*Computer Security Threats*

*Evaluation of Botnet Threats Based on Evidence Chain DOI: http://dx.doi.org/10.5772/intechopen.89564*

**3.2 The essence and attributes of the chain of evidence**

The evidence for situation awareness is essentially the retained information about the past network activity of the object, and this retained information is the record and reflection of network activity that objectively exists. When these records and reflections do not fully capture the main facts of a network activity, the main facts must be established by constructing a chain of evidence. The essence of the chain of evidence for situation awareness is therefore that different evidences, drawn from different segments or conditions of the same network activity, mutually confirm and connect with each other through a multicomponent, chain-dependent relationship in meaning and logic, and jointly reveal the truth of the same economic activity. The chain of evidence for situation awareness not only has the adequacy and appropriateness of general audit evidence, but also has the characteristics of relevance, integrity and complexity, which carry a particular meaning here. Relevance refers to the objective connection between the evidences of each link of the chain: causal relationships, conditional relationships and space-time relationships. Integrity means that the evidences of each link have a consistent proof effect and proof direction and together constitute a complete proof system. Complexity refers to the complex sources of the evidence of each link. Some evidences come from the same source, that is, from the same network activity; others come from different sources but have intertwined contents. The evidences of each link sometimes take different forms, and evidence from objects coexists with evidence from persons. The contents of the evidences are coherent and overlapping, and they also carry other information unrelated to the audit findings.

**3.3 Connection mode of chain of evidence**

The chain of evidence can be divided into two kinds of connections, explicit and implicit, according to whether there are semantic intersections and overlapping relationships, such as explicit text, between links. Explicit connection refers to the overlapping and embedding of evidence contents between adjacent business processes in the chain of evidence. Implicit connection refers to a connection between evidences formed by logical reasoning. Node evidence in the chain of evidence can be divided into core evidence and auxiliary evidence according to its proof function in network activities. Core evidence, also called direct evidence, is the evidence that plays the major role in proving the emergence and existence of the witnessed network activity. Auxiliary evidence is the evidence supporting core evidence, including making up for quality defects of the core evidence and enhancing its persuasiveness. The composition of the chain of evidence is shown in **Figure 1**.

**Figure 1.** *Composition of chain of evidence.*

that constitutes the chain of evidence for situation awareness, also known as node evidence, is expressed as a single physical object; chain connection is the overlapping or embedding relationship, or the logical reasoning relationship, between single evidences; chain domain refers to the entire information set (all evidences) that the auditing entity can understand or know when verifying a certain network activity under the existing cognitive ability and technical conditions. The scope of the chain domain is determined by the network activity and the cognitive ability of the network entity; its maximum is all the facts required for situation awareness, and its minimum is the main facts of situation awareness.

**3.4 Basic concepts of evidence theory**

D-S evidence theory [11, 12] uses mathematical reasoning to perform fusion calculations over inexact and incomplete information. In the D-S evidence theory fusion algorithm, the recognition framework is the framework of the whole judgment; the Basic Probability Allocation is the basis of fusion; the combination rule is the fusion process; and the trust function and likelihood function express, respectively, the lower and upper limits of the support-strength interval of the fusion conclusion.

1. Recognition framework

Θ is a mutually exclusive non-empty finite set, known as the recognition framework. It consists of N nonintersecting sets *w*1, *w*2, *w*3, … *wN*, so there are N possible hypotheses in this recognition framework. The task of the evidence theory fusion algorithm is to estimate the trust level of each possible hypothesis.

2. Basic probability allocation

Basic Probability Allocation (BPA) is a function known as the m function:

$$ m : 2^{\Theta} \to [0, 1] $$

and it satisfies Eq. (1):

$$ m(\Phi) = 0, \qquad \sum_{A \subseteq \Theta} m(A) = 1 \tag{1} $$

When an evidence is constructed, each possible hypothesis or hypothesis combination within the recognition framework should be assigned a trust level in [0, 1], and the sum of the trust levels of all hypotheses or hypothesis combinations should equal 1.

3. Trust function

The fusion conclusion of D-S evidence theory expresses the support strength for any hypothesis through an interval. The lower limit of this interval is called the trust function, which is also called the Belief Function (bel). The trust function is defined on the recognition framework Θ as in Eq. 3:

$$ bel(A) = \sum_{B \subseteq A} m(B) \qquad \forall A \subseteq \Theta \tag{2} $$

to a hypothesis.
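The definitions above, as an added example that is not code from the chapter: a BPA check for Eq. (1), the trust function of Eq. (2), the likelihood (plausibility) function as the interval's upper limit, and Dempster's combination rule standing in for the "combination rule" the text names but does not write out. The two-hypothesis frame and the two detector BPAs are constructed for illustration.

```python
def is_bpa(m, theta, tol=1e-9):
    """Eq. (1): m(empty set) = 0, focal elements lie in 2^Theta, and the masses sum to 1."""
    if m.get(frozenset(), 0.0) != 0.0:
        return False
    if any(not A <= theta or v < 0 or v > 1 for A, v in m.items()):
        return False
    return abs(sum(m.values()) - 1.0) < tol

def bel(m, A):
    """Eq. (2): bel(A) = sum of m(B) over B subset of A, the lower limit of support for A."""
    return sum(v for B, v in m.items() if B <= A)

def pl(m, A):
    """Likelihood (plausibility), the upper limit: sum of m(B) over B intersecting A."""
    return sum(v for B, v in m.items() if B & A)

def combine(m1, m2):
    """Dempster's rule: product masses on intersections, renormalised by the conflict mass."""
    fused, conflict = {}, 0.0
    for B, v1 in m1.items():
        for C, v2 in m2.items():
            D = B & C
            if D:
                fused[D] = fused.get(D, 0.0) + v1 * v2
            else:
                conflict += v1 * v2  # B and C contradict each other
    if conflict >= 1.0:
        raise ValueError("total conflict: the evidences cannot be fused")
    return {A: v / (1.0 - conflict) for A, v in fused.items()}

# Constructed frame: is the observed host part of a botnet or benign?
THETA = frozenset({"bot", "benign"})
BOT, BENIGN = frozenset({"bot"}), frozenset({"benign"})
# Constructed BPAs from two hypothetical detectors; mass left on THETA means "don't know".
M_DNS = {BOT: 0.6, THETA: 0.4}              # DNS beaconing detector
M_C2 = {BOT: 0.5, BENIGN: 0.2, THETA: 0.3}  # C2 traffic classifier

def fuse_example():
    """Fuse both detectors and return the support interval [bel, pl] for the 'bot' hypothesis."""
    assert is_bpa(M_DNS, THETA) and is_bpa(M_C2, THETA)
    m = combine(M_DNS, M_C2)
    return round(bel(m, BOT), 4), round(pl(m, BOT), 4)

if __name__ == "__main__":
    print(fuse_example())
```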
