面向多步攻击的网络安全态势评估方法

doi:10.11959/j.issn.1000-436x.2017021

通信学报 ›› 2017, Vol. 38 ›› Issue (1): 187-198.doi: 10.11959/j.issn.1000-436x.2017021

• 学术通信 • 上一篇

面向多步攻击的网络安全态势评估方法

杨豪璞,邱辉,王坤

信息工程大学三院，河南郑州 450001

修回日期:2016-08-03 出版日期:2017-01-01 发布日期:2017-01-23
作者简介:杨豪璞（1993-），女，福建厦门人，信息工程大学硕士生，主要研究方向为APT攻击防御、博奕理论。|邱辉（1991-），男，河南周口人，信息工程大学硕士生，主要研究方向为网络安全态势感知、数据挖掘。|王坤（1975-），男，河南周口人，信息工程大学副教授，主要研究方向为信息安全、数据分析。
基金资助:
国家自然科学基金资助项目(61303074);国家自然科学基金资助项目(61309013);国家重点基础研究发展计划（“973”计划）基金资助项目(2012CB315900)

Network security situation evaluation method for multi-step attack

Hao-pu YANG,Hui QIU,Kun WANG

The Third Institute,Information Engineering University,Zhengzhou 450001,China

Revised:2016-08-03 Online:2017-01-01 Published:2017-01-23
Supported by:
The National Natural Science Foundation of China(61303074);The National Natural Science Foundation of China(61309013);The National Basic Research Program of China(2012CB315900)

摘要/Abstract

摘要：

为了分析多步攻击对网络系统的影响，准确、全面地反映系统的安全态势，提出一种面向多步攻击的网络安全态势评估方法。首先对网络中的安全事件进行场景聚类以识别攻击者；对每个攻击场景因果关联，识别出相应的攻击轨迹与攻击阶段；建立态势量化标准，结合攻击阶段及其威胁指数，实现对网络安全态势的评估。通过对2个网络攻防实验的测评分析表明，所提出的多步攻击分析方法符合实际应用，评估结果准确、有效。

关键词: 场景聚类, 多步攻击, 安全态势, 量化分析

Abstract:

Aiming at analyzing the influence of multi-step attack,as well as reflecting the system’s security situation accurately and comprehensively,a network security situation evaluation method for multi-step attack was proposed.This method firstly clustered security events into several attack scenes,which was used to identify the attacker.Then the attack path and the attack phase were identified by causal correlation of every scene.Finally,combined with the attack phase as well as the threat index,the quantitative standard was established to evaluate the network security situation.The proposed method is assessed by two network attack-defense experiments,and the results illustrate accuracy and effectiveness of the method.

Key words: scene clustering, multi-step attack, security situation, quantification analysis

中图分类号:

TP393.08

杨豪璞,邱辉,王坤. 面向多步攻击的网络安全态势评估方法[J]. 通信学报, 2017, 38(1): 187-198.

Hao-pu YANG,Hui QIU,Kun WANG. Network security situation evaluation method for multi-step attack[J]. Journal on Communications, 2017, 38(1): 187-198.

