1 Introduction

With the development of the power Internet, its network structure, scale, data, and applications have become increasingly complex and diverse. The network boundary is gradually blurring, and the security problems of the power Internet have become increasingly prominent. Applying zero-trust security protection to the power mobile interconnection business can effectively build “endogenous security” capabilities and safeguard the operation of the power mobile business. Continuous security monitoring of mobile networks is the cornerstone of a zero-trust security protection framework: the user terminal equipment environment and the user’s access behavior are monitored continuously, and the monitored changes in environmental data can also drive dynamic authority control. In zero-trust security protection, deciding on and handling potential security risks through situation assessment is the key to meeting mobile security monitoring requirements. Therefore, network security situation assessment can provide strong support for mobile network security.

Security situation assessment [1] refers to collecting, filtering, and correlating the security incidents generated by network security equipment, building a suitable mathematical model on a constructed set of security indexes, and evaluating the overall degree of security threat to the network system. At present, there are many research results on network security situation assessment methods at home and abroad. As shown in Fig. 1, according to their theoretical and technical basis, these methods can be divided into three categories: those based on mathematical models, those based on probability and knowledge reasoning, and those based on pattern classification.

Fig. 1. Network security situation assessment method.

The methods based on mathematical models are represented by the analytic hierarchy process [2], set pair analysis [3], the fuzzy comprehensive evaluation method [4], and the multi-attribute utility function method [5]. They comprehensively consider the factors that affect network security situation awareness, establish the correspondence between the security index set and the security situation, and thereby reduce the situation assessment problem to a multi-index comprehensive evaluation or multi-attribute decision problem. Their disadvantage is that the evaluation model and the definition of its variables involve many subjective factors and lack objective unity.

The methods based on probability and knowledge reasoning are represented by fuzzy reasoning [6], Bayesian networks [7], Markov processes [8], and DS evidence theory [9]. They build models from expert knowledge and experience databases and use logical reasoning to evaluate the security situation. Building a model with these methods first requires prior knowledge. From the point of view of practical application, the means of acquiring that knowledge are still limited, relying mainly on machine learning or an expert knowledge base. Machine learning is difficult to operate, while an expert knowledge base depends mainly on accumulated experience.

The methods based on pattern classification are represented by cluster analysis [10], rough sets [11], grey correlation analysis [12], neural networks [13], and support vector machines [14]. A model is established by training, and the network security situation is then evaluated according to the classification made by the model. The advantage of these methods is their strong learning ability, which makes the established model more accurate.

The traditional network situation assessment method usually relies on an information collection module to gather the required situation awareness information and, after data preprocessing, store the results in a unified database. Centrally and uniformly sending the situational information perceived by each security device to the central database may leak data during transmission. At the same time, concurrent uploads from multiple devices also place an excessive load on the network. In addition, for situation assessment in distributed systems, there is a lack of effective and feasible schemes for fusing single-point situation values into a multi-point situation value.

Based on this, this paper proposes a double AHP analysis method based on a distributed architecture to evaluate the security situation of the system. The first level of analysis calculates the situation value directly inside the node; instead of uploading the perception results to a central database, it relies on the consistency principle of the distributed system to synchronize the node’s situation weight vector to the other nodes, so the data leakage caused by transmitting situational awareness information directly is avoided. In the second level of analysis, the single-node equipment is used as the analysis factor, a hierarchical analysis model is constructed again, and, combined with the situation weight vectors, the situation assessment result of the distributed system composed of multiple nodes is calculated comprehensively. This network security situation assessment model based on double AHP provides a concrete and feasible scheme for moving a distributed system from single-point situation assessment to multi-point integrated situation assessment.

The rest of the paper is arranged as follows. In Sect. 2, the construction of the situation indicator system is introduced. Section 3 introduces the double AHP evaluation model and its improvements. Section 4 gives an example analysis of the model. Section 5 summarizes the full text.

2 Construction of the Situation Indicator System

2.1 Build a Hierarchical Network Security Situation Indicator System

A group of scholars represented by Wang Juan and Zhang Fengli [15] of the University of Electronic Science and Technology of China has established a relatively complete set of network security situation indicators with a clear hierarchy, comprehensive coverage, and strong reference value. By comparing the various factors that influence the situation, this set of indexes can cover different levels of the network, different data sources, and different users. This article uses it as a blueprint to construct a network security situation indicator system.

Basic operating status indexes: The basic operating status index is a value calculated by collecting system operating data in a certain time window and evaluating it quantitatively. This value reflects the current operating status of the network system; generally speaking, the larger the value, the worse the operating status of the network system. For this part, the basic operating status is selected as the first-level index, and specific indexes such as the CPU usage rate, memory usage rate, and hard disk space usage rate of the security equipment serve as the basic operating status indexes, as shown in Table 1.

Table 1. Description of related fields of basic operating status indexes.

Equipment vulnerability status indexes: The equipment vulnerability status index is obtained by quantifying the number of vulnerabilities and other information, analysing them comprehensively, and calculating a vulnerability index, which measures the degree of loss that may be caused to the system when the network faces an attack [16]. Generally speaking, the larger the value, the more vulnerable the network and the greater the possibility of loss.

Table 2. Description of fields related to device vulnerability status.

We choose the vulnerability events reported by the vulnerability scanning system as the primary indexes to obtain the hierarchical equipment vulnerability status indicators, as shown in Table 2.

Risk event indexes: Risk event indexes are mainly used to collect the various security events caused by cyber-attacks within a certain time, assess the frequency and degree of harm of these incidents comprehensively and quantitatively, and then calculate a numerical value indicating the degree of harm suffered by the network system. The larger the value, the deeper the degree of this hazard.

Therefore, we combine the types of network security incidents and extract various security incidents such as virus attacks, botnets, Trojan horse attacks, and denial of service as the basic indicators of the risk event indicator system, as shown in Table 3.

Table 3. Description of fields related to risk events.
Table 4. Description of fields related to threat event indicators.

Threat event indexes: Threat event indicators are calculated by collecting the security events caused by user violations or equipment operation over a period of time and assessing these events quantitatively [17].

We can use cyber threat event indicators as the first-level indicators and use various alarm events caused by user operations or abnormal system operation as the second-level indicators to build a threat event indicator system hierarchically, as shown in Table 4.

3 Double AHP Evaluation Model

The AHP [18] was first proposed by Professor T. L. Saaty at the International Conference on Mathematical Modeling. In this method, the decision-making problem is decomposed into its constituent factors, and the factors are ranked according to their relative importance in order to complete the decision on the target problem [19].

3.1 The First Level of Analysis

The first analytic hierarchy process obtains the situation assessment result information of the current node through the calculation of the internal perception information of the single node device, and the steps are as follows:

Establish a Hierarchical Structure Model of Equipment Nodes.

From top to bottom, the target layer A, the criterion layer B, the index layer C, and the plan layer D are constructed progressively. The target layer expresses the purpose of decision-making, that is, the security situation of the current node equipment; it consists of a single element that dominates the criterion-layer factors \({B}_{1}\), \({B}_{2}\), \({B}_{3}\), \({B}_{4}\). The criterion layer considers the various factors that can affect the current decision, namely four factors: basic operating status \({B}_{1}\), equipment vulnerability status \({B}_{2}\), risk events \({B}_{3}\), and threat events \({B}_{4}\). The index layer consists of quantitative indexes obtained by refining the decision-making factors of the criterion layer, each dominated by its corresponding criterion-layer factor. The factors of the plan layer represent the results of the assessment of the node situation, namely good \({D}_{1}\), warning \({D}_{2}\), and critical \({D}_{3}\), as shown in Fig. 2.

Fig. 2. Node equipment network security situation system.

Construct a Judgment Matrix.

Starting from the criterion layer of the hierarchical model, for the elements of the same layer that belong to each factor of the layer above, the judgment matrix is constructed by the pairwise comparison method, and this is repeated down to the lowest layer. The pairwise comparison method forms a relative importance evaluation by comparing, in pairs, the factors of the current layer that are dominated by the same factor of the layer above. The Saaty 1–9 scale [20] is used to rate the relative importance of each factor, as detailed in Table 5.

Table 5. Saaty 1–9 scaling method.

According to the assignment method shown in Table 5, we can determine the value of each element of the matrix and thereby construct the judgment matrix \(A={({a}_{ij})}_{n\times n}\), which satisfies the following properties:

$$ a_{ij} \begin{cases} = 1 & i = j \\ = \dfrac{1}{a_{ji}} & i, j > 0 \\ > 0 & i, j > 0 \end{cases} $$
(1)

Calculate the Eigenvector.

After constructing the judgment matrix by the pairwise comparison method, the normalized weights of the indicators must be obtained, that is, the eigenvector \(W\) is derived from the judgment matrix to express the relative importance of the elements of one layer with respect to the element above them. First, normalize the elements of matrix A by column with the following formula to obtain the column-normalized matrix \(Q={({p}_{ij})}_{m\times n}\):

$$ p_{ij} = \frac{a_{ij}}{\sum_{k=1}^{m} a_{kj}} $$
(2)

Sum the elements of Q by rows to obtain \(\overline{W}={({\alpha }_{1},{\alpha }_{2},\dots ,{\alpha }_{m})}^{T}\). Then use

$$ w_i = \frac{\alpha_i}{\sum_{k=1}^{m} \alpha_k} $$
(3)

to calculate the eigenvector \(W={({w}_{1},{w}_{2},\dots ,{w}_{m})}^{T}\).

Consistency Inspection.

According to the formula:

$$ CI = \frac{\lambda_{\max} - m}{m - 1} $$
(4)

calculate the consistency index, where \(\lambda_{\max}\) is the largest eigenvalue of the judgment matrix and \(m\) is its order. According to the formula:

$$ CR = \frac{CI}{RI} $$
(5)

calculate the consistency ratio \(CR\), where the average random consistency index \(RI\) [21] is given in Table 6 below.

Table 6. Average random consistency index

When \(CR<0.1\), the consistency of the judgment matrix is acceptable and the eigenvector obtained is the desired one; otherwise, the judgment matrix must be adjusted until \(CR<0.1\).

3.2 The Second Level of Analysis

The situation assessment result information (the situation assessment weight vector of the equipment node) obtained by the first-level analytic hierarchy process is sent to the other nodes in the network according to the consistency principle of the distributed system.

The received situation assessment results of the other nodes are then used together with the security situation assessment result of the node itself to perform the second-level analysis, which calculates the network security situation of the entire distributed system. The steps are as follows:

Fig. 3. System security situation classification.

Establish a Hierarchical Model of the Situational Awareness System.

From top to bottom, the target layer E, the criterion layer F, and the scheme layer G are constructed progressively. The target layer expresses the purpose of decision-making, that is, the current security situation of the system; it consists of a single element that dominates the criterion-layer factors \({F}_{1}\), \({F}_{2}\), \({F}_{3}\). The factors of the criterion layer are the various sensing entities in the current sensing system, including mobile devices, host devices, server devices, and so on. The scheme layer represents the evaluation results of the system, namely good \({G}_{1}\), warning \({G}_{2}\), and critical \({G}_{3}\), as shown in Fig. 3.

Sorting of Calculation Levels.

First, calculate the single-level ranking of all scheme-layer factors \({G}_{1}\), \({G}_{2}\), \({G}_{3}\) with respect to each criterion-layer factor \({F}_{i}\), \({W}_{{F}_{i}G}={({w}_{{F}_{i}{G}_{1}},{w}_{{F}_{i}{G}_{2}},{w}_{{F}_{i}{G}_{3}})}^{T}\), where

$$ W_{F_i G} = W^i = \left( {w_1^i ,w_2^i ,w_3^i } \right)^T $$
(6)

\({W}^{i}\) represents the weight vector of the situation assessment of the i-th device node.

Constructing the Criterion-Level Judgment Matrix.

According to the different importance of the equipment assets, the pairwise comparison method is again used to construct the judgment matrix of criterion layer F, and its eigenvector \({W}_{F}={({w}_{{F}_{1}},{w}_{{F}_{2}},\dots ,{w}_{{F}_{n}})}^{T}\) is calculated.

Total Ranking of Calculation Levels.

Calculate the total ranking of the scheme layer G, \({W}_{G}={({w}_{{G}_{1}},{w}_{{G}_{2}},{w}_{{G}_{3}})}^{T}\), where

$$ w_{G_j} = \sum_{i=1}^{n} w_{F_i}\, w_{F_i G_j} $$
(7)

\({w}_{{G}_{j}}\) indicates the weight value of the j-th evaluation result, j = 1, 2, 3.

Consistency Inspection.

According to the formula

$$ CR = \frac{\sum_{i=1}^{3} w_{F_i} \times CI_i}{\sum_{i=1}^{3} w_{F_i} \times RI_i} $$
(8)

calculate the consistency ratio of the total ranking of the hierarchy, where \({CI}_{i}\) and \({RI}_{i}\) are the consistency index and the average random consistency index of the judgment matrix of criterion-layer device i.

When \(CR<0.1\), the total ranking passes the consistency check; otherwise, the judgment matrices with poor consistency must be adjusted until \(CR<0.1\).

The factor with the highest weight in the total ranking of the hierarchy is the result of the security situation assessment of the system under evaluation.
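As an added example (not code from the paper), the following Python carries the arithmetic of Sects. 3.1 and 3.2 through: eqs. (2)–(5) for one judgment matrix, then eqs. (7)–(8) for the second level. The judgment matrices, the per-node CI values and the RI row are constructed assumptions; the three node weight vectors are the ones the paper reports in Sect. 4.

```python
# Added example, not the paper's code: the double-AHP arithmetic of Sect. 3.
# The judgment matrices, the per-node CI values and the RI row are constructed;
# the three node vectors W^{F_p}_D are those reported in Sect. 4 of the paper.
from typing import List, Tuple

Matrix = List[List[float]]

# Saaty's average random index RI by matrix order (standard values; assumed to
# match the paper's Table 6, whose contents are not reproduced on the page).
RI = {1: 0.0, 2: 0.0, 3: 0.58, 4: 0.90, 5: 1.12, 6: 1.24, 7: 1.32, 8: 1.41, 9: 1.45}


def check_judgment_matrix(a: Matrix) -> None:
    """Enforce property (1): unit diagonal, positive entries, a_ij = 1 / a_ji."""
    m = len(a)
    for i in range(m):
        if len(a[i]) != m or a[i][i] != 1:
            raise ValueError("judgment matrix must be square with a unit diagonal")
        for j in range(m):
            if a[i][j] <= 0 or abs(a[i][j] * a[j][i] - 1.0) > 1e-9:
                raise ValueError(f"a[{i}][{j}] breaks positivity or reciprocity")


def eigenvector(a: Matrix) -> List[float]:
    """Eqs. (2)-(3): normalise each column, sum Q by rows, normalise the sums."""
    check_judgment_matrix(a)
    m = len(a)
    col_sum = [sum(a[k][j] for k in range(m)) for j in range(m)]
    alpha = [sum(a[i][j] / col_sum[j] for j in range(m)) for i in range(m)]
    total = sum(alpha)
    return [x / total for x in alpha]


def consistency(a: Matrix, w: List[float]) -> Tuple[float, float, float]:
    """Eqs. (4)-(5). lambda_max is estimated as the mean of (A w)_i / w_i, the
    usual AHP estimate; the paper does not say how it obtains lambda_max."""
    m = len(a)
    aw = [sum(a[i][j] * w[j] for j in range(m)) for i in range(m)]
    lam = sum(aw[i] / w[i] for i in range(m)) / m
    ci = (lam - m) / (m - 1) if m > 1 else 0.0
    cr = ci / RI[m] if RI[m] > 0 else 0.0  # orders 1 and 2 are always consistent
    return lam, ci, cr


def first_level(a: Matrix) -> Tuple[List[float], bool]:
    """Weight vector of one judgment matrix and whether CR < 0.1 accepts it."""
    w = eigenvector(a)
    _, _, cr = consistency(a, w)
    return w, cr < 0.1


def total_ranking(w_f: List[float], node_vectors: List[List[float]]) -> List[float]:
    """Eq. (7): w_Gj = sum_i w_Fi * w_FiGj over the n device nodes."""
    return [sum(w_f[i] * node_vectors[i][j] for i in range(len(w_f))) for j in range(3)]


def total_cr(w_f: List[float], ci: List[float], ri: List[float]) -> float:
    """Eq. (8): consistency ratio of the total ranking of the hierarchy."""
    return sum(f * c for f, c in zip(w_f, ci)) / sum(f * r for f, r in zip(w_f, ri))


# Constructed criterion-layer judgment matrix F (mobile F1, host F2, server F3).
F_MATRIX: Matrix = [[1, 3, 1 / 2], [1 / 3, 1, 1 / 4], [2, 4, 1]]
# Node vectors W^{F_p}_D (good, warning, critical) from Sect. 4 of the paper.
NODE_VECTORS = [[0.5027, 0.2717, 0.2256], [0.4517, 0.2105, 0.3378], [0.6521, 0.3110, 0.0369]]
LEVELS = ["good", "warning", "critical"]


def assess_system() -> Tuple[List[float], str, float]:
    """Second-level analysis: W_G, the selected situation level and the eq. (8) CR."""
    w_f, ok = first_level(F_MATRIX)
    if not ok:
        raise ValueError("criterion-layer judgment matrix must be adjusted (CR >= 0.1)")
    w_g = total_ranking(w_f, NODE_VECTORS)
    # Constructed CI_i of each node's order-4 first-level criterion matrix (RI = 0.90).
    overall_cr = total_cr(w_f, [0.01, 0.03, 0.02], [RI[4]] * 3)
    return w_g, LEVELS[w_g.index(max(w_g))], overall_cr
```

A perfectly consistent matrix (every a_ij = w_i / w_j) yields CR = 0, while a circular matrix such as [[1, 3, 1/3], [1/3, 1, 3], [3, 1/3, 1]] is rejected by first_level, which is the case the adjustment rule of Sect. 3.1 exists for.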

4 Case Analysis

This article takes a small local area network as an analysis example; its main sensing device nodes include mobile devices, host devices, and server devices. As shown in Fig. 2, this paper mainly uses the basic operating status, equipment vulnerability status, risk events, and threat events perceived in the local area network to evaluate the situation of the node equipment inside the network, and establishes a situation indicator system formed by the target layer, the criterion layer, and the indicator layer.

The evaluation model takes the node equipment network security situation indicator system as the target layer \(C\). The criterion layer includes basic operating status \({B}_{1}\), equipment vulnerability status \({B}_{2}\), risk events \({B}_{3}\), and threat events \({B}_{4}\). The basic operating status \({B}_{1}\) can be decomposed into CPU usage \({C}_{1}\), memory usage \({C}_{2}\), and hard drive usage \({C}_{3}\). The vulnerability status of the device \({B}_{2}\) can be decomposed into four indicators: header tracking vulnerability \({C}_{4}\), SQL injection vulnerability \({C}_{5}\), cross-site scripting vulnerability \({C}_{6}\), and weak password vulnerability \({C}_{7}\). Risk events \({B}_{3}\) can be decomposed into virus attacks \({C}_{8}\), botnets \({C}_{9}\), Trojan attacks \({C}_{10}\), and denial of service \({C}_{11}\). Threat events \({B}_{4}\) can be divided into two indicators: illegal access \({C}_{12}\) and offline abnormality \({C}_{13}\). The plan layer contains the three levels good \({D}_{1}\), warning \({D}_{2}\), and critical \({D}_{3}\).

Because the calculation method is the same, this article only uses mobile devices \({F}_{1}\) as an example to calculate the weight vector of the first-level analysis situation assessment, and the other device assessment weight vectors will be directly given.

The judgment matrices and weights of the situation index system are determined by the pairwise comparison method: the judgment matrix and weight vector of the evaluation factors of the first-level criterion layer (shown in Table 7), the judgment matrix and weight vector of the evaluation factors of the index layer (shown in Table 8), and the judgment matrix and weight vector of the evaluation factors of the first-level plan layer (shown in Table 9).

Table 7. The judgment matrix and weight vector of the evaluation factors at the first level of the criterion layer B.
Table 8. The judgment matrix and weight vector of the evaluation factors at the first level of the index layer C.
Table 9. The judgment matrix and weight vector of the evaluation factors at the first level of the plan layer D.

Then calculate the combined weight \({W}_{C}\) of each factor of the indicator layer according to the above-mentioned obtained criterion layer weight vector \({W}_{B}\) and indicator layer weight vector \({W}_{{B}_{i}\_C}\):

\({W}_{C}\left({w}_{{C}_{j}}\right)=\left[\begin{array}{c}0.0173\\ 0.0048\\ 0.0314\\ 0.0201\\ 0.0626\\ 0.0224\\ 0.0072\\ 0.0155\\ 0.1550\\ 0.0456\\ 0.0753\\ 0.4072\\ 0.1357\end{array}\right]\), where

$$ w_{C_j} = w_{B_i} \times w_{B_i C_j}, \quad i \in \{1,\dots,4\},\ j \in \{1,\dots,13\} $$
(9)

According to the calculated plan-layer weight vectors \({W}_{{C}_{j}D}\) and the index-layer combined weight \({W}_{C}\), the total ranking of the plan layer \({W}_{D}\) is calculated as follows:

\({W}_{D}\left({w}_{{D}_{k}}\right)=\left[\begin{array}{c}0.5027\\ 0.2717\\ 0.2256\end{array}\right]\), where

$$ w_{D_k} = \sum_{j=1}^{13} w_{C_j}\, w_{C_j D_k}, \quad j \in \{1,\dots,13\},\ k \in \{1,2,3\} $$
(10)

The total hierarchical ranking \({W}_{D}\) is the situation assessment weight vector of the current device node; it is recorded as the weight vector \({W}^{{F}_{1}}_{D}\) of device \({F}_{1}\), and the first level of analysis is complete.

Similarly, we obtain \({W}^{{F}_{2}}_{D}=\left[\begin{array}{c}0.4517\\ 0.2105\\ 0.3378\end{array}\right]\), \({W}^{{F}_{3}}_{D}=\left[\begin{array}{c}0.6521\\ 0.3110\\ 0.0369\end{array}\right]\).

The second part of the evaluation model, the second level of analysis, takes the system security situation as the target layer E, and the criterion layer F includes mobile devices \({F}_{1}\), host devices \({F}_{2}\), and server devices \({F}_{3}\). The scheme layer G includes three levels: good \({G}_{1}\), warning \({G}_{2}\), and critical \({G}_{3}\), as shown in Fig. 3.

According to the pairwise comparison method, the judgment matrix and weights of the situation index system are determined, and the judgment matrix and weight vector of the evaluation factors of the second-level criterion layer are established (as shown in Table 10).

Table 10. The judgment matrix and weight vector of the evaluation factors of the second AHP analysis criterion layer.

Since the scheme layer G is the same as the plan layer D of the first-level analysis, the weight vector \({W}_{{F}_{p}G}({w}_{{F}_{p}{G}_{q}})\) of the second-level scheme-layer evaluation factors with respect to the criterion-layer factor they belong to is equal to the total hierarchical ranking obtained in the first-level analysis of the corresponding equipment node, namely \({W}_{{F}_{p}G}={W}^{{F}_{p}}_{D}\), \(p \in \{1,2,3\}\).

According to the scheme-layer weight vectors \({W}_{{F}_{p}G}\) and the criterion-layer weight vector \({W}_{F}\), the total ranking of the scheme layer \({W}_{G}\) is calculated:

\({W}_{G}\left({w}_{{G}_{q}}\right)=\left[\begin{array}{c}0.5811\\ 0.2881\\ 0.1308\end{array}\right]\), where

$$ w_{G_q} = \sum_{p=1}^{3} w_{F_p}\, w_{F_p G_q}, \quad p \in \{1,2,3\},\ q \in \{1,2,3\} $$
(11)

The total hierarchical ranking \({W}_{G}\) is the situation assessment weight vector of the distributed system, and the second level of analysis is complete.

The analysis results show that the proportion of good evaluation grades is 0.5811, the proportion of warning evaluation grades is 0.2881, and the proportion of critical evaluation grades is 0.1308. According to the criterion of maximum comprehensive evaluation weight, it can be seen that the network security situation assessment is in a good state.

5 Conclusion

This paper uses a hierarchical analysis model to evaluate the security situation of the system. The first level of analysis directly calculates the weight vector of the security situation level of a single node and does not upload this assessment information to a central database; instead, it relies on the consistency principle of the distributed system to keep the assessment information synchronized, which effectively avoids the leakage of assessment information and the tampering of security data. The second level of analysis rebuilds the hierarchical analysis model around the importance of the equipment, realizes the situation assessment of the system directly within a single node, and provides a concrete and feasible solution for moving a distributed system from single-point situation assessment to multi-point integrated situation assessment.