Chinese Journal of Network and Information Security, 2018, Vol. 4, Issue (4): 1-11. doi: 10.11959/j.issn.2096-109x.2018019
Comprehensive Reviews
Wenyan LIU,Shumin HUO,Qing TONG,Miao ZHANG,Chao QI
Revised: 2018-01-09
Online: 2018-04-01
Published: 2018-05-30
Wenyan LIU,Shumin HUO,Qing TONG,Miao ZHANG,Chao QI. Research on models of network security evaluation and analysis[J]. Chinese Journal of Network and Information Security, 2018, 4(4): 1-11.
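Phase | Detect | Deny | Disrupt | Degrade | Deceive | Destroy |
Reconnaissance | Web analytics | Firewall | MTD | Redirection | Honeypot | — |
ACL | Mimic defense | Honeypot | Mimic defense | |||
Weaponization | NIDS | NIPS | — | — | Honeypot | — |
Mimic defense | ||||||
Delivery | Vigilant user | Proxy filter | Antivirus | Queuing | Honeypot | — |
MTD | Mimic defense | |||||
Mimic defense | ||||||
Exploitation | HIDS | Patch | Data execution prevention | Restrict account privileges | Honeypot | — |
MTD | Mimic defense | |||||
Mimic defense | ||||||
Installation | HIDS | ‘chroot’ jail | Antivirus | — | Honeypot | — |
MTD | Mimic defense | |||||
Mimic defense | ||||||
Command and control | NIDS | Firewall | NIPS | SinkHole | DNS redirection | — |
ACL | MTD | SinkHole | ||||
Mimic defense | Honeypot | |||||
Mimic defense | ||||||
Actions | Log auditing | Trusted computing | MTD | Quality of service | Honeypot | Intrusion tolerance |
Intrusion tolerance | Mimic defense | Intrusion tolerance | Mimic defense | Mimic defense | ||
Mimic defense | Mimic defense | |||||
Trusted computing |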
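
Model | Qualitative or quantitative | Applicable domain | Features and advantages | Shortcomings |
Attack tree | Quantitative | Suited to describing the process of attacking a system; can be used to infer the security threats the system faces | Intuitively shows and helps analyze the risks present in the system; easy to understand | Hard to describe large, complex, dynamic network defense systems flexibly and effectively; state-space explosion |
Attack graph | Quantitative | Suited to describing the vulnerabilities in a network or information system and the relationships among them | Intuitively shows the possible attack paths by which an attacker exploits the target network's vulnerabilities; can automatically discover unknown system vulnerabilities and the relationships among them, and so assess the system's risks comprehensively | State-space explosion; unsuited to modeling and analyzing concurrent and cooperative attack processes |
Attack chain | Qualitative | Suited to modeling the attack process | Describes the general attack process in fair detail from the chain perspective, helping defenders devise targeted defenses | Describes only the attack; lacks means of quantification |
Attack surface | Qualitative | Suited to comparing the security of software systems across versions and configurations | Evaluation is independent of the system's specific implementation and depends only on its design and inherent properties | Qualitative only and relative; systems of different types are hard to measure and compare rigorously; does not consider attacker capability, etc. |
Network epidemic model | Quantitative | Suited to analyzing and controlling the spread of computer viruses over networks | Enables analysis and evaluation of the network system as a whole | Highly abstract; gives insufficient consideration to the particularities of individual nodes |
Petri net | Quantitative | Suited to describing network attack-defense systems that exhibit Petri net characteristics (such as concurrency, synchronization and conflict) | Intuitive graphical representation, rigorous mathematical foundation, dedicated visual simulation and modeling tools | State-space explosion; hard to describe systems that lack Petri net characteristics |
Automaton | Qualitative | Suited to describing network attack-defense systems with state transitions | Models well the network system's operating states and the conditions and process of their dynamic transitions, especially security state transitions caused by security events | Insufficient depiction of attack-defense details such as state-transition conditions, attributes and state summarization; hard to describe complex systems |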