图/表 10

图1

图2

图3

表1

表2

图4

表3

图5

图6

图7

参考文献 20

[1]	吴迪, 连一峰, 陈恺 ,等. 一种基于攻击图的安全威胁识别和分析方法[J]. 计算机学报, 2012,35(6): 1938-1950.
	WU D , LIAN Y F , CHEN K ,et al. A security threats identification and analysis method based on attack graph[J]. Chinese Journal of Computers, 2012,35(6): 1938-1950.
[2]	田志宏, 余翔湛, 张宏莉 ,等. 基于证据推理网络的实时网络入侵取证方法[J]. 计算机学报, 2014,37(5): 1184-1194.
	TIAN Z H , YU X Z , ZHANG H L ,et al. A real-time intrusion forensics method based on evidence reasoning network[J]. Chinese Journal of Computer, 2014,37(5): 1184-1194.
[3]	ALHAZMI O H , MALAIYA Y K , RAY I . Measuring,analyzing and predicting security vulnerabilities in software systems[J]. Computers＆ Security, 2007,26(3): 219-228.
[4]	HANNES H , MATHIAS E , DENNIS A . Empirical analysis of system-level vulnerability metrics through actual attacks[J]. IEEE Transactions on Dependable and Secure Computing, 2012,9(6): 825-837.
[5]	ENDSLEY M R , . Design and evaluation for situation awareness enhancement[C]// The Human Factors Society 32nd Annual Meeting. 1988: 97-101.
[6]	BASS T . Intrusion detection systems ＆ multisensory data fusion:creating cyberspace situational awareness[J]. Communications of the ACM, 2000,43(4): 99-105.
[7]	陈秀真, 郑庆华, 管晓宏 ,等. 层次化网络安全威胁态势量化评估方法[J]. 软件学报, 2006,17(4): 885-997.
	CHEN X Z , ZHENG Q H , GUAN X H ,et al. Quantitative hierarchical threat evaluation model for network security[J]. Journal of Software, 2006,17(4): 885-997.
[8]	韦勇, 连一峰, 冯登国 . 基于信息融合的网络安全态势评估模型[J]. 计算机研究与发展, 2009,46(3): 353-362.
[9]	MIRMOEINI F , KRISHNAMURTHY V . Reconfigurable Bayesian networks for hierarchical multi-stage situation assessment in battlespace[C]// The 39th Asilomar Conference on Signals,Systems and Computers. 2005
[10]	徐晓辉, 刘作良 . 基于 D-S 证据理论的态势评估方法[J]. 电光与控制, 2005,12(5): 36-37.
	XU X H , LIU Z L . A method for situation assessment based on D-S evidence theory[J]. Electronics Optics ＆ Control, 2005,12(5): 36-37.
[11]	ZHUO Y , ZHANG Q , GONG Z H . Network situation assessment based on RST[C]// Pacific-Asia Workshop on Computational Indulgence and Industrial Application. 2008: 502-506.
[12]	ZHOU Y , ZHANG Q , GONG Z H . Research and implementation of network transmission situation awareness[C]// WRI World Congress on Computer Science and Information Engineering. 2009: 210-214.
[13]	张勇, 谭笑彬, 崔孝林 ,等. 基于 Markov 博弈模型的网络安全态势感知方法[J]. 软件学报, 2011,22(3): 495-508.
	ZHANG Y , TAN X B , CUI X L ,et al. Network security situation awareness approach based on markov game model[J]. Journal of Software, 2011,22(3): 495-508.
[14]	YEE W , TANSU A , MARIMUTHU P . Security games for risk minization in automatic generation control[J]. IEEE Transactions on Power Systems, 2015,30(1): 223-232.
[15]	吕慧颖, 彭武, 王瑞梅 ,等. 基于时空关联分析的网络安全实时威胁识别与评估[J]. 计算机研究与发展, 2014,51(5): 1039-1049.
	LYU H Y , PENG W , WANG R M ,et al. A real-time network threat recognition and assessment method based on association analysis of time and space[J]. Journal of Computer Research and Development, 2014,51(5): 1039-1049.
[16]	CYRIL O , THOMAS O . Situational awareness in computer network defense principles,methods and applications[M]. Hershey: IGI Global SnippetPress, 2012
[17]	SCHIFFMAN M . Common vulnerability scoring system version 2.0[EB/OL]. .
[18]	FATEMEH K , BEHZAD A . Automatic learning of attack behavior patterns using Bayesian networks[C]// 6th International Symposium on Telecommunications (IST’2012). 2012: 999-1004
[19]	MIT LINCOLN LABORATORY. 2000 DARPA intrusion detection scenario specific data sets[EB/OL]. .
[20]	DEFCON Capture the flag traffic dump[EB/OL]. .

脆弱性信息	Mill	Pascal	Locke	www.af.mil
ICMP非法配置	√	√	√
SunRPC非法配置	√	√	√
Sadmind缓存区溢出(CVE-1999-0977)	√	√	√
RCP非法配置	√	√	√
SYN泛洪(CVE-1999-0116)				√
HINFO Query非法配置	√
FTP非法配置	√	√	√

攻击手段	利用漏洞	威胁值
IP扫描	ICMP非法配置	1
Sadmind Ping	SunRPC非法配置	2
Daemon安装	Sadmind 缓存区溢出(CVE-1999-0977)	10
Sadmind Exploit	RCP非法配置	4
DDoS	SYN泛洪(CVE-1999-0116)	10

时间	攻击状态	Mill	Locke	Pascal	www.af.mil	SA
09:51～09:52	阶段1	0.917	0.917	0.917	0	0.458 5
10:07～10:17	阶段2	0.918	0.918	0.918	0	0.733 9
10:33～10:35	阶段3	0.95	0.95	0.96	0	2.163 9
10:50	阶段4	0.94	0.94	0.94	0	2.727 9
11:27	阶段5	0	0	0	0.96	3.687 9

面向多步攻击的网络安全态势评估方法

Network security situation evaluation method for multi-step attack

在线阅读

PDF下载

可视化

被引次数

摘要/Abstract

引用本文

使用本文

图/表 10

参考文献 20

相关文章 6

Metrics

推荐阅读 0

[1]	张玲翠, 许瑶冰, 李凤华, 房梁, 郭云川, 李子孚. 天地一体化信息网络安全动态赋能架构[J]. 通信学报, 2021, 42(9): 87-95.
[2]	杨宏宇,张旭高. 基于自修正系数修匀法的网络安全态势预测[J]. 通信学报, 2020, 41(5): 196-204.
[3]	琚安康,郭渊博,李涛,叶子维. 基于网络通信异常识别的多步攻击检测方法[J]. 通信学报, 2019, 40(7): 57-66.
[4]	胡浩,叶润国,张红旗,杨英杰,刘玉岭. 基于攻击预测的网络安全态势量化方法[J]. 通信学报, 2017, 38(10): 122-134.
[5]	梅海彬,龚俭,张明华. 基于警报序列聚类的多步攻击模式发现研究[J]. 通信学报, 2011, 32(5): 63-69.
[6]	黎筱彦,王清贤,杨林. 网络安全态势指标体系及可视化技术研究[J]. 通信学报, 2011, 32(11A): 109-118.