在线监测的路由器安全威胁态势量化评估方法

doi:10.3969/j.issn.1000-436x.2013.11.008

Abstract

Abstract:

The concept of router safety performance was proposed based on the nature of router security issues and router attacks were classified. Then a method for router online security risk assessment quantification was also presented.The security risk factor of service decline was calculated by router bandwidth consumption and average CPU usage and the security risk factor of privilege escalation was calcu ated by the possibility of threat occurrence and severity based on the router attack classification. The router security threat status was evaluated combining weighting the importance of router and the security risk factor. The experiment results show the method is effective in calculating the quantitive risk of the router and helpful for administrators to assess security risks.

Key words: router security, threat situation, online monitoring, risk assessment

Jun-gang YANG,Li LIANG,Gu-jing LIU,Qian ZHANG,Chang-qing ZHANG. Method for router online security risk assessment quantification[J]. Journal on Communications, 2013, 34(11): 59-70.

Figures/Tables 22

References 23

[1]	龙门，夏靖波，张子阳等. 节点相关的隐马尔可夫模型的网络安全评估[J]. 北京邮电大学学报, 2010,33 (6): 121-124. LONG M , XIA J B , ZHANG Z Y , et al. Network security assessment based on node correlated HMM[J]. Journal of Beijing Un versity of Posts and Telecommunications, 2010,33 (6): 121-124.
[2]	张保稳，罗铮，薛质等. 基于全局权限图的网络风险评估模型[J]. 上海交通大学学报, 2010,44 (9): 1197-1200. ZHANG B W , LUO Z , XUE Z , et al. A network risk assessment model based on network global priviliege graph[J]. Journal o Shanghai Jiao-tong University, 2010,44 (9): 1197-1200.
[3]	STIJN V C . Threat Modeling for Web Application Using the STRIDE Model[D]. London: Royal Holloway University of London, 2004.
[4]	付钰，吴晓平，叶清 . 基于改进FAHP-BN的信息系统安全态势评估方法[J]. 通信学报, 2009,30 (9): 135-140. FU Y , WU X P , YE Q . Approach for information systems security situ-ation evaluation using improved FAHP and Bayesian network[J]. Journal on Communications, 2009,30 (9): 135-140.
[5]	NGUYEN H V , CHOI Y . Proactive detection of DdoS attacks utilizing k-NN classifier in an anti-DDos framework[J]. International Journal of Electrical, 2010,4 (4): 247-252.
[6]	谢柏林，余顺争 . 基于应用层协议分析的应用层实时主动防御系统[J]. 计算机学报, 2011,34 (3): 452-463. XIE B L , YU S Z . Application layer real-time proactive defense sys-tem based on application layer protocol analysis[J]. Cinese Journal of Computers, 2011,34 (3): 452-463.
[7]	LI Z F . Using support vector machines to enhance the performance of Bayesian face recognition[J]. IEEE Transactions on Information Fo-rensics and Security, 2007,2 (2): 174-180.
[8]	MCNAB C . Network Security Assessment[M]. New York: O'Reilley Media, Inc, 2007.
[9]	张永铮，方滨兴，迟悦 . 计算机弱点数据库综述与评价[J]. 计算机科学, 2006,33 (8): 19-21. ZHANG Y Z , FANG B X , CHI Y . Survey and evaluation on computer vulnerability database[J]. Computer Science, 2006,33 (8): 19-21.
[10]	周亮，李俊娥，陆天波等. 信息系统漏洞风险定量评估模型研究[J]. 通信学报, 2009,30 (2): 71-76. ZHOU L , LI J E , LU T B , et al. Research on quantitative assessment model on vulnerability risk for information system[J]. Journal on Communications, 2009,30 (2): 71-76.
[11]	KAMMERER R , FROMEL B , WASICEK A . Enhancing security in CAN systems using a star coupling router[A]. Proceedin of the 7th IEEE International Symposium on Industrial Embedded Systems[C]. Karlsruhe, Germany, 2012.237-246.
[12]	AL-IBRAHIM M , SAVSAR M , ADI W . A security analysis for label switching routers[A]. ACS/IEEE International Conference on Com-puter Systems and Applications[C]. Beirut, Lebanon, 2001.525-529.
[13]	WANG Z Q , ZHANG Y Q , LIU Q X . A research on vulnerability discovering for router protocols based on fuzzing[A]. 7th Inter-national ICST Conference on Communications and Networkng[C]. Kunming, China, 2012.245-250.
[14]	WU Y H , WU J P , XU K , et al. The design and implementation of router security subsystem based on IPSec[A]. 2002 IEEE Region 10 Conference on Compute4rs, Communications, Control and En-gineering[C]. Beijing, China, 2002.160-165.
[15]	VARET A , LARRIEU N . Design and development of an embedded aeronautical router with security capabilities[A]. 2012 Integrated Communications Navigation and Surveillance[C]. Washington, USA, 2012.1-14.
[16]	ROCA A , FLICH J , SILLA F , et al. A latency-efficient router archi-tecture for CMP systems[A]. 13th Euromicro Conference Digital System Design Architectures, Methods and Tools[C]. Lil e, France, 2010.165-172.
[17]	桂宾 . 路由器安全风险分析及规避策略[J]. 计算机安全, 2002,6: 16-18. GUI B . Research on router security risk analysis[J]. Computer Security, 2002,6: 16-18.
[18]	SCHUDEL G , SMITH D J . Router Security Strategies: Security IP Network Traffic Planes[M]. Cisco Press, 2008.
[19]	QU G Z , PAKASH J , KISHORE R , et al. A framework for network vulnerability analysis[EB/OL]. , 2003.
[20]	NTULI N , SUNYOUNG H . Detecting router cache snooping i named data networking[A]. 2012 International Conference on ICT Conver-gence[C]. Jeju Island, Korea, 2012.714-718.
[21]	HU N N , LI L , MAO Z M , et al A measurement study of Internet bottlenecks[A]. INFOCOM 2005 24th Annual Joint Confere of the IEEE Computer and Communications Societies[C]. Miami, USA, 2005.1689-1700.
[22]	ROESCH M , GREEN C . Snort uses manual, snort release 2.0.0.2003[EB/OL]. .
[23]	GB/T 20984-2007. 信息安全技术信息安全风险评估规范[S]．北京: 中国标准出版社, 2007.GB/T 20984-2007 Information Technology Security Evaluation Crite-ria[S]. Beijing: China Zhijian Publishing House, 2007.

