Journal on Communications ›› 2022, Vol. 43 ›› Issue (2): 89-99. doi: 10.11959/j.issn.1000-436x.2022030
Hongyu YANG1,2, Haihang YUAN2, Liang ZHANG3
Revised: 2022-01-11
Online: 2022-02-25
Published: 2022-02-01
Hongyu YANG, Haihang YUAN, Liang ZHANG. Host security assessment method based on attack graph[J]. Journal on Communications, 2022, 43(2): 89-99.

Host | Nattack | Nhost_1 | Nhost_2 | Nhost_3 | Nhost_4 | Nhost_5 | Nhost_6 | Nhost_7 | Nhost_8 | Nhost_9 |
Nattack | — | Connected | Connected | Connected | — | — | — | — | — | — |
Nhost_1 | — | — | Connected | — | — | — | Connected | — | — | — |
Nhost_2 | — | — | — | — | — | — | Connected | — | — | — |
Nhost_3 | — | — | Connected | — | Connected | Connected | — | — | — | — |
Nhost_4 | — | — | — | — | — | — | — | — | Connected | — |
Nhost_5 | — | — | — | — | — | — | Connected | — | — | — |
Nhost_6 | — | — | — | — | — | — | — | Connected | — | — |
Nhost_7 | — | — | — | — | — | — | — | — | — | — |
Nhost_8 | — | — | — | — | — | Connected | — | — | — | Connected |
Nhost_9 | — | — | — | — | — | Connected | — | — | — | — |
Note: — indicates not connected.

Host | Host name | Vulnerability CVE ID | VE |
Nhost_1 | Management and control host | CVE-2014-0226(f1) | 0.859 |
Nhost_2 | Application server | CVE-2015-1635(f2) | 1 |
Nhost_3 | Application server | CVE-2015-2578(f3) | 0.859 |
Nhost_3 | Application server | CVE-2016-3125(f4) | 1 |
Nhost_4 | Business host | CVE-2015-0014(f5) | 1 |
Nhost_5 | Business host | CVE-2007-0038(f6) | 0.859 |
Nhost_6 | Database server | CVE-2016-0639(f7) | 1 |
Nhost_6 | Database server | CVE-2016-3471(f8) | 0.392 |
Nhost_6 | Database server | CVE-2016-3477(f9) | 0.314 |
Nhost_7 | Backup database server | CVE-2016-3461(f10) | 0.315 |
Nhost_8 | Configuration management host | CVE-2006-2370(f11) | 1 |
Nhost_9 | Operation monitoring host | CVE-2003-0252(f12) | 1 |

Host | Attack paths | Maximum attack probability |
Nhost_1 | Nattack-Nhost_1 | 0.21 |
Nhost_2 | Nattack-Nhost_