基于累积效应的网络脆弱性扩散分析方法

doi:10.11772/j.issn.1001-9081.2015.08.2169

计算机应用 ›› 2015, Vol. 35 ›› Issue (8): 2169-2173.DOI: 10.11772/j.issn.1001-9081.2015.08.2169

基于累积效应的网络脆弱性扩散分析方法

李艳, 黄光球, 张斌

西安建筑科技大学管理学院, 西安 710055

收稿日期:2015-02-11 修回日期:2015-03-26 出版日期:2015-08-10 发布日期:2015-08-14
通讯作者: 李艳(1984-),男(蒙古族),河北承德人,博士,CCF会员,主要研究方向:信息对抗、网络安全,sy_liyan137@126.com
作者简介:黄光球(1964-),男,湖南桃源人,教授,博士,主要研究方向:网络安全、复杂系统建模、分析与控制、系统工程; 张斌(1984-),男,陕西渭南人,博士,主要研究方向:网络安全、系统工程。
基金资助:
陕西省科学技术研究发展计划项目(2013K1117);陕西省重点学科建设专项资金资助项目(E08001);陕西省教育厅科技计划项目(12JK0789)。

New network vulnerability diffusion analysis method based on cumulative effect

LI Yan, HUANG Guangqiu, ZHANG Bin

School of Management, Xi'an University of Architecture and Technology, Xi'an Shaanxi 710055, China

Received:2015-02-11 Revised:2015-03-26 Online:2015-08-10 Published:2015-08-14

摘要/Abstract

摘要：

网络脆弱性评估是一种主动防范技术,意在攻击发生之前对安全态势进行分析进而制定防御措施,但传统的定量分析模型不能对实体间动态交互关系有很好的展现,而且大都不能得出风险扩散的全局化结果。将脆弱性扩散过程类比于社会网络中影响力传播过程,提出了基于累积效应的网络脆弱性扩散分析方法,定义的脆弱性扩散分析模型给出了细粒度级的主体关系结构,利用攻击效果累积特性提出的分析算法可以更准确地刻画脆弱性扩散规则,保证更好的影响范围。最后对该模型和算法进行了实例验证,在模型描述简洁性、分析结果准确性、安全建议合理性等方面的横向比较分析,验证了模型在评估结果直观性和制定成本最小安全措施等方面的优势。

关键词: 脆弱性扩散, 网络风险评估, 网络安全, 累积效应, 攻击模型

Abstract:

Network vulnerability assessment which intends to safety situation analysis and establishment of defensive measures before attack is a kind of active defense technology, but the traditional quantitative analysis models cannot show the dynamic interactive relationship between entities, and most of them cannot get global results for risk diffusion. With reference to the influence of social network in the process of communication, a new network vulnerability diffusion analysis method based on cumulative effect was proposed. The defined vulnerability diffusion analysis model described subject relation structure in a more detailed level, and the algorithm proposed by using the accumulation characteristics in attack effects described vulnerability diffusion rule more accurately to ensure better influence range. At last, the model and algorithm were verified by a typical example, the horizontal comparison analysis on some aspects such as simplicity of the model description, accuracy of the analysis results, rationality of the safety recommendations were given. The results show that the method has an advantage in visual assessment results and the formulation of the cost minimum security measures.

Key words: vulnerability diffusion, network risk assessment, network security, cumulative effect, attack model

中图分类号:

李艳, 黄光球, 张斌. 基于累积效应的网络脆弱性扩散分析方法[J]. 计算机应用, 2015, 35(8): 2169-2173.

LI Yan, HUANG Guangqiu, ZHANG Bin. New network vulnerability diffusion analysis method based on cumulative effect[J]. Journal of Computer Applications, 2015, 35(8): 2169-2173.

