Network Security Risk Assessment and Situation Analysis

Liu Mixia, Yu Dongmei, Zhang Qiuyu, Zhu Honglei

College of Computer and Communication, Lanzhou University of Technology, Lanzhou, China 730050
ABSTRACT: With the development of computer networks, the spread of malicious network activities poses great risks
to the operational integrity of many organizations and imposes heavy economic burdens on life and health. Risk
assessment is therefore very important in network security management and analysis. Network security situation analysis
not only describes the current state of the network but also projects its next behavior. Alerts from IDS, firewalls
and other security tools are growing at a rapid pace, and large organizations have trouble keeping on top of the
current state of their networks. In this paper we describe cyberspace situational awareness from formal and visual
perspectives. Then, to help the security administrator comprehend the security situation and project the next behaviors
of the whole network, we propose a parallel axes view that clearly expresses the correlations among security events.
Finally, we conclude that visualization is an important research direction for network risk evaluation and situation analysis.

KEYWORDS: security assessment, situational awareness, visualization, correlation


Network security assessment examines a computer system or network facilities to find security holes and
vulnerabilities that a hacker could exploit, so that measures can be taken early and the network system protected from
threats. Current methods of information security risk evaluation are basically either qualitative or quantitative.
According to their data resources, research on the network security situation falls into two broad classes: work based
on system deployment information and work based on system running information[1]. The former concerns system design,
deployment, services and hidden trouble in the system. The latter concerns attack situations on the system, derived
mainly from the IDS log database.

Security situation estimation based on system running information is mainly concerned with threat estimation from
single events on the system. Bass proposed that next-generation cyberspace intrusion detection systems will fuse data
from heterogeneous distributed network sensors to create cyberspace situational awareness, and that multisensor data
fusion is an important avenue toward highly reliable intrusion detection and security-decision systems that identify,
track and assess cyberspace situations with multiple complex threats[2][3]. However, he offers only small steps toward
setting the engineering requirements for designing and developing cyberspace situational awareness systems. Chen
Xiuzhen developed a quantitative hierarchical threat evaluation model and computational method, based on the structure
of the network and the importance of services and hosts, to evaluate the security threat status of a computer network
system[1].

Because attacks are dynamic, analysts who cannot absorb and correlate the available data find it difficult to detect
sophisticated attacks. Developing tools that increase the situational awareness and understanding of all those
responsible for the network's safe operation can increase a computer network's overall security. System administrators
are typically limited to textual or simple graphical representations of network activity. A growing body of research
validates the role of visualization as a means of solving complex data problems. Yarden and Stefano focus on visual
correlation of network alerts and situational awareness[4][5]. The National Center for Supercomputing Applications
(NCSA) has developed two applications for the detection of network incidents, VisFlowConnect[6] and NVisionIP[7], which
derive the Internet security situation from the visualization of connection analysis and system status.

A network is a system, and security is a process, not a product. Analyzing network risk and estimating the situation
should therefore take a system point of view rather than assessing security status on the basis of a single security
tool. For instance, virus scanners target malicious content, vulnerability scanners provide information about
opportunities to exploit systems, intrusion detection systems identify suspicious activities, and misuse detectors
identify policy violations.


The notion of cyberspace situational awareness comes from air traffic control. Currently there is no uniform, general
definition of it. The network situation denotes the current status of the whole network and its trend of change, as
affected by factors such as the running status of network facilities, network and user behavior, and so on. In short,
a situation is a status, a trend, and a whole.

2.1 Formal Description

Situational awareness was defined by Endsley as "the perception of the elements in the environment within a volume
of time and space, the comprehension of their meaning, and the projection of their status in the near future". The
formal definition of security situational assessment breaks down into three separate levels.
Level 1, refinement of security situation features: the data resources for refinement come from the virus scanner,
misuse detector, IDS and firewall. We formalize them as an n-tuple [8]:

$$S_l = \{T_1, T_2, T_3, T_4, \cdots, T_n\} \qquad (1)$$

$S_l$ is the information vector of period $t$, and $T_j$ is the feature information from the various security tools,
such as alerts, logs and audit data. The information vectors obtained from the security tools over successive periods
make up the situation space. Refining the security situation features means refining the feature vector $V_i$: a few
alert types are refined from a large number of security events.

Level 2, comprehension of the current situation: explain and estimate the current security status of the network
according to the $V_i$ produced by level 1, and form the alert track $A$. $A$ is revised as further feature vectors
arrive. The whole network situation space is $\theta = \{A, B, C, D, \cdots\}$, whose elements are the alert tracks
that may appear. The set of situation feature vectors obtained so far is $M = \{V_1, V_2, V_3, V_4, \cdots\}$.
Comprehending the current situation means finding a mapping $F : M \to \theta$.

Level 3, projection of the future network security situation: project the future situation of network security based
on $\theta$ from level 2, and present the trend of network security by means of probability. That is, seek the security
situation $\theta(t + \Delta t)$ at time $t + \Delta t$ from the situation $\theta(t)$ at time $t$. Projecting the
future situation means finding a mapping $\varphi : \theta(t) \to \theta(t + \Delta t)$.

The relationship between these security situational assessment levels, the mental model, and decision-making is
illustrated in Figure 1.

Fig. 1 Security situational assessment

2.2 Visualization

Most current information security tools target specific problems rather than the big picture. Visualization is a
useful method for advancing security situation assessment. With visualization one can review many events simultaneously
and see patterns and trends, whereas textual or tabular representations focus on details and intensive study of a few
events or parameters; that is good for studying events sequentially but makes it difficult to see all the security
events at the same time.

Visualization was initially used to display system logs or IDS logs, but such displays cannot be updated in real time.
We therefore propose a data-flow, multi-source, multi-view visualization system for estimating the network security
situation.

2.3 Correlation

In level 1's refinement of situation features, the large number of security events from the various security tools
must be correlated. Yarden presented visual correlation [4][5]. Their approach represents network alerts as connections
between two domains: one represents the node attribute, the other is a two-dimensional domain representing the time
and type attributes, as shown in Figure 2. The node domain is mapped onto a finite circle, while the type-time domain
is wrapped around it in the shape of a ring, as shown in Figure 3.



Fig. 2 Security alerts domain

Fig. 3 Visualization mapping

The main problem in correlating alerts from disparate logs is the apparent lack of common ground on which to base any
comparison between alerts. In Yarden's method, alerts must satisfy what they term the W3 premise: the when, where and
what attributes, namely time, node and type. In level 1 of security situation assessment, a few alert types are refined
from a large number of security events; these form the alert tracks A in level 2. In our design, a parallel axes view
represents the correlations between security events from the various security tools, as illustrated in Figure 4.
When a new attack event arrives, it is compared with all alert tracks and either joins the similar track or produces
a new one. If a new track is produced, the count on the alert track axis changes to n+1. If the event joins an existing
track, a line is drawn from the event to the alert track. A darker or thicker line represents a larger number of events
correlated to that alert track. This focuses the security administrator's attention, so he or she can take action and
correct the problem on the suspect machine.

Fig. 4 Correlations representation of parallel axes
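As an added illustration, not code from the paper, the following Python sketch implements the level 1/2 refinement of section 2.1 together with the alert-track correlation just described: events carrying the W3 attributes (when, where, what) are compared with every existing track and either join a similar one or open track n+1, and the per-track event counts give the line weights for the parallel axes view. The similarity rule (same node, same type, within a time window) and the sample alerts are assumptions of this example.

```python
from dataclasses import dataclass, field
from typing import List
# Constructed example, not the paper's code. Each alert carries the W3 premise
# attributes the text requires (when, where, what) plus the tool that raised it.
@dataclass(frozen=True)
class Alert:
    when: int      # seconds since the start of the observation period
    where: str     # node (host) the alert refers to
    what: str      # alert type as reported by the tool
    source: str    # security tool: IDS, firewall, virus scanner, ...

@dataclass
class AlertTrack:
    node: str
    kind: str
    last_seen: int
    count: int = 1
    sources: set = field(default_factory=set)

    def similar(self, a: Alert, window: int) -> bool:
        # Assumed similarity rule: same node, same alert type, and the new
        # event falls within `window` seconds of the track's last event.
        return (a.where == self.node and a.what == self.kind
                and a.when - self.last_seen <= window)

def correlate(alerts: List[Alert], window: int = 300) -> List[AlertTrack]:
    """Compare each new event with all alert tracks: join the similar one
    (a heavier line in the parallel axes view) or open track n+1."""
    tracks: List[AlertTrack] = []
    for a in sorted(alerts, key=lambda x: x.when):
        for t in tracks:
            if t.similar(a, window):
                t.count += 1
                t.last_seen = a.when
                t.sources.add(a.source)
                break
        else:  # no similar track: the alert-track axis grows to n+1
            tracks.append(AlertTrack(a.where, a.what, a.when, 1, {a.source}))
    return tracks

def line_weights(tracks: List[AlertTrack]) -> List[float]:
    """Share of all events on each track: the darker/thicker line in Fig. 4."""
    total = sum(t.count for t in tracks)
    return [t.count / total for t in tracks]

SAMPLE = [  # constructed sample events from two tools
    Alert(0, "10.0.0.5", "port-scan", "IDS"),
    Alert(20, "10.0.0.5", "port-scan", "IDS"),
    Alert(40, "10.0.0.5", "port-scan", "firewall"),
    Alert(60, "10.0.0.9", "brute-force", "IDS"),
    Alert(1000, "10.0.0.5", "port-scan", "IDS"),  # beyond window: new track
]
```

Running `correlate(SAMPLE)` yields three tracks: the first port-scan track gathers three events from both tools, the brute-force event opens a second track, and the late port-scan falls outside the window and opens a third.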


As stated above, security assessment is a systems project. The aim of security risk assessment is to comprehend where
the current and future risks lie, estimate the security threats and the extent of their influence, and provide a basis
for establishing security policy and for building and running the information system.

Situation analysis estimates the current state of the network and projects what may happen next at three levels,
rather than from a single security event or alert. Situation analysis is therefore useful for advancing network
security assessment.


Security risk assessment is an important management means that runs through the whole life of an information system,
and it is the foundation and premise for establishing and adjusting security policy. In this paper we discussed
situation assessment and its role in risk estimation. Situation assessment is described at three levels, refinement,
comprehension and projection, in order to understand the network situation, find vulnerabilities, and project the next
situation. Using this situation assessment, we can detect abnormal network behavior and patch holes to stop attacks
before they have a chance to cause serious damage. Visualization and its correlation are therefore an important
research direction for network risk evaluation and situation analysis.


Liu Mixia, Ph. D. candidate. Her research is interested in computer network security.

