Computer Science ›› 2026, Vol. 53 ›› Issue (5): 435-445. doi: 10.11896/jsjkx.250300130

• Information Security •

Technologies for Evaluating Defense Effectiveness of Endogenous Security Information Systems Based on Attack Graphs

CUI Tao1, SHEN Junxia1, CHEN Lin1, ZHANG Yuntao2, CHEN Monan2

  1. China Academy of Information and Communications Technology, Beijing 100191, China
  2. School of Cyberspace Security, Beijing University of Posts and Telecommunications, Beijing 100876, China
  • Received: 2025-03-24 Revised: 2025-06-26 Online: 2026-05-08
  • Corresponding author: ZHANG Yuntao (zyt1024@bupt.edu.cn)
  • About author: CUI Tao (cuitao@caict.ac.cn), born in 1984, postgraduate, senior engineer, is a member of CCF (No. U3123M). His main research interest is network security.
    ZHANG Yuntao, born in 1993, Ph.D. His main research interests include software security and blockchain security, and so on.
  • Supported by:
    National Key Research and Development Program of China (2022YFB3102800).

Abstract: With the increasing complexity and diversity of cybersecurity threats, traditional defense techniques struggle to cope with constantly changing attack methods. Endogenous security, an emerging defense concept, offers dynamic adaptability and self-repair capability; endogenous security technologies based on the metamorphic defense mechanism in particular exhibit strong defense capabilities owing to their dynamism, heterogeneity, and redundancy. This paper proposes an attack-graph-based method for evaluating the defense effectiveness of endogenous security: by constructing network attack path models, it quantitatively analyzes the defense effectiveness of endogenous security information systems in different attack scenarios. First, attack graph modeling is used to describe node vulnerabilities, attack paths, and their evolution in the network, quantifying attacker behavior characteristics. Next, the impact of deploying endogenous security technologies on attack paths is analyzed, and defense effectiveness is assessed by comparing the results before and after deployment. A hierarchical "point-line-surface" security measurement framework is constructed, which evaluates the defense effect of the redundancy property of endogenous security from the static defense capability of nodes, through the dynamic defense capability of attack paths, to the resilience and recovery capability of the system. Finally, simulation experiments verify the effectiveness of the method, providing a scientific basis for the quantitative evaluation of the defense effectiveness of endogenous security technologies.

Key words: Endogenous security, Metamorphic defense, Attack graph, Defense effectiveness evaluation, Security measurement

CLC Number:

  • TP393