基于随机松弛优选策略的网络脆弱性弥补算法

doi:10.11959/j.issn.1000-436x.2015027

摘要/Abstract

摘要：

为了在大规模网络中构建代价最小的脆弱性弥补方案，提出了一种基于随机松弛优选策略的网络脆弱性弥补算法 (MCNHA-SLOS)，并分析了算法的有效性。MCNHA-SLOS 是一种近似最优算法，通过在全部弥补方案空间的一系列随机松弛子空间中进行迭代计算，使近似最优弥补方案必定落入低代价弥补方案空间中。实例分析和仿真结果表明，MCNHA-SLOS具有高效、精度可控、渐近最优等特点，能够应用于大规模网络环境。

关键词: 网络脆弱性, 攻击图, 网络脆弱性弥补, 随机松弛优选

Abstract:

To construst a minimum-cost network hardening (MCNH) scheme in large-scale network,a stochastic loose optimize strategy based algorithm (MCNHA-SLOS) was proposed,and its effectiveness was analyzed.MCNHA-SLOS was a near-optimal approximation algorithm,which could achieve iterative computations in the array of sparse spaces of the whole plan space,so that the near-optimal scheme must exist in the low cost plan space.Instantiation analysis and experimental results show that the MCNHA-SLOS algorithm to be efficient,precision controllable and asymptotically optimal,and thus very applicable for large-scale network.

Key words: network vulnerability, attack graph, minimum-cost network hardening, stochastic loose optimize strategy

赵光胜,程庆丰,孙永林. 基于随机松弛优选策略的网络脆弱性弥补算法[J]. 通信学报, 2015, 36(1): 237-245.

Guang-sheng ZHAO,Qing-feng CHENG,Yong-lin SUN. Minimum-cost network hardening algorithm based on stochastic loose optimize strategy[J]. Journal on Communications, 2015, 36(1): 237-245.

图/表 14

表1

图1

图2

图3

图4

表2

图5

图6

图7

图8

表3

表4

图9

图10

参考文献 24

[1]	JHA S , SHEYNER O , WING J M . Two formal analyses of attack graphs[A]. Proceedings of 15th IEEE Computer Security Foundations Workshop[C]. 2002.
[2]	NOEL S , JAJODIA S , O'BERRY B , JACOBS M , et al. Efficient minimum-cost network hardening via exploit dependency graphs[A]. Proceedings of 19th Annual Computer Security Applications Conference[C]. 2003.86-95.
[3]	WANG L Y , NOEL S , JAJODIA S . Minimum-cost network hardening using attack graphs[J]. Computer Communications, 2006,29(18): 3812-3824.
[4]	HOMER J , , et al. From Attack Graphs to Automated Configuration Management-An Iterative Approach[R]. Kansas State University Technical Report, 2008.
[5]	SI J Q , ZHANG B , MAN D P , et al. Approach to making strategies for network security enhancement based on attack graphs[J]. Journal on Commurtications, 2009,30(2): 123-128.
[6]	CHEN F , WANG L Y , SU J S . An efficient approach to minimum-cost network hardening using attack graphs[A]. Proceedings of the 4th International Conference on Information Assurance and Security[C]. 2008. 209-212.
[7]	CHEN F , ZHANG Y , SU J S , et al. Two formal analyses of attack graphs[J]. Journal of Software, 2010,21(4): 838-848.
[8]	CHEN F . A Hierarchical Network Security Risk Evaluation Approach Based on Multi-goal Attack Graph[D]. National University of Defense Technology, 2008.
[9]	ALBANESE M , JAJODIA S , NOEL S . Time-efficient and cost- effective network hardening using attack graphs[A]. Proceedings of the 42nd Annual IEEE/IFIP International Conference on Dependable Systems and Networks (DSN)[C]. 2012. 1-12.
[10]	DIAMAH A , MOHAMMADIA M , BALACHANDRAN B . Network security evaluation method via attack graphs and fuzzy cognitive maps[J]. Intelligent Decision Technologies, 2012,16: 433-440.
[11]	SWILER L P , PHILLIPS C , ELLIS D , et al. Computer-attack graph generation tool[A]. Proceedings of DARPA Information Survivability Conference ＆Exposition II[C]. 2001. 307-321.
[12]	SHEYNER O , HAINES J , JHA S , et al. Automated generation and analysis of attack graphes[A]. Proceedings of IEEE Symposium on Security and Privacy[C]. 2002. 273-284.
[13]	SHEYNER O . Scenario Graphs and Attack Graphs[D]. Carnegie Mellon University, 2004.
[14]	AMMANN P , WIJESEKERA D , KAUSHIK S . Scalable,graph-based network vulnerability analysis[A]. Proceedings of the 9th ACM Conference on Computer and Communications Security[C]. 2002. 217-224.
[15]	LIPPMANN R P , et al. An Annotated Review of Past Papers on Attack Graphs[R]. MIT Lincoln Laboratory, 2005.
[16]	LIPPMANN R P , INGOLS K W , SCOTT C , et al. Evaluating and Strengthening Enterprise Network Security Using Attack Graphs[R]. ESC-TR-2005-064,MIT Lincoln Laboratory, 2005.
[17]	OU X M , GOVINDAVAJHALA S , APPEL A W . MulVAL:a logic-based network security analyzer[A]. Proceedings of 14th USENIX Security Symposium[C]. 2005,8.
[18]	OU X M , BOYER W F , MCQUEEN M A . A scalable approach to attack graph generation[A]. Proceedings of 13th ACM conference on Computer and Communications Security[C]. 2006. 336-345.
[19]	CHEN F , TU R , ZHANG Y , et al. Two scalable approaches to analyzing network security using compact attack graphs[A]. Proceedings of International Symposium on Information Engineering and Electronic Commerce[C]. 2009. 90-94.
[20]	CHEN F , SUN J S , HAN W B . AI planning-based approach of attack graph generation[J]. Journal of PLA University of Science and Technology, 2008,9(5): 460-465.
[21]	MAN D P , ZHOU Y , YANG W , et al. Method to generate attack graphs for assessing the overall security of networks[J]. Journal on Commurtications, 2009,30(3): 1-5.
[22]	HOMER J , VARIKUTI A , OU XM , et al. Improving attack graph visualization through data reduction and attack grouping[A]. Proceedings of 5th International Workshop on Visualization for Cyber Security[C]. 2008. 68-79.
[23]	HARBORT Z , LOUTHAN G , HALE J , et al. Techniques for attack graph visualization and interaction[A]. Proceedings of the Seventh Annual Workshop on Cyber Security and Information Intelligence Research[C]. 2011.
[24]	ALHOMIDI M A , REED M J . Attack graphs representations[A]. Proceedings of 4th Computer Science and Electronic Engineering Conference (CEEC)[C]. 2012.83-88.

