Chinese Journal of Network and Information Security ›› 2018, Vol. 4 ›› Issue (9): 1-16. doi: 10.11959/j.issn.2096-109x.2018072

• Review •

Survey of attack graph based network security metric

Hao HU¹˒², Yuling LIU³, Yuchen ZHANG¹˒², Hongqi ZHANG¹˒²

  1. The Third Institute, Information Engineering University, Zhengzhou 450001, China
  2. Henan Key Laboratory of Information Security, Zhengzhou 450001, China
  3. Trusted Computing and Information Assurance Laboratory, Institute of Software, Chinese Academy of Sciences, Beijing 100190, China
  • Revised: 2018-08-10 Online: 2018-09-15 Published: 2018-10-15
  • About the authors: Hao HU (born 1989), male, from Chizhou, Anhui, is a PhD candidate at Information Engineering University; his main research interests are network security situational awareness and image secret sharing. | Yuling LIU (born 1982), male, from Jiyang, Shandong, holds a PhD and is an associate researcher at the Institute of Software, Chinese Academy of Sciences; his main research interest is network security situational awareness. | Yuchen ZHANG (born 1977), male, from Zhengzhou, Henan, holds a PhD and is an associate professor and master's supervisor at Information Engineering University; his main research interests are risk assessment, situational awareness and cryptography management. | Hongqi ZHANG (born 1962), male, from Zunhua, Hebei, holds a PhD and is a professor and doctoral supervisor at Information Engineering University; his main research interests are network security, risk assessment, classified protection and information security management.
  • Supported by:
    The National High Technology Research and Development Program of China (863 Program) (2015AA016006); The National Key Research and Development Program of China (2016YFF0204002); The National Key Research and Development Program of China (2016YFF0204003); The Science and Technology Leading Talent Project of Zhengzhou (131PLJRC644); The Equipment Pre-research Foundation During the 13th Five-Year Plan Period (6140002020115); The CCF-Venus Hongyan Research Plan (2017003)

Abstract:

One of the main challenges of network security metrics is how to accurately identify the way intruders exploit the dependencies between vulnerabilities to propagate threats in the target network system, and how to quantify the potential impact on that system. Because of its superior visualization capability, the attack graph is one of the effective ways to solve this problem. First, the concept, development history and general metric models of security metrics are introduced. Second, related research on attack graph construction, classification and application is discussed. Third, a hierarchical security metric framework based on attack graphs is proposed, and existing network security metric methods are summarized at three levels: key "point", attack "line" and situation "plane". Finally, the difficult issues and development trends of current research are discussed.

Key words: network security metric, attack graph, security vulnerability, alert analysis, quantitative assessment

CLC number: