CN108040062B - Network security situation assessment method based on evidence reasoning rule - Google Patents


Info

Publication number
CN108040062B
Authority
CN
China
Prior art keywords
network
network security
security situation
evaluation
evidence
Prior art date
Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
Active
Application number
CN201711379085.9A
Other languages
Chinese (zh)
Other versions
CN108040062A (en)
Inventor
钮焱
李军
童坤
程珊
刘宇强
李星
Current Assignee (The listed assignees may be inaccurate. Google has not performed a legal analysis and makes no representation or warranty as to the accuracy of the list.)
Hubei University of Technology
Original Assignee
Hubei University of Technology
Application filed by Hubei University of Technology
Priority to CN201711379085.9A
Publication of CN108040062A
Application granted
Publication of CN108040062B

Classifications

    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L63/00 Network architectures or network communication protocols for network security
    • H04L63/20 Network architectures or network communication protocols for network security for managing network security; network security policies in general
    • H04L63/205 Network architectures or network communication protocols for network security for managing network security; network security policies in general involving negotiation or determination of the one or more network security mechanisms to be used, e.g. by negotiation between the client and the server or between peers or by selection according to the capabilities of the entities involved

Abstract

The invention discloses a network security situation assessment method based on evidence reasoning rules. The method comprises: determining the basic structure of the network security situation assessment; collecting and preprocessing network data; determining the evaluation rule for the network situation; extracting the features of the network data and calculating the degree of trust of the basic attributes; calculating the final degree of trust of the generalized attributes; and calculating the network security situation. The invention divides network behavior into normal behavior and attack behavior, analyzes the security situation of the network through changes in network resources such as traffic, memory, CPU and disk, and evaluates the security level of the network through the security factors and the evidence reasoning rule. The resulting security situation is also analyzed quantitatively, so that changes in the security situation value of the network reflect changes in its security condition. The experimental results show that the method is effective and feasible and evaluates the situation well.

Description

Network security situation assessment method based on evidence reasoning rule
Technical Field
The invention belongs to the technical field of information security, relates to a network security situation assessment method, and particularly relates to a network security situation assessment method based on evidence reasoning rules.
Background
Network security situation awareness is a novel network security technology that evaluates the network security situation in real time at the macroscopic level, predicts how the situation will develop, and gives administrators a basis for decision analysis. Situation assessment is its core part: it reflects the overall security condition of the network by comprehensively analyzing security factors from various aspects of the network. Tim Bass first introduced situation awareness into the field of network security, after which many scholars carried out a series of studies on the network security situation problem.
Frigiult, Wenchui et al. use Bayesian networks for network security situation assessment. Xielixia et al. designed a network security situation assessment method based on a BP neural network and a situation prediction method based on an RBF neural network. Barford et al. propose a method for network security situation assessment using honeynets. Chenxiu Zhen et al. put forward a hierarchical evaluation method in which the host, service and system levels are calculated in turn to obtain a three-level security threat situation. Liu Lei et al. apply the fuzzy analytic hierarchy process to network-service-level security situation assessment, filling the gap in assessment at that level.
In the research above, the prior probabilities of a Bayesian network are difficult to obtain; the hierarchical structure model and pairwise comparison matrix of the analytic hierarchy process are mostly determined by experience and are highly subjective; and neural networks require a large amount of computation and a long time, which makes real-time evaluation difficult. The evidence reasoning rule is one of the common methods in evaluation: it can process uncertain and fuzzy information, does not need to be trained on a large number of samples, and computes quickly.
Disclosure of Invention
In order to solve the problem that the threat of a normal behavior peak value to a network is neglected in the traditional method, the invention provides the network security situation assessment method based on the evidence reasoning rule, which accurately reflects the network security situation and has good use value.
The technical scheme adopted by the invention is as follows: a network security situation assessment method based on evidence reasoning rules is characterized by comprising the following steps:
Step 1: determining the basic structure of the network security situation assessment;
Step 2: collecting and preprocessing network data;
Step 3: determining the evaluation rule for the network situation;
Step 4: extracting the features of the network data and calculating the degree of trust of the basic attributes;
Step 5: calculating the final degree of trust of the generalized attributes;
Step 6: calculating the network security situation.
The invention divides network behavior into normal behavior and attack behavior, analyzes the security situation of the network through changes in network resources such as traffic, memory, CPU and disk, and evaluates the security level of the network through the security factors and the evidence reasoning rule. The resulting security situation is also analyzed quantitatively, so that changes in the security situation value of the network reflect changes in its security condition. The experimental results show that the method is effective and feasible and evaluates the situation well.
Drawings
FIG. 1 is a schematic flow diagram of an embodiment of the present invention;
FIG. 2 is a diagram of a network security situation in which the four time periods total 2000s in duration for an embodiment of the present invention;
FIG. 3 is a comparison graph of CPU utilization for different behaviors in accordance with an embodiment of the present invention;
FIG. 4 is a comparison graph of memory utilization for different behaviors according to an embodiment of the present invention.
Detailed Description
To help those of ordinary skill in the art understand and implement the present invention, it is described in further detail below with reference to the accompanying drawings and examples. The embodiments described here are merely illustrative and explanatory of the present invention and do not restrict it.
In this embodiment, after the existing methods are comprehensively compared, the evidence reasoning rule is selected for evaluation. Existing evaluation methods mainly analyze and use security events caused by attacks and do not sufficiently investigate the threat posed by normal behavior peaks. The invention therefore comprehensively analyzes both normal behavior and attack behavior in the network environment in order to evaluate the network security situation.
Referring to FIG. 1, the network security situation assessment method based on evidence reasoning rules provided by the present invention includes the following steps:
Step 1: determining the basic structure of the network security situation assessment;
The invention considers the network security situation in terms of normal behavior and attack behavior. Changes in network resources can reflect changes in the network security situation. CPU and memory are important resources in the network; when the network is not used or is attacked, these two resources may be exhausted, degrading the performance of the network or even bringing it down. Different behaviors also cause changes in disk resources, and network behaviors are hidden in the traffic. The invention therefore selects traffic, CPU utilization, memory consumption and disk consumption as the security factors for evaluating the network security situation.
Step 2: collecting and preprocessing network data;
The specific implementation comprises the following substeps:
Step 2.1: constructing a network and simulating normal behavior and attack behavior;
Normal behavior is simulated by browsing web pages, playing video and downloading files from the Internet through a server;
Attack behavior is simulated by using LOIC to perform an HTTP-based DDoS attack that generates abnormal traffic;
Step 2.2: the four behaviors (web browsing, video playing, file downloading and network attack) are each simulated continuously for N seconds, where N is a preset threshold value, 500 in this embodiment; the traffic, CPU, memory and disk data consumed by the four events are collected respectively;
Step 2.3: normalizing all data;
Let $e_1$ denote normal behavior and $e_2$ denote attack behavior; $e_{11}, e_{12}, e_{13}, e_{14}$ respectively denote the traffic, CPU, memory and disk data consumed by normal behavior; $e_{21}, e_{22}, e_{23}, e_{24}$ respectively denote the traffic, CPU, memory and disk data consumed by attack behavior;
The preprocessed data is $\{e_1\{e_{11}, e_{12}, e_{13}, e_{14}\},\ e_2\{e_{21}, e_{22}, e_{23}, e_{24}\}\}$;
Step 3: determining the evaluation rule for the network situation;
The evaluation levels are set to {$G_1$: no risk, $G_2$: low risk, $G_3$: normal range, $G_4$: high risk}. Let $g_{11}, g_{12}, g_{13}, g_{14}$ respectively denote the number of times the traffic, CPU, memory and disk data consumed by normal behavior exceed the threshold, and $g_{21}, g_{22}, g_{23}, g_{24}$ respectively denote the number of times the traffic, CPU, memory and disk data consumed by attack behavior exceed the threshold;
The evaluation rule is:
When $g_{ij} \le F1$ (a predetermined threshold), the evaluation level is set to no risk, denoted $g_{ij}^{1}$; when $F1 < g_{ij} \le F2$, the evaluation level is set to low risk, denoted $g_{ij}^{2}$; when $F2 < g_{ij} \le F3$, the evaluation level is set to normal range, denoted $g_{ij}^{3}$; when $F3 < g_{ij} \le F4$, the evaluation level is set to high risk, denoted $g_{ij}^{4}$. Here F1 to F4 are predetermined thresholds, $i$ takes the values 1, 2 and $j$ takes the values 1, 2, 3, 4.
In this embodiment, the evaluation rule may be established from the evaluation grades, as shown in Table 1 below:
Table 1
Figure GDA0002627315680000041
Taking $e_{11}$ as an example: at evaluation level $G_1$ (no risk), the memory values of normal behavior and attack behavior do not exceed the threshold within 500 seconds; at $G_2$ (low risk), the memory values of normal behavior and attack behavior exceed the threshold 5 times within 500 seconds; at $G_3$ (normal range), they exceed the threshold 12 times within 500 seconds; at $G_4$ (high risk, the highest risk), they exceed the threshold 119 times within 500 seconds.
Step 4: extracting the features of the network data and calculating the degree of trust of the basic attributes;
The degree of trust of a basic attribute is given by:
Figure GDA0002627315680000051
Figure GDA0002627315680000052
Figure GDA0002627315680000053
where $V(e_i)$ denotes the evidence, i.e. the degree to which the data support the decision, and is the sequence value of basic attribute $e_i$; here $V(e_i)$ is the counted number of times basic attribute $e_i$ exceeds the threshold, and $e_i$ is the network node resource value of the corresponding behavior;
Figure GDA0002627315680000054
denotes the agreed threshold of basic attribute $e_i$;
Figure GDA0002627315680000055
denotes the degree of trust that basic attribute $e_i$ is evaluated as grade $G_j$; M represents the number of evaluation grades, 4; $i$ takes the values 1, 2 and $j$ takes the value 1.
Step 5: calculating the final degree of trust of the generalized attributes;
The specific implementation comprises the following substeps:
Step 5.1: determining the weight of each basic attribute;
The basic attributes set by claim 3 are traffic, CPU, memory and disk. The security condition of the network has a large influence on memory consumption, CPU utilization and traffic, and a small influence on disk consumption, so the weights of $e_{11}, e_{12}, e_{13}, e_{14}$ are set to $\{\omega_{11}=0.3,\ \omega_{12}=0.3,\ \omega_{13}=0.3,\ \omega_{14}=0.1\}$ and the weights of $e_{21}, e_{22}, e_{23}, e_{24}$ are set to $\{\omega_{21}=0.3,\ \omega_{22}=0.3,\ \omega_{23}=0.3,\ \omega_{24}=0.1\}$. Attack behavior is much more harmful to the network environment than normal behavior, so the weights of the sequence values of $e_1, e_2$ are set to $\{\omega_1=0.2,\ \omega_2=0.8\}$;
Step 5.2: calculating the probability assignment function of the basic attributes;
The probability assignment function is calculated from the degree of trust of the basic attributes obtained in step 4, using the following formula:
Figure GDA0002627315680000061
where
Figure GDA0002627315680000062
denotes the degree of trust that basic attribute $e_i$ is evaluated as grade $G_j$; the basic probability assignment function
Figure GDA0002627315680000063
represents the support of basic attribute $e_i$ for the generalized attribute T, i.e. the degree of support for the attribute being evaluated as grade $G_j$;
Step 5.3: aggregating the evidence $\{e_{11}, e_{12}, e_{13}, e_{14}\}$ to obtain the behavior confidence; the evidence is the degree to which the data support the decision and is the sequence value of $\{e_{11}, e_{12}, e_{13}, e_{14}\}$;
The aggregation is carried out using the following formula:
Figure GDA0002627315680000064
where M represents the number of evaluation levels, 4;
Figure GDA0002627315680000065
represents the comprehensive probability assignment function, which gives the comprehensive support of the first $i$ basic attributes, i.e. the degree of support for the attribute being evaluated as grade $G_k$; $I(i+1)$ denotes the aggregation of $i+1$ basic attributes; $K_{I(i+1)}$ is the normalization factor, which reflects the degree of conflict among the pieces of evidence, that is, the degree to which the attributes do not simultaneously support a given evaluation level.
Step 6: calculating the network security situation;
The network security situation can be calculated by the following formula:
Figure GDA0002627315680000066
where $\beta_j$ is the behavior confidence calculated in step 5.3;
Figure GDA0002627315680000067
denotes the empirical threshold of the network security situation for evaluation grade $G_j$ in the current time period, given by the network management system according to historical experience values; $t$ denotes the time period of the current network situation. In this embodiment:
Figure GDA0002627315680000068
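Steps 5.2, 5.3 and 6 as an added Python example; it is not code from the patent. The patent's formulas are images that did not survive on this page, so the code assumes the standard recursive evidential reasoning algorithm, whose normalization factor K = 1/(1 - conflict) is never below 1, and a belief-weighted sum for step 6. The weights come from step 5.1; the belief rows, the per-grade scores and all function names are constructed for illustration.

```python
"""Two-layer evidential reasoning (ER) aggregation, added for illustration.

Not the patent's code: it assumes the standard recursive ER algorithm.
Belief rows and grade scores are constructed sample values.
"""

GRADES = ("no risk", "low risk", "normal range", "high risk")
ATTR_WEIGHTS = (0.3, 0.3, 0.3, 0.1)   # step 5.1 weights, from the page
BEHAVIOR_WEIGHTS = (0.2, 0.8)         # normal vs. attack, from the page
GRADE_SCORES = (0.0, 0.25, 0.5, 1.0)  # constructed per-grade scores (assumption)


def to_masses(beliefs, weight):
    """Step 5.2: basic probability masses m_j = weight * belief_j.

    Returns (m, h_bar, h_tilde). h_bar = 1 - weight is the mass left
    unassigned because of the weight; h_tilde is the mass left unassigned
    because the beliefs themselves do not sum to 1.
    """
    total = sum(beliefs)
    if min(beliefs) < 0 or total > 1 + 1e-9 or not 0 <= weight <= 1:
        raise ValueError("beliefs must be >= 0 and sum to <= 1; weight in [0, 1]")
    h_tilde = weight * max(0.0, 1.0 - total)
    return [weight * b for b in beliefs], 1.0 - weight, h_tilde


def combine(a, b):
    """Step 5.3: fold one more piece of evidence into the running aggregate."""
    (ma, hba, hta), (mb, hbb, htb) = a, b
    ha, hb = hba + hta, hbb + htb
    # Conflict: mass the two sources place on different grades.
    conflict = sum(x * y for i, x in enumerate(ma)
                   for j, y in enumerate(mb) if i != j)
    if conflict >= 1.0:
        raise ValueError("sources are in total conflict")
    k = 1.0 / (1.0 - conflict)  # normalization factor K, never below 1
    m = [k * (x * y + x * hb + ha * y) for x, y in zip(ma, mb)]
    h_bar = k * hba * hbb
    h_tilde = k * (hta * htb + hba * htb + hta * hbb)
    return (m, h_bar, h_tilde), k


def aggregate(belief_rows, weights):
    """Aggregate weighted belief rows over GRADES.

    Returns (beliefs, unassigned, k_factors); beliefs + unassigned sum to 1.
    """
    if len(belief_rows) != len(weights) or abs(sum(weights) - 1.0) > 1e-9:
        raise ValueError("need one weight per row, and weights summing to 1")
    pieces = [to_masses(row, w) for row, w in zip(belief_rows, weights)]
    acc, k_factors = pieces[0], []
    for piece in pieces[1:]:
        acc, k = combine(acc, piece)
        k_factors.append(k)
    m, h_bar, h_tilde = acc
    scale = 1.0 - h_bar  # remove the part of the residue caused by weights
    return [x / scale for x in m], h_tilde / scale, k_factors


def situation_value(beliefs, grade_scores=GRADE_SCORES):
    """Step 6, assumed form: belief-weighted sum of per-grade scores."""
    return sum(b * s for b, s in zip(beliefs, grade_scores))


def assess(normal_rows, attack_rows):
    """Bottom layer per behavior, then the two behaviors into T."""
    normal, _, _ = aggregate(normal_rows, ATTR_WEIGHTS)
    attack, _, _ = aggregate(attack_rows, ATTR_WEIGHTS)
    total, _, _ = aggregate([normal, attack], BEHAVIOR_WEIGHTS)
    return total, situation_value(total)


# Constructed sample beliefs: one row per attribute, columns follow GRADES.
NORMAL_ROWS = [(0.0, 1.0, 0.0, 0.0), (0.0, 0.0, 0.0, 1.0),
               (0.8, 0.2, 0.0, 0.0), (1.0, 0.0, 0.0, 0.0)]
ATTACK_ROWS = [(0.0, 0.0, 0.7, 0.3), (0.0, 0.0, 0.1, 0.9),
               (0.0, 0.0, 0.5, 0.5), (0.0, 0.6, 0.4, 0.0)]

if __name__ == "__main__":
    beliefs, value = assess(NORMAL_ROWS, ATTACK_ROWS)
    for grade, belief in zip(GRADES, beliefs):
        print(f"{grade:>12}: {belief:.4f}")
    print(f"situation value: {value:.4f}")
```

Two sources that disagree completely (one on "no risk", one on "high risk") give K of about 1.19, and the 0.8-weighted source ends up with about 94% of the belief, which is how the attack branch dominates the final assessment.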
The effects of the present invention are further illustrated by the following comparative experiments.
1. Simulation conditions
A network is constructed to simulate normal behavior and attack behavior. Web browsing, video playing and file downloading from the Internet are performed through a server; in addition, an HTTP-based DDoS attack is performed using LOIC to generate abnormal traffic. Each behavior is continued for 500 seconds. The data for the four network resource indexes (traffic, CPU, memory and disk) consumed by the four behaviors are collected through the data collector in the performance monitor of the server.
2. Experimental content and results
The network security situation over the four time periods, with a total duration of 2000 s, is shown in FIG. 2, where the x axis is time and the y axis is the network security situation value; a higher value indicates a more serious network security risk at that moment. The CPU utilization and memory consumption for the different behaviors are shown in FIG. 3 and FIG. 4, where the x axis is time and the y axis is the CPU utilization and the memory consumption, respectively.
The network security situation value is calculated as follows.
Assume that the network may be in an unsafe condition when the memory, traffic, CPU and disk values are 0.3; the thresholds are therefore all set to 0.3. The network at the time of 1800 seconds is randomly selected as an example for evaluating the situation, i.e. the data for 1301 s to 1800 s are collected. In the collected data they take the form $\{e_1\{e_{11}=5,\ e_{12}=201,\ e_{13}=1,\ e_{14}=0\},\ e_2\{e_{21}=32,\ e_{22}=103,\ e_{23}=59,\ e_{24}=7\}\}$. This means that, within the 500 seconds, the memory value of normal behavior exceeds the threshold 5 times, the traffic value 201 times, the CPU value 1 time and the disk value 0 times; the memory value of attack behavior exceeds the threshold 32 times, the traffic value 103 times, the CPU value 59 times and the disk value 7 times.
(1) Evaluating normal behavior $e_1$
To obtain the evaluation result of normal behavior $e_1$, the bottom-layer evidence $\{e_{11}=5,\ e_{12}=201,\ e_{13}=1,\ e_{14}=0\}$ is aggregated using the ER rule. First, the degrees of trust of $e_{11}$, $e_{12}$, $e_{13}$ and $e_{14}$ are calculated according to the evaluation rules and formulas, as shown in Table 2.
Table 2: Degrees of trust of $e_{11}$, $e_{12}$, $e_{13}$ and $e_{14}$
Figure GDA0002627315680000071
Figure GDA0002627315680000081
According to the relevant data, the security status of the network has a large influence on memory, CPU and traffic and a small influence on disk, so the weights of the evidence $e_{11}$, $e_{12}$, $e_{13}$ and $e_{14}$ are set to $\{\omega_{11}=0.3,\ \omega_{12}=0.3,\ \omega_{13}=0.3,\ \omega_{14}=0.1\}$. Similarly, the weights of memory, traffic, CPU and disk under attack behavior are $\{\omega_{21}=0.3,\ \omega_{22}=0.3,\ \omega_{23}=0.3,\ \omega_{24}=0.1\}$.
The basic probability assignment function is then calculated, as shown in Table 3.
Table 3: Basic probability assignment functions of $e_{11}$, $e_{12}$, $e_{13}$ and $e_{14}$
Figure GDA0002627315680000082
Second, the ER rule is used to aggregate the bottom-layer evidence $\{e_{11}=5,\ e_{12}=201,\ e_{13}=1,\ e_{14}=0\}$. The specific process is as follows:
First, aggregate the bottom-layer evidence $\{e_{11}, e_{12}\}$.
Calculate $K_{I(12)}$:
Figure GDA0002627315680000083
Figure GDA0002627315680000091
The basic probability assignment function of the aggregated evidence $\{e_{11}, e_{12}\}$ is calculated using the formula:
Figure GDA0002627315680000092
Figure GDA0002627315680000093
Figure GDA0002627315680000094
Figure GDA0002627315680000095
The above assignment function represents the degree of importance of the aggregated evidence $\{e_{11}, e_{12}\}$ in the decision.
Second, aggregate $\{e_{11}, e_{12}\}$ and $\{e_{13}\}$.
Calculate $K_{I(13)}$:
Figure GDA0002627315680000096
The basic probability assignment function of the aggregated evidence $\{e_{11}, e_{12}\}$ and $\{e_{13}\}$ is calculated using the formula:
Figure GDA0002627315680000097
Figure GDA0002627315680000098
Figure GDA0002627315680000099
Figure GDA00026273156800000910
The above assignment function represents the degree of importance of the aggregated evidence $\{e_{11}, e_{12}, e_{13}\}$ in the decision.
Third, aggregate $\{e_{11}, e_{12}, e_{13}\}$ and $\{e_{14}\}$.
Calculate $K_{I(14)}$:
$K_{I(14)} = 1.044$
The basic probability assignment function of the aggregated evidence $\{e_{11}, e_{12}, e_{13}\}$ and $\{e_{14}\}$ is calculated:
Figure GDA0002627315680000101
Figure GDA0002627315680000102
Figure GDA0002627315680000103
Figure GDA0002627315680000104
The above assignment function represents the degree of importance in the decision of the evidence aggregated from the bottom layer $\{e_{11}, e_{12}, e_{13}, e_{14}\}$.
Finally, the degree of trust of evidence $e_1$ is obtained, as shown in Table 4.
Table 4: Degree of trust of evidence $e_1$
Figure GDA0002627315680000105
(2) Evaluating attack behavior $e_2$
To obtain the evaluation result of attack behavior $e_2$, the bottom-layer evidence $\{e_{21}=32,\ e_{22}=103,\ e_{23}=59,\ e_{24}=7\}$ is aggregated using the ER rule.
First, the degrees of trust of $e_{21}$, $e_{22}$, $e_{23}$ and $e_{24}$ are obtained; the results are shown in Table 5.
Table 5: Degrees of trust of $e_{21}$, $e_{22}$, $e_{23}$ and $e_{24}$
Figure GDA0002627315680000106
Then, the basic probability assignment function is calculated by the formula, and the result is shown in Table 6.
Table 6: Basic probability assignment functions of $e_{21}$, $e_{22}$, $e_{23}$ and $e_{24}$
Figure GDA0002627315680000111
Second, the ER rule is used to aggregate the bottom-layer evidence $\{e_{21}=32,\ e_{22}=103,\ e_{23}=59,\ e_{24}=7\}$.
The bottom-layer basic attributes of attack behavior $e_2$ are the same as those of normal behavior $e_1$, so the calculation process is identical to that for normal behavior and the steps are not listed in detail here. The calculation yields:
$K_{I(24)} = 1.0408$
Figure GDA0002627315680000112
Figure GDA0002627315680000113
Figure GDA0002627315680000114
Figure GDA0002627315680000115
The above assignment function represents the degree of importance in the decision of the evidence aggregated from the bottom layer $\{e_{21}, e_{22}, e_{23}, e_{24}\}$.
Finally, the degree of trust of $e_2$ is obtained; the results are shown in Table 7.
Table 7: Degree of trust of evidence $e_2$
Figure GDA0002627315680000116
(3) Evaluating network security T
Attack behavior is much more harmful to the network environment than normal behavior. The weights of the evidence $e_1, e_2$ are therefore set to $\{\omega_1=0.2,\ \omega_2=0.8\}$. To obtain the evaluation result of the network security T, the basic probability assignment function is calculated first; the result is shown in Table 8.
Table 8: Basic probability assignment functions of $e_1$, $e_2$
Figure GDA0002627315680000121
Then, the ER rule is used to aggregate the second-layer evidence $e_1, e_2$. The process is as follows:
Calculate $K_{I(2)}$:
Figure GDA0002627315680000122
Calculate the basic probability assignment function of the aggregated evidence $\{e_1, e_2\}$:
Figure GDA0002627315680000123
Figure GDA0002627315680000124
Figure GDA0002627315680000125
Figure GDA0002627315680000126
Finally, the confidence level of T is obtained; the results are shown in Table 9.
Table 9: Confidence of the security situation T
Figure GDA0002627315680000131
The evaluation of the network's security situation at this time therefore gives a probability of 0.0186 for the no-risk level, 0.1877 for the low-risk level, 0.6401 for the normal-range level and 0.1536 for the high-risk level.
(4) Calculating the quantitative value of the network security situation:
Figure GDA0002627315680000132
The invention studies the network security situation assessment problem based on the evidence reasoning rule, provides a corresponding assessment model, and verifies it experimentally. The method evaluates the security level of the network through the corresponding security factors and the ER rule, and can obtain a quantitative value of the network's security situation. The experimental results show that the method is effective and feasible, can accurately reflect the current security condition of the network, and has practical application value.
It should be understood that parts of the specification not set forth in detail are well within the prior art.
It should be understood that the above description of the preferred embodiments is given for clarity and not for any purpose of limitation, and that various changes, substitutions and alterations can be made herein without departing from the spirit and scope of the invention as defined by the appended claims.

Claims (6)

1. A network security situation assessment method based on evidence reasoning rules, characterized by comprising the following steps:
Step 1: determining the basic structure of the network security situation assessment;
Step 2: collecting and preprocessing network data;
The specific implementation of step 2 comprises the following substeps:
Step 2.1: constructing a network and simulating normal behavior and attack behavior;
Normal behavior is simulated by browsing web pages, playing video and downloading files from the Internet through a server;
Attack behavior is simulated by using LOIC to perform an HTTP-based DDoS attack that generates abnormal traffic;
Step 2.2: simulating the four behaviors of web browsing, video playing, file downloading and network attack, each continuously for N seconds, where N is a preset threshold value; the traffic, CPU, memory and disk data consumed by the four events are collected respectively;
Step 2.3: normalizing all data;
Let $e_1$ denote normal behavior and $e_2$ denote attack behavior; $e_{11}, e_{12}, e_{13}, e_{14}$ respectively denote the traffic, CPU, memory and disk data consumed by normal behavior; $e_{21}, e_{22}, e_{23}, e_{24}$ respectively denote the traffic, CPU, memory and disk data consumed by attack behavior;
The preprocessed data is $\{e_1\{e_{11}, e_{12}, e_{13}, e_{14}\},\ e_2\{e_{21}, e_{22}, e_{23}, e_{24}\}\}$;
Step 3: determining the evaluation rule for the network situation;
Step 4: extracting the features of the network data and calculating the degree of trust of the basic attributes;
Step 5: calculating the final degree of trust of the generalized attributes;
Step 6: calculating the network security situation.
2. The evidence reasoning rule based network security situation assessment method according to claim 1, wherein: in step 1, the network security situation is evaluated by selecting traffic, CPU utilization, memory consumption and disk consumption as security factors.
3. The evidence reasoning rule based network security situation assessment method according to claim 1, wherein: in step 3, the evaluation levels are set to {$G_1$: no risk, $G_2$: low risk, $G_3$: normal range, $G_4$: high risk}; let $g_{11}, g_{12}, g_{13}, g_{14}$ respectively denote the number of times the traffic, CPU, memory and disk data consumed by normal behavior exceed a threshold, and $g_{21}, g_{22}, g_{23}, g_{24}$ respectively denote the number of times the traffic, CPU, memory and disk data consumed by attack behavior exceed the threshold;
The evaluation rule is:
When $g_{ij} \le F1$ (a predetermined threshold), the evaluation level is set to no risk, denoted $g_{ij}^{1}$; when $F1 < g_{ij} \le F2$, the evaluation level is set to low risk, denoted $g_{ij}^{2}$; when $F2 < g_{ij} \le F3$, the evaluation level is set to normal range, denoted $g_{ij}^{3}$; when $F3 < g_{ij} \le F4$, the evaluation level is set to high risk, denoted $g_{ij}^{4}$. Here F1 to F4 are predetermined thresholds, $i$ takes the values 1, 2 and $j$ takes the values 1, 2, 3, 4.
4. The evidence reasoning rule-based network security situation assessment method according to claim 3, wherein the degree of trust of the basic attribute in step 4 is as follows:
Figure FDA0002627315670000021
Figure FDA0002627315670000022
Figure FDA0002627315670000023
where $V(e_i)$ denotes the evidence, i.e. the degree to which the data support the decision, and is the sequence value of basic attribute $e_i$;
Figure FDA0002627315670000024
denotes the agreed threshold of basic attribute $e_i$;
Figure FDA0002627315670000025
denotes the degree of trust that basic attribute $e_i$ is evaluated as grade $G_j$; M represents the number of evaluation grades, 4; $i$ takes the values 1, 2 and $j$ takes the value 1.
5. The evidence reasoning rule-based network security situation assessment method according to claim 3, wherein the specific implementation of step 5 comprises the following substeps:
Step 5.1: determining the weight of each basic attribute;
The weights of $e_{11}, e_{12}, e_{13}, e_{14}$ are set to $\{\omega_{11}=0.3,\ \omega_{12}=0.3,\ \omega_{13}=0.3,\ \omega_{14}=0.1\}$, the weights of $e_{21}, e_{22}, e_{23}, e_{24}$ are set to $\{\omega_{21}=0.3,\ \omega_{22}=0.3,\ \omega_{23}=0.3,\ \omega_{24}=0.1\}$, and the weights of the sequence values of $e_1, e_2$ are set to $\{\omega_1=0.2,\ \omega_2=0.8\}$;
Step 5.2: calculating the probability assignment function of the basic attributes;
The probability assignment function is calculated from the degree of trust of the basic attributes obtained in step 4, using the following formula:
Figure FDA0002627315670000026
where
Figure FDA0002627315670000031
denotes the degree of trust that basic attribute $e_i$ is evaluated as grade $G_j$; the basic probability assignment function
Figure FDA0002627315670000032
represents the support of basic attribute $e_i$ for the generalized attribute T, i.e. the degree of support for the attribute being evaluated as grade $G_j$;
Step 5.3: aggregating the evidence $\{e_{11}, e_{12}, e_{13}, e_{14}\}$ to obtain the behavior confidence; the evidence is the degree to which the data support the decision and is the sequence value of $\{e_{11}, e_{12}, e_{13}, e_{14}\}$;
The aggregation is carried out using the following formula:
Figure FDA0002627315670000033
where
Figure FDA0002627315670000034
represents the comprehensive probability assignment function, which gives the comprehensive support of the first $i$ basic attributes, i.e. the degree of support for the attribute being evaluated as grade $G_k$; $I(i+1)$ denotes the aggregation of $i+1$ basic attributes; $K_{I(i+1)}$ is the normalization factor, which reflects the degree of conflict among the pieces of evidence, that is, the degree to which the attributes do not simultaneously support a given evaluation grade; M represents the number of evaluation levels, 4.
6. The evidence reasoning rule-based network security situation assessment method according to claim 5, wherein the calculation formula of the network security situation in step 6 is as follows:
Figure FDA0002627315670000035
wherein $\beta_j$ is the behavior confidence calculated in step 5.3,
Figure FDA0002627315670000036
represents the empirical threshold of the network security situation for evaluation grade $G_j$ in the current time period, given by the network management system according to historical experience values; t denotes the time period in which the current network situation lies.
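Steps 5.1 to 5.3 as an added example, not code from the patent: the claim's formulas survive on this page only as figure references, so the sketch assumes the standard recursive evidential reasoning (ER) algorithm of Yang and Xu, which matches the description (weighted basic probability assignment, normalization factor K reflecting conflict). `er_aggregate`, `PAGE_WEIGHTS` and `SAMPLE_BELIEFS` are hypothetical names and the belief rows are constructed; only the weights 0.3/0.3/0.3/0.1 come from step 5.1.

```python
# Added example: recursive evidential reasoning (ER) aggregation.
# Assumption: the standard ER algorithm stands in for the claim's missing formulas.

def er_aggregate(weights, beliefs):
    """Fuse per-attribute belief rows over the evaluation grades.

    weights -- omega_i, must sum to 1
    beliefs -- beliefs[i][j] = trust that attribute e_i is grade G_j
    Returns (belief per grade, unassigned belief, K of each aggregation step).
    """
    if abs(sum(weights) - 1.0) > 1e-9:
        raise ValueError("weights must sum to 1")
    grades = len(beliefs[0])
    m = m_bar = m_tilde = None
    ks = []
    for w, row in zip(weights, beliefs):
        if len(row) != grades or min(row) < 0 or sum(row) > 1 + 1e-9:
            raise ValueError("belief row needs one value in [0, 1] per grade, sum <= 1")
        mass = [w * b for b in row]      # basic probability assignment (step 5.2)
        bar = 1.0 - w                    # left open because the weight is below 1
        tilde = w * (1.0 - sum(row))     # left open because the row is incomplete
        if m is None:
            m, m_bar, m_tilde = mass, bar, tilde
            continue
        h_old, h_new = m_bar + m_tilde, bar + tilde
        # Conflict: mass the two sides place on different grades.
        conflict = sum(m[t] * mass[j]
                       for t in range(grades) for j in range(grades) if j != t)
        k = 1.0 / (1.0 - conflict)       # normalization factor K_{I(i+1)}
        m = [k * (m[n] * mass[n] + h_old * mass[n] + m[n] * h_new)
             for n in range(grades)]
        m_tilde = k * (m_tilde * tilde + m_bar * tilde + m_tilde * bar)
        m_bar = k * m_bar * bar
        ks.append(k)
    scale = 1.0 - m_bar                  # redistribute the weight-induced remainder
    return [x / scale for x in m], m_tilde / scale, ks

PAGE_WEIGHTS = [0.3, 0.3, 0.3, 0.1]      # omega_11..omega_14 from step 5.1
SAMPLE_BELIEFS = [                       # constructed sample over grades G1..G4
    [0.7, 0.2, 0.1, 0.0],                # e11
    [0.6, 0.3, 0.1, 0.0],                # e12
    [0.1, 0.2, 0.5, 0.2],                # e13, disagrees with e11 and e12
    [0.0, 0.1, 0.3, 0.5],                # e14, incomplete row (sums to 0.9)
]

if __name__ == "__main__":
    beta, unassigned, ks = er_aggregate(PAGE_WEIGHTS, SAMPLE_BELIEFS)
    print([round(b, 4) for b in beta], round(unassigned, 4), [round(k, 4) for k in ks])
```

A K value well above 1 at some step means that attribute contradicts what was aggregated before it, which is worth surfacing to the analyst alongside the fused grade.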
CN201711379085.9A 2017-12-19 2017-12-19 Network security situation assessment method based on evidence reasoning rule Active CN108040062B (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN201711379085.9A CN108040062B (en) 2017-12-19 2017-12-19 Network security situation assessment method based on evidence reasoning rule

Publications (2)

Publication Number Publication Date
CN108040062A CN108040062A (en) 2018-05-15
CN108040062B true CN108040062B (en) 2020-10-13

Family

ID=62100145

Country Status (1)

Country Link
CN (1) CN108040062B (en)

Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination
GR01 Patent grant