Research on Attack-Graph-Based Network Security Risk Analysis and Control Methods
Abstract
The networked world faces pervasive vulnerabilities and potential threats and attacks from all sides, so security risk is unavoidable. Security risk analysis is an important part of proactive network defense, is of great significance to network security research, and is currently one of the active research topics.
     Network security risk analysis aims to understand, as far as possible, where current and future network risks lie and to analyze fully how severe they are, so that the appropriate remedy can be applied, problems can be prevented before they occur, computers and networks can be protected proactively, and the likelihood of the system being attacked and damaged is reduced to a minimum.
     This thesis first analyzes traditional risk analysis methods, summarizes the relationship between traditional risk assessment and the essence of risk analysis, and examines general network security risk analysis methods together with their respective advantages and disadvantages. Drawing on practical risk assessment work, it concludes that traditional risk assessment methods have the advantage of relating assets to vulnerabilities and the disadvantage of highly subjective threat judgments, while current attack-based research cannot take the business value of assets into account. On this basis, a security risk analysis and control model is designed. The model uses an attack-graph-based risk analysis method: after extracting information about the target system and its weaknesses and the characteristics of attack behavior, it simulates the changes in the attacker's intrusion state, generates an attack state graph (ASG), and gives the generation algorithm. The attack graph is used to identify potential threats and the subjects, objects and actions they involve, and quantitative evaluation yields the risk level of each intrusion path, which provides a basis for analyzing the risk situation and formulating a risk control strategy. Based on the risk analysis results, vulnerability patching is used as the risk control method, and a quantitative calculation verifies the effect of the patching.
     Finally, a typical experimental environment (a virtual network) is used to analyze and verify the practicality and effectiveness of the analysis method, and simulation experiments verify the scientific soundness of the analysis process.
