A Network Security Situational Assessment Method Considering Spatio-Temporal Correlations

Abstract

Network security situational assessment is crucial for network monitoring and management. Existing methods often fail to consider spatio-temporal correlations, limiting their accuracy. This paper proposes a method that integrates these correlations for improved assessment. The method first addresses the challenges posed by numerous nodes and large time-series data by designing an anomaly detection approach based on network state fluctuations and symmetry. It filters time window data to identify key symmetrical patterns, reducing computational overhead. Next, an assessment metric is developed for a single time window, incorporating both temporal and spatial components. Temporal assessment measures fluctuations between consecutive time windows, while spatial assessment identifies four types of abnormal spatial situations. Finally, assessment results across time windows are aggregated, considering both historical and current events. Historical event impacts are attenuated using a decay function, while current events are weighted by their progression stage. Experiments using multiple network datasets validate the method’s effectiveness and reasonableness in assessing network security. The average execution time of the BP method is 3.8987 s. The average execution time of the proposed method is 0.2117 s, saving 3.687 s compared to the BP method. The average execution time of the LSTM (Long Short-Term Memory) method is 0.9427 s, saving 2.956 s compared to the BP method, but it is still 0.731 s slower than the proposed method.

1. Introduction

In the digital age, the rapid advancement of technologies such as network communication and big data has significantly enriched and facilitated our lives. However, these advancements have also introduced a range of network security challenges. On 7 January 2025, the China Cybersecurity Association released the Cybersecurity Situation Report for December 2024. The report revealed that, in November 2024, approximately 253,308 DDoS attacks were blocked, 3.847 billion malicious programs were intercepted, and over 41.392 billion attacks were detected and defended against, representing an 18.4% month-on-month increase. This growing threat landscape has highlighted the importance of Network Security Situation Awareness (NSSA) technology.

NSSA encompasses several components, including situational element extraction, situational understanding, and situational prediction. Among these, network security situation assessment is a critical aspect of NSSA. Its primary goal is to collect various security factors from the network system and use a security indicator system to build an assessment model, enabling a comprehensive evaluation of the network’s security state. Unlike research focused on individual security events, network security situational assessment aims to provide a holistic evaluation of both current and potential threats to the network system [1]. It dynamically reflects the network’s operational state, offering a macro-level understanding of its security posture, which, in turn, aids in decision making and strengthens overall security.

Faced with increasingly complex network environments, current network security situational assessment methods encounter several challenges, such as large-scale networks, numerous nodes, and the diversification of attack techniques. The evaluation data typically exhibit high dimensionality and a large scale, along with complex spatio-temporal relationships [2]. Ensuring evaluation accuracy while improving operational efficiency has become a key issue that needs to be addressed. Existing network security situational assessment methods have alleviated these problems to some extent and made significant progress. However, many of these methods rely on model predictions of attack event probabilities rather than directly evaluating the underlying metrics that represent the network state [3,4]. While some models consider underlying metrics such as memory and CPU usage, they fail to effectively capture the spatial distribution changes between the states of multiple nodes [5,6]. Consequently, these methods still have limitations in addressing the aforementioned challenges. Designing an efficient and accurate network security situational assessment model has thus become a critical research direction in the field of network security.

To address the aforementioned challenges, this paper proposes a network security situational assessment method that evaluates low-level indicators capable of representing the states of network nodes. The method quantifies the temporal and spatial variations of multi-node anomalous states as evaluation factors. Additionally, two types of anomaly event assessment functions are introduced. The goal is to ensure evaluation efficiency while placing a strong emphasis on the spatio-temporal dynamics of network node states. The main contributions of this study are as follows:

• Anomaly Event Identification Method: Given the large number of nodes and the massive volume of time-series data in the network to be assessed, we propose a novel anomaly event identification method based on network state fluctuations. This method uniquely transforms the multidimensional time-series matrix of node states into a consolidated network state time-series dataset. It not only identifies periods of anomalous state fluctuations but also retains time window data of abnormal events that significantly influence subsequent assessments while eliminating irrelevant data to minimize computational overhead. The novelty of this approach lies in its ability to efficiently capture and focus on critical anomaly events that drive network security changes while filtering out less impactful data, enhancing both the precision and efficiency of the assessment process.
• Spatio-Temporal Situational Assessment for a Single Time Window: (1) Temporal Assessment: An anomalous node set is constructed for each time window, containing all nodes with abnormal states within that window. Considering the varying impact of anomalous node states on the network’s situational dynamics based on node types, a weighted accumulation of abnormal states, based on node importance, is used to represent the anomalous state for each time window. The magnitude of fluctuations in anomalous states between adjacent time windows is then quantified and used as an evaluation factor for the temporal situational assessment. (2) Spatial Assessment: A node state spatial distribution matrix is constructed for each time window, where each matrix element includes information about the node’s upper-level nodes in the network topology. This allows for the identification of spatial domains formed by interconnected nodes within the matrix. In designing the spatial situational impact factor, it is considered that the impact on the overall situation from multiple anomalous nodes forming a connected domain in the spatial distribution is significantly greater than the impact from scattered anomalous nodes. Therefore, a situational impact assessment function for spatial domains is introduced. The difference in the spatial distribution of anomalous states between adjacent time windows is quantified and used as an evaluation factor for the spatial situational assessment.
• Comprehensive Spatio-Temporal Assessment: All situational assessment components across all time windows and abnormal events are aggregated. Abnormal events are categorized into historical and current events. (1) A historical anomaly event assessment function is proposed, based on a decay coefficient, where the situational assessment results gradually attenuate as the distance between the assessment window and the current time window increases. (2) A current anomaly event assessment function is proposed, based on the impact of event progression stages. This function quantifies the development of abnormal events by calculating the slope of changes in the number of anomalous nodes within the assessment window. A slope-based dynamic influence function is designed, where greater changes in node quantity (higher slope) correspond to higher impact weights, thus more accurately reflecting the dynamic influence of current anomaly events on network security posture.

The remainder of this paper is organized as follows: in Section 2, related work is introduced, outlining the progress of existing research on network security situational assessment and the unresolved issues; Section 3 provides the foundational knowledge for this study; Section 4 presents the proposed spatio-temporal network situational assessment method based on anomaly events; Section 5 validates the effectiveness of the proposed method through experimental comparisons and data analysis; finally, Section 6 concludes this paper.

2. Related Works

Network security situation assessment is a method that analyzes the operation data of a network over a recent period using algorithmic models, resulting in an assessment that reflects the current network security status [7]. In order to better safeguard network security, many scholars have conducted in-depth research on the issue of network security situation assessment. Currently, network security situation assessment algorithms are mainly categorized into two directions: mathematical models [8,9] and machine learning [10,11], as shown in

Table 1. Overview and comparison of situation assessment methods.

Approach	Year	Author(s)	Characteristics
Mathematical Mode	2022	Jinwei Yang et al. [12]	Assessment method based on attack graph
Mathematical Mode	2022	Chen Long et al. [13]	Using improved CRITIC and gray correlation analysis
Mathematical Mode	2023	Xu Zhi et al. [14]	Using hidden Markov and artificial immunization
Mathematical Mode	2023	Xu Jian et al. [15]	Assessment method based on evidential reasoning
Mathematical Mode	2024	QingQing Yang et al. [16]	Using a selection covariance matrix process
Machine Learning	2022	Xiao Peng et al. [17]	Assessment method based on IABC and clustering
Machine Learning	2022	Zhang Ran et al. [18]	Assessment model based on SAA-SSA-BPNN
Machine Learning	2022	Yang Hongyu et al. [19]	Assessment method based on parallel feature extraction network and attention mechanism improved BiGRU
Machine Learning	2023	Ren Gaoke et al. [20]	Using GA-LightGBM based on PRF-RFECV feature optimization
Machine Learning	2023	Baoshan Xie et al. [21]	Using feature optimization and improved SSA-LightGBM
Machine Learning	2023	Sun Junfeng et al. [22]	Using TCP-BiLSTM
Machine Learning	2024	Chen Qiuqiong et al. [23]	Assessment method based on MIDBO-SVR
Machine Learning	2024	Zhao Dongmei et al. [24]	Assessment model based on improved selective kernel convolutional neural network and support vector machine
Machine Learning	2024	Guo Shangwei et al. [25]	Assessment method based on fusion model
Machine Learning	2024	Peng Xingwei et al. [26]	Assessment method based on deep learning

.

