基于复杂网络的网络系统脆弱点发现方法研究
|
摘要
利用复杂网络寻找网络系统中的脆弱点可以从网络拓扑结构的角度出发,利用节点的拓扑性质研究其脆弱性,这可以有效的解决攻击图等脆弱性评估手段无法处理规模过大的网络的问题。通过对李鹏翔等的节点删除方法进行改进,计算动态删除节点后网络平均最短路径变化,模拟网络中节点在受到攻击后无法使用,从而导致的网络整体性能的变化。使得评估时不仅考虑删除节点对网络破坏程度,同时兼顾了对网络的效率的影响,从而可以更有效的针对脆弱点布置防御措施。
Using complex networks to find vulnerable points in network systems can be carried out from the perspective of the topology of the network. We can research the vulnerability of nodes based on their topological characteristics.This can effectively solve the problem that the vulnerability assessment methods such as attack graphs cannot handle large-scale networks. Through the improvement of the node deletion method of Li Pengxiang, the average shortest path change of the network after the dynamic deletion of the node is calculated, and the nodes in the simulated network cannot be used after being attacked, thereby causing the change of the overall performance of the network. The evaluation not only considers the degree of network damage caused by deleting nodes, but also takes into account the impact on the efficiency of the network, so that defensive measures can be deployed more effectively against the vulnerable points.
Using complex networks to find vulnerable points in network systems can be carried out from the perspective of the topology of the network. We can research the vulnerability of nodes based on their topological characteristics.This can effectively solve the problem that the vulnerability assessment methods such as attack graphs cannot handle large-scale networks. Through the improvement of the node deletion method of Li Pengxiang, the average shortest path change of the network after the dynamic deletion of the node is calculated, and the nodes in the simulated network cannot be used after being attacked, thereby causing the change of the overall performance of the network. The evaluation not only considers the degree of network damage caused by deleting nodes, but also takes into account the impact on the efficiency of the network, so that defensive measures can be deployed more effectively against the vulnerable points.
引文
[1]“ISC Internet Domain Survey”,Internet System Consortium,https://www.isc.org/network/survey/,Sept 2018.
[2]“The forty-second statistical report on China's Internet development”,China Internet Network Information Center,http://www.cnnic.net.cn/hlwfzyj/hlwxzbg/hlwtjbg/201808/P020180820630889299840.pdf,Sept 2018.(“第42次中国互联网络发展状况统计报告”,中国互联网络信息中心,http://www.cnnic.net.cn/hlwfzyj/hlwxzbg/hlwtjbg/201808/P020180820630889299840.pdf,Sept 2018.)
[3]“National Vulnerability Database”,NVD,http://nvd.nist.gov/,Sept2018.
[4]“China Internet network security report 2017”,CNCERT,http://www.cert.org.cn/publish/main/upload/File/2017annual(1).pdf,Sept 2018.(“2017年中国互联网网络安全报告”,国家互联网应急中心,http://www.cert.org.cn/publish/main/upload/File/2017annual(1).pdf,Sept 2018.)
[5]W.H.Cunningham.“Optimal attack and reinforcement of a network”.J.assoc.comput.mach,vol.32,no.3,pp.549-561,1985.
[6]O.Sheyner,J.Haines,S.Jha,R.Lippmann,J.M.Wing.“Automated Generation and Analysis of Attack Graphs”.IEEE Security&Privacy Magazine,vol.1971,pp.273,2002.
[7]W.Jia,“Research on vulnerability assessment method of computer network[Ph.D.dissertation],”University of Science and Technology of China,2012.(贾炜.“计算机网络脆弱性评估方法研究[博士学位论文],”中国科学技术大学,2012.)
[8]L.Wang,C.Yao,A.Singhal,and S.Jajodia.“Interactive Analysis of Attack Graphs Using Relational Queries”.Lecture Notes in Computer Science,vol.4127,pp.119-132,2008.
[9]F.Chen,Y.Zhang,A.H.Bao and J.S.Su.“Research on quantitative assessment of network vulnerability based on attack graph”,Computer Engineering and Science,vol.32,no.10,pp.8-11,2010.(陈锋,张怡,鲍爱华,苏金树.“基于攻击图的网络脆弱性量化评估研究”.计算机工程与科学,2010,32(10):8-11.)
[10]H.Kim,J.Reich,A.Gupta,M.Shahbaz,and N.Feamster.“Kinetic:verifiable dynamic network control”.Usenix NSDI.2015.
[11]X.J.Wang,B.Sun,Y.W.Liao,and C.B.Xiang.“Vulnerability assessment of Bayes attribute attack graph network”.Journal of Beijing University of Posts and Telecommunications,vol.38,no.4,pp.110:116,2015.(王秀娟,孙博,廖彦文,相从斌.“贝叶斯属性攻击图网络脆弱性评估”.北京邮电大学学报,2015,38(4):110-116.)
[12]X.Ou,W.F.Boyer,M.A.Mcqueen.“A scalable approach to attack graph generation”in ACM Conference on Computer and Communications Security(CCS'06),pp.336-345,2006.
[13]X.Ou,S.Govindavajhala,A.W.Appel.“MulVAL:a logic-based network security analyzer”.Usenix Security Symposium,pp.8-8,2005.
[14]Z.Sun,Z.Z.Wu and Q.M.Li.“Modeling and generation method of traffic attack graph”,software,no.4,2018.(孙哲,巫中正,李千目.“流量攻击图的建模与生成方法”.软件,第4期,2018.)
[15]W.Jia,D.G.Feng and Y.F.Lian.“Computer network vulnerability assessment method based on network centrality”,Journal of the Chinese Academy of Sciences,vol.29,no.4,pp.529-535,2012.(贾炜,冯登国,连一峰.“基于网络中心性的计算机网络脆弱性评估方法”.中国科学院大学学报,,2012,29(4):529-535.)
[16]W.X.Zhang,Q.Li,W.P.Wang,and H.B.Li.“Comprehensive analysis method for vulnerability of complex systems”,Journal of National University of Defense Technology,vol.38,no.2,pp.150-155,2016.(张旺勋,李群,王维平,李海兵.“复杂系统脆弱性综合分析方法”.国防科技大学学报,2016,38(2):150-155.)
[17]J.Guo.“Vulnerability analysis of power communication network based on complex network theory[master dissertation],”North China Electric Power University,2010.(郭静.“基于复杂网络理论的电力通信网脆弱性分析[硕士学位论文],”华北电力大学,2010.)
[18]S.Wassermen,K.Faust.“Social network analysis:methods and applications”.Ca-mbridge;Camridge University Press,1994.
[19]P.Bonacich.“Factoring and weighting approaches to status scores and clique identification”.Journal of Mathematical Sociology,vol.2,no.1,pp.113-120,1972.
[20]P.Bonacich.“Technique for analyzing overlapping memberships”.Sociological Methodology,vol.4,no.4,pp.176-185,1972.
[21]K.Stephenson,M.Zelen.“Rethinking Centrality:Methods and Applications”.Social Networks,vol.11,pp.1-37,1989.
[22]D.Yan,S.B.Zhang,K.Zong and Z.H.Hu.“Identification method of key nodes in complex networks based on AHP-entropy weight method”.Journal of Guangxi University:Natural Science Edition,vol.41,no.6,pp.1933-1939,2016.(严栋,张世斌,宗康,胡志华.“基于AHP-熵权法的复杂网络关键节点识别方法”.广西大学学报:自然科学版,2016,41(6):1933-1939.)
[23]F.H.Zhao and B.Yang.“Comprehensive evaluation method of node importance in complex networks”,Journal of Wuhan University of Technology(information and Management Engineering Edition),no.4,pp.461-464,2015.(赵凤花,杨波.“复杂网络节点重要性的综合评价方法”.武汉理工大学学报(信息与管理工程版),2015(4):461-464.)
[24]X.C.Guo,R.N.Ma and G.Wang.“Comprehensive evaluation method of node importance in complex networks”,computer simulation,vol.34,no.7,pp.264-268,2017.(郭晓成,马润年,王刚.“复杂网络中节点重要性综合评价方法研究”.计算机仿真,2017,34(7):264-268.)
[25]J.Xu.”A new method of research system--core and core degree method”,Systems Engineering and Electronics,no.6,pp.1-10,1994.(许进.“一种研究系统的新方法-核与核度法”.系统工程与电子技术,第6期,1994(6):1-10.)
[26]J.Xu.“core and core degree theory of systems and its application”,Xidian University Press,1994.(许进.“系统核与核度理论及其应用”.西安电子科技大学出版社,1994.)
