A Trusted 3.0 Network Security Risk Assessment and Decision Support System Based on Discrete Rough Sets

In the digital era, cyber-attacks are becoming more and more frequent, and a large amount of important data is leaked or stolen by malicious attackers due to the lack of technical security. In this situation, trusted computing technology has become a powerful weapon for network security [1-4]. Trusted computing technology refers to the combination of hardware and software to protect and verify the integrity and confidentiality of the computing process and results. It has five core elements: trusted startup, trusted computing, trusted storage, trusted transmission and trusted termination [5-8], which can ensure the correctness of the transmitted data as well as the privacy and security of their own data in the process of using the network. Trusted computing can ensure the security and privacy of network data, is a key part of the decision support system, so that the decision system can play a more effective role [9-12].

Decision support system (DSS) is a human-computer system with an intelligent role based on management science, operations research, cybernetics and behavioral science, and computer technology, simulation technology and information technology as a means to support decision-making activities for semi-structured decision-making problems [13-16]. It provides decision makers with an environment for analyzing problems, building models, simulating decision-making processes and scenarios, providing various alternatives, and evaluating and preferring various scenarios, analyzing, comparing and judging through human-computer interaction functions, and calling various information resources and analytical tools [17-20], helping decision makers to improve the level and quality of decision making. With the continuous development and application of information technology, decision support systems have been widely used and popularized in the fields of business, management, government, healthcare and science [21-23].

The trusted 3.0 network security decision support system proposed in this study adopts the B/S architecture, and the overall system architecture includes the representation layer module, the business layer module and the data layer module. Second, in the rough set data analysis module of the business layer, a trusted 3.0 network security risk assessment model is constructed based on discrete rough sets. The model is based on rough set theory and proposes a discrete analysis method for continuous attribute sets based on GA. Then the knowledge base for risk assessment is constructed through attribute approximation and rule extraction. Finally, the extracted risk assessment rules are utilized for risk assessment and decision support.

2

Trusted 3.0 network security research based on discrete rough sets

2.1

Trustworthiness 3.0

The main feature of China's Trusted Computing 3.0 is system immunity, the protection object is the system node-centered network dynamic chain, constituting a “host + trusted” two-node trusted immunity architecture, the host computing at the same time as the trusted machine security monitoring, to achieve the active immunity protection of network information systems.

Trusted Computing 3.0 is based on cryptographic complexity theory and trusted verification. It is aimed at application systems with known processes, and according to the security needs of the system, through a “tailor-made” approach, it formulates policies for applications and processes to adapt to the actual security needs without modifying the application programs, which is especially suitable for providing security for important production information systems.

2.2

Design of Trusted 3.0 network security decision support system

The system adopts the Internet-based B/S structure, which is a structure mode similar to the terminal/host system structure mode, and at the same time has the distributed computing characteristics of the C/S mode. The overall system structure is shown in Figure 1. This system applies the standard three-layer application software architecture, i.e., representation layer, business layer and data layer [24].

2.2.1

Representation layer

The presentation layer is responsible for providing the human-computer interface of the system to guide the user to have a dialog with the system, completing the tasks of collecting historical assessment data, submitting decision parameters, inputting cases to be assessed, and outputting the assessment results to the user in an appropriate way.

2.2.2

Operational layer

The business layer provides the application programs of the system that are related to risk assessment decision support and is the pivotal part of the system operation. The business layer runs on a web server and connects to the client via HTTP, TCP/IP and other protocols. The business layer mainly includes rough set data analysis module, background knowledge acquisition module and problem solving module.

1) Rough set data analysis module: this module is the core module of the system, mining risk rules from a large amount of risk data, which is the main source of the knowledge base. It consists of preprocessing module and rule generation module. The preprocessing module completes tasks such as null estimation, discretization, and deletion of duplicate tuples, while the rule generation module is responsible for basic concept calculation, attribute approximation, and value approximation. Then filter out the rules that satisfy a certain credibility and coverage rate and store them in the knowledge base for user decision-making.

2) Background Knowledge Acquisition Module: The knowledge in the knowledge base comes from two sources. One is the empirical knowledge of domain experts and the other is the risk rules mined by the system. The background knowledge acquisition module is responsible for obtaining empirical knowledge from domain experts.

3) Problem solving module: the problem solving module consists of two parts: the reasoning machine and the interpretation system. The reasoning machine solves the problem with the knowledge rules in the knowledge base according to the case to be evaluated inputted by the user to derive the evaluation result, and then outputs the evaluation result to the user through the interpretation system.

2.2.3

Data layer

The SQLServer2005 database system, which is highly integrated with the .NET platform, is selected as the database system, and the overall solution of ADO.NET database in the .NET platform is adopted to solve the bottleneck brought by real-time operation of a large amount of data in a distributed environment, to realize the high-speed access capacity of large-scale and complex data, and to improve the efficiency and security of data computation.

