Research on IP Network Vulnerability Analysis and Security Control Strategies
Abstract
Vulnerability assessment is an important part of information system security engineering and is the foundation and prerequisite for building an information system security architecture. This paper analyzes the main elements of vulnerability assessment, including the current state of the field in China and abroad, assessment framework models, assessment standards, assessment methods, and the assessment process. It examines the evaluation systems used in China and abroad and summarizes the current state and characteristics of vulnerability assessment methods.
The paper identifies the problems that information vulnerability assessment currently needs to solve and analyzes the underlying causes of vulnerabilities. It discusses the challenges facing security control strategies, explores the methods and ideas behind control strategies, and proposes corresponding security control strategies.
Building on security control, the paper proposes an IP network security management process, which sets out the rules a secure IP network should follow. It focuses on improving the network vulnerability assessment model, implements a vulnerability analysis and security control system, summarizes the characteristics of that system, and looks ahead to the future development of information security risk assessment.
The system test results show that the construction and operation of the system's functional model are effective and can provide support for decision-makers; the research has largely achieved its intended goals.