Analysis and Study of the Factors Influencing the Propagation Situation of Network Security Incidents
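Abstract
With the growth and widespread use of networks, the Internet is full of security incidents. Network attacks are becoming faster, larger in scale, and more automated. Situational awareness of network security incidents, and an understanding of how such incidents propagate through a network, is therefore of great importance.
     Starting from the propagation process of network security incidents, this paper analyzes their propagation situation and identifies three major factors that influence it: host vulnerabilities, the attack characteristics of the security incident, and the underlying environment. Differences in host vulnerabilities affect the probability that a host is infected, so the distribution of host vulnerabilities across a network affects how an incident propagates. Different attack methods give security incidents different properties, which show up as differences in the propagation situation. The underlying environment includes topology, routing policy, network bandwidth, network delay, and so on, and changes in it also affect the propagation situation. The effect of differing topological properties on the propagation of network security incidents is often overlooked; this paper treats it in some depth and extracts several characteristic indicators that describe the topology and influence propagation.
     Having extracted the factors that influence the propagation situation, this paper takes worms as an example of a security incident and uses the NS-2 simulator to simulate worm outbreaks under different influencing factors, verifying and analyzing the effect of each factor.
     Taking all of the above factors into account, this paper finally proposes a characteristic parameter, the Security Situation Transmission Parameter, to describe the propagation situation of different security incidents, gives its formal formula, and discusses its application in analyzing the propagation situation of network security incidents.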
With the development and application of networks, the Internet is flooded with a large number of security incidents. Network attacks are increasingly rapid and their scale is becoming larger and larger. The degree of automation has also been growing. It is of great significance to gain situation awareness of network security incidents and to understand their propagation characteristics.
     Starting from the propagation process of network security incidents, we study the propagation situation and identify three major factors that affect the spread of security incidents: host vulnerabilities, the attack mode of the security incident and the environmental characteristics. Hosts with different vulnerabilities have different infection probabilities, so the distribution of vulnerable hosts in a network affects the spread of security incidents. Different modes of attack give security incidents different characteristics, and their behavior in the spread differs accordingly. The basic environment includes topology, routing strategy, network bandwidth, network delay, etc. Changes in the environment also have an impact on the spread. The impact of topological characteristics is often overlooked. This paper gives a more in-depth exposition of topological characteristics and extracts several attributes to describe their impact.
     This paper uses worms as an example of a security incident. After extracting the influencing factors, we use the NS-2 simulator to simulate worm behavior in order to test and analyse the influence of the different factors.
     Considering the above factors, this paper puts forward a characteristic parameter to describe the spread features, called the Security Situation Transmission Parameter. We give its formal formula and then discuss the application of the parameter in the analysis of the propagation situation of network security incidents.
