H; in O_2, m_2(H) represents the probability that O_2 supports the occurrence of H. Through the D-S rule, the fusion result of the evidence of O_1 and O_2 is:

$$ m_1 \oplus m_2 (H) = \frac{\sum_{B \cap C = H} m_1(B)\, m_2(C)}{\sum_{B \cap C \neq \emptyset} m_1(B)\, m_2(C)} \qquad (1) $$

After fusing the two pieces of evidence, m_1 ⊕ m_2 (H) is the final probability that the alert is genuine (a true positive). A number of studies have used this method to lower the false positive rate [7][9].

3. Proposed Method

In this section, we propose a Hierarchical Network Security Situation Assessment Model (HNSSAM) (see Figure 1). This model joins the D-S evidence theory fusion rule with a hierarchical quantitative risk assessment method, and makes use of confidence level, service importance and host importance. The advantages of this model are: a) it solves the problem of processing mass data; b) it provides three levels of intuitive security threat; c) it quickly finds weaknesses in the system or the security situation.
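The combination rule of equation (1) in Section 2.2, together with the TPR-based basic probability assignment that the model stores per sensor, as an added example that is not code from the paper: a Dempster's-rule implementation over the frame Θ = {TP, FP} that fuses the confidences of several sensors reporting the same alert. The sensor TPRs are constructed values, and the names `sensor_mass`, `vacuous`, `combine` and `fused_belief` are chosen for this example.

```python
"""Dempster-Shafer combination of alert confidences (equation (1)).

Added example, not code from the paper. Frame of discernment
Theta = {TP, FP}; a sensor's basic probability assignment puts
m({TP}) = TPR (as in Section 3.2) and the remainder on {FP}. A sensor
that did not observe the event contributes the vacuous mass m(Theta) = 1.
"""
from functools import reduce
from itertools import product
from typing import Dict, FrozenSet, List

TP = frozenset({"TP"})
FP = frozenset({"FP"})
THETA = TP | FP
Mass = Dict[FrozenSet[str], float]


def sensor_mass(tpr: float) -> Mass:
    """BPA of one sensor from its true-positive rate for this attack type."""
    if not 0.0 <= tpr <= 1.0:
        raise ValueError("TPR must lie in [0, 1]")
    return {TP: tpr, FP: 1.0 - tpr}


def vacuous() -> Mass:
    """'Don't know': all mass on Theta. Combining with it changes nothing."""
    return {THETA: 1.0}


def combine(m1: Mass, m2: Mass) -> Mass:
    """Dempster's rule: m(H) = sum_{B∩C=H} m1(B)m2(C) / sum_{B∩C≠∅} m1(B)m2(C)."""
    fused: Mass = {}
    conflict = 0.0  # K: mass the two sources put on incompatible hypotheses
    for (b, mb), (c, mc) in product(m1.items(), m2.items()):
        h = b & c
        if h:
            fused[h] = fused.get(h, 0.0) + mb * mc
        else:
            conflict += mb * mc
    if conflict >= 1.0 - 1e-12:
        # K = 1: the sources contradict each other completely; equation (1)
        # would divide by zero, so refuse rather than invent a belief.
        raise ValueError("total conflict between evidence sources")
    return {h: v / (1.0 - conflict) for h, v in fused.items()}


def fused_belief(tprs: List[float]) -> float:
    """m1 ⊕ m2 ⊕ ... (TP): fused confidence that the alert is a true positive."""
    return reduce(combine, (sensor_mass(t) for t in tprs)).get(TP, 0.0)


if __name__ == "__main__":
    # Constructed: a NIDS with TPR 0.8 and a HIDS with TPR 0.7 raise the same alert.
    print(round(fused_belief([0.8, 0.7]), 4))   # 0.9032
    # A sensor that stayed silent is modelled as vacuous, not as m({FP}) = 1.
    print(combine(sensor_mass(0.8), vacuous())[TP])   # 0.8
```

Two caveats follow directly from the two-element frame. First, a sensor that did not fire must enter the combination as the vacuous mass: feeding it in as `sensor_mass(0.0)` (all mass on FP) drives the fused TP belief to zero whatever the other sensors say, so one silent sensor would veto every alert. Second, Dempster's rule assumes the sources are independent; a NIDS and a HIDS matching the same exploit signature are not, so the fused value overstates certainty and should be read as a ranking score, not a calibrated probability.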

Fig. 1. Hierarchical framework for network security situation awareness (multi-sensor data → data verification → formatting → D-S data fusion → service situation assessment → host situation assessment → network situation assessment → situation prediction)

3.1. Pre-processing

The data pre-processing module collects security data from the different sensors. A data verification mechanism determines whether an attack could have succeeded: by comparing the conditions necessary for a successful attack with the target's configuration (OS version, running services, etc.), non-impact alerts can be removed outright. For example, an IDS may detect a large number of Serv-U directory traversal attacks, which target the Serv-U FTP server running on Windows; if the target host runs Linux, the attack cannot succeed, so these invalid alerts should be discarded to reduce the alert volume. Finally, the security data is converted into a uniform format to fit the HNSSAM architecture.

3.2. D-S Data Fusion

According to the basic definition of D-S theory, we set the frame of discernment Θ = {True_Positive, False_Positive}. Because an alert generated by security equipment has exactly two possibilities, (1) true positive and (2) false positive, we define the confidence value of an alert as the sensor's True Positive Rate (TPR): m(correct alert) = TPR. The TPR is obtained by supervised training of each security device on the various attacks, and the resulting confidence values are stored in the Knowledge Base for later use. The fusion process is illustrated in Figure 2.

Fig. 2. D-S rule-based alert fusion model

3.3. Hierarchical Quantitative Situation Assessment

For narrative convenience, we define the following concepts.

Definition 1. Attack (A): the activities that trigger the FW, IDS, anti-virus and other security devices to generate an alert. After pre-processing and D-S data fusion, an attack can be expressed as A = ⟨ATK_TYPE, ATK_BEL, SEVERITY, TIME, DIP⟩, where ATK_TYPE is the attack type, ATK_BEL the confidence level, SEVERITY the threat index obtained from the Knowledge Base, TIME the time at which the attack took place, and DIP the target host.

Definition 2. Service Security Situation: the insecurity degree of a service after it has been attacked.

Definition 3. Host Security Situation: the impact of a number of insecure services on a host.

Definition 4. Network Security Situation: the impact of a number of insecure hosts on a network.

We first evaluate how seriously the services provided by a host are under attack. Note that the impact of an attack on a service is related not only to the level of threat but also to the network traffic of user activities; besides, the impact of an attack varies with the time of day [10]. So we propose the following service security situation assessment formula:

$$ SS_S(t) = W(t) \sum_{j} 10^{B_j} \, A_j \qquad (2) $$

In formula (2), S denotes the service under attack and W(t) the weight of the time period. We divide one day into three consecutive periods t_1, t_2, t_3. Based on statistical results, the network administrator assigns each period a traffic level (low, medium or high), quantified as 1, 2 and 3 respectively; after normalization these give the weight W(t) of each period (formula (3)). A_j is the confidence value of attack j after alert fusion, j ∈ {FTP_ATK_1, FTP_ATK_2, HTTP_ATK_1, ...}, and B_j is the severity of attack j. The higher the value of SS_S(t), the higher the threat level of the service at time t.

Then the host security situation is evaluated. The security situation of a host is affected by its services and by its security mechanisms [4]. The assessment formula is:

$$ SS_H(t) = \frac{\sum_{S} W_S \, SS_S(t)}{\sum_{p \in SA} \sum_{q} W_{SA_p} \, SP_{pq}}, \qquad H \in \{Host\_A, Host\_B, Host\_C, \ldots\} \qquad (4) $$

SS_H(t) is the security situation of host H at time t. W_S is the importance weight of service S on host H, and SS_S(t) the security index of service S on host H. W_{SA_p} is the importance weight of security standard p on host H, with SA_p ∈ {Confidentiality, Availability, Integrity, Authentication, Non_Repudiation}. SP_{pq} is the level of influence of security mechanism q on security standard p, with q ∈ {encrypting, digital_signaturing, access_controlling, ...} and p ∈ SA. The greater the value of SS_H(t), the higher the threat level of host H at time t.

Finally, the network security situation assessment formula is:

$$ SS_N(t) = \sum_{H} W_H \, SS_H(t) \qquad (5) $$

W_H is the importance weight of host H in the network. The larger the value of SS_N(t), the higher the threat level of the network at time t.

4. Experimental Results and Analysis

To test the HNSSAM model, we simulated a multi-sensor network environment (see Figure 3). In this environment we deployed four different sensors: a firewall at the Internet entry point, a network intrusion detection system (NIDS), a host intrusion detection system (HIDS) and anti-virus software installed on the hosts.
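The verification step of Section 3.1 and the bottom-up evaluation of equations (2), (4) and (5) from Section 3.3, as an added example that is not the paper's own code: hosts, weights and already-fused alerts are constructed inputs, the normalization used for the time weight W(t) is an assumption (equation (3) is not legible in this copy), and the class, field and function names are chosen for this example.

```python
"""Hierarchical (bottom-up) security situation assessment.

Added example, not code from the paper: implements the data verification
of Section 3.1 and equations (2), (4) and (5) of Section 3.3 over
constructed hosts and already-fused alerts. Normalising W(t) as
level / sum(levels) is an assumption; equation (3) is not legible here.
"""
from dataclasses import dataclass
from typing import Dict, List


@dataclass(frozen=True)
class Attack:
    """Definition 1: A = <ATK_TYPE, ATK_BEL, SEVERITY, TIME, DIP>, plus the
    targeted service and the OS the exploit needs (used by verification)."""
    atk_type: str
    atk_bel: float   # A_j: belief that the alert is a true positive, after D-S fusion
    severity: int    # B_j: threat index from the knowledge base
    time: int        # hour of day, 0..23
    dip: str         # target host
    service: str     # service on DIP that the attack targets
    needs_os: str    # OS family the attack can only succeed on


@dataclass
class Host:
    os: str
    services: Dict[str, float]               # service -> W_S
    standards: Dict[str, float]              # SA_p -> W_SAp
    mechanisms: Dict[str, Dict[str, float]]  # SA_p -> {mechanism q: SP_pq}
    weight: float                            # W_H


# (start_hour, end_hour, traffic level) with low=1, medium=2, high=3 (constructed)
PERIODS = [(0, 8, 1), (8, 18, 3), (18, 24, 2)]


def time_weight(period: int) -> float:
    """W(t): the period's traffic level normalised over the day (assumption)."""
    return PERIODS[period][2] / sum(level for _, _, level in PERIODS)


def in_period(hour: int, period: int) -> bool:
    start, end, _ = PERIODS[period]
    return start <= hour < end


def verify(alerts: List[Attack], hosts: Dict[str, Host]) -> List[Attack]:
    """Section 3.1: drop alerts whose attack could not have succeeded,
    e.g. a Serv-U (Windows) directory traversal against a Linux host."""
    kept = []
    for a in alerts:
        host = hosts.get(a.dip)
        if host is None:
            continue  # unknown target: nothing to assess
        if a.needs_os != host.os or a.service not in host.services:
            continue  # preconditions not met: non-impact alert
        kept.append(a)
    return kept


def service_situation(alerts: List[Attack], dip: str, service: str, period: int) -> float:
    """Equation (2): SS_S(t) = W(t) * sum_j 10**B_j * A_j over that service's alerts."""
    total = sum(10 ** a.severity * a.atk_bel
                for a in alerts
                if a.dip == dip and a.service == service and in_period(a.time, period))
    return time_weight(period) * total


def host_situation(alerts: List[Attack], name: str, host: Host, period: int) -> float:
    """Equation (4): weighted service threat divided by the protection term."""
    threat = sum(w_s * service_situation(alerts, name, s, period)
                 for s, w_s in host.services.items())
    protection = sum(w_p * sum(host.mechanisms.get(p, {}).values())
                     for p, w_p in host.standards.items())
    return threat / protection


def network_situation(alerts: List[Attack], hosts: Dict[str, Host], period: int) -> float:
    """Equation (5): SS_N(t) = sum_H W_H * SS_H(t)."""
    return sum(h.weight * host_situation(alerts, n, h, period) for n, h in hosts.items())


# Constructed inventory and alerts (not the paper's experimental data).
HOSTS = {
    "Host_A": Host("linux", {"rpc": 0.5, "ftp": 0.3, "http": 0.2},
                   {"Confidentiality": 0.5, "Availability": 0.5},
                   {"Confidentiality": {"encrypting": 1.0},
                    "Availability": {"access_controlling": 1.0}}, 0.6),
    "Host_B": Host("linux", {"http": 1.0}, {"Availability": 1.0},
                   {"Availability": {"access_controlling": 2.0}}, 0.4),
}
RAW_ALERTS = [
    Attack("rpc_overflow", 0.9, 3, 20, "Host_A", "rpc", "linux"),
    Attack("ftp_bruteforce", 0.6, 1, 21, "Host_A", "ftp", "linux"),
    Attack("servu_dir_traversal", 0.8, 2, 22, "Host_A", "ftp", "windows"),  # dropped
    Attack("http_sqli", 0.7, 2, 10, "Host_B", "http", "linux"),  # falls in t2
    Attack("http_sqli", 0.5, 2, 19, "Host_B", "http", "linux"),
]
ALERTS = verify(RAW_ALERTS, HOSTS)

if __name__ == "__main__":
    t3 = 2
    for name, host in HOSTS.items():
        print(name, round(host_situation(ALERTS, name, host, t3), 2))
    print("network", round(network_situation(ALERTS, HOSTS, t3), 2))
```

Because the severity enters as 10^{B_j}, one high-severity alert with moderate belief dominates many low-severity ones (the RPC alert above outweighs the FTP brute force by two orders of magnitude), which is what lets the RPC service surface first in the ranking; the protection term of equation (4) only rescales a host's score, so hosts with no documented mechanisms need a non-zero denominator or the division fails.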

Fig. 3. Experimental network topology

Section 1. We divided one day into three periods, t_1 = 00:00 ~ 08:00, t_2 = 08:00 ~ 18:00 and t_3 = 18:00 ~ 24:00, and assigned each period a different importance level. Observation times 1 and 6 fall in period t_3, 2 ~ 3 in period t_1, and 4 ~ 5 in period t_2. From time 1 to 6, we collected the attacks on Hosts A, B and C detected by the FW, NIDS, HIDS and anti-virus.

Section 2. For the security data collected in Section 1, we look up the corresponding confidence level in the Knowledge Base and fuse the confidence values with the D-S rule. The fused values are then combined with the severity value of each attack from the Knowledge Base, and the service security situation value is obtained from equation (2).

Section 3. The results of Section 2 are drawn in Figure 4 a), which clearly shows that the RPC services on Host A suffer the highest level of threat and should be dealt with first. From equation (4) we obtain the host security situation, shown in Figure 4 b); the attacks are clearly active during times 1 to 4.

Fig. 4. (a) Security situation of all services on host A; (b) Security situation of host A

Section 4. From the results of Section 3, the security situation of all hosts follows directly (Figure 5 a)); from this figure administrators can read the threat level of each host. From equation (5) we obtain the network security situation, shown in Figure 5 b), which indicates that this network suffers more attacks from the afternoon to midnight.

Fig. 5. (a) Security situation of all hosts on the LAN; (b) Security situation of the LAN

According to the analysis above, the HNSSAM framework provides three levels of cyber security situation. This method overcomes the shortcomings of current hierarchical situation awareness systems, and it can also assist decision-makers in adjusting policy to enhance security.

5. Conclusions

In this paper, we analyzed existing situation assessment algorithms and proposed a novel cyber security situation assessment model based on multiple heterogeneous sensors. Following the proposed model, we implemented a situation awareness system. The evaluation of a simulated network indicates that the approach is suitable for the network environment and that its results are precise and efficient.

References

[1] Bass, T., Intrusion Detection Systems and Multisensor Data Fusion, Communications of the ACM, Vol. 43, No. 4, April 2000.
[2] Wang Huiqiang, Lai Jibao and Ying Liang, Network Security Situation Awareness Based on Heterogeneous Multi-Sensor Data Fusion and Neural Network, Second International Multisymposium on Computer and Computational Sciences, 2007.
[3] Wei Yong and Lian Yi-Feng, A Network Security Situational Awareness Model Based on Log Audit and Performance Correction, Chinese Journal of Computers, 2009(04).
[4] Zhang Yong, Tan Xiao-bin, Cui Xiao-lin and Xi Hong-sheng, Network Security Situation Awareness Approach Based on Markov Game Model, Journal of Software, 2011(03).
[5] Lai Ji-bao, Wang Ying, Wang Hui-qiang, Zheng Feng-bing and Zhou Bing, Research on Network Security Situation Awareness System Architecture Based on Multi-source Heterogeneous Sensors, Computer Science, 2011(03).
[6] Endsley, M., Design and evaluation for situation awareness enhancement, Proceedings of the Human Factors Society 32nd Annual Meeting, Human Factors Society, pp. 97–101, 1988.
[7] Liu Mixi, Yu Dongmei, Zhang Qiuyu et al., Network Security Situation Assessment Based on Data Fusion, 2008 Workshop on Knowledge Discovery and Data Mining, 2008.
[8] Sentz, K. and Ferson, S., Combination of Evidence in Dempster-Shafer Theory, SAND 2002-0835, Unlimited Release, April 2002.
[9] Mei Haibin and Gong Jian, Intrusion Alert Correlation Based On D-S Evidence Theory, Second International Conference on Communications and Networking in China, IEEE, 2007.
[10] Chen XZ, Zheng QH, Guan XH et al., Quantitative hierarchical threat evaluation model for network security, Journal of Software, 2006(04).