A Novel Approach to Network Security Situation ... - IEEE Xplore

8 downloads 1123 Views 457KB Size Report
A Novel Approach to Network Security Situation Awareness Based on Multi- perspective Analysis. Zhang Yong. Department of Automation. University of Science ...
2007 International Conference on Computational Intelligence and Security

A Novel Approach to Network Security Situation Awareness Based on Multiperspective Analysis Zhang Yong Department of Automation University of Science and Technology of China Hefei, Anhui, P.R.China [email protected]

Tan Xiaobin Department of Automation University of Science and Technology of China Hefei, Anhui, P.R.China [email protected]

NetSA, based on air traffic control (ATC) situation awareness, and adopted mature theory and technology from ATC situation awareness [4]. Afterwards, a series of models of NSSA were proposed, but most of them are framework without practical value and only give qualitative analysis of NSSA without precise mathematic model. Based on these models, we propose a quantitative model of NSSA based on multiperspective analysis and time series analysis. This paper is organized as follows. Section 2, we discuss the conceptual model of NSSA and construct a NSSA system. Section 3, we suggest a method of network security situation measurement, and establish the model of current network security situation evaluation based on multi-perspective analysis. Section 4, we establish the model of future network security situation prediction based on time series analysis. Section 5 provides a simulation test of the models. Section 6 gives a conclusion of the paper.

Abstract Describing the security situation and its trend is the research hotspot of network security. As a new research field, Network security situation awareness (NSSA) includes three phases: situation perception, situation evaluation and situation prediction. This paper proposes a novel approach to NSSA model. The situation evaluation model adopts a multi-perspective analysis. It uses the description of security attacks, vulnerabilities and security services to evaluate current network security situation. The situation prediction model adopts time series analysis. It uses past and current situation map to forecast future network security situation. Simulation results show that the model is suitable and efficient.

1. Introduction The problem of network security becomes more serious with the growth of the Internet. Traditional concept of security focuses on the confidentiality of information, but now more and more studies concentrate on availability and survivability of services and interest in providing user-oriented system-level services. Network security assessment, especially, describing network security situation and its trend, becomes increasingly important. Many researches have focused on network security situation awareness (NSSA) [3] [5] [6], similar to network situation awareness (NetSA) [1]. Deriving from situation awareness (SA), NSSA describes the status of network equipments, network behaviors and user actions. SA is widely used in the commercial and military aviation communities. In 1988, Endsley gave a strict definition of SA [2]. In 1999, Tim Bass first introduced the concept of the

0-7695-3072-9/07 $25.00 © 2007 IEEE DOI 10.1109/CIS.2007.160

Xi Hongsheng Department of Automation University of Science and Technology of China Hefei, Anhui, P.R.China [email protected]

2. NSSA system framework 2.1. Hierarchy of NSSA Modeling is the basis of NSSA. There are many researches about NSSA models [1] [3] [5]. According to Tim’s idea, it’s to construct the network security situation infrastructure with the application of multisensors data fusion. Tim Bass gave a primary framework which provides conceptual analysis of NetSA. It is the basis of other models. But it can’t solve the actual security problems and has many shortages. As networks evolve in complexity, the number of objects, threats, sensors and data streams dramatically increase [1]. After investigating many other NSSA models, we give a conceptual model of NSSA. It is a hierarchical model, illustrated Figure 1.

768

Security Reinforcement Scheme module: Using the data input from other modules, this module gives a practical security reinforcement scheme to guide managers to improve network security.

3. Situation Evaluation Based on MultiPerspective Analysis Situation evaluation is a quantitative analysis about security, and it is the basis of situation prediction. There are many mature models for use to evaluate situation, but most of them have drawbacks. In this section we give a situation evaluation model using multi-perspective analysis. In data collection module, we use six detection subsystems to all-round monitoring network, including Malware Detection, IDS and Firewall, Vulnerability Scan, Penetration Testing, Online Testing and Security Service Detection. In situation perception and evaluation modules, because of topology of network and distinctness of hosts, we must distinguish different networks. Firstly, we consider a single computer security situation evaluation. According to the security situation of each host, we adopt additive weight method to compute security situation of entire network. Supposing a network contains N hosts, for security situation evaluation of a single host H k , we consider three types of security factor: security attacks, vulnerabilities and security services (illustrated in Figure 3).