Many scholars have employed mathematical modeling approaches for assessing network security situations. In 2022, considering the characteristics of intrusion detection and attack graphs in situational awareness, Jinwei Yang et al. [12] proposed a network security situational awareness technology based on intrusion detection by combining both. This method first improves the accuracy of intrusion detection, ensuring data accuracy, and then combines the intrusion detection results with attack graphs generated by MulVAL, using a hidden Markov model to assess the current network situation. However, further research and empirical analysis are needed to verify the universality and practicality of the method. In 2022, Chen Long et al. [13] identified a flaw in traditional gray relational analysis methods, which do not consider the correlation between indicators and the deficiencies in quantitative standards when handling network security situations. They proposed an improved CRITIC method based on the coefficient of variation combined with a quantitative gray relational analysis algorithm. This method calculates the weights of each indicator by incorporating activation entropy and the coefficient of variation and then applies these weights to an improved superiority–inferiority sequence comparison analysis algorithm to compute the quantified value of network security situations. However, this model handles sequence data in a single-dimensional way and requires more data to verify its effectiveness and reliability. In 2023, aiming to overcome the shortcomings of the Markov model in determining the network security state transition probabilities, which rely on expert experience and are overly subjective, Xu Zhi et al. [14] proposed a method based on artificial immune algorithms and the hidden Markov model for network security situational assessment. This method describes the network security state transition process using a hidden Markov model in the context of power information collection networks, and calculates the transition probability matrix between different states using the artificial immune algorithm. Finally, it combines the risk loss vector to obtain the security situation assessment value. The feasibility of this method was verified by experiments, but the different definitions of security states in the early-stage data could affect the evaluation results. In 2023, based on the peak values of attack and normal behavior, Xu Jian et al. [15] proposed a security strategy combining attack and normal behavior to measure the changes in network security situations. They introduced a dual-layer evidence reasoning rule, setting factors such as traffic, CPU utilization, memory consumption, and disk usage as lower-level attributes and the top-level attribute as the wireless network security situation level. The reliability and rationality of this method were verified by experiments, but it lacks practical evaluation methods. In 2024, QingQing Yang et al. [16] proposed a model based on the assessment indicators affecting industrial Internet network security, which uses the ER iterative algorithm and mutation method to fuse the evaluation indicators. Based on the fusion results, they established a security situation assessment model and optimized the model parameters using the Selection Covariance Matrix Adaptive Evolution Strategy (S-CMA-ES). This method effectively addresses the issue of reduced modeling accuracy caused by insufficient data, but the evaluation model does not consider the spatial relationships between multiple nodes.

Several scholars have also applied machine learning techniques to assess network security situations. In 2022, Xiao Peng et al. [17] used the improved density peak clustering algorithm for clustering analysis, resulting in multiple data classifications. They then optimized the parameters of an RBF neural network using the IABC algorithm and trained data within each category to assess network security situational awareness. However, when dealing with large amounts of data, the clustering algorithm’s computational complexity is high, and the results are difficult to interpret and overly reliant on data. In 2022, Zhang Ran et al. [18] used a simulated annealing algorithm to optimize the sparrow search algorithm, improving BP neural networks for network security situational awareness. They proposed an SAA-SSA-BPNN-based assessment model, solving issues such as the sparrow search algorithm getting stuck in local optima and BP neural networks’ difficulty in determining optimal weights and thresholds. This improved assessment accuracy and convergence speed, but BP neural networks’ time complexity was affected by sample size and was relatively high. In 2022, Yang Hongyu et al. [19] proposed an improved BiGRU-based method for network security situational assessment, incorporating an attention mechanism to enhance the BiGRU network. This method solves the efficiency issues that BiGRU faces when learning long sequence data. The experimental results show that this method provides higher accuracy and efficiency, though the model has many parameters and is prone to overfitting. In 2023, RenGaoke et al. [20] proposed a GA-LightGBM network security situational awareness model based on PRF-RFECV feature selection. They used parallel random forests to select important features, combined with recursive feature elimination with cross-validation to select the optimal feature set, and used the global search properties of a Genetic Algorithm (GA) to choose the best parameters for LightGBM. This method solved the high-dimensionality problem of situational factors and showed good performance in accuracy and evaluation. However, the introduction of the GA algorithm significantly reduced the model’s performance. In 2023, Baoshan Xie et al. [21] proposed a method combining an improved SSA algorithm based on piecewise chaotic mapping and a firefly disturbance strategy with LightGBM to address LightGBM’s parameter configuration complexity and improve convergence speed. The experiments showed that the proposed model has high accuracy and low error, but the model requires large amounts of data for training and needs further improvement to increase its practical applicability. In 2023, Sun Junfeng et al. [22] proposed a prediction method based on a Temporal Convolutional Network (TCN) and Bi-directional Long Short-Term Memory (Bi-LSTM) networks to address the issues of low prediction accuracy and slow convergence in existing network security situational prediction models. This method uses the TCN to learn sequence features, incorporating an attention mechanism to highlight influential features, and Bi-LSTM to capture the forward and backward context of the data. It optimizes hyperparameters using Particle Swarm Optimization (PSO). The experiments demonstrated that this model learns time-series data features effectively, but it is complex, has many parameters, and is prone to overfitting. In 2024, Chen Qiuqiong et al. [23] proposed the MIDBO algorithm to improve the optimization performance of the DBO algorithm. This algorithm optimizes the kernel function parameters and penalty factors of a Support Vector Regression (SVR) machine, constructing a MIDBO-SVR-based network security situational awareness model. The experiments demonstrated that this model excels in accuracy but relies heavily on kernel function selection, which significantly impacts SVR’s performance. Different data types may require different kernel functions, and the model is prone to overfitting with high-dimensional data. In 2024, Zhao Dongmei et al. [24] proposed a network security situational awareness model based on an improved selective convolution kernel CNN and Support Vector Machine (SVM). This model uses an improved selective convolution kernel to replace the traditional convolution kernel for feature extraction, enhancing the adaptability of the receptive field changes in the CNN and strengthening the correlation between features. The extracted features are then input into the SVM for classification, with grid optimization used to globally optimize SVM parameters. The experimental results show that this model increases accuracy compared to traditional SVM models, but it still has higher computational complexity than traditional CNN models. In 2024, Guo Shangwei et al. [25] proposed a deep-learning-based approach for network security situational awareness. The model processes inputs through convolutional layers to capture local features, GRU layers for temporal dynamics, and self-attention modules to assign different weights to parts of the sequence to highlight key information. This design allows the model to capture both local structures and global dependencies, adaptively focusing on key sequence information to handle complex sequence data. The experimental results show that the model outperforms traditional models in certain evaluation metrics, but its generalization ability needs improvement to cope with the impacts of unknown attack types on situational awareness. In 2024, Peng Xingwei et al. [26] proposed an Internet of Things security situational awareness model based on deep learning. This model combines BiGRU and Transformer attention networks for attack type classification. BiGRU captures long-term dependencies within sequences, while the Transformer captures relationships between different time steps using self-attention mechanisms. The experimental results show that the proposed method significantly outperforms earlier methods in both efficiency and accuracy.

After reviewing the research on security situation assessment, it was found that most scholars focus primarily on improving machine learning models, with emphasis on enhancing model efficiency and prediction accuracy. These improvements typically involve predicting the probability of various attacks by learning data features, and then using these probabilities, along with the known impacts of attacks, to assess network security situations. However, the existing assessment models heavily rely on the predictions of attack types and lack the ability to perceive the impact of unknown attacks on the situation. Some researchers have applied mathematical models to assess the state features of networks, but these approaches often overlook the consideration of spatio-temporal variations between network nodes. As a result, there remains room for improvement in network security situation assessment. To enhance both the efficiency and accuracy of situation assessments and further refine research in this field, it is necessary to incorporate the spatio-temporal correlations between network nodes and their resulting impacts on the security situation.

3. Preliminaries

3.1. Description of Problem

A network, as a complex system, consists of various interconnected nodes arranged in a specific topology, which together form an integrated structure designed to meet diverse operational needs. In this paper, we assume a general network topology, as shown in Figure 1.

The network comprises multiple types of nodes, including security devices, routing equipment, data transmission devices, servers, and end-user systems. A security device, such as a firewall, acts as a barrier to filter malicious access and attacks from external networks, ensuring the protection of internal network resources. Routers facilitate the exchange and forwarding of data between different sub-networks within the system. Data transmission devices, such as switches, manage communication between end-user systems within local subnets. Servers, equipped with specific service ports, offer essential services like web hosting and file sharing, supporting the overall operation and fulfilling various application needs of the network. During network operation, the system generates a substantial volume of multi-node temporal data. These node data not only exhibit temporal variations but also reveal spatial changes through the analysis of the network topology structure.

3.2. Node State Time-Series Matrix

At each moment in a network system, each node generates a state value to represent its current operational status. In fact, at each moment, each network node has various available metrics to describe its operational state, such as the average number of bytes transmitted per second, the mean inter-arrival time of packets, and the standard deviation of packet lengths. These metrics effectively reflect the system’s operational condition. In practical applications, one or more of these metrics can be selected to comprehensively represent the operational state of a node, depending on the specific requirements.

To simplify the analysis and computation, this paper chooses an abstract metric to represent the operational state of each network node rather than using specific performance metrics directly. It is assumed that this abstract metric integrates information from multiple dimensions and effectively reflects changes in the node’s operational state. In the context of network security situational awareness, the data object consists of the state data of multiple nodes over a period of time. To facilitate subsequent calculations and analysis, this paper designs a node state time-series matrix that aims to represent the changes in the state of each node in the network system during this time period.

Let the network system consist of n nodes, and the time interval for collecting network system state data be $\Delta t$. The time interval $\Delta t$ is considered as the length of a basic time window. Therefore, the data collected at each sampling point represent the state of all network nodes within a basic time window. Define the situational assessment time window as $[p,q]$, where p is the start time of the window and q is the end time. The situational assessment time window $[p,q]$ contains m basic time windows, calculated as follows:

$$m={\displaystyle \frac{q-p+1}{\Delta t}}$$

(1)

In each time window, the data represent an n-dimensional node state sequence. The network node state data for all time windows within the situational assessment time window $[p,q]$ can be organized into a node state time-series matrix $X_{p:q}$, expressed as follows:

$$X_{p:q}=\left[\begin{array}{ccccc}{x}_{1,1}& \dots & x_{1,t}& \dots & x_{1,m}\\ ⋮& \ddots & ⋮& \ddots & ⋮\\ x_{i,1}& \dots & x_{i,t}& \dots & x_{i,m}\\ ⋮& \ddots & ⋮& \ddots & ⋮\\ x_{n,1}& \dots & x_{n,t}& \dots & x_{n,m}\end{array}\right]$$

(2)

n represents the number of nodes in the network system, and m represents the number of time windows in the time interval $[p,q]$. $x_{i,t}$ represents the state value of the i-th node in the t-th time window. The i-th row of the matrix $x_{i,:}=\left[x_{i,1},x_{i,2},\dots ,x_{i,m}\right]$ represents the state values of the i-th node over m consecutive time windows. The t-th column of the matrix $x_{:,t}={\left[x_{1,t},x_{2,t},\dots ,x_{n,t}\right]}^T$ represents the state values of all nodes in the t-th time window.

The node state time-series matrix intuitively describes the state changes of the network system over a continuous time period, providing the data foundation for subsequent spatio-temporal relationship mining and analysis. The time-series state data of all nodes in the network over a period of time are the core object of network security situational assessment. The network security situational assessment problem can be formalized as solving the value of a function $A\left(X_{p:q}\right)$, where the independent variable is the time-series state data matrix $X_{p:q}$ formed by the state of all nodes in the network within the time window $[p,q]$. The specific form of this function is defined as follows:

$$A\left(X_{p:q}\right)=A_e\left(X_{p:q}\right)+A_{e^{\prime }}\left(X_{p:q}\right)$$

(3)

where $A_e\left(X_{p:q}\right)$ is the quantified situational assessment value of historical anomaly events in $X_{p:q}$, reflecting the impact of historical events on the network security posture within a specific time frame. The quantitative formula for historical abnormal events is detailed in Formula (25); $A_{e^{\prime }}\left(X_{p:q}\right)$ is the quantified situational assessment value of current anomaly events in $X_{p:q}$, reflecting the impact of ongoing anomaly events on the network security posture. The quantitative formula for current abnormal events is detailed in Formula (27).

4. Network Spatio-Temporal Situational Assessment Method Based on Anomaly Events

4.1. Situational Assessment Model

To address issues in current network security situational awareness scenarios, such as single evaluation dimensions, low awareness efficiency, and overly coarse quantification granularity, this paper proposes a network spatio-temporal situational assessment method based on anomaly events. The method evaluates the developmental trends of time-series state data for multiple network nodes from spatio-temporal dimensions, aiming to maximize the quality of situational awareness while ensuring evaluation efficiency, as shown in Figure 2.

First, time-series state data for network nodes over a specified duration are collected and cached on the server. The state of a network node is composed of multiple feature metrics, such as memory usage and packet processing efficiency. For simplicity, this paper assumes that each node has a state value to represent its current security status and that the network topology remains unchanged during operation.

Second, due to the massive scale of time-series data for network node states, comprehensive analysis of all time-series data would hinder evaluation efficiency. To address this, multidimensional time-series state data of nodes are converted into one-dimensional network state time-series data. By detecting anomalies in network state fluctuations, the time windows of historical and current anomaly events are identified. The node state time-series data corresponding to these anomaly event time windows are then passed as input parameters to the evaluation module. This preprocessing method significantly reduces the scope of data processing, thereby improving evaluation efficiency.

Finally, within the evaluation module, the state fluctuations and spatial distribution differences between adjacent time windows are quantified. On one hand, for historical anomaly event data, a situational assessment function is employed based on the fluctuation in features and spatial distribution changes, weighted by a decay rate. On the other hand, for current anomaly event data, a situational assessment function is applied based on the fluctuation in features and spatial distribution changes, weighted by the development stage of the events.

The entire model consists of the following four modules: node state data caching, anomaly event detection preprocessing, situational assessment impact factors, and the situational assessment module.

(1)

Node State Data Caching

The node state data caching module is essential for collecting state data from various nodes across the network system and transmitting them to the caching server. This task is accomplished through the coordinated efforts of the scheduling process and the collection agent, each fulfilling specific roles within the architecture, as illustrated in Figure 2. The scheduling agent, deployed on a dedicated scheduling server, is responsible for generating the initial parameters needed for data collection. These parameters, including collection frequency and state representation parameters, are derived based on the network system’s characteristics. The state representation parameters can be adjusted according to the specific requirements of the system. Once the parameters are defined, the scheduling process transmits them to the collection agent. The collection process is designed to receive the data at the caching server and store them efficiently. It also organizes the collected data into a time-series format. This final step results in the creation of a time-series matrix that captures the node states, enabling efficient analysis and continuous monitoring of the network system over time.

(2)

Anomaly Event Detection Preprocessing

The anomaly event detection preprocessing module filters out time-series data containing abnormal state fluctuations from the node state time-series matrix and passes only relevant data to the situational assessment module. This preprocessing step helps to reduce computational complexity by eliminating irrelevant data, ensuring that only significant information is considered for further analysis. In the process of anomaly event detection, the module utilizes the maximum value of multiple node states within each time window to represent the network state for that specific window. This transformation simplifies the node state time-series matrix into a one-dimensional network state time-series sequence. By considering both the intensity and duration of network state anomalies, the system is able to detect anomaly events more effectively. This approach not only improves the detection accuracy but also streamlines the process, as it significantly reduces the dimensionality of the data. Additionally, the module outputs the start and end time windows for each detected anomaly event, marking the precise periods during which anomalies occur. Special attention is given to the possibility that the current time window may be part of an incomplete anomaly event, which is essential for accurate detection. By converting the multi-dimensional node state time-series data into a one-dimensional network state time-series sequence, the efficiency of anomaly event detection is greatly improved. Furthermore, by identifying and focusing on specific anomaly event windows, the situational assessment module only needs to evaluate the node state time-series data within these windows, thus significantly enhancing the overall model evaluation efficiency.

(3)

Situational Assessment Impact Factors

To evaluate changes in network security situational awareness, this paper introduces two impact factors for situational assessment: the abnormal state quantification value I and the spatial anomaly distribution quantification value $S_p$ as illustrated in Figure 2. These two factors are essential for accurately capturing both temporal and spatial variations in network anomalies. The first impact factor, I, represents the quantification of abnormal state values within a time window. In this model, the abnormal state quantification accounts for the varying influence of different network nodes on the overall network security posture. This influence is determined by the node importance, which is computed using the eigenvector centrality algorithm. The eigenvector centrality method calculates the relative importance of each node within the network, considering the network’s topology. This node importance value, $C\left(v\right)$, is then incorporated as a weight factor during the quantification of abnormal state values for each time window. By comparing the abnormal state quantification values between consecutive time windows, the model captures the degree of temporal variation in abnormal network behavior, which is crucial for identifying trends and potential threats in multi-dimensional time-series data.The second impact factor, $S_p$, focuses on the spatial distribution of abnormal states. For each time window, the model constructs a node state spatial distribution matrix $B_t$ based on the underlying network topology. This matrix characterizes the spatial relationships between abnormal nodes at a given point in time. The spatial distribution quantification value $S_p$ is then derived from this matrix, which reflects how the abnormal nodes are distributed across the network’s spatial domain. The model accounts for four distinct spatial distribution patterns, each representing different configurations of abnormal nodes, such as scattered or connected anomalies. In particular, the model recognizes that connected abnormal nodes have a much greater impact on the overall situational awareness than scattered anomalies. To address this, a spatial domain impact assessment function is designed, which calculates the influence of spatially connected abnormal nodes on the network’s security posture. By computing the differences in both the abnormal state quantification values and the spatial anomaly distribution quantification values between adjacent time windows, the model captures the dynamic changes in both temporal and spatial dimensions within the network. These two factors together enable a comprehensive assessment of the network’s security situation, allowing for efficient detection and analysis of anomalies in a multi-dimensional time-series data context.

(4)

Situational Assessment Module

The input data for the situational assessment module include the changes in node abnormal states and spatial anomaly distributions between adjacent time windows within an anomaly event window. This paper categorizes anomaly events into historical anomaly events and current anomaly events. Historical anomaly events refer to events that have been completed relative to the current time window, while current anomaly events refer to events that are still ongoing, with the network state in the current event window remaining in an abnormal state. To ensure the rationality of the assessment, this paper proposes two types of situational assessment methods for anomaly event window data. For historical anomaly events, as the time window moves farther from the current time window, the impact of the influencing factors within the historical anomaly event window on the overall network security posture diminishes over time. To account for the time decay effect, we design a situational assessment formula based on time decay when performing the calculations. The situational assessment output for all anomaly events in the node state time-series matrix $X_{p:q}$ is denoted as $A_e\left(X_{p:q}\right)$.

For current anomaly events, the network abnormal state within the time window is still evolving, and the current time window is in the midst of the event’s development stage. In comparison to historical anomaly events, current anomaly events may have a more significant impact on the future network security posture. The current time window may be in the growth phase, peak stabilization phase, or decline phase of the event. The impact on the network security posture varies depending on the stage of the event. To address this, this paper introduces a situational determination window. By analyzing the dynamic changes in abnormal state nodes within this window, the different stages of event development for the current time window are determined. Based on this, a situational assessment formula incorporating the influence of event stages is designed. The situational assessment output for current anomaly events in the node state time-series matrix $X_{p:q}$ is denoted as $A_{e^{\prime }}\left(X_{p:q}\right)$.

4.2. Anomaly Event Detection Preprocessing Based on State Fluctuations

The node state time-series matrix $X_{p:q}$ represents the dataset obtained by sampling the states of multiple nodes within the time interval $[p,q]$ at fixed time intervals. The time interval between adjacent sampling points is defined as a time window. To improve evaluation efficiency, this paper proposes a data preprocessing method for anomaly event detection based on state fluctuations. This method identifies time periods in $X_{p:q}$ with anomalous fluctuations, retains key data that significantly impact subsequent evaluations, and removes irrelevant data to reduce computational overhead and enhance detection accuracy.

(1)

Network State

To quickly and effectively perceive the overall operational state of the network system, the maximum value of all node states within each time window is used to represent the network state for that time window. The network state $s_i$ of the i-th time window is defined as follows:

$$s_i=max(x_{i,1},\dots ,x_{i,j},\dots ,x_{i,n}),i\in [1,m]$$

(4)

where $x_{i,j}$ represents the state of the j-th node in the i-th time window, and m denotes the number of time windows in the node state time-series matrix $X_{p:q}$.

By using the maximum node state value as a representation, the multidimensional node state time-series matrix $X_{p:q}$ is transformed into one-dimensional network state time-series data for subsequent anomaly event detection.

$$S_{p:q}=\{s_1,\dots ,s_i,\dots ,s_m\}$$

(5)

(2)

Anomaly Event Determination Criteria

In a network system, fluctuations in the network state are frequently linked to anomaly events, and these fluctuations may occasionally exhibit symmetrical patterns [27]. To effectively identify these anomalous fluctuations, this paper proposes a threshold-based anomaly event determination method. An anomaly event $e_i$ is determined if the network state in every time window within a continuous time duration exceeds a predefined threshold $\phi$ and the length of the continuous time windows exceeds the minimum threshold $\vartheta$. The determination criteria are as follows:

$$s_t>\phi ,\forall t\in [t_{istart},t_{iend}]and{t}_{iend}-t_{istart}>\vartheta$$

(6)

where $s_t$ represents the network state value in the t-th time window. $\phi$ denotes the network state threshold. $t_{istart}$ and $t_{iend}$ represent the start and end time windows of anomaly event $e_i$, respectively. $\vartheta$ denotes the minimum number of consecutive time windows for an anomaly event.

(3)

Anomaly Event Detection Preprocessing Algorithm

For the node state time-series matrix $X_{p:q}$, if the network state of the last time window exceeds the threshold $\phi$, the algorithm outputs both the set of historical anomaly events and a current anomaly event. Otherwise, it only outputs the set of historical anomaly events.

The historical anomaly events satisfy the anomaly event determination criteria, where the fluctuation amplitude exceeds the threshold and the duration meets the minimum threshold condition. Each anomaly event records its start and end time windows. The set of historical anomaly events $E_{p:q}$ is expressed as follows:

$$E_{p:q}=\{(e_{1-start},e_{1-end}),\dots ,(e_{i-start},e_{i-end}),\dots ,(e_{k-start},e_{k-end})\}$$

(7)

where k represents the number of historical anomaly events identified in the node state time-series matrix $X_{p:q}$. $e_{i_{start}}$ denotes the start time window of the i-th historical anomaly event, and $e_{i_{end}}$ denotes the end time window of the i-th historical anomaly event.

The current anomaly event refers to a scenario where the network state in the last time window q of the node state time-series matrix $X_{p:q}$ still exceeds the anomaly threshold, indicating that the anomaly event is ongoing and in the developmental stage. In this case, such an anomaly event is defined as the current anomaly event, and the algorithm outputs the start time window of the current anomaly event. The start time window of the current anomaly event is denoted as $e_{cur}$. The anomaly event detection preprocessing algorithm is as follows:

• Event Start: When the network state first exceeds the threshold $\phi$, the start time of the event is marked.
• Event End: If the network state drops below the threshold again and the duration of the anomaly event meets the minimum threshold $\vartheta$, this time period is marked as a historical anomaly event.
• Historical Anomaly Event Output: After traversing the network state time-series data $S_{p:q}$, the algorithm outputs the start and end time windows of all detected historical anomaly events.
• Current Anomaly Event: If the network state in the last time window of the time-series data $S_{p:q}$ exceeds the threshold $\phi$, it indicates that the anomaly event is ongoing and not yet finished. The algorithm outputs the start time window of the current anomaly event.

4.3. Spatio-Temporal Situational Impact Assessment

4.3.1. Node State Spatial Distribution Matrix for Time Windows

Based on the historical anomaly events and current anomaly event time windows obtained through the anomaly event detection preprocessing algorithm, the node state time-series matrix $X_{p:q}$ is used to extract the time-series data for k historical anomaly event windows and one current anomaly event window. The situational assessment is then performed on the node state time-series data for these anomaly event windows.

To more accurately quantify the situational impact, it is necessary not only to identify which nodes are in an abnormal state within each time window but also to determine the locations of these nodes within the actual network topology. For this purpose, this paper proposes a method that converts the node state sequence into a node state spatial distribution matrix based on the network topology structure. The specific process is as follows.

For $\forall t\in [e_{i-start},e_{i-end}]$, the state sequence of n nodes in the t-th time window, denoted as $x_{:,t}={[x_{1,t},x_{2,t},\dots ,x_{n,t}]}^T$, is extracted from the node state time-series matrix $X_{p:q}$. Combining the positions of these nodes within the network topology, the node spatial distribution matrix $B_t$ is constructed. The subscript index i represents the hierarchical level of the node in the network topology, numbered from the topmost level downward, with values in the range $1,2,\dots$. The subscript index j represents the node’s index within the i-th hierarchical level, numbered sequentially from left to right, with values in the range $1,2,\dots$. The superscript index c represents the index of the parent node of the current node within its hierarchical level.

The element $b_{i,j}^c$ of the node state spatial distribution matrix $B_t$ represents the state value of the j-th node in the i-th layer of the network topology. The state value is derived from the node state sequence $x_{:,t}$. The structural form of the matrix $B_t$ is as follows:

$$B_t=\left[\begin{array}{cccc}{b}_{1,1}^0& b_{1,2}^0& \dots & b_{1,g}^0\\ b_{2,1}^0& b_{2,2}^0& \dots & b_{2,g}^0\\ \dots & \dots & \dots & \dots \\ b_{m,1}^0& b_{m,2}^0& \dots & b_{m,g}^0\end{array}\right]$$

(8)

Each row of the matrix corresponds to a hierarchical level in the network topology, and each column corresponds to the index of a node within that level. By constructing the node state spatial distribution matrix $B_t$, it is possible to represent both the state values of abnormal nodes and their spatial distribution within the network topology. This provides spatial distribution information for situational impact assessment.

As shown in Figure 3, the nodes in the network topology can be divided into five hierarchical levels. According to the construction rules of the node state spatial distribution matrix, this topology can be transformed into a tree structure. For example, the nodes $b_{5,1}^7$, $b_{5,2}^7$, and $b_{5,3}^7$ represent the first, second, and third nodes in the fifth level, respectively. These nodes correspond to Host 7 through Host 9 in the network topology. Their upper-layer control node is the seventh node in the fourth level, which corresponds to Switch 4 in the network topology.

In the tree structure, missing nodes are filled with zeros to form a complete node state spatial distribution matrix $B_t$. Its specific form is as follows:

$$B_t=\left[\begin{array}{ccccccccc}{b}_{1,1}^0& 0& 0& 0& 0& 0& 0& 0& 0\\ b_{2,1}^1& 0& 0& 0& 0& 0& 0& 0& 0\\ b_{3,1}^1& b_{3,2}^1& b_{3,3}^1& 0& 0& 0& 0& 0& 0\\ b_{4,1}^1& b_{4,2}^1& b_{4,3}^1& b_{4,4}^2& b_{4,5}^2& b_{4,6}^2& b_{4,7}^3& b_{4,8}^3& b_{4,9}^3\\ b_{5,1}^7& b_{5,2}^7& b_{5,3}^7& 0& 0& 0& 0& 0& 0\end{array}\right]$$

4.3.2. Abnormal Node Set for Time Windows

Through the transformation of the node state spatial distribution matrix, the node state time-series data for $k-1$ historical anomaly event windows, filtered from the node state time-series matrix $X_{p:q}$, can be converted into a time-series sequence of node state spatial distribution matrices. Each element in this time-series sequence corresponds to a node state spatial distribution matrix for a specific time window, which not only identifies the nodes in an abnormal state during the current time window but also clarifies their locations within the actual network topology.

In consecutive time windows, the number of abnormal nodes and their positional changes in the topology reflect the spatio-temporal situational impact of the anomaly event. To facilitate the statistics of abnormal nodes, this paper defines the abnormal node set $A_t$, which stores all abnormal nodes in the node state spatial distribution matrix $B_t$. The specific method is as follows:

• For the node state spatial distribution matrix $B_t$, check the state value of each node in the matrix to determine whether it exceeds the predefined threshold $\phi$.
• If the state value of a node exceeds the threshold, add the node to the abnormal node set $A_t$.
• Finally, the abnormal node set $A_t$ contains all nodes in $B_t$ whose state values exceed the threshold $\phi$.

The abnormal node set $A_t$ is defined as the set of abnormal nodes corresponding to the t-th time window in the node state time-series matrix $X_{p:q}$:

$$A_t=\left\{\left(b_{i,j}^c\right)\right|b_{i,j}^c\in B_{t}and{b}_{i,j}^c>\phi \}$$

(9)

Using the above method, the abnormal node set not only identifies the state of abnormal nodes but also reflects the spatio-temporal distribution characteristics of these nodes in conjunction with the network topology.

4.3.3. Node Importance

In different time windows, the importance of nodes in the abnormal node set $A_t$ varies, and some symmetrical patterns in their impact on network security posture may emerge. Nodes with lower importance have a weaker influence on the future network security posture, while nodes with higher importance may have a more significant impact. To quantify the influence of nodes on the network security posture, this paper employs the eigenvector centrality method to calculate the importance of each node in the network. Eigenvector centrality measures the global influence of nodes in the network based on the principal eigenvector of the adjacency matrix [28,29]. The specific calculation process is as follows.

Constructing the Adjacency Matrix: Given a network $G=(V,E)$, where V and E represent the sets of nodes and edges, respectively, construct the adjacency matrix L. For any nodes $i,j\in V$,

$$L_{ij}=\left\{\begin{array}{cc}1,\hfill & \mathrm{if}\mathrm{there}\mathrm{is}\mathrm{an}\mathrm{edge}\mathrm{between}\mathrm{node}i\mathrm{and}\mathrm{node}j,\hfill \\ 0,\hfill & \mathrm{otherwise}.\hfill \end{array}\right.$$

(10)

Computing Eigenvalues and Eigenvectors: Perform eigenvalue decomposition on the adjacency matrix L to obtain the eigenvalue set $\left\{{\lambda }_k\right\}$ and the corresponding eigenvector set $\left\{x_k\right\}$. The principal eigenvector $x_{max}$ is the eigenvector associated with the largest eigenvalue ${\lambda }_{max}$.

Normalizing the Eigenvector: To ensure that the node importance values are non-negative and their sum equals 1, normalize each component $x_{max,i}$ of the principal eigenvector $x_{max}$ by taking its absolute value. The eigenvector centrality of node $v_i$ is as follows:

$$C\left(v_i\right)={\displaystyle \frac{|x_{max,i}|}{{\sum }_{j\in V}\left|x_{max,j}\right|}}.$$

(11)

Through the above steps, the eigenvector centrality of each node in the network can be calculated. This metric effectively measures the importance of nodes within the global network structure.

4.3.4. Quantifying Changes in Abnormal Node Spatial Distribution

• Domain Definition

To quantify the impact of the connectivity among multiple nodes on network security posture, this paper defines a domain as a set of abnormal nodes that can be connected through a control node. In the abnormal node set $A_t$, for each node $b_{i,j}^k\in A_t$, it is determined whether these nodes can form a multi-branch tree through connections via control nodes. Each multi-branch tree formed by nodes in $A_t$ through control nodes is considered a domain and is denoted as $f_{t\_i}$, where t represents the time window index within the time interval $[p,q]$ and i is the index of the domain in the domain set.

Each domain $f_{t\_i}$ contains a set of nodes that are interconnected via control nodes. If there exist multiple multi-branch trees in the abnormal node set $A_t$ that can be formed through control nodes, these trees constitute a domain set denoted as $F_t$, represented as follows:

$$F_t=\{f_{t\_1},f_{t\_2},\dots ,f_{t\_n}\}$$

(12)

where n represents the number of multi-branch trees formed by the abnormal node set $A_t$ through connections via control nodes, which is equivalent to the number of domains in the current time window. $f_{t\_i}$ denotes the i-th multi-branch tree, that is, the i-th domain in the abnormal node set $A_t$.

2.

Four Types of Spatial Distribution Abnormal Situations

By analyzing the abnormal node sets across different time windows, the dynamic changes in the number of abnormal nodes and their spatial correlation characteristics can be revealed. The changes in the number of abnormal nodes reflect the scale variation of anomaly events in the current network, while the spatial correlation among abnormal nodes reveals the propagation trend of anomaly events within the network topology. Based on this, this paper proposes and defines four typical spatio-temporal abnormal situations:

(1)

Spatial Single-Point Abnormal Situation

When $|A_t| =1$, it indicates that the node state spatial distribution matrix $B_t$ for the t-th time window contains only one abnormal node. This scenario is referred to as a spatial single-point abnormal situation, as shown in Figure 4.

This situation may occur in the early phase of an anomaly event or due to a brief surge in normal traffic, and is typically characterized by a lack of symmetry in the distribution of the abnormalities. In this case, since there is only one abnormal node, its impact on the overall network security is very limited, with a particularly small impact. For instance, as illustrated in Figure 4, in the t-th time window, the state value of node $b_{4,3}^1$ is the only one exceeding the anomaly threshold $\phi$, indicating that the network is experiencing a spatial single-point anomaly. Node $b_{4,3}^1$ represents an isolated abnormal node within the network, and its anomalous state exerts a minimal impact on the overall network structure.

(2)

Spatial Scattered-Point Abnormal Situation

When $|A_t| >1$ and any two nodes i and j in the abnormal node set $A_t$ are neither adjacent nor belong to the same upper-level control node, it indicates that the node state spatial distribution matrix $B_t$ for the t-th time window contains multiple abnormal elements. These abnormal elements are spatially isolated, leading to a spatial scattered-point abnormal situation, as shown in Figure 5.

This situation, which may exhibit some degree of symmetry, is typically observed during the early development phase or the concluding phase of an anomaly event. Given the spatial isolation of the abnormal nodes, their overall impact on the network remains relatively limited. For instance, as illustrated in Figure 5, in the t-th time window, the state values of nodes $b_{4,3}^1$, $b_{4,6}^2$, and $b_{5,1}^7$ exceed the anomaly threshold $\phi$. However, these three nodes are neither adjacent nor belong to the same upper-level control node. As a result, the network is in a spatial scattered-point abnormal situation, where the abnormalities are spatially isolated. This configuration indicates that the anomaly event is not clustered but instead dispersed across distinct regions of the network. Consequently, while multiple abnormal nodes are detected, their limited spatial proximity suggests that their collective impact on the overall network structure and security is minimal.

(3)

Spatial Single-Domain Abnormal Situation

When $|A_t| >1$ and all elements $b_{i,j}^c$ in the abnormal node set $A_t$ can form a multi-branch tree through their control node, this scenario is referred to as a spatial single-domain abnormal situation, as shown in Figure 6.

In this scenario, the abnormal nodes belong to the same domain in the network topology, are spatially connected, and exhibit a locally concentrated distribution, often with some degree of symmetry in their arrangement. Such situations are typically observed during the outbreak phase of an anomaly event, where the impact on the overall network is likely to intensify significantly. For example, as illustrated in Figure 6, in the t-th time window, the state values of the network nodes $b_{3,1}^1$, $b_{4,1}^1$, and $b_{4,2}^1$ exceed the anomaly threshold $\phi$. Notably, $b_{4,1}^1$ and $b_{4,2}^1$ share the same upper-level control node $b_{3,1}^1$, and these three nodes collectively form a multi-branch tree structure. This configuration indicates that the abnormal nodes are spatially connected and form a cohesive group within the same domain of the network. Therefore, the network is in a spatial single-domain abnormal situation, characterized by a concentration of anomalies within a localized region. This type of abnormality typically signals the early stages of an escalation in the anomaly event, where the spatial concentration of the abnormal nodes suggests a potential for a more widespread network anomaly impact.

(4)

Spatial Multi-Domain Abnormal Situation

If $|A_t| >1$ and all elements $b_{i,j}^c$ in the abnormal node set $A_t$ can form multiple multi-branch tree structures through their control nodes, this scenario is referred to as a spatial multi-domain abnormal situation, as shown in Figure 7.

In this scenario, the abnormalities are simultaneously distributed across multiple domains, indicating that the impact of the anomaly has propagated to several areas within the network. Some degree of symmetry is often observed in the spatial distribution of these abnormalities. This pattern typically signifies the rapid progression of the anomaly event, which has the potential to cause significant disruptions to the overall network. For example, as shown in Figure 7, in the t-th time window, the state values of nodes $b_{3,2}^1$, $b_{3,3}^1$, $b_{4,1}^1$, $b_{4,3}^1$, $b_{4,4}^2$, $b_{4,7}^3$, $b_{4,8}^3$, $b_{5,2}^7$, and $b_{5,3}^7$ exceed the anomaly threshold $\phi$. These nodes collectively form three distinct multi-branch tree structures. Nodes $b_{4,1}^1$ and $b_{4,3}^1$ form one multi-branch tree structure, while nodes $b_{3,2}^1$ and $b_{4,4}^2$ form another. The third multi-branch tree structure is formed by nodes $b_{5,2}^7$, $b_{5,3}^7$, $b_{4,7}^3$, $b_{4,8}^3$, and $b_{3,3}^1$. This configuration indicates that the abnormal elements are distributed across multiple domains, signifying a spatial multi-domain abnormal situation. This type of anomaly pattern suggests that the impact of the event has spread across different regions of the network, with a significant potential to disrupt its overall stability and functionality.

3.

Situational Impact Assessment Value of Spatial Domains

The more nodes present within a spatial domain, the more widespread the anomaly distribution, and the greater its impact. Based on this consideration, this paper proposes the calculation formula for the impact assessment value $D\left(f_{t\_i}\right)$ of a domain as follows:

$$D\left(f_{t\_i}\right)={\omega }_1·\sum _{v\in V\left(f_{t\_i}\right)}C\left(v\right)+{\omega }_2·u\left(\right|f_{t\_i}\left|\right)$$

(13)

where ${\sum }_{v\in V\left(f_{t\_i}\right)}C\left(v\right)$ represents the importance of all nodes within the domain, calculated as the sum of the importance metrics of all nodes v in the domain $f_{t\_i}$. ${\omega }_1$ and ${\omega }_2$ are weight coefficients that control the contributions of node importance and node quantity to the overall impact value, respectively.

$$u\left(\right|f_{t\_i}\left|\right)=e^{\epsilon ·|f_{t\_i}|}$$

(14)

where $|f_{t\_i}|$ is the number of nodes in the i-th domain of the abnormal node set $A_t$, and $\epsilon$ is a constant controlling the growth rate of node influence. As the number of nodes increases, the spatial situational value grows exponentially.

4.

Changes in the Spatial Distribution of Abnormal Nodes Across Adjacent Time Windows

(1)

Spatial Distribution Quantification Value for Single-Point or Scattered-Point Abnormal Situations

For the current time window t, if its spatial distribution is classified as a single-point abnormal situation or a scattered-point abnormal situation, the spatial distribution quantification value is calculated as the sum of the importance of all abnormal nodes. The formula is as follows:

$$S_{p\_t}=\sum _{v\in S_t}C\left(v\right)$$

(15)

where $C\left(v\right)$ represents the importance measure of node v. $S_t$ represents the set of abnormal nodes in the t-th time window.

(2)

Spatial Distribution Quantification Value for Single-Domain or Multi-Domain Abnormal Situations

For the current time window t, if its spatial distribution is classified as a single-domain abnormal situation or a multi-domain abnormal situation, the quantification of the spatial distribution impact considers both the importance of the domains and the importance of other scattered abnormal nodes in the current time window. The formula is as follows:

$$S_{p\_t}=\sum _{v\in S_t-F_t}C\left(v\right)+\sum _{f_{t\_i}\in F_t}D\left(f_{t\_i}\right)$$

(16)

where ${\sum }_{v\in S_t-F_t}C\left(v\right)$ represents the importance of all scattered abnormal nodes in the t-th time window. ${\sum }_{f_{t\_i}\in F_t}D\left(f_{t\_i}\right)$ represents the impact assessment value of all domains in the t-th time window.

(3)

Spatial Distribution Change

The spatial distribution change, denoted as $\Delta S_{p\_t}$, represents the change in spatial distribution of the abnormal node set $S_t$ in the t-th time window relative to the abnormal node set $S_{t-1}$ in the $(t-1)$-th time window within the node state time-series matrix $X_{p:q}$. This metric characterizes the changes in the spatial distribution’s situational features. The formula is as follows:

$$\Delta S_{p\_t}=S_{p\_t}-S_{p\_t-1}$$

(17)

If $\Delta S_{p\_t}>0$, it indicates that the spatial distribution of abnormal nodes is expanding and the impact of the anomaly is increasing. If $\Delta S_{p\_t}<0$, it indicates that the spatial distribution of abnormal nodes is contracting and the impact of the anomaly is decreasing.

4.3.5. Changes in Abnormal Node State Values Across Adjacent Time Windows

Through anomaly event detection preprocessing, the node state time-series data for anomaly event windows with abnormal network states are filtered from the node state time-series matrix $X_{p:q}$. To quantify the impact of node state changes between adjacent time windows within an anomaly event window on the event development, this paper proposes the following method to quantify abnormal state changes.

Assume that the abnormal node sets in two adjacent time windows are as follows:

$$S_{t-1}=\{b_{i,j}^k\mid i=1,2,\dots ,m;j=1,2,\dots ,p;k\in {\mathbb{Z}}^{+}\}$$

(18)

$$S_t=\{a_{i,j}^k\mid i=1,2,\dots ,m;j=1,2,\dots ,p;k\in {\mathbb{Z}}^{+}\}$$

(19)

where $S_{t-1}$ and $S_t$ represent the set of all abnormal nodes whose state values exceed the threshold in the $(t-1)$-th and t-th time window within the time interval $[p,q]$, respectively.

Since the abnormal node sets in the two adjacent time windows may differ, the calculation considers the following cases:

Nodes Present in Both $S_t$ and $S_{t-1}$: If the indices $i,j$ of nodes $a_{i,j}^k$ and $b_{i,j}^k$ fully match, it indicates that the nodes occupy the same position in the network topology and represent the same node across different time windows. The state change for such nodes is calculated as follows:

$$c_{i,j}^k=a_{i,j}^k-b_{i,j}^k$$

(20)

Newly Added Nodes in $S_t$: If a node $a_{i,j}^k\in S_t$ but $a_{i,j}^k\notin S_{t-1}$, it indicates that the node is a newly added abnormal node. The state change for such nodes is calculated as follows:

$$c_{i,j}^k=a_{i,j}^k-0$$

(21)

Disappearing Nodes in $S_{t-1}$: If a node $b_{i,j}^k\in S_{t-1}$ but $b_{i,j}^k\notin S_t$, it indicates that the node is a disappearing abnormal node. The state change for such nodes is calculated as follows:

$$c_{i,j}^k=0-b_{i,j}^k$$

(22)

Finally, the set of abnormal node state differences is obtained as follows:

$$\Delta S_t=\left\{c_{i,j}^k\right\}$$

(23)

where $c_{i,j}^k$ represents the state value difference of a node, and the indices $i,j,k$ describe the node’s location in the network topology.

To quantify the impact of abnormal states on the overall network security posture, both the magnitude of node state changes and the importance of nodes must be considered. Therefore, the abnormal state change magnitude $\Delta I_t$ is defined as follows:

$$\Delta I_t=\sum _{c_{i,j}^k\in \Delta S_t}{c}_{i,j}^k·C\left(c_{i,j}^k\right)$$

(24)

where $c_{i,j}^k\in \Delta S_t$ represents the abnormal node state difference in the t-th time window compared to the $(t-1)$-th time window. $C\left(c_{i,j}^k\right)$ represents the importance of the abnormal node that caused the state difference.

If $\Delta I_t>0$, it indicates that the intensity of abnormal node states in the t-th time window is higher than in the $(t-1)$-th time window, meaning that the anomaly’s impact is increasing. Conversely, if $\Delta I_t<0$, it indicates that the anomaly’s impact is decreasing.

4.3.6. Situational Assessment Method

Through anomaly event detection and preprocessing, the node state time-series data for $k-1$ historical anomaly event windows and one current anomaly event window are filtered from the node state time-series matrix $X_{p:q}$. The situational impact assessment is performed on the node state time-series data within these anomaly event windows.

(1)

Situational Assessment of Historical Anomaly Event Windows

The node state time-series data in historical anomaly event windows correspond to anomaly events that have already concluded relative to the current time window. These events may have a sustained impact on the future network security posture over a certain period. The state abnormal changes and spatial distribution changes between adjacent time windows in historical anomaly events can reflect the degree of situational change. If the differences between adjacent time windows are significant, it indicates a rapid rise or fall in the event’s development, which may significantly affect the posture in the near future.

Based on this analysis, the situational assessment formula for completed anomaly events is designed as follows:

$$A_e\left(X_{p:q}\right)=\sum _{\tau \in T}{e}^{-\lambda (t-\tau )}·[\alpha ·\Delta I_{\tau }+\beta ·\Delta S_{p\_\tau }]$$

(25)

where T represents the set of time windows for the historical anomaly event set $\{e_1,e_2,$$\dots ,e_{k-1}\}$. $\Delta I_{\tau }$ represents the change in anomaly state values between the $\tau$-th time window and the previous time window. $\Delta S_{p\_\tau }$ represents the change in spatial distribution between the $\tau$-th time window and the previous time window. $\alpha ,\beta$ are weight coefficients for state abnormal changes and spatial distribution changes, respectively. $e^{-\lambda (t-\tau )}$ is a temporal decay function, where $\lambda >0$ controls the decay rate.

(2)

Situational Assessment of the Current Anomaly Event Window

The node state time-series data in the current anomaly event window represent ongoing anomaly events in relation to the current time window, with a potential symmetric pattern in how the abnormalities are distributed. These events have not yet concluded, and the current time window represents the development phase of the event. Compared to historical anomaly events, current anomaly events may have a more significant impact on the future network security posture.

The current time window may fall into one of three phases of event development: growth, peak stabilization, or decline. Each phase impacts the network security posture differently. Based on this, a situational determination window is introduced to analyze the dynamic changes in the abnormal state node set $S_t$ within the determination window. The slope $k_t$ obtained through linear fitting serves as the basis for determining the event’s development phase in the current time window. For a given time window set $\{t-w,t-w+1,\dots ,t\}$, where the number of abnormal nodes in each time window i is $N_i=\left|S_i\right|$, the slope $k_t$ is calculated as follows:

$$k_t={\displaystyle \frac{{\sum }_{i=1}^w(i-\overline{i})(N_{t-w+i-1}-\overline{N})}{{\sum }_{i=1}^w{(i-\overline{i})}^2}}$$

(26)

where w is the size of the situational determination window. $\overline{i}$ is the mean index of the time windows. $\overline{N}$ is the mean number of abnormal nodes.

Based on the value of $k_t$, the event development phase is divided into three categories:

Growth Phase: $k_t>ϵ$, where the slope is positive and greater than the threshold. This indicates a rapid increase in the number of abnormal nodes, meaning that the anomaly event is expanding or intensifying.

Decline Phase: $k_t<-ϵ$, where the slope is negative and less than the threshold. This indicates a rapid decrease in the number of abnormal nodes, meaning that the anomaly event is weakening or nearing its end.

Stable Phase:$-ϵ\le k_t\le ϵ$, where the slope is close to zero. This indicates that the number of abnormal nodes is changing slowly, meaning that the event is in a stable state.

Based on the above analysis, the situational assessment formula for the current anomaly event is designed as follows:

$$A_{e^{\prime }}\left(X_{p:q}\right)=\sum _{\tau \in T^{\prime }}[f\left(k_{\tau }\right)·(\alpha ·\Delta I_{\tau }+\beta ·\Delta S_{p\_\tau })]$$

(27)

where $T^{\prime }$ represents the set of time windows for the current anomaly event $e_k$. $\Delta I_{\tau }$ represents the change in anomaly state values between the $\tau$-th time window and the previous time window. $\Delta S_{p\_\tau }$ represents the change in spatial distribution between the $\tau$-th time window and the previous time window. $\alpha ,\beta$ are weight coefficients for state value changes and spatial distribution changes, respectively. $\eta$ adjusts the influence of the phase. $f\left(k_{\tau }\right)$ is a situational phase impact function, dynamically adjusting the situational weight for each time window based on the slope $k_{\tau }$, defined as follows:

$$f\left(k_{\tau }\right)=\eta e^{k_{\tau }}$$

(28)

During the stable phase ($k_{\tau }\approx 0$), $f\left(k_{\tau }\right)\approx 1$, meaning that it has no effect on the situational weight of the current time window. During the growth phase ($k_{\tau }>0$), $f\left(k_{\tau }\right)>1$, increasing the weight of the current time window. During the decline phase ($k_{\tau }<0$), $f\left(k_{\tau }\right)<1$, reducing the weight of the current time window.

5. Evaluation

5.1. Experimental Settings

The hardware platform for this experiment is a personal computer configured with an Intel(R) Core(TM) i7-8550U CPU @ 1.80 GHz (maximum frequency 1.99 GHz), 16.0 GB of memory, and a 64-bit Windows operating system, manufactured by Lenovo Technology Co., Ltd. in Shanghai, China. The experimental environment is Python 3.8. In the experiment, the ENSP simulator is used to construct a local area network system, which consists of 17 nodes. The network topology is shown in Figure 3. Using the eigenvector centrality-based method proposed in Section 4.3.3, the importance of each node in the network is calculated, and the results are shown in

Table 2. Node importance values based on eigenvector centrality.

Node	n1	n2	n3	n4	n5	n6	n7	n8	n9
Importance	0.0539	0.1407	0.0962	0.0962	0.1211	0.0368	0.0368	0.0368	0.0368
Node	n10	n11	n12	n13	n14	n15	n16	n17
Importance	0.0368	0.0368	0.0828	0.0464	0.0464	0.0317	0.0317	0.0317

.

Among the nodes, $n5$ has the highest importance, with a value of 0.1211. This is because $n5$ not only directly connects to a larger number of adjacent nodes but also benefits from the high importance of its neighboring node $n12$. Node $n12$ is directly connected to $n15$, $n16$, and $n17$, further enhancing the global influence of $n5$. Therefore, in the entire network, $n5$ has the highest importance and the greatest influence.

5.2. Experimental Simulation and Validation

(1)

Experimental Setup

The number of nodes is set to $n=17$ and the number of time windows to $m=20$. Random variables following a Gaussian distribution are generated using the function $N(\mu ,\delta )$, with values constrained within the range $[0,1]$, where $\mu$ represents the mean and $\delta$ represents the variance.

Two sets of time-series data for node states are used in the experiment. Based on the fluctuation patterns of the network under normal operating conditions, the parameters are set as follows: $\mu =0.4$, $\delta =0.1$ for the first set of data; $\mu =0.3$, $\delta =0.1$ for the second set of data.

Each group includes a few abnormal nodes to simulate anomaly events. The time-series data of node states for the two groups are shown in Figure 8 and Figure 9.

(2)

Anomaly Event Detection and Preprocessing

Using the anomaly event detection preprocessing method proposed in Section 4.2, the two sets of node state time-series data were converted into corresponding network state time-series data. Subsequently, anomaly event detection was performed on the network state time-series data based on the network anomaly event determination criteria.

Based on the typical operational patterns of the network, the anomaly detection threshold for the network state was set to $\phi =0.5$, and the minimum duration for an anomaly event was defined as $\vartheta =4$ time windows. The resulting anomaly event detection outcomes for the two groups of node state time-series data are presented in Figure 10 and Figure 11, respectively.

In Figure 10, two historical anomaly events $e_1$ and $e_2$, as well as one current anomaly event $e^{\prime }$, are detected. The time windows for these events are as follows: Historical anomaly event $e_1$: time window $[t1,t4]$, historical anomaly event $e_2$: time window $[t9,t12]$, current anomaly event $e^{\prime }$: time window $[t16,t20]$.

In Figure 11, three historical anomaly events $e_1$, $e_2$, $e_3$, and one current anomaly event $e^{\prime }$ are detected. The time windows for these events are as follows: historical anomaly event $e_1$: time window $[t2,t5]$, historical anomaly event $e_2$: time window $[t7,t10]$, historical anomaly event $e_3$: time window $[t13,t16]$, current anomaly event $e^{\prime }$: time window $[t18,t20]$.

(3)

Distribution of Abnormal Node States Within Anomaly Event Time Windows

By applying the method outlined in Section 4.3.2, the abnormal node sets for each anomaly event time window were constructed. This method enables the identification of nodes exhibiting anomalous behavior during specific time frames. The abnormal node sets corresponding to the two groups of node state time-series data are illustrated in Figure 12 and Figure 13, respectively.

By utilizing the node state spatial distribution matrix introduced in Section 4.3.1, the spatial abnormal posture for each time window of an anomaly event can be derived. For instance, consider the historical anomaly event $e_1$ in Figure 12, which occurs within the time window $[t1,t4]$. Each time window contains one or more abnormal nodes, which together form spatial abnormal postures that may manifest as single-point or scattered-point distributions. These spatial abnormal postures are indicative of distinct network behaviors during the event. The distribution of these spatial abnormal postures across the corresponding time windows is presented in Figure 14, Figure 15, Figure 16, Figure 17, offering a detailed visualization of the temporal evolution of network anomalies.

As an example, consider the historical anomaly event $e_3$ in Figure 13, which occurs within the time window $[t13,t16]$. Each time window in this event contains multiple abnormal nodes, which collectively form spatial postures that may be either single-domain or multi-domain. These spatial abnormal postures are indicative of the varying network states during the event. The distribution of these spatial abnormal postures across the time windows is illustrated in Figure 18, Figure 19, Figure 20, Figure 21, providing a detailed view of the evolving network behavior.

(4)

Quantitative Assessment of Spatial Distribution and Node State Values

For the two sets of node state time-series data, the spatial distribution quantification values of the abnormal nodes within each event time window were computed using the method outlined in Section 4.3.4. Simultaneously, the state values of the abnormal nodes within each event time window were calculated using the approach described in Section 4.3.5. The results of these computations for both sets of node state time-series data are summarized in

Table 3. Quantitative assessment of spatial distribution and node state values in Group 1.

Anomaly Event	Time Window	Anomalous Nodes	Spatial Distribution Type	Anomalous Node State Value per Time Window	Spatial Distribution Value per Time Window
$e_1$	t1	n3	A1	0.068302	0.0962
$e_1$	t2	n6	A1	0.025392	0.0368
$e_1$	t3	n3, n7	A2	0.116246	0.133
$e_1$	t4	n6, n7, n8	A2	0.076544	0.1104
$e_2$	t9	n6, n9	A2	0.045632	0.0736
$e_2$	t10	n6, n7, n9, n10	A2	0.110768	0.08704
$e_2$	t11	n6, n9, n10, n12	A2	0.140852	0.1932
$e_2$	t12	n5, n6, n7, n9, n10	A2	0.185067	0.2683
$e^{\prime }$	t16	n12	A1	0.05382	0.0828
$e^{\prime }$	t17	n12, n13, n14	A2	0.138288	0.1756
$e^{\prime }$	t18	n12, n13, n6	A2	0.123332	0.166
$e^{\prime }$	t19	n12, n13, n6, n7, n9	A2	0.185088	0.2396
$e^{\prime }$	t20	n12, n13, n6, n7, n9, n10	A2	0.220012	0.2764

and

Table 4. Quantitative assessment of anomalous node state values and spatial distribution in Group 2.

Anomaly Event	Time Window	Anomalous Nodes	Spatial Distribution Type	Anomalous Node State Value per Time Window	Quantitative Value of Spatial Distribution per Time Window
$e_1$	t2	n3, n9, n10, n12	A2	0.1605018	0.2526
$e_1$	t3	n3, (n4, n9, n10), n12	A3	0.2235838	2.5047
$e_1$	t4	n3, (n4, n9, n10, n11)	A3	0.1817722	3.8940
$e_1$	t5	(n3, n6, n7), (n4, n9, n10, n11), n12	A4	0.3254392	6.1702
$e_2$	t7	n6, n9	A2	0.0433136	0.0736
$e_2$	t8	(n3, n6, n7), n9, n10	A3	0.1542706	2.3993
$e_2$	t9	(n3, n6, n7), (n4, n9, n10)	A4	0.2247756	4.6515
$e_2$	t10	(n3, n6, n7), (n4, n9), n12	A4	0.2640596	3.8342
$e_3$	t13	n6, n7, (n12, n15)	A3	0.1268152	1.4900
$e_3$	t14	n6, n7, (n12, n15, n16, n17)	A3	0.1593308	3.8571
$e_3$	t15	(n3, n6, n7), (n12, n15, n16, n17)	A4	0.2205453	6.1092
$e_3$	t16	(n3, n6, n7), (n4, n9, n10), (n12, n15, n16, n17)	A4	0.2130602	8.4350
$e^{\prime }$	t18	(n3, n7, n8), n10	A3	0.1445028	2.3625
$e^{\prime }$	t19	(n3, n7, n8), n10, n12	A3	0.1955842	2.4453
$e^{\prime }$	t20	(n3, n6, n7, n8), (n4, n9, n10), n12	A4	0.3087962	6.2064

.

(5)

Situational Assessment Based on Decay and Event Development Phases

Using the history-based situational assessment function introduced in Section 4.3.6 and the current-event development-phase-based assessment function in Section 4.3.6, the changes in anomalous node state values $\Delta I$ and spatial distribution $\Delta S_p$ for adjacent time windows of anomaly events were calculated.

For the assessment, the following parameters were set based on the network’s statistical behavior: decay coefficient: $\lambda =1$, situational determination window coefficient: $\omega =3$.

Three evaluation experiments were conducted on the two sets of node state time-series data using different weight coefficients for time-situational impact $\alpha$ and spatial-situational impact $\beta$. The results are shown in

Table 5. Situational assessment results in Group 1.

Anomaly Event	From Time Window	To Time Window	$\Delta \mathit{I}$	$\Delta \mathbf{Sp}$	${\mathit{A}}_{\mathit{e}}(\mathit{\alpha }=0.5, \mathit{\beta }=0.5)$	${\mathit{A}}_{\mathit{e}}(\mathit{\alpha }=1, \mathit{\beta }=0)$	${\mathit{A}}_{\mathit{e}}(\mathit{\alpha }=0, \mathit{\beta }=1)$
$e_1$	t1	t2	−0.04291	−0.0594	−2.87$\times {10}^{-10}$	−2.40$\times {10}^{-10}$	−3.33$\times {10}^{-10}$
$e_1$	t2	t3	0.090854	0.0962	1.42$\times {10}^{-9}$	1.38$\times {10}^{-9}$	1.47$\times {10}^{-9}$
$e_1$	t3	tt4	−0.039702	−0.0226	−1.29$\times {10}^{-9}$	−1.64$\times {10}^{-9}$	−9.36$\times {10}^{-10}$
$e_2$	t9	t10	0.065136	0.7968	7.20$\times {10}^{-6}$	1.09$\times {10}^{-6}$	1.33$\times {10}^{-5}$
$e_2$	t10	t11	0.030084	−0.6772	−1.47$\times {10}^{-5}$	1.37$\times {10}^{-6}$	−3.07$\times {10}^{-5}$
$e_2$	t11	t12	0.044215	0.0751	7.36$\times {10}^{-6}$	5.46$\times {10}^{-6}$	9.27$\times {10}^{-6}$
$e^{\prime }$	t16	t17	0.084468	0.0928	0.6549216	0.6241388	0.6857044
$e^{\prime }$	t17	t18	−0.014956	−0.0096	−0.0333751	−0.0406546	−0.0260955
$e^{\prime }$	t18	t19	0.061756	0.0736	0.1839679	0.1678702	0.2000655
$e^{\prime }$	t19	t20	0.034924	0.0368	0.1607223	0.1565185	0.1649262

and

Table 6. Situational assessment results in Group 2.

Anomaly Event	From Time Window	To Time Window	$\Delta \mathit{I}$	$\Delta \mathbf{Sp}$	${\mathit{A}}_{\mathit{e}}(\mathit{\alpha }=0.5, \mathit{\beta }=0.5)$	${\mathit{A}}_{\mathit{e}}(\mathit{\alpha }=1, \mathit{\beta }=0)$	${\mathit{A}}_{\mathit{e}}(\mathit{\alpha }=0, \mathit{\beta }=1)$
$e_1$	t2	t3	0.063082	2.2521	1.76$\times {10}^{-8}$	9.61$\times {10}^{-10}$	3.43$\times {10}^{-8}$
$e_1$	t3	t4	−0.0418116	1.3893	2.79$\times {10}^{-8}$	−1.73$\times {10}^{-9}$	5.75$\times {10}^{-8}$
$e_1$	t4	t5	0.143667	2.2762	1.36$\times {10}^{-7}$	1.62$\times {10}^{-8}$	2.56$\times {10}^{-7}$
$e_2$	t7	t8	0.110957	2.3257	2.75$\times {10}^{-6}$	2.51$\times {10}^{-7}$	5.26$\times {10}^{-6}$
$e_2$	t8	t9	0.07050504	2.2521	7.14$\times {10}^{-6}$	4.33$\times {10}^{-7}$	1.38$\times {10}^{-5}$
$e_2$	tt9	t10	0.03928396	−0.8173	−6.50$\times {10}^{-6}$	6.56$\times {10}^{-7}$	−1.37$\times {10}^{-5}$
$e_3$	t13	t14	0.0325156	2.3671	0.0010941	2.97$\times {10}^{-5}$	0.0021585
$e_3$	t14	t15	0.0612145	2.2521	0.0028671	1.52$\times {10}^{-4}$	0.0055825
$e_3$	t15	t16	−0.0074851	2.3257	0.0078102	−5.04$\times {10}^{-5}$	0.0156707
$e^{\prime }$	t18	t19	0.0510814	0.0828	0.1819637	0.1388536	0.2250737
$e^{\prime }$	t19	t20	0.113212	3.7610	14.313489	0.8365298	27.790447

.

Note: $A1$ represents a spatial single-point abnormal posture; $A2$ represents a spatial scattered-point abnormal posture; $A3$ represents a spatial single-domain abnormal posture; $A4$ represents a spatial multi-domain abnormal posture.

The situational postures in Table 5 (corresponding to the first set of node state time-series data) are predominantly single-point or scattered-point abnormal postures, while those in Table 6 (corresponding to the second set of data) are primarily single-domain or multi-domain abnormal postures. From the comparison of the data in Table 5 and Table 6, it can be observed that the situational assessment values in Table 6 are generally higher than those in Table 5.

In the situational assessment of historical anomaly events, a temporal decay factor was introduced, while in the assessment of current anomaly events, an influence function based on the event development phase was added. From the results in Table 5 and Table 6, it can be seen that the situational assessment values of current anomaly events are significantly higher than those of historical events.

For example, in the second set of data shown in Figure 13, the spatial distribution of the historical anomaly event $e_3$ (time interval $[13,16]$) exhibits a gradual enhancement trend. From the results in Table 6, corresponding to Event ID 3, the situational assessment values indeed show a progressive increase over the time interval.

In the situational assessment of current anomaly events, an influence function related to the development slope of the event phase was added based on the assessment window’s phase. For the first set of node state time-series data shown in Table 3, the current anomaly event time window is $[16,20]$ and the anomalous node counts for each time window are $\{1,3,3,5,6\}$. The slope values calculated using Equation (26) are $\{0,2,1,1,1.5\}$, with the maximum slope of 2 occurring at assessment window 17. From the results for time windows 16 to 17 in Table 5, it is evident that the slope has the most significant impact on the situational assessment.

Similarly, for the second set of node state time-series data shown in Table 4, the current anomaly event time window is $[18,20]$ and the anomalous node counts are $\{4,5,8\}$. The slope values calculated using Equation (26) are $\{0,1,2\}$, with the maximum slope of 2 occurring at assessment window 20. From the results for time windows 19 to 20 in Table 6, it is evident that the slope also has the most significant impact on the situational assessment.

5.3. Validation of Method Effectiveness

To evaluate the reliability of the proposed method, experiments were conducted using the CICIDS2017 dataset, published by the Canadian Institute for Cybersecurity. This dataset includes both benign traffic and a variety of up-to-date, common attack scenarios, making it closely representative of real-world data. The experimental setup adhered to the configuration outlined in Section 5.1. For the experiment, the dataset file collected on Friday morning was selected, during which a Botnet ARES attack occurred between 10:02 a.m. and 11:02 a.m. The status time-series data for 12 hosts over 240 time steps were extracted from a total of 190,911 entries. The proposed method was then applied to compute the situational values based on the extracted time-series data. The results of the network security assessment are presented in Figure 22.

As illustrated in Figure 22, before 09:40, the network situational value remains relatively low, indicating that the network is in a stable state without any external attacks. Subsequently, the situational value increases sharply, peaking at 09:50, and then fluctuates within a higher range. This suggests that the network is likely to be under attack, which objectively corroborates the occurrence of a Botnet ARES attack between 10:00 and 11:00. The situational value begins to decline around 11:20. This demonstrates that the evaluation value computed by the proposed method accurately reflects the network’s security posture, highlighting its practical applicability.

Since the evaluation criteria employed by the proposed method differ from those of existing approaches, this study adopts evaluation efficiency as the comparison metric to further emphasize the advantages of the proposed approach. The comparison involves the BP algorithm from reference [18] and the Bi-LSTM algorithm from reference [22]. The experiments were conducted over 100 iterations, organized into 10-cycle periods, with the time for each period being recorded and used as the basis for comparison. The quantified evaluation times for the three methods are shown in Figure 23.

From the result of Figure 23, it can be seen that the proposed method consistently demonstrates a lower evaluation time across all experimental cycles. This results in a significant reduction in algorithmic complexity and a substantial improvement in computational efficiency, thereby providing a reliable theoretical foundation for the rapid assessment of network security posture.

6. Conclusions

To address issues such as model complexity, high computational cost, and insufficient accuracy in network security situational assessment, this paper proposes a novel network security situational assessment method. By identifying abnormal state fluctuations, the method filters out time window data of anomaly events with significant impacts on assessment, thereby reducing computational overhead. Additionally, it considers spatio-temporal situational impact factors and designs dynamic impact weighting functions for situational assessment based on the characteristics of historical anomaly events and current anomaly events. Specifically, the assessment functions incorporate a decay rate for historical anomaly events and a development-phase-based dynamic impact weighting for current anomaly events. Since the proposed algorithm does not rely on the volume of data and directly evaluates the underlying state indicators of nodes, it demonstrates a clear advantage in assessment efficiency when compared to attack type prediction algorithms that require data learning. Additionally, the algorithm takes into account the spatio-temporal relationships among multiple nodes, making it more applicable in scenarios involving multi-node network attacks. Future research will focus on two main directions: first, conducting in-depth studies on the evaluation metrics to improve assessment quality; and, second, exploring the feasibility of situational assessment for large-scale data and further optimizing the algorithm to enhance evaluation efficiency.