Hierarchical online risk assessment for intrusion scenarios

Chengpo Mu*, Houkuan Huang, Shengfeng Tian

*Corresponding author for this work

Research output: Contribution to journal › Article › peer-review

5 Citations (Scopus)

Abstract

A hierarchical online risk assessment model is proposed in this paper, which can assess the real-time risk caused by an ongoing intrusion scenario at the service level, host level and network level. D-S evidence theory is used to fuse multiple variables of an alert thread that reflect the risk trend, in order to calculate the risk index at the service level. The risk situation at the service level is evaluated by combining the risk index with the target risk distribution character, which is determined by the importance of the attacked services. A risk assessment approach based on the barrel principle is proposed to evaluate the risk situation at the host level. The security dependency network concept and its corresponding properties are defined, and an improved risk propagation algorithm is used to assess the risk situation at the network level. The proposed assessment model properly combines alert processing algorithms, including alert verification, alert aggregation, alert correlation and alert confidence learning, with risk assessment. As a result, the model handles the problems of subjectivity, fuzziness and uncertainty well. The experiments show that the online risk assessment results accord with the real situation of the attacks. Therefore, the hierarchical risk assessment approach gives strong support to intrusion response timing decisions, intrusion response measure decisions and response adjustment.
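The abstract describes three aggregation steps: Dempster-Shafer (D-S) fusion of several alert-thread variables into a service-level risk index, a barrel-principle (weakest-stave) step at the host level, and risk propagation over a security dependency network. The following Python block is an added illustration written for this page; it is not the authors' code, and it does not reproduce their exact variables, risk distribution character or propagation algorithm. It uses textbook Dempster's rule over the frame {risky, safe} and makes three labelled assumptions: each alert-thread variable becomes a simple support mass, service importance scales the risk index, and propagation takes the maximum of a host's own risk and its weighted dependency risk.

```python
"""Illustrative hierarchical risk aggregation (added example, not the paper's code)."""
from itertools import product

# Frame of discernment: hypotheses are sets over {"R", "S"} (risky / safe).
R = frozenset({"R"})
S = frozenset({"S"})
THETA = frozenset({"R", "S"})  # total ignorance


def dempster_combine(m1, m2):
    """Dempster's rule of combination for two mass functions over the same frame."""
    combined = {}
    conflict = 0.0
    for (a, ma), (b, mb) in product(m1.items(), m2.items()):
        inter = a & b
        if inter:
            combined[inter] = combined.get(inter, 0.0) + ma * mb
        else:
            conflict += ma * mb  # mass assigned to the empty set
    if conflict >= 1.0:
        raise ValueError("sources are in total conflict; Dempster's rule is undefined")
    return {h: v / (1.0 - conflict) for h, v in combined.items()}


def fuse(masses):
    """Fold Dempster's rule over a list of mass functions (order does not matter)."""
    result = masses[0]
    for m in masses[1:]:
        result = dempster_combine(result, m)
    return result


def support_mass(score, supports):
    """ASSUMPTION: a variable in [0,1] becomes a simple support mass.

    `score` goes to the hypothesis it supports (R or S); the rest goes to THETA,
    so a weak variable expresses ignorance rather than the opposite hypothesis.
    """
    score = min(max(score, 0.0), 1.0)
    return {supports: score, THETA: 1.0 - score}


def risk_index(m):
    """Belief committed to 'risky' after fusion; a value in [0,1]."""
    return m.get(R, 0.0)


def service_risk(index, importance):
    """ASSUMPTION: service importance in (0,1] scales the fused risk index."""
    return min(1.0, index * importance)


def host_risk(service_risks):
    """Barrel principle (ASSUMPTION: the most at-risk service sets the host's risk)."""
    return max(service_risks) if service_risks else 0.0


def propagate(host_risks, deps, rounds=10):
    """ASSUMPTION: simplified risk propagation over a security dependency network.

    deps maps a host to [(provider_host, dependency_weight)]; a host inherits
    weight * provider risk when that exceeds its own risk. Iterates to a fixpoint.
    """
    risk = dict(host_risks)
    for _ in range(rounds):
        updated = dict(risk)
        for host, edges in deps.items():
            for provider, weight in edges:
                updated[host] = max(updated[host], risk[provider] * weight)
        if updated == risk:
            break
        risk = updated
    return risk


def demo():
    """Constructed alert-thread variables for one attacked service on host 'db'."""
    evidence = [
        support_mass(0.8, R),  # constructed: alert confidence after verification
        support_mass(0.6, R),  # constructed: attack progress within the scenario
        support_mass(0.5, S),  # constructed: partial evidence the target is patched
    ]
    fused = fuse(evidence)
    idx = risk_index(fused)                      # about 0.852
    db_host = host_risk([service_risk(idx, 1.0)])
    hosts = {"db": db_host, "web": 0.3, "dns": 0.1}
    deps = {"web": [("db", 0.8)], "dns": []}    # constructed dependency network
    return {"index": idx, "network": propagate(hosts, deps)}


if __name__ == "__main__":
    print(demo())
```

Two properties worth noticing: with only R/THETA masses, fusion can only raise the index (ignorance never pulls it down), and conflict appears only when a source commits mass to S, which is where Dempster's rule normalises it away. A real deployment would also need a rule for what to do when conflict is high, since the normalisation then amplifies whatever small agreement remains.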

Original language: English
Pages (from-to): 1724-1732
Number of pages: 9
Journal: Jisuanji Yanjiu yu Fazhan/Computer Research and Development
Volume: 47
Issue number: 10
Publication status: Published - Oct 2010

Keywords

  • Alert processing
  • Intrusion detection
  • Intrusion response
  • Network security
  • Online risk assessment
