
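Real-Time Network Threat Identification and Assessment Based on Spatio-Temporal Correlation Analysis
Cite this article: Lü Huiying, Peng Wu, Wang Ruimei, Wang Jie. Real-Time Network Threat Identification and Assessment Based on Spatio-Temporal Correlation Analysis[J]. Journal of Computer Research and Development, 2014, 51(5): 1039-1049.
Authors: Lü Huiying  Peng Wu  Wang Ruimei  Wang Jie
Affiliations: School of Management, Capital Normal University; China Academy of Electronics and Information Technology, China Electronics Technology Group Corporation;
Funding: General Program of the Science and Technology Plan of the Beijing Municipal Education Commission (KM201010028020); Key Project of the National Science and Technology Support Program (2009BADA9B02)
Abstract: Extracting valid threats from a large volume of security alerts and identifying the current state is the prerequisite and key to assessing the real-time threat situation, and it requires correlating and fusing threat events from multiple angles and multiple sources of information. To this end, the spatial complexity and temporal dynamics of the network security confrontation environment are analyzed in depth, and a method for real-time network threat identification and quantitative assessment based on spatio-temporal correlation analysis is proposed. First, the spatio-temporal correlations among threat events are mined on the basis of a threat state transition graph: in the time dimension the threat penetration process is taken into account, and in the space dimension threat state attributes are correlated, which yields the currently valid threats and their real-time state. Then, based on three factors (network entity value, threat severity and threat success), a multi-granularity hierarchical recursive algorithm is proposed. Following a "point, line, plane" approach, it quantitatively assesses security threats at three levels (threat state, threat path and the network as a whole) so as to reflect the threat situation at different granularities. Simulation experiments verify the practicality and effectiveness of the method.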

Keywords: threat  assessment  state transition  correlation analysis  multi-granularity

A Real-time Network Threat Recognition and Assessment Method Based on Association Analysis of Time and Space
Lü Huiying, Peng Wu, Wang Ruimei, Wang Jie. A Real-time Network Threat Recognition and Assessment Method Based on Association Analysis of Time and Space[J]. Journal of Computer Research and Development, 2014, 51(5): 1039-1049.
Authors:Lü Huiying  Peng Wu  Wang Ruimei  Wang Jie
Abstract: Identifying successful threat activities and the current security state is the prerequisite and key to real-time network threat assessment. To do this, all detected threats need to be associated and studied from multiple angles. To address this issue, a real-time network threat identification and quantitative assessment approach is proposed, based on association analysis along the two dimensions of time and space. The approach fully considers the spatial complexity and temporal dynamics of the network attack-defense confrontation environment. First, a threat state transition graph is constructed to simulate the intrusion process and model threat scenarios. Based on this graph, by associating threat spreading paths in the temporal dimension and correlating them with threat state features in the spatial dimension, valid threats can be filtered out and the current threat state can be recognized. Then a multi-granularity hierarchical assessment method is put forward to evaluate network threat. This method takes entity value, threat weight and threat success probability as evaluation indexes in order to quantitatively analyze the threat indexes of a single state, a path and the whole network respectively. The results therefore report the real-time network risk situation at different levels. Finally, a simulation experiment verifies the effectiveness and advantage of the approach, which can reveal the threat situation more thoroughly and provide valuable guidance for intrusion response decision-making and dynamic adjustment of defense strategy.
Keywords:threat  assessment  state transition  association analysis  multi-granularity
This article is indexed in CNKI and other databases.