Network security situation assessment based on data fusion

Abstract

Network security situation assessment can project the next behavior of the network by describing its current state. Security events from IDS, firewalls, and other security tools are currently growing at a rapid pace. However, most intrusion-event research focuses on IDS alerts and overlooks intrusion evidence from other security tools, or it integrates the various security tools only superficially, without reflecting the state of the network as a whole. In this paper, we describe network security from a system-level view. First, network situation elements are analyzed. Second, we study their correlations and present a system architecture for network security situation assessment. Third, multi-sensor correlation algorithms are analyzed: a Colored Petri net is used to describe the change in system state after new events arrive, and the D-S Theory of Evidence is used to combine the different pieces of evidence. Then, we report and analyze experimental results on the DARPA 2000 DDoS attack scenarios. Finally, we conclude our work and present our next research goal. © 2008 IEEE.

Citation (APA)

Mixia, L., Qiuyu, Z., Hong, Z., & Dongmei, Y. (2008). Network security situation assessment based on data fusion. In Proceedings - 1st International Workshop on Knowledge Discovery and Data Mining, WKDD (pp. 542–545). https://doi.org/10.1109/WKDD.2008.35
