Attack Graph Analysis Method for Large Scale Network Security Hardening
  • English title: Attack Graph Analysis Method for Large Scale Network Security Hardening
  • Authors: 赵超 ; 王慧强 ; 林俊宇 ; 吕宏武 ; 韩冀中
  • English authors: ZHAO Chao; WANG Huiqiang; LIN Junyu; LV Hongwu; HAN Jizhong (College of Computer Science and Technology, Harbin Engineering University; Institute of Information Engineering, Chinese Academy of Sciences)
  • Keywords: attack graph ; network security hardening ; heuristic algorithm ; vulnerability
  • English keywords: attack graph; network security hardening; heuristic algorithm; vulnerability
  • Chinese journal code: KXTS
  • English journal title: Journal of Frontiers of Computer Science and Technology
  • Affiliations: College of Computer Science and Technology, Harbin Engineering University; Institute of Information Engineering, Chinese Academy of Sciences
  • Publication date: 2017-04-26 13:10
  • Publisher: 计算机科学与探索 (Journal of Frontiers of Computer Science and Technology)
  • Year: 2018
  • Issue: v.12; No.113
  • Funding: National Natural Science Foundation of China Nos. 61370212, 61402127, 61502118; Specialized Research Fund for the Doctoral Program of Higher Education (priority development areas) No. 20122304130002; Natural Science Foundation of Heilongjiang Province Nos. F2015029, F2016009; Fundamental Research Funds for the Central Universities No. HEUCF100601
  • Language: Chinese
  • Page code: KXTS201802011
  • Page count: 11
  • CN: 02
  • ISSN: 11-5602/TP
  • Classification number: 97-107
Abstract
Previous attack graph analysis methods suffer from high computational complexity, a single risk assessment criterion, costly hardening strategies, and difficulty in scaling to large networks. To address these problems, this paper proposes a heuristic attack graph analysis method for large scale network security hardening. The method assesses the risk of potential attack paths by combining path length with the Common Vulnerability Scoring System (CVSS), limits the search scope with a threshold, and uses a heuristic algorithm to reduce the time complexity of generating hardening strategies. Experimental results show that the method significantly reduces the cost of network security hardening within a reasonable running time, scales well, and is suitable for large scale networks.
