Research on Key Technologies of Network Security Risk Assessment
Abstract
With the rapid development of computer and network technologies, computers and networks have penetrated politics, economics, the military and society, and the accompanying network security problems have become increasingly prominent. To cope with these increasingly severe problems, a variety of network security defense and control technologies have emerged. Network security risk assessment is a proactive defense technology: before a security incident occurs, it analyzes and assesses the system's own security risks and hidden dangers so that precautions can be taken in advance; while a security incident is unfolding, it analyzes and assesses the threat situation in a timely manner, and appropriate risk-control measures are taken on the basis of the assessment so that the spread of the threat can be contained. Accurate and efficient network security risk assessment is therefore of great significance for protecting the security of a network or information system. Building on an analysis of existing work, this dissertation studies the key technologies of network security risk assessment in depth, in the following three areas:
     For qualitative assessment, two important problems in attack graph analysis are addressed: the optimal atomic-attack repair set problem and the optimal initial-condition repair set problem. The atomic-attack split weighted attack graph and the initial-condition split weighted attack graph are defined, the two problems are reduced to the minimum S-T cut problem in the respective split weighted attack graph, and the equivalence of the reductions is proved. On this basis, network-flow-based algorithms with polynomial complexity are proposed. Experiments show that, compared with existing results, the algorithms perform better and scale well, and can be applied to the analysis of large-scale attack graphs.
     For quantitative assessment, (1) because existing Bayesian attack graph models cannot express the effect of the network's operating environment on the likelihood of attacks, a generalized Bayesian attack graph (GBAG) model is proposed. The model covers the various ways an attacker can exploit vulnerabilities in a network or information system to launch single-step or multi-step attacks, the uncertainty of attacks, and the influence of environmental factors on attack likelihood. While retaining the advantages of Bayesian attack graphs, it extends their semantics by introducing attack-gain and threat-state variables, so that the business application environment and environmental threat information of the assessed system, and the propagation of their influence through the generalized Bayesian network, are taken into account; the GBAG therefore reflects the real likelihood of attacks more faithfully. (2) A hierarchical quantitative assessment method based on the GBAG is proposed. The method uses the GBAG to express the ways an attacker can exploit existing vulnerabilities to launch single-step or multi-step attacks, the uncertainty of attacks, and the influence of environmental factors. On the constructed GBAG, methods are given for computing attack probabilities at three levels (node, host and network) and risk values at the same three levels, so that security administrators can understand the security risk situation at the node, host and network levels. Experiments show that the method matches the real likelihood of attacks on the assessed system more closely and yields more objective and accurate results. It is also shown, both theoretically and experimentally, that the existing Bayesian-attack-graph-based method is a special case of this method, which therefore has wider applicability.
     For real-time assessment, (1) to address the large numbers of false positives and false negatives in alerts generated by intrusion detection systems, a D-S evidence attack graph model is proposed. Using D-S evidence theory, the model fuses the evidence obtained from security alerts onto the associated nodes of the attack graph, propagates belief forward and backward through the graph, updates the prediction support factors and posterior support factors of the affected nodes, and from these computes node attack certainty and node prediction certainty. The model exploits both the ability of D-S evidence theory to fuse uncertain information and the correlations between vulnerability exploits captured by the attack graph, so it can effectively suppress the false positives and false negatives in security alerts. (2) An incremental real-time assessment method based on the D-S evidence attack graph model is proposed. Spatially the method is divided into four layers (detection, attack graph, host and network) and temporally into an initialization phase and a real-time update phase. Because the D-S evidence attack graph model suppresses false positives and false negatives well, the method correlates and fuses security alerts, computes attack certainty and prediction certainty at the node, host and network levels, and can thus accurately reconstruct attack scenarios and predict attack behavior; it computes the corresponding threat values and the final network security situation value, giving the security threat situation of the network or information system at the node, host and network levels. Since the method is incremental and its algorithms have linear complexity, its real-time performance is high. Experiments show that the method reconstructs attack scenarios and predicts attack behavior objectively and accurately, produces a real-time network security threat situation consistent with the actual situation, and, being efficient and highly scalable, can be applied to the real-time assessment of large-scale networks or information systems.
With the rapid development of computer and network technologies, computers and networks play an increasingly important role in politics, the economy, the military and social life; at the same time, network security problems have become increasingly prominent. To deal with these increasingly serious problems, a variety of network security defense and control technologies have emerged. As a proactive defense technology, network security risk assessment is used to assess the security risks of a network or information system before security events occur and to assess the threat situation while they occur, so that appropriate risk control measures can be taken on the basis of the results. Effective and efficient network security risk assessment methods are therefore of great significance for protecting the security of networks and information systems. Building on a study and analysis of related work, we carried out in-depth research on the key technologies of network security risk assessment. The major contributions of the dissertation are summarized as follows.
     On the aspect of qualitative assessment, we discussed two important problems in attack graph analysis: the optimal atomic-attack repair set problem and the optimal initial-condition repair set problem. We defined the Atomic-attacks Split Weighted Attack Graph (ASWAG) and the Initial-condition Split Weighted Attack Graph (ISWAG) and converted the two problems into the minimum S-T cut problems in ASWAG and ISWAG, respectively; the conversions were proved to be equivalent. Two network-flow-based algorithms with polynomial time complexity were proposed. Experimental results showed that the algorithms are more efficient and scale better than existing methods, so they can be used to analyze large-scale attack graphs.
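The reduction described in the qualitative-assessment paragraphs above, as an added example that is not the dissertation's code: atomic attacks (ASWAG) or initial conditions (ISWAG) are split into in/out node pairs whose edge carries the repair cost, all other edges are uncuttable, and a max-flow/min-cut computation returns the cheapest set to repair. The attack graph, costs and node names are constructed, and the example assumes reachability semantics (the goal is protected once no S-T path survives the repairs).

```python
"""Optimal repair set on an attack graph via node splitting and a minimum S-T cut."""
from collections import deque

INF = float("inf")


def build_split_graph(attacks, initial_conditions, goal, repair="attacks"):
    """Return the split weighted attack graph as a capacity map {u: {v: cap}}.

    attacks:            {name: (preconditions, postconditions, repair_cost)}
    initial_conditions: {condition: repair_cost}
    repair: "attacks"    -> ASWAG: each atomic attack becomes in->out with its cost
            "conditions" -> ISWAG: each initial condition becomes in->out with its cost
    Every other edge is uncuttable (infinite capacity), so a finite min cut can
    only consist of split edges, i.e. of things we are allowed to repair.
    """
    cap = {}

    def add(u, v, c):
        cap.setdefault(u, {})
        cap.setdefault(v, {})
        cap[u][v] = cap[u].get(v, 0.0) + c
        cap[v].setdefault(u, 0.0)          # reverse edge for the residual graph

    split_conds = repair == "conditions"

    def out_of(cond):                      # node that "provides" a condition
        return f"{cond}:out" if split_conds and cond in initial_conditions else cond

    for cond, cost in initial_conditions.items():
        if split_conds:
            add("S", f"{cond}:in", INF)
            add(f"{cond}:in", f"{cond}:out", cost)
        else:
            add("S", cond, INF)
    for name, (pre, post, cost) in attacks.items():
        add(f"{name}:in", f"{name}:out", INF if split_conds else cost)
        for cond in pre:
            add(out_of(cond), f"{name}:in", INF)
        for cond in post:
            add(f"{name}:out", cond, INF)
    add(goal, "T", INF)
    return cap


def _augmenting_path(resid, s, t):
    """BFS for a shortest augmenting path; returns parent map or None."""
    parent, queue = {s: None}, deque([s])
    while queue:
        u = queue.popleft()
        for v, c in resid[u].items():
            if c > 0 and v not in parent:
                parent[v] = u
                if v == t:
                    return parent
                queue.append(v)
    return None


def max_flow(cap, s, t):
    """Edmonds-Karp max flow; returns (flow value, residual graph)."""
    resid = {u: dict(adj) for u, adj in cap.items()}
    flow = 0.0
    while True:
        parent = _augmenting_path(resid, s, t)
        if parent is None:
            return flow, resid
        bottleneck, v = INF, t
        while v != s:
            bottleneck, v = min(bottleneck, resid[parent[v]][v]), parent[v]
        if bottleneck == INF:              # S-T path made only of uncuttable edges
            raise ValueError("goal reachable without any repairable element")
        v = t
        while v != s:
            u = parent[v]
            resid[u][v] -= bottleneck
            resid[v][u] += bottleneck
            v = u
        flow += bottleneck


def optimal_repair_set(attacks, initial_conditions, goal, repair="attacks"):
    """Return (set of names to repair, total repair cost) for ASWAG or ISWAG."""
    cap = build_split_graph(attacks, initial_conditions, goal, repair)
    cost, resid = max_flow(cap, "S", "T")
    reach, stack = {"S"}, ["S"]           # source side of the min cut
    while stack:
        u = stack.pop()
        for v, c in resid[u].items():
            if c > 0 and v not in reach:
                reach.add(v)
                stack.append(v)
    names = attacks if repair == "attacks" else initial_conditions
    chosen = {n for n in names if f"{n}:in" in reach and f"{n}:out" not in reach}
    return chosen, cost


# Constructed sample attack graph and repair costs (not from the dissertation).
INITIAL = {"net_access": 5.0, "vpn_access": 2.0}
ATTACKS = {                                  # name: (pre, post, repair cost)
    "a1_web_exploit":   (["net_access"], ["user_web"], 1.0),
    "a2_ftp_exploit":   (["net_access"], ["user_web"], 1.0),
    "a3_local_privesc": (["user_web"],   ["root_web"], 3.0),
    "a4_remote_root":   (["vpn_access"], ["root_web"], 2.0),
}
GOAL = "root_web"

if __name__ == "__main__":
    print(optimal_repair_set(ATTACKS, INITIAL, GOAL, "attacks"))      # cheaper than cutting a3 alone
    print(optimal_repair_set(ATTACKS, INITIAL, GOAL, "conditions"))   # both entry conditions
```

Note that the ASWAG result repairs a1, a2 and a4 (cost 4) rather than the single chokepoint a3 plus a4 (cost 5), which is exactly the trade-off a min cut resolves.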
     On the aspect of quantitative assessment, our work includes two parts. (1) Because the existing Bayesian Attack Graph (BAG) model cannot express the impact of environmental factors on the probabilities of attacks, we proposed the Generalized Bayesian Attack Graph (GBAG) model. The GBAG model covers the ways attackers exploit vulnerabilities to launch multi-step attacks, the uncertainty of the attacks, and the impact of environmental factors on the probabilities of attacks. Its semantics extend those of BAG by introducing attack gains and threat state variables while retaining the advantages of BAG, and because of these extensions the GBAG model reflects the true attack probabilities more objectively. (2) A hierarchical quantitative assessment method based on GBAG was proposed. The method uses GBAG to cover the ways attackers exploit vulnerabilities to launch multi-step attacks, the uncertainty of the attacks, and the impact of environmental factors on the probabilities of attacks. Node attack probabilities, node risk values, host attack probabilities, host risk values, network attack probabilities and the network risk value are computed on the constructed GBAG, so that security administrators can understand the security situation at all three levels. Experimental results show that the results of our method agree with the real situation, i.e. the method leads to more objective and accurate results. Theoretical and experimental proofs show that the BAG-based method is a special case of our method, so our method has a wider range of applications.
     On the aspect of real-time assessment, our work also includes two parts. (1) False positives and false negatives are prevalent in the alerts generated by intrusion detection systems. We proposed the D-S evidence Attack Graph Model (DSAGM) to deal with the problems they cause in real-time assessment. Alerts are assigned certainty factors, and the D-S combination rule is used to combine the related alerts that correspond to the same node in the attack graph. The credibility is propagated forward and backward through the attack graph, the prediction support factors and posterior support factors of the related nodes are updated, and the node attack certainty factors and prediction attack certainty factors are updated afterwards. The model not only takes advantage of the uncertain-information fusion capability of D-S evidence theory but also makes use of the relationships between vulnerability exploits in the attack graph, so that it can effectively deal with the problems caused by false positives and false negatives. (2) The incremental real-time assessment method based on DSAGM was proposed. The framework of the method includes four layers (detection layer, attack graph layer, host layer and network layer) and two phases (initialization phase and real-time phase). The method uses DSAGM to deal with the problems caused by false positives and false negatives, and computes the attack certainty factors and prediction attack certainty factors of each node, each host and the network, so that it can reconstruct the attack scene and accurately predict future attack behaviors. The corresponding threat values and the final network security awareness value are computed, so that security administrators can understand the threat situation at the node, host and network levels. The method is incremental and its algorithms have linear complexity, so it is very efficient. Experimental results show that the method reconstructs the attack scene and predicts future attack behaviors accurately and objectively, and produces a network security awareness value consistent with the real-time network security threat situation. The method is efficient and scales well, so it can be applied to the real-time assessment of large-scale networks or information systems.
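The alert-fusion step of the D-S evidence attack graph model, as an added example that is not the dissertation's code: every alert mapped to one attack-graph node is turned into a mass function from its certainty factor, Dempster's rule combines them, and belief and plausibility of "attacked" give the node's attack certainty. The mapping of a certainty factor to a mass function (cf on {attacked}, remainder on the whole frame), the optional counter-evidence source and the sample values are my assumptions.

```python
"""Dempster-Shafer fusion of IDS alerts that map to the same attack-graph node."""
from itertools import product

THETA = frozenset({"attacked", "not_attacked"})   # frame of discernment for one node
ATTACKED = frozenset({"attacked"})
NOT_ATTACKED = frozenset({"not_attacked"})


def alert_mass(cf):
    """Mass function for one alert with certainty factor cf (assumption: the alert
    supports only 'attacked'; the rest of its mass stays on the whole frame)."""
    if not 0.0 <= cf <= 1.0:
        raise ValueError("certainty factor must lie in [0, 1]")
    return {ATTACKED: cf, THETA: 1.0 - cf}


def dempster_combine(m1, m2):
    """Dempster's rule: m(A) = sum_{B & C == A} m1(B) m2(C) / (1 - K).

    K is the conflicting mass (pairs whose intersection is empty).
    Returns (combined mass, K); raises on total conflict."""
    combined, conflict = {}, 0.0
    for (b, mb), (c, mc) in product(m1.items(), m2.items()):
        a = b & c
        if not a:
            conflict += mb * mc
        else:
            combined[a] = combined.get(a, 0.0) + mb * mc
    if conflict >= 1.0 - 1e-12:
        raise ValueError("total conflict: the sources cannot be combined")
    return {a: v / (1.0 - conflict) for a, v in combined.items()}, conflict


def belief(m, hypothesis):
    """Bel(A): total mass committed to subsets of A."""
    return sum(v for a, v in m.items() if a <= hypothesis)


def plausibility(m, hypothesis):
    """Pl(A): total mass not contradicting A."""
    return sum(v for a, v in m.items() if a & hypothesis)


def node_attack_certainty(alert_cfs, counter_evidence=None):
    """Fuse all alerts for one node; returns (Bel(attacked), Pl(attacked)).

    counter_evidence: optional mass on 'not_attacked' from an independent source
    (assumption: e.g. a scan reporting the exploited service as absent)."""
    m = {THETA: 1.0}                       # vacuous belief before any evidence
    for cf in alert_cfs:
        m, _ = dempster_combine(m, alert_mass(cf))
    if counter_evidence is not None:
        m, _ = dempster_combine(m, {NOT_ATTACKED: counter_evidence,
                                    THETA: 1.0 - counter_evidence})
    return belief(m, ATTACKED), plausibility(m, ATTACKED)


if __name__ == "__main__":
    # Constructed alerts for one node: two independent sensors, cf 0.6 and 0.5.
    print(node_attack_certainty([0.6, 0.5]))                        # belief rises to 0.8
    print(node_attack_certainty([0.6, 0.5], counter_evidence=0.5))  # conflict lowers it
```

Two weak alerts that agree reinforce each other (Bel 0.8), while an independent contradicting source is normalised against them rather than simply overriding the alerts, which is how the fusion step dampens both isolated false positives and isolated contradictions.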