Computer Science ›› 2016, Vol. 43 ›› Issue (10): 130-134. doi: 10.11896/j.issn.1002-137X.2016.10.024

• Information Security •

Improved Network Security Defense Strategy Generation Method Based on Attack-Defense Graph

QI Yong, MO Xuan and LI Qian-mu

  1. School of Computer Science and Engineering, Nanjing University of Science and Technology, Nanjing 210094
  • Online: 2018-12-01 Published: 2018-12-01
  • Supported by:
    This work was supported by the National Natural Science Foundation of China (61272419)

Abstract: Complex multi-step network attacks are a typical form of highly targeted network attack, and the state attack-defense graph is an effective technique for modeling and analyzing them. However, mainstream state attack-defense graph techniques have many limitations in practice, such as the calculation of the success probability of an atomic attack and the definition of the attack severity index, so that when the operator lacks experience the result can hardly reflect the real security situation of the network. This paper analyzes the shortcomings of existing network security defense strategy generation methods based on the state attack-defense graph, improves the vulnerability severity scoring standard, introduces the concepts of accumulated attack success probability and host information asset value, and redefines how the atomic attack severity index and the attack path severity index are calculated. The factors considered in security strategy generation are thereby extended and the generation method is optimized, realizing attack scenario modeling and attack intention mining. Finally, a case study verifies that the improved method is easier to implement and more objective to analyze, and that it provides effective assistance for managers making reasonable defense decisions.

Key words: Attack-defense graph, CVSS, Network security, Defense strategy

