*Computer Security Threats*

### *Evaluation of Botnet Threats Based on Evidence Chain DOI: http://dx.doi.org/10.5772/intechopen.89564*

and make decisions and actions by acquiring, understanding, predicting, and making decisions [1]. The concept of Situational Awareness (SA) originates from military demand in the 1980s; with the rise of networking, it was introduced into the field of network security by Tim Bass.

SA should go through several steps, such as situation acquisition, situation understanding, situation prediction, situation visualization and so on [2, 3]. In the situation acquisition stage, there may be a lot of complex, repetitive, or even false-alarm information. In addition, the existing SA methods use data from IDS, firewalls, virus detection and other tools, and apply time series, graph theory, Bayesian methods, game theory and other approaches to evaluate and predict the network security situation according to the network environment, the attacker's history and the vulnerabilities of the network ontology, without considering emerging vulnerabilities and their SA. To solve the above problems, this chapter proposes a botnet SA method based on DS evidence theory. Compared with other SA methods, DS evidence theory not only solves uncertainty problems but also needs neither prior probability nor conditional probability density. Therefore, we can manually assign initial trust values based on our expertise and individual knowledge.

Botnet SA integrates all kinds of botnet security elements to evaluate the security situation of the network in real time, which provides the basis for network security analysis and evaluates network security more accurately, thus minimizing risks and losses from botnet threats. Botnet security SA plays an important role in improving the ability of network monitoring, emergency response and predicting the development trend of network security. The main contributions of this chapter are as follows:

1. We propose a method of botnet threat assessment based on evidence chain, which computes the target credibility to determine whether there is a threat in the network;

2. The evidence chain method is applied to botnets to realize network security SA. DS evidence theory solves the uncertainty problem of network threat.

3. The experiment is carried out using the public data set of Nanjing University of Posts and Telecommunications (NJUPT). The results show that the network security situation assessment method proposed in this chapter is reasonable and effective, and can improve the accuracy of security situation prediction.

**2. Related work**

There are already some approaches to network security SA. In the research of network security SA architecture, Kokkonen proposed in 2016 a network security SA architecture, which mainly includes an information exchange module and emphasizes a standardized information format [4]. In 2017, Eiseler proposed a network security SA architecture from the perspective of IT complexity [5]; the main idea is to abstract a layer of operation (decision) and decision results for decision makers from a non-technical background. In the research of network security SA methods, Yang et al. used the SVM machine learning method for SA in 2016 [6]. After the classifier is trained, the data can be used to predict the situation value, but the method has the defect that the situation is normalized and the information is not abundant enough. In 2016, Khalid et al. addressed data injection attacks, which could lead to unreliability and insecurity of network physical infrastructure such as a wide-area monitoring system (WAMS); in that work, a Bayesian-based approximate filter (BAF) method [7] is proposed to minimize the impact of injection attacks on oscillatory parameters, so as to improve the resistance of monitoring applications to data injection attacks. In 2016, in an HMM-based network security situation assessment method, Li et al. extracted the observation values and model parameters by establishing a time period, which is an important factor affecting the real-time performance and accuracy of the evaluation. However, there are two problems: (1) the size of the time period is given arbitrarily by people, which cannot represent the security and real-time performance of the current network; (2) the state transition matrix and the observation symbol matrix are usually determined by experience and are highly abstract. To solve this problem, Li et al. later trained the parameters of the HMM model by a mixed multi-population genetic algorithm (MPGA) [8] to improve the reliability of the parameters and to solve the problem that an emergency situation could not be highlighted within a certain period of time. Experiments show that this method can reflect the current network security situation effectively and accurately. References [9, 10] put forward the overall goal of network security SA, which is determined by scope, level, requirement and decision; the SA methods are classified from four aspects: data collection, decision making, analysis and visualization.
Through the research of network security SA, researchers have to a certain extent given other researchers some practical methods, but these methods also have a limited scope of application. Most SA methods only consider the calculation of the threat situation caused by an external attack and ignore the change of security situation caused by the insecurity of the system and the equipment itself. This chapter presents a method of network security SA based on evidence chain theory. DS evidence chain theory has many advantages in SA. Firstly, it does not require prior probability or conditional probability density. Secondly, the information provided by a sensor is not necessarily accurate and may carry a certain degree of fuzziness, and the DS evidence method can solve this uncertainty calculation problem. Finally, DS evidence theory can continuously narrow the scope of the hypothesis set by merging evidence. Its basic idea is to fuse several sub-evidences according to the Dempster formula, so as to further determine the possibility of the occurrence of certain propositions.
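The fusion step described above (Dempster's rule applied along an evidence chain to narrow the hypothesis set, with initial masses assigned by hand rather than from prior probabilities), as an added Python example that is not part of the chapter or its experiments; the two-element frame {bot, normal}, the three sensor mass functions and the 0.8 decision threshold are constructed assumptions.

```python
from functools import reduce
from itertools import product

# Frame of discernment: is the monitored host part of a botnet or not?
BOT, NORMAL = "bot", "normal"
THETA = frozenset({BOT, NORMAL})


def dempster_combine(m1, m2):
    """Dempster's rule: m(A) = sum over B∩C=A of m1(B)m2(C) / (1 - K),
    where K is the mass that lands on conflicting (empty) intersections."""
    combined, conflict = {}, 0.0
    for (b, mb), (c, mc) in product(m1.items(), m2.items()):
        a = b & c
        if not a:
            conflict += mb * mc
        else:
            combined[a] = combined.get(a, 0.0) + mb * mc
    if conflict >= 1.0 - 1e-12:
        # Total conflict: the sources fully contradict each other and the
        # rule is undefined, so refuse rather than divide by zero.
        raise ValueError("total conflict between evidence sources")
    return {a: v / (1.0 - conflict) for a, v in combined.items()}


def belief(m, hyp):
    """Bel(A): mass of all subsets of A (what the evidence supports)."""
    return sum(v for a, v in m.items() if a <= hyp)


def plausibility(m, hyp):
    """Pl(A): mass of all subsets intersecting A (what is not refuted)."""
    return sum(v for a, v in m.items() if a & hyp)


# Constructed sensor evidence (assumed values): unassigned belief goes to
# THETA, so a vague sensor simply puts more mass there.
EVIDENCE_CHAIN = [
    {frozenset({BOT}): 0.6, frozenset({NORMAL}): 0.1, THETA: 0.3},  # IDS alert
    {frozenset({BOT}): 0.5, frozenset({NORMAL}): 0.2, THETA: 0.3},  # DNS anomaly
    {frozenset({BOT}): 0.4, THETA: 0.6},                             # beaconing
]


def assess_host(evidence=EVIDENCE_CHAIN, threshold=0.8):
    """Fuse the chain in order; report Bel/Pl of 'bot', residual
    uncertainty (mass left on THETA) and the threat decision."""
    m = reduce(dempster_combine, evidence)
    bot = frozenset({BOT})
    bel, pl = belief(m, bot), plausibility(m, bot)
    return {"bel": bel, "pl": pl, "theta": m.get(THETA, 0.0),
            "threat": bel >= threshold}
```

Each fusion step moves mass off THETA onto a specific hypothesis, which is the "narrowing of the hypothesis set" the chapter relies on.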
