CN101951329B - Network security situation evaluation method and system - Google Patents


Info

Publication number
CN101951329B
Authority
CN
China
Prior art keywords
network
confidence level
event set
time period
preset time
Prior art date
Legal status
Expired - Fee Related
Application number
CN 201010292870
Other languages
Chinese (zh)
Other versions
CN101951329A (en)
Inventor
王东霞
赵刚
冯学伟
马国庆
李津
方兰
王春雷
李远玲
刘杰
张鲁峰
赵金晶
李响
苗青
Current Assignee
Beijing System Engineering Research Institute
Original Assignee
Beijing System Engineering Research Institute
Application filed by Beijing System Engineering Research Institute
Priority to CN 201010292870
Publication of CN101951329A
Application granted
Publication of CN101951329B
Legal status: Expired - Fee Related

Abstract

The invention discloses a network security situation evaluation method and system that widen the range of application and improve the accuracy of network security situation evaluation. The method comprises: classifying all security events in a preset time period by attack type to form at least one event set; accumulating the attack risk grades of the security events in each event set and taking each accumulated value as the risk degree value of that event set; substituting the risk degree value of each event set as the independent variable into the empirical function f_i() corresponding to that event set to obtain the confidence that the event set places the network in an unsafe state; and using the confidence values of the event sets as evidence components, combining them with the composition rule of evidence theory to obtain the confidence that the network is in an unsafe state during the preset time period. The scheme thus quantitatively evaluates the security situation of the whole network and improves both the range of application and the accuracy of network security situation evaluation.

Description

Network security situation evaluation method and system
Technical field
The present invention relates to the field of network security, and in particular to a network security situation evaluation method and system.
Background technology
Network security situation assessment is an important research topic in information security. It refers to using assessment algorithms to comprehensively analyse the security elements of a network and presenting the relationships and degrees of influence between those elements to the administrator as macroscopic indices, so that the administrator perceives the security posture of the network system from a global viewpoint and can make sound, accurate decisions. Network security situation assessment is the foundation of all security management.
The technique in general use at present is the quantitative classification technique based on static weighting. It works as follows. When attack activity occurs in the network, it triggers the distributed security devices (intrusion detection systems, firewalls and so on), which generate security events. A security event records the attributes of the attack, such as attack type, source address, destination address and attack risk grade. The static-weighting technique classifies events by destination address along the granularity of the network resources, from system level through host level to service level, producing a hierarchical set of events as shown in Fig. 1. In the tree of Fig. 1 each leaf node is an event set. When a security event is generated it is assigned to a leaf node according to its destination host and destination service, so a leaf node represents all security events against a given service on a given destination host. During assessment each leaf node is processed first: the attack risk grades of the events in the leaf node are accumulated to obtain the situation index Service_{i,j} of service j on host i; formula (1) then gives the situation index Node_i of each host i, where Weight(Service_{i,j}) is the weight of service j on host i; and formula (2) gives the situation index System of the whole system, which completes the evaluation. System reflects, from a macroscopic viewpoint, the current security state of the whole network.
$$\mathrm{Node}_i = \sum_{j=1}^{k} \mathrm{Service}_{i,j} \cdot \mathrm{Weight}(\mathrm{Service}_{i,j}) \qquad (1)$$
$$\mathrm{System} = \sum_{i=1}^{n} \mathrm{Node}_i \cdot \mathrm{Weight}(\mathrm{Node}_i) \qquad (2)$$
However, because the static-weighting technique classifies events by destination address, from system level through host level to service level, it has at least the following shortcomings. First, since the classification depends on the destination address, the method is inapplicable when the destination address is absent or not unique; a flood attack using ICMP packets, for example, has no definite destination address, and the method then has an obvious limitation and cannot be applied. Second, when several types of attack activity occur in the network at the same time, the processing is confined to static weighting, so the fusion step cannot reflect the differences between the behavioural characteristics of the different attack activities, and the accuracy of the final assessment suffers.
Summary of the invention
To solve the above technical problems, embodiments of the invention provide a network security situation evaluation method and system that widen the range of application and improve the accuracy of network security situation assessment. The technical scheme is as follows:
A network security situation evaluation method comprises:
classifying all security events in a preset time period by attack type to form at least one event set;
accumulating the attack risk grades of the security events in each event set and taking the accumulated value as the extent-of-injury value of that event set;
substituting the extent-of-injury value of each event set as the independent variable into the empirical function f_i() corresponding to that event set to obtain the confidence that the event set places the network in an unsafe state, where the empirical function is a function, designed for the concrete network application environment and satisfying the application conditions of the composition rule of evidence theory, that maps the extent-of-injury value into the interval [0,1];
using the confidence value of each event set as an evidence component and combining all the evidence components with the composition rule of evidence theory to obtain the confidence that the network is in an unsafe state during the preset time period.
Preferably, the empirical function is the belief assignment function
$$f_i(x) = \left( \frac{2\arctan x}{\pi} - e^{k_i - x}\, x^{s_i} \right) \Big/ 2 + 0.5 ;$$
where i is the type identifier of the attack activity, the independent variable x is the extent-of-injury value of the event set, k_i and s_i are the preset correction factors of the attack activity identified by i, and e^{k_i - x} x^{s_i} is the correction function of the attack activity identified by i.
Preferably, combining the evidence components with the composition rule of evidence theory to obtain the confidence that the network is in an unsafe state during the preset time period comprises:
substituting the confidence of each event set as an evidence component into the following formula to obtain the confidence that the network is in an unsafe state during the preset time period:
$$(m_1 \oplus m_2 \oplus \cdots \oplus m_n)(N) = \frac{m_1(N)\, m_2(N) \cdots m_n(N)}{1 - \big( m_1(N)\, m_2(Y) \cdots m_n(Y) + m_1(Y)\, m_2(N)\, m_3(Y) \cdots m_n(Y) + \cdots + m_1(Y)\, m_2(Y) \cdots m_n(N) \big)}$$
where m is the function giving the confidence, obtained from an event set, that the network is in an unsafe state; m_i(N) is the confidence that the attack activity identified by i (i = 1, 2, 3, ..., n) places the network in an unsafe state; m_i(Y) is the confidence that the attack activity identified by i leaves the network in a safe state, with m_i(Y) = 1 - m_i(N); and (m_1 ⊕ m_2 ⊕ ... ⊕ m_n)(N) is the confidence that the network is in an unsafe state during the preset time period.
Preferably, the method further comprises combining the evidence components with the composition rule of evidence theory to obtain the confidence that the network is in a safe state during the preset time period.
Preferably, combining the evidence components with the composition rule of evidence theory to obtain the confidence that the network is in a safe state during the preset time period comprises:
substituting the confidence of each event set as an evidence component into the following formula to obtain the confidence that the network is in a safe state during the preset time period:
$$(m_1 \oplus m_2 \oplus \cdots \oplus m_n)(Y) = \frac{m_1(Y)\, m_2(Y) \cdots m_n(Y)}{1 - \big( m_1(Y)\, m_2(N) \cdots m_n(N) + m_1(N)\, m_2(Y)\, m_3(N) \cdots m_n(N) + \cdots + m_1(N)\, m_2(N) \cdots m_n(Y) \big)}$$
where (m_1 ⊕ m_2 ⊕ ... ⊕ m_n)(Y) is the confidence that the network is in a safe state during the preset time period.
A network security situation assessment system comprises:
an attack classification unit for classifying all security events in a preset time period by attack type to form at least one event set;
a risk accumulation unit for accumulating the attack risk grades of the security events in each event set formed by the attack classification unit and taking the accumulated value as the extent-of-injury value of that event set;
an evidence component acquisition unit for substituting the extent-of-injury value of each event set obtained by the risk accumulation unit as the independent variable into the empirical function f_i() corresponding to that event set to obtain the confidence that the event set places the network in an unsafe state, where the empirical function is a function, designed for the concrete network application environment and the application conditions of the composition rule of evidence theory, that maps the extent-of-injury value into the interval [0,1];
a first confidence acquisition unit for using the confidence value of each event set obtained by the evidence component acquisition unit as an evidence component and combining all the evidence components with the composition rule of evidence theory to obtain the confidence that the network is in an unsafe state during the preset time period.
Preferably, the empirical function is the belief assignment function
$$f_i(x) = \left( \frac{2\arctan x}{\pi} - e^{k_i - x}\, x^{s_i} \right) \Big/ 2 + 0.5 ;$$
where i is the type identifier of the attack activity, the independent variable x is the extent-of-injury value of the event set, k_i and s_i are the preset correction factors of the attack activity identified by i, and e^{k_i - x} x^{s_i} is the correction function of the attack activity identified by i.
Preferably, the first confidence acquisition unit substitutes the confidence of each event set as an evidence component into the following formula to obtain the confidence that the network is in an unsafe state during the preset time period:
$$(m_1 \oplus m_2 \oplus \cdots \oplus m_n)(N) = \frac{m_1(N)\, m_2(N) \cdots m_n(N)}{1 - \big( m_1(N)\, m_2(Y) \cdots m_n(Y) + m_1(Y)\, m_2(N)\, m_3(Y) \cdots m_n(Y) + \cdots + m_1(Y)\, m_2(Y) \cdots m_n(N) \big)}$$
where m is the function giving the confidence, obtained from an event set, that the network is in an unsafe state; m_i(N) is the confidence that the attack activity identified by i (i = 1, 2, 3, ..., n) places the network in an unsafe state; m_i(Y) is the confidence that the attack activity identified by i leaves the network in a safe state, with m_i(Y) = 1 - m_i(N); and (m_1 ⊕ m_2 ⊕ ... ⊕ m_n)(N) is the confidence that the network is in an unsafe state during the preset time period.
Preferably, the system further comprises a second confidence acquisition unit.
The second confidence acquisition unit uses the confidence value of each event set obtained by the evidence component acquisition unit as an evidence component and combines all the evidence components with the composition rule of evidence theory to obtain the confidence that the network is in a safe state during the preset time period.
Preferably, the second confidence acquisition unit substitutes the confidence of each event set as an evidence component into the following formula to obtain the confidence that the network is in a safe state during the preset time period:
$$(m_1 \oplus m_2 \oplus \cdots \oplus m_n)(Y) = \frac{m_1(Y)\, m_2(Y) \cdots m_n(Y)}{1 - \big( m_1(Y)\, m_2(N) \cdots m_n(N) + m_1(N)\, m_2(Y)\, m_3(N) \cdots m_n(N) + \cdots + m_1(N)\, m_2(N) \cdots m_n(Y) \big)}$$
where (m_1 ⊕ m_2 ⊕ ... ⊕ m_n)(Y) is the confidence that the network is in a safe state during the preset time period.
The above scheme achieves a quantitative assessment of the security situation of the whole network system. Compared with the prior art, the scheme provided by embodiments of the invention classifies security events by attack type rather than, as is conventional, by destination address, which removes the limitation of evaluation schemes that cannot be applied when the destination address is absent or not unique. In addition, the scheme designs a suitable empirical function according to the behavioural characteristics of each type of attack activity, so that different attack activities are treated differently according to their own characteristics; this accurately describes the capability of different attack activities to harm network resources and effectively improves the accuracy of the assessment result.
Description of drawings
To explain the embodiments of the invention or the technical scheme of the prior art more clearly, the drawings needed for the description of the embodiments or the prior art are briefly introduced below. Evidently the drawings described below are only some embodiments recorded in the present invention, and those of ordinary skill in the art can obtain other drawings from them.
Fig. 1 is the hierarchical event set topology of the quantitative classification technique based on static weighting;
Fig. 2 is a flow chart of the network security situation evaluation method provided by an embodiment of the invention;
Fig. 3 is another flow chart of the network security situation evaluation method provided by an embodiment of the invention;
Fig. 4 is a structural diagram of the network security situation assessment system provided by an embodiment of the invention;
Fig. 5 is another structural diagram of the network security situation assessment system provided by an embodiment of the invention.
Embodiments
For ease of reference and clarity, the composition rule of evidence theory is first described.
Evidence theory was proposed in the 1960s by the Harvard University mathematician A. P. Dempster and developed by his student G. Shafer; it gradually formed a set of mathematical methods for uncertain reasoning based on "evidence" and "combination". Evidence theory is widely applied in fields such as expert systems and information fusion. Its composition rule is:
$$(m_1 \oplus m_2 \oplus \cdots \oplus m_n)(A) = \frac{1}{K} \sum_{A_1 \cap A_2 \cap \cdots \cap A_n = A} m_1(A_1)\, m_2(A_2) \cdots m_n(A_n)$$
where K is called the normalization constant:
[definition of K: equation image in the original, not reproduced here]
The formula is explained as follows. Evidence theory first defines a frame of discernment Θ, also called the hypothesis space; every conclusion A_i supported by a piece of evidence is a subset of the frame, i.e. a proposition. m is called the basic belief assignment on the frame Θ, and the function m: R → [0,1] must satisfy the following two equations:
[condition 1): equation image in the original, not reproduced here]
$$2)\ \sum_{A \subseteq \Theta} m(A) = 1;$$
m_i(A) is the confidence with which evidence i holds that proposition A is true, and (m_1 ⊕ m_2 ⊕ ... ⊕ m_n)(A) is the confidence that proposition A is true given several pieces of evidence.
To help those skilled in the art understand the technical scheme of the invention better, it is described clearly and completely below with reference to the drawings of the embodiments. Evidently the described embodiments are only some of the embodiments of the invention, not all of them; all other embodiments obtained by those of ordinary skill in the art on the basis of these embodiments fall within the scope of protection of the invention.
The invention provides a network security situation evaluation method that widens the range of application and improves the accuracy of network security situation assessment.
The invention uses the composition rule of evidence theory with the frame of discernment Θ = {N, Y}, whose two subsets {N} and {Y} represent the unsafe and safe states of the network respectively; the two states form a complete, mutually exclusive set of propositions. As shown in Fig. 2, the network security situation evaluation method comprises the following steps:
Step S10: classify all security events in the preset time period by attack type to form at least one event set;
Network security situations differ, so the assessment period of each network is decided according to its concrete environment. Within the preset time period a network is subjected to various attack activities that generate a large number of security events; these may be high-level alarm events obtained after correlation analysis. The security events are stored in a database in a standard record format, each with security attributes such as attack type, attack source address, attack destination address and risk grade. When the security situation within the preset time period is assessed, all security events are classified by attack type, forming at least one event set, where an event set is the set of security events with the same attack type.
Step S20: accumulate the attack risk grades of the security events in each event set and take the accumulated value as the extent-of-injury value of that event set;
Each security event has a corresponding attack risk grade, different numerical values representing different grades. During assessment the attack risk grade values of all security events in each event set are summed, and the sum is the extent-of-injury value of that event set.
Step S30: substitute the extent-of-injury value of each event set as the independent variable into the empirical function f_i() corresponding to that event set to obtain the confidence that the event set places the network in an unsafe state; the empirical function is a function, designed for the concrete network application environment and satisfying the application conditions of the composition rule of evidence theory, that maps the extent-of-injury value into the interval [0,1];
An adjustable empirical function is designed in advance for the characteristics of situation assessment and of the various attack activities; it maps the extent-of-injury value of each event set into the interval [0,1] and satisfies the application conditions of the composition rule of evidence theory, i.e. the empirical function f_i(): R → [0,1] must satisfy:
[condition 1): equation image in the original, not reproduced here]
$$2)\ \sum_{N \subseteq \Theta} f(N) = 1;$$
The empirical function contains correction factors, and different correction factors correspond to different attack activities; adjusting the correction factors makes the empirical function specific to each attack activity and so reflects the different characteristics of the different attack activities. During assessment the extent-of-injury value of each event set is substituted as the independent variable into the empirical function f_i() to obtain the confidence that the event set places the network in an unsafe state.
Step S40: use the confidence value of each event set as an evidence component and combine all the evidence components with the composition rule of evidence theory to obtain the confidence that the network is in an unsafe state during the preset time period.
Each event set yields, through its corresponding empirical function f_i(), a confidence that the network is in an unsafe state; taking each such confidence as an evidence component of the composition rule of evidence theory gives, after comprehensive analysis of all security events, the confidence that the network is in an unsafe state.
Applying the above network security situation evaluation method achieves a quantitative assessment of the security situation of the whole network system. Compared with the prior art, security events are classified by attack type rather than, as is conventional, by destination address, which removes the limitation of evaluation schemes that cannot be applied when the destination address is absent or not unique. In addition, the scheme designs a suitable empirical function according to the behavioural characteristics of each type of attack activity, so that different attack activities are treated differently according to their own characteristics; this accurately describes the capability of different attack activities to harm network resources and effectively improves the accuracy of the assessment result.
The empirical function above can be a belief assignment function of the following form:
$$f_i(x) = \left( \frac{2\arctan x}{\pi} - e^{k_i - x}\, x^{s_i} \right) \Big/ 2 + 0.5 ;$$
where i is the type identifier of the attack activity, the independent variable x is the extent-of-injury value of the event set, k_i and s_i are the preset correction factors of the attack activity identified by i, and e^{k_i - x} x^{s_i} is the correction function of the attack activity identified by i.
The belief assignment function f_i() is designed as the empirical function for the concrete application environment and satisfies the application conditions of the composition rule of evidence theory. It uses the arctangent function as its base and defines, according to the characteristics of each kind of attack activity, a correction function e^{k_i - x} x^{s_i} for it. The correction function controls the growth rate and growth range of the arctangent function and thereby expresses the attack characteristics: the K and S values that identify different attack activities differ, so each attack activity has its own specific correction function. During assessment the extent-of-injury value of each event set is substituted as the independent variable x into the belief assignment function to obtain the confidence that the event set places the network in an unsafe state. Because the correction function of each kind of attack activity is different, the different characteristics of the different attack activities are expressed.
Of course, the empirical function is not limited to the fixed form and preset parameters of the belief assignment function above; different belief assignment functions can correspond to different application environments. To reduce the cost of evaluation and simplify the design of the function, one correction function may in practice be designed to represent several classes of attack activity, i.e. several attack activities share the same correction factors k and s. Providing different empirical functions allows the scheme to be applied to different network environments and so widens its range of application.
Combining the evidence components with the composition rule of evidence theory to obtain the confidence that the network is in an unsafe state during the preset time period can be done specifically as follows:
substitute the confidence of each event set as an evidence component into the following formula to obtain the confidence that the network is in an unsafe state during the preset time period:
$$(m_1 \oplus m_2 \oplus \cdots \oplus m_n)(N) = \frac{m_1(N)\, m_2(N) \cdots m_n(N)}{1 - \big( m_1(N)\, m_2(Y) \cdots m_n(Y) + m_1(Y)\, m_2(N)\, m_3(Y) \cdots m_n(Y) + \cdots + m_1(Y)\, m_2(Y) \cdots m_n(N) \big)}$$
where m is the function giving the confidence that the network is in each state; m_i(N) is the confidence that the attack activity identified by i (i = 1, 2, 3, ..., n) places the network in an unsafe state; m_i(Y) is the confidence that the attack activity identified by i leaves the network in a safe state, with m_i(Y) = 1 - m_i(N); and (m_1 ⊕ m_2 ⊕ ... ⊕ m_n)(N) is the confidence that the network is in an unsafe state during the preset time period.
All security events in an event set belong to the same attack activity, so the confidence that an event set places the network in an unsafe state is the confidence that the corresponding attack activity places the network in an unsafe state; the confidence value of each event set is therefore substituted as an evidence component into the corresponding m_i(N). Since the confidence that event set i places the network in an unsafe state is m_i(N), the confidence that it leaves the network in a safe state is m_i(Y) = 1 - m_i(N), and the confidence that the network is in an unsafe state during the preset time period can thus be obtained.
After the confidence that the network is in an unsafe state has been obtained, the composition rule of evidence theory can further be used to combine the evidence components into the confidence that the network is in a safe state during the preset time period. Specifically, the following scheme can be used:
substitute the confidence of each event set as an evidence component into the following formula to obtain the confidence that the network is in a safe state during the preset time period:
$$(m_1 \oplus m_2 \oplus \cdots \oplus m_n)(Y) = \frac{m_1(Y)\, m_2(Y) \cdots m_n(Y)}{1 - \big( m_1(Y)\, m_2(N) \cdots m_n(N) + m_1(N)\, m_2(Y)\, m_3(N) \cdots m_n(N) + \cdots + m_1(N)\, m_2(N) \cdots m_n(Y) \big)}$$
where (m_1 ⊕ m_2 ⊕ ... ⊕ m_n)(Y) is the confidence that the network is in a safe state during the preset time period. Because the invention uses the composition rule of evidence theory with the frame of discernment Θ = {N, Y}, whose two subsets {N} and {Y} represent the unsafe and safe states of the network and form a complete, mutually exclusive set of propositions, the confidence that the network is in a safe state during the preset time period can likewise be obtained from the confidence m_i(Y) of each event set that the network is in a safe state and its confidence m_i(N) that the network is in an unsafe state. Obtaining the confidence that the network is in a safe state during the preset time period makes the whole technical scheme more complete.
It will be understood that the above scheme is one concrete implementation and does not limit the scheme of the invention; on its basis, those skilled in the art can design other forms of empirical function according to the actual application environment, or adopt other concrete ways of obtaining the confidence that the network is in a safe or unsafe state, and these also fall within the scope of protection of the invention.
In order to make those skilled in the art person understand better the present invention program, the present invention is described in further detail as example take two kinds of attack activity for the below.
As shown in table 1, two kinds of attack activity have occured current network within preset time period: RPC buffer overflow attack (RPC OverFlow Attack) and tcp port scanning attack (TCP PortScanAttack), described two kinds of attack activity triggering safety means have produced the security incident such as the record format of table 1.
Table 1:
Figure BSA00000284719500101
With reference to Fig. 3, the process of assessing the security state of the current network in the preset time period is as follows:
Step S11: divide all security events into two classes according to attack activity type, forming two event sets;
Step S21: for each event set, accumulate the attack risk grades of all its security events to obtain the extent-of-injury value of each of the two event sets;
As shown in Table 1, the attack type of the three security events with IDs 196, 197 and 198 is the RPC buffer overflow attack; summing the attack risk grade values of these three security events gives an extent-of-injury value of 12 for the event set corresponding to the RPC buffer overflow attack. The attack type of the two security events with IDs 199 and 200 is the TCP port scan attack; summing the attack risk grade values of these two security events gives an extent-of-injury value of 9 for the event set corresponding to the TCP port scan attack;
Step S31: bring the extent-of-injury value of each event set, as the independent variable, into the empirical function set in advance, mapping it into the interval [0,1] and thereby obtaining, for each event set, the confidence value that the network is in an unsafe state;
Suppose the empirical function designed in advance for the RPC buffer overflow attack is the belief assignment function
$$f_{RPC\_OverFlow\_Attack}(x) = \left(2\arctan(x)/\pi - e^{-1-x}\cdot x^{1.5}\right)/2 + 0.5,$$
and the empirical function designed in advance for the TCP port scan attack is the belief assignment function
$$f_{TCP\_PortScan\_Attack}(x) = \left(2\arctan(x)/\pi - e^{-3.5-x}\cdot x^{4}\right)/2 + 0.5.$$
Bringing the extent-of-injury value of each event set into its corresponding empirical function as the independent variable x yields the confidence values shown in Table 2;
Table 2:
Attack type | Extent of injury | Unsafety | Safety
RPC OverFlow Attack | 12 | 0.9735 | 1-0.9735=0.0265
TCP PortScan Attack | 9 | 0.9525 | 1-0.9525=0.0475
The confidence value that the event set corresponding to the RPC buffer overflow attack makes the network be in an unsafe state is 0.9735, and the confidence value that the network is in a safe state is 0.0265; the confidence value that the event set corresponding to the TCP port scan attack makes the network be in an unsafe state is 0.9525, and the confidence value that the network is in a safe state is 0.0475;
Step S41: using the composition rule of evidence theory, bring the confidence values of the two event sets into the following formulas to obtain the confidence values that the network is in each of the two states:
$$(m_1 \oplus m_2)(\mathrm{Unsafety}) = \frac{m_1(\mathrm{Unsafety}) \cdot m_2(\mathrm{Unsafety})}{1 - \big(m_1(\mathrm{Unsafety}) \cdot m_2(\mathrm{Safety}) + m_1(\mathrm{Safety}) \cdot m_2(\mathrm{Unsafety})\big)} \qquad (3)$$
$$(m_1 \oplus m_2)(\mathrm{Safety}) = \frac{m_1(\mathrm{Safety}) \cdot m_2(\mathrm{Safety})}{1 - \big(m_1(\mathrm{Safety}) \cdot m_2(\mathrm{Unsafety}) + m_1(\mathrm{Unsafety}) \cdot m_2(\mathrm{Safety})\big)} \qquad (4)$$
Here the type identifier of the RPC buffer overflow attack is 1 and that of the TCP port scan attack is 2; m1(Unsafety) and m2(Unsafety) are, respectively, the confidence levels that the RPC buffer overflow attack and the TCP port scan attack make the network be in an unsafe state; m1(Safety) and m2(Safety) are, respectively, the confidence levels that the network is in a safe state under the RPC buffer overflow attack and the TCP port scan attack; and $(m_1 \oplus m_2)(\mathrm{Unsafety})$ and $(m_1 \oplus m_2)(\mathrm{Safety})$ are, respectively, the confidence levels that the network is in an unsafe state and in a safe state in the preset time period.
Bringing the confidence values that the event sets corresponding to the RPC buffer overflow attack and the TCP port scan attack make the network be in each of the two states into formulas (3) and (4) respectively gives the following expressions and results:
$$(m_1 \oplus m_2)(\mathrm{Unsafety}) = \frac{0.9735 \cdot 0.9525}{1 - (0.9735 \cdot 0.0475 + 0.9525 \cdot 0.0265)} \approx 0.99864$$
$$(m_1 \oplus m_2)(\mathrm{Safety}) = \frac{0.0265 \cdot 0.0475}{1 - (0.9735 \cdot 0.0475 + 0.9525 \cdot 0.0265)} \approx 0.00136$$
The confidence level that the whole network is in an unsafe state in the preset time period is therefore about 0.99864, and the confidence level that it is in a safe state is about 0.00136.
In the scheme provided by the above embodiment, the five security events that occurred in the network within the preset time period are classified by attack type into two event sets, corresponding respectively to the RPC buffer overflow attack and the TCP port scan attack, and the security events within each event set have the same attack type. This effectively resolves the limitation that an evaluation scheme becomes inapplicable when the destination address is absent or not unique. Moreover, each of the two event sets has its own belief assignment function, so the two kinds of attack activity can be treated differently according to their own characteristics, accurately depicting the extent of injury each inflicts on network resources and effectively improving the accuracy of the assessment.
From the above description of the embodiments, those skilled in the art can clearly understand that the present invention can be realized by software plus the necessary general-purpose hardware platform. On this understanding, the technical scheme of the present invention, or the part of it that contributes to the prior art, can be embodied in the form of a software product, which can be stored in a storage medium such as ROM/RAM, a magnetic disk or an optical disc and comprises instructions causing a computer device (which may be a personal computer, a server, a network device or the like) to carry out the method described in the embodiments of the present invention or in some part of an embodiment.
Corresponding to the above method embodiments, the present invention also provides a network security situation assessment system; as shown in Fig. 4, the assessment system can comprise:
an attack classification unit 01, used to classify all security events in the preset time period according to attack type, forming at least one event set;
a risk accumulation unit 02, used to accumulate, for each event set formed by the attack classification unit 01, the attack risk grades of the security events in that set, and to define the accumulated value as the extent-of-injury value of that event set;
an evidence component obtaining unit 03, used to bring the extent-of-injury value of each event set obtained by the risk accumulation unit 02, as the independent variable, into the empirical function f_i() corresponding to that event set, obtaining the confidence value that each event set makes the network be in an unsafe state; wherein the empirical function is a function, designed according to the concrete network application environment and the conditions for applying the composition rule of evidence theory, that maps the extent-of-injury value into the interval [0,1];
a first confidence level obtaining unit 04, used to take the confidence value of each event set obtained by the evidence component obtaining unit 03 as an evidence component and, using the composition rule of evidence theory, combine the evidence components to obtain the confidence level that the network is in an unsafe state in the preset time period. Here the empirical function is the belief assignment function:
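The worked example above, carried through in code: this is an added example, not the patent's own implementation. The event records are constructed so that the per-type sums match the text (12 and 9), since the Table 1 image is not on the page; the function names are ours, and n event sets are fused by folding the pairwise rule of formulas (3) and (4), which is the standard associative form of Dempster's rule.

```python
"""Added example (not the patent's code): classify, accumulate, map through
the belief assignment function f_i, and combine by Dempster's rule."""
import math
from collections import defaultdict
from functools import reduce

# Constructed sample of the five security events of Table 1; the risk grades
# are chosen so the per-type sums equal the totals the text gives (12 and 9).
EVENTS = [
    {"id": 196, "attack_type": "RPC_OverFlow_Attack", "risk_grade": 4},
    {"id": 197, "attack_type": "RPC_OverFlow_Attack", "risk_grade": 4},
    {"id": 198, "attack_type": "RPC_OverFlow_Attack", "risk_grade": 4},
    {"id": 199, "attack_type": "TCP_PortScan_Attack", "risk_grade": 5},
    {"id": 200, "attack_type": "TCP_PortScan_Attack", "risk_grade": 4},
]

# Modifying factors (k_i, s_i) per attack type, as used in the description's
# two belief assignment functions.
FACTORS = {
    "RPC_OverFlow_Attack": (-1.0, 1.5),
    "TCP_PortScan_Attack": (-3.5, 4.0),
}


def extent_of_injury(events):
    """Steps S11/S21: group events by attack type and sum their risk grades."""
    totals = defaultdict(int)
    for ev in events:
        totals[ev["attack_type"]] += ev["risk_grade"]
    return dict(totals)


def belief_assignment(x, k, s):
    """Step S31: f_i(x) = (2*arctan(x)/pi - e^(k-x) * x^s) / 2 + 0.5.

    Maps the injury value x (x >= 0) into [0, 1]. The correction term
    e^(k-x) * x^s lowers the belief for small x and vanishes for large x.
    The clamp is a defensive assumption of ours, not part of the patent.
    """
    value = (2.0 * math.atan(x) / math.pi - math.exp(k - x) * x ** s) / 2.0 + 0.5
    return min(1.0, max(0.0, value))


def combine_pair(m1, m2):
    """Step S41: Dempster's rule on the frame {N, Y}, formulas (3) and (4).

    m1 and m2 are (m(N), m(Y)) pairs with m(N) + m(Y) = 1. Total conflict
    (one source fully N, the other fully Y) makes the rule undefined.
    """
    conflict = m1[0] * m2[1] + m1[1] * m2[0]
    if conflict >= 1.0:
        raise ValueError("total conflict: Dempster's rule is undefined")
    unsafety = m1[0] * m2[0] / (1.0 - conflict)
    safety = m1[1] * m2[1] / (1.0 - conflict)
    return unsafety, safety


def evaluate(events, factors):
    """Whole pipeline: returns (m(N), m(Y)) for the network over the period.

    With no events there is no evidence of an unsafe state; returning
    (0.0, 1.0) in that case is our assumption, the page does not say.
    """
    components = []
    for attack_type, x in extent_of_injury(events).items():
        k, s = factors[attack_type]
        unsafety = belief_assignment(x, k, s)
        components.append((unsafety, 1.0 - unsafety))
    if not components:
        return 0.0, 1.0
    return reduce(combine_pair, components)


if __name__ == "__main__":
    print(extent_of_injury(EVENTS))                    # RPC: 12, TCP: 9
    print(round(belief_assignment(12, -1.0, 1.5), 4))  # 0.9735
    print(round(belief_assignment(9, -3.5, 4.0), 4))   # 0.9525
    print(evaluate(EVENTS, FACTORS))                   # (~0.99864, ~0.00136)
```

Note that f_i(0) = 0.5 for any k_i and s_i, so an attack type with zero accumulated risk still contributes a neutral, not a "safe", evidence component; this is why evaluate() only folds in the types that actually occurred.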
$$f_i(x) = \left(2\arctan(x)/\pi - e^{k_i - x}\cdot x^{s_i}\right)/2 + 0.5;$$
where i represents the type identifier of the attack activity, the independent variable x is the extent-of-injury value of the event set, $k_i$ and $s_i$ are the preset modifying factors for the attack activity identified by i, and $e^{k_i - x}\cdot x^{s_i}$ is the correction function for the attack activity identified by i.
Specifically, the first confidence level obtaining unit 04 can obtain the confidence level that the network is in an unsafe state in the preset time period by bringing the confidence level of each event set, as an evidence component, into the following formula:
$$(m_1 \oplus m_2 \oplus \cdots \oplus m_n)(N) = \frac{m_1(N) \cdot m_2(N) \cdots m_n(N)}{1 - \big(m_1(N) \cdot m_2(Y) \cdots m_n(Y) + m_1(Y) \cdot m_2(N) \cdot m_3(Y) \cdots m_n(Y) + \cdots + m_1(Y) \cdot m_2(Y) \cdots m_n(N)\big)}$$
where m is the function that obtains the confidence level that an event set makes the network be in an unsafe state; $m_i(N)$ is the confidence level that the attack activity identified by i makes the network be in an unsafe state, for i = 1, 2, 3, ..., n; $m_i(Y)$ is the confidence level that the network is in a safe state under the attack activity identified by i, with $m_i(Y) = 1 - m_i(N)$; and $(m_1 \oplus m_2 \oplus \cdots \oplus m_n)(N)$ is the confidence level that the network is in an unsafe state in the preset time period.
As shown in Fig. 5, the system can further comprise a second confidence level obtaining unit 05;
the second confidence level obtaining unit 05 is used to take the confidence value of each event set obtained by the evidence component obtaining unit 03 as an evidence component and, using the composition rule of evidence theory, combine the evidence components to obtain the confidence level that the network is in a safe state in the preset time period.
Specifically, the second confidence level obtaining unit 05 can obtain the confidence level that the network is in a safe state in the preset time period by bringing the confidence level of each event set, as an evidence component, into the following formula:
$$(m_1 \oplus m_2 \oplus \cdots \oplus m_n)(Y) = \frac{m_1(Y) \cdot m_2(Y) \cdots m_n(Y)}{1 - \big(m_1(Y) \cdot m_2(N) \cdots m_n(N) + m_1(N) \cdot m_2(Y) \cdot m_3(N) \cdots m_n(N) + \cdots + m_1(N) \cdot m_2(N) \cdots m_n(Y)\big)}$$
where $(m_1 \oplus m_2 \oplus \cdots \oplus m_n)(Y)$ is the confidence level that the network is in a safe state in the preset time period.
For convenience of description, the above system is described as divided into various units by function. Of course, when implementing the present invention, the functions of the units can be realized in the same piece, or in several pieces, of software and/or hardware.
The embodiments in this specification are described in a progressive manner; for identical or similar parts among the embodiments, reference may be made between them, and each embodiment focuses on what differs from the others. In particular, since the system embodiment is basically similar to the method embodiment, it is described more simply, and for related parts reference may be made to the explanation of the method embodiment. The system embodiment described above is only schematic: the units described as separate components may or may not be physically separate, and the components shown as units may or may not be physical units, i.e. they may be located in one place or distributed over a plurality of network elements. Some or all of the modules may be selected according to actual needs to achieve the purpose of the scheme of this embodiment. Those of ordinary skill in the art can understand and implement this without creative effort.
The above are only specific embodiments of the present invention; it should be pointed out that those skilled in the art can also make improvements and modifications without departing from the principle of the invention, and these improvements and modifications should also be considered within the protection scope of the present invention.

Claims (10)

1. A network security situation evaluation method, characterized in that it comprises:
classifying all security events in a preset time period according to attack type, forming at least one event set;
accumulating, for each event set respectively, the attack risk grades of the security events in that set, and defining the accumulated value as the extent-of-injury value of that event set;
bringing the extent-of-injury value of each event set, as the independent variable, into the empirical function fi() corresponding to that event set, obtaining the confidence value that each event set makes the network be in an unsafe state; wherein the empirical function is a function, designed according to the concrete network application environment and satisfying the application conditions of the composition rule of evidence theory, that maps the extent-of-injury value into the interval [0,1], the empirical function being a belief assignment function;
taking the confidence value of each event set as an evidence component and, using the composition rule of evidence theory, combining the evidence components to obtain the confidence level that the network is in an unsafe state in the preset time period.
2. The method according to claim 1, characterized in that the belief assignment function is:
$$f_i(x) = \left(2\arctan(x)/\pi - e^{k_i - x}\cdot x^{s_i}\right)/2 + 0.5;$$
where i represents the type identifier of the attack activity, the independent variable x is the extent-of-injury value of the event set, $k_i$ and $s_i$ are the preset modifying factors for the attack activity identified by i, and $e^{k_i - x}\cdot x^{s_i}$ is the correction function for the attack activity identified by i.
3. The method according to claim 1, characterized in that using the composition rule of evidence theory to combine the evidence components and obtain the confidence level that the network is in an unsafe state in the preset time period comprises:
bringing the confidence level of each event set, as an evidence component, into the following formula to obtain the confidence level that the network is in an unsafe state in the preset time period:
$$(m_1 \oplus m_2 \oplus \cdots \oplus m_n)(N) = \frac{m_1(N) \cdot m_2(N) \cdots m_n(N)}{1 - \big(m_1(N) \cdot m_2(Y) \cdots m_n(Y) + m_1(Y) \cdot m_2(N) \cdot m_3(Y) \cdots m_n(Y) + \cdots + m_1(Y) \cdot m_2(Y) \cdots m_n(N)\big)}$$
where m is the function that obtains the confidence level that an event set makes the network be in an unsafe state; $m_i(N)$ is the confidence level that the attack activity identified by i makes the network be in an unsafe state, for i = 1, 2, 3, ..., n; $m_i(Y)$ is the confidence level that the network is in a safe state under the attack activity identified by i, with $m_i(Y) = 1 - m_i(N)$; and $(m_1 \oplus m_2 \oplus \cdots \oplus m_n)(N)$ is the confidence level that the network is in an unsafe state in the preset time period.
4. The method according to claim 3, characterized in that the method further comprises: using the composition rule of evidence theory, combining the evidence components to obtain the confidence level that the network is in a safe state in the preset time period.
5. The method according to claim 4, characterized in that using the composition rule of evidence theory to combine the evidence components and obtain the confidence level that the network is in a safe state in the preset time period comprises:
bringing the confidence level of each event set, as an evidence component, into the following formula to obtain the confidence level that the network is in a safe state in the preset time period:
$$(m_1 \oplus m_2 \oplus \cdots \oplus m_n)(Y) = \frac{m_1(Y) \cdot m_2(Y) \cdots m_n(Y)}{1 - \big(m_1(Y) \cdot m_2(N) \cdots m_n(N) + m_1(N) \cdot m_2(Y) \cdot m_3(N) \cdots m_n(N) + \cdots + m_1(N) \cdot m_2(N) \cdots m_n(Y)\big)}$$
where $(m_1 \oplus m_2 \oplus \cdots \oplus m_n)(Y)$ is the confidence level that the network is in a safe state in the preset time period.
6. A network security situation assessment system, characterized in that it comprises:
an attack classification unit, used to classify all security events in a preset time period according to attack type, forming at least one event set;
a risk accumulation unit, used to accumulate, for each event set formed by the attack classification unit, the attack risk grades of the security events in that set, and to define the accumulated value as the extent-of-injury value of that event set;
an evidence component obtaining unit, used to bring the extent-of-injury value of each event set obtained by the risk accumulation unit, as the independent variable, into the empirical function fi() corresponding to that event set, obtaining the confidence value that each event set makes the network be in an unsafe state; wherein the empirical function is a function, designed according to the concrete network application environment and the conditions for applying the composition rule of evidence theory, that maps the extent-of-injury value into the interval [0,1], the empirical function being a belief assignment function;
a first confidence level obtaining unit, used to take the confidence value of each event set obtained by the evidence component obtaining unit as an evidence component and, using the composition rule of evidence theory, combine the evidence components to obtain the confidence level that the network is in an unsafe state in the preset time period.
7. The system according to claim 6, characterized in that the belief assignment function is:
$$f_i(x) = \left(2\arctan(x)/\pi - e^{k_i - x}\cdot x^{s_i}\right)/2 + 0.5;$$
where i represents the type identifier of the attack activity, the independent variable x is the extent-of-injury value of the event set, $k_i$ and $s_i$ are the preset modifying factors for the attack activity identified by i, and $e^{k_i - x}\cdot x^{s_i}$ is the correction function for the attack activity identified by i.
8. The system according to claim 6, characterized in that the first confidence level obtaining unit brings the confidence level of each event set, as an evidence component, into the following formula to obtain the confidence level that the network is in an unsafe state in the preset time period:
$$(m_1 \oplus m_2 \oplus \cdots \oplus m_n)(N) = \frac{m_1(N) \cdot m_2(N) \cdots m_n(N)}{1 - \big(m_1(N) \cdot m_2(Y) \cdots m_n(Y) + m_1(Y) \cdot m_2(N) \cdot m_3(Y) \cdots m_n(Y) + \cdots + m_1(Y) \cdot m_2(Y) \cdots m_n(N)\big)}$$
where m is the function that obtains the confidence level that an event set makes the network be in an unsafe state; $m_i(N)$ is the confidence level that the attack activity identified by i makes the network be in an unsafe state, for i = 1, 2, 3, ..., n; $m_i(Y)$ is the confidence level that the network is in a safe state under the attack activity identified by i, with $m_i(Y) = 1 - m_i(N)$; and $(m_1 \oplus m_2 \oplus \cdots \oplus m_n)(N)$ is the confidence level that the network is in an unsafe state in the preset time period.
9. The system according to claim 8, characterized in that the system further comprises: a second confidence level obtaining unit;
the second confidence level obtaining unit is used to take the confidence value of each event set obtained by the evidence component obtaining unit as an evidence component and, using the composition rule of evidence theory, combine the evidence components to obtain the confidence level that the network is in a safe state in the preset time period.
10. The system according to claim 9, characterized in that the second confidence level obtaining unit brings the confidence level of each event set, as an evidence component, into the following formula to obtain the confidence level that the network is in a safe state in the preset time period:
$$(m_1 \oplus m_2 \oplus \cdots \oplus m_n)(Y) = \frac{m_1(Y) \cdot m_2(Y) \cdots m_n(Y)}{1 - \big(m_1(Y) \cdot m_2(N) \cdots m_n(N) + m_1(N) \cdot m_2(Y) \cdot m_3(N) \cdots m_n(N) + \cdots + m_1(N) \cdot m_2(N) \cdots m_n(Y)\big)}$$
where $(m_1 \oplus m_2 \oplus \cdots \oplus m_n)(Y)$ is the confidence level that the network is in a safe state in the preset time period.
CN 201010292870 2010-09-27 2010-09-27 Network security situation evaluation method and system Expired - Fee Related CN101951329B (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN 201010292870 CN101951329B (en) 2010-09-27 2010-09-27 Network security situation evaluation method and system

Publications (2)

Publication Number Publication Date
CN101951329A CN101951329A (en) 2011-01-19
CN101951329B true CN101951329B (en) 2013-01-16

Family

ID=43454692

Family Applications (1)

Application Number Title Priority Date Filing Date
CN 201010292870 Expired - Fee Related CN101951329B (en) 2010-09-27 2010-09-27 Network security situation evaluation method and system

Country Status (1)

Country Link
CN (1) CN101951329B (en)

Families Citing this family (12)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN102915420A (en) * 2011-08-03 2013-02-06 西安秦码软件科技有限公司 Synergetic security audit and situation evaluation system based on dynamic audit domain models
CN103905440B (en) * 2014-03-28 2017-02-22 哈尔滨工程大学 Network security situation awareness analysis method based on log and SNMP information fusion
CN104023010A (en) * 2014-05-31 2014-09-03 郑林 Autonomous cognitive method for network security
CN104270372B (en) * 2014-10-11 2017-07-14 国家电网公司 A kind of network safety situation quantitative estimation method of parameter adaptive
CN105471623A (en) * 2015-11-16 2016-04-06 中国烟草总公司江苏省公司 Key IP address safety alarm association analysis method based on fuzzy scene
CN105704119B (en) * 2015-12-31 2018-10-09 北京神州绿盟信息安全科技股份有限公司 A kind of method and device of determining network safety situation distribution
CN107122869A (en) * 2017-05-11 2017-09-01 中国人民解放军装备学院 The analysis method and device of Network Situation
CN109495424B (en) * 2017-09-11 2021-12-31 东软集团股份有限公司 Method and device for detecting intrusion flow
CN108040062B (en) * 2017-12-19 2020-10-13 湖北工业大学 Network security situation assessment method based on evidence reasoning rule
CN110677400B (en) * 2019-09-20 2020-09-29 武汉思普崚技术有限公司 Attack exposure surface analysis method and system for host and service in local area network environment
CN113098827B (en) * 2019-12-23 2023-06-16 中国移动通信集团辽宁有限公司 Network security early warning method and device based on situation awareness
CN117375982B (en) * 2023-11-07 2024-03-15 广州融服信息技术有限公司 Network situation safety monitoring system

Citations (3)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN1398481A (en) * 2000-02-08 2003-02-19 哈里公司 System and method for assessing security vulnerability of network
CN101547129A (en) * 2009-05-05 2009-09-30 中国科学院计算技术研究所 Method and system for detecting distributed denial of service attack
CN101719824A (en) * 2009-11-24 2010-06-02 北京信息科技大学 Network behavior detection-based trust evaluation system and network behavior detection-based trust evaluation method

Also Published As

Publication number Publication date
CN101951329A (en) 2011-01-19

Legal Events

Date Code Title Description
C06 Publication
PB01 Publication
C10 Entry into substantive examination
SE01 Entry into force of request for substantive examination
C14 Grant of patent or utility model
GR01 Patent grant
CF01 Termination of patent right due to non-payment of annual fee

Granted publication date: 20130116

Termination date: 20140927

EXPY Termination of patent right or utility model