1 Introduction

In recent years, the rapid development of the Internet has made computer systems ever more common, and people have become inseparable from the network. Network security has become a key issue in every area of the network, and how to perceive the network security situation promptly and effectively has attracted considerable attention from researchers.

Network security situation awareness refers to the acquisition, understanding, display and prediction of future trends of the security elements that can change the network security situation in a large-scale network environment [1, 2]. It provides security managers with direct and effective global information, real-time response capability "afterwards" and timely early warning capability "in advance", so that dynamic security protection can be realized. Situation assessment is the core part: it reflects the overall security status of the network by comprehensively analyzing the security factors of all aspects of the network. Tim Bass [3] was the first to introduce situational awareness into the field of network security, arguing that fusing multi-sensor data into network situational awareness is the key breakthrough for the next generation of intrusion detection systems. Since then, research teams from different countries have proposed a variety of data models and platforms based on different knowledge systems.

Wen et al. [4] applied Bayesian networks to evaluate the network security situation. Ye et al. [5] used deep learning to extract features from large-scale network data and then analyzed and evaluated the network security situation. Vinayakumar [6] proposed a network security situation prediction method based on domain name system data analysis. Chen et al. [7] proposed a hierarchical evaluation method that obtains a three-level security threat situation by hierarchical calculation over hosts, services and the system. Liu et al. [8] applied cloud models and Markov chains to network security situation assessment.

None of the above methods fully considers the uncertainty and randomness of network security situation assessment, and each has its own drawbacks. First, the prior probabilities of a Bayesian network are difficult to obtain. Second, a deep learning model requires a large amount of data and training time, which makes real-time evaluation difficult. Finally, the hierarchical structure model and pairwise comparison matrix of AHP are mostly determined from experience and are therefore highly subjective.

Based on a comprehensive comparison of these methods, this paper uses an evidential network built on a Bayesian network for evaluation. Existing evaluation methods mainly analyze the security events caused by attacks, while the threats caused by peaks of normal behavior are not investigated enough. Therefore, this paper analyzes both normal behavior and attack behavior in the network environment to evaluate the network security situation.

The rest of the paper is arranged as follows. Section 2 briefly introduces D-S evidence theory and Bayesian networks. In Sect. 3, the method proposed in this paper is introduced. An example of network security assessment is given in Sect. 4 to illustrate the effectiveness of the method. Finally, the conclusion is given in Sect. 5.

2 Preliminaries

2.1 Evidence Theory

Evidence theory [9, 10] is an imprecise reasoning theory first proposed by Dempster and further developed by Shafer, also known as the Dempster-Shafer theory of evidence. The subjective Bayesian method must be given prior probabilities, whereas evidence theory can handle the uncertainty caused by ignorance. When the probability values are known, evidence theory reduces to probability theory.

Assume that \( \varTheta \) is the exhaustive set of all possible values of a variable \( X \), and that its elements are mutually exclusive. We call \( \varTheta \) the frame of discernment (FOD). If \( \varTheta \) has \( N \) elements, \( \varTheta = \left\{ {A_{1} ,A_{2} , \ldots ,A_{N} } \right\} \), then its power set has \( 2^{N} \) elements, \( 2^{\varTheta } = \left\{ \emptyset, \left\{ {A_{1} } \right\}, \ldots ,\left\{ {A_{N} } \right\},\left\{ {A_{1} ,A_{2} } \right\}, \ldots ,\left\{ {A_{1} ,A_{N} } \right\}, \ldots ,\varTheta \right\} \), and each member of the power set corresponds to a subset of the values of \( X \).

Definition 2.1.

A basic probability assignment (BPA) is a function \( m:2^{\varTheta } \to \left[ {0,1} \right] \), which satisfies:

$$ \begin{cases} m\left( \emptyset \right) = 0 \\ \sum_{A \in 2^{\varTheta }} m\left( A \right) = 1 \end{cases} $$
(1)

where \( A \) is any subset of \( \varTheta \). The function \( m\left( A \right) \) represents the degree to which the evidence supports \( A \). \( A \) is called a focal element of \( m \) when \( m\left( A \right) > 0 \).

Definition 2.2.

Given a BPA, the belief function \( Bel \) and the plausibility function \( Pl \) represent the lower and upper bounds of the degree of trust in each proposition, respectively. They are defined as follows:

$$ Bel\left( A \right) = \sum_{B \subseteq A} m\left( B \right) \quad \quad \forall A \subseteq \varTheta $$
(2)
$$ Pl\left( A \right) = 1 - Bel\left( {\bar{A}} \right) = \sum_{B \cap A \ne \emptyset } m\left( B \right) \quad \quad \forall A \subseteq \varTheta $$
(3)

Definition 2.3.

For a BPA, its specificity is measured by the function \( Sp \), defined as follows:

$$ Sp = \sum_{A \subseteq \varTheta } \frac{m\left( A \right)}{\left| A \right|} $$
(4)

Definition 2.4.

If \( m \) is a BPA on a FOD \( \varTheta \), the pignistic probability transformation (PPT) function \( BetP_{m} : \varTheta \to \left[ {0, 1} \right] \) associated with \( m \) is defined by

$$ BetP_{m} \left( x \right) = \sum_{x \in A,\, A \subseteq \varTheta } \frac{1}{\left| A \right|}\frac{m\left( A \right)}{1 - m\left( \emptyset \right)} $$
(5)

where \( m\left( \emptyset \right) \ne 1 \) and \( \left| A \right| \) is the cardinality of proposition \( A \).

2.2 Bayesian Network

A Bayesian network [11] is a directed acyclic graph (DAG) composed of variable nodes and directed edges. The nodes represent random variables, and the directed edges represent the relations between nodes (from the parent node to the child node). The strength of a relation is expressed by a conditional probability, and a node without parents carries a prior probability. Bayesian networks are suited to expressing and analyzing uncertain and probabilistic events and to making decisions that depend conditionally on various control factors; they can draw inferences from incomplete, inaccurate or uncertain knowledge or information [12].

Definition 2.5.

Assume that \( G = \left( {I,E} \right) \) is a DAG, where \( I \) is the set of all nodes in the graph and \( E \) is the set of directed edges. \( X = \left\{ X_{i} \right\}_{i \in I} \) is the set of random variables, \( X_{i} \) being the variable represented by node \( i \) in the DAG. The probability distribution of \( X \) can be expressed as:

$$ p\left( x \right) = \prod_{i \in I} p\left( {x_{i} \,|\, x_{pa\left( i \right)} } \right) $$
(6)

where \( x_{pa\left( i \right)} \) denotes the values of the parent (cause) nodes of node \( i \).

For any set of random variables, the joint distribution is obtained by multiplying their local conditional probability distributions:

$$ P\left( {X_{1} = x_{1} , \ldots ,X_{n} = x_{n} } \right) = \prod_{i = 1}^{n} P\left( {X_{i} = x_{i} \,|\, X_{i + 1} = x_{i + 1} , \ldots ,X_{n} = x_{n} } \right) $$
(7)

Bayesian network reasoning is probabilistic reasoning; it can be extended to evidential network reasoning within the framework of evidence theory [13].

3 The Proposed Method

In this section, an evidential network model based on the approaches of evidence theory [14] is applied to network security assessment. Reasoning with a traditional evidential network [15] has two problems. First, the information of the parent nodes is difficult to express completely and accurately, and the information of the root node is hard to obtain when the number of focal elements in the parent nodes is large. Second, for a node with parents, the size of its conditional belief mass table grows exponentially with the cardinalities of its parents' FODs: such a table is huge, and generating it is a major challenge.

To address these two problems, this paper proceeds as follows. First, the parent-node information is transformed from a BPA into a plausibility function \( Pl \). Then the reasoning rules are transformed from a conditional belief mass table into a conditional plausibility function table. This allows the network to reason even when the inference rules are incomplete. Fig. 1 shows the process of this method.

Fig. 1. A flowchart of the introduced evidential network.

  • Step 1. Construct an evidential network. An evidential network is defined as a directed acyclic graph (DAG). For example, take three nodes: two parent nodes \( X \) with FOD \( \varTheta_{X} = \left\{ {X_{1} ,X_{2} } \right\} \) and \( Y \) with FOD \( \varTheta_{Y} = \left\{ {Y_{1} ,Y_{2} } \right\} \), and a child node \( Z \) of \( X \) and \( Y \) with FOD \( \varTheta_{Z} = \left\{ {Z_{1} ,Z_{2} } \right\} \). We can construct the evidential network shown in Fig. 2. The parent nodes represent the network parameters obtained, and the child node represents the network security situation evaluation result. The evidential network may have more than one layer.

    Fig. 2. An example of an evidential network.

  • Step 2. By simplifying the extension operator given in [14], we use it for evidential network reasoning. As modelled in [14], the space composed of the parent-node FODs is called \( E_{e} \), and the space composed of the child-node FOD is called \( E_{s} \). For example, in the evidential network of Fig. 2, \( E_{e} = \left\{ {\varTheta_{X} ,\varTheta_{Y} } \right\} \) and \( E_{s} = \left\{ {\varTheta_{Z} } \right\} \). \( Pl_{e} \left( \cdot \right) \) is the plausibility function on \( E_{e} \), which may be incomplete; \( Pl_{s} ( \cdot |B \subseteq E_{e} ) \) is the plausibility function on \( E_{s} \), which may also be incomplete and is valid when the subset \( B \) of \( E_{e} \) is definitely true. If the information we obtain on the parent nodes is a BPA and the rules are a conditional belief mass table, formula (3) transforms them into the plausibility function \( Pl_{e} \left( \cdot \right) \) and the conditional plausibility function table \( Pl_{s} ( \cdot |B \subseteq E_{e} ) \). If the parent-node information and the rules are already given as a plausibility function and a conditional plausibility function table, this step can be skipped.

  • Step 3. Determine the \( Pl_{sr} \left( {A \times B} \right) \) values on \( E_{s} \times E_{r} \), for all available data, using the formula from [14]:

    $$ Pl_{sr} \left( {A \times B} \right) = Pl_{s} \left( {A \,|\, B \subseteq E_{r} } \right)\,Pl_{e} \left( B \right) $$
    (8)

    where \( Pl_{sr} \left( \cdot \right) \) is the joint plausibility function and \( E_{r} \) is the parent space written \( E_{e} \) in Step 2.

  • Step 4. Many \( m\left( \cdot \right) \) functions, rather than just one, satisfy an incompletely defined plausibility function. To obtain \( m\left( \cdot \right) \) on the space \( E \) while keeping as much information as possible without imposing any, we use the minimum specificity algorithm proposed by Appriou [14] to transform the plausibility function into a BPA. That is, out of all the possible functions, we choose the one with the least specificity \( Sp\left( m \right) \).

  • Step 5. Determine the mass function \( m_{s} \left( \cdot \right) \) on \( E_{s} \) from \( m_{sr} \left( \cdot \right) \), using the formula:

$$ m_{s} \left( A \right) = \sum_{B \subseteq E_{r} } m_{sr} \left( {A \times B} \right) $$
(9)

At this point we have obtained the inference result for the child node, and we can either proceed to the next inference or evaluate the situation of the child node from this result.

4 Case Study

In this section, an example from paper [16] is used to confirm the effectiveness of the proposed method. Because network security is affected both by peaks of normal behavior and by attack behavior, this paper divides network activity into normal behavior and attack behavior when considering the network security situation. Changes in network resources reflect changes in the network security situation. CPU and memory are important resources in the network: when the network is used improperly or is under attack, both may be exhausted, resulting in performance degradation or even a crash. Therefore, this paper selects CPU utilization and memory consumption as the security factors for evaluating the network security situation.

  • Step 1. According to the above analysis, an evidential network is constructed as shown in Fig. 3:

    Fig. 3. The evidential network we construct for network security situation assessment [16].

  • In the evidential network, MC, CPU, NB, AB and NS represent memory consumption, CPU utilization, normal behavior, attack behavior and network security, respectively. The FODs of MC, CPU, NB and AB each have two elements \( \varTheta = \left\{ {G_{1} ,G_{2} } \right\} \), where \( G_{1} \) and \( G_{2} \) represent a good and a bad assessment. The FOD of NS has four elements \( \varTheta = \left\{ {G_{1} ,G_{2} ,G_{3} ,G_{4} } \right\} \), where \( G_{1} \) to \( G_{4} \) mean excellent, good, ordinary and bad.

  • Step 2. Network security has a greater impact on CPU utilization. Compared with normal behavior, the harm caused by attack behavior to the network environment is much more serious. To simplify the calculation, we assume that the conditional plausibility function tables relating memory consumption and CPU utilization to normal behavior and to attack behavior are the same. For the evidential network, suppose we have the conditional plausibility function Tables 1 and 2.

    Table 1. The conditional plausibility function table between {CPU, MC} and {NB}/{AB}.
    Table 2. The conditional plausibility function table between {AB, NB} and {NS}.
  • From the conditional plausibility function tables we can see that the inference rules are incomplete and imprecise. For example, we have no information for the cases where CPU is \( G_{1} \) or \( G_{2} \) while MC is \( G_{1} \), and the description of the child node is fuzzy when CPU is \( G_{1} \) while MC is \( G_{1} \).

  • Then, for the evidential network, assume we have the following information on the parent nodes:

    $$ \begin{aligned} m_{MC1} \left( {\left\{ {G_{1} } \right\}, \left\{ {G_{2} } \right\},\left\{ {G_{1} ,G_{2} } \right\}} \right) &= \left( {0.6,0.3,0.1} \right) \\ m_{CPU1} \left( {\left\{ {G_{1} } \right\}, \left\{ {G_{2} } \right\},\left\{ {G_{1} ,G_{2} } \right\}} \right) &= \left( {0.8,0.1,0.1} \right) \\ m_{MC2} \left( {\left\{ {G_{1} } \right\}, \left\{ {G_{2} } \right\},\left\{ {G_{1} ,G_{2} } \right\}} \right) &= \left( {0.7,0,0.3} \right) \\ m_{CPU2} \left( {\left\{ {G_{1} } \right\}, \left\{ {G_{2} } \right\},\left\{ {G_{1} ,G_{2} } \right\}} \right) &= \left( {0.9,0.05,0.05} \right) \end{aligned} $$
  • When reasoning from MC and CPU to NB, we have \( E_{r} = \left\{ {MC,CPU} \right\} \) and \( E_{s} = \left\{ {NB} \right\} \). The other reasoning steps proceed in the same way.

  • Step 3. Compute the \( Pl_{sr} \left( {A \times B} \right) \) values on \( E_{s} \times E_{r} \) with formula (8). When reasoning from MC and CPU to NB, the result for \( Pl_{sr} \left( {A \times B} \right) \) is as follows (superscript 1 refers to the MC element and superscript 2 to the CPU element):

    $$ \begin{aligned} Pl_{sr} \left( {\left\{ {G_{1} ,G_{2} } \right\} \times \left\{ {G_{1}^{1} ,G_{1}^{2} } \right\}} \right) &= 0.63 & Pl_{sr} \left( {\left\{ {G_{1} ,G_{2} } \right\} \times \left\{ {G_{2}^{1} ,G_{1}^{2} } \right\}} \right) &= 0.36 \\ Pl_{sr} \left( {\left\{ {G_{1} ,G_{2} } \right\} \times \left\{ {G_{2}^{1} ,G_{2}^{2} } \right\}} \right) &= 0.08 & Pl_{sr} \left( {\left\{ {G_{1} ,G_{2} } \right\} \times \left\{ {G_{1}^{1} ,G_{2}^{2} } \right\}} \right) &= 0.14 \\ Pl_{sr} \left( {\left\{ {G_{2} } \right\} \times \left\{ {G_{1}^{1} ,G_{1}^{2} } \right\}} \right) &= 0.063 & Pl_{sr} \left( {\left\{ {G_{1} } \right\} \times \left\{ {G_{2}^{1} ,G_{1}^{2} } \right\}} \right) &= 0.288 \\ Pl_{sr} \left( {\left\{ {G_{2} } \right\} \times \left\{ {G_{2}^{1} ,G_{1}^{2} } \right\}} \right) &= 0.108 & Pl_{sr} \left( {\left\{ {G_{1} } \right\} \times \left\{ {G_{2}^{1} ,G_{2}^{2} } \right\}} \right) &= 0.08 \\ Pl_{sr} \left( {\left\{ {G_{2} } \right\} \times \left\{ {G_{2}^{1} ,G_{2}^{2} } \right\}} \right) &= 0.064 \end{aligned} $$
  • In the same way, we obtain \( Pl_{sr} \left( {A \times B} \right) \) between {MC, CPU} and {AB}.

  • Step 4. Transform \( Pl_{sr} \left( {A \times B} \right) \) into \( m_{sr} \left( {A \times B} \right) \) by the minimum specificity algorithm of Sect. 3. The results are as follows:

    $$ \begin{aligned} m_{sr} \left( {\left\{ {G_{1} ,G_{2} } \right\} \times \left\{ {G_{2}^{1} ,G_{1}^{2} } \right\}} \right) &= 0.108 & m_{sr} \left( {\left\{ {G_{1} ,G_{2} } \right\} \times \left\{ {G_{1}^{1} ,G_{1}^{2} } \right\}} \right) &= 0.063 \\ m_{sr} \left( {\left\{ {G_{1} } \right\} \times \left\{ {G_{2}^{1} ,G_{1}^{2} } \right\}} \right) &= 0.497 & m_{sr} \left( {\left\{ {G_{1} ,G_{2} } \right\} \times \left\{ {G_{1}^{1} ,G_{2}^{2} } \right\}} \right) &= 0.072 \\ m_{sr} \left( {\left\{ {G_{1} } \right\} \times \left\{ {G_{1}^{1} ,G_{1}^{2} } \right\} \cap \left\{ {G_{1} ,G_{2} } \right\} \times \left\{ {G_{2}^{1} ,G_{2}^{2} } \right\}} \right) &= 0.064 \\ m_{sr} \left( {\left\{ {G_{1} ,G_{2} } \right\} \times \left\{ {G_{1}^{1} ,G_{2}^{2} } \right\} \cap \left\{ {G_{1} } \right\} \times \left\{ {G_{2}^{1} ,G_{1}^{2} } \right\}} \right) &= 0.058 \\ m_{sr} \left( {\left\{ {G_{1} ,G_{2} } \right\} \times \left\{ {G_{1}^{1} ,G_{2}^{2} } \right\} \cap \left\{ {G_{1} } \right\} \times \left\{ {G_{2}^{1} ,G_{2}^{2} } \right\}} \right) &= 0.01 \\ m_{sr} \left( {\left\{ {G_{1} } \right\} \times \left\{ {G_{2}^{1} ,G_{1}^{2} } \right\}} \right) &= 0.122 \end{aligned} $$
  • Step 5. Compute the mass function \( m_{s} \left( \cdot \right) \) on \( E_{s} \) from \( m_{sr} \left( \cdot \right) \) by formula (9). The results are as follows:

$$ \begin{aligned} m_{NB} \left( {\left\{ {G_{1} } \right\},\left\{ {G_{1} ,G_{2} } \right\}} \right) &= \left( {0.625,0.375} \right) \\ m_{AB} \left( {\left\{ {G_{1} } \right\},\left\{ {G_{1} ,G_{2} } \right\}} \right) &= \left( {0.7455,0.2545} \right) \end{aligned} $$

We now have the information on nodes NB and AB. To obtain the information on node NS, we regard NB and AB as parent nodes and repeat the above procedure. Finally, the BPA on node NS is as follows:

$$ \begin{aligned} m_{NS} \left( {\left\{ {G_{1} ,G_{2} } \right\}, \left\{ {G_{1} ,G_{2} ,G_{3} } \right\},\left\{ {G_{1} ,G_{2} ,G_{4} } \right\},\left\{ {G_{1} ,G_{2} ,G_{3} ,G_{4} } \right\}} \right) \\ = \left( {0.4687,0.0573,0.0477,0.4265} \right) \end{aligned} $$

We can assess the network security situation from this result. For example, we transform the BPA into probabilities with the PPT function to make the assessment more intuitive.

The result computed by formula (5) is as follows:

$$ \begin{aligned} P\left( {G_{1} } \right) &= 0.3759 & P\left( {G_{2} } \right) &= 0.3759 \\ P\left( {G_{3} } \right) &= 0.1257 & P\left( {G_{4} } \right) &= 0.1225 \end{aligned} $$

We can conclude that the current network security situation is at a good level.
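As an added worked example (not code from the paper or from [14]), the following Python reproduces the Step 3 numbers of Section 4 with formulas (3) and (8) and then applies the PPT of formula (5) to the final BPA on NS. Because Tables 1 and 2 are not reproduced on the page, the conditional plausibility rows are back-computed from the reported \( Pl_{sr} \) values, and the two parents are treated as independent when forming \( Pl_{e}(B) \), which is the assumption those values imply.

```python
# Added worked example: formulas (3), (4), (5) and (8) applied to the Section 4 data.
# BPAs are dicts keyed by frozenset focal elements; m(∅) = 0 is implicit.

G1, G2, G3, G4 = "G1", "G2", "G3", "G4"
THETA2 = frozenset({G1, G2})            # FOD of MC, CPU, NB and AB (good / bad)

def pl(m, A):
    """Formula (3): Pl(A) = sum of m(B) over focal elements B with B ∩ A ≠ ∅."""
    A = frozenset(A)
    return sum(mass for B, mass in m.items() if B & A)

def specificity(m):
    """Formula (4): Sp = sum of m(A) / |A| over the focal elements of m."""
    return sum(mass / len(A) for A, mass in m.items() if A)

def pignistic(m, frame):
    """Formula (5): BetP(x) = sum over A ∋ x of m(A) / (|A| * (1 - m(∅)))."""
    norm = 1.0 - m.get(frozenset(), 0.0)
    return {x: round(sum(mass / len(A) for A, mass in m.items() if x in A) / norm, 4)
            for x in frame}

def joint_pl_sr(m_mc, m_cpu, cond_pl):
    """Formula (8): Pl_sr(A x B) = Pl_s(A | B) * Pl_e(B), evaluated only for the
    (B, A) pairs that the possibly incomplete conditional table contains.
    Assumption (implied by the paper's reported values, not stated on the page):
    the parents are independent, so Pl_e({mc} x {cpu}) = Pl_MC({mc}) * Pl_CPU({cpu})."""
    out = {}
    for (mc, cpu), row in cond_pl.items():
        pl_e = pl(m_mc, {mc}) * pl(m_cpu, {cpu})
        for A, pl_s in row.items():
            out[(A, (mc, cpu))] = round(pl_s * pl_e, 4)
    return out

# Parent-node BPAs m_MC1 and m_CPU1 from Section 4, Step 2.
M_MC1 = {frozenset({G1}): 0.6, frozenset({G2}): 0.3, THETA2: 0.1}
M_CPU1 = {frozenset({G1}): 0.8, frozenset({G2}): 0.1, THETA2: 0.1}

# Conditional plausibility rows (MC value, CPU value) -> {NB subset: Pl_s(subset | B)}.
# Table 1 is not reproduced on the page; each entry below is the paper's reported
# Pl_sr value divided by Pl_e(B). Cells the paper gives no value for are absent,
# which is the "incomplete rules" situation the method is built to handle.
COND_PL_NB = {
    (G1, G1): {THETA2: 1.0, frozenset({G2}): 0.1},
    (G2, G1): {THETA2: 1.0, frozenset({G1}): 0.8, frozenset({G2}): 0.3},
    (G2, G2): {THETA2: 1.0, frozenset({G1}): 1.0, frozenset({G2}): 0.8},
    (G1, G2): {THETA2: 1.0},
}

# Final BPA on node NS reported in Section 4 (G1..G4 = excellent, good, ordinary, bad).
M_NS = {
    frozenset({G1, G2}): 0.4687, frozenset({G1, G2, G3}): 0.0573,
    frozenset({G1, G2, G4}): 0.0477, frozenset({G1, G2, G3, G4}): 0.4265,
}

def step3_nb():
    """Step 3 of the case study: Pl_sr(A x B) when reasoning from {MC, CPU} to NB."""
    return joint_pl_sr(M_MC1, M_CPU1, COND_PL_NB)

def assess_ns():
    """Final assessment: pignistic probabilities of the four NS levels."""
    return pignistic(M_NS, (G1, G2, G3, G4))

if __name__ == "__main__":
    for (A, B), v in step3_nb().items():
        print(f"Pl_sr({sorted(A)} x {B}) = {v}")
    print("BetP on NS:", assess_ns())
    print("Sp(m_NS) =", round(specificity(M_NS), 4))
```

The pignistic values reproduce the paper's P(G3) and P(G4) exactly; for G1 and G2 the exact value is 0.375975, which the paper prints as 0.3759.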

5 Conclusion

This paper has studied the evaluation of the network security situation using an evidential network built on a Bayesian network. First, D-S evidence theory and Bayesian networks were introduced; then an evidential network based on a Bayesian network was proposed to evaluate the network security situation. Finally, an example was given to verify the feasibility of the method.