CN102148820A - System and method for estimating network security situation based on index logarithm analysis - Google Patents

Abstract

The invention discloses a system and method for estimating network security situation based on index logarithm analysis. The system is characterized by comprising a data acquisition sub-system, a network security situation understanding sub-system, a network security situation estimation sub-system and a security reinforcement scheme sub-system. The method comprises the following steps: A, carrying out statistical data fusion and correlation analysis on data of a network system in the aspects of asset, threat and vulnerability so as to obtain standardized data, wherein the data is acquired by a transducer; and B, carrying out the network security situation estimation on the fused standardized data in the step A based on the index logarithm analysis. The confidentiality, the integrity and the availability of the network security situation are estimated in the aspects of the asset, the threat and the vulnerability, and the estimation result is output. The system and method provided by the invention can be applied to the situation estimation and risk estimation. According to the system and method provided by the invention, the linear increment of the security situation can be avoided with the increment of network size, thus not only highlighting influences on security incidents with high hazard and significant assets, but also considering influences on security incidents with low hazard and nonsignificant assets, thereby complying with practical situations.

Description

A kind of based on the network safety situation evaluating system and the method that refer to logit analysis

Technical field

The invention belongs to field of information security technology, be specifically related to based on the network safety situation evaluating system and the method that refer to logit analysis.

Background technology

(Situation Awareness is exactly under regular hour and steric requirements SA), to the perception of environmental factor, understanding and to the prediction of its future development trend in the situation perception.

The network safety situation perception is in large-scale network environment, development in future trend is obtained, understands, assesses and predicted to the lot of essential factors that influences network security, being a kind of means to the internet security quantitative analysis, is the meticulous tolerance to internet security.

The situation assessment is the core of situation perception, is the qualitative, quantitative of network security situation is described.The network safety situation assessment is the basis and the key component of whole network safety situation perception.

The risk assessment foundation is safe practice and administrative standard for information about, to information system and estimating by the security attributes such as confidentiality, integrality and availability of its processing, transmission and canned data, it is a kind of quantitative description method to security of system, provides the safe condition of system with the form of safe class." (information security risk evaluation standard (GB/T20984-2007) " in, introduced a kind of method of using the matrix method calculation risk.Risk elements is generally assets, threat, fragility.Matrix method mainly is applicable to the situation of being determined a key element value by two key element values.

Can use for reference the network safety situation assessment based on the methods of risk assessment of GB/T 20984-2007, but matrix method only is used in the situation of being determined a key element value by two key element values, computational process is not directly perceived, and can not calculate well by single assets, threat, the fragility situation to a plurality of assets, threat, fragility.

Summary of the invention

The objective of the invention is to above-mentioned irrationality at prior art, propose a kind of based on the network safety situation evaluating system and the method that refer to logit analysis, both given prominence to and endangered the big security incident and the influence of critical asset, considered to endanger the influence of little security incident and not too important assets again, make it more to tally with the actual situation, to avoid along with the linear increase of the increase security postures value of network size.

Of the present invention based on the network safety situation evaluating system and the method that refer to logit analysis, it is characterized in that: comprise that data acquisition subsystem, network security postures understand subsystem, network safety situation evaluation subsystem; Data acquisition subsystem, pass through multisensor, comprise vulnerability scanning equipment, assets investigation apparatus, network topology scanning device, intruding detection system, antivirus protection software and hardware, fire compartment wall etc., catch assets, the threat of network system, the data of fragility aspect; Network safety situation is understood subsystem, the foundation data dictionary relevant in database at first with assets, threat and fragility, the initial data that the data acquisition subsystem is collected is carried out statistical analysis then, remove repetition, error items, revise nonconformance, then data after the statistical analysis and data dictionary are carried out association analysis, assets, threat and the fragility data of the form that obtains standardizing; Mainly be used in the network safety situation evaluation subsystem based on the network security situation evaluating method that refers to logit analysis, understand the data that subsystem provides according to network safety situation, assess in the face of network safety situation from confidentiality, integrality and availability are tripartite in the face of network safety situation from assets, threat and fragility are tripartite, export assessment result; According to network confidentiality security postures value, integrality security postures value, availability security postures value network safety situation is carried out total evaluation then, the output assessment result.

The present invention is based on the network safety situation evaluating system and the method that refer to logit analysis and can not only use in the middle of the network safety situation assessment, equally also can apply in the middle of the risk assessment.It is similar that computational methods and situation are assessed.

Because the present invention has taked to get earlier index, weighting computational methods of taking the logarithm again, compare with the computational methods of prior art, can calculate the situation of determining a key element value by two and two above key element values, and the situation that can calculate a plurality of assets, threat, fragility by single assets, threat, fragility, both given prominence to and endangered the big security incident and the influence of critical asset, considered to endanger the influence of little security incident and not too important assets again, and computational process directly perceived, understand easily.

In the network safety situation evaluation subsystem, adopt based on the network security situation evaluating method that refers to logit analysis:

Because the infringement of the high one-level security incident of the integral body of two inferior grade security incidents infringement neither one is big, endanger big security incident and occur in the influence that important assets cause, occur on the unessential assets big more than the little security incident of harm, but little security incident and the assets of these influences impact the security postures of whole network system again, therefore when calculating entire effect by the individuality influence, can not adopt simple addition, need to adopt the computational methods shown in the formula (1) based on finger logit analysis, wherein, B is meant the truth of a matter of logit analysis, and k ∈ Φ represents to get the individuality that toilet has.

$R_{\mathrm{total}}={\log }_B{\mathrm{\Σ}}_{k\∈\mathrm{\Φ}}{B}^{R_k}---\left(1\right)$

With k constantly, by the confidentiality situation component of single threat, the confidentiality situation component of assessing whole network is an example, the computing formula that is adopted shown in (2), t ∈ Φ wherein _TExpression is to the confidentiality security postures analysis-by-synthesis of all concentrated threats of threat data, and is similar with it to the analysis of integrality and availability situation component.

$R^C\left(s\left(k\right)\right)={\log }_B{\mathrm{\Σ}}_{t\∈{\mathrm{\Φ}}_T}{B}^{R_{\mathrm{tk}}\left(C\right)}---\left(2\right)$

Key based on the network security situation evaluating method that refers to logit analysis is the selection of truth of a matter B, is evaluated as example with the confidentiality security postures below, and truth of a matter selection problem is described.

Assignment to the extent of injury of the assignment of assets confidentiality, the assignment that threatens probability of happening and fragility among the GBT20984 can be found, all be to be divided into five grades, and can be similar to the increase of thinking along with progression, corresponding harm and the probability that takes place all are that index increases, therefore the progression value is B=5 when concrete the application, and finds that in actual applications assessment result meets the actual conditions of network security.

Security postures is the safe condition of goal systems, and the final purpose of situation assessment is that aid decision person makes a strategic decision, therefore can not be too complicated, need a fairly simple expression intuitively.When the security postures of the whole network of assessment, need treat with a certain discrimination at the network of different application background, different application backgrounds is to the confidentiality of network, requiring of integrality and availability is different, such as for government bodies, confidentiality is most important, concerning Banking sector, integrality is vital, then is concerned about most availability such as the show business of VOD.When the security postures of the whole network of assessment, based on security postures component assessment result to confidentiality, integrality and availability, adopt weighted model to obtain the security postures component of whole network,, assess the system safety situation under the different application demand according to different weighting parameters.Concrete computational methods as shown in Equation (3), wherein, ω _C, ω _I, ω _ABe confidentiality, the weight of integrality and availability can be specified according to application background.