Metrics

Recommended 0

No Suggested Reading articles found!

服务下降型		权限提升型
大流量攻击	路由欺骗	信息窃取
带宽耗尽型攻击	OSPF拒绝服务攻击	IP地址欺骗
	BGP拒绝服务攻击	路由欺骗
系统资源耗尽型攻击
	ICMP拒绝服务攻击	RIP欺骗	OSPF欺骗	IS-IS欺骗	BGP欺骗	IP源路由欺骗	ICMP重定向攻击
Telnet攻击
HTTP攻击
SNMP攻击		Telnet攻击、HTTP攻击、SNMP攻击、TFTP攻击、SSH攻击
TFTP攻击
SSH攻击

平均使用率	C
60%~61%	0.5
62%~63%	0.6
64%~65%	0.7
66%~67%	0.8
68%~8	0.9

Ease of Attack	对应流程图中等级
easy	简单
simple	容易
moderate	中等
difficult	困难

E₀	E₁	E₂	E₃	E₄	E₅	E₆	E₇	E₈	E₉
0.0	0.1	0.2	0.3	0.4	0.5	0.6	0.7	0.8	0.9

Sig_ priority	D_escalate
1	0.9
2	0.09
3	0.009
4	0.000 9

Method for router online security risk assessment quantification

RichHTML

PDF

Knowledge

Abstract

Cite this article

share this article

Figures/Tables 22

References 23

Related Articles 12

Metrics

Recommended 0

序号	交换容量	流量重要程度	转发流量重要性赋值
1	[0,10 Mbit/s)	最低	2
2	[10 Mbit/s,100 Mbit/s)	非常低	3
3	[100 Mbit/s,1 Gbit/s)	低	4
4	[1 Gbit/s,10 Gbit/s)	中	5
5	[10 Gbit/s,40 Gbit/s)	高	6
6	[40 Gbit/s,100 Gbit/s)	非常高	7
7	[100 Gbit/s,∞)	最高	8

