
Publication


Featured research published by Wang Dongxia.


computer and information technology | 2010

Analyzing and Correlating Security Events Using State Machine

Feng Xuewei; Wang Dongxia; Zeng Jiemei; Ma Guoqing; Li Jin

It is infeasible for the security manager to analyze security events manually, because the number of events is huge and the information contained in the events is meaningless. After analyzing the existing algorithms for security event correlation, we propose an attack scenario reconstruction technology based on a state machine. Using this technology, the processes by which attackers intrude into cyberspace can be restored and more comprehensive attack scenario descriptions can be generated. This work makes the security manager's job more comfortable. The state machine based attack scenario reconstruction technology processes security events using clustering analysis and causal analysis concurrently. It builds a correlation state machine in memory for every attack scenario tree predefined by the security manager. When security events arrive, certain state machines process them; if the condition is satisfied, an attack scenario description is generated and sent to the security manager. The correlation technology based on the state machine is more timely and accurate. Finally, we use the DARPA2000 Intrusion Scenario Specific Data Sets to validate the technology; the experimental results show that it is feasible to analyze security events using the technology we propose.


ieee international conference on dependable, autonomic and secure computing | 2014

An Approach of Discovering Causal Knowledge for Alert Correlating Based on Data Mining

Feng Xuewei; Wang Dongxia; Huang Minhuan; Sun Xiaoxia

The process by which attackers exploit target facilities in cyberspace is always gradual, and multiple attack steps are performed in order to achieve the ultimate goal. Identifying attack scenarios is one of the challenges in many research fields, such as cyberspace security situation awareness and the detection of APTs (Advanced Persistent Threats). Alert correlation analysis based on causal knowledge is one of the widely adopted methods in CEP (Complex Event Processing); it is a promising way to identify multi-step attack processes and can reconstruct attack scenarios. However, current research suffers from the problem of defining causal knowledge manually. To solve this problem, in this paper we propose an approach for mining causal knowledge automatically based on the Markov property. First, the raw alert stream is clustered into several alert sets. Each set is then mined to obtain a one-step transition probability matrix based on the Markov property, and each generated matrix represents a piece of causal knowledge. Then we fuse the knowledge that has overlapping steps to create the knowledge base of attack patterns. Finally, the experimental results show that this approach is feasible.


innovative mobile and internet services in ubiquitous computing | 2011

A Framework of Network Security Situation Analysis Based on the Technologies of Event Correlation and Situation Assessment

Feng Xuewei; Wang Dongxia; Ke Shanwen; Ma Guoqing; Li Jin

After analyzing the existing research on network security situation awareness, a framework for situation analysis is proposed in this paper. It is an application and reification of the classic situation awareness model proposed by Tim Bass. The framework is composed of three core parts, namely, the situation information model, the event correlation analysis technology and the situation assessment technology. The information model defines what a situation is and how to express it; the other two technologies are the means of acquiring this situation information. The hierarchical information model contains four levels: raw security data, security entities, assessment report, and mission impact. As the model level rises, the quantity of information decreases while the quality increases. The correlation technology focuses on obtaining the security entities, that is, the second-level situation information. The situation assessment technology provides methods and means for acquiring the information that belongs to the third and fourth levels; namely, it is the technical guarantee for creating the assessment report and mission impact. The framework provides guidance and technical support for the whole situation analysis procedure, and it is the foundation of the analysis work.


international workshop on education technology and computer science | 2010

Security Situation Assessment Based on the DS Theory

Feng Xuewei; Wang Dongxia; Ma Guoqing; Li Jin

A security situation assessment model is proposed in this paper. One of the math functions and the rectification function are used to design the experience function in the theory of evidence. Then the theory of evidence is brought into security situation assessment. We complete the whole process, from correlating and fusing the data provided by the sensors deployed in the network to depicting the security situation curve. We also verified the security situation assessment model and the algorithm; the results show that the problem of network security situation assessment is resolved very well by the use of the theory of evidence. Finally, a method for applying this assessment model to large-scale network security situation assessment is introduced in this paper.


international conference on computer science and information technology | 2010

Research on the key technology of reconstructing attack scenario based on state machine

Feng Xuewei; Wang Dongxia; Ma Guoqing; Li Jin

An attack on cyberspace causes security devices to generate a huge number of security events, and it is infeasible for the security manager to analyze these events manually. After analyzing the existing algorithms for security event correlation, we propose an attack scenario reconstruction technology based on a state machine. Using this technology, the processes by which attackers intrude into cyberspace can be restored and more comprehensive attack scenario descriptions can be generated. This work makes the security manager's job more comfortable. The state machine based attack scenario reconstruction technology processes security events using clustering analysis and causal analysis concurrently. It builds a correlation state machine in memory for every attack scenario tree predefined by the security manager. When security events arrive, the current state set of the correlation state machine processes them; if the condition is satisfied, the current states of the state machine transfer, which corresponds to the development of the multi-step attack. If one of the leaf nodes of the state machine is in its current state set, an attack scenario description is generated and sent to the security manager. The correlation technology based on the state machine is more timely and accurate. Finally, we use the DARPA2000 Intrusion Scenario Specific Data Sets to validate the technology; the experimental results show that it is feasible to analyze security events using the technology we propose.