参考文献

[1] BRUCE L. Managed Vulnerability Assessment (MVA) — Mprove security by understanding your own vulnerabilities! [J]. Network Security, 2002(4):8-9.
[2] RITECHEY R W, AMMANN P. Using model checking to analyze network vulnerabilities [C]//S&P 2000: Proceedings of the 2000 IEEE Symposium on Research on Security and Privacy. Washington, DC: IEEE Computer Society, 2000: 156-165.
[3] AMMANN P,WIJESEKERA D, KAUSHIK S. Scalable, graph based network vulnerability analysis [C]//CCS '02: Proceedings of the 9th ACM Conference on Computer and Communications Security. New York: ACM, 2002: 217-224.
[4] SHEYNER O, HAINES J, JHA S, et al. Automated generation and analysis of attack graphs [C]//Proceedings of the 2002 IEEE Symposium on Security and Privacy. Washington, DC: IEEE Computer Society, 2002: 273-284.
[5] WU D, LIAN Y, CHEN K, et al. A security threats identification and analysis method based on attack graph [J]. Chinese Journal of Computers, 2012, 35(9): 1938-1950. (吴迪, 连一峰, 陈恺, 等. 一种基于攻击图的安全威胁识别和分析方法[J]. 计算机学报, 2012, 35(9): 1938-1950.)
[6] INGOLS K, LIPPMANN R, PIWOWARSKI K. Practical attack graph generation for network defense [C]//ACSAC '06: Proceedings of the 22nd Annual Computer Security Applications Conference. Piscataway: IEEE, 2006: 121-130.
[7] INGOLS K, CHU M, LIPPMANN R, et al. Modeling modern network attacks and counter measures using attack graphs [C]//ACSAC '09: Proceedings of the 25th Annual Computer Security Applications Conference. Piscataway: IEEE, 2009: 117-126.
[8] HOMER J, VARIKUTI A, OU X, et al. Improving attack graph visualization through data reduction and attack grouping [C]//VizSec 2008: Proceedings of the 5th International Workshop on Visualization for Computer Security, LNCS 5210. Belin: Springer, 2008: 68-79.
[9] WANG Y, XIAN M, LIU J, et al. Study of network security evaluation based on attack graph model [J]. Journal on Communications, 2007, 28(3): 29-34. (王永杰,鲜明,刘进,等.基于攻击图模型的网络安全评估研究[J]. 通信学报, 2007, 28(3): 29-34.)
[10] ZHANG T, HU M, YUN X, et al. Research on computer network security analysis model [J]. Journal on Communications, 2006, 26(12): 100-109. (张涛,胡铭曾,云晓春,等.计算机网络安全性分析建模研究[J].通信学报,2006, 26(12):100-109.)
[11] CHEN X, ZHENG Q, GUAN X, et al. Quantitative hierarchical threat evaluation model for network security [J]. Journal of Software, 2006, 17(4): 885-897. (陈秀真,郑庆华,管晓宏,等.层次化网络安全威胁态势量化评估方法[J].软件学报,2006,17(4):885-897.)
[12] HE H, ZHANG H, WANG X, et al. Detriment quantitative assessment of the network security incident [J]. Journal of Harbin Institute of Technology, 2012, 44(5): 66-70. (何慧,张宏莉,王星,等.网络安全事件危害度的量化评估[J]. 哈尔滨工业大学学报, 2012, 44(5): 66-70.)
[13] YE Y, XU X, JIA Y. An attack graph-based probabilistic computing approach of network security [J]. Chinese Journal of Computers, 2010,33(10):1987-1996. (叶云,徐锡山,贾焰.基于攻击图的网络安全概率计算方法[J].计算机学报,2010,33(10):1987-1996.)
[14] CHEN X, FANG B, TAN Q, et al. Inferring attack intent of malicious insider based on probabilistic attack graph model [J]. Chinese Journal of Computers, 2014, 37(1):62-72. (陈小军,方滨兴,谭庆丰,等.基于概率攻击图的内部攻击意图推断算法研究[J].计算机学报,2014,37(1):62-72.)
[15] ZHANG Y, FANG B, CHI Y, et al. Risk propagation model for assessing network information systems [J]. Journal of Software, 2007, 18(1): 137-145. (张永铮,方滨兴,迟悦,等.用于评估网络信息系统的风险传播模型[J].软件学报,2007,18(1):137-145.)
[16] JIANG W, FANG B, TIAN Z, et al. Evaluating network security and optimal active defense based on attack-defense game mode [J]. Journal of Software, 2009, 32(4): 817-827. (姜伟,方滨兴,田志宏,等.基于攻防博弈模型的网络安全测评和最优主动防御[J].软件学报,2009,32(4):817-827.)
[17] WATTS D J. A simple model of global cascades on random networks [J]. Proceedings of the National Academy of Sciences of the United States of America, 2002, 99(9): 5766-5771.
[18] GOLDENBERG J, LIBAI B, MULLER E. Talk of the network: a complex systems look at the underlying process of word-of-mouth [J]. Marketing Letters, 2001, 12(3): 211-223.
[19] YOUNG H P. The diffusion of innovations in social networks, SFI Working Paper 2002-04-018 [R/OL]. Baltimore: The Johns Hopkins University, Department of Economics, 2002 [2015-03-17]. http://samoa.santafe.edu/media/workingpapers/02-04-018.pdf.

