Network Vulnerability Evaluation Model Based on Environment Factors and Attack Ability
Alternative title: Network Vulnerability Evaluation Model Based-on Environment Factor and Attack Ability
Zhang Haixia (张海霞)
2008-01-14
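Degree-granting institution: Institute of Software, Chinese Academy of Sciences
Degree: Doctoral
Place of degree conferral: Institute of Software
Keywords: vulnerability evaluation; Security State Graph; Destroy Value of Environment; Threat Value of Attack; Security State Region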
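Abstract: As networks continue to grow in scale, application services become increasingly widespread, and the number of users rises year by year, networks have permeated every aspect of people's lives. Because decentralized resource management, weak security awareness and a lack of protective measures are common, network systems face a severe security situation. Vulnerability evaluation techniques can effectively analyze the exploitation paths of network vulnerabilities and their likelihood, produce a quantitative assessment of a network's security posture, and guide us toward the greatest security return for the smallest remediation cost. Vulnerability evaluation has therefore gradually become a research focus in network security. Building on a survey and analysis of existing vulnerability evaluation methods, this dissertation proposes a network vulnerability evaluation model based on environment factors and attack ability. It first defines the core elements of network security state, including environment factors and attack ability, together with related concepts, and describes how to model vulnerability-related elements such as host information, connectivity relationships, attacker information and security states. Taking the modeled parameters of the network elements as input, and accounting for changes in the network environment and growth in attack ability, it proposes a generation algorithm for the security state graph; by bounding the length of attack paths, the algorithm produces a network security state graph of controllable size and good completeness, from which the network's potential vulnerability exploitation paths are obtained. On this basis, drawing on the asset identification method used in risk assessment, it introduces the concepts of the security state region and its tendency index; using the generated security state graph, it evaluates vulnerabilities quantitatively based on environment factors and attack ability, and measures security at different stages of an attack by taking into account the transitions of network state during the attack. Finally, the dissertation validates the applicability and effectiveness of the proposed model through a vulnerability evaluation of an example network. The network vulnerability evaluation model helps locate the key vulnerabilities of a target system and their quantitative evaluation scale; through the security characteristics the target system exhibits at different stages of an attack, it lets us keep track of the network's dynamic security status and provides a reference for security policy formulation, situation analysis and trend prediction for network systems.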
Alternative abstract: With the constant growth of network scale, the increasing popularity of application services, and the year-by-year rise in the number of users, networks have reached every corner of people's lives. Because of decentralized network resource management, weak user security awareness and a lack of defensive means, network systems face a tough security situation. Vulnerability evaluation can help us analyze the exploit paths of vulnerabilities and their likelihood, and evaluate network security quantitatively. The result of vulnerability evaluation can guide us to obtain the greatest security return at the smallest fixing cost. Vulnerability evaluation has become a hot topic in the field of network security. On the basis of a survey and analysis of existing methods, this dissertation proposes a new network vulnerability evaluation model based on environment factors and attack ability. First, it gives the core factors of network security state, including environment factors and attack ability, with related definitions, and it describes the corresponding modeling methods for vulnerability-related elements such as host information, connectivity relationships, attacker information and security states. Next, using the models of network elements as input parameters, and according to the factors of network environment change and attack ability growth, a Security State Graph (SSG) generation algorithm is proposed, which generates a scale-controllable and reasonably complete SSG of the target network by limiting the length of attack paths. Based on the SSG and drawing on the asset identification methods used in risk evaluation, the Security State Region (SSR) and the Coefficient of SSR (C_SSR) are defined. Then, considering the Destroy Value of Environment (DVE) and the Threat Value of Attack (TVA), vulnerabilities can be evaluated quantitatively; and by combining the transitions of network state during the attack process, network security can be evaluated in different attack phases. Finally, a complete vulnerability evaluation example is given to validate the applicability and effectiveness of the proposed model. The network vulnerability evaluation model can help us locate the key vulnerabilities of a target system and set a quantitative evaluation scale. Through the security characteristics the target system exhibits in different attack phases, we can keep track of the dynamic security status of the network, which provides a useful reference for security policy making, security situation analysis and security trend prediction.
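Pages: 127
Language: Chinese
Content type: Thesis
URI: http://ir.iscas.ac.cn/handle/311060/5612
Collection: Institute of Software, Chinese Academy of Sciences
Recommended citation
GB/T 7714
Zhang Haixia. Network Vulnerability Evaluation Model Based on Environment Factors and Attack Ability [D]. Institute of Software. Institute of Software, Chinese Academy of Sciences, 2008.
Files in this item
File name/size; document type; version type; access type; license
10001_20041801502907 (7494KB); access type: restricted (full text available on request)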