A scalable model for network situational awareness based on Endsley's situation model

The paper introduces Endsley's situation model into network security to describe the network security situation, and adapts Endsley's data processing to suit network alerts. The proposed model captures incident frequency, incident time and incident space. The HoneyNet dataset is selected to evaluate the proposed model. The paper proposes three definitions to describe and simplify the whole situation extraction in detail, and a fusion component to reduce the influence of alert redundancy on the overall security situation. The less complex extraction makes the situation analysis more efficient, and the fine-grained model makes the analysis more extensible. Finally, the situational variation curves are simulated, and the evaluation results show the situation model to be applicable and efficient.