**1. Introduction**

In recent years, with the rapid development of Internet of Things (IOT) technology, more and more devices are exposed to the Internet. These devices are complex in variety and explosive in number. This kind of interconnected environment will make the security risk increase and spread rapidly, and bring severe security problems. Among all kinds of security problems, botnet in particular brings serious harm. Botnets are made up of "zombie hosts" infected with a malicious code that infect normal devices, forming a large-scale "botnet" of IOT, once the "botnet" launches a distributed denial of service attack. This will wreak havoc on the Internet infrastructure [1].

In view of the large scale of botnet, the variety and number of botnet hosts, and the unpredictable vulnerability types, the network security protection should be considered from the overall situation. Therefore, it is very important to grasp the information of the network and to perceive the status and development trend of the network security. Network situational awareness can capture the security elements that cause the change of network situation in a large-scale network environment,

and make decisions and actions by acquiring, understanding, predicting, and making decisions [1]. The concept of Situational Awareness (SA) originates from the military demand in the 1980s, and with the rise of network, it was introduced by Tim Bass into the field of network security.

a wide-area monitoring system. In this chapter, a Bayesian based approximate filter (BAF) method [7] is proposed to minimize the impact of injection attack on oscillatory parameters, so as to improve the resistance of monitoring applications to data injection attacks. In 2016, in the HMM-based network security situation assessment method, Li et al. used to extract the observation values and model parameters by establishing the time period, which is an important factor affecting the real-time and accuracy of the evaluation. However, there are two problems: The results are as follows: (1) the size of the time period is given randomly by people, which cannot represent the security and real-time performance of the current network; (2) the state transition matrix and the observation symbol matrix are usually determined by experience and have strong abstractness. To solve this problem, Li et al. later trained the parameters of the HMM model by mixed multi-population genetic algorithm (MPGA) [8] to improve the reliability of the parameters and to solve the problem that the emergency situation could not be highlighted in a certain period of time. Experiments show that this method can reflect the current network security situation effectively and accurately. [9, 10] put forward the overall goal of network security SA, which is determined by scope, level, requirement and decision. The method of SA is classified from four aspects: data collection, decision making,

*Evaluation of Botnet Threats Based on Evidence Chain DOI: http://dx.doi.org/10.5772/intechopen.89564*

Through the research of network security SA, to a certain extent, the researchers

give other researchers some practical methods, but these methods also have a limited scope of application. Most of the SA methods only consider the calculation of the threat situation caused by an external attack and ignore the problem of the security situation change caused by the insecurity of the system and the equipment itself. This chapter presents a method of network security SA based on evidence chain theory. DS evidence chain theory has many advantages in SA. Firstly, it does not require prior probability and conditional probability density. Secondly, sometimes the information provided by the sensor is not necessarily very accurate, and there may be a certain degree of fuzziness, and the DS evidence method can solve the uncertainty calculation problem. Finally, DS evidence theory can continuously narrow the scope of the hypothesis set by merging evidence. Its basic idea is to fuse several sub-evidences according to the Dempster formula, so as to further deter-

mine the possibility of the occurrence of certain propositions.

the chain of evidence for network situation awareness.

**3.1 The components of the chain of evidence**

**41**

**3. A method of network SA awareness based on evidence chain**

The chain of evidence is a collection of evidence formed by two or more evidence links connected by the chain heads for a certain object of proof. Due to the complexity of the current network environment and the emergence of various network attack methods, the management requirements and the means of recording technology are different. The vulnerabilities of most network and system are scattered and independent, and the performance cannot fully reflect the real situation of the network status. It needs to combine the vulnerabilities and network status transformation together through the relevance of vulnerabilities, and to connect them according to the inherent meanings and logical relationships to form a chain structure that is mutually connected and mutually validated, which involves

The components of chain of evidence for audit include chain link, chain connection and chain domain. Among them, chain link refers to the single evidence

analysis and visualization.

SA should go through several steps, such as situation acquisition, situation understanding, situation prediction, situation visualization and so on [2, 3]. In the situation acquisition stage, there may be a lot of complex, repetitive, or even false alarm information. In addition, the existing SA methods use IDS, firewalls, virus detection and other tools data, based on time series, graph theory, Bayes, game theory and other methods, according to the network environment, the history of the attacker and the network ontology vulnerability; these are used to evaluate and predict the network security situation, without considering the emerging vulnerabilities and their SA.

To solve the above problems, this chapter proposes a botnet SA method based on DS evidence theory. Compared with other SA methods, DS evidence theory not only can solve uncertainty problems, but it also does not need prior probability and conditional probability density. Therefore, we can manually assign it initial trust based on our expertise and individual knowledge.

Botnet SA integrates all kinds of botnet security elements to evaluate the security situation of the network in real time, which provides the basis for the network security analysis, and evaluates the network security more accurately, thus minimizing risks and losses from botnet threats. Botnet security SA plays an important role in improving the ability of network monitoring, emergency response and predicting the development trend of network security.

The main contributions of this chapter are as follows:

