Network Security Situation Assessment Method Based on Threat Propagation

doi:10.3969/j.issn.1671-1122.2025.06.001

Abstract

Abstract:

Network security situation awareness assessment remains a critical research focus in cybersecurity. Previous methods suffered from limited transferability and excessive reliance on expert experience, leading to rigid processes and subjective evaluations. We analyzed malicious traffic graphs and observed that attackers exhibited higher centrality characteristics, structurally resembling interaction patterns in social networks. Centrality analysis, widely used in social networks to identify key nodes and propagation paths, was adapted to detect attack sources and propagation nodes in malicious traffic graphs. This structural similarity enabled transferring social network analysis methods to cybersecurity domains, improving assessment transferability. To address these limitations, this paper proposed ThreatSA, a novel network security situation assessment method. Unlike static approaches, ThreatSA converted malicious traffic into graph structures and quantified node importance through centrality analysis to identify attackers and propagation nodes. It then employed intimacy analysis to measure node relationship strength, dynamically reflecting host security status. The method required only malicious traffic data and functioned effectively in information-incomplete environments. Experimental evaluations on three public datasets demonstrate ThreatSA’s real-time assessment capability with 99.32%, 99.65%, 99.74% similarity scores. Comparative tests show ThreatSA outperforms two representative methods, proving its effectiveness in network security situation assessment.

Key words: situation assessment, threat source localization, centrality analysis, intimacy calculation

CLC Number:

TP309

ZHAO Bo, PENG Junru, WANG Yixuan. Network Security Situation Assessment Method Based on Threat Propagation[J]. Netinfo Security, 2025, 25(6): 843-858.

