• DocumentCode
    2644345
  • Title

    A Framework of Network Security Situation Analysis Based on the Technologies of Event Correlation and Situation Assessment

  • Author

    Xuewei, Feng ; Dongxia, Wang ; Shanwen, Ke ; Guoqing, Ma ; Jin, Li

  • Author_Institution
    Nat. Key Lab. of Sci. & Technology on Inf. Syst. Security, Beijing Inst. of Syst. Eng., Beijing, China
  • fYear
    2011
  • fDate
    June 30 2011-July 2 2011
  • Firstpage
    376
  • Lastpage
    380
  • Abstract
    After analyzing the existing research on network security situation awareness, a framework of situation analysis is proposed in this paper. It is an application and reification of the classic situation awareness model proposed by Tim Bass. The framework is composed of three core contents, namely, the situation information model, event correlation analysis technology and situation assessment technology. The information model defines what a situation is and how to express it; the other two technologies are the means of acquiring this situation information. The hierarchic information model contains four levels: raw security data, security entities, assessment report, and mission impact. As the model level rises, the quantity of information decreases while the quality increases. The correlation technology focuses on obtaining the security entities, that is, the second-level situation information. The situation assessment technology provides methods and means for acquiring the information belonging to the third and fourth levels; namely, it is the technical guarantee for creating the assessment report and mission impact. The framework provides guidance and technical support for the whole situation analysis procedure, and it is the foundation of the analysis work.
  • Keywords
    computer network security; assessment report; event correlation analysis technology; mission impact; network security situation analysis; network security situation awareness; raw security datas; security entities; situation assessment technology; situation information model; Analytical models; Computational modeling; Correlation; Cyberspace; Measurement; Security; Sensors; correlation analysis; network security; situation analysis; situation assessment; situation information model;
  • fLanguage
    English
  • Publisher
    IEEE
  • Conference_Titel
    Innovative Mobile and Internet Services in Ubiquitous Computing (IMIS), 2011 Fifth International Conference on
  • Conference_Location
    Seoul
  • Print_ISBN
    978-1-61284-733-7
  • Electronic_ISBN
    978-0-7695-4372-7
  • Type

    conf

  • DOI
    10.1109/IMIS.2011.43
  • Filename
    5976235