Network Security Situation Awareness Framework based on Threat Intelligence

Network security situation awareness is an important foundation for network security management: it presents the security status of a target system by analyzing existing or potential cyber threats in that system. In network offense and defense, the security state of the target system is affected by both offensive and defensive strategies. Based on this feature, this paper proposes a network security situation awareness method using a stochastic game in a cloud computing environment, and uses the utility of both sides of the game to quantify the network security situation value. The method analyzes nodes according to the security state of the target virtual machine and uses the virtual machine introspection mechanism to obtain the impact of network attacks on the target virtual machine, then dynamically evaluates the network security situation of the cloud environment based on the game process between attack and defense. For attack prediction, cyber threat intelligence is used as an important basis for potential threat analysis. Cyber threat intelligence applicable to the current security state is screened through the system hierarchy fuzzy optimization method, and the potential threat to the target system is analyzed using the intelligence obtained through screening. If no applicable cyber threat intelligence exists, the Nash equilibrium is used to predict attack behavior. The experimental results show that the proposed network security situation awareness method can accurately reflect changes in the network security situation and predict attack behavior.
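As an added illustration (not the paper's own code, model or payoff values), the following constructed Python example shows the two prediction paths the abstract names: screening a threat-intelligence feed for entries applicable to the current security state, and otherwise falling back to the Nash equilibrium of a small attacker/defender game, whose attacker utility serves as a stand-in situation value. The 2x2 payoff matrix, the CTI record fields and the simple applicability test replace the paper's stochastic game and fuzzy screening step and are assumptions.

```python
"""Constructed attack/defense game for situation awareness (illustrative only).

The payoff values, CTI record layout and applicability test below are
stand-ins for the utilities and fuzzy screening the abstract describes.
"""
from fractions import Fraction

# Constructed 2x2 zero-sum game: rows are attacker actions, columns are
# defender actions, entries are attacker utility (defender utility = -entry).
ATTACKS = ("web_exploit", "credential_spray")
DEFENSES = ("patch_web_tier", "enforce_mfa")
PAYOFF = [[Fraction(2), Fraction(8)],
          [Fraction(6), Fraction(3)]]

# Constructed CTI feed: which attack a report describes, which exposed
# service it concerns, and how confident the source is.
CTI_FEED = [{"attack": "web_exploit", "service": "http", "confidence": 0.9}]


def nash_2x2(a):
    """Return (attacker mix, defender mix, game value) for a 2x2 zero-sum game."""
    (a11, a12), (a21, a22) = a
    # A pure saddle point exists when maximin equals minimax.
    maximin = max(min(a11, a12), min(a21, a22))
    minimax = min(max(a11, a21), max(a12, a22))
    if maximin == minimax:
        r = 0 if min(a11, a12) == maximin else 1
        c = 0 if max(a11, a21) == minimax else 1
        return [Fraction(1 - r), Fraction(r)], [Fraction(1 - c), Fraction(c)], maximin
    # Mixed equilibrium: each side chooses a mix that equalises the
    # opponent's payoff across the opponent's two actions.
    denom = a11 - a12 - a21 + a22
    p1 = (a22 - a21) / denom          # attacker's probability of row 1
    q1 = (a22 - a12) / denom          # defender's probability of column 1
    value = q1 * a11 + (1 - q1) * a12  # attacker payoff of row 1 against the defender mix
    return [p1, 1 - p1], [q1, 1 - q1], value


def situation_value(payoff=PAYOFF):
    """Stand-in situation metric: attacker's equilibrium utility (higher is worse)."""
    return nash_2x2(payoff)[2]


def predict_attack(state, cti_feed, payoff=PAYOFF, min_confidence=0.7):
    """Use applicable CTI when any exists; otherwise predict from the Nash mix."""
    applicable = [c for c in cti_feed
                  if c["service"] in state["exposed"] and c["confidence"] >= min_confidence]
    if applicable:
        best = max(applicable, key=lambda c: c["confidence"])
        return best["attack"], "cti"
    p, _, _ = nash_2x2(payoff)
    return ATTACKS[p.index(max(p))], "nash"
```

With the constructed payoffs the attacker's equilibrium mix is (1/3, 2/3), so a host exposing only SSH yields the prediction credential_spray via the game, while a host exposing HTTP is covered by the CTI record.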