Two databases are set up in the SQLServer2005 database system, one is used to save the historical assessment data, and the other is a knowledge base to save the mined risk rules and the empirical knowledge of domain experts. Since the data access is more frequent, the operations on the databases are encapsulated in the database operation module.

2.3

Trusted 3.0 network security risk assessment model based on rough sets

The cybersecurity risk assessment model constructed based on discrete rough sets in this chapter is mainly applied to the rough set data analysis module of the decision support system.

2.3.1

Rough set description for Trusted 3.0 network security risk assessment

The original information system of the Trusted 3.0 Cybersecurity Risk Assessment System can be viewed as a decision-making system with continuous attribute values, and the knowledge can be represented and processed in rough set theory by a quaternion, i.e., S=<U,C ∪ {d},V,f>, where:

U = {x₁,x₂,…,x_n} is the thesis domain, which is a non-empty finite set and represents the trusted 3.0 cybersecurity risk assessment sample set.

C = {a₁,a₂,…,a_m} is the non-empty finite set of conditional attributes, i.e., the set of trusted 3.0 cybersecurity risk assessment indicators.

d represents the result attribute, i.e., the result of the assessment of the network security.

V = V_C ∪ V_d is a set of attribute values, V_C = {V_a|a ∈ C} is a set of conditional attribute values, V_d is a set of decision attribute values, and the value of the ith object on the jth conditional attribute v_ij(i = 1,2,…,n; j = 1,2,…,m) is continuously varying.

f : U×C ∪ {d}→V is an information function indicating that there is f(x,a) ∈ V_a for ∀a ∈ C,x ∈ U.

2.3.2

GA-based discretization analysis of continuous attribute sets

In this paper, based on the basic idea of rough set theory, the classification ability is used as the evaluation criterion of discretization, and the continuous attribute discretization problem is transformed into the segmentation point optimization searching problem, and a discretization analysis method based on genetic algorithm for continuous attribute set is proposed, which discovers and removes the redundant segmentation points while keeping the required classification ability unchanged to the original discrete results are simplified, thus effectively reducing the search space of the mining algorithm.

1)

Problem description for continuous attribute set discretization

Let A=<U,C ∪ D> be a decision table, U = {x₁,x₂,…,x₄ be a non-empty finite set called the domain, c be the set of conditional attributes, and D be the set of decision attributes. Suppose for any c_i ∈ C, there are V_i = {s_i,e_i) ⊂ R, R are sets of real numbers, then c_i is a continuous attribute. Let P_i be the set of partition points on v_i, denoted: (1) $P_{i} = {c_{0}^{i}, c_{1}^{i}, c_{2}^{i}, \dots, c_{k_{1}}^{i}}$ \[{{P}_{i}}=\{c_{0}^{i},c_{1}^{i},c_{2}^{i},\cdots ,c_{{{k}_{1}}}^{i}\}\]

For a continuous attribute set C′ ⊆ C that needs to be discretized, the set of split points is denoted: (2) $P = \underset{c_{i} \in C^{'}}{\cup} {c_{i}} \times P_{i} = \underset{c_{i} \in C^{'}}{\cup} {(c_{i}, c_{0}^{'}), (c_{i}, c_{1}^{'}), (c_{i}, c_{2}^{'}), \dots, (c_{i}, c_{k_{i}}^{'})}$ \[P=\bigcup\limits_{{{c}_{i}}\in {{C}^{\prime }}}{\{{{c}_{i}}\}}\times {{P}_{i}}=\bigcup\limits_{{{c}_{i}}\in {{C}^{\prime }}}{\{(}{{c}_{i}},c_{0}^{\prime }),({{c}_{i}},c_{1}^{\prime }),({{c}_{i}},c_{2}^{\prime }),\cdots ,({{c}_{i}},c_{{{k}_{i}}}^{\prime })\}\]

The continuous values of attribute c_i are mapped to the discrete space, i.e., for any x_i ∈ U (k = 1,2,…,n), if the value of its attribute c_i is in the interval $[c_{j - 1}^{'}, c_{i}^{'}) (j \in (1, 2, \dots, k_{i}))$ $[c_{j-1}^{\prime },c_{i}^{\prime })(j\in (1,2,\cdots ,{{k}_{i}}))$, the value of the attribute is relabeled as j. This converts the original decision table A containing continuous attributes into a discretized decision table Aⁿ. Thus the discretization problem can be essentially boiled down to the problem of dividing the space of values of the attributes by using the selected partition points.

2)

Discretization method

The equal interval and equal informativeness methods are probably the simplest discretization methods. Equal interval segmentation involves dividing the value domain of a continuous attribute equally into k_i(k,∈ N) interval, k_i generally determined by the user. Equal-informativeness segmentation first ranks the measurements and then divides the attribute value domain into k_i intervals, each containing the same number of measurements.

Statistical test methods determine the validity of the segmentation points based on the degree of independence between the decision attribute analysis interval divisions.

For any segmentation point, it is possible to divide [s_i,e_i) into 2 intervals $L_{ϵ} = [s_{i}, c_{j}^{'})$ ${{L}_{\epsilon }}=[{{s}_{i}},c_{j}^{\prime })$ and $R_{ϵ} = (c_{i}^{'}, e_{i})$ ${{R}_{\epsilon }}=(c_{i}^{\prime },{{e}_{i}})$, and the degree of independence between the two intervals is: (3) $χ^{2} = \sum_{i = 1}^{2} \sum_{j = 1}^{r} \frac{{(n_{i j} - E_{i j})}^{2}}{E_{i j}}$ \[{{\chi }^{2}}=\sum\limits_{i=1}^{2}{\sum\limits_{j=1}^{r}{\frac{{{({{n}_{ij}}-{{E}_{ij}})}^{2}}}{{{E}_{ij}}}}}\]

Where: r is the number of decision classes and n_ij is the number of objects belonging to decision class j in interval 1: (4) $E_{y} = \frac{\sum_{k = 1}^{i} n_{x} \times \sum_{k = 1}^{2} n_{y}}{\sum_{k = 1}^{2} \sum_{m = 1}^{i} n_{k x}}, if E_{y} = 0, and E_{y} = 0.1$ \[{{E}_{y}}=\frac{\sum\limits_{k=1}^{i}{{{n}_{x}}}\times \sum\limits_{k=1}^{2}{{{n}_{y}}}}{\sum\limits_{k=1}^{2}{\sum\limits_{m=1}^{i}{{{n}_{kx}}}}},\text{if}{{E}_{y}}=0,\text{and }{{E}_{y}}=0.1\]

The discretization method based on statistical tests will select the segmentation point with larger value of χ^ι as the effective segmentation point. The method is local, static and tutored discretization method.

Information entropy based discretization methods have been studied most extensively. The basic idea of this method is to apply the class information entropy as an evaluation criterion for the superiority or inferiority of segmentation points. The class information entropy of the division formed by the partition point $c_{j}^{'} \in P_{i} (0 < j < k_{i})$ $c_{j}^{\prime }\in {{P}_{i}}(0<j<{{k}_{i}})$ of attribute cli is: (5) $E (c_{i}, c_{j}^{'}; U) = \frac{| U_{i_{c}} |}{| U |} E n t (U_{i_{c}}) + \frac{| U_{i_{c}} |}{| U |} E n t (U_{i_{c}})$ \[E({{c}_{i}},c_{j}^{\prime };U)=\frac{|{{U}_{{{i}_{c}}}}|}{|U|}Ent({{U}_{{{i}_{c}}}})+\frac{|{{U}_{{{i}_{c}}}}|}{|U|}Ent({{U}_{{{i}_{c}}}})\]

3)

GA-based problem solving for discretization of continuous attribute sets

Genetic Algorithm (GA) is a highly parallel, stochastic, adaptive search algorithm that draws on the natural selection and natural genetic mechanisms in biology, which uses structured random exchange techniques to combine the best survival factors in each structure of a population to form the best code strings and make them evolve from generation to generation to ultimately obtain a satisfactory optimization result [25]. In this paper, we transform the segmentation point selection problem of continuous attribute discretization into an optimization seeking problem of segmentation point combination, and propose a local, dynamic, and tutored discretization method. Firstly, the partition point space is genetically coded to form a chromosome with the partition point codes, and the fitness function based on rough set theory is used to inspire and guide the evolution, and ultimately get the more optimal partition point combination code string that can fully reflect the effect of the discretization, so as to find all the partition points of the discretized continuous attribute set.

(1)

Genetic coding

Represent all segmentation points as binary strings of definite length, where each segmentation point is associated with a part of the string. Specifically, let the set of continuous attributes C′ = {c₁,c₂,…,c_n}, and for any c_i ∈ C′ choose a binary code of length t_i to represent segmentation point $c_{j}^{'} (j \in (1, 2, \dots, k, - 1))$ $c_{j}^{\prime }(j\in (1,2,\cdots ,k,-1))$, then the string length of all segmentation points representing attribute c_i is l(i)(k_i–1). The value correspondence between segmentation point $c_{j}^{'}$ $c_{j}^{\prime }$ and the binary code of length l(i) can be determined by the following equation: (6) $c_{i}^{'} = s_{i} + \frac{\sum_{s = 1}^{l (s)} m (s) 2^{s - 1}}{2^{l (s)} - 1} (e_{i} - s_{i})$ \[c_{i}^{\prime }={{s}_{i}}+\frac{\sum\limits_{s=1}^{l(s)}{m}(s){{2}^{s-1}}}{{{2}^{l(s)}}-1}({{e}_{i}}-{{s}_{i}})\]

Where m(s) is the encoded value of bit s in a binary code of length t(i). The binary string formed by encoding all the attributes in c′ is of length: (7) $l = \sum_{i = 1}^{n} l (i) (k_{i} - 1)$ \[l=\sum\limits_{i=1}^{n}{l}(i)({{k}_{i}}-1)\]

Thus, the size of the search space for the continuous attribute set discretization problem is 2^l. The choice of I(i) is related to the size of the argument domain U. For example, if |U|= 200, continuous attribute set C′ = {c₁,c₂,c₃},k₁ = k₂ = 4, k₃ = 3, is chosen for I(1) = I(2) = I(3) = 5, then I = 5×3+5×3+5×2 = 40, the search space size of the problem is 2⁴⁰ ≈ 10¹².

(2)

Adaptation function

Rough set theory relies on the classification ability of the knowledge in analyzing the decision table, for decision table A = {U,C ∪ {d}}, the classification ability of the knowledge c′ ⊆ C decision based on the VP-MD model is: (8) $k = γ_{_{A}} (C^{'}, d) = \frac{C a r d (\underset{_{X \in U / d}}{\cup} {\underline{B}}_{_{β, δ_{0}}} (X))}{C a r d (U)}$ $k={{\gamma }_{_{A}}}({C}',d)=\frac{Card(\underset{_{X\in U/d}}{\mathop{\bigcup }}\,{{{\underset{\raise0.3em\hbox{$\smash{\scriptscriptstyle-}$}}{B}}}_{_{\beta ,{{\delta }_{0}}}}}(X))}{Card(U)}$

γ_A(C′,d) gives applied knowledge c′ can correctly classify the percent of d classes to be used as a fitness function for the genetic algorithm.

(3)

Genetic operators

a) Replication operator. Replicates individuals from the current population into the new population with a probability proportional to the fitness value, the replication process applies a gambit technique to select the string to be replicated. The effect of the replication operator will increase the average fitness value of the population.

b) Hybridization operator. With some probability p_e select any 2 chromosomes from the mating pool for multipoint hybridization. The method is as follows: pick 2 chromosome strings and determine with probability whether or not they hybridize; if no hybridization occurs, take another 2 chromosome strings; otherwise, first generate m random numbers r(i)(c_i ∈ C′) ranging from 1 to l(i)(k,–1)–1, and then the paired 2 strings exchange bits from $\sum_{i = 1}^{1} l (j) (k_{i} - 1) + r (i) + 1$ $\sum\limits_{i=1}^{1}{l}(j)({{k}_{i}}-1)+r(i)+1$ to $\sum_{j = 1}^{n - 1} I (j) (k_{i} - 1) + l (i) (k_{i} - 1)$ $\sum\limits_{j=1}^{n-1}{I}(j)({{k}_{i}}-1)+l(i)({{k}_{i}}-1)$ in correspondence with each other.

c) Mutation operator. Randomly change some bits on a chromosome string with a small probability p. The method is as follows: pick 1 chromosome strings, determine with probability whether they are mutated or not, if not mutated, take another chromosome string, otherwise, generate m random numbers r(i)(c_i ∈ C′) ranging from 1 to l(i)(k_j–1), and then change the $\sum_{j} = 1^{n - 1} I (j) (k_{j} - 1) + r (i)$ $\sum\limits_{j}{=}{{1}^{n-1}}I(j)({{k}_{j}}-1)+r(i)$th bit of the string.

(4)

Algorithm flow

The process is designed according to the simple genetic algorithm as follows:

Step 1: Determine the relevant parameters of the genetic algorithm: population size N, maximum number of generations M, hybridization probability p, mutation probability p_n, downtime criterion.

Step 2: Initialize the population: randomly generate N chromosomes that represent the set of partition points.

Step 3: Convert the decision table A into A^p (N in total) according to the set of split points represented by each individual in the population.

Step 4: Calculate the adaptation value of each individual in the population: according to decision table a′, calculate the categorical energy of knowledge c′ relative to D γ_A^p(C′,D).

Step 5: Apply replication, hybridization and mutation operators to generate the next generation population.

Step 6: If the stopping condition is satisfied, designate the best string of individuals appearing in any generation as the result of the execution of the genetic algorithm and exit the program, otherwise, go to Step 3.

2.3.3

Trusted 3.0 network security risk assessment index approximation

Since rough set is a discrete knowledge inference system based on symbolic operations, it is required that the values in the decision table must be discrete data [26]. Trusted 3.0 cybersecurity risk assessment indicator data items are usually continuous or qualitative values, for which preprocessing of sample data for trusted 3.0 cybersecurity risk assessment is required. Data preprocessing needs to quantify the qualitative values, and usually adopts equal distance division, equal frequency division, discretization first method combining Boolean logic and Rough set theory, and discretization algorithm based on the importance of attributes, etc., but such processing will also bring some loss of information. Combined with the characteristics of trusted 3.0 network security risk assessment index data, this paper adopts the following methods for sample data preprocessing.

Definition 1: Let S = (U,C ∪ {d}) be a cybersecurity decision-making system, V_a = {v₁,v₂,…,v_l} be a set of trusted 3.0 cybersecurity risk assessment metrics (set of conditional attributes), and d be an assessment result (decision attribute). If a is a qualitative attribute (e.g., string type, enumeration type), the similarity of attribute value v_i,v_j is defined as: (9) $μ_{a} (ν_{i}, ν_{j}) = {\begin{array}{l} 1, ν_{i} = ν_{j} \\ 0, ν_{i} \neq ν_{j} \end{array}$ \[{{\mu }_{a}}({{\nu }_{i}},{{\nu }_{j}})=\left\{ \begin{array}{*{35}{l}} 1,{{\nu }_{i}}={{\nu }_{j}} \\ 0,{{\nu }_{i}}\ne {{\nu }_{j}} \\ \end{array} \right.\]

If a is a discrete numeric attribute (e.g., integer), the similarity of attribute value v_i,v_j is defined as: (10) $μ_{a} (ν_{i}, ν_{j}) = 1 - \frac{| ν_{i} - ν_{j} |}{M - 1}$ \[{{\mu }_{a}}({{\nu }_{i}},{{\nu }_{j}})=1-\frac{|{{\nu }_{i}}-{{\nu }_{j}}|}{M-1}\]

where M is the number of discrete attribute values. If a is a continuous-valued attribute (e.g., real type), the similarity of attribute value v_i,v_j is defined as: (11) $μ_{a} (v_{i}, v_{j}) = 1 - \frac{| v_{i} - v_{j} |}{a_{\max} - a_{\min}}$ \[{{\mu }_{a}}({{v}_{i}},{{v}_{j}})=1-\frac{|{{v}_{i}}-{{v}_{j}}|}{{{a}_{\max }}-{{a}_{\min }}}\]

where a_max and a_min are the maximum and minimum values of attribute a, respectively.

Definition 2: Let S = (U,C ∪ {d}) be a trusted 3.0 cybersecurity risk assessment system, C = {a₁,a₂,…,a_l} be the set of assessment metrics, and d be the assessment result, then the similarity of object x_i,x_j is defined as: (12) $μ_{C} (x_{i}, x_{j}) = \frac{1}{l} \sum_{k = 1}^{l} μ_{a_{k}} (ν_{i_{k}}, ν_{j_{k}})$ \[{{\mu }_{C}}({{x}_{i}},{{x}_{j}})=\frac{1}{l}\sum\limits_{k=1}^{l}{{{\mu }_{{{a}_{k}}}}}({{\nu }_{{{i}_{k}}}},{{\nu }_{{{j}_{k}}}})\]

where v_{i_k},v_{j_k} is the value of object x_i,x_j with respect to assessment metric a_k, respectively.

Some attributes, though of discrete enumerative type, can be converted to discrete numeric type if their values can be ordered. For example, the indicator security vulnerability in trusted 3.0 cybersecurity risk assessment usually takes three enumerated values: high-risk, dangerous, and general, which can be ordered according to the degree of harm, and thus can be converted into discrete numeric values when calculating the similarity between the elements.

Decision information system attribute approximation algorithm:

Input: a decision information system S = (U,C ∈ {d}), where C = {a₁,a₂,…,a_l} is a conditional attribute that takes continuous or discrete values and d is a decision attribute that takes discrete values.

Step 1: Calculate the two-by-two similarity between the objects (calculated as in Definition 2) to obtain the fuzzy similarity matrix R.

Step 2: Calculate the transfer closure $\hat{R}$ \[\hat{R}\] of the fuzzy matrix R ( $\hat{R}$ \[\hat{R}\] is a fuzzy equivalence relation) and determine the threshold λ as follows:

1) Order the values of the elements of the fuzzy matrix $\hat{R}$ \[\hat{R}\] from largest to smallest, as in α₁ > α₂ > … > a_k (k is the number of different values in $\hat{R}$ \[\hat{R}\]):

2) Make i = 1.

3) For λ_i ∈ (α_i+1,α_i], perform clustering (equivalence classes determined by conditional attributes) at the λ_i level by $\hat{R}$ \[\hat{R}\] for U, i.e., if $μ_{\hat{R}} (x_{i}, x_{j}) > λ_{i}$ ${{\mu }_{{\hat{R}}}}({{x}_{i}},{{x}_{j}})>{{\lambda }_{i}}$, then x_i,x_j is in the same class, and compute the degree of compatibility at the λ_i level. If its degree of compatibility is less than 1, go to (5).

