network security perception framework based on multi-sensor data fusion [1], [2]. It helps network administrators identify, track and measure network attack activities. Drawing on Endsley's situation awareness framework [3], Jibao et al. [4] developed a network security situation awareness model. On the other hand, following Bass's concept, Liu et al. [5] put forward a model of network security perception based on information fusion.
To understand the security trend of the whole network, a great deal of information has to be collected, fused and analysed so that both the false positive rate and the false negative rate are reduced. Yu et al. [6] reported a warning message fusion method based on weighted D-S evidence theory: information from all sensors, each with a different reliability and weight, is fused to increase the reliability of warning messages and effectively decrease the false alarm rate. The difficulty, however, lies in setting the reliability and weight of each sensor accurately. Wang et al. [7] suggested using a neural network for heterogeneous multi-sensor data fusion and taking the time and severity of the attack into account when analysing the security situation. Stefanos et al. [8] find latent correlations with the help of automatic knowledge discovery and thereby realize correlation analysis among warning information. The advantage is the automatic knowledge discovery mechanism; the disadvantage is that it does not always give satisfactory results without human interaction, and sometimes it finds a great deal of useless messages.
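The weighted D-S fusion of warning messages described above, as an added worked example that is not from the paper or from Yu et al. [6]: each sensor's weight is modelled as Shafer discounting of its basic probability assignment before Dempster's rule combines the sensors, which is an assumption about how the weighting is realised. The three sensor reports are constructed sample values.

```python
from itertools import product

# Frame of discernment for one warning: is the observed flow an attack or not?
FRAME = frozenset({"attack", "normal"})
ATTACK = frozenset({"attack"})
NORMAL = frozenset({"normal"})

def discount(bpa, reliability):
    """Shafer discounting: scale each focal element by the sensor's reliability
    (the 'weight' in weighted D-S) and move the removed mass to the whole frame."""
    if not 0.0 <= reliability <= 1.0:
        raise ValueError("reliability must be in [0, 1]")
    out = {f: m * reliability for f, m in bpa.items() if f != FRAME}
    out[FRAME] = 1.0 - reliability + reliability * bpa.get(FRAME, 0.0)
    return out

def combine(m1, m2):
    """Dempster's rule of combination; returns (fused BPA, conflict K)."""
    fused, conflict = {}, 0.0
    for (a, ma), (b, mb) in product(m1.items(), m2.items()):
        both = a & b
        if both:
            fused[both] = fused.get(both, 0.0) + ma * mb
        else:
            conflict += ma * mb          # mass assigned to contradictory sets
    if conflict >= 1.0 - 1e-12:
        raise ValueError("total conflict between sensors; cannot combine")
    return {f: m / (1.0 - conflict) for f, m in fused.items()}, conflict

def fuse_sensors(reports):
    """reports: list of (bpa, reliability) pairs, one per sensor."""
    fused = None
    for bpa, reliability in reports:
        m = discount(bpa, reliability)
        fused = m if fused is None else combine(fused, m)[0]
    return fused
def belief(bpa, hypothesis):
    return sum(m for f, m in bpa.items() if f <= hypothesis)
def plausibility(bpa, hypothesis):
    return sum(m for f, m in bpa.items() if f & hypothesis)

# Constructed sample: signature IDS (reliable), anomaly detector (less so) and
# a host agent that is largely unsure, all reporting on the same flow.
SAMPLE_REPORTS = [
    ({ATTACK: 0.8, NORMAL: 0.1, FRAME: 0.1}, 0.9),
    ({ATTACK: 0.6, NORMAL: 0.2, FRAME: 0.2}, 0.6),
    ({ATTACK: 0.3, NORMAL: 0.3, FRAME: 0.4}, 0.8),
]

if __name__ == "__main__":
    fused = fuse_sensors(SAMPLE_REPORTS)
    print(f"Bel(attack)={belief(fused, ATTACK):.3f}  Pl(attack)={plausibility(fused, ATTACK):.3f}")
```

`combine` also returns the conflict coefficient K; a K close to 1 means the sensors contradict each other and the fused belief should not be trusted, which is exactly the situation the per-sensor reliability weights are meant to soften.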
After data fusion and correlation analysis of the multi-sensor warning information, the security situation model has to be quantified. Bass [9] holds that the evaluation of security risk should include the assets of the system, the degree of threat and the severity of attack. Zhang et al. [10] include all network environment parameters in the security situation framework, such as the number of important hosts in the network, the services provided by the hosts and the impact the attacks could cause. Chen [11] suggested dividing the risk evaluation method into different levels, quantifying the network security situation according to a hierarchical structure of service, host and network: the importance of assets and the impact of attacks are defined first and the vulnerabilities collected, after which the security situation of the whole network can be evaluated when a network attack happens.
This is an integrated process from the acquisition of network security information to the building of the network security situation model. However, most of the research has focused on the fusion of security events or on methods of security risk evaluation. None of it gives a formal description of the network security situation, and all of it lacks an integrated situation awareness framework. This paper not only brings forward a formal network security situation model based on knowledge discovery, but also proposes an integrated network situation awareness framework that supports the whole process from the analysis of security events to the perception of the security situation.