[27]P.X.Li,Y.Q.Ren and Y.M.Xi.“A measure of the importance of network nodes(sets)”,Systems engineering,vol.22,no.4,pp.13-20,2004.(李鹏翔,任玉晴,席酉民.“网络节点(集)重要性的一种度量指标”.系统工程,2004,22(4):13-20.)
[28]L.Liu,W.Deng,F.Cai,L.Chen.“A new method for calculating node importance--priority method”.Chinese Journal of Management Science,vol.15,no.s1,pp.162-165,2007.(刘浪,邓伟,采峰,陈玲.“节点重要度计算的新方法--优先等级法”.中国管理科学,2007,15(s1):162-165.)
[29]M.E.J.Newman,D.J.Watts.“Renormalization group analysis of the small-world network model”.Physics Letters A,vol.263,no.4-6,pp.341-346,1999.
[30]D.J.Watts,S.H.Strogatz.“Collective dynamics of‘smallworld'networks”.nature,vol.393,no.6684,pp.440,1998.
[2]“The forty-second statistical report on China's Internet development”,China Internet Network Information Center,http://www.cnnic.net.cn/hlwfzyj/hlwxzbg/hlwtjbg/201808/P020180820630889299840.pdf,Sept 2018.(“第42次中国互联网络发展状况统计报告”,中国互联网络信息中心,http://www.cnnic.net.cn/hlwfzyj/hlwxzbg/hlwtjbg/201808/P020180820630889299840.pdf,Sept 2018.)
[3]“National Vulnerability Database”,NVD,http://nvd.nist.gov/,Sept2018.
[4]“China Internet network security report 2017”,CNCERT,http://www.cert.org.cn/publish/main/upload/File/2017annual(1).pdf,Sept 2018.(“2017年中国互联网网络安全报告”,国家互联网应急中心,http://www.cert.org.cn/publish/main/upload/File/2017annual(1).pdf,Sept 2018.)
[5]W.H.Cunningham.“Optimal attack and reinforcement of a network”.J.assoc.comput.mach,vol.32,no.3,pp.549-561,1985.
[6]O.Sheyner,J.Haines,S.Jha,R.Lippmann,J.M.Wing.“Automated Generation and Analysis of Attack Graphs”.IEEE Security&Privacy Magazine,vol.1971,pp.273,2002.
[7]W.Jia,“Research on vulnerability assessment method of computer network[Ph.D.dissertation],”University of Science and Technology of China,2012.(贾炜.“计算机网络脆弱性评估方法研究[博士学位论文],”中国科学技术大学,2012.)
[8]L.Wang,C.Yao,A.Singhal,and S.Jajodia.“Interactive Analysis of Attack Graphs Using Relational Queries”.Lecture Notes in Computer Science,vol.4127,pp.119-132,2008.
[9]F.Chen,Y.Zhang,A.H.Bao and J.S.Su.“Research on quantitative assessment of network vulnerability based on attack graph”,Computer Engineering and Science,vol.32,no.10,pp.8-11,2010.(陈锋,张怡,鲍爱华,苏金树.“基于攻击图的网络脆弱性量化评估研究”.计算机工程与科学,2010,32(10):8-11.)
[10]H.Kim,J.Reich,A.Gupta,M.Shahbaz,and N.Feamster.“Kinetic:verifiable dynamic network control”.Usenix NSDI.2015.
[11]X.J.Wang,B.Sun,Y.W.Liao,and C.B.Xiang.“Vulnerability assessment of Bayes attribute attack graph network”.Journal of Beijing University of Posts and Telecommunications,vol.38,no.4,pp.110:116,2015.(王秀娟,孙博,廖彦文,相从斌.“贝叶斯属性攻击图网络脆弱性评估”.北京邮电大学学报,2015,38(4):110-116.)
[12]X.Ou,W.F.Boyer,M.A.Mcqueen.“A scalable approach to attack graph generation”in ACM Conference on Computer and Communications Security(CCS'06),pp.336-345,2006.
[13]X.Ou,S.Govindavajhala,A.W.Appel.“MulVAL:a logic-based network security analyzer”.Usenix Security Symposium,pp.8-8,2005.
