Chinese Journal of Network and Information Security ›› 2018, Vol. 4 ›› Issue (4): 48-55. doi: 10.11959/j.issn.2096-109x.2018031

• Academic Paper •

Host security threat analysis approach for network dynamic defense (original title in Chinese: 网络动态防御体系下主机安全威胁分析方法)

Lixun LI1,2, Bin ZHANG1,2, Shuqin DONG1,2

  1. Information Engineering University, Zhengzhou 450001, Henan, China
  2. Henan Province Information Security Key Laboratory, Zhengzhou 450001, Henan, China
  • Revised: 2018-03-28  Online: 2018-04-01  Published: 2018-05-30
  • About the authors: Lixun LI (1994-), male, from Dujiangyan, Sichuan; master's student at Information Engineering University; main research interest: moving target defense. | Bin ZHANG (1969-), male, from Zhengzhou, Henan; professor and doctoral supervisor at Information Engineering University; main research interest: cyberspace security. | Shuqin DONG (1990-), male, from Xingtai, Hebei; doctoral student at Information Engineering University; main research interest: cyberspace situational awareness.
  • Supported by:
    The Foundation and Frontier Technology Research Project of Henan Province (2014302903); Information Protection Technology Key Laboratory Open Fund Project (KJ-15-109); New Research Direction Cultivation Fund of Information Engineering University (2016604703)

Host security threat analysis approach for network dynamic defense

Lixun LI1,2, Bin ZHANG1,2, Shuqin DONG1,2

  1. Information Engineering University, Zhengzhou 450001, China
  2. Henan Province Information Security Key Laboratory, Zhengzhou 450001, China
  • Revised: 2018-03-28  Online: 2018-04-01  Published: 2018-05-30
  • Supported by:
    The Foundation and Frontier Technology Research Project of Henan Province (2014302903); Information Protection Technology Key Laboratory Open Fund Project (KJ-15-109); New Research Direction Cultivation Fund of Information Engineering University (2016604703)

Abstract (translated from the Chinese):

Analyzing host security threats under a network dynamic defense (NDD) architecture must account for the uncertainty that dynamic mutation introduces into host vulnerabilities. To this end, first, a random sampling model is used to quantify the uncertainty that the NDD mutation period and mutation space introduce into host vulnerabilities, and this is combined with the Common Vulnerability Scoring System (CVSS) to compute an attacker's success probability against a single vulnerability. Second, to avoid self-loops when searching attack paths in the multi-vulnerability case, a node-visited queue is introduced and an improved recursive depth-first attack path search algorithm is proposed. Then, the host security threat degree for the multi-vulnerability, multi-path case is computed from the obtained per-vulnerability attack success probabilities. Finally, experiments in a typical NDD environment verify the availability and effectiveness of the approach.

Keywords (translated from the Chinese): cyber security, network dynamic defense, host security threat analysis, attack success probability, attacker privilege transfer graph

Abstract:

Calculating the host security threat in a network dynamic defense (NDD) situation has to consider the vulnerabilities' uncertainty caused by dynamic mutation. Firstly, the vulnerabilities' uncertainty caused by the mutation space and the mutation period was calculated by a random sampling model and, combined with the CVSS, the attack success probability formula of a single vulnerability was derived. Secondly, to avoid self-loops during the path searching process in the multiple-vulnerability situation, an improved recursive depth-first algorithm combined with a node visited queue was proposed. Then, the host security threat was calculated based on attack success probability in the situation of multiple vulnerabilities and paths. Finally, the approach's availability and effectiveness were verified by an experiment conducted in a typical NDD situation.

Key words: cyber security, network dynamic defense, host security threat analysis, attack success probability, attacker privilege transfer graph
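The abstract describes a three-stage pipeline: discount a CVSS-based per-vulnerability success probability by the chance that NDD mutation has invalidated the attacker's view of the host, enumerate attack paths on a privilege transfer graph with a recursive DFS that carries a visited queue so cyclic graphs cannot produce self-loops, and aggregate path probabilities into a host threat degree. The Python below is an added illustration of that pipeline written for this page; it is not the paper's code, and the paper's actual formulas are not reproduced here. The survival model (uniform redraw of one configuration out of `space` choices every `period`), the choice of max-over-paths as the aggregation, the sample graph, and all CVSS exploitability scores and attack times are constructed assumptions.

```python
from dataclasses import dataclass
from typing import Dict, List, Tuple


@dataclass(frozen=True)
class Vuln:
    """One exploitable vulnerability that moves the attacker between privilege nodes."""
    vid: str
    exploitability: float  # CVSS exploitability subscore on the 0..10 scale (constructed values below)
    attack_time: float     # assumed time needed to exploit it, in the same unit as the mutation period


# Attacker privilege transfer graph: src node -> [(dst node, vulnerability), ...]
Graph = Dict[str, List[Tuple[str, Vuln]]]


def survival_probability(attack_time: float, period: float, space: int) -> float:
    """Assumed random-sampling model (not the paper's formula).

    Every `period` time units the defender redraws one configuration uniformly from `space`
    candidates. The exploit only works against the configuration the attacker scouted, so it
    still applies if no mutation fell inside the attack window, or if one did and the same
    configuration was drawn again.
    """
    if not 0 <= attack_time <= period or space < 1:
        raise ValueError("attack_time must lie within one period and space must be >= 1")
    no_mutation = (period - attack_time) / period
    mutation_but_same_config = (attack_time / period) * (1.0 / space)
    return no_mutation + mutation_but_same_config


def single_success_probability(v: Vuln, period: float, space: int) -> float:
    """CVSS exploitability scaled to [0, 1], discounted by the NDD survival probability."""
    return (v.exploitability / 10.0) * survival_probability(v.attack_time, period, space)


def enumerate_paths(graph: Graph, start: str, target: str) -> List[List[Vuln]]:
    """Recursive DFS with a visited queue: a node already on the path under construction is never
    re-entered, which is what prevents self-loops on cyclic privilege graphs."""
    paths: List[List[Vuln]] = []

    def dfs(node: str, visited: List[str], path: List[Vuln]) -> None:
        if node == target:
            paths.append(list(path))
            return
        for dst, v in graph.get(node, []):
            if dst in visited:          # back edge: skip instead of looping forever
                continue
            visited.append(dst)
            path.append(v)
            dfs(dst, visited, path)
            path.pop()
            visited.pop()               # leave the queue as we found it for the sibling branch

    dfs(start, [start], [])
    return paths


def path_probability(path: List[Vuln], period: float, space: int) -> float:
    """Assumes the steps of one path succeed independently, so the path probability is the product."""
    p = 1.0
    for v in path:
        p *= single_success_probability(v, period, space)
    return p


def host_threat(graph: Graph, start: str, target: str, period: float, space: int
                ) -> Tuple[float, List[Tuple[List[str], float]]]:
    """Host threat degree, taken here as the success probability of the most likely attack path
    (an assumed aggregation; it returns the per-path breakdown so other choices can be applied)."""
    scored = [([v.vid for v in path], path_probability(path, period, space))
              for path in enumerate_paths(graph, start, target)]
    threat = max((p for _, p in scored), default=0.0)
    return threat, scored


# Constructed sample graph with two back edges that would trap a naive DFS in a cycle.
SAMPLE_GRAPH: Graph = {
    "internet": [("web_user", Vuln("V1", 10.0, 20.0))],
    "web_user": [("app_user", Vuln("V2", 5.0, 50.0)),
                 ("db_root", Vuln("V5", 2.0, 0.0)),
                 ("internet", Vuln("V1", 10.0, 20.0))],   # back edge
    "app_user": [("db_root", Vuln("V3", 8.0, 25.0)),
                 ("web_user", Vuln("V4", 3.0, 10.0))],    # back edge
    "db_root": [],
}

if __name__ == "__main__":
    threat, breakdown = host_threat(SAMPLE_GRAPH, "internet", "db_root", period=100.0, space=10)
    for ids, p in breakdown:
        print(" -> ".join(ids), f"{p:.4f}")
    print("host threat degree:", f"{threat:.4f}")
```

With a mutation period of 100 and a mutation space of 10, the search returns exactly two simple paths (V1-V2-V3 and V1-V5) despite the two back edges; the longer path scores 0.82 x 0.275 x 0.62 = 0.1398 and the shorter one 0.82 x 0.2 = 0.164, so the host threat degree under the max-over-paths choice is 0.164. Shrinking the mutation period relative to the attack times drives the survival factor towards 1/space, which is the effect NDD is meant to have on a defended host.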
