**3. A method of network situation awareness based on an evidence chain**

A chain of evidence is a collection of evidence formed by two or more evidence links, connected through their chain heads, that together establish a particular object of proof. Because the current network environment is complex, new attack methods keep appearing, and management requirements and logging technologies differ from one system to another, the vulnerabilities of most networks and systems are recorded as scattered, independent items, and taken one at a time they cannot fully reflect the real state of the network. Vulnerabilities must therefore be combined with changes in network status through the relationships between them, and linked according to their inherent meaning and logical relations into a chain structure whose members are mutually connected and mutually validating. This is the chain of evidence for network situation awareness.

#### **3.1 The components of the chain of evidence**

The chain of evidence for audit has three components: chain links, chain connections and the chain domain. A chain link is a single piece of evidence that makes up the chain of evidence for situation awareness, also called node evidence; it is expressed as a single physical object (one record). A chain connection is an overlapping, embedding or logical-reasoning relationship between two single pieces of evidence. The chain domain is the entire set of information (all evidence) that the auditing entity can understand or know when verifying a given network activity under its existing cognitive ability and technical conditions. The scope of the chain domain is determined by the network activity and by the cognitive ability of the network entity: at most it is all the facts required for situation awareness, and at least it is the main facts of situation awareness.
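The three components above map directly onto a small data structure. The following is an added illustration, not code from the paper: chain links are `Evidence` records, chain connections are typed `Connection` edges (the three relation kinds named in the text), and the chain domain is the set of all evidence the auditor holds. On top of that it implements the two checks an auditor wants: finding the chain from a chain head to the link that proves the object of proof, and listing evidence that sits in the domain but is connected to nothing (the scattered, unvalidated case the section warns about). The host names, record contents and the rule that a connection may not point outside the chain domain are assumptions made for the example.

```python
"""Evidence-chain model for network situation awareness: chain links, chain
connections and chain domain, plus the checks an auditor runs over them.
Illustrative code written for this page, not the paper's own implementation."""
from collections import deque
from dataclasses import dataclass
from typing import Dict, List, Optional, Set

# The three chain-connection kinds named in the text.
RELATIONS = {"overlap", "embed", "infer"}


@dataclass(frozen=True)
class Evidence:
    """Chain link: one piece of node evidence, i.e. a single physical record."""
    eid: str
    kind: str      # e.g. "vuln", "authlog", "netflow", "config"
    source: str    # sensor or tool that produced the record
    summary: str


@dataclass(frozen=True)
class Connection:
    """Chain connection between two links: overlap, embedding or logical inference."""
    src: str
    dst: str
    relation: str


class EvidenceChain:
    """The chain domain (all evidence the auditing entity can know) with its connections."""

    def __init__(self, domain: List[Evidence], connections: List[Connection]) -> None:
        self.domain: Dict[str, Evidence] = {e.eid: e for e in domain}
        self.adj: Dict[str, Set[str]] = {eid: set() for eid in self.domain}
        for c in connections:
            if c.relation not in RELATIONS:
                raise ValueError(f"unknown relation {c.relation!r}")
            if c.src not in self.domain or c.dst not in self.domain:
                # Assumed rule: a connection may not reference evidence outside the domain.
                raise ValueError(f"connection {c.src}->{c.dst} leaves the chain domain")
            self.adj[c.src].add(c.dst)
            self.adj[c.dst].add(c.src)  # links corroborate each other in both directions

    def chain_to(self, head: str, target: str) -> Optional[List[str]]:
        """Shortest chain from the chain head to the link proving the target, as an
        ordered list of link ids; None if the object of proof cannot be reached."""
        if head not in self.domain or target not in self.domain:
            return None
        parent: Dict[str, Optional[str]] = {head: None}
        queue = deque([head])
        while queue:
            cur = queue.popleft()
            if cur == target:
                path: List[str] = []
                node: Optional[str] = cur
                while node is not None:
                    path.append(node)
                    node = parent[node]
                return path[::-1]
            for nxt in sorted(self.adj[cur]):
                if nxt not in parent:
                    parent[nxt] = cur
                    queue.append(nxt)
        return None

    def isolated(self) -> Set[str]:
        """Links with no connection at all: present in the chain domain but unable to
        validate, or be validated by, any other evidence."""
        return {eid for eid, nbrs in self.adj.items() if not nbrs}

    def is_chain(self, path: Optional[List[str]]) -> bool:
        """A chain needs two or more links, each connected to the next."""
        return bool(path) and len(path) >= 2 and all(
            b in self.adj[a] for a, b in zip(path, path[1:]))


# Constructed sample domain: a scan finding, two log records and a flow record about
# host-a, plus one configuration record that nobody has linked to anything.
SAMPLE_DOMAIN = [
    Evidence("V1", "vuln", "scanner", "host-a exposes an unpatched SSH service"),
    Evidence("L1", "authlog", "host-a syslog", "20 failed then 1 successful SSH login from 10.0.0.5"),
    Evidence("L2", "authlog", "host-a syslog", "new cron job installed by the same session"),
    Evidence("F1", "netflow", "core switch", "host-a opens SMB sessions to 30 internal hosts"),
    Evidence("C1", "config", "CMDB", "host-a has the guest account enabled"),
]
SAMPLE_CONNECTIONS = [
    Connection("V1", "L1", "infer"),    # the exposed service explains the brute force
    Connection("L1", "L2", "overlap"),  # same host and session, overlapping time window
    Connection("L2", "F1", "infer"),    # persistence followed by internal scanning
]


def build_sample() -> EvidenceChain:
    return EvidenceChain(SAMPLE_DOMAIN, SAMPLE_CONNECTIONS)


if __name__ == "__main__":
    chain = build_sample()
    path = chain.chain_to("V1", "F1")
    print("chain for 'host-a compromised and used for lateral movement':", path)
    print("valid chain:", chain.is_chain(path))
    print("isolated evidence (cannot be mutually validated):", chain.isolated())
```

Run stand-alone, the chain head `V1` reaches `F1` through `L1` and `L2`, so the four records form a mutually connected chain for the object of proof, while `C1` is reported as isolated: it is inside the chain domain but, with no connection to anything, it contributes nothing to situation awareness until someone links it.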