基于累积效应的网络脆弱性扩散分析方法

New network vulnerability diffusion analysis method based on cumulative effect

PDF

可视化

摘要/Abstract

引用本文

使用本文

参考文献

相关文章 15

编辑推荐

Metrics

[1]	王月, 江逸茗, 兰巨龙. 基于改进三元组网络和K近邻算法的入侵检测[J]. 计算机应用, 2021, 41(7): 1996-2002.
[2]	张全龙, 王怀彬. 基于膨胀卷积和门控循环单元组合的入侵检测模型[J]. 计算机应用, 2021, 41(5): 1372-1377.
[3]	唐延强, 李成海, 宋亚飞. 基于改进粒子群优化和极限学习机的网络安全态势预测[J]. 计算机应用, 2021, 41(3): 768-773.
[4]	杭梦鑫, 陈伟, 张仁杰. 基于改进的一维卷积神经网络的异常流量检测[J]. 计算机应用, 2021, 41(2): 433-440.
[5]	池亚平, 莫崇维, 杨垠坦, 陈纯霞. 面向软件定义网络架构的入侵检测模型设计与实现[J]. 计算机应用, 2020, 40(1): 116-122.
[6]	王佳欣, 冯毅, 由睿. 基于依赖关系图和通用漏洞评分系统的网络安全度量[J]. 计算机应用, 2019, 39(6): 1719-1727.
[7]	杜俊雄, 陈伟, 李雪妍. 基于物联网设备指纹的情境认证方法[J]. 计算机应用, 2019, 39(2): 464-469.
[8]	郭方方, 潮洛蒙, 朱建文. 基于相似连接的多源数据并行预处理方法[J]. 计算机应用, 2019, 39(1): 57-60.
[9]	张传浩, 谷学汇, 孟彩霞. 基于软件定义网络的反嗅探攻击方法[J]. 计算机应用, 2018, 38(11): 3258-3262.
[10]	孙文君, 苏旸, 曹镇. 非对称信息条件下APT攻防博弈模型[J]. 计算机应用, 2017, 37(9): 2557-2562.
[11]	谢丽霞, 王志华. 基于布谷鸟搜索优化BP神经网络的网络安全态势评估方法[J]. 计算机应用, 2017, 37(7): 1926-1930.
[12]	李方伟, 李骐, 朱江. 改进的基于隐马尔可夫模型的态势评估方法[J]. 计算机应用, 2017, 37(5): 1331-1334.
[13]	赵冬梅, 李红. 基于并行约简的网络安全态势要素提取方法[J]. 计算机应用, 2017, 37(4): 1008-1013.
[14]	朱江, 明月, 王森. 基于深度自编码网络的安全态势要素获取机制[J]. 计算机应用, 2017, 37(3): 771-776.
[15]	杨建喜, 戴楚屏, 姜停停, 丁正光. 基于支持向量机的4G室内物理层认证算法[J]. 计算机应用, 2016, 36(11): 3103-3107.