中国科学院软件研究所机构知识库
Advanced  
ISCAS OpenIR  > 中科院软件所  > 中科院软件所
题名:
软件脆弱性的检测、分类与建库
作者: 周武
答辩日期: 1999
专业: 计算机应用
授予单位: 中国科学院软件研究所
授予地点: 中国科学院软件研究所
学位: 博士
关键词: 安全威胁 ; 脆弱性 ; 拒绝服务攻击 ; 保密性 ; 完整性 ; 可用性 ; 脆弱性检测 ; 脆弱性分类 ; 弱点数据库
摘要: 计算机和通信技术的发展大大地推动了网络的应用范围,如电子商务、电子政务、金融虚拟社区等。但随之而来的安全性问题也与日俱增。系统面临的安全威胁主要来自以下几个方面:外部黑客的攻击;内部人员作案;拒绝服务攻击等。来自这些方面的安全威胁给系统的保密性、完整性以及服务的可用性都造成了极大的危害,也严重地影响着计算机与通信技术的进一步应用与发展。本文首先对几种主要的威胁进行了详细的分析,包括外部黑客的攻击、内部人员作案以拒绝服务攻击。在这些分析中,我们发现所有这些安全威胁之所以能够成功都于:它们利用了系统中存在的某种脆弱性。也就是说,系统中脆弱性的存在是系统受到各种安全威胁的根源,而保护计算机系统免遭安全危害的重点也就在于:研究各种脆弱性的前因后果,在这些分析工作的基础上,结合具体的工程实践,本文进一步描述了我们在软件脆弱性研究方面的一些成果与体会,主要包括软件脆弱性的检测、分类以及弱点数据库存的建设。脆弱性检测技术的目的在于:在攻击者发现并利用本系统的脆弱性之前检测出本系统的脆弱性,并设法修补。在对其它脆弱性检测产品(如ISS、SATAN)进行分析的基础上,我们设计了自己的脆弱性检测系统:ERCIST 安全检测系统。对各种软件脆弱性进行分类可以降低研究的复杂性,从繁杂的脆弱性表现形式以及手法多变的攻击方式中提取共性。在对各种软件脆弱性进行分类的基础上,我们可以建立弱点数据库以存储各种脆弱性信息,基于弱点数据库我们可能设计出更有效的安全产品。本文讨论了一个实际的弱点数据库的初步设计。
英文摘要: With the development of computer and communication technology, the application fields of computer network is widely expanded and new applications, such as electronic commerce, electronic government and virtual community, emerge. However, the security issues become more and more as well. The security threats our system faced come mainly from virus, denial of service, and the attack of hacker and insider. These threats compromise the confidentiality, integrity of the system and availability of services, and hinder enormously the further development and application of computer and communication technology. This dissertation analyses the main threats our system faced, including denial of service, the attack from hacker and insider. From these analyses, we get a conclusion that the origin of these security threats comes from the vulnerability in the system. Accordingly, the methods of protecting our system from these threats lie in analysising the cause and effect of these vulnerabilities from multi-view and apply varied security measure in accordance with varied vulnerabilities. Based on these analyses and the concrete engineering practices in our center, this dissertation describe further the effort in this field, including the detection of the vulnerabilities in the system, the classification of varied vulnerabilities, and the building of a vulnerability database. The vulnerabilities detection technology can detect the vulnerabilities in the system before the intruder exploit them, and fix or patch can be given afterward. We analysis the character of various vulnerability detection software, such as ISS and SATAN, and build our own vulnerability system, whose name is ERCIST vulnerability detector. Vulnerability classification can abstract common feature from much varied vulnerabilities and reduce the complexity of the study. Based on the classification of vulnerabilities, we build a vulnerability database to store all kinds of vulnerabilities, and based on this database we could find more efficient defensive mechanism. This dissertation describes the building of a vulnerability database.
语种: 中文
内容类型: 学位论文
URI标识: http://ir.iscas.ac.cn/handle/311060/7260
Appears in Collections:中科院软件所

Files in This Item:
File Name/ File Size Content Type Version Access License
LW002869.pdf(2524KB)----限制开放-- 联系获取全文

Recommended Citation:
周武. 软件脆弱性的检测、分类与建库[D]. 中国科学院软件研究所. 中国科学院软件研究所. 1999-01-01.
Service
Recommend this item
Sava as my favorate item
Show this item's statistics
Export Endnote File
Google Scholar
Similar articles in Google Scholar
[周武]'s Articles
CSDL cross search
Similar articles in CSDL Cross Search
[周武]‘s Articles
Related Copyright Policies
Null
Social Bookmarking
Add to CiteULike Add to Connotea Add to Del.icio.us Add to Digg Add to Reddit
所有评论 (0)
暂无评论
 
评注功能仅针对注册用户开放,请您登录
您对该条目有什么异议,请填写以下表单,管理员会尽快联系您。
内 容:
Email:  *
单位:
验证码:   刷新
您在IR的使用过程中有什么好的想法或者建议可以反馈给我们。
标 题:
 *
内 容:
Email:  *
验证码:   刷新

Items in IR are protected by copyright, with all rights reserved, unless otherwise indicated.

 

 

Valid XHTML 1.0!
Copyright © 2007-2017  中国科学院软件研究所 - Feedback
Powered by CSpace