#### 3. Trust function

The fusion conclusion of D-S evidence theory expresses the support strength for any hypothesis through an interval. The lower limit of this interval is called the trust function, also known as the belief function (bel). The trust function is defined on the recognition framework Θ as in Eq. 2:

$$bel(A) = \sum_{B \subseteq A} m(B) \quad (\forall A \subseteq \Theta) \tag{2}$$

The trust function of a hypothesis in the fusion conclusion counts only the support strength assigned directly to that hypothesis during the fusion calculation; it does not count the support strength assigned to combinations containing the hypothesis. If a part of the support strength in the Basic Probability Allocation is assigned to an unknown domain, that part cannot be counted in the trust function.

#### 4. Likelihood function

The upper limit of the fusion-conclusion interval of D-S evidence theory is called the likelihood function, also known as the plausibility function (pl). The likelihood function is defined on the recognition framework Θ as in Eq. 3:

$$pl(A) = \sum_{B \cap A \neq \Phi} m(B) = 1 - bel(\overline{A}) \tag{3}$$


*Evaluation of Botnet Threats Based on Evidence Chain DOI: http://dx.doi.org/10.5772/intechopen.89564*


The likelihood function of a hypothesis in the fusion conclusion counts not only the support strength assigned directly to the hypothesis during the fusion calculation, but also the support strength assigned to combinations containing the hypothesis and the support strength allocated to the unknown domain. The fusion conclusion can directly adopt the trust function, the likelihood function, or even the interval formed by the trust function and the likelihood function to express the support strength for each possible hypothesis.

#### 5. Dempster's combination rule

Dempster's combination rule, also known as the evidence combination formula, can be expressed as Eq. 4:

$$\begin{aligned} m(A) &= m_1(A_1) \oplus m_2(A_2) \oplus m_3(A_3) \oplus \dots \oplus m_n(A_n) \\ &= \frac{1}{1-k} \sum_{A_1 \cap A_2 \cap \dots \cap A_n = A} \prod_{i=1}^{n} m_i(A_i) \end{aligned} \qquad (\forall A \subseteq \Theta) \tag{4}$$

where $k$ is the degree of conflict between the evidences, $\frac{1}{1-k}$ is the normalization factor, and

$$k = \sum_{A_1 \cap A_2 \cap A_3 \cap \dots \cap A_n = \Phi} m_1(A_1) \cdot m_2(A_2) \cdots m_n(A_n)$$

When $k = 1$, the conflict between the evidences is so great that they cannot be fused using the Dempster formula. Two characteristics of the D-S evidence-theory combination rule facilitate the combination of evidence: when combining multiple pieces of evidence, the combination order does not need to be considered; and when there is both consistency and contradiction among the evidences, similar evidence can be grouped and the conclusions of the grouped combinations then combined.

### **3.5 Research on application of evidence theory**

Evidence theory has been widely used in the fields of expert systems, information fusion, intelligence analysis, target judgment, legal case analysis, multi-attribute decision analysis, etc., owing to its advantages at both the algorithm and the application level. Many researchers have also carried out improvement research on the problems that arise in application. As far as the algorithm itself is concerned, there are three main aspects in terms of application:

#### 1. Construct a corresponding fast algorithm for a specific evidence organization structure

In different application fields, the organization structure and expression form of evidence differ. Starting from the evidence itself, studying an algorithm that can quickly obtain the fusion conclusion is an important research point in each application field.

#### 2. Approximate calculation


*Computer Security Threats*


To address the problem that the amount of computation increases rapidly as the dimension of the evidence-theory fusion algorithm and the quantity of evidence grow, approximate algorithms are constructed starting from practical applications. Approximate calculation can simplify the calculation process while preserving the conclusion of the uncertain reasoning.

The basic idea of approximate calculation is to reduce the number of focal elements in order to reduce the amount of calculation.

Voorbraak found that if the combination of m functions produces a Bayesian trust function (i.e., a probability measure on the recognition framework), then substituting the m functions with their Bayesian approximations does not affect the result of Dempster's combination rule; this is called the "Bayes approximation" method.

The significance of the Bayes approximation is that it is very useful and computationally efficient in those cases where the final conclusion is concerned only with identifying "elements" of the framework (i.e., single hypotheses) rather than its "subsets" (i.e., subsets of multiple hypotheses). Dubois and Prade proposed the "consonant approximation", characterized by focal elements that are nested after the approximate calculation, with the number of focal elements not exceeding the number of hypotheses in the identification framework. Its disadvantage is that it is not suitable for calculation by Dempster's combination rule, which may produce a large error; the consonant approximation method is suited to the expression of evidence.

Tessem proposed the "(k, l, x) approximation algorithm", where k is the minimum number of retained focal elements, l is the maximum number of retained focal elements, and x is the maximum m value that is allowed to be deleted; x usually takes a value in [0, 0.1].

First, sort the m values from largest to smallest, then accumulate the m function values in that order. If the number of retained focal elements equals l, or the accumulated sum of m values is greater than or equal to 1 − x, the loop ends; otherwise it continues. Finally, normalize the m values of the retained focal elements. The (k, l, x) method yields neither a Bayesian m function nor a consonant m function, but it does reduce the number of focal elements.
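The (k, l, x) procedure above, as an added example (not code from the chapter): the stop condition also enforces k as the minimum number of kept focal elements, which the parameter definitions imply but the step-by-step description does not spell out; the sample BPA is constructed.

```python
from typing import Dict, Hashable


def klx_approximation(m: Dict[Hashable, float], k: int, l: int, x: float) -> Dict[Hashable, float]:
    """Tessem's (k, l, x) approximation of a basic probability assignment.

    m maps each focal element to its m value. Focal elements are visited in
    descending order of m value and accumulated; the loop stops once at least k
    elements are kept and either l elements are kept or the kept mass reaches
    1 - x (so at most x of the total mass is deleted). The kept m values are
    then renormalised so that they sum to 1 again."""
    if not 1 <= k <= l or not 0.0 <= x <= 1.0:
        raise ValueError("need 1 <= k <= l and 0 <= x <= 1")
    ordered = sorted(m.items(), key=lambda kv: kv[1], reverse=True)
    kept = []
    total = 0.0
    for focal, value in ordered:
        kept.append((focal, value))
        total += value
        if len(kept) >= k and (len(kept) >= l or total >= 1.0 - x):
            break
    return {focal: value / total for focal, value in kept}


if __name__ == "__main__":
    # Constructed BPA with four focal elements over the framework {a, b, c}.
    bpa = {frozenset("a"): 0.5, frozenset("ab"): 0.25,
           frozenset("bc"): 0.125, frozenset("abc"): 0.125}
    print(klx_approximation(bpa, k=1, l=3, x=0.1))  # {a,b,c} is dropped, 3 kept
```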

#### 3. Modification of the D-S method

In view of the problems that arise in the practical application of the D-S evidence-theory fusion algorithm, corresponding modifications are made to the traditional combination rules to avoid irrational fusion conclusions under special circumstances.

## **4. Network security SA approach based on evidence chain**

This section briefly introduces the flow of network SA [13] based on D-S evidence theory: first, the identification framework is determined and all possible results are considered; each piece of evidence is assigned a basic credibility; then the final credibility value of the target is obtained by fusing the evidence with the composition rule. In this section, a method of SA based on D-S evidence theory is proposed.

Network security SA based on the D-S evidence chain collects information about the protected network through active and passive network sensors and, after processing, uses this information as the fusion data of D-S evidence theory. Each piece of data collected by a sensor corresponds to one piece of evidence, and each piece of evidence is given a corresponding initial credibility. Finally, the composition formula is used to fuse these evidences to obtain the credibility of the threat proposition for the protected network. This value reflects the degree to which the protected network is believed to be under the threat indicated by the evidence, and a confidence threshold is set: if the credibility exceeds the threshold, the network component has a security threat and is vulnerable to attack; otherwise, the network component is secure.

In this chapter, the identification framework is $\Theta = \{T, F\}$, in which $T$ indicates that the camera is dangerous and vulnerable to attack, while $F$ indicates that the camera is secure and not vulnerable to attack. Then the power set is $2^{\Theta} = \{\Phi, T, F, H\}$, in which $\Phi$ indicates the camera is both dangerous and safe, while $H$ implies the camera may or may not be safe. The trust function satisfies $m(\Phi) + m(T) + m(F) + m(H) = 1$, in which $m(\Phi) = 0$ and $m(H) = 0$.

Second, every piece of data scanned from a camera device is used as a piece of evidence, and there are three types of evidence. The first is the scan of IoT devices with port 23 open across the whole school; the camera devices among them are the object of our SA, so they could be attacked. An initial trust value is assigned to this evidence: the ratio of camera devices to the number of devices with port 23 open is used as the initial trust probability function of the evidence. The second type of evidence scans the camera devices, among which cameras with weak-password vulnerabilities are vulnerable to attack; here we take the ratio of cameras with the weak-password vulnerability to the total number of cameras in NJUPT as the initial confidence probability function of the evidence. The third kind of evidence is the upload of the virus to camera devices with the weak-password vulnerability; a camera to which the virus is successfully uploaded is highly dangerous and vulnerable to attack, and we use the ratio of cameras to which the virus was successfully uploaded to cameras with the weak-password vulnerability as the initial trust probability function. Through the above methods we adopt three different types of evidence, which further improves the credibility of the evidence fusion; at the same time, we compress a large amount of evidence data into three pieces of evidence, improving the efficiency and time of synthesis. After that, the improved composition formula is used to fuse the three evidences about the cameras and obtain the ultimate credibility of the dangerous situation of the cameras in NJUPT.

Finally, the credibility $m(T)$ after fusion is compared with a given threshold. If it is greater than the threshold, the overall situation of the cameras in NJUPT is dangerous and vulnerable to attack; otherwise, the overall situation of the cameras in NJUPT is safe.

## **5. Experiment**

In order to verify the feasibility and effectiveness of this method, the Telnet port scanning records of the network equipment in the campus network of NJUPT were used as the data source. The data was collected from the time of the outbreak of the large-scale Mirai botnet attack on the East Coast of the United States at the end of 2016, and the scope of collection is limited to the campus network of NJUPT. The study found that a large number of cameras in the campus network have weak-password vulnerabilities. As shown in **Figure 2**, this vulnerability allows intrusion into the monitoring system; moreover, based on the vulnerability, the Mirai botnet can be uploaded to the camera and run, and the camera becomes a Mirai botnet "broiler" (i.e., a bot) that can take part in a large-scale DDoS attack. Because the scope of the research object is relatively small, after discovering the problems existing in the monitoring system of the campus network, we should inform the relevant departments of the school and take timely measures to protect the monitoring system. However, for large-scale protected networks, SA methods are needed to discover the threat situation in time. This chapter uses D-S theory to verify the feasibility and effectiveness of the proposed approach based on campus network data sources.

**Figure 2.**
*Schematic diagram of the campus monitoring system through the weak-password vulnerability.*

The data source of this chapter contains three kinds of data: (1) all devices in the campus network with Telnet port 23 open, together with their type, IP address and other information; (2) the network cameras in the campus network with the weak-password vulnerability on Telnet port 23; (3) the cameras to which the Mirai virus can be uploaded and run successfully through the weak-password vulnerability.

**Figure 3.**
*Scanned device records with port 23 open.*
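The fusion pipeline of Sections 3 and 4 as an added example (not code from the chapter): a general implementation of Dempster's rule (Eq. 4) with the conflict k, the trust and likelihood functions (Eqs. 2 and 3) over arbitrary focal elements, and the three-evidence camera assessment on the framework {T, F} with the threshold comparison. The three ratios in the usage block are constructed values, not the chapter's measurements.

```python
from itertools import product
from typing import Dict, FrozenSet, Iterable, Tuple

Mass = Dict[FrozenSet[str], float]  # basic probability assignment: focal element -> m

def combine(m1: Mass, m2: Mass) -> Mass:
    """Dempster's rule (Eq. 4) for two evidences: intersect every pair of focal
    elements; products landing on the empty set form the conflict k, the rest is
    renormalised by 1 / (1 - k)."""
    fused: Mass = {}
    k = 0.0
    for (a, ma), (b, mb) in product(m1.items(), m2.items()):
        c = a & b
        if c:
            fused[c] = fused.get(c, 0.0) + ma * mb
        else:
            k += ma * mb
    if k >= 1.0 - 1e-12:
        raise ValueError("k = 1: total conflict, the evidence cannot be fused")
    return {c: v / (1.0 - k) for c, v in fused.items()}

def combine_all(masses: Iterable[Mass]) -> Mass:
    # The rule is commutative and associative, so the combination order is irrelevant.
    it = iter(masses)
    result = next(it)
    for m in it:
        result = combine(result, m)
    return result

def bel(m: Mass, a: FrozenSet[str]) -> float:
    """Trust function (Eq. 2): mass of every focal element contained in A."""
    return sum(v for b, v in m.items() if b <= a)

def pl(m: Mass, a: FrozenSet[str]) -> float:
    """Likelihood function (Eq. 3): mass of every focal element that meets A."""
    return sum(v for b, v in m.items() if b & a)

# Section 4 framework: T = camera dangerous, F = camera secure, m(H) = m(Φ) = 0.
T, F = frozenset({"T"}), frozenset({"F"})

def camera_evidence(ratio: float) -> Mass:
    """One evidence whose initial trust in T is the observed ratio, rest on F."""
    return {T: ratio, F: 1.0 - ratio}

def camera_threat(ratios: Iterable[float], threshold: float) -> Tuple[float, bool]:
    """Fuse the evidence ratios and compare the fused m(T) with the threshold."""
    fused = combine_all(camera_evidence(r) for r in ratios)
    m_t = fused.get(T, 0.0)
    return m_t, m_t > threshold

if __name__ == "__main__":
    # Constructed ratios, not the chapter's measurements: cameras among port-23
    # devices, weak-password cameras among cameras, successful uploads among those.
    print(camera_threat([0.6, 0.7, 0.8], threshold=0.5))
```

With m(H) = 0 on every evidence the fused m(T) reduces to the product of the T ratios divided by the sum of the T and F products, so the general routine can be checked against that closed form.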