R(s(k))＝R ^C(s(k))·ω _C+R ^I(s(k))·ω _I+R ^A(s(k))·ω _A (3)

Description of drawings

Fig. 1 is a network safety situation evaluating system schematic diagram of the present invention.

Embodiment

Embodiment 1:

Fig. 1 has provided network security situation sensing system of the present invention, and this system comprises that data acquisition subsystem, network safety situation understand subsystem, network safety situation evaluation subsystem, security hardening scheme subsystem.

Wherein, data acquisition subsystem, by multisensor, comprise vulnerability scanning equipment, assets investigation apparatus, network topology scanning device, intruding detection system, antivirus protection software and hardware, fire compartment wall etc., catch assets, the threat of network system, the data of fragility aspect.

Network safety situation is understood subsystem, the foundation data dictionary relevant in database at first with assets, threat and fragility, the initial data that the data acquisition subsystem is collected is carried out statistical analysis then, remove repetition, error items, revise nonconformance, then data after the statistical analysis and data dictionary are carried out association analysis, assets, threat and the fragility data of the form that obtains standardizing.

Mainly be used in the network safety situation evaluation subsystem based on the network security situation evaluating method that refers to logit analysis, understand the data that subsystem provides according to network safety situation, assess in the face of network safety situation from confidentiality, integrality and availability are tripartite in the face of network safety situation from assets, threat and fragility are tripartite, export assessment result; According to network confidentiality security postures value, integrality security postures value, availability security postures value network safety situation is carried out total evaluation then, the output assessment result.

Security hardening scheme subsystem according to the security postures of network system and user's demand, provides different Scheme of Strengthening, satisfies the needs of user to network system security.This subsystem with network current safety situation value and predefined security postures threshold ratio then according to comparative result, to the part of security postures value greater than threshold value, generates corresponding Scheme of Strengthening.

The inventive method can not only be used in the middle of the network safety situation assessment, also can apply in the middle of the risk assessment.

In the methods of the invention, why select to refer to that the reason that logarithm calculates is as follows:

According to the wooden barrel principle, the big security incident of those harm occurs in the influence that important assets cause, occur on the unessential assets big more than the little security incident of harm, but little security incident and the assets of these influences impact the confidentiality security postures of whole network system again, the mode that all adopt first weighting to take the logarithm again, both given prominence to and endangered the big security incident and the influence of critical asset, considered to endanger the influence of little security incident and not too important assets again.

According to national standard " information security risk evaluation standard (GB/T 20984-2007) ", as shown in table 1, for fragility, value is 1 to 5, totally 5 values, if there are two fragility on the assets, value is respectively 2 and 3, then should be simply and value be not 5 threat equivalence, by analyzing, we find that the difference between the rank can be described with an exponential relationship and (further discover, truth of a matter selection 5 is more rational), if adopt exponential manner to calculate, be 2 and 3 two fragility then for value, result of calculation is 5 ²+ 5 ³=150, the value of being far smaller than is 5 of 5 a fragility ⁵=3125.But there is a problem in such computational methods, are exactly that the result is difficult to understand, and therefore it are taken the logarithm again, find that by test such result has suitable reasonability.Correlation computations for assets, threat also can adopt similar approach.

The probability assignment table that table 1 fragility is utilized

Illustrate below based on the network security situation evaluating method that refers to logit analysis:

Having two network A, B to prepare assessment, is 5 assets if network A has a confidentiality security postures value, and two assets are arranged in the network B, and its confidentiality situation value is respectively 3,4.If the expert of consulting secure context can not think that network A is just necessarily than network B safety.

