Computer Science ›› 2012, Vol. 39 ›› Issue (7): 11-17.


Network Security Situation Awareness System Based on Knowledge Discovery

  

  • Online:2018-11-16 Published:2018-11-16

Abstract: Network security administrators need to obtain and analyze the network security situation for management, maintenance, and planning purposes. The complexity and diversity of security alert data on modern networks, however, make precise analysis and evaluation of the network security situation extremely difficult. We summarized the research progress and existing problems of network security situation awareness, and proposed a network security situation modeling and generation framework based on knowledge discovery. We then designed and implemented the network security situation awareness system (Net SSA) based on this framework. Net SSA consists of two parts: the modeling of the network security situation and the generation of the network security situation. The purpose of modeling is to construct a formal model of network security situation measurement based upon D-S evidence theory, and to support the general process of fusing and analyzing security alert events collected from security situation sensors. The network security situation is generated by extracting frequent patterns and sequential patterns from the network security situation dataset using knowledge discovery methods, transforming these patterns into correlation rules of the network security situation, and finally constructing the network security situation graph automatically. The experimental results show that the system supports accurate modeling and effective generation of the network security situation.

Key words: Network security, Security situation modeling, Security situation generation, Data mining, Knowledge discovery
