Journal of Computer Applications, 2019, Vol. 39, Issue (6): 1719-1727. DOI: 10.11772/j.issn.1001-9081.2018102199

• Cyber security •

Network security measurement based on dependency relationship graph and Common Vulnerability Scoring System

WANG Jiaxin, FENG Yi, YOU Rui   

  1. Information Engineering University, Zhengzhou Henan 450000, China
  • Received: 2018-11-01  Revised: 2018-12-21  Online: 2019-06-17  Published: 2019-06-10
  • Supported by:
    This work is partially supported by the National Natural Science Foundation of China (61309018).

Network security measurement based on dependency relationship graph and Common Vulnerability Scoring System (Chinese-language version, translated)

WANG Jiaxin (王佳欣), FENG Yi (冯毅), YOU Rui (由睿)

  1. Information Engineering University, Zhengzhou 450000, China
  • Corresponding author: WANG Jiaxin
  • About the authors: WANG Jiaxin (1997-), female, born in Xinyang, Henan; main research interest: computer security. FENG Yi (1981-), male, born in Wuhan, Hubei, associate professor, Ph.D. candidate; main research interests: network security, machine learning. YOU Rui (1997-), male, born in Yantai, Shandong; main research interest: computer security.
  • Supported by:
    National Natural Science Foundation of China (61309018).

Abstract: Administrators usually rely on network security metrics as an important basis for measuring network security. The Common Vulnerability Scoring System (CVSS) is one of the generally accepted network measurement methods. To address the problem that existing CVSS-based network security measurement cannot accurately measure both the probability and the impact of a network attack at the same time, an improved base metric algorithm based on a dependency relationship graph and CVSS was proposed. Firstly, the dependency relationships among the vulnerability nodes in an attack graph were explored to build the dependency relationship graph. Then, the CVSS base metric algorithm for vulnerabilities was modified according to these dependency relationships. Finally, the vulnerability scores across the whole attack graph were aggregated to obtain the probability and the impact of a network attack. The results of simulation with a simulated attacker show that the proposed algorithm is superior to the algorithm that aggregates CVSS scores in terms of accuracy and credibility, and yields measurement results closer to the actual simulation results.

Key words: network security, Common Vulnerability Scoring System (CVSS), attack success rate, base metric, dependency relationship

Abstract (translated from the Chinese): Administrators usually use a number of network security metrics as an important basis for measuring network security. The Common Vulnerability Scoring System (CVSS) is one of the currently widely accepted ways of measuring networks. To address the problem that existing CVSS-based network security measurement cannot accurately measure both the probability and the impact of an attack on the network, an improved base metric algorithm based on a dependency relationship graph and CVSS is proposed. First, the dependency relationships among vulnerability nodes in the attack graph are mined to build a dependency relationship graph; then the CVSS base metric algorithm for vulnerabilities is modified according to the dependency relationships; finally, the vulnerability scores across the whole attack graph are aggregated to obtain scores for both the probability and the impact of an attack on the network. Simulation experiments with a simulated attacker show that the algorithm is clearly superior to the CVSS score aggregation algorithm in accuracy and credibility, and comes closer to the actual simulation results.

Key words (translated from the Chinese): network security, Common Vulnerability Scoring System (CVSS), attack success rate, base metric, dependency relationship