符号	含义
Plan	弥补方案
Approx-Opt-Plan	近似最优有效弥补方案
Opt-Plan	最优有效弥补方案
Plan-Space	弥补方案空间
Sparse-Space	弥补方案松弛子空间
Valid-Space	有效弥补方案空间
Superior-Space	优势弥补方案空间
Goal-Space	目标弥补方案空间
GeneratePlan()	随机弥补方案产生器
Valid()	弥补方案有效性判定函数
Cost()	弥补方案代价计算函数
N_Sparse	松弛子空间规模
N_iterate	迭代次数
P_Valid	有效比率
P_Superior	优势比率
P_Goal	目标达成概率

Cost(order)	Plan	Cost(order)	Plan	Cost(order)	Plan	Cost(order)	Plan
0(1)	00000	4(9)	11000	6(17)	00110	8(25)	10110
1(2)	00001	4(10)	00101	6(18)	10101	8(26)	01110
2(3)	10000	4(11)	00011	6(19)	10011	8(27)	11101
2(4)	01000	5(12)	10100	6(20)	01101	8(28)	11011
3(5)	00100	5(13)	10010	6(21)	01011	9(29)	10111
3(6)	00010	5(14)	01100	7(22)	11100	9(30)	01111
3(7)	10001	5(15)	01010	7(23)	11010	10(31)	11110
3(8)	01001	5(16)	11001	7(24)	00111	11(32)	11111

N_iterate	实验结果	平均代价	平均时间/s
32	30,12,30,30,30,30,12,30,30,30,10,30,30,30,30,30,30,30,30,30	27.2	0.1
128	11,30,12,10,10,11,30,10,12,10,30,30,11,30,30,11,11,30,30,12	18.55	0.3
512	10,10,10,11,8,30,13,8,10,12,10,11,12,12,11,9,10,9,11,9	11.3	0.95
2 048	9,9,10,9,10,10,8,10,9,9,9,10,10,10,10,8,9,9,10,9	9.35	2.75
8 192	9,8,9,8,9,8,9,8,8,8,8,8,9,9,9,9,9,8,8,8	8.45	7.75

N_Sparse	N_iterate(32)	N_iterate(128)	N_iterate(512)	N_iterate(2 048)	N_iterate(8 192)
N_Sparse(2)	21.7(0.05)	13.25(0.2)	11.05(0.45)	10.2(1)	9.5(2.15)
N_Sparse(4)	22.1(0.05)	14.45(0.2)	11.45(0.6)	9.85(1.5)	9.1(3.1)
N_Sparse(8)	25.7(0.1)	17.7(0.3)	11.1(0.75)	9.6(2.05)	8.75(4.5)
N_Sparse(16)	27.2(0.1)	18.55(0.3)	11.3(0.95)	9.35(2.75)	8.45(7.75)