Research on an OVAL-Based Vulnerability Assessment System
Abstract
With the rapid development of computer network technology, network security has become a focus of current network research. Vulnerability assessment technology detects the potential security holes and weaknesses of a networked system and evaluates its security posture; it is one of the key technologies for achieving network security.
Existing security tools such as vulnerability scanners and network security assessment tools do not meet today's network security needs. There is no standardized method and no product or service that conforms to a standard; current tools cannot accurately detect the vulnerabilities, missing or faulty patches and configuration errors present in a system, and the various network security products and services are neither compatible nor interoperable with each other. Network security assessment therefore remains a serious problem.
In view of this situation, this thesis studies a vulnerability assessment system based on the international OVAL standard (Open Vulnerability and Assessment Language). The aim is to study a standardized method of describing vulnerabilities, to standardize vulnerability description, the vulnerability detection process and vulnerability assessment, and to assess the overall security posture of a network; an OVAL-based vulnerability assessment system also resolves interoperability with other security products. The vulnerability assessment system adopts an architecture of one control center and multiple agents.
The thesis reviews the current state and development of vulnerability detection and assessment. It analyzes several current vulnerability detection products and the trend of vulnerability description toward normalized, structured and standardized forms, and it studies the causes of vulnerabilities, the harm they do, the principles of vulnerability detection, and the development of vulnerability detection technology.
The thesis studies the OVAL standard, covering the definition of the OVAL language and the definition of vulnerabilities in OVAL. For the security level of a single vulnerability, the thesis adopts the CVSS vulnerability scoring standard; it studies the CVSS scoring system in full (CVSS scores a vulnerability from its base, temporal and environmental metric groups) and illustrates it with worked examples. With OVAL vulnerability definitions and CVSS scoring as the foundation, it studies a security-case-based method of network security posture assessment, used to evaluate the overall security posture of the scanned network and systems.
Building on the above, the thesis combines traditional vulnerability detection and assessment techniques with the latest vulnerability assessment techniques and standards to analyze and design an OVAL-based vulnerability assessment system. The design goals, the system workflow, the architecture, the basic functional modules and the logical relationships between the modules are analyzed and designed in detail. Finally, the main functional modules of the OVAL-based vulnerability assessment model system are implemented and tested, and a test report is given.
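The OVAL structure the abstract refers to (a definition whose criteria reference tests, each test pairing an object to collect with a state to compare against, evaluated over system characteristics gathered from the host) is shown below as an added worked example; it is not code from the thesis or from MITRE's OVAL project. The XML is a constructed, cut-down imitation of OVAL (real OVAL uses namespaced schemas and typed objects such as registry_object and file_object), and the identifiers, hotfix name, file path and collected values are all made up. The point it demonstrates is the result logic: a negated criterion turns "patch absent" into a vulnerable verdict, and a collection error propagates as "error" rather than being read as "not vulnerable".

```python
"""Evaluate a simplified OVAL-style definition against collected host data.

Added illustration, not the thesis's code.  DEFINITION_XML is a constructed,
cut-down imitation of OVAL's definition -> criteria -> test -> object/state
structure; it does not use the real OVAL schema namespaces or item types.
"""
import re
import xml.etree.ElementTree as ET

DEFINITION_XML = """\
<oval_definitions>
  <definitions>
    <definition id="oval:example:def:1" class="vulnerability">
      <criteria operator="AND">
        <criterion test_ref="oval:example:tst:1" comment="product is Windows XP"/>
        <criteria operator="OR">
          <criterion test_ref="oval:example:tst:2" comment="library older than the fixed build"/>
          <criterion test_ref="oval:example:tst:3" negate="true" comment="hotfix is NOT installed"/>
        </criteria>
      </criteria>
    </definition>
  </definitions>
  <tests>
    <test id="oval:example:tst:1" check="all" object_ref="oval:example:obj:1" state_ref="oval:example:ste:1"/>
    <test id="oval:example:tst:2" check="all" object_ref="oval:example:obj:2" state_ref="oval:example:ste:2"/>
    <test id="oval:example:tst:3" check="all" object_ref="oval:example:obj:3" state_ref="oval:example:ste:3"/>
  </tests>
  <objects>
    <object id="oval:example:obj:1" kind="registry" name="ProductName"/>
    <object id="oval:example:obj:2" kind="file" path="C:\\Windows\\System32\\example.dll"/>
    <object id="oval:example:obj:3" kind="patch" name="EXAMPLE-HOTFIX"/>
  </objects>
  <states>
    <state id="oval:example:ste:1" operation="pattern match" value="^Windows XP"/>
    <state id="oval:example:ste:2" operation="less than" value="5.1.2600.2000"/>
    <state id="oval:example:ste:3" operation="equals" value="installed"/>
  </states>
</oval_definitions>
"""

# Constructed stand-in for an OVAL system-characteristics document: for each
# object id, the collector's flag and the item values it found on the host.
COLLECTED = {
    "oval:example:obj:1": {"flag": "complete", "values": ["Windows XP Professional"]},
    "oval:example:obj:2": {"flag": "complete", "values": ["5.1.2600.1106"]},
    "oval:example:obj:3": {"flag": "does not exist", "values": []},
}


def _version_key(v):
    """Compare dotted versions numerically, so that 2.10 sorts after 2.9."""
    return tuple(int(p) for p in v.split("."))


OPERATIONS = {
    "equals": lambda actual, expected: actual == expected,
    "not equal": lambda actual, expected: actual != expected,
    "pattern match": lambda actual, expected: re.search(expected, actual) is not None,
    "less than": lambda actual, expected: _version_key(actual) < _version_key(expected),
    "greater than or equal": lambda actual, expected: _version_key(actual) >= _version_key(expected),
}


def _index(root, tag):
    return {el.get("id"): el for el in root.iter(tag)}


def evaluate_test(test, states, collected):
    """Apply the test's state to the items collected for its object."""
    found = collected.get(test.get("object_ref"))
    if found is None or found["flag"] == "error":
        return "error"          # collection failed: never report this as 'not vulnerable'
    if found["flag"] == "does not exist":
        return "false"          # OVAL default: the object must exist for the test to be true
    state = states[test.get("state_ref")]
    matches = [OPERATIONS[state.get("operation")](v, state.get("value")) for v in found["values"]]
    if test.get("check") == "all":
        return "true" if all(matches) else "false"
    return "true" if any(matches) else "false"      # "at least one"


def evaluate_criteria(node, tests, states, collected):
    """Combine child results with the criteria operator; errors propagate."""
    results = []
    for child in node:
        if child.tag == "criterion":
            r = evaluate_test(tests[child.get("test_ref")], states, collected)
            if child.get("negate") == "true":
                r = {"true": "false", "false": "true"}.get(r, r)   # negation leaves 'error' alone
        else:
            r = evaluate_criteria(child, tests, states, collected)
        results.append(r)
    if node.get("operator", "AND") == "AND":
        if "false" in results:
            return "false"
        return "error" if "error" in results else "true"
    if "true" in results:
        return "true"
    return "error" if "error" in results else "false"


def evaluate_definition(xml_text, collected, definition_id):
    root = ET.fromstring(xml_text)
    tests, states = _index(root, "test"), _index(root, "state")
    definition = _index(root, "definition")[definition_id]
    return evaluate_criteria(definition.find("criteria"), tests, states, collected)


if __name__ == "__main__":
    print(evaluate_definition(DEFINITION_XML, COLLECTED, "oval:example:def:1"))
```

In a control-center/agent deployment of the kind the abstract describes, the agent's job is only to produce the COLLECTED record for the objects named in the definitions; the comparison against states and the criteria logic can run centrally, which is what keeps the definitions vendor-neutral and the verdict reproducible.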