路由器位置	重要程度	赋值
核心路由器，重要部位	非常高	9
核心路由器，非重要部位	高	7
边缘路由器，重要部位	较高	5
边缘路由器，非重要部位	中	3
其他	低	1
注：可以按照具体情况再增加，赋值在1~10。

时间	CVE	运行服务	攻击数	平均CPU使用率	带宽占用率
8:00	CVE-1999-0111	{RIPv1}	10 000	63.1%	57 Mbit/s
10:00	CVE-1999-0111	{RIPv1}	100	35%	9.2 Mbit/s
12:00	CVE-2005-0068	{ICMP}	10 000	24.4%	6 Mbit/s
14:00	CVE-2002-1350	{BGP}	10 000	69.6%	78.9 Mbit/s
16:00	CVE-1999-0111	{RIPv1}	10 000	63.1%	57 Mbit/s
16:00	CVE-2005-0290	{HTTP}	1	63.1%	57 Mbit/s
18:00	CVE-2004-0714	{SNMP}	10 000	61%	56.2 Mbit/s

Router	路由器类型	软件版本信息	路由器重要性权重
Router 1 (core router)	Cisco 7606	Cisco IOS 12.1(10)E	0.78
Router 2 (edge router)	Cisco 2911	Cisco IOS 15.0(1)M	0.59
Router 3 (edge router)	Cisco 2511	Cisco IOS 12.0(2)T	0.21

[1]	Zhiyong LUO,Xu YANG,Jiahui LIU,Rui XU. Network intrusion intention analysis model based on Bayesian attack graph [J]. Journal on Communications, 2020, 41(9): 160-169.
[2]	Hongyu YANG,Fengyan WANG. Network threat situation assessment based on unsupervised multi-source data feature analysis [J]. Journal on Communications, 2020, 41(2): 143-154.
[3]	Xinyu WANG,Ben NIU,Fenghua LI,Kun HE. Risk assessing and privacy-preserving scheme for privacy leakage in APP [J]. Journal on Communications, 2019, 40(5): 13-23.
[4]	Hao LIU,Lian-ming ZHANG,Zhi-gang CHEN. Task-based access control mode of peer-to-peer network based on fuzzy theory [J]. Journal on Communications, 2017, 38(2): 44-52.
[5]	. Research on security of mobile payment for commercial bank [J]. Journal on Communications, 2014, 35(Z2): 18-139.
[6]	Xi CHEN,You-liang TIAN,Zhuo MA,Jian-feng MA. Research on security of mobile payment for commercial bank [J]. Journal on Communications, 2014, 35(Z2): 131-139.
[7]	Xiang GAO,Yue-fei ZHU,Sheng-li LIU,Jin-long FEI,Long LIU. Risk assessment model based on fuzzy Petri nets [J]. Journal on Communications, 2013, 34(Z1): 126-132.
[8]	. Risk assessment model based on fuzzy Petri nets [J]. Journal on Communications, 2013, 34(Z1): 16-132.
[9]	. Method for router online security risk assessment quantification [J]. Journal on Communications, 2013, 34(11): 8-70.
[10]	Biao SONG,Jian-ming ZHU. Evolution entropy risk assessment of ERP information security based on the business process [J]. Journal on Communications, 2012, 33(Z1): 210-215.
[11]	Dong-mei ZHAO,Jian-feng MA,Yue-sheng WANG. Model of fuzzy risk assessment of the information system [J]. Journal on Communications, 2007, 28(4): 51-56.
[12]	Yong-jie WANG,Ming XIAN,Jin LIU,Guo-yu WANG. Study of network security evaluation based on attack graph model [J]. Journal on Communications, 2007, 28(3): 29-34.