网络安全风险评估和情况分析

Network Security Risk Assessment and Situation AnalysisLiu Mixi Dˆ Yu Dongmei Zhang Qiuyu Zhu HongleiCollege of Computer and Communication, Lanzhou University of Technology, Lanzhou, China 730050Email: liumx@ABSTRACT˖With the development of computer networks, the spread of malicious network activities poses great risks to the operational integrity of many organizations and imposes heavy economic burdens on life and health. Therefore, risk assessment is very important in network security management and analysis. Network security situation analysis not only can describe the current state but also project the next behavior of the network. Alerts coming from IDS, Firewall, and other security tools are currently growing at a rapid pace. Large organizations are having trouble keeping on top of the current state of their networks. In this paper, we described cyberspace situational awareness from formal and visual methods. Next, to make security administrator comprehend security situation and project the next behaviors of the whole network, we present using parallel axes view to give expression clearly of security events correlations. At last, we concluded that visualization is an important research of risk evaluation and situation analysis of network.KEYWORDS˖security assessment, situational awareness, visualization, correlation1 INTRODUCTIONNetwork security estimation is to detect computer system or network facilities to find security holes and vulnerability possibly imposed by hacker, take measures earlier, and protect network system from threats. The current methods of risk evaluation on information security are basically related to qualitative and quantitative ones. Researches on network security situation have two great classes of based on system deployment and running information according to data resources[1]. The former is about system design, deployment, service and hidden trouble in the system. The latter is about attacks situations on the system mainly from IDS logs database.Security situation estimation work based on system running information is mainly about threat estimation from single event on the system. Bass presented that next generation cyberspace intrusion detection systems will fuse data from heterogeneous distributed network sensors to create cyberspace situational awareness, and multisensor data fusion technology is an important avenue on the road toward the development of highly reliable intrusion detection and security-decision systems that identify, track, and assess cyberspace situations with multiple complex threats[2][3]. But he only offers small steps in the process of setting the engineering requirements to design and develop cyberspace situational awareness systems. Chen Xiuzhen developed a quantitative hierarchical threat evaluation model and computational method based on the structure of the network and the importance of services and hosts to evaluate security threat status of a computer network system[1].Because attacks are dynamic, if analysts can’t absorb and correlate the available data, it is difficult for them to detect sophisticated attacks. Developing tools that increase the situational awareness and understanding of all those responsible for the network’s safe operation can increase a computer network’s overall security. System administrators are typically limited to textual or simple graphical representations of network activity. There is a growing body of research that validates the role of visualization as a means for solving complex data problems. Y arden and Stefano focus on visual correlation of network alerts and situational awareness[4][5]. The National Center for S upercomputing Applications (NCS A) has developed two applications for the detection of network incidents: VisFlowConnect[6] andNVisionIP [7]. They obtain Internet security situation according to visualization of connection analysis and system status.Network is a system; security is a process not a product. So analyzing network risk and estimating situation should be from the system point of view, no more than assess security status depending on certain security tool. For instance, virus scanners target malicious content, vulnerability scanners provide information about opportunities to exploit systems, intrusion detection systems identify suspicious activities, and misuse detectors identify policy violations.2 CYBERSPACE SITUATIONAL A WARENESS DESCRIPTIONSCyberspace situational awareness comes from Air Traffic Control. Currently, there is no uniform and general definition of it. Network situation indicates that the whole network current status and its change trend impacted on some factors of running status of network facilities, network and user behavior, etc. Namely, situation is a status, a trend and a whole notion.2.1 Formal DescriptionSituational awareness was defined by Endsley as “the perception of the elements in the environment with a volume of time and space, the comprehension of their meaning, and the projection of their status in the near future”. The formal definition of security situational assessment breaks down into three separate levels.Level 1 refinement of security situation features: Data resources of refinement come from virus scanner, misuse detector, IDS, and Firewall. We formalize it as an n-tuple [8]:{}n l T T T T T S ,,,,,4321⋅⋅⋅= (1)where,l S is information vector of t period. j T is feature information from various security tools, such as alerts, logs, and audit data. Information vectors obtained from continuous security tools consist of situation space. The process of refinement of security situation features is the process of refine feature vector i V , namely, a few alert types are refined from large amount of security events.Level 2 comprehension of current situation: Explain and estimate current security status of network according to i V made from level 1, and form alert track A. A is revised depended on continuous reached feature vector.The whole network situation space {}⋅⋅⋅=,,,,D C B A θ, element in them is the possible appearing alert tracks. Set of current achieved situation feature