security of information and networks | 2011

Research on survivability metrics based on survivable process of network system

Liang Ming; Minhuan Huang; Wang Dongxia; Xiaohui Kuang; Wang Chunlei; Feng Xuewei

Survivability is a necessary property of a network system in a disturbed environment. A survivable network always experiences five phases in its survivable process, i.e., the normal phase, resistance phase, destroyed phase, recovery phase, and adaptation and evolution phase. This paper summarizes network survivability as four basic attributes: availability, controllability, robustness, and adaptability. According to these four attributes and the five phases of a survivable network, this paper provides four novel quantifiable survivability metrics, i.e., Process-Weighted Average Availability (PWAA), Process-Weighted Average Controllability (PWAC), Process-Weighted Average Robustness (PWAR), and Process-Weighted Average Adaptability (PWAD). Analysis and experimental results show that these four quantitative metrics describe the meaning of network survivability properly, and can be used to test and evaluate the survivability of a network during the survivable process.


IET Communications | 2016

Improved shifted robust soliton distribution

Niu Fang-lin; Yu Ling; Lei Chen; Wang Dongxia; Tang Zhen-zhou

In shifted Luby transform (SLT) codes, the robust soliton distribution (RSD) degree distribution was conducted with shifted rounding to derive the shifted RSD (SRSD) degree distribution based on partial information. In the shifted rounding process, the large shift of the corresponding probability distribution destroyed the belief propagation decoding rule, so the decoding symbols increased. Meanwhile, the overlarge probability distribution value of degree k resulted in an increase of decoding symbols. In this work, the traditional SRSD degree distribution was developed into an improved SRSD (I-SRSD) degree distribution function by decreasing the degree shift of rounding and limiting the probability distribution of degree k. Theoretical analysis and experimental results show that SLT codes with the I-SRSD degree distribution can decrease decoding symbols as well as encoding and decoding complexity.


asia-pacific web conference | 2014

Implemention of Cyber Security Situation Awareness Based on Knowledge Discovery with Trusted Computer

Zeng Jiemei; Feng Xuewei; Wang Dongxia; Fang Lan

Situation awareness aims to provide global security views of cyberspace for administrators. In this paper, a novel framework for cyber security situation awareness is proposed. The framework is based on a trusted engine and can be viewed from two perspectives: one is the data flow view, which presents the abstraction of cyber data, and the other is the logic view, which presents the procedure of situation awareness. The framework's core component is a correlation state machine, which is an extension of the state machine and is used to model attack scenarios. The correlation state machine is a data structure for situation awareness and is stored in a trusted computer in order to avoid being tampered with. It is created based on knowledge discovery technology, and after being created, it can be used to assess and predict the threat situation. We conclude with an example of how the framework can be applied in the real world to provide the cyber security situation for administrators.


Information and Network Security, ICINS 2014 - 2014 International Conference on | 2014

Research on monitoring probe deployment in large scale network

Ming Liang; Miao Qing; Wang Dongxia

Many failures of networking implementations in large scale network systems demonstrate the need to monitor network performance. How to deploy network probes effectively is a hard problem. For a large scale network with n end hosts, most existing systems have to send O(n^2) probes into the network and then calculate the performance of all links. Although these systems can determine the performance of the links to some extent, they have to send plenty of probes into the network, which generates a great deal of traffic and imposes extra load on the network. To address the problem, we propose a new approach based on greedy and random theory by which we only need to measure a few probes from the total probe set. The experiments have shown that we only need to send about 6.2% of the total probes and can monitor about 98% of the links.


international conference on computer science and information technology | 2010

On speech recognition access control system based on HMM/ANN

Li Bo; Wang Dongxia; Zou De-jun; Hu Tie-sen

In order to improve the recognition rate and practicability of the existing speech access control system, an HMM/ANN hybrid model method was presented. Based on an analysis of the principle of the speech recognition system, a speech access control system was designed using a DSP as the hardware platform. The working principle and the software design process of the system were described. In the training stage, the system filtered out the one of the N-group user models closest to the current composition and then optimized the HMM adaptively. Afterwards, the system carried out the speech recognition with the ANN and gave the final result. Through system simulation, the experimental result shows that the system achieves a higher speech recognition rate with the selection-confirmation algorithm. Therefore, applying the HMM/ANN hybrid model to the speech access control system is a novel way by which the security of the system can be effectively guaranteed.

Collaboration

Top Co-Authors

Niu Fang-lin, Liaoning University of Technology

Hu Tie-sen, Liaoning University of Technology

Lei Chen, China Criminal Police College

Li Bo, Liaoning University of Technology

Yu Ling, Liaoning University of Technology

Zou De-jun, Liaoning University of Technology