Abstract
To provide a reliable basis for network administrators' decision-making and defense measures, a hidden Markov prediction model is proposed by studying how the network security situation changes. A time series analysis method is used to describe the correlation of the security situation at different times. When the security situation is in the sub-state or deviates from the normal state, the security situation prediction mechanism is used to analyze its pattern of change and predict the trend of the system security situation. Finally, the proposed network security situation prediction algorithm is verified with simulation data. The simulation results verify the correctness of this method.
A Hidden Markov Model (HMM) is a statistical model whose difficulty lies in determining the hidden parameters of a process from its observable parameters. It is a probability model of time series: a hidden Markov chain randomly generates an unobservable sequence of states, and each state then generates an observation, producing a random observation sequence. To use a hidden Markov model, the state set and observation set of the model must be given in advance.
For example, there is a child named Xiaoming. Xiaoming gets up early every day and goes to school at night. Suppose Xiaoming has three states at school: losing money, picking up money, and not losing money. Let's call them $\{q_0, q_1, q_2\}$.
So how can we determine his money-losing state? If Xiaoming loses money, he should be in a bad mood today. If he picks up the money, he will be in a good mood when he comes back. If he hadn't lost it, he would surely be depressed. We will record his mental state as $\{v_0, v_1, v_2\}$. We observed Xiaoming's mentality for a week, and the order of his mentality was $\{v_0, v_0, v_1, v_1, v_2, v_0, v_1\}$. So what is Xiaoming's state of losing money this week? The hidden Markov model is introduced here.
The formal definition of hidden Markov model is as follows:
An HMM is determined by the state transition matrix A, the observation probability matrix B and the initial state probability π, so it can be written as $\lambda = (A, B, \pi)$.
When using hidden Markov model, there are usually three problems involved, namely:
The latter calculation is similar to Markov, so I won't write it.
2.1 Network security situation
Research on situation awareness at home and abroad has mostly concerned situation acquisition on the military battlefield; research on situation acquisition in the field of network security is still in its infancy, and there is no universally recognized solution. Zhang Haixia et al. [9] put forward a hierarchical quantification method of network security to calculate the comprehensive threat value. The more dangerous the network entity is, the higher the threat value is. The network security situation defined in this paper consists of three dimensions: network basic operability, network vulnerability and network threat. The current security situation of the entire network, SA = (operability, vulnerability, threat), is presented to users in an intuitive form along these three dimensions (or components). Through network security situation awareness and information fusion from all operating components on the network, each dimension can be quantified and graded. To simplify the calculation experiment and reduce complexity, this paper grades each dimension of the security situation on three levels in total: "high, medium, poor" or "1, 2, 3". This paper mainly predicts the network security situation.
2.2 Establish a forecasting model
A hidden Markov model can easily solve a basic problem: given an observation symbol sequence, predict the occurrence probability of a new observation symbol sequence. A hidden Markov model is a stochastic process relating an observable variable O and a hidden variable S, which closely resembles the internal state (hidden state) and external state (observable state) of a security situation system. Therefore, the hidden Markov model is well suited to analyzing the network security situation. In this paper, the hidden Markov time series analysis method is used to describe the correlation of the security situation at different times.
Knowing the network security situation at time t, predict the possible network security situation at times t+1, t+2, ..., t+n. The external performance characteristics of the hidden Markov model are composed of the three dimensions of the network security situation, namely network basic operability, network vulnerability and network threat. These form the observation state or external state, and each takes the value "high, medium, poor" or "1, 2, 3", so there are $3^3$ observable security situations in total. The internal state (hidden state) of the model is the value of the security situation SA: "high, medium high, medium, medium poor and poor". Note: each of the three dimensions of external characteristics in this paper has three levels, while the internal state SA has five levels. An example of this model is shown in Figure 1.
Generally, the network security situation SA changes among the five states "high, medium high, medium, medium poor and poor" with a certain probability, moving from one state to another. These states are called internal states or hidden states and cannot be monitored from outside. The external performance characteristics of the security situation, such as network basic operability, network vulnerability and network threat, can be monitored by monitoring tools. These monitored parameter values can be regarded as one observable state (the external state, a vector consisting of L components). In Figure 1, it is assumed that state 1 is the "high" state of the security situation and state 5 is the "poor" state. In practical application, this can be set according to the specific situation. In this paper, with L = 3 external characteristics of the security situation, there are 27 observable external states and N = 5 internal states (hidden states) in total.
Definition 1: Let the internal hidden states of the network security situation SA be $S_1, S_2, \dots, S_5$. The network security situation switches freely among these five hidden states with a certain probability $a_{ij}$, where $0 \le a_{ij} \le 1$.
Definition 2: The external performance characteristics of the network security situation SA can be expressed by L random variables $x_i$ ($1 \le i \le L$, where $L = 3$), which together form one L-dimensional random variable $v = (x_1, x_2, \dots, x_L)$. At time i, one specific observation $o_i$ takes the value $v_i$, so observing v over T time steps yields one security situation observation sequence $O = \{o_1, o_2, \dots, o_T\}$.
The basic idea of this paper is to establish the corresponding hidden Markov model and collect the total number of internal and external states to train it. When the network security situation is abnormal, the external performance characteristic data of the network are collected by the monitor, and the trained HMM is used to predict the network security situation, which provides a decision-making service for the administrator.
The basic steps are as follows. First, according to lemma 1, the prior values of the three parameters $\lambda = (\pi, A, B)$ of the hidden Markov model are given. Second, samples are randomly collected according to certain rules to train the HMM until it converges, and the approximate values of the three parameters are obtained. Finally, a group of network security situation sample observation sequences is used to predict the situation in the next phase.
The data of a group of 10 observation samples collected in this experiment are as follows:
<high, high, high>, <high, high, high>, <high, medium, high>, <high, medium, medium>, <medium, medium>, <medium, medium>, <medium, medium, high>, <medium, high, high>, <high, high, high> and.
These samples are input to the hidden Markov model and decoded into the hidden states of the security situation: "high, high, medium high, medium high, medium high, medium high, medium high, medium high, medium high, medium high, medium high, medium high". The final hidden state is $q_T$ = "high". Because $a_{11} = 0.6826$ (high last time, high next time) is the highest among all hidden state transition probabilities, the security situation SA at time T+1 is "high". The comparison chart of network security situation prediction is shown in Figure 4, in which the vertical axis indicates the security situation level, "5" indicates "high" and "0" indicates "low"; the horizontal axis represents time. When the sampling number is 10, the security situation is high. It is predicted that the security situation at the next sample, the 11th, should be high with a reliability of 68.26%. Through this experiment, the trained hidden Markov prediction model makes it convenient to predict the development trend of the network security situation at the next moment. It is obvious from Figure 4 that the reliability of the HMM method in this paper is higher than that of the Bayesian prediction method.
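The decode-then-predict step described above, as an added example that is not code from the paper: Viterbi decoding over 5 hidden SA levels and 27 observable triples, followed by the forecast taken from the row of A for the last decoded state. Only a_11 = 0.6826 comes from the page; the rest of A, the emission rule, the uniform initial distribution and the 10-sample sequence are constructed assumptions, and training is skipped (the parameters are fixed).

```python
import math
from itertools import product
STATES = ["high", "medium high", "medium", "medium poor", "poor"]  # hidden SA levels
LEVEL = {"high": 1, "medium": 2, "poor": 3}                       # grade of one dimension
OBS = list(product((1, 2, 3), repeat=3))                           # 27 observable triples

# Transition matrix A. Only a_11 = 0.6826 is from the page; all other values are constructed.
A = [[0.6826, 0.2000, 0.0800, 0.0274, 0.0100],
     [0.2500, 0.5000, 0.1500, 0.0700, 0.0300],
     [0.1000, 0.2000, 0.4000, 0.2000, 0.1000],
     [0.0300, 0.0700, 0.1500, 0.5000, 0.2500],
     [0.0100, 0.0400, 0.1000, 0.2500, 0.6000]]
PI = [0.2] * 5  # constructed uniform initial distribution

def emission_row(k):
    """Constructed B row: state k favours triples whose grade sum is near 3 + 1.5k."""
    w = [math.exp(-2 * abs(sum(o) - (3 + 1.5 * k))) for o in OBS]
    return [x / sum(w) for x in w]
B = [emission_row(k) for k in range(5)]

def encode(triple):
    """Map (operability, vulnerability, threat) labels to an observation index 0..26."""
    return OBS.index(tuple(LEVEL[x] for x in triple))

def viterbi(obs):
    """Most likely hidden-state sequence for a list of observation indices (log space)."""
    n = range(len(STATES))
    delta = [math.log(PI[s] * B[s][obs[0]]) for s in n]
    back = []
    for o in obs[1:]:
        prev = [max(n, key=lambda i: delta[i] + math.log(A[i][j])) for j in n]
        delta = [delta[prev[j]] + math.log(A[prev[j]][j] * B[j][o]) for j in n]
        back.append(prev)
    path = [max(n, key=lambda s: delta[s])]
    for prev in reversed(back):          # follow back-pointers from the last step
        path.append(prev[path[-1]])
    return [STATES[s] for s in reversed(path)]

def predict_next(last_state):
    """Forecast for T+1: the largest transition probability in the row of A for q_T."""
    row = A[STATES.index(last_state)]
    j = max(range(len(row)), key=row.__getitem__)
    return STATES[j], row[j]

# Constructed 10-sample observation sequence (not the paper's data).
SAMPLE = [("high", "high", "high")] * 2 + [("high", "medium", "high"),
          ("high", "medium", "medium")] + [("medium", "medium", "medium")] * 2 + [
          ("medium", "medium", "high"), ("medium", "high", "high")] + [("high", "high", "high")] * 2
```

Calling `viterbi([encode(t) for t in SAMPLE])` and passing the last decoded state to `predict_next` reproduces the shape of the page's result: a dip through "medium" that recovers to "high", and a forecast of "high" whose stated reliability is just the transition probability 0.6826.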