vectors is {}⋅⋅⋅=,,,,4321V V V V M . The process of comprehension of current situation is to find a mapping θ→M F :.Level 3 projection of future situation of network security: Project the future situation of network security based on θ from level 2, and present the trend of network security by means of probability. That is seeking security situation )(t t ∆+θof t t ∆+clock according to situation )(t θof t . The process of project future situation of network security is to find a mapping )()(:t t t ∆+→θθϕ.The relationship between these security situational assessment levels, the mental model, and the decision-making is illustrated in Figure 1.Fig. 1 Security situational assessment2.2 Visuali z ationMost current information security tools target specific problems not the big picture. Visualization is a useful method for advancing security situation assessment. For example, visualization can review many events simultaneously and see patterns and trends, yet textual or tabular representation focus on details and intensive study of a few events or parameters, that is good for studying events sequentially but difficult to see all the security events at the same time.Visualization is used for displaying system logs or IDS logs initially. But it can’t be transformed real-time. So data flow, multi-sources, and multi-view visualization system is presented for estimating network security situation.2.3 CorrelationIn the process of refining situation features of level 1, it is necessary to correlate the large amount of security events from various security tools. Yarden presented visual correlation[4][5]. Their approach was based on representing the network alerts as connections between two domains. One is representing node attribute, the other is two-dimensional domain representing time and type attribute, as shown in Figure 2. Map the node domain onto a finite circle, while the type-time domain is wrapped around it in the shape of a ring, as shown in Figure 3.Fig. 2 Security alerts domain Fig. 3 Visuali z ation mappingThe main problem in correlating alerts from disparate logs is the seeming lack of mutual grounds on which to base any kind of comparison between alerts. In Yarden’s method, alerts must possess what they term the W3 premise: the when, where, and what attributes, namely, time, node, and type. A few alert types are refined from large amount of security events in level 1, which formed alert tracks A in level 2 of security situation assessment. In our design, usingparallel axes view represents correlations between security events from various security tools, as illustrated in Figure 4. When a new attack event achieved, it will compare with all alert track and decide to join in the similar alert track or produce a new one. If a new one is produced, the number will change to n+1 on the alert track axis. If it joints in the old one, drew a line from the event to the alert track. A darker or thicker line represents a larger amount of events are correlated to certain alert track. This will focus the security administrator’s attention, so he or she can take action and correct the problem on the suspect machine.Fig. 4 Correlations representation of parallel axes3. THE ROLES OF SITUATION ANALYSIS IN NETWORK SECURITY RISK ASSESSMENTAs we said above, security assessment is a system project. The aim of security risk assessment is to comprehend where the current and future risks are, estimate security threat and the influence extent brought by them, and provide gist for establishment of security policy, and foundation and running of information system.Situation analysis estimates network current state and projects the next possible occurrence from three levels, not single security event or alert. Therefore, situation analysis is useful for advancing network security assessment.4. CONCLUSIONS ecurity risk assessment is an important management means running through the whole information system process, which is the foundation and premise of establishing and adjusting security policy. In this paper, we discussed situation assessment and its role in the risk estimation. Situation assessment is described from three levels of refinement, comprehension, and projection to understand the network situation, find out vulnerability, and project the next situation. Using this situation assessment, we can detect abnormal network behavior and patch holes to stop attacks before they have a chance to cause serious damage. So visualization and its correlation is an important research of risk evaluation and situation analysis of network.REFERENCES:[1] Chen XZ, Zheng QH, Guan XH, Lin CG.. Quantitative Hierarchical Threat Evaluation Model for Network Security. Journal of Software, 2006,17(4):885-897[2] Bass T. Intrusion systems and multisensor data fusion: Creating cyberspace situational awarenessˊCommunications of the ACM, 2000,43(4):99 -105ˊ[3] Bass TˊMultisensor data fusion for next generation distributed intrusion detection systemsˊIn: 1999 IRIS National Sympˊon Sensor and Data FusionˊLaurel, 1999, pp. 24 27.[4] Livnat, Yˊa , Agutter, Jˊb , Moon, Sˊb , Foresti, Sˊc Visual correlation for situational awareness Proceedings - IEEE Symposium on Information Visualization, INFO VIS, 2005, pp. 95-102ˊ[5] Foresti, Sˊa , Agutter, Jˊb , Livnat, Yˊc , Moon, Sˊa , Erbacher, Rˊd. Visual correlation of network alerts. IEEE Computer Graphics and Applications, 2006, 26 (2): 48-59ˊ[6] Yin Xiaoxin, Y urcik W, S lagell A. The Design of VisFlowConnect -IP: a Link Analysis S ystem for IP S ecurity Situational Awareness. In: Third IEEE International Work shop on Informa tion Assurance(IWIA), 2005[7] BearavoluR, LakkarajuK, Y urcikW. NVisionIP: An Animate S tate Analysis Tool for Visualizing NetFlows. FLOCON Network Flow Analysis Workshop (Network Flow Analysis for Security Situational Awareness), Sept. 2005[8] S U Y u, ZHAO Hai, S U Wei-ji, XU Ye. Situation Assessment/Diagnosis Model Based on Bayesian Networks for Hydropower Equipment. Journal of Northeastern University(Natural Science), 2005, 26(8):739-742Liu Mixia, Ph. D. candidate. Her research is interested in computer network security.。