The International Journal of Computer Science and Communication Security (IJCSCS), August, 2013
Network Security Situational Awareness
AHMAD JAKALAN
ahmad@njnet.edu.cn
Jiangsu Key Laboratory of Computer Networking Technology,
Southeast University, Nanjing, China
Abstract: Threats to networks come from many sources, from physical and human threats to the extremely diverse methods hackers use to exploit networks and disseminate malware, ranging from simple kinds such as joke programs, propaganda, adware and viruses to highly sophisticated code protected by advanced obfuscation techniques such as packers, polymorphism and metamorphism [1]. The task entrusted to network security scientists and engineers is therefore becoming more and more difficult. Many kinds of security monitoring and analysis tools, under many different names, have been used to detect penetration of networks and to analyze how well the network is performing. The list is too long to give in full, but it includes antivirus software, firewalls, log audit tools, host-based and network-based intrusion detection systems (IDS), low- and high-interaction honeypots, general-purpose and special-purpose honeypots, network flow analysis tools, etc. It is very difficult for network security engineers to stay aware of the huge amount of data produced by these different tools, and at the same time it has been shown that depending on one kind of tool is not enough to protect a network from being exploited. In 1999 Tim Bass [2, 3] was the first author to recommend applying situational awareness to future network security. He foresaw that next-generation cyberspace intrusion detection systems would fuse data from heterogeneous distributed network sensors to create cyberspace situational awareness. In this paper we summarize the state of the art in situational awareness and its application to network security, and we review the different efforts made by researchers to apply the concept of situational awareness (SA) in network security.
Keywords: Network Security, Situational Awareness.
1. Introduction
The concept of situation awareness (SA) comes from research on human factors in aerospace and aviation. The United States Department of Homeland Security defines situational awareness as "the ability to identify, process, and comprehend the critical elements of information about what is happening to the team with regards to the mission" [4]. The military term "situational awareness" refers to a commander knowing where his troops are, their readiness and capabilities, and, most importantly, having intelligence on the location of enemy troops and their readiness and capabilities [5]. In network security it is the knowledge and ability of the analyst to perceive and analyze situations, make sound decisions on how to protect the organization's valued assets, and offer accurate predictions of future states in a dynamic and complex environment [6]. Situational awareness is a cognitive human-factors process that involves a person (the security analyst) who observes, analyzes and resolves situations in the network and makes projections about future network states. Network security situational awareness (NSSA) encompasses security monitoring, security visualization, detection techniques, data fusion, automation, dynamism and complexity in order to achieve higher levels of situation awareness [6]. Endsley defined situation awareness as "the perception of the elements in the environment within a volume of time and space, the comprehension of their meaning, and the projection of their status in the near future" [7]. In 1999, Tim Bass was the first to propose applying the concept of situational awareness to network security, which is now referred to as NSSA.
2. The evolution of Situational Awareness
In 1988, in her paper Design and evaluation for situation awareness enhancement [7], M. R. Endsley presented a discussion of the SA construct, the important considerations facing designers of aircraft systems, and the research then current on SA measurement. Later, in 1995, in her paper Toward a theory of situation awareness in dynamic systems [8], she proposed a theoretical model of situation awareness based on its role in dynamic human decision making in a variety of domains. In dynamic environments, many decisions are required within a fairly narrow span of time, and tasks depend on an ongoing, up-to-date analysis of the environment. She proposed three levels of SA:
Received July 22, reviewed August 24, 2013
1. Level 1 SA: Perception of the elements in the environment: perceiving the status, attributes, and dynamics of the relevant elements in the environment.
2. Level 2 SA: Comprehension of the current situation: integrating the perceived elements to understand their significance.
3. Level 3 SA: Projection of future status: this is achieved through knowledge of the status and dynamics of the elements and comprehension of the situation (both Level 1 and Level 2 SA).
In 2001, in her article Designing for situation awareness in complex systems [9], M. R. Endsley described situation awareness as the key to providing information, because the problem is no longer a lack of information, but finding what is needed when it is needed.
3. Network Security Situational Awareness (NSSA)
What is the difference between security monitoring and situation awareness? Security monitoring is when someone monitors the network and systems for ongoing phenomena whose data may be continuously changing. Whether the security monitoring is passive or active, projecting the future states of the network is neither a mandatory condition nor even an optional requirement of it. Thus, security monitoring is only a part of the perception stage of situation awareness [10].
In 1999 Tim Bass published a series of papers on the future of intrusion detection in the Internet. These papers, in particular his ACM paper Intrusion Detection Systems & Multisensor Data Fusion: Creating Cyberspace Situational Awareness [3], helped spark a modern revolution in Internet security, particularly in the area of network-based intrusion detection systems (IDS). With this paper Tim Bass is considered the first author and network security researcher to have proposed applying situational awareness to network security. He proposed that multisensor data fusion provides an important functional framework for building next-generation intrusion detection systems and cyberspace situational awareness, and the article suggests future design challenges and areas of further research for developing ID systems based on multisensor data fusion. He discussed the inability of individual intrusion detection systems to detect intrusions on their own, and the need to combine data from multiple, diverse sensors and sources in order to make inferences about events, activities, and situations. He compared such systems to the human cognitive process, in which the brain fuses sensory information from the various sensory organs, evaluates situations, makes decisions, and directs action. The output of data-fusion cyberspace ID systems would be estimates of the identity (and possibly the location) of an intruder, the intruder's activity, the observed threats, the attack rates, and an assessment of the severity of the cyber attack.
In another 1999 article, Multisensor Data Fusion for Next Generation Distributed Intrusion Detection Systems [2], Tim Bass predicted that "next generation cyberspace intrusion detection systems will fuse data from heterogeneous distributed network sensors to create cyberspace situational awareness". That paper provided a few first steps toward developing the engineering requirements, using the art and science of multisensor data fusion as the underlying model. It gave a functional overview of how multisensor data fusion enhances the performance and reliability of advanced cyberspace management systems, touched on design challenges, and suggested areas of further research and development. In addition, it suggested that traditional thinking in broad concepts such as network management should evolve toward fusion-based cyberspace situational awareness.
In 2000, in his article Cyberspace Situational Awareness Demands Mimic Traditional Command Requirements [11], Tim Bass predicted that sophisticated computer hardware and software would identify a myriad of objects against a noise-saturated environment, and that cyberspace command and control (CC2) systems would track the objects, calculate their velocity, estimate the projected threats and provide other critical decision-support functions. Cyberspace situational awareness is therefore required to operate and survive in complex global network infrastructures where both friendly and hostile activities coexist.
Cyril Onwubiko [6] presents the functional requirements of situational awareness in computer network security. He describes the three levels of situation awareness, perception, comprehension and projection, as follows:
Perception: knowledge of the elements in the network, such as alerts reported by intrusion detection systems, firewall logs and scan reports, as well as the time at which they occurred, and the classification of this information into meaningful representations that provide the basis for comprehension, projection and resolution.
Comprehension: the techniques, methodologies, processes and procedures that security analysts use to analyze, synthesize, correlate and aggregate
the pieces of evidence perceived from the network elements.
- Security visualization is the transformation of organized data and information into meaningful patterns or sequences that can be visualized. It is part of the comprehension stage of situation awareness.
- Data fusion is a technique for aggregating sets of evidence regarding a perceived situation.
Projection: the ability to make future predictions or forecasts based on the knowledge extracted from the dynamics of the network elements and comprehension of the situation.
The following figure is adapted from Endsley's SA reference model [8], which presents three levels of situation awareness: perception, comprehension and projection. The fourth level (resolution) results from McGuinness and Foy's extension of Endsley's SA model [12].
Figure 1 Network Security Situation Awareness Model [6]
Onwubiko [6] proposed the essential attributes for designing and implementing SA in computer network security: dynamism and complexity, automation, real-time processing, multisource data fusion, heterogeneity, security visualization, risk assessment, resolution, and finally forecasting and prediction of how situations may develop over time by predicting or simulating possible scenarios.
In 2003 and 2004, [5, 13] presented NVisionIP, a tool that makes a direct contribution to solving the problem of visualizing security events. NVisionIP uses NetFlow as its data source. It simultaneously visualizes multidimensional characteristics of individual computers as well as their relationship to network-wide security events across an entire class B IP address space. NVisionIP used Argus NetFlow data to present a visual representation of the traffic of an entire class B IP network on a single screen. The visualization is based on either the number of bytes transmitted or the number of flows to or from the hosts on the network, and can be filtered on a number of attributes useful for categorizing security incidents. Flows are recorded at each router in the network and sent over UDP to a central collection point that aggregates the flow data into a single flow file. The galaxy view gives a visual picture of the current state of an entire class B network: all subnets of the network are listed along the top axis of the galaxy view, while the hosts in each subnet are listed down the vertical axis.
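As an added example, not code from NVisionIP or from this paper: the collector side of the pipeline just described, parsing the NetFlow v5 packets that routers export over UDP and aggregating them into the per-subnet, per-host counts (bytes or flows, optionally filtered by protocol or port) that a galaxy view of a class B network plots. The export packet is constructed inline, and the monitored prefix 10.20.0.0/16 is a hypothetical network chosen for the example.

```python
"""Added example (not code from NVisionIP or this paper): a NetFlow v5
collector-side parser and the per-subnet / per-host aggregation behind a
galaxy view of one class B (/16) address space. The export packet below is
constructed for this example and the monitored prefix 10.20.0.0/16 is
hypothetical."""
import ipaddress
import struct
from collections import defaultdict

# NetFlow v5 wire format as exported by routers over UDP (network byte order).
NETFLOW_V5_HEADER = struct.Struct("!HHIIIIBBH")                # 24 bytes
NETFLOW_V5_RECORD = struct.Struct("!4s4s4sHHIIIIHHBBBBHHBBH")  # 48 bytes
MAX_RECORDS_PER_PACKET = 30

MONITORED = ipaddress.IPv4Network("10.20.0.0/16")  # hypothetical class B


def parse_netflow_v5(packet: bytes):
    """Return the flow records of one v5 export packet as dicts.
    Length and count are validated before unpacking: a collector listens on
    UDP to the whole network and must not trust what it receives."""
    if len(packet) < NETFLOW_V5_HEADER.size:
        raise ValueError("short NetFlow header")
    version, count = NETFLOW_V5_HEADER.unpack_from(packet, 0)[:2]
    if version != 5:
        raise ValueError(f"unsupported NetFlow version {version}")
    expected = NETFLOW_V5_HEADER.size + count * NETFLOW_V5_RECORD.size
    if count > MAX_RECORDS_PER_PACKET or len(packet) != expected:
        raise ValueError("record count does not match packet length")
    flows = []
    for i in range(count):
        offset = NETFLOW_V5_HEADER.size + i * NETFLOW_V5_RECORD.size
        (src, dst, _nexthop, _in_if, _out_if, packets, octets, _first, _last,
         sport, dport, _pad1, tcp_flags, proto, _tos, _src_as, _dst_as,
         _src_mask, _dst_mask, _pad2) = NETFLOW_V5_RECORD.unpack_from(packet, offset)
        flows.append({"src": ipaddress.IPv4Address(src), "dst": ipaddress.IPv4Address(dst),
                      "sport": sport, "dport": dport, "proto": proto,
                      "tcp_flags": tcp_flags, "packets": packets, "bytes": octets})
    return flows


def galaxy_view(flows, monitored=MONITORED, metric="bytes", proto=None, dport=None):
    """Aggregate flows into {(subnet octet, host octet): value} for hosts inside
    the monitored /16: subnets go along the top axis of the galaxy view, hosts
    down the vertical axis. metric is "bytes" or "flows"; proto and dport are
    optional filters of the kind used to categorise incidents. A flow between
    two internal hosts is credited to both."""
    if monitored.prefixlen != 16:
        raise ValueError("galaxy view expects a class B (/16) network")
    if metric not in ("bytes", "flows"):
        raise ValueError("metric must be 'bytes' or 'flows'")
    grid = defaultdict(int)
    for f in flows:
        if proto is not None and f["proto"] != proto:
            continue
        if dport is not None and f["dport"] != dport:
            continue
        value = f["bytes"] if metric == "bytes" else 1
        for addr in (f["src"], f["dst"]):
            if addr in monitored:
                octets = addr.packed
                grid[(octets[2], octets[3])] += value
    return dict(grid)


def build_sample_packet(records):
    """Build a v5 export packet from (src, dst, sport, dport, proto, packets, bytes)."""
    header = NETFLOW_V5_HEADER.pack(5, len(records), 1000, 1375000000, 0, 1, 0, 0, 0)
    body = b"".join(
        NETFLOW_V5_RECORD.pack(ipaddress.IPv4Address(src).packed,
                               ipaddress.IPv4Address(dst).packed, b"\0" * 4,
                               1, 2, packets, octets, 0, 100, sport, dport,
                               0, 0x18, proto, 0, 0, 0, 24, 24, 0)
        for src, dst, sport, dport, proto, packets, octets in records)
    return header + body


# Constructed traffic: a web session, an internal SMB flow and an inbound SSH flow.
SAMPLE_PACKET = build_sample_packet([
    ("10.20.1.5", "198.51.100.7", 44321, 80, 6, 10, 1500),
    ("198.51.100.7", "10.20.1.5", 80, 44321, 6, 12, 9000),
    ("10.20.1.5", "10.20.3.9", 51000, 445, 6, 4, 600),
    ("203.0.113.4", "10.20.3.9", 60000, 22, 6, 30, 2400),
])

if __name__ == "__main__":
    flows = parse_netflow_v5(SAMPLE_PACKET)
    print("bytes per (subnet, host):", galaxy_view(flows))
    print("SSH flows only:", galaxy_view(flows, metric="flows", dport=22))
```

The grid keyed by (third octet, fourth octet) is exactly the two axes of the galaxy view; a real collector would keep one such grid per time window and re-draw it, and would also rate-limit and source-filter the UDP socket, since a forged export packet can paint any picture it likes on the analyst's screen.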
VisFlowConnect [14] looks like an improvement on NVisionIP. It visualizes, by animation, the network traffic between an internal network and the Internet (in both directions) as well as traffic contained entirely within the internal network. With its filtering capability, which shows only traffic with certain attributes, VisFlowConnect is a powerful tool for visualizing network traffic flows using points, lines, colors, shapes, and animation, and it allows analysts to focus on signatures of abnormal flow behavior.
Another article presenting VisFlowConnect [15] adds some improvements to enhance the ability of an administrator to detect and investigate anomalous traffic between a local network and external domains. It displays NetFlow records as links between two machines or domains in a parallel-axes view, with an animation mechanism to display the temporal aspects of the data.
In 2005, VisFlowConnect-IP [16] was presented as a tool for visualizing IP network traffic flows with a focus on the real-time connectivity between different IP hosts. It visualizes network traffic both between an internal network and the Internet and strictly within an internal network. Besides monitoring the overall traffic, VisFlowConnect-IP is also capable of monitoring traffic on specific ports.
Figure 2 General System Architecture of VisFlowConnect-IP
All the previous works can be considered as visualizations of IP network traffic flows. In their article [17], published in 2006, Lai Jibao et al. instead provide a conceptual model of network security situation awareness consisting of three levels, which from bottom to top are network security situation perception, situation evaluation, and situation prediction. Their model of network security situation evaluation uses simple additive weighting and is built from the threat degree of the various attacked services, while the model for predicting the future network security situation adopts grey theory and is built from the past and current network security situation. The starting point of this research is evaluating attacks on the services provided by the network.
Figure 3 The conceptual model of network security situation awareness [17]
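As an added example of the prediction level, not code from [17] or from this paper: a GM(1,1) grey model fitted to a short series of situation values and used to forecast the next evaluation periods. [17] says only that it adopts grey theory; that the model is GM(1,1) (the standard first-order, single-variable grey model), the admissibility check, and the constructed series of five situation values are all assumptions of this example.

```python
"""Added example (not from [17] or this paper): GM(1,1) grey-model forecasting
of a network security situation time series, the prediction step that sits on
top of the situation evaluation level."""
import math

# Constructed situation values for five consecutive evaluation periods, assumed
# normalised to [0, 1] (higher = worse). Not measured data.
SITUATION_HISTORY = [0.20, 0.22, 0.242, 0.2662, 0.29282]


def class_ratio_ok(x0):
    """GM(1,1) admissibility check: every ratio x0[k-1]/x0[k] must lie inside
    (exp(-2/(n+1)), exp(2/(n+1))); otherwise the series should be transformed
    (e.g. shifted) before fitting. Also rejects non-positive or too-short data."""
    n = len(x0)
    if n < 4 or any(v <= 0 for v in x0):
        return False
    lo, hi = math.exp(-2 / (n + 1)), math.exp(2 / (n + 1))
    return all(lo < x0[k - 1] / x0[k] < hi for k in range(1, n))


def gm11_fit(x0):
    """Least-squares estimate of the development coefficient a and grey input b
    in the grey differential equation x0[k] + a*z1[k] = b, where x1 is the
    accumulated (1-AGO) series and z1 its consecutive-mean sequence."""
    n = len(x0)
    x1 = [sum(x0[:k + 1]) for k in range(n)]
    z1 = [0.5 * (x1[k] + x1[k - 1]) for k in range(1, n)]
    y = x0[1:]
    m = n - 1
    sz, sz2 = sum(z1), sum(z * z for z in z1)
    sy, szy = sum(y), sum(z * v for z, v in zip(z1, y))
    # Closed-form solution of (B^T B) [a, b]^T = B^T Y with rows B = [-z1[k], 1].
    det = sz2 * m - sz * sz
    if det == 0:
        raise ValueError("degenerate series, cannot fit GM(1,1)")
    a = (sz * sy - m * szy) / det
    b = (sz2 * sy - sz * szy) / det
    return a, b


def gm11_forecast(x0, steps):
    """Forecast the next `steps` values. The time response of the accumulated
    series is x1_hat(k) = (x0[0] - b/a) * exp(-a (k-1)) + b/a, and the forecast
    of the original series is the difference of consecutive x1_hat values."""
    a, b = gm11_fit(x0)
    if a == 0:
        raise ValueError("a = 0: the series has no grey exponential trend")
    n = len(x0)

    def x1_hat(k):  # k is 1-based
        return (x0[0] - b / a) * math.exp(-a * (k - 1)) + b / a

    return [x1_hat(k + 1) - x1_hat(k) for k in range(n, n + steps)]


if __name__ == "__main__":
    print("class ratio admissible:", class_ratio_ok(SITUATION_HISTORY))
    print("a, b =", gm11_fit(SITUATION_HISTORY))
    print("next two periods:", gm11_forecast(SITUATION_HISTORY, 2))
```

A negative a means the situation is trending worse. The model extrapolates a single exponential trend, so it is only as good as the most recent few periods: it will not anticipate a new attack campaign, which is why the papers pair it with continuous re-evaluation rather than using it as a long-range forecast.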
Another approach uses a Honeynet dataset and adopts statistical analysis to find the vulnerabilities of the services that the hosts provide to the network system. According to the network topology, the host layout and the relations among services, [18] presents a novel time-divided and hierarchical approach to obtaining the current network security situation. The evaluation of the security situation depends first on classifying services by importance as high-level, medium-level and low-level services, and on grading the damage degree of attacks on five levels: Ultra-High, High, Medium, Low, and None. A hierarchical structure of situational awareness is used, starting from each host in the network; the situational awareness of the total system is obtained by combining the values calculated for the different hosts.
A novel NSSA model based on multi-sensor data fusion and multi-class support vector machines is presented in [19], [20] and [21]. It adopts Snort and NetFlow as the two sensors for gathering data from network traffic, and employs multi-class support vector machines as the fusion engine of the model, in combination with an efficient feature-reduction approach, to fuse the data gathered from the heterogeneous sensors. Multiple sources provide more integrated and robust data for analysis, from which a more accurate result can be obtained. The authors discuss the alert aggregation algorithm and the techniques for generating the security situation. The model was shown to be feasible and effective through a series of experiments.
Figure 4 The NSSA model [20]
In [22], Yong, Z. et al. adopt a multi-perspective analysis, using the description of security attacks, vulnerabilities and security services to evaluate the current network security situation. The situation prediction model adopts time series analysis: it uses the past and current situation map to forecast the future network security situation. The data collection module includes malware detection, IDS, firewall, vulnerability scanning, penetration testing, online testing, and security service detection. From the security situation of each host, they adopt an additive weight method to compute the security situation of the entire network (N hosts). Situation prediction is based on probability and statistics and on time series analysis.
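As an added example of the evaluation level shared by [17], [18] and [22], not code from any of them or from this paper: a hierarchical simple additive weighting that grades services by importance and attacks by damage degree (the ordinal levels of [18]), computes each host's situation as the importance-weighted mean of the damage its services suffered, and then the network situation as the host-weighted mean over the N hosts (as in [22]). The papers define the levels, not the numbers; the numeric weights, the host weights and the inventory are assumptions of this example.

```python
"""Added example (not code from [17], [18] or [22]): hierarchical simple
additive weighting of the network security situation, service -> host -> network.
The numeric weights and the inventory are assumptions for this example."""

# Assumed numeric weights; the papers define the ordinal levels, not the numbers.
SERVICE_IMPORTANCE = {"high": 1.0, "medium": 0.6, "low": 0.3}
DAMAGE_DEGREE = {"Ultra-High": 1.0, "High": 0.8, "Medium": 0.5, "Low": 0.2, "None": 0.0}

# Constructed inventory: host -> host weight and services -> (importance, damage
# degrees of the attacks seen against that service in the current period).
NETWORK = {
    "web-01": {"weight": 1.0, "services": {"http": ("high", ["High", "Low"]),
                                            "ssh": ("medium", ["Medium"])}},
    "ws-17": {"weight": 0.3, "services": {"smb": ("low", ["Low"])}},
}


def service_damage(damages):
    """Worst damage degree observed for one service in the period (0 if none).
    Unknown labels are an error, not silently zero: a typo in the grading
    would otherwise make an attacked service look clean."""
    try:
        return max((DAMAGE_DEGREE[d] for d in damages), default=0.0)
    except KeyError as e:
        raise ValueError(f"unknown damage degree {e}") from None


def host_situation(host):
    """Importance-weighted mean of service damage, in [0, 1]."""
    services = host["services"]
    if not services:
        return 0.0
    num = den = 0.0
    for importance, damages in services.values():
        if importance not in SERVICE_IMPORTANCE:
            raise ValueError(f"unknown service importance {importance!r}")
        w = SERVICE_IMPORTANCE[importance]
        num += w * service_damage(damages)
        den += w
    return num / den


def network_situation(network):
    """Host-weighted mean of host situations over the N hosts, in [0, 1]."""
    num = sum(h["weight"] * host_situation(h) for h in network.values())
    den = sum(h["weight"] for h in network.values())
    return num / den if den else 0.0


def evaluate(network):
    """Per-host breakdown plus the overall value, for the analyst's view."""
    return {"hosts": {name: host_situation(h) for name, h in network.items()},
            "network": network_situation(network)}


if __name__ == "__main__":
    print(evaluate(NETWORK))
```

Using the worst observed damage per service (rather than a sum) keeps the value in [0, 1] and stops a flood of low-severity scan alerts from outranking a single successful root compromise; the per-period values this produces are the series a prediction model such as the grey model forecasts from.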
Figure 5 The framework of NSSA[22]
In [23], Juan, W., et al. adopted alert analysis and threat evaluation in network situation awareness, where the NSA system gets alerts from the IDSs deployed in the network (Snort, RealSecure). The NSA just wants to know where and when an attack is taking place and how serious it is. The main idea of correlation in their work is that a successful attack usually has several steps. The attacker may first use scanning tools to gather information about the target network. After finding a weakness in the network, the attacker focuses on certain devices and starts certain attack steps. These attack steps are related, so their corresponding alerts are also related. They correlate the related alerts into an attack scenario based on time and space relations. By this definition, two alerts ai and aj, if they are related, usually have one of the following time and space relations:
1. Srcip(ai) = Srcip(aj), Dstip(ai) = Dstip(aj), Time(ai) < Time(aj).
2. Dstip(ai) = Srcip(aj), Time(ai) < Time(aj).
They give different threat levels to different Snort alert classes:
Alert class        Severity level
Root-attempted     high
Attempted-dos      medium
Network-scan       low
Devices also have different importance. For example, servers are usually more important than individual hosts, because individual hosts only store personal information and an intrusion of them can only hurt individuals. An Alert Device Evaluation Matrix (ADEM) for n alerts and m devices is an n x m matrix in which each element contains an evaluation value for a device suffering from an attack.
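As an added example, not code from [23] or from this paper: the two time/space relations applied to a constructed stream of IDS alerts to chain them into attack scenarios, the severity-by-class and device-importance grading, and the n x m ADEM built from them. The alerts, the device inventory, the numeric severity and importance values, and the time window that bounds how far apart two related alerts may be are all assumptions of this example; [23] states the relations and the ordinal levels only.

```python
"""Added example (not code from [23]): time/space correlation of IDS alerts into
attack scenarios, severity by alert class, device importance, and the Alert
Device Evaluation Matrix (ADEM). Alerts, devices, numeric values and the time
window are constructed for this example."""

# Severity by alert class as in [23]; the numeric values are assumed.
# (Snort's own classtype name for a root/administrator attempt is attempted-admin.)
SEVERITY = {"root-attempted": 3, "attempted-dos": 2, "network-scan": 1}

# Constructed device inventory: IP -> importance (servers above workstations).
DEVICES = {"10.0.0.5": 3, "10.0.0.20": 3, "10.0.0.7": 1}

# Constructed alerts, already in time order (time = seconds).
SAMPLE_ALERTS = [
    {"id": "A1", "time": 100, "src": "203.0.113.9", "dst": "10.0.0.5", "cls": "network-scan"},
    {"id": "A2", "time": 160, "src": "203.0.113.9", "dst": "10.0.0.5", "cls": "root-attempted"},
    {"id": "A3", "time": 220, "src": "10.0.0.5", "dst": "10.0.0.20", "cls": "root-attempted"},
    {"id": "A4", "time": 230, "src": "198.51.100.2", "dst": "10.0.0.7", "cls": "attempted-dos"},
    {"id": "A5", "time": 300, "src": "198.51.100.2", "dst": "10.0.0.7", "cls": "attempted-dos"},
]


def related(ai, aj, window):
    """The two relations of [23]: (1) same source and destination, (2) the
    destination of the earlier alert is the source of the later one (a
    compromised host attacking onward). Both require Time(ai) < Time(aj);
    the window is an added bound so that a day-long alert stream is not
    chained into one scenario."""
    if not (ai["time"] < aj["time"] <= ai["time"] + window):
        return False
    same_pair = ai["src"] == aj["src"] and ai["dst"] == aj["dst"]
    pivot = ai["dst"] == aj["src"]
    return same_pair or pivot


def correlate(alerts, window=3600):
    """Group alerts into scenarios: each alert joins the first existing scenario
    holding an alert it is related to, else starts a new one. Greedy, so two
    scenarios later linked by a bridging alert are not merged; adequate for
    the 'where, when, how serious' view the NSA wants."""
    scenarios = []
    for a in sorted(alerts, key=lambda x: x["time"]):
        for sc in scenarios:
            if any(related(p, a, window) for p in sc):
                sc.append(a)
                break
        else:
            scenarios.append([a])
    return scenarios


def scenario_summary(scenario):
    """Where, when and how serious: targets, time span and peak severity."""
    return {"targets": sorted({a["dst"] for a in scenario}),
            "start": scenario[0]["time"], "end": scenario[-1]["time"],
            "severity": max(SEVERITY[a["cls"]] for a in scenario)}


def alert_device_matrix(alerts, devices):
    """ADEM: n alerts x m devices; entry = severity x importance when the alert
    targets that device, else 0. Alerts on unknown devices give a zero row."""
    ips = list(devices)
    return [[SEVERITY[a["cls"]] * devices[ip] if a["dst"] == ip else 0 for ip in ips]
            for a in alerts]


def device_threat(alerts, devices):
    """Column sums of the ADEM: accumulated threat per device."""
    matrix = alert_device_matrix(alerts, devices)
    return {ip: sum(row[j] for row in matrix) for j, ip in enumerate(devices)}


if __name__ == "__main__":
    for sc in correlate(SAMPLE_ALERTS):
        print([a["id"] for a in sc], scenario_summary(sc))
    print(device_threat(SAMPLE_ALERTS, DEVICES))
```

In the sample stream the scan of the web server, the root attempt against it and the subsequent root attempt from the web server against the database server chain into one scenario through relation (2), which is the lateral-movement case a per-alert view misses; the two DoS attempts on the workstation form a second, lower-valued scenario because both its severity and the device importance are low.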
Towards Situational Awareness of Large-Scale Botnet Probing Events [24], published in 2011, investigated ways to analyze collections of malicious probing traffic in order to understand the significance of large-scale "botnet probes". In such events, an entire collection of remote hosts together probes the address space monitored by a sensor in some sort of coordinated fashion. The analysis draws upon extensive Honeynet data to explore the prevalence of different types of scanning, including properties such as trend, uniformity, coordination, and darknet avoidance. The authors developed techniques for recognizing botnet scanning strategies and inferring the global properties of botnet events. The approach holds promise for contributing to a site's "situational awareness", including the crucial question of whether a large probing event detected by the site simply reflects broader, indiscriminate activity or instead reflects an attacker who has explicitly targeted the site.
The article in [25], "Situation awareness for networked systems", presents the concepts of forming situational information templates and hierarchies based on the data available from a distributed monitoring system, where the temporal and spatial properties of situational information are taken into account. A case study shows the feasibility of the concepts in a real-world monitoring scenario.
4. Conclusion
From the articles reviewed above we can summarize the needs and the technique-related issues (problems) for applying situational awareness in network security as follows:
- Three levels of situation awareness:
  - Perception: IDS alerts, firewall logs, NetFlow, Honeynet [26], ...
  - Comprehension: the techniques used to analyze, correlate and aggregate the pieces of perceived data. Visualization and data fusion are parts of this stage.
  - Projection: making future predictions.
- Classification:
  threats [23], resources, services, alerts, sensors, vulnerabilities, ...
- Data reduction: selecting the useful parts of the collected data.
- Data fusion (which theoretical model will be used?):
  - multi-class support vector machines
  - additive weights
- Prediction and estimation (which prediction model will be used, and what is the meaning of the achieved results?):
  - time series analysis
  - probability and statistics
  - artificial neural networks
  - fuzzy mathematics
  - grey theory [27, 28]
- Scope: protect what? Is there a critical area that should be protected? A LAN, or cyberspace as a whole?
References
1. O'Kane, P., S. Sezer, and K. McLaughlin, Obfuscation: The Hidden Malware. IEEE Security & Privacy, 2011. 9(5): p. 41-47.
2. Bass, T., Multisensor data fusion for next
generation distributed intrusion detection systems.
1999.
3. Bass, T., Intrusion Detection Systems and
Multisensor Data Fusion: Creating Cyberspace
Situational Awareness. Communications of the
ACM, 1999. 43(4): p. 99-105.
4. United States Department of Homeland Security, Team Coordination Training, Student Guide.
5. Bearavolu, R., et al. A visualization tool for
situational awareness of tactical and strategic
security events on large and complex computer
networks. 2003. IEEE.
6. Onwubiko, C. Functional requirements of
situational awareness in computer network security.
in Intelligence and Security Informatics, 2009. ISI
'09. IEEE International Conference on. 2009.
7. ENDSLEY, M. Design and evaluation for situation
awareness enhancement. 1988.
8. Endsley, M.R., Toward a theory of situation
awareness in dynamic systems. Human Factors:
The Journal of the Human Factors and Ergonomics
Society, 1995. 37(1): p. 32-64.
9. Endsley, M.R. Designing for situation awareness in
complex systems. 2001.
10. D'Amico, A. and M. Kocka. Information assurance
visualizations for specific stages of situational
awareness and intended uses: lessons learned. in
Visualization for Computer Security, 2005.(VizSEC
05). IEEE Workshop on. 2005. IEEE.
11. Bass, T., Cyberspace situational awareness demands mimic traditional command requirements. SIGNAL, 2000. 54(6): p. 83-84.
12. McGuinness, B. and L. Foy. A subjective measure
of SA: the Crew Awareness Rating Scale (CARS). in
Proc. of Human Performance, Situation Awareness
and Automation: User-Centered Design for the
New Millenium. 2000.
13. Lakkaraju, K., W. Yurcik, and A.J. Lee, NVisionIP:
netflow visualizations of system state for security
situational awareness, in Proceedings of the 2004
ACM workshop on Visualization and data mining
for computer security. 2004, ACM: Washington DC,
USA. p. 65-72.
14. Xiaoxin, Y., et al. VisFlowConnect: providing
security situational awareness by visualizing
network traffic flows. in Performance, Computing,
and Communications, 2004 IEEE International
Conference on. 2004.
15. Yin, X., et al., VisFlowConnect: netflow
visualizations of link relationships for security
situational awareness, in Proceedings of the 2004
ACM workshop on Visualization and data mining
for computer security. 2004, ACM: Washington DC,
USA. p. 26-34.
16. Xiaoxin, Y., W. Yurcik, and A. Slagell. The design
of VisFlowConnect-IP: a link analysis system for IP
security situational awareness. in Information
Assurance, 2005. Proceedings. Third IEEE
International Workshop on. 2005.
17. Lai, J., H. Wang, and L. Zhu. Study of Network
Security Situation Awareness Model Based on
Simple Additive Weight and Grey Theory. in
Computational Intelligence and Security, 2006
International Conference on. 2006.
18. Wei, H., L. Jianhua, and S. Jianjun. A Novel
Approach to Cyberspace Security Situation Based
on the Vulnerabilities Analysis. in Intelligent
Control and Automation, 2006. WCICA 2006. The
Sixth World Congress on. 2006.
19. Xiaowu, L., et al. Network security situation
awareness model based on heterogeneous multi-
sensor data fusion. in Computer and information
sciences, 2007. iscis 2007. 22nd international
symposium on. 2007.
20. Xiaowu, L., et al. Multiclass Support Vector Machines Theory and Its Data Fusion Application in Network Security Situation Awareness. in Wireless Communications, Networking and Mobile Computing, 2007. WiCom 2007. International Conference on. 2007.
21. Liu, X., J. Yu, and M. Wang. Network Security
Situation Generation and Evaluation Based on
Heterogeneous Sensor Fusion. in Wireless
Communications, Networking and Mobile
Computing, 2009. WiCom '09. 5th International
Conference on. 2009.
22. Yong, Z., T. Xiaobin, and X. Hongsheng. A Novel
Approach to Network Security Situation Awareness
Based on Multi-Perspective Analysis. in
Computational Intelligence and Security, 2007
International Conference on. 2007.
23. Juan, W., et al. Alert analysis and threat evaluation
in Network Situation Awareness. in
Communications, Circuits and Systems (ICCCAS),
2010 International Conference on. 2010.
24. Li, Z., et al., Towards Situational Awareness of Large-Scale Botnet Probing Events. IEEE Transactions on Information Forensics and Security, 2011. 6(1).
25. Preden, J., et al. Situation awareness for networked
systems. in Cognitive Methods in Situation
Awareness and Decision Support (CogSIMA), 2011
IEEE First International Multi-Disciplinary
Conference on. 2011.
26. Barford, P., et al., Employing Honeynets for Network Situational Awareness, in Cyber Situational Awareness, S. Jajodia, et al., Editors. 2010, Springer US. p. 71-102.
27. Jiaquan, S., et al. Study of Index Weight in Network
Threat Evaluation Based on Improved Grey Theory.
in Computational Intelligence and Industrial
Application, 2008. PACIIA '08. Pacific-Asia
Workshop on. 2008.
28. Rongzhen, F. and Z. Mingkuai, Network Security
Awareness and Tracking Method by GT. Journal of
Computational Information Systems, 2013. 9(3): p.
1043-1050.
... Because all security elements in the process of situation assessment are uncertain [26], the BP neural network can find potential laws through adaptive learning via continuous training of massive data and it has certain assessment ability. Generally speaking, the three-layer BP neural network can solve the problem of arbitrary precision approximation of any mapping relationship, and the training time is not too long [27]. ...
Article
Full-text available
Although a software defined network (SDN) realizes the flexible configuration and centralized control of network resources, there are potential security risks and challenges. Network security situation awareness (NSSA) technology associates and integrates multi-source heterogeneous information to analyze the impact of the information on the whole network, and network security situation assessment can grasp the network security situation information in real time. However, the existing situation assessment methods have low assessment accuracy, and most of the studies focus on traditional networks, while there are few situation assessment studies in the SDN environment. In this paper, by summarizing the important index parameters of SDN, a network security situation assessment model based on the improved back propagation (BP) neural network (based on the cuckoo search algorithm) is proposed, and the step factor of the cuckoo search algorithm (CS) was improved to improve the search accuracy. The model maps the situation elements to the layers of the neural network, and optimizes the weights and thresholds of the BP neural network through the cuckoo search algorithm to obtain the global optimal solution; it finally realizes the purpose of situation assessment and the comprehensive rating of the SDN environment. In this paper, the evaluation model was verified on the network set up in Mininet. The experimental results show that the situation assessment curve of this model is closer to the real situation value, and the accuracy rate is 97.61%, with good situation assessment results.
... They relied on homomorphic Paillier encryption, Chinese remainder theorem and one-way hash chain techniques to ensure efficient data gathering and to achieve a reduction in the false rate. Jakalan et al. [28] designed a model called network security situation awareness (NSSA), where the focus was on assessing security situation-related elements and information originating from a multi-source heterogeneous networks. The authors considered four IoT security-related variables, such as context, attack, vulnerability, and network flow, which were then processed using the ontological concept to obtain the best security solution. ...
Article
Full-text available
In this paper a novel multi-factor authentication protocol for IoT applications, relying on enhanced Rabinassisted elliptic curve cryptography, biometric features and time stamping methods, is developed. Furthermore, a fuzzy verification algorithm has been developed to perform receiverlevel user verification, making computation efficient in terms of computational overhead as well as latency. An NS2 simulation-based performance assessment has revealed that the multifactor authentication and key management models we have proposed are capable of not only avoiding security breaches, such as smart card loss (SCLA) and impersonation attacks, but can also ensure the provision of maximum possible QoS levels by offering higher packet delivery and minimum latency rates.
... He foresaw that next generation cyberspace intrusion detection systems would fuse data from heterogeneous distributed network sensors to create cyberspace situational awareness. In my paper [21] (published in August 2013) I have summarized the state of the art in the field of situational awareness and its application in network security. I have mentioned the different efforts done by scientists to apply the concept of Situational Awareness (SA) in network security. ...
Thesis
Full-text available
Internet is a network that consists of millions of networks of local to global scope. It carries an extensive range of information resources and services. The systems and networks that operate in cyberspace have vulnerabilities that present significant risks to both individual organizations and national security. Internet threats is one of the most serious economic and security challenges facing nations. Security researchers proposed different strategies for reducing the impact of Internet threats and improving the resilience to cyber-attacks. A key factor is the accurate and timely detection of attacks. The role of the defenders consists of complex cognitive tasks. Many kinds and different names of security, monitoring, and analysis tools have been used to detect the network penetration and analyze the network performance, such as Antivirus, firewalls, log audit tools, Host-based and Network-based Intrusion Detection Systems IDS, Low and High interaction based honeypots, general purpose and special purpose honeypots, network flow analysis tools, etc. With all of these different sources of security tools, it is becoming more and more difficult for network security engineers to be aware of the huge amount of data produced by these different tools, at the same time it has been proved that depending on one kind of these tools is not enough to protect the networks from being exploited, and to detect previously known threats in addition to zero day exploits. Network security situation awareness NSSA provides a high level security view based upon the continuous monitoring and security alert events. It is the ability to effectively determine an overall computer network status based on relationships between security events in multiple dimensions. This dissertation proposes a contribution to provide background information about the networks environment to setup IP information database to support NSSA. 
This kind of IP information will be useful in predicting the future network security situation. We tackled the problem of IP host profiling and clustering, aiming at identifying dominant and persistent host behaviors in order to set up host profiles and identify groups with similar behaviors. This enriches the IP characteristics database so that other research at the SA perception and comprehension levels can build on it. IP profiling is done based on the traffic patterns of the most significant active observed IP addresses; we present an algorithm to extract the most significant IP nodes to be analyzed instead of analyzing the complete list of millions of IP nodes that exist in the trace (data reduction). We discuss the features, or host communication patterns, to be used in host characterization to set up profiles. Fifteen traffic patterns related to IP address traffic are extracted or calculated to be used later as features for machine learning clustering. We analyze IP node traffic behavior over relatively long trace periods, which helped to extract a more stable host behavior. While previous studies focus only on host behavior over relatively short periods, we extract host behavior patterns over a period of one hour, which requires big data analysis to provide results in a reasonable time. IP relationships are studied based on the social relationships of the managed domain's network hosts with the outside IP network. The key idea of this methodology is to split the entire IP address space into internal (inside the managed domain) and external (outside) addresses. The clustering strategy is to group inside IP addresses that communicate with common outside IP addresses; the similarity measure of two inside IP addresses is the number of unique common outside IP addresses.
We propose a novel approach with an approximation algorithm to discover communities on a large scale in the managed domain, based on bipartite networks, one-mode projection and graph partitioning of the similarity graph. Bipartite networks were built using NetFlow datasets collected from a boundary router in an actual environment, and then a one-mode projection was applied to build a social relationship similarity graph of the inside IP addresses. A new community detection algorithm is used to detect communities of similar behavior. We experimentally validate our approach in terms of IP networking by applying deep flow inspection (DFI) and deep packet inspection (DPI) to the related traffic to prove that hosts in the same cluster tend to share some dominant network behavior. We demonstrated the practical benefits of exploring the social behavior similarity of IP hosts for understanding application usage and user behavior, and for detecting malicious users and users of prohibited applications.
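The inside/outside split, the bipartite graph built from NetFlow records, the one-mode projection weighted by the number of common outside peers, and the partitioning of the resulting similarity graph can be followed end to end in the Python example below. It is an added illustration, not code from the thesis described above: the record layout, the 10.0.0.0/24 managed prefix, the sample flows and the `min_common` threshold are constructed assumptions; the data-reduction step keeps the top-N inside hosts by flow count; and since the thesis's own community-detection algorithm is not given on this page, a threshold-and-connected-components partition of the projection stands in for it.

```python
from collections import Counter, defaultdict
from ipaddress import ip_address, ip_network
from itertools import combinations

MANAGED = ip_network("10.0.0.0/24")  # assumed managed-domain (inside) prefix

# Constructed NetFlow-like records: src_ip,dst_ip,dst_port,packets
SAMPLE_FLOWS = """\
10.0.0.11,198.51.100.5,443,40
10.0.0.11,198.51.100.6,443,22
10.0.0.11,203.0.113.25,25,9
10.0.0.12,198.51.100.5,443,35
10.0.0.12,198.51.100.6,443,18
10.0.0.12,203.0.113.25,25,11
10.0.0.13,198.51.100.5,443,51
10.0.0.13,198.51.100.6,443,27
10.0.0.13,203.0.113.25,25,6
10.0.0.21,192.0.2.40,51413,300
10.0.0.21,192.0.2.41,51413,280
10.0.0.21,192.0.2.42,6881,150
10.0.0.22,192.0.2.40,51413,310
10.0.0.22,192.0.2.41,51413,295
10.0.0.22,192.0.2.42,6881,170
192.0.2.41,10.0.0.22,51413,120
10.0.0.30,198.51.100.5,443,4
10.0.0.30,198.51.100.7,80,3
10.0.0.11,10.0.0.12,445,5
10.0.0.99,198.51.100.9,80,1
"""

def parse_flows(text):
    """Return (src, dst, dst_port, packets) tuples from the constructed format."""
    flows = []
    for line in text.splitlines():
        if line.strip():
            src, dst, port, pkts = line.split(",")
            flows.append((src, dst, int(port), int(pkts)))
    return flows

def significant_inside_hosts(flows, top_n):
    """Data reduction: keep only the top_n inside hosts by number of flows sent."""
    counts = Counter(src for src, _, _, _ in flows if ip_address(src) in MANAGED)
    return {host for host, _ in counts.most_common(top_n)}

def bipartite_edges(flows, inside_hosts):
    """Inside host -> set of outside peers (either direction); inside-to-inside is skipped."""
    peers = defaultdict(set)
    for src, dst, _, _ in flows:
        src_in, dst_in = ip_address(src) in MANAGED, ip_address(dst) in MANAGED
        if src_in and not dst_in and src in inside_hosts:
            peers[src].add(dst)
        elif dst_in and not src_in and dst in inside_hosts:
            peers[dst].add(src)
    return peers

def one_mode_projection(peers):
    """Similarity of two inside hosts = number of distinct outside peers they share."""
    sim = {}
    for a, b in combinations(sorted(peers), 2):
        common = len(peers[a] & peers[b])
        if common:
            sim[(a, b)] = common
    return sim

def communities(peers, sim, min_common):
    """Drop edges below min_common, return connected components (largest first)."""
    adj = defaultdict(set)
    for (a, b), w in sim.items():
        if w >= min_common:
            adj[a].add(b)
            adj[b].add(a)
    seen, found = set(), []
    for host in sorted(peers):
        if host in seen:
            continue
        comp, stack = set(), [host]
        while stack:
            h = stack.pop()
            if h not in comp:
                comp.add(h)
                stack.extend(adj[h] - comp)
        seen |= comp
        found.append(frozenset(comp))
    return sorted(found, key=lambda c: (-len(c), min(c)))

def cluster_hosts(text, top_n=6, min_common=2):
    """Full pipeline: reduce, build the bipartite graph, project, partition."""
    flows = parse_flows(text)
    peers = bipartite_edges(flows, significant_inside_hosts(flows, top_n))
    return communities(peers, one_mode_projection(peers), min_common)

if __name__ == "__main__":
    for group in cluster_hosts(SAMPLE_FLOWS):
        print(sorted(group))
```

On the constructed flows the three web/mail users share all three outside peers and form one community, the two high-port hosts form a second, and 10.0.0.30 shares only one peer with the first group, so it falls below the threshold and stays alone; 10.0.0.99 never enters the graph because the data-reduction step drops it. The threshold is what separates "incidentally shares a popular server" from "same behaviour", and in practice it is tuned on the weight distribution of the projection rather than fixed.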
... Introduce membership functions for the five similarity types into the matrix (1) in Section 4 to get the membership function matrix, and then get the fuzzy similarity matrix via merging and the vector distance calculation of formula (2). According to the maximum membership degree principle, assume that $v_k = \max\{v_1, v_2, v_3, \ldots, v_k\}$ $(1 \le k \le n)$. Compare current events with those in the historical event template one by one. ...
Article
Developing computer technologies and a network of persistently growing size put massive numbers of hosts and transmission devices in a vast network at increasingly higher risk. Log information from various devices can facilitate the detection of intrusions and attacks. Log information from a single data source has limitations, however. The analysis results cannot precisely reflect the current network situation if log information from a single data source is analyzed without correlation with log information from different data sources. To better demonstrate the network situation, this paper proposes an improved event scenario correlation method for multi-source log analysis, based on a review of numerous existing data fusion methods and event correlation methods and on integrating the conventional event scenario correlation (ESC) method with fuzzy reasoning. Experimental results prove that the proposed method significantly reduces the false positive rate (FP rate) and false negative rate (FN rate) of security logs.
Article
Full-text available
Situation awareness (SA) issues necessitate a comprehension of present activities, the ability to forecast what will happen next, and strategies to assess the threat or impact of current Internet activities and projections. These SA procedures are universal and domain-independent and can be used to detect cyber intrusions. This study introduces cyber situation awareness (CSA), its origin, conception, aim, and characteristics, based on an analysis of functional shortages and development requirements. Furthermore, we discussed the CSA research framework and examined the research history, which is the essential aspect, and assessed the present issues of the research as well. The assessment approaches were divided into three methods: mathematical models, knowledge reasoning, and pattern recognition. The study then goes into detail regarding the core idea, assessment procedure, strengths, and weaknesses of novel approaches, and then addresses CSA from three perspectives: model, knowledge representation, and assessment methods. Many common approaches are contrasted, and current CSA application research in the realms of security, transmission, survivability, and system evaluation is discussed. Finally, this study summarized the present findings from technical and application systems, outlined CSA's future development directions, and provided adversary activities and information that can be used to improve an organization's SA operations.
Book
Full-text available
Functional Pavements is a collection of papers presented at the 6th Chinese-European Workshop (CEW) on Functional Pavement Design (Nanjing, China, October 18-21, 2020). The focus of the CEW series is on field tests, laboratory test methods and advanced analysis techniques, and cover analysis, material development and production, experimental characterization, design and construction of pavements. The main areas covered by the book include: - Asphalt binders for flexible pavements - Asphalt mixture evaluation and performance - Pavement construction and maintenance - Pavement Surface Properties and Vehicle Interaction - Cementitious materials for rigid pavements - Pavement geotechnics and environment Functional Pavements aims at contributing to the establishment of a new generation of pavement design methodologies in which rational mechanics principles, advanced constitutive models and advanced material characterization techniques shall constitute the backbone of the design process. The book will be much of interest to professionals, academics and practitioners in pavement engineering and related disciplines as it should assist them in providing improved road pavement infrastructure to their stakeholders.
Conference Paper
Network security technologies used by organizations to secure their computational systems are often deficient in providing a holistic view of the environment. Based on this, our paper presents an architectural model based on a situational awareness approach for securing computational systems in distributed environments. The architecture is called EXEHDA-ISSA and is inspired by SIEM systems. It is composed of three modular software components called Collector, SmartLogger, and Manager. These components are interconnected following a multi-level hierarchical model and provide features such as event collection, hybrid event processing and a hybrid approach to contextual data storage. To evaluate this proposal, four case studies were developed to validate the holistic view of security events as well as the model's characteristics such as flexibility, autonomy, scalability and support for heterogeneity. Finally, the strengths and limitations of our approach are discussed, followed by future work.
Conference Paper
Full-text available
We present a visualization design to enhance the ability of an administrator to detect and investigate anomalous traffic between a local network and external domains. Central to the design is a parallel axes view which displays NetFlow records as links between two machines or domains while employing a variety of visual cues to assist the user. We describe several filtering options that can be employed to hide uninteresting or innocuous traffic such that the user can focus his or her attention on the more unusual network flows. This design is implemented in the form of VisFlowConnect, a prototype application which we used to study the effectiveness of our visualization approach. Using VisFlowConnect, we were able to discover a variety of interesting network traffic patterns. Some of these were harmless, normal behavior, but some were malicious attacks against machines on the network.
Conference Paper
Full-text available
The number of attacks against large computer systems is currently growing at a rapid pace. Despite the best efforts of security analysts, large organizations are having trouble keeping on top of the current state of their networks. In this paper, we describe a tool called NVisionIP that is designed to increase the security analyst's situational awareness. As humans are inherently visual beings, NVisionIP uses a graphical representation of a class-B network to allow analysts to quickly visualize the current state of their network. We present an overview of NVisionIP along with a discussion of various types of security-related scenarios that it can be used to detect.
Conference Paper
Full-text available
Visualization of IP-based traffic dynamics on networks is a challenging task due to large data volume and the complex, temporal relationships between hosts. We present the architecture of VisFlowConnect-IP, a powerful new tool to visualize IP network traffic flow dynamics for security situational awareness. VisFlowConnect-IP allows an operator to visually assess the connectivity of large and complex networks on a single screen. It provides an overall view of the entire network and filter/drill-down features that allow operators to request more detailed information. Preliminary reports from several organizations using this tool report increased responsiveness to security events as well as new insights into understanding the security dynamics of their networks. In this paper we focus specifically on the design decisions made during the VisFlowConnect development process so that others may learn from our experience. The current VisFlowConnect architecture - the result of these design decisions - is extensible to processing other high-volume multi-dimensional data streams where link connectivity/activity is a focus of study. We report experimental results quantifying the scalability of the underlying algorithms for representing link analysis given continuous high-volume traffic flows as input.
Conference Paper
Network security situation awareness is a new technology for monitoring network security, and it is one of the hot research domains in information security. The state of situation awareness research around the world is analyzed first. A network security situation awareness model (NSAM) based on simple additive weighting and grey theory is presented. The construction of NSAM is divided into two stages: modeling the evaluation of the current network security situation and modeling the prediction of the future network security situation. The current-situation evaluation model, using simple additive weighting, is established from the threat degree of the various services attacked. The future-situation prediction model, adopting grey theory, is built from the past and current network security situation. Test results show that NSAM is feasible and reasonable.
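To make the two-stage structure of this model concrete, here is an added Python example (not the paper's code): stage one scores the current situation by simple additive weighting over per-service threat degrees, and stage two fits a grey model to the past situation values and forecasts the next one. The service names, weights, 0 to 10 threat scale and the sample series are constructed. The abstract says only "grey theory", so the standard GM(1,1) model (accumulated series, background values, least-squares fit of the development coefficient a and grey input b, time-response forecast) is assumed here; the paper's exact formulation is not on this page.

```python
import math

# Constructed inputs: per-service threat degrees on an assumed 0-10 scale and
# weights expressing how much each service matters to the managed domain.
SERVICE_WEIGHTS = {"web": 0.5, "mail": 0.2, "dns": 0.3}
CURRENT_THREATS = {"web": 6.0, "mail": 2.0, "dns": 4.0}
# Constructed past situation values, one per evaluation period.
PAST_SITUATION = [2.0, 2.4, 2.88, 3.456, 4.1472]

def saw_situation(threat_degrees, weights):
    """Stage 1: simple additive weighting, sum(w_i * t_i) with weights normalised to 1."""
    if set(threat_degrees) != set(weights):
        raise ValueError("each service needs both a threat degree and a weight")
    total = sum(weights.values())
    if total <= 0:
        raise ValueError("weights must sum to a positive value")
    return sum(weights[s] * threat_degrees[s] for s in weights) / total

def gm11_fit(x0):
    """Stage 2a: least-squares fit of GM(1,1), x0(k) + a*z1(k) = b. Returns (a, b)."""
    n = len(x0)
    if n < 4 or min(x0) <= 0:
        raise ValueError("GM(1,1) needs at least four positive observations")
    x1 = [sum(x0[: k + 1]) for k in range(n)]               # accumulated series
    z1 = [0.5 * (x1[k] + x1[k - 1]) for k in range(1, n)]   # background values, k = 2..n
    y = x0[1:]
    m = n - 1
    s_z, s_zz = sum(z1), sum(z * z for z in z1)
    s_y, s_zy = sum(y), sum(z * v for z, v in zip(z1, y))
    # closed-form solution of the 2x2 normal equations (B^T B)[a b]^T = B^T Y,
    # where each row of B is [-z1(k), 1] and Y = x0(k)
    det = m * s_zz - s_z * s_z
    if abs(det) < 1e-12:
        raise ValueError("degenerate series, cannot fit GM(1,1)")
    a = (s_z * s_y - m * s_zy) / det
    b = (s_zz * s_y - s_z * s_zy) / det
    return a, b

def gm11_forecast(x0, steps=1):
    """Stage 2b: forecast the next `steps` situation values from the fitted model."""
    a, b = gm11_fit(x0)
    n = len(x0)
    if abs(a) < 1e-12:           # flat series: the model degenerates to a constant
        return [x0[-1]] * steps

    def x1_hat(k):               # time response: x1_hat(k) = (x0(1) - b/a) e^{-a(k-1)} + b/a
        return (x0[0] - b / a) * math.exp(-a * (k - 1)) + b / a

    # restore the original series by differencing the accumulated forecast
    return [x1_hat(k + 1) - x1_hat(k) for k in range(n, n + steps)]

if __name__ == "__main__":
    now = saw_situation(CURRENT_THREATS, SERVICE_WEIGHTS)
    a, b = gm11_fit(PAST_SITUATION)
    print(f"current situation value (SAW): {now:.3f}")
    print(f"GM(1,1) development coefficient a={a:.4f}, grey input b={b:.4f}")
    print("next-period forecast:", round(gm11_forecast(PAST_SITUATION + [now])[0], 3))
```

The sample series grows by a factor of 1.2 per period, which the fit recovers exactly as a = -2/11 and b = 20/11; the forecast for the next period comes out a little under the true continuation (about 4.95 against 4.98) because GM(1,1) replaces the discrete ratio with an exponential. A negative a means a worsening situation, a positive one a decaying threat, and the usual rule of thumb is that the model is only trusted when |a| is small (commonly |a| < 2); a flat history returns a constant rather than dividing by zero.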
Conference Paper
The underpinning of situational awareness in computer networks is to identify adversaries, estimate the impact of attacks, evaluate risks, understand situations and make sound decisions on how to protect valued assets swiftly and accurately. SA also underscores situation assessment in order to make accurate forecasts in dynamic and complex environments. In this paper, situational awareness in computer network security is investigated. Functional attributes of situational awareness in computer network security are discussed: dynamism and complexity, automation, real-time processing, multi-source data fusion, heterogeneity, security visualisation, decision control, risk assessment, resolution, forecasting and prediction.
Article
Botnets dominate today's attack landscape. In this work, we investigate ways to analyze collections of malicious probing traffic in order to understand the significance of large-scale "botnet probes." In such events, an entire collection of remote hosts together probes the address space monitored by a sensor in some sort of coordinated fashion. Our goal is to develop methodologies by which sites receiving such probes can infer, using purely local observation, information about the probing activity: What scanning strategies does the probing employ? Is this an attack that specifically targets the site, or is the site only incidentally probed as part of a larger, indiscriminate attack? Our analysis draws upon extensive honeynet data to explore the prevalence of different types of scanning, including properties such as trend, uniformity, coordination, and darknet avoidance. In addition, we design schemes to extrapolate the global properties of scanning events (e.g., total population and target scope) as inferred from the limited local view of a honeynet. Cross-validating with data from DShield shows that our inferences exhibit promising accuracy.