
A Security Threats Identification and Analysis Method Based on Attack Graph (cited by: 34)
Abstract: Security management of a business system needs a network attack graph to assess the overall security or security situation of the system, and it also needs to analyze with priority, and dispose of first, those vulnerability-exploiting threats that may seriously harm system security. Existing security threat identification and analysis methods cannot cover both needs at the same time, nor can they handle the uncertainty that arises during the analysis of vulnerability-exploiting threats. This paper proposes a security threat identification and analysis method. The network attack graph is defined with a Colored Petri Net (CPN), and an algorithm named NAGG is given to generate the network attack graph from the results of attack model analysis. An algorithm named NAGD, based on CPN simulation, decomposes the network attack graph in a single pass into sub-attack-graphs, each corresponding to a specific vulnerability-exploiting threat; each sub-attack-graph is loop-free and its longest attack path does not exceed a predefined value. To prioritize security threats for disposal, a vulnerability-exploiting threat evaluation algorithm named VETE converts each sub-attack-graph into an uncertain inference rule set and uses D-S evidence inference to calculate the threat degree of the security threat corresponding to each sub-attack-graph. Finally, a typical Web application system is used as an example to validate the effectiveness of the proposed method.
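Source: Chinese Journal of Computers (《计算机学报》), indexed in EI, CSCD and the Peking University Core Journals list; 2012, Issue 9, pp. 1938-1950 (13 pages)
Funding: Supported by the National "863" High Technology Research and Development Program of China (2009AA01Z439, 2011AA01A203), the National Natural Science Foundation of China (61100226), the Beijing Natural Science Foundation (4122085), and the Open Fund of the Key Laboratory of Information Network Security, Ministry of Public Security (Third Research Institute of the Ministry of Public Security) (C10606)
Keywords: attack model; network attack graph; sub-attack-graph; Colored Petri Net (CPN); uncertainty reasoning; D-S evidence theory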