4) If i < k–1, then i = i+1, go to (3).

5) Determine the read value of fuzzy clustering is α_i.

Step 3: Initialize the attribute approximation set: B←C.

Step 4: Make j = 1.

Step 5: For a_j ∈ B, classify U for conditional attribute set B–{a_j} under threshold α_i in the same way as Definition 2 and Step 2. If POS_{B–(a_j)}(D) = POS_B(D), then B←B–{a_j}.

Step 6: If j < n, then j = j+1, go to step 5.

Step 7: Output attribute approximation set B.

For decision information system S = (U,C ∪ {d}), S = (U,C ∪ {d}) is said to be fully parsimonious if all attributes in C are indistinguishable and there are no duplicate objects with exactly the same attribute values in U.

2.3.4

Trusted 3.0 network security risk assessment rule extraction

According to the above analysis, computer trusted 3.0 cybersecurity risk assessment can be regarded as a decision system with continuous attribute values S = (U,C ∪ {d}V,f), where the non-empty finite set X = {x₁,x₂,…,x_n} denotes the sample set of trusted 3.0 cybersecurity risk assessment. Conditional attribute set C = {a₁,a₂,…,a_m} denotes the trusted 3.0 network security risk assessment indicator set. Decision attribute d denotes the assessment result of cybersecurity. V = V_C ∪ V_d is the set of attribute values, V_C = {V_a|a∈C} is the set of conditional attribute values, V_d is the set of decision attribute values, and the value V_ij(i = 1,2,…,n; j = 1,2,…,m) of the ith object on the jth conditional attribute is continuously varying. The information function f:U×(C ∪ {d})→V indicates that there is f(x,a) ∈ V_a for ∀ a ∈ C,x ∈ U.

Based on the above discussion, this paper proposes a trusted 3.0 network security risk assessment rule based on mixed attribute values (continuous values, qualitative discrete values, and quantitative discrete values). In order to eliminate the influence of different metric units of different indicators, before calculating the similarity matrix, the continuous value data are first normalized.

Step 1: Normalize the continuous attribute values with the following formula: (13) $x^{'} = \frac{x - a_{\min}}{a_{\max} - a_{\min}}$ \[{x}'=\frac{x-{{a}_{\min }}}{{{a}_{\max }}-{{a}_{\min }}}\]

where a_max and a_min are the maximum and minimum values of attribute a, respectively.

Step 2: The Trusted 3.0 Cybersecurity Risk Assessment System S = (U,C ∪ {d}) is simplified according to the above proposed attribute simplification algorithm to obtain the simplified decision information system S = (U,C′ ∪ {d}), C′ = {a₁,…,a_s}.

Step 3: From S = (U,C′ ∪ {d}) and the thresholds λ determined during attribute approximation, an equivalent categorization U/ind(C′) = {X₁,…,X_n}, U/ind(d) = {Y₁,…,Y_m} based on the security assessment metrics C′ and the assessment results is obtained.

Step 4: For each $u \in X_{i}, u = (a_{1}^{i}, \dots, a_{m}^{i})$ $u\in {{X}_{i}},u=(a_{1}^{i},\cdots ,a_{m}^{i})$, here if a_j is a discrete attribute value, then $a_{j}^{i} = a_{j}$ $a_{j}^{i}={{a}_{j}}$ if a_j is a continuous attribute value: (14) $a_{j}^{i} = \frac{\sum_{u_{k} \in X_{i}} f (u_{k}, a_{j})}{| X_{i} |}$ \[a_{j}^{i}=\frac{\sum\limits_{{{u}_{k}}\in {{X}_{i}}}{f}({{u}_{k}},{{a}_{j}})}{|{{X}_{i}}|}\]

Step 5: Construct decision rule: $\land_{k = 1}^{m} (a_{k}, a_{k}^{i}) \to Y_{k}$ $\wedge _{k=1}^{m}({{a}_{k}},a_{k}^{i})\to {{Y}_{k}}$, here X_i ∈ Y_ki,i = 1,2,…,n,k_i = 1,2,…,s.

Step 6: Transform the [0, 1] interval value to the original value with the formula: (15) $x = (a_{max} - a_{min}) x^{'} + a_{min}$ $x=({{a}_{\text{max}}}-{{a}_{\text{min}}}){{x}^{\prime }}+{{a}_{\text{min}}}$

2.3.5

Network Security Risk Assessment Modeling

After completing the above process, the model construction can be carried out according to the obtained decision rules to obtain an operational trusted 3.0 network security risk assessment model. According to the analysis and decision rules in the previous section, refer to the international and domestic standard descriptions of risk assessment, summarize the decision rules, and build the trusted 3.0 network security risk assessment model as shown in Fig. 2.