Figures/Tables 9

References 33

[1]	ALAVIZADEH H, JANG-JACCARD J, ENOCH S Y, et al. A Survey on Cyber Situation-Awareness Systems: Framework, Techniques, and Insights[J]. ACM Computing Surveys, 2023, 55(5): 1-37.
[2]	CHEN Xiuzhen, ZHENG Qinghua, GUAN Xiaohong, et al. Quantitative Hierarchical Threat Evaluation Model for Network Security[J]. Journal of Software, 2006, 17(4): 885-897.
	陈秀真, 郑庆华, 管晓宏, 等. 层次化网络安全威胁态势量化评估方法[J]. 软件学报, 2006, 17(4): 885-897.
[3]	JIA Yiyang, WU Hanyan, JIANG Dongxing. A Hierarchical Framework of Security Situation Assessment for Information System[C]// IEEE. 2015 International Conference on Cyber-Enabled Distributed Computing and Knowledge Discovery. New York: IEEE, 2015: 23-28.
[4]	XIE Lixia, NI Huiyu, YANG Hongyu, et al. A Key Business Node Identification Model for Internet of Things Security[EB/OL]. (2020-12-12)[2024-12-15]. https://doi.org/10.1155/2020/6654283.
[5]	ALALI M, ALMOGREN A, HASSAN M M, et al. Improving Risk Assessment Model of Cyber Security Using Fuzzy Logic Inference System[J]. Computers & Security, 2018, 74: 323-339.
[6]	BODE M A, OLUWADARE S A, ALESE B K, et al. Risk Analysis in Cyber Situation Awareness Using Bayesian Approach[C]// IEEE. 2015 International Conference on Cyber Situational Awareness, Data Analytics and Assessment (CyberSA). New York: IEEE, 2015: 1-12.
[7]	XI Rongrong, YUN Xiaochun, ZHANG Yongzheng. Quantitative Threat Situational Assessment Based on Contextual Information[J]. Journal of Software, 2015, 26(7): 1638-1649.
	席荣荣, 云晓春, 张永铮. 基于环境属性的网络威胁态势量化评估方法[J]. 软件学报, 2015, 26(7): 1638-1649.
[8]	POOLSAPPASIT N, DEWRI R, RAY I. Dynamic Security Risk Management Using Bayesian Attack Graphs[J]. IEEE Transactions on Dependable and Secure Computing, 2012, 9(1): 61-74.
[9]	LI Cheng, LI Xingming. Cyber Performance Situation Awareness on Fuzzy Correlation Analysis[C]// IEEE. 2017 3rd IEEE International Conference on Computer and Communications (ICCC). New York: IEEE, 2017: 424-428.
[10]	ZHANG Lin, ZHU Yian, SHI Xianchen, et al. A Situation Assessment Method with an Improved Fuzzy Deep Neural Network for Multiple UAVs[EB/OL]. (2020-04-04)[2024-12-15]. https://doi.org/10.3390/info11040194.
[11]	ZHAO Yuyu, CHENG Guang, DUAN Yu, et al. Secure IoT Edge: Threat Situation Awareness Based on Network Traffic[EB/OL]. (2021-11-06)[2024-12-15]. https://doi.org/10.1016/j.comnet.2021.108525.
[12]	TANG Xiangyan, CHEN Meizhu, CHENG Jieren, et al. A Security Situation Assessment Method Based on Neural Network[EB/OL]. (2020-01-03)[2024-12-15]. https://link.springer.com/chapter/10.1007/978-3-030-37352-8_52.
[13]	LI Yan, HUANG Guangqiu, WANG Chunzi, et al. Analysis Framework of Network Security Situational Awareness and Comparison of Implementation Methods[EB/OL]. (2019-08-13)[2024-12-15]. https://jwcn-eurasipjournals.springeropen.com/articles/10.1186/s13638-019-1506-1.
[14]	KUMARI A, GUPTA D, UPPAL M. Enhanced Security Measures for Government and Military: ANN and Decision Tree Approach to Counter VPN Malicious Transmission[C]// IEEE. 2024 IEEE 3rd World Conference on Applied Intelligence and Computing (AIC). New York: IEEE, 2024: 1367-1372.
[15]	GOMES J E C, EHLERT R R, BOESCHE R M, et al. Surveying Emerging Network Approaches for Military Command and Control Systems[J]. ACM Computing Surveys, 2024, 56(6): 1-38.
[16]	UPADHYAY D, MANERO J, ZAMAN M, et al. Intrusion Detection in SCADA Based Power Grids: Recursive Feature Elimination Model with Majority Vote Ensemble Algorithm[J]. IEEE Transactions on Network Science and Engineering, 2021, 8(3): 2559-2574.
[17]	VERMA P, BHAROT N, BRESLIN J G, et al. Uncovering Collateral Damages and Advanced Defense Strategies in Cloud Environments against DDoS Attacks: A Comprehensive Review[EB/OL]. (2020-04-04)[2024-12-15]. https://doi.org/10.1002/ett.4934.