Figure 1. The conceptual model of NSSA

2.2. A Novel Design Approach to NSSA System Based on above conceptual model of NSSA, we suggest a novel design approach to NSSA system, illustrated in Figure 2. This framework gives precise mathematical model to describe network security situation and its trend. Especially, it gives a practical security reinforcement scheme used to guide people to improve network security. It is composed of five modules, except security reinforcement scheme module, four of them correspond to the four levels of conceptual model. We will discuss them in details.

Figure 2. The framework of NSSA Data collection module: It observes information in cyberspace and captures metadata by multi-sensors. The output of this module is tremendous original data. Situation perception module: It analyzes the original data, then categorizes them and transforms into a unified format of XML. This module prepares for situation evaluation, and it is the basis of situation awareness. Situation evaluation module: Analyzing the input of security incidents with precise mathematics model, this module gives a comprehensive and quantitative description of current situation. It is the core of situation awareness and will be discussed in section 3. Situation prediction module: Comprehending all historical situation values this module plots situation map. It forecasts the future situation using time series model. We will discuss this model in section 4.

Figure 3. Multi-Perspective Analysis

3.1. Security Attacks Evaluation Security attacks: Any action that compromises the security of cyberspace, including effective and invalid attacks. We use quantitative hierarchical method, which is similar to Chen’s conclusion [3]. Assumption 1. During time t, divide t into L intervals, WT = {t1 , t2 ," tL } presents the weight of time interval. S = {S1 , S2 ," S n } presents n kinds services. WS = {α1 , α 2 ,"α n } presents the weight of

769

services. A = {a1 , a2 ," am } presents m kinds of attacks.

Ck = ( cijvk )

n×m×L

Assumption 3. During time t,

presents five security attributes. WT = {β1 , β2 ,"β5} presents the weight of the security attributes. M = {M 1 , M 2 , " M q } presents q kinds of security

,(1≤ i ≤ n,1≤ j ≤ m,1≤ v ≤ L,1≤ k ≤ N)

, cijvk presents the times of service

Si faced attack a j

mechanisms.

during interval tv in host H k . B = {b1 , b2 ," bm } presents the importance of attacks. The security situation about attacks is: L

n

RAHk = ∑ t(v

m

∑ α (∑ c i

v =1

i =1

ijvk

bj

10 ))

Gk = ( gijk )

5×q

security attribute N j in

(1)

j =1

formula: RHk = G ⋅

(4)

(5)

k =1

WH = {χ1 , χ 2 ," χ N } presents the weight of host

H k . The security situation of vulnerability is: j =1

RAHk ⋅ RVHk RSHk

N

RN = ∑ χ k RHk

presents the effect of vulnerability V j to service Si in

i =1

(3)

G is a normalization factor. The current security situation of network can be computed in formula:

, (1 ≤ i ≤ n,1 ≤ j ≤ p,1 ≤ k ≤ N )

d

j =1

Definition 1. According to Assumption 1, 2 and 3, current security situation of host H k is computed in

vulnerabilities.

RVHk = ∑ αi (∑ eijk 10 j )

i =1

3.4. Network Security Situation Evaluation

kinds of vulnerabilities. D = {d1 , d 2 ," d p } presents the importance of

p

q

The bigger the value is, the safer the host is.

p

n

5

RSHk = ∑ βi (∑ gijk )

Vulnerabilities: Weakness in the cyberspace allows attacker to violate the security of it. We consider five types of vulnerability: software vulnerability, protocol vulnerability, service vulnerability, management vulnerability and false configuration. Assumption 2. During time t, V = {V1 , V2 ,"V p }

n× p

H k . The security situation

about security services is:

3.2. Vulnerabilities Evaluation

Ek = ( eijk )

, (1 ≤ i ≤ 5,1 ≤ j ≤ q,1 ≤ k ≤ N ) ,

gijk presents the effect of security mechanism M j to

The bigger the value is, the more insecure the host is.

presents

N = {N1, N2 ,"N5}

which depends on two aspects: the services of it provides and the location of it.