3

Empirical analysis

3.1

Algorithm Validation

In order to verify the effectiveness of the GA-based continuous attribute set discretization analysis method, this paper compares it with the equal frequency split-box (FreDiv) and ExtChi2 algorithms, which are tested by using the datasets (Iris, Breast, Wine, and Sonar) in UCI. The basic information of the selected data is shown in Table 1. The number of categories in the selected dataset is between 3 and 5.

Table 1.

Data set information description

Data set	Number of continuous properties	Class number	Instance number
Iris	6	3	132
Breast	11	3	631
Wine	9	4	241
Sonar	68	5	213

As a comparison, the above four datasets are discretized using the discretization algorithm proposed in this paper, equal frequency binning, ExtChi2.ExtChi2 algorithm is an improved algorithm based on ChiMerge using x² statistic. In this paper, Support Vector Machines (SVMs) are used to classify the discretized set of breakpoints. Java language programming is used to implement the algorithm of this paper, and different discrete algorithms are used to run the classification process, and a total of 20 tests are conducted, and 80% of each dataset is randomly selected as the training set and the remaining 20% is used as the test set during the test. After completing the above settings for the classification process, the comparison of the prediction accuracy of several discretization algorithms obtained is shown in Figure 3. According to the analysis of the experimental result data, the method of this paper is better than ExtChi2 algorithm when dealing with larger amount of data and number of attributes.ExtChi2 algorithm has achieved 100% result in prediction accuracy when dealing with Iris dataset, the main reason for this is that the ExtChi2 algorithm is bottom-up and its effect of dealing with smaller amount of data is better than that of the top-down effect. Although the prediction accuracy of FreDiv is all 100%, this equal frequency binning method does not really discretize, but only divides the attributes into fixed lengths, which does not achieve the effect of discretization, so in the end, we should also pay attention to whether the spatial dimensions of the discretization have been reduced or not.

3.2

Experimental analysis

3.2.1

Experimental data

In order to test the reasonableness and correctness of the proposed discrete rough set based trusted 3.0 network security risk assessment method in this paper, Matlab 7.0 is borrowed to conduct simulation experiments. Based on DARPA1999 intrusion detection dataset, 100 samples of monitoring data are taken as experimental data. Firstly, the original data are normalized with the normalization formula $x_{i}^{'} = \frac{x_{i} - x_{\min}}{x_{\max} - x_{\min}}$ \[x_{i}^{'}=\frac{{{x}_{i}}-{{x}_{\min }}}{{{x}_{\max }}-{{x}_{\min }}}\], and the value of [0, 1] is obtained after processing. Then the 100 experimental data are divided into 90 training sample sets and 10 test sample sets for this trusted 3.0 network security risk assessment experiment.

3.2.2

Trusted 3.0 network security risk assessment index system

In the trusted 3.0 network security risk assessment, the selection of the evaluation index system is the key to the evaluation research, which will directly affect the accuracy of the whole evaluation results. The evaluation index system should reflect the basic characteristics and basic conditions of the network security posture as much as possible. In this paper, the network security posture indicators are divided into four independent first-level indicators: vulnerability, disaster tolerance, threat and stability. Each first-level indicator contains several second-level indicators, as follows:

1) Secondary indicators related to vulnerability. There are the number of vulnerabilities, the number of security devices, the network topology, the types of services and the number of open ports of key devices.

2) Secondary indicators related to disaster tolerance. There are bandwidth, the number of security devices, the number of concurrent threads in the subnet as long as the server supports, the frequency of key devices accessing the mainstream security network, and so on.

3) Secondary metrics related to threateningness. There are the number of alarms, bandwidth utilization, historical rate of security events, data inflow, IP distribution, etc.

4) Secondary indicators related to stability. There are the average survival time of key devices, the rate of change of subnet traffic, the average fault-free time of subnets, and the number of surviving key devices in subnets.

3.2.3

Analysis of assessment results

This paper takes the threatening indicators as an example, and uses the trusted 3.0 network security risk assessment method based on BP neural network and the trusted 3.0 network security risk assessment method based on discrete rough set in this paper to conduct a comparative study to analyze the superiority of the rough set method.

After the analysis of rough set theory, nine secondary indicators are screened out respectively: a indicates the number of alarms. b indicates the bandwidth utilization rate. c indicates the security event rate. d indicates the service distribution of key devices. e indicates the data inflow. f indicates the growth rate of inflow. g indicates the distribution of packets with different protocols. h indicates the distribution of packets with different sizes. i indicates the distribution of source IPs of packets flowing into the network. .

Let the condition attribute in the decision information table be a posture indicator. The decision attributes are categorized as 1 for high. 2 for medium. 3 for low. After rough set theory approximation and kerneling, the simplest decision information is obtained as shown in Table 2. A total of 10 rules are extracted.

