control center also generates the current network security
situation, and the user can see the inspection results and the
view of the network security situation in real time through
graphical interfaces.
TABLE I. THE ATTACK RECORDS

Stage    Source IP        Destination IP           Event Type
Stage 1  202.77.162.213   172.16.112.0/24          ICMP Ping Sweep
                          172.16.113.0/24
                          172.16.114.0/24
                          172.16.115.0/24
Stage 2  202.77.162.213   Active hosts in stage 1  RPC portmap Sadmind request UDP
Stage 3  202.77.162.213   172.16.115.20            RPC Sadmind overflow attempt
                          172.16.112.10            RPC Sadmind query with root credentials attempt UDP
                          172.16.112.50
Stage 4  172.16.115.20    202.77.162.213           RSERVICES rsh root
         172.16.112.10
         172.16.112.50
Stage 5  Forged IP        131.84.1.31              Possible DDoS Attack
Table I gives the records reported by the sensors during
the five stages of the whole network attack process. In
accordance with the security situation model, the alert events
generated by the various security sensors were simplified,
filtered, fused and correlated. The number of warning events
decreased greatly, from 64481 to 6164. At the same time,
according to the correlation rule, the many trivial attacks
aimed at the victim host from forged IP addresses were
converted into a single DDoS attack. With the calculated risk
values, the nodes of the experiment network were marked with
different colors; nodes with high risk were marked in red.
Furthermore, by analyzing the attack events, the attack path
was marked and the current network security situation view
was formed, as shown in Figure 2.
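The following is an added illustration of the reduction pipeline described above (simplify and fuse duplicate alerts, apply a correlation rule that folds many single-source alerts against one host into one DDoS alert, score each node's risk, and mark the attack path). It is example code written for this page, not the paper's implementation: the severity weights, the color thresholds, the source-count threshold for the DDoS rule, and the sample alerts (which reuse the addresses from Table I plus constructed forged sources 10.0.0.x and a constructed event name "UDP flood packet") are all assumptions.

```python
"""Toy alert simplification, fusion, correlation, risk scoring and path marking.

Added example for this page; not the paper's code. Weights, thresholds and
the sample alerts below are assumptions chosen for illustration.
"""
from collections import Counter, defaultdict

ATTACKER = "202.77.162.213"
VICTIMS = ["172.16.115.20", "172.16.112.10", "172.16.112.50"]
DDOS_TARGET = "131.84.1.31"

# Assumed severity per event type (the paper does not publish its weights).
SEVERITY = {
    "ICMP Ping Sweep": 1,
    "RPC portmap Sadmind request UDP": 2,
    "RPC Sadmind overflow attempt": 5,
    "RSERVICES rsh root": 4,
    "Possible DDoS Attack": 8,
}


def sample_alerts():
    """Constructed sensor output: repeated alerts for each stage plus a flood
    from twelve forged sources against the DDoS target."""
    raw = []
    for v in VICTIMS:
        raw += [{"src": ATTACKER, "dst": v, "event": "ICMP Ping Sweep"}] * 2
    raw += [{"src": ATTACKER, "dst": VICTIMS[0],
             "event": "RPC portmap Sadmind request UDP"}] * 3
    raw += [{"src": ATTACKER, "dst": VICTIMS[0],
             "event": "RPC Sadmind overflow attempt"}] * 2
    # Stage 4 in Table I: the rsh connection runs from the victim to the attacker.
    raw += [{"src": VICTIMS[0], "dst": ATTACKER, "event": "RSERVICES rsh root"}]
    for i in range(12):  # constructed forged sources
        raw += [{"src": f"10.0.0.{i + 1}", "dst": DDOS_TARGET,
                 "event": "UDP flood packet"}] * 5
    return raw


def fuse(alerts):
    """Simplify/fuse: collapse identical (src, dst, event) triples into one
    alert carrying a count."""
    counts = Counter((a["src"], a["dst"], a["event"]) for a in alerts)
    return [{"src": s, "dst": d, "event": e, "count": n}
            for (s, d, e), n in counts.items()]


def correlate_ddos(fused, min_sources=10):
    """Correlation rule: when at least min_sources distinct sources send the
    same event to one host, replace them with a single DDoS alert whose
    source is recorded as 'Forged IP'."""
    by_target = defaultdict(list)
    for a in fused:
        by_target[(a["dst"], a["event"])].append(a)
    out = []
    for (dst, _event), group in by_target.items():
        if len({a["src"] for a in group}) >= min_sources:
            out.append({"src": "Forged IP", "dst": dst,
                        "event": "Possible DDoS Attack",
                        "count": sum(a["count"] for a in group)})
        else:
            out.extend(group)
    return out


def risk_by_node(alerts):
    """Risk value of a node = sum of the severities of alerts targeting it."""
    score = defaultdict(int)
    for a in alerts:
        score[a["dst"]] += SEVERITY.get(a["event"], 1)
    return dict(score)


def color(score):
    """Assumed thresholds: red for high risk, yellow for medium, green otherwise."""
    return "red" if score >= 8 else ("yellow" if score >= 3 else "green")


def attack_path(alerts, attacker):
    """Edges reachable from the attacker in alert order, followed by the
    correlated DDoS edges (their true origin is hidden behind forged IPs)."""
    edges = [(a["src"], a["dst"], a["event"]) for a in alerts]
    path, frontier, seen = [], [attacker], {attacker}
    while frontier:
        node = frontier.pop(0)
        for s, d, e in edges:
            if s == node and (s, d, e) not in path:
                path.append((s, d, e))
                if d not in seen:
                    seen.add(d)
                    frontier.append(d)
    path += [edge for edge in edges if edge[0] == "Forged IP"]
    return path


def situation_view(raw):
    """Run the whole pipeline and return what a view would render."""
    correlated = correlate_ddos(fuse(raw))
    scores = risk_by_node(correlated)
    return {"before": len(raw), "after": len(correlated),
            "nodes": {ip: (s, color(s)) for ip, s in scores.items()},
            "path": attack_path(correlated, ATTACKER)}


if __name__ == "__main__":
    view = situation_view(sample_alerts())
    print(f"alerts: {view['before']} -> {view['after']}")
    for ip, (s, c) in view["nodes"].items():
        print(f"{ip:16} risk={s:2} {c}")
    for edge in view["path"]:
        print(" -> ".join(edge))
```

On the constructed input the 72 raw alerts fuse to 18 and correlate to 7, with the sixty flood packets folded into one "Possible DDoS Attack" record; the overflowed host and the DDoS target come out red, while the hosts that were only ping-swept stay green.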