[18]	ESFANDIARI S, FAKHRAHMAD M. Predicting Node Influence in Complex Networks by the K-Shell Entropy and Degree Centrality[C]// ACM. Companion Proceedings of the ACM Web Conference 2024. New York: ACM, 2024: 629-632.
[19]	LEE Y G, PARK M J, KWON O M. Betweenness-Centrality-Based-Pinning Control Approach to Nonlinear Multi-Agent Systems[J]. IEEE Transactions on Circuits and Systems II: Express Briefs, 2024, 71(3): 1216-1220.
[20]	LIU Zhenfang, YE Jianxiong, ZOU Zhaonian. Closeness Centrality on Uncertain Graphs[J]. ACM Transactions on the Web, 2023, 17(4): 1-29.
[21]	ZHANG Tianming, FANG Junkai, YANG Zhengyi, et al. TATKC: A Temporal Graph Neural Network for Fast Approximate Temporal Katz Centrality Ranking[C]// ACM. Proceedings of the ACM Web Conference 2024. New York: ACM, 2024: 527-538.
[22]	ZOU Deqing, WU Yueming, YANG Siru, et al. IntDroid: Android Malware Detection Based on API Intimacy Analysis[J]. ACM Transactions on Software Engineering and Methodology, 2021, 30(3): 1-32.
[23]	BRINGMANN L F, ELMER T, EPSKAMP S, et al. What Do Centrality Measures Measure in Psychological Networks?[J]. Journal of Abnormal Psychology, 2019, 128(8): 892-903. doi: 10.1037/abn0000446 pmid: 31318245
[24]	MOUSTAFA N, SLAY J. UNSW-NB15: A Comprehensive Data Set for Network Intrusion Detection Systems (UNSW-NB15 Network Data Set)[C]// IEEE. 2015 Military Communications and Information Systems Conference (MilCIS). New York: IEEE, 2015: 1-6.
[25]	ALMSEIDIN M, AL-SAWWA J, ALKASASSBEH M. Generating a Benchmark Multi-Step Cyber Attacks Dataset for Intrusion Detection[J]. Journal of Intelligent & Fuzzy Systems, 2022, 43(3): 3679-3694.
[26]	KOUR K, GOSWAMI S, SHARMA D M, et al. Honeynet Implementation in Cyber Security Attack Prevention with Data Monitoring System Using AI Technique and IoT 4G Networks[J]. International Journal of Communication Networks and Information Security (IJCNIS), 2022, 14(3): 163-175.
[27]	SUN Jingchun, DENG Fei, DU Boya. Research on Whole-Link Risk Situational Awareness Index System and Dynamic Risk Pool Supervision[C]// ACM. The 2022 11th International Conference on Networks, Communication and Computing. New York: ACM, 2022: 190-197.
[28]	WANG Juan, ZHANG Fengli, FU Chong, et al. Study on Index System in Network Situation Awareness[J]. Journal of Computer Applications, 2007, 27(8): 1907-1909.
	王娟, 张凤荔, 傅翀, 等. 网络态势感知中的指标体系研究[J]. 计算机应用, 2007, 27(8): 1907-1909.
[29]	WU Guo, CHEN Lei, SI Zhigang, et al. An Index Optimization Model for Network Security Situation Evaluation[J]. Computer Engineering & Science, 2017, 39(5): 861-869.
	吴果, 陈雷, 司志刚, 等. 网络安全态势评估指标体系优化模型研究[J]. 计算机工程与科学, 2017, 39(5): 861-869.
[30]	CONRADI J, DRIEMEL A. On Computing Thek-Shortcut Fréchet Distance[J]. ACM Transactions on Algorithms, 2024, 20(4): 1-37.
[31]	ZHANG Ruiqing, XIA Jingkang, MA Junjie, et al. Human-Robot Interactive Skill Learning and Correction for Polishing Based on Dynamic Time Warping Iterative Learning Control[J]. IEEE Transactions on Control Systems Technology, 2024, 32(6): 2310-2320.
[32]	SHI Zhanhui, XIAO Jie, JIANG Jianhui, et al. Identifying Reliability High-Correlated Gates of Logic Circuits with Pearson Correlation Coefficient[J]. IEEE Transactions on Circuits and Systems II: Express Briefs, 2024, 71(4): 2319-2323.
[33]	WALEED A, JAMALI A F, MASOOD A. Which Open-Source IDS? Snort, Suricata or Zeek[EB/OL]. (2022-06-22)[2024-12-15]. https://doi.org/10.1016/j.comnet.2022.109116.

恶意流量数量/个	网络节点数量/个	图构建时间/s	态势评估时间/s
1000	14	0.04846	0.00071
1000	26	0.04279	0.00070
10000	14	0.43943	0.00114
10000	26	0.39719	0.00111
100000	14	4.44807	0.00112
100000	26	3.98954	0.00167
1000000	14	44.86769	0.00114
1000000	26	0.00167	0.00171

因素方法	层次化方法	基于上下文的方法	ThreatSA
数据类型	告警	告警	恶意流量
资产信息	需要	需要	不需要
网络信息	需要	需要	不需要
人工分析	需要	需要	不需要
分析对象	每个主机	每个主机	中心主机
客观性	较差	较差	较高
可移植性	较差	较差	较高
弗雷歇距离	87.64%	90.12%	99.74%
动态时间规整	0.087	0.750	0.043
相关系数	53.5%	40.1%	94.1%
标准差	0.314	0.235	0.292