[14]Z.Sun,Z.Z.Wu and Q.M.Li.“Modeling and generation method of traffic attack graph”,software,no.4,2018.(孙哲,巫中正,李千目.“流量攻击图的建模与生成方法”.软件,第4期,2018.)
[15]W.Jia,D.G.Feng and Y.F.Lian.“Computer network vulnerability assessment method based on network centrality”,Journal of the Chinese Academy of Sciences,vol.29,no.4,pp.529-535,2012.(贾炜,冯登国,连一峰.“基于网络中心性的计算机网络脆弱性评估方法”.中国科学院大学学报,,2012,29(4):529-535.)
[16]W.X.Zhang,Q.Li,W.P.Wang,and H.B.Li.“Comprehensive analysis method for vulnerability of complex systems”,Journal of National University of Defense Technology,vol.38,no.2,pp.150-155,2016.(张旺勋,李群,王维平,李海兵.“复杂系统脆弱性综合分析方法”.国防科技大学学报,2016,38(2):150-155.)
[17]J.Guo.“Vulnerability analysis of power communication network based on complex network theory[master dissertation],”North China Electric Power University,2010.(郭静.“基于复杂网络理论的电力通信网脆弱性分析[硕士学位论文],”华北电力大学,2010.)
[18]S.Wassermen,K.Faust.“Social network analysis:methods and applications”.Ca-mbridge;Camridge University Press,1994.
[19]P.Bonacich.“Factoring and weighting approaches to status scores and clique identification”.Journal of Mathematical Sociology,vol.2,no.1,pp.113-120,1972.
[20]P.Bonacich.“Technique for analyzing overlapping memberships”.Sociological Methodology,vol.4,no.4,pp.176-185,1972.
[21]K.Stephenson,M.Zelen.“Rethinking Centrality:Methods and Applications”.Social Networks,vol.11,pp.1-37,1989.
[22]D.Yan,S.B.Zhang,K.Zong and Z.H.Hu.“Identification method of key nodes in complex networks based on AHP-entropy weight method”.Journal of Guangxi University:Natural Science Edition,vol.41,no.6,pp.1933-1939,2016.(严栋,张世斌,宗康,胡志华.“基于AHP-熵权法的复杂网络关键节点识别方法”.广西大学学报:自然科学版,2016,41(6):1933-1939.)
[23]F.H.Zhao and B.Yang.“Comprehensive evaluation method of node importance in complex networks”,Journal of Wuhan University of Technology(information and Management Engineering Edition),no.4,pp.461-464,2015.(赵凤花,杨波.“复杂网络节点重要性的综合评价方法”.武汉理工大学学报(信息与管理工程版),2015(4):461-464.)
[24]X.C.Guo,R.N.Ma and G.Wang.“Comprehensive evaluation method of node importance in complex networks”,computer simulation,vol.34,no.7,pp.264-268,2017.(郭晓成,马润年,王刚.“复杂网络中节点重要性综合评价方法研究”.计算机仿真,2017,34(7):264-268.)
[25]J.Xu.”A new method of research system--core and core degree method”,Systems Engineering and Electronics,no.6,pp.1-10,1994.(许进.“一种研究系统的新方法-核与核度法”.系统工程与电子技术,第6期,1994(6):1-10.)
[26]J.Xu.“core and core degree theory of systems and its application”,Xidian University Press,1994.(许进.“系统核与核度理论及其应用”.西安电子科技大学出版社,1994.)
[27]P.X.Li,Y.Q.Ren and Y.M.Xi.“A measure of the importance of network nodes(sets)”,Systems engineering,vol.22,no.4,pp.13-20,2004.(李鹏翔,任玉晴,席酉民.“网络节点(集)重要性的一种度量指标”.系统工程,2004,22(4):13-20.)
[28]L.Liu,W.Deng,F.Cai,L.Chen.“A new method for calculating node importance--priority method”.Chinese Journal of Management Science,vol.15,no.s1,pp.162-165,2007.(刘浪,邓伟,采峰,陈玲.“节点重要度计算的新方法--优先等级法”.中国管理科学,2007,15(s1):162-165.)
[29]M.E.J.Newman,D.J.Watts.“Renormalization group analysis of the small-world network model”.Physics Letters A,vol.263,no.4-6,pp.341-346,1999.
[30]D.J.Watts,S.H.Strogatz.“Collective dynamics of‘smallworld'networks”.nature,vol.393,no.6684,pp.440,1998.