Research on situation awareness of network security assessment based on Dempster-Shafer

Network security situation assessment depends on data that are multi-source and heterogeneous, and it therefore involves many uncertainties. These objective uncertainties must be described and dealt with during the assessment process. This paper proposes a multi-attribute decision-making trust evaluation model based on D-S evidence theory for a multi-source, heterogeneous environment. By collecting, processing and evaluating attack event information from the data sources of many security devices, the model can effectively evaluate the possibility of network intrusion and provides a new exploration for network security situation assessment.


Introduction
The objective uncertainties must be described and dealt with in the process of network security situation assessment. Combining intrusion detection features with evidence theory, and aiming at the characterization of various intrusion behaviors in the network, this paper uses D-S evidence theory to evaluate the credibility of an intrusion threat, which provides a new method for network security situation assessment.

Network security situation assessment
The concept of situation awareness (SA) was put forward by Endsley in 1988. SA is the acquisition, understanding and short-term prediction of environmental factors within a certain time and space. The purpose of network situation awareness is to display and predict the latest development trend of the network by acquiring and understanding the equipment running status, network behavior and user behavior that can change the network situation in a large-scale network environment. Network security situation awareness refers to the real-time collection of all data flows in the network, the analysis and processing of those flows using data fusion and data mining technology, and their visual display using big data technology, so that the operational security of the network is shown in real time and network security is guaranteed [3][4][5]. In order to detect potential and malicious attacks accurately and in real time, network security situation awareness should include data preprocessing, feature extraction, situation assessment, situation prediction and situation display [6][7]. The data for network security situation awareness come from a large number of heterogeneous hosts and network devices, including firewalls, web application firewalls, intrusion detection systems (IDS), intrusion prevention systems (IPS), database audit equipment, etc. The quantity of security log data generated by these devices is growing rapidly. Different kinds of log data contain a large amount of uncertain information that is to some extent incomplete, inaccurate and contradictory, so the problem of uncertain information in situation assessment must be solved by integrating complementary, redundant and even contradictory data.

D-S evidence theory
When G. Shafer published the book A Mathematical Theory of Evidence in 1976, evidence theory became a complete theory for dealing with uncertainty. In D-S evidence theory, the recognition framework Θ represents the complete set of the objects studied, and the elements of Θ are mutually exclusive, discrete values. The set of all subsets of the recognition framework Θ is called the power set of Θ, written 2^Θ [8][9][10]. Definition 1: Basic probability assignment function m (BPA). In the identification framework Θ, if m: Then m is the basic probability distribution function of A, called the mass function, and any A with m(A) > 0 is called a focal element.
Definition 2: Belief function. The belief function based on the BPA m on the identification framework Θ is defined as:
Definition 3: Plausibility function. The plausibility function based on the BPA m on the identification framework Θ is defined as follows:

Definition 4: Reliability interval. The belief function Bel(A) and the plausibility function Pl(A) constitute the reliability interval [Bel(A), Pl(A)], which expresses the degree of confirmation of proposition A: [0,0] represents the negation of A and [1,1] represents the affirmation of A. The evidence reliability interval is illustrated in Fig. 1.
Fig. 1. D-S reliability interval description.
Definition 5: Dempster's combination rule, also known as the evidence combination formula. For two mass functions m1 and m2 on Θ, Dempster's combination rule is: where K is the normalization constant. For finitely many mass functions m1, m2, …, mn, Dempster's combination rule is: K, known as the normalization factor, reflects the degree of conflict between the bodies of evidence: when K is close to 0 the conflict between the bodies of evidence is small and the fusion result is accurate; when K is close to 1 the conflict is large and the fusion result is inaccurate; and when K = 1 the bodies of evidence are completely contradictory and cannot be effectively fused.
Definition 6: Class probability function.
where |A| and |Θ| are the number of elements in A and Θ respectively. The certainty of proposition A can be expressed by this quasi-probability function.

Network security situation evaluation model based on D-S evidence
In this paper, D-S evidence theory is used to fuse the security data sources. By processing the characteristic attributes of network security events, the basic probability distribution is established; the modified BPA function is obtained by weight calculation, and the credibility of a network attack is evaluated according to the combination rules. The object of evaluation in this paper is the credibility of the network attack event, measured by multi-dimensional characteristic attributes, including four characteristic attributes. In the trust model of this paper, Θ is defined as {Attack, NO Attack}. The relationship between intruder and event is divided into trust {Attack}, distrust {NO Attack} and uncertainty {Attack, NO Attack}. Here S1 represents the degree of threat calculated from the firewall logs, S2 the degree of threat calculated from the web application firewall logs, and S3 the degree of threat calculated from the IDS logs.
Event basic probability distribution. The basic probability distribution is shown in the following. The basic probability distribution functions of S1, S2 and S3 on the identification framework Θ are m1, m2 and m3 respectively.
Based on the basic probability distribution corresponding to each piece of evidence, the importance weight of the evidence is calculated using equations (1) ~ (7). According to formula (4), the class probability function of formula (8) is used to calculate the trust value. As a measure of the imprecision of trust, the reliability space of uncertain events is divided according to the probability of occurrence of trusted and untrusted events in the data source, and the two events are assigned as trusted and untrusted: |{Attack}| = |{NO Attack}| = 1 and |{Attack, NO Attack}| = 2. Formula (9) comprehensively considers the trusted, untrusted and uncertain parts of the trust relationship. This method can accurately evaluate the direct trust relationship between the security logs.

Experiments
In this paper, the network security situation assessment uses the logs generated by three security devices to calculate the credibility of an attack event: S1 represents the degree of threat calculated from the firewall log records, S2 the degree of threat calculated from the web application firewall log records, and S3 the degree of threat calculated from the intrusion detection system (IDS) log records. Taking S1 as an example, its value range is 0-1, and it is calculated from the connection duration, protocol type and network service type of the target host in the firewall log. Data for 100 attack events are randomly generated and 10 of them are selected; their BPAs are listed in the following. According to formulas (1) ~ (9), we calculate the credibility of these 10 attacks based on the three different data sources collected from the 3 security devices.
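As an added example, not code from the paper, the following Python implements Definitions 1 to 6 for the paper's framework Θ = {Attack, NO Attack} and fuses three constructed BPAs (S1, S2, S3, as in the model above) for a single event. Two assumptions: the evidence weights of formulas (1) ~ (7) are not reproduced on this page, so the sources are combined unweighted; and the class probability function of formula (8) is taken in its standard form Bel(A) + (|A|/|Θ|)(Pl(A) - Bel(A)).

```python
"""D-S fusion of three security-log sources over Theta = {Attack, NO Attack}."""
from itertools import product

ATTACK, NO_ATTACK = "Attack", "NO Attack"
THETA = frozenset({ATTACK, NO_ATTACK})

def combine(m1, m2):
    """Dempster's rule for two BPAs (dict: frozenset -> mass). Returns (fused BPA, K)."""
    fused, k = {}, 0.0
    for (b, mb), (c, mc) in product(m1.items(), m2.items()):
        inter = b & c
        if inter:                       # compatible focal elements support B ∩ C
            fused[inter] = fused.get(inter, 0.0) + mb * mc
        else:                           # empty intersection: conflict mass K
            k += mb * mc
    if k >= 1.0:                        # Definition 5: K = 1 means no effective fusion
        raise ValueError("K = 1: bodies of evidence are totally contradictory")
    return {a: v / (1.0 - k) for a, v in fused.items()}, k

def belief(m, a):
    """Definition 2: Bel(A) = sum of masses of subsets of A."""
    return sum(v for b, v in m.items() if b <= a)

def plausibility(m, a):
    """Definition 3: Pl(A) = sum of masses of sets intersecting A."""
    return sum(v for b, v in m.items() if b & a)

def class_probability(m, a, theta=THETA):
    """Assumed form of Definition 6: Bel(A) + |A|/|Theta| * (Pl(A) - Bel(A))."""
    bel, pl = belief(m, a), plausibility(m, a)
    return bel + len(a) / len(theta) * (pl - bel)

def fuse_sources(bpas):
    """Fuse a list of BPAs pairwise; also report the largest conflict K seen."""
    fused, max_k = bpas[0], 0.0
    for m in bpas[1:]:
        fused, k = combine(fused, m)
        max_k = max(max_k, k)
    return fused, max_k

# Constructed sample BPAs (m1, m2, m3) for one event; not taken from the paper's table.
S1 = {frozenset({ATTACK}): 0.6, frozenset({NO_ATTACK}): 0.1, THETA: 0.3}  # firewall
S2 = {frozenset({ATTACK}): 0.5, frozenset({NO_ATTACK}): 0.2, THETA: 0.3}  # WAF
S3 = {frozenset({ATTACK}): 0.7, frozenset({NO_ATTACK}): 0.1, THETA: 0.2}  # IDS

def evaluate_event(bpas=(S1, S2, S3)):
    """Return (Bel, Pl, class probability) of {Attack} after fusing all sources."""
    fused, _ = fuse_sources(list(bpas))
    a = frozenset({ATTACK})
    return belief(fused, a), plausibility(fused, a), class_probability(fused, a)
```

The fused credibility of {Attack} lies in the reliability interval [Bel, Pl] of Definition 4, and the class probability sits between them.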

Conclusion
This paper proposes a multi-attribute decision-making trust evaluation model based on D-S evidence theory for a multi-source, heterogeneous environment. It evaluates the credibility of network attack events from objective evidence, providing a new exploration for network situation evaluation technology. The paper shows that the possibility of network intrusion can be effectively evaluated by collecting, processing and evaluating attack event information from the data sources of multiple security devices. This research has reference value for the development of network security situation assessment.