Table 2.

The simplest decision information table

Rule	Condition									Decision D
Rule	a	b	c	d	e	f	g	h	i	Decision D
1	1	2	3	-	2	-	3	1	-	1
2	1	-	2	-	-	3	-	-	1	1
3	-	3	2	-	-	1	-	2	3	3
4	-	-	-	2	3	-	-	1	3	2
5	3	-	2	-	1	-	-	2	1	2
6	3	-	1	-	-	2	2	-	2	3
7	-	3	-	-	-	1	-	3	2	3
8	2	-	1	-	-	2	3	1	2	2
9	1	-	-	3	-	-	-	3	-	1
10	3	2	-	1	-	2	3	3	-	3

The comparison of the actual and desired outputs of the test samples through Matlab 7.0 simulation experiments is obtained as shown in Table 3. The maximum relative error of the test sample is 2.54%.

Table 3.

Rough set evaluation results

Sample number	Actual output	Expected output	Relative error/%	Threat level
91	0.887	0.865	2.54	Height
92	0.843	0.828	1.81	Medium
93	0.869	0.859	1.16	Height
94	0.826	0.817	1.1	Height
95	0.524	0.531	1.32	Low
96	0.324	0.325	0.31	Height
97	0.334	0.339	1.47	Height
98	0.861	0.875	1.6	Medium
99	0.212	0.207	2.42	Low
100	0.403	0.409	1.47	Low

The assessment of the testing data provided in this paper is based on the BP neural network assessment method, which consists of 9 input nodes, 4 hidden layer nodes, and 1 output node, and its assessment results are shown in Table 4. Comparing the experimental results shown in Table 2 and Table 3, it can be seen that the trusted 3.0 network security risk assessment method based on discrete rough set is more obvious than the BP neural network method, and the use of discrete rough set for assessment makes the relative error of the test samples <2.54%, which is obviously smaller than the relative error of the BP neural network assessment method <15.38%, which mainly lies in the use of the rough set theory for the assessment indicators This is mainly due to the use of rough set theory on the assessment indicators and data redundancy, high-dimensional processing, thus reducing the impact of unfavorable factors on the assessment.

Table 4.

BP neural network evaluation results

Sample number	Actual output	Expected output	Relative error/%	Threat level
91	0.875	0.865	1.16	Height
92	0.837	0.828	1.09	Medium
93	0.885	0.859	3.03	Height
94	0.862	0.817	5.51	Height
95	0.551	0.531	3.77	Low
96	0.375	0.325	15.38	Height
97	0.343	0.339	1.18	Height
98	0.837	0.875	4.34	Medium
99	0.201	0.207	2.9	Low
100	0.365	0.409	10.76	Low

To summarize: the rough set-based cybersecurity risk assessment model is very close to the expert's expected results, and it can be fully adapted to the comprehensive assessment of the trusted 3.0 cybersecurity posture in order to provide a reference when making decisions.

4

Conclusion

The study constructs a trusted 3.0 network security decision support system based on discrete rough sets, and constructs a trusted 3.0 network security risk assessment model in the rough set data analysis module of the system.

The GA-based continuous attribute set discretization analysis method applied in the model has the optimal discretization effect compared with the equal-frequency split box and ExtChi2 algorithm.

The discrete rough set based trusted 3.0 network security risk assessment method is compared with the BP neural network method. The relative error of the test samples under this paper's method is maximum 2.54%, and the relative error of the BP neural network assessment method is maximum 15.38%. It shows that the method of this paper can be more accurate for 3.0 network security risk assessment and provide a reliable basis for decision support.

Acknowledgement

Supported by Science and Technology Projects (Research on integration of distributed photovoltaic access and communication security based on endogenous security framework in new power systems) of Jilin Jineng Electric Power Communication Co., Ltd.

Langue:: Anglais

Périodicité:: 1 fois par an
Sujets de la revue:: Sciences de la vie, Sciences de la vie, autres, Mathématiques, Mathématiques appliquées, Mathématiques générales, Physique, Physique, autres

RSS Feed de la revue

A Trusted 3.0 Network Security Risk Assessment and Decision Support System Based on Discrete Rough Sets

Weijia Su

Shengda Wang

Danni Liu

Xiaofu Sun

Han Xu

Publié en ligne: 17 mars 2025

Reçu: 06 nov. 2024

Accepté: 19 févr. 2025

DOI: https://doi.org/10.2478/amns-2025-0224

Mots clésDiscrete rough set, Trusted 3.0, Rule extraction, Decision support system, Risk assessment

© 2025 Weijia Su et al., published by Sciendo

This work is licensed under the Creative Commons Attribution 4.0 International License.

Mots clés
Discrete rough set, Trusted 3.0, Rule extraction, Decision support system, Risk assessment