To have proposed a kind of analytical method in order addressing this problem, can to have given affirmative answer based on the index logarithm.Such as, can calculate the validity situation value of whole network system by following method, be designated as

$S_{\mathrm{Asset}}^A={\log }_b\left(\underset{\underset{\underset{a\∈\mathrm{asset}}{v\∈\mathrm{vu}\ln \mathrm{erability}}}{t\∈\mathrm{threat}}}{\mathrm{\Σ}}(b^{{A^T}_t}\×v^{{A^V}_v}\×v^{{A^A}_a})\right)---\left(1\right)$

$S_{\mathrm{total}}^A={\log }_b\left(\underset{i\∈\mathrm{asset}}{\mathrm{\Σ}}{b}^{S_i^A}\right)---\left(2\right)$

Wherein:

It is the validity situation value of single assets.

A ^T _tIt is the validity situation value that threatens t;

A ^V _vIt is the validity situation value of fragile v;

A ^A _aIt is the validity situation value of assets a;

B is the truth of a matter.

Illustrate: the single assets of mentioning here, specifically be meant and calculate a threat, assets, the security postures that fragility associates, promptly threaten and utilize the situation of fragility the hurtful complete procedure of assets, so, the validity situation value of single assets just refers to the situation value of an association.

In formula (1), calculated the validity situation value of single assets.Here, only be concerned about validity, integrality and three attributes of availability.In formula (1), only be concerned about validity.In the formula (1), the situation exponential quantity of threat, fragility and assets is multiplied each other, take the logarithm, just obtained the validity situation value of assets now then all multiplied result additions, and to summation.

In formula (2), calculated the validity situation value of all assets in the whole network.Be to obtain as can be seen by taking the logarithm after the validity situation value addition with all single assets.Now, obtained the validity situation value of whole network to be assessed.

Usually establishing the truth of a matter is 2.Confidentiality situation value and integrality situation value also can calculate by the inventive method.

The advantage of the algorithm that adopts in order to introduce among the present invention to do relatively individual with previous general method now.

Two network B and C are arranged.2 assets are arranged in the network B, and its validity situation value is respectively 5 and 3; Network C has three assets, and its validity situation value is respectively 4,3,3.

If with the method for general simple addition, the validity situation value of calculating is as follows:

$S_B^A=5+3=8---\left(3\right)$

$S_C^A=3+3+4=10---\left(4\right)$

From the result of calculation of (3), (4), network B is more safer than network C, but it seems that the expert might not be such.

Now, calculate validity situation value with the inventive method, as follows:

$S_B^{,}={\log }_2(2^5+2^3)=5.32---\left(5\right)$

$S_C^{,}={\log }_2(2^3+2^3+2^4)=5---\left(6\right)$

From the result of calculation of (5), (6), network B is more safer than network C, and this result more corresponds to reality.So the inventive method is better than former method.

As everyone knows, network is very complicated, and is constantly changing.See following Example.

3 assets are arranged among the network D, and its validity situation value is respectively 4,3,3.If wherein there are assets to go wrong, must leave this network, so just only be left 2 assets, the validity situation value of remaining assets is 4,3.Now, respectively the validity situation value of the network D before changing is calculated validity situation value with change network D ' afterwards with former method and new method.

Method with general simple addition can obtain:

$S_D^A=3+4+3=10---\left(7\right)$

$S_{D^{\′}}^A=3+4=7---\left(8\right)$

${\mathrm{\λ}}_1=\frac{S_D^A-S_{D^{\′}}^A}{S_D^A}=\frac{10-7}{10}\×100\%=30\%---\left(9\right)$

Use index logit analysis method, can obtain:

$S_D^A={\log }_2(2^3+2^4+2^3)=5---\left(10\right)$

$S_{D^{\′}}^A={\log }_2(2^3+2^4)=4.58---\left(11\right)$

${\mathrm{\λ}}_2=\frac{S_D^A-S_{D^{\′}}^A}{S_D^A}=\frac{5-4.58}{5}\×100\%=8.4\%---\left(12\right)$

In formula (9) and formula (12), λ ₁And λ ₂Variable quantity before and after expression changes.Can see λ ₂Compare λ ₁Little a lot, so the inventive method is more suitable for dynamic network.

