Multi-Dimension Threat Situation Assessment Based on Network Security Attributes

2018 27th International Conference on Computer Communication and Networks (ICCCN) (2018)

Abstract
Cyber-attacks are becoming more and more complex, but network situation assessment based on log analysis cannot meet security requirements because of the low quality of logs and alerts. This paper addresses the lack of consideration of the security attributes of hosts and attacks in the network. Moreover, the identity and effectiveness of the most common attacks, Distributed Denial of Service (DDoS), are hard to prove in risk assessment based on alerts and flow matching. A multi-dimension threat situation assessment method based on network security attributes is proposed in this paper. First, it gives an adaptive Common Vulnerability Scoring System (CVSS) calculation that considers asset value as an environment metric. Second, it collects the deterioration rate of properties through sensors in hosts and the network, with the aim of assessing the time and level of DDoS attacks. Third, it adopts the distribution of asset value in security attributes, considering the features of attacks and the network, with the aim of assessing and showing the whole situation. Experiments demonstrate that the results show the primary threat and security requirement of the network. By comparison and analytic study, the method reflects more of the security requirement and security risk situation than traditional methods based on alert and flow analysis.
Keywords
risk assessment,multidimension threat situation assessment method,network security attributes,asset value,DDoS attacks,security requirement,security risk situation,cyber-attacks,network situation assessment,log analysis,security requirements,adaptive common vulnerability scoring system calculation,CVSS calculation