Institutional Repository
| 软件脆弱性的检测、分类与建库 | |
| 周武 | |
| Major | 计算机应用 |
| 1999 | |
| Degree Grantor | 中国科学院软件研究所 |
| Degree Level | 博士 |
| Place of Degree Grantor | 中国科学院软件研究所 |
| Keyword | 安全威胁 脆弱性 拒绝服务攻击 保密性 完整性 可用性 脆弱性检测 脆弱性分类 弱点数据库 |
| English Abstract | 计算机和通信技术的发展大大地推动了网络的应用范围,如电子商务、电子政务、金融虚拟社区等。但随之而来的安全性问题也与日俱增。系统面临的安全威胁主要来自以下几个方面:外部黑客的攻击;内部人员作案;拒绝服务攻击等。来自这些方面的安全威胁给系统的保密性、完整性以及服务的可用性都造成了极大的危害,也严重地影响着计算机与通信技术的进一步应用与发展。本文首先对几种主要的威胁进行了详细的分析,包括外部黑客的攻击、内部人员作案以拒绝服务攻击。在这些分析中,我们发现所有这些安全威胁之所以能够成功都于:它们利用了系统中存在的某种脆弱性。也就是说,系统中脆弱性的存在是系统受到各种安全威胁的根源,而保护计算机系统免遭安全危害的重点也就在于:研究各种脆弱性的前因后果,在这些分析工作的基础上,结合具体的工程实践,本文进一步描述了我们在软件脆弱性研究方面的一些成果与体会,主要包括软件脆弱性的检测、分类以及弱点数据库存的建设。脆弱性检测技术的目的在于:在攻击者发现并利用本系统的脆弱性之前检测出本系统的脆弱性,并设法修补。在对其它脆弱性检测产品(如ISS、SATAN)进行分析的基础上,我们设计了自己的脆弱性检测系统:ERCIST 安全检测系统。对各种软件脆弱性进行分类可以降低研究的复杂性,从繁杂的脆弱性表现形式以及手法多变的攻击方式中提取共性。在对各种软件脆弱性进行分类的基础上,我们可以建立弱点数据库以存储各种脆弱性信息,基于弱点数据库我们可能设计出更有效的安全产品。本文讨论了一个实际的弱点数据库的初步设计。 |
| Abstract | With the development of computer and communication technology, the application fields of computer network is widely expanded and new applications, such as electronic commerce, electronic government and virtual community, emerge. However, the security issues become more and more as well. The security threats our system faced come mainly from virus, denial of service, and the attack of hacker and insider. These threats compromise the confidentiality, integrity of the system and availability of services, and hinder enormously the further development and application of computer and communication technology. This dissertation analyses the main threats our system faced, including denial of service, the attack from hacker and insider. From these analyses, we get a conclusion that the origin of these security threats comes from the vulnerability in the system. Accordingly, the methods of protecting our system from these threats lie in analysising the cause and effect of these vulnerabilities from multi-view and apply varied security measure in accordance with varied vulnerabilities. Based on these analyses and the concrete engineering practices in our center, this dissertation describe further the effort in this field, including the detection of the vulnerabilities in the system, the classification of varied vulnerabilities, and the building of a vulnerability database. The vulnerabilities detection technology can detect the vulnerabilities in the system before the intruder exploit them, and fix or patch can be given afterward. We analysis the character of various vulnerability detection software, such as ISS and SATAN, and build our own vulnerability system, whose name is ERCIST vulnerability detector. Vulnerability classification can abstract common feature from much varied vulnerabilities and reduce the complexity of the study. Based on the classification of vulnerabilities, we build a vulnerability database to store all kinds of vulnerabilities, and based on this database we could find more efficient defensive mechanism. This dissertation describes the building of a vulnerability database. |
| Pages | 39 |
| Language | 中文 |
| Content Type | 学位论文 |
| URI | http://ir.iscas.ac.cn/handle/311060/7260 |
| Collection | 中科院软件所_中科院软件所 |
| Recommended Citation GB/T 7714 | 周武. 软件脆弱性的检测、分类与建库[D]. 中国科学院软件研究所. 中国科学院软件研究所,1999. |
| Files in This Item: | ||||||
| File Name/Size | DocType | Version | Access | License | ||
| LW002869.pdf(2524KB) | 限制开放 | -- | Application Full Text | |||
Items in the repository are protected by copyright, with all rights reserved, unless otherwise indicated.
Edit Comment