(2)

4. Situation Prediction Based on Time Series Analysis

RVHk similar to RAHk describes current security situation of host H k from different perspective. The

4.1. Modeling

bigger the value is, the more insecure the host is.

Many mature prediction theories are commendably researched, such as artificial neural networks, fuzzy mathematics, time series analysis, gray theory etc. Based on probability and statistics, time series analysis is felicitous to describe the dependence of a time series. The modeling process is complex. Firstly, we use incomplete theoretical knowledge to indicate a suitable class of models. Then, the number of terms needed in the model and the numerical values of the parameters are estimated from input data. If any inadequacy is found, the iterative cycle is repeated. We should obtain adequate but parsimonious models. Forecasting procedures could be seriously deficient if these models

3.3. Security Services Evaluation Security Services: Service that enhance the security of the cyberspace. We consider several security mechanisms to implement security service: encryption, digital signature, data backup, access control, auditing, etc. [8]. We use five security properties including Confidentiality, Availability, Integrity, Authentication, Non-Repudiation, defined by DoD [9] to describe the improvement of security enhanced by security mechanisms.

770

were either inadequate or unnecessarily prodigal in the use of parameters [7]. At time t, a situation sequence output from evaluation module, which is input for prediction module, is marked as {z t , z t-1 , z t-2 ,..., z0 } , "1" is interval. It is a linear non-stationary series. A common analysis is to decompose series into three components: a "trend", a "seasonal component", and a "random component". The trend is fitted by a polynomial and the seasonal component by a Fourier series. The random component is fitted by Autoregressive Moving Average (ARMA) model. Forecasting is made by these fitted functions. It is called Simple Seasonal model. If the correlation among three components is too complex, Simple Seasonal model will not be suitable and sometimes give extremely misleading result. We use Multiplicative Seasonal model instead [7]. Definition 2. Let {zt , zt-1, zt-2 ,...} be the input time

that series is AR(p), MA(q), or ARMA(p,q). The values of p and q can also be identified by the maps. Parameters Estimate: Least Squares estimation and Maximum Likelihood estimation can be used. Forecasting: Using past and current value of time series the model estimates the possible value of future. If the number of points is large, estimations error in the parameters will not seriously affect the forecasts. Forecasts can be computed directly from the difference equation. It is a minimum mean square error forecasts. Definition 3. The forecast [ zt +l ] for lead time l is the conditional expectation of zt +l at origin t: ^

[ zt +l ] = zt (l ) = ϕ1[zt +l −1 ] +"+ ϕ p+d [zt +l − p−d ]-

θ1[at +l −1] −"θq[at +l −q ] + [at +l ]

The residual value of forecasting for lead time l at origin t is: et (l ) = at +l + ψ 1at +l −1 + " +ψ l −1at +1 (8)

series, if µ ≠ 0 , z t ← zt − µ , {et ,et-1,et-2 ,...} be Gauss White Noise Series. The Simple Seasonal model is:

φ (Β)∇ d ∇ s zt = θ (Β)at ∇ d = (1 − Β)d is trend difference,

(7)

5. Simulation Test

(6)

We select a part of HoneyNet dataset [11] during Nov. 2001 for simulation. The data is collected by the Honeynet Project. It only contains attacks and has no description of system vulnerabilities and security services. In order to satisfy the conditions of test, we assume R VHk = 1 and R SHk = 1 . The weight of host depends on number of services the host provides. The services are divided into three classifications: {High-Level, Medium-Level, LowLevel} [6]. One day is divided into three slots: {00:0008:00, 08:00-18:00, 18:00-24:00} [3]. The importance of the attacks is divided into five levels: {None, Low, Medium, High and Ultra-High} [10]. So, the weight of each service and each host can be computed. Using formula (1), (4) and (5), current network security situation can be easily computed. By adjusting, we find the optimal model is ARIMA(6,0,5), illustrated in Figure 4.