This only is a simple example, but a lot of factors of instability are arranged in network world.For example, various wireless networks, its fail safe is very complicated.The seriousness that whether can predict these network environments in advance seems particularly important, whether can obtain more accurately that assessment result is very crucial, and the inventive method can done better aspect the accuracy of assessment.

Each is different to some extent for the emphasis that the user is concerned about, and most of user is to the expert of network security aspect, so they wonder the assessment result of an integral body.

The present invention provides a weight table, has wherein reflected the emphasis that the different users pays close attention to.

Based on this weight table, whole security postures value can calculate by formula (13).

$V_H=\underset{i\∈(C,I,A)}{\mathrm{\Σ}}{\mathrm{\α}}_i\×i---\left(13\right)$

In the formula:

C, I and A: the security postures value of expression confidentiality, integrity, and availability.

α _i: the weights of expression C, I and A.

Claims (5)

1. one kind based on the network safety situation evaluating system and the method that refer to logit analysis, comprises that data acquisition subsystem, network safety situation understand subsystem, network safety situation evaluation subsystem, security hardening scheme subsystem, it is characterized in that:

Data acquisition subsystem, pass through multisensor, comprise vulnerability scanning equipment, assets investigation apparatus, network topology scanning device, intruding detection system, antivirus protection software and hardware, fire compartment wall etc., catch assets, the threat of network system, the data of fragility aspect;

Network safety situation is understood subsystem, the foundation data dictionary relevant in database at first with assets, threat and fragility, the initial data that the data acquisition subsystem is collected is carried out statistical analysis then, remove repetition, error items, revise nonconformance, then data after the statistical analysis and data dictionary are carried out association analysis, assets, threat and the fragility data of the form that obtains standardizing;

The network safety situation evaluation subsystem, employing is based on the network security situation evaluating method that refers to logit analysis, understand the data that subsystem provides according to network safety situation, adopt index method to describe the value of assets, threat, fragility, employing refers to counting method is calculated the security postures value of single assets and the security postures value of whole network, assess in the face of network safety situation from confidentiality, integrality and availability are tripartite in the face of network safety situation from assets, threat and fragility are tripartite, export assessment result; According to network confidentiality security postures value, integrality security postures value, availability security postures value network safety situation is carried out total evaluation then, the output assessment result.

2. according to claim 1 based on the network safety situation evaluating system and the method that refer to logit analysis, it is characterized in that, this network safety situation evaluating system and method further comprise: security hardening scheme subsystem, security postures and Changing Pattern according to network system, different Scheme of Strengthening is provided, and the user who satisfies different demands improves security of network system.

3. realize that claim 1 is described based on the network safety situation evaluating system and the method that refer to logit analysis, may further comprise the steps:

A. to sensor acquisition to assets, threat, the data of fragility aspect of network system carry out statistical analysis and association analysis, obtain the normalized number certificate, then carry out B;

B. the normalized number after steps A being merged carries out the network safety situation assessment according to analyzing, and generates assessment result.

4. in accordance with the method for claim 3, wherein, in the steps A to sensor acquisition to the statistics of data merge and further to comprise with association analysis: the foundation data dictionary relevant in database at first with assets, threat and fragility, the initial data that the data acquisition module is collected is carried out statistical analysis then, remove repetition, error items, revise nonconformance, then data after the statistical analysis and data dictionary are carried out association analysis, assets, threat and the fragility data of the form that obtains standardizing.

5. in accordance with the method for claim 3, wherein, network safety situation assessment among the step B further comprises: adopt index method to describe the value of assets, threat, fragility, employing refers to counting method is calculated the security postures value of single assets and the security postures value of whole network, assess in the face of network safety situation from confidentiality, integrality and availability are tripartite in the face of network safety situation from assets, threat and fragility are tripartite, export assessment result; According to network confidentiality security postures value, integrality security postures value, availability security postures value network safety situation is carried out total evaluation then, the output assessment result.