计算机应用 ›› 2012, Vol. 32 ›› Issue (03): 679-682.DOI: 10.3724/SP.J.1087.2012.00679

• 信息安全 • 上一篇    下一篇

漏洞威胁的关联评估方法

谢丽霞1,江典盛2,张利2,杨宏宇1   

  1. 1.中国民航大学 计算机科学与技术学院,天津 300300;
    2.中国信息安全测评中心 系统评估处,北京 100085
  • 收稿日期:2011-09-01 修回日期:2011-11-14 发布日期:2012-03-01 出版日期:2012-03-01
  • 通讯作者: 杨宏宇
  • 作者简介:谢丽霞(1974-),女,重庆人,副教授,主要研究方向:网络与信息安全;江典盛(1976-),男,福建福州人,副研究员,硕士,主要研究方向:网络与信息安全;张利(1973-),男,湖北黄石人,副研究员,博士,主要研究方向:网络与信息安全;杨宏宇(1969-),男,吉林长春人,教授,博士,主要研究方向:网络与信息安全。
  • 基金资助:

    国家自然科学基金资助项目(60776807,61179045);天津市科技计划重点项目(09JCZDJC16800);中国民航科技项目(MHRD201009,MHRD201021)。

Vulnerability threat correlation assessment method

XIE Li-xia1, JIANG Dian-sheng2, ZHANG Li2, YANG Hong-yu1   

  1. 1.School of Computer Science and Technology, Civil Aviation University of China, Tianjin 300300, China;
    2.Department of System Evaluation, China Information Technology Security Evaluation Center, Beijing 100085, China
  • Received:2011-09-01 Revised:2011-11-14 Online:2012-03-01 Published:2012-03-01
  • Contact: YANG Hong-yu

摘要: 针对目前网络安全评估方法不能有效解决漏洞的关联性评价问题,提出一种基于漏洞间关联性的网络漏洞威胁评估方法。以攻击图为评估数据源,兼顾前序节点和后序节点的多样性,融合从前向后入(FI)方法和从后向前出(BO)方法,采用优化贝叶斯网络方法和加权平均法计算路径漏洞与主机漏洞的威胁值,得到关联环境下的漏洞量化评估结果。实验结果表明,该方法能有效弥补传统方法孤立评估漏洞的不足,能够更为有效地表达出系统的安全特性。

关键词: 漏洞, 关联性, 攻击图, 路径评估, 主机评估

Abstract: Since the present network security assessment methods cannot evaluate vulnerability relevance effectively, a vulnerability threat assessment method based on relevance was presented. Firstly, an attack graph must be created as the source data. Secondly, by taking both pre-nodes and post-nodes diversity into consideration, integrating the methods of Forward In (FI) and Backward Out (BO), the authors calculated the probability of vulnerability being used on multiple attack routes through optimizing calculation formulas originating from Bayesian network, then the weighted average method was utilized to evaluate the risk of certain vulnerability on a particular host, and finally the quantitative results were achieved. The experimental results show that this method can clearly and effectively describe the security features of systems.

Key words: vulnerability, relevance, attack graph, route evaluation, host evaluation

中图分类号: