Hong-lei ZHENG, Zhong ZHENG
(1 Computer Engineering Department, Taiyuan University, Taiyuan 030032, China; 2 Department of Automation, Tsinghua University, Beijing 100089, China)
Abstract: Information network security is essential for office work over the Internet. Real-time network security risk assessment, a key component of information security, can effectively detect the security status of network resources. To improve the security of office resources in the Internet environment, this paper proposes an online network security risk assessment method based on a prediction model. The method uses the expectation-maximization (EM) algorithm to improve the traditional continuous-time hidden Markov model and performs the risk assessment on the resulting predictive model. Simulation results show that the proposed method can effectively perform online prediction of network security. Compared with other methods, it achieves higher accuracy and real-time performance, meeting a variety of information security needs in the Internet environment.
Key words: Security prediction, Security risk assessment, Hidden Markov model, Cyberattack
By analyzing historical network security assessment data and collecting current network status and network equipment information, a suitable mathematical model can be set up to predict changes in network security over a given period. Network security risk assessment can thus predict changes in the network security state objectively and accurately, capture the likely trend of network intrusions, and prevent future intrusions, improving the reliability of network security [3].
At present, network security risk assessment methods fall into two categories: ① Offline assessment (static assessment). By comprehensively evaluating the value of the target network's assets, the number of security vulnerabilities, the number of intrusion events that have occurred and other factors, offline assessment determines the risk level of the target network. ② Online assessment (real-time assessment). Research on real-time network risk assessment is still at an early stage. Most real-time methods use security events (such as intrusion detection system alerts and vulnerability scan results) as the observation information.
A network security prediction method based on a radial basis function (RBF) neural network was proposed in [4]. The RBF network models the nonlinear state, and the security risk is predicted from the relationships among different states. In real-time risk assessment, however, this method can become trapped in local optima, producing inaccurate results. A network security risk prediction scheme based on a back-propagation (BP) neural network was proposed in [5]. It generates a state sequence with a risk assessment model and uses that sequence to train the BP network. However, it has many training parameters and a long training time, so it cannot meet real-time requirements. As a statistical model, the hidden Markov model (HMM) has good application prospects in network security, and a risk assessment method based on an HMM was proposed in [6]. However, building that model takes a long time, so it cannot assess security risk online in real time.
Building on the above work, and in order to improve the security of office resources in the Internet environment, this paper proposes an online network security risk assessment method based on a prediction model. The method uses the EM algorithm to improve the traditional continuous-time hidden Markov model and performs the risk assessment on the resulting predictive model. Simulation results show that the proposed method can effectively perform online prediction of network security and, compared with other methods, achieves higher accuracy and real-time performance, meeting a variety of information security needs in the Internet environment.
To simplify the analysis, this paper constructs a simple real-time risk management system architecture, shown in Fig. 1. Based on the data observed by network monitoring, the proposed real-time network security risk assessment system assesses the risk to assets.
Fig.1 Real time risk management system architecture
In this architecture, network sensor modules must be deployed on all nodes of the network [7-9]. The data acquisition and alarm classification module collects status data such as traffic, intrusion reports and system logs for threat and vulnerability assessment. It gathers the output of all types of network sensors and classifies it according to a configured classification index; its output is the data source of the risk assessment module [10-11]. The risk assessment module assigns assets through asset identification, estimates the security state of each asset from the observed data, and then performs quantitative risk analysis from the state distribution and the asset value. The risk management and security measures module distinguishes alarm levels and applies the corresponding handling and protection measures for each level.
It is assumed that the security levels of an asset can be represented by $N$ states, denoted $S=\{s_1,s_2,\dots,s_N\}$. $X=\{x_1,x_2,\dots\}$ denotes the sequence of states visited, where $x_t\in S$ is the state at time $t$. The asset security model is assumed to be the one shown in Fig. 2, that is $S=\{G,P,A,C\}$. State $G$ means the asset is in a safe state and no intrusion has occurred. State $P$ means an intruder has discovered the host in the network system but has not yet started to attack it. State $A$ means an intrusion against the host has started but has not yet succeeded. State $C$ means the intruder has successfully broken the host's security and the asset has been compromised.
Fig.2 Security state model of assets
Suppose a homogeneous continuous-time HMM process is $W=(Z,Y)$, where $Z=\{Z_t,\ t\ge 0\}$ is a random process with state set $S=\{s_1,s_2,\dots,s_N\}$ and $Y=\{Y_t,\ t\ge 0\}$ is the observation process. The parameter model can then be expressed as $\lambda=(Q,B,\pi)$.
For the stochastic process $Z=\{Z_t,\ t\ge 0\}$, when $i\neq j$ the state transition function can be defined as:
$$p_{ij}(t)=P\{Z_{h+t}=s_j \mid Z_h=s_i\}=q_{ij}\,t+o(t) \qquad (1)$$
(2)
In this paper the Markov process is discretized to obtain the corresponding embedded Markov chain, and the EM algorithm is applied to the observed sequence to estimate the transition matrix. The forward variable is defined as:
$$\alpha_t(i)=P(y_1 y_2\cdots y_t,\ x_t=s_i \mid \lambda) \qquad (3)$$
Since the observations are conditionally independent given the state sequence:
$$P(Y\mid X,\lambda)=b_{x_1}(y_1)\,b_{x_2}(y_2)\cdots b_{x_L}(y_L) \qquad (4)$$
In addition, by the Markov property of the state sequence, with $\Delta_k$ the interval between the $k$-th and $(k+1)$-th observations:
$$P(X\mid\lambda)=\pi_{x_1}\,p_{x_1x_2}(\Delta_1)\cdots p_{x_{L-1}x_L}(\Delta_{L-1}) \qquad (5)$$
$$P(Y,X\mid\lambda)=P(Y\mid X,\lambda)\,P(X\mid\lambda) \qquad (6)$$
We can get:
$$P(Y,X\mid\lambda)=\pi_{x_1}b_{x_1}(y_1)\,p_{x_1x_2}(\Delta_1)\,b_{x_2}(y_2)\cdots p_{x_{L-1}x_L}(\Delta_{L-1})\,b_{x_L}(y_L) \qquad (7)$$
(8)
Let $\gamma_t(i)=P(x_t=s_i\mid y_1,y_2,\dots,y_t,\lambda)$ denote the online state distribution, that is, the probability of state $s_i$ at time $t$. The forward variables are initialized as:
$$\alpha_1(i)=\pi_i\,b_i(y_1),\qquad 1\le i\le N \qquad (9)$$
(10)
While online, the state distribution is updated with each new observation, as shown below for $1\le t\le L-1$:
(11)
(12)
When time $L$ is reached, the recursion terminates, giving:
(13)
The risk value of the asset at time $t$ can be expressed as:
(14)
If $h$ denotes a host and $R_{h,t}$ the risk of host $h$ at time $t$, then the risk value over all hosts is:
(15)
where $M$ is the total number of hosts in the network.
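The online filtering described above, carried through in code as an added example (this is not the paper's implementation). The generator $Q$, the emission matrix $B$, the per-state costs and the alert sequence are constructed values; the form of the host risk as the cost-weighted state distribution and the asset-weighted network sum are assumptions, because the bodies of equations (14) and (15) did not survive on the page. Parameter estimation with EM is not shown: $\lambda=(Q,B,\pi)$ is taken as given, and the block shows only the transition probabilities $p_{ij}(\Delta)$ obtained from $Q$, the forward recursion, the normalized distribution $\gamma_t(i)$ and the resulting risk values.

```python
"""Online forward filtering for the four-state asset security model.

Added example, not the paper's code. Q, B, COST and the alert log are
constructed; the risk formulas are assumptions (see the lead-in).
"""

STATES = ["G", "P", "A", "C"]

# Generator of the continuous-time chain, rates per minute, rows sum to 0.
# Off-diagonal q_ij is the rate in p_ij(t) = q_ij * t + o(t).  Constructed.
Q = [
    [-0.05,  0.05,  0.00,  0.00],
    [ 0.02, -0.12,  0.10,  0.00],
    [ 0.00,  0.05, -0.25,  0.20],
    [ 0.10,  0.00,  0.00, -0.10],
]

# Emission probabilities b_i(y) for y = 0 (no alert), 1 (scan alert),
# 2 (overflow alert).  Constructed.
B = [
    [0.90, 0.09, 0.01],   # G
    [0.30, 0.65, 0.05],   # P
    [0.10, 0.30, 0.60],   # A
    [0.20, 0.20, 0.60],   # C
]

PI = [1.0, 0.0, 0.0, 0.0]        # every host starts in state G
COST = [0.0, 0.2, 0.6, 1.0]      # assumed loss per state (eq. 14 not on page)


def mat_mul(a, b):
    n = len(a)
    return [[sum(a[i][k] * b[k][j] for k in range(n)) for j in range(n)]
            for i in range(n)]


def mat_exp(q, dt, terms=16):
    """p_ij(dt) = [exp(Q*dt)]_ij, Taylor series with scaling and squaring."""
    n = len(q)
    a = [[x * dt for x in row] for row in q]
    norm = max(sum(abs(x) for x in row) for row in a)
    s = 0
    while norm > 0.5:             # scale down so the series converges fast
        norm /= 2.0
        s += 1
    a = [[x / (2 ** s) for x in row] for row in a]
    ident = [[1.0 if i == j else 0.0 for j in range(n)] for i in range(n)]
    result = [row[:] for row in ident]
    term = [row[:] for row in ident]
    for k in range(1, terms + 1):
        term = [[x / k for x in row] for row in mat_mul(term, a)]
        result = [[result[i][j] + term[i][j] for j in range(n)] for i in range(n)]
    for _ in range(s):            # exp(A) = exp(A / 2^s) ^ (2^s)
        result = mat_mul(result, result)
    return result


def forward_step(gamma_prev, p, y):
    """One forward recursion step followed by normalisation.

    gamma_t(i) = alpha_t(i) / sum_j alpha_t(j), so the scale of alpha cancels
    and the normalised vector can be propagated directly; this also keeps the
    online filter from underflowing on long observation sequences.
    """
    n = len(gamma_prev)
    unnorm = [sum(gamma_prev[i] * p[i][j] for i in range(n)) * B[j][y]
              for j in range(n)]
    z = sum(unnorm)
    return [x / z for x in unnorm]


def host_risk(gamma):
    """R_{h,t} as expected loss under gamma_t (assumed form)."""
    return sum(g * c for g, c in zip(gamma, COST))


def online_risk(observations):
    """Filter a list of (minute, alert_type) pairs; return (t, gamma, risk) per step."""
    t0, y0 = observations[0]
    unnorm = [PI[i] * B[i][y0] for i in range(len(PI))]    # eq. (9)
    z = sum(unnorm)
    gamma = [x / z for x in unnorm]
    out = [(t0, gamma, host_risk(gamma))]
    prev_t = t0
    for t, y in observations[1:]:
        p = mat_exp(Q, t - prev_t)    # transition over the elapsed interval
        gamma = forward_step(gamma, p, y)
        out.append((t, gamma, host_risk(gamma)))
        prev_t = t
    return out


def network_risk(host_risks, weights):
    """Asset-value weighted sum over hosts (weighting is an assumption)."""
    return sum(r * w for r, w in zip(host_risks, weights))


if __name__ == "__main__":
    # Constructed alert log for one host: quiet, then scans, then overflows.
    alerts = [(0, 0), (1, 0), (2, 1), (3, 1), (4, 2), (5, 2), (6, 2)]
    for t, gamma, r in online_risk(alerts):
        print(f"t={t:2d}  gamma={[round(g, 3) for g in gamma]}  risk={r:.3f}")
```

Feeding the filter an irregular time stamp sequence works without change because the transition matrix is recomputed from $Q$ for each elapsed interval, which is the practical benefit of the continuous-time model over a fixed-step chain.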
To verify the validity and feasibility of the improved continuous-time hidden Markov model, a typical Internet office environment is set up and simulated. The experimental network topology is shown in Fig. 3: the typical office network has three asset nodes, namely an HTTP server, a WWW server and an FTP server, with asset weights of 0.6, 0.3 and 0.1 respectively. Malicious scanning and overflow attacks by intruders against the node hosts are simulated at different times. The number of attacks per node per unit time (one minute) is read from the IDS alarm log, and the attack intensity level is assessed according to the threat degree of the attack.
Fig.3 Network instance structure diagram
The performance of the different models is compared by computing the bit error rate (BER), defined as:
(16)
The simulation results of the proposed method and the traditional HMM model are shown in Fig.4.
Fig.4 BER comparison of two different models
Fig. 5 shows the attack intensity curves for the two intrusion modes, that is, how the number of malicious attacks varies with time in the simulation; the abscissa is the intrusion time in minutes and the ordinate is the number of attacks per unit time.
Fig.5 Variation curve of attack intensity
The GM(1,1) model, the ARMA model [6] and the proposed algorithm are used to assess the network security risk; the predicted risk values are shown in Fig. 6. During the first 30 minutes only malicious scanning occurred, which poses a low threat, so the risk assessment value grew slowly and remained small. Between 30 and 40 minutes an overflow attack began; its threat is higher, so the risk assessment reached its first peak. At 65 and 85 minutes the number of overflow attacks reached two further peaks. Fig. 6 shows that the risk assessment results of both the ARMA model and the model in this paper follow the changes in attack threat level, but the risk values predicted by the algorithm in this paper are closer to the actual assessment values than those of the ARMA model.
Fig.6 Network security risk prediction curve
To improve the security of office resources in the Internet environment, an online network security risk assessment method based on a prediction model has been proposed. The method uses the expectation-maximization algorithm to improve the traditional continuous-time hidden Markov model and performs the risk assessment on the resulting prediction model. Simulation results show that the proposed method can effectively perform online prediction of network security and, compared with other methods, achieves higher accuracy and real-time performance, meeting the various information security needs of the Internet environment.