A hierarchical algorithm for cyberspace situational awareness based on analytic hierarchy process

294HICH TECHNOLOGY LETTERSIVol. 13 No.3ISept. 2007son matrix between hosts and network can be obtained asThe results are shown as follows:the followingλmax = 8.0233W =[0.1919,0.1919 ,0.0575,0.0575 ,0. 1031,H「15210.1031 ,0.1031 ,0. 1919]T.1/5 1 1/2According to the Eqs. (5) and (6), the unifomityjudgment is shown as the following:By nommalizing each column vector in pairwise com-8.0233一8= 0.00338-1parison matrix of the host-network, the eigenvector W =0.0033[0. 5954,0.1283,0.2763]T and maximum eigenvalueCR=R=1.40= 0.0024 << 0.1.λmx = 3.0055 are obtained. Here, the number of hosts is(2 )The judgment matrix of the services provided by3. Based on the historical research on AHP, the index ofRandom Identity ( RI) is 0.58. Hence,cI=Amex-n.=3.0055-= 0.0028H2→S=lI3- 1The computation results are as follows:CR =CI 0. 0028the maximum eigenvalue λmax = 2,RI=0.58=0.0047<<0.1The above computations show that the inconsistencythe eigenvector W = [0.6667,0.3333]T, CI =0index of the judgment matrix is acceptable. Then,and CR=0.0.5954, 0. 1283 and 0. 2763 are the importance weights(3)The judgment matrix of the services provided byof the hosts H;, H2 and Hz, respectively.Following the above procedure, the judgment matrixof each host is also constructed, and the eigenvector andeigenvalue are calculated, The uniformity judgment is giv-H3+S=1/31/311en below.(1)The judgment matrix of the services provided byThe maximum eigenvalue λmux = 4; The eigenvectorW = [0.375,0.375,0.125,0.125]", CI=0 and CR =Hl→S=0. The results show that the constructed matrix satisfiesthe condition. Finally, the total importance rank of each33service provided in the network is shown in Table 2.1/31/3111/21/21/21/3The uniformity check of the general rank of weightingcoefficients is described in detail as the following1 1/2CI=2H;.CI;=0.5954x0.0033+0.1283x1/21/2221/20+ 0.2763 x 011331.= 0.002:able 2 The weighting coefficients rank of the services and hostsHost levelHost HHost H2Host H3General rankService level0. 59540.12830.2763RPC0. 19190.66670.3750.3034WEB00.1143SOCKS0.05750.1250.0688PROXYSNMP0. 10310.0614FTP0.33330.1041NetBIOSTELNET).1919DNSC0. 1036中国煤化工CN MHG .296HIGH TECHNOLOGY LETTERSIVol. 13 No.3ISept. 2007National Symposium on Sensor and Data Fusion, 1999. 1-63 Conclusions[ 5] XiaoHD, Li J H. Analyeis of security aituation of networksbased on knowledge base. WSEAS Trans on Electronics ,2006, 3(1): 34-39It is an emenging technique to utilize multi-source[ 6] ChenXZ, ZhengQ H, Guan X H, et al. Approach to secu-data with weighting cofficients to achieve a quantitativerity evaluation based on rough set theory for host comnputer.description about the overall data. By combining the alertJournal of Xi' an JiaoTong Unizersity , 2004, 38(12): 1228-necords and fusing the data from the bottom to the top,1231, 1255 (in Chineae)the quantitative evaluation of the attack degree that the[ 7] Li W s, Wang B S. Sitnation asment based on Bayesiannetwork suffers can be accomplished. The above proce-network. Systems Engineering and Electronics , 2003, 25(4):dure will be the goal of the network management systems480- 483 ( in Chinese)in the future. Starting with the Snort alerts, this paper[ 8] Mahew S, Shah C, Upadhyaya S. An alert fusion frameworksituation awareness of coordinated multistage attacks. Inimplements a great deal of calculation, and achieves theProceedings of the 3rd EEE Intermational Workshop on Infor-curent situation of the network security . The experimen-mation Assurance, Maryland, 2005. 95-104tal results reflect the security situation of the evaluated[ 9] Chen X Z, Zheng Q H, Guan X H, et al. Multiple behaviornetwork accurately, and lay an academic foundation forinformation fusion based quanhitative threat evaluation. Com-the future research. The proposed approach makes theputer & Seurity, 24 (3): 218-231analysis more reliable and easier to realize. Several mea-[10] Satty T L. The Analytic Hierarchy Process. New York: Mc-sures can be implemented to improve our proposedGraw-Hll，1980. 17-34scheme, like the order reduction of the pairwise compari-[11] Chen X Z, ZhengQ H, Guan XH, et al. Study叽evalua-tion for security situation of networked systeme. Joumal ofson matrix. It is a tradeoff between perfomance and com-Xi' an }iaoTong Unitersity, 2004, 38 (4): 404 407 (in Chi-plexity for the large scale network to meet the demands.nese)[12] The Nessus Vulnerability Scanner. http://www. nessus. com;ReferenceTenable Network SecunityTM, 2005[ 1] Hall D L, Llinas J. Introduction to mulb sensor data fusion.[13] Snort. http://www. snort. org: SourceFile Inc, 2006In: Proceedings of the IEEE Intemational Symposium on Cir-[14] Ted Hale. Analysis of Snt Alent Log for the Project HoneyNetcuits and Systeme, Monterey, 1998. 537-540Scan of the Month 17. http://www. honeynet. rg/ scans/[ 2] Bass T, Intnusion detection systems and multi-sensor data fu-scan17/ soo/ 8om1/ som1-LogAnalysis. html:HoneyNet. org, 2001sion: creating cyberspace situation awareness. Communica-[15]Nation Anti-Intnusion & Anti- Vinus Center. htp://www. a-tions of the ACM, 2000, 43(4): 99-105iav . com.cn: AI & AV, 2005 (in Chinese)[ 3] Bass T, Robichaux R. Defense -in deph revisited; qualitativerisk analysis methodology for complex network- centric opeta-Hu Wei, born in 1977. Now he is a Ph.D candi-tions. hn: Proceedings of the IEEE Military Communicationsdate in Electronic Engineering Departnent of Shanghai[ 4} Bass T. Multi-seneor data fusion for next generation distribut-Jiaotong University. His research interests include com-ed intrusion detection systems. In: Proceedings of the IRISputer cormunication network, network secunty manage-ment and data fusion ,中国煤化工CNMHG