∇ s = (1 − Β s ) is seasonal difference,

φ (B) = 1 − φ1B − ... − φp Bp , θ (B)=1 − θ1B − ... − θ q Bq . When s=0 , the model degrades to ARIMA(p,d,q).

4.2. Model Identify and Forecasting We estimate autocorrelation functions and partial autocorrelation function of {zt } . They describe the dependence of series. If the autocorrelation function does not die out rapidly, the series is nonstationary, but d

possibly stationary in ∇ zt . Identifying the degree of difference: If the d

autocorrelation function of ∇ zt dies out rapidly, the series has reached stationary, and the degree of trend difference is d. In practice, d is 0, 1, or 2. If we cannot find the lower d, seasonal component should be considered. After seasonal difference and trend difference, the series is stationary and can be fitted by ARMA(p,q). Identifying the resultant stationary ARMA: We plot the autocorrelation and partial autocorrelation maps. According to cutoff or tails off of the autocorrelation and partial autocorrelation, we identify

Figure 4. Prediction and true value

771

References

The variance of the residual value is least. The forecasting equation is:

[1] Bass T, "Intrusion Detection Systems and Multi-sensor Data Fusion: Creating Cyberspace Situation Awareness", Communications of the ACM, 2000, 43(4): pp.99-105.

zt =et + 0.9308et +0.3115et-2 -0.3892et-3-1.149et-4 −0.4674et-5 − 0.6384zt−1 + 0.236zt−2 + 0.4563zt−3

(9)

[2] Endsley M R, "Design and evaluation for situation awareness enhancement", Human Factors Society, 32nd Annual Meeting, Santa Monica, CA, 1988.

+0.6494zt−4 + 0.164zt−5 − 0.1173zt−6 The average residual value e(1) is less than 3.7, and the average relative error ∆ is not more than 5%.

[3] Chen XZ etc., "Quantitative hierarchical threat evaluation model for network security", Journal of Software, 2006, 17(4): pp.885-897.

6. Conclusions

[4] Bass T etc., "A glimpse into the future of id", http://www.usenix.org/publications/login/1999-9/features/f uture.html.

NSSA describes the network security situation and its trend. This paper proposes a novel approach to NSSA. Using the model, we can describe network security situation precisely, and adjust security strategy to improve network security. The situation evaluation model adopting multi-perspective analysis is more comprehensive than simple hierarchical model. It analyzes the security attacks, as well as quantitative description of the vulnerabilities and security services. The situation prediction model adopting time series analysis is suitable to describe the dependence of situation value series, and to find the law of situation development. Consequently, it gives a precise forecasting of future situation. Simulation results show that the model is suitable and efficient. In future, we will test the model in actual network environment and improve it. We will use the model to build a practical NSSA system and develop some non-linear models.

[5] Lai jibao etc., "Study of Network Security Situation Awareness Model Based on Simple Additive Weight and Grey Theory", IEEE, 2006. [6] Wei Hu etc., "A Novel Approach to Cyberspace Security Situation Based on the Vulnerabilities Analysis", Proceedings of the 6th World Congress on Intelligent Control and Automation, June 21 - 23, 2006 [7] Box, Jenkins etc., Time Series Analysis: Forecasting and Control, 3rd edition, Prentice Hall, 1994 [8] William Stallings, Cryptography and Network Security Principle and Practice, 3rd edition, Prentice Hall, 2003 [9] DoD Directive 3600.1, "Information Operations", December 1996.

7. Acknowledge

[10] "Snort Rules", http://www.snort.org/rules/.

This work is supported by the National High-Tech R&D Program of China(863,2006AA01Z449).

[11] "Know Your Enemy: Statistics", http://www.honeynet.o rg/papers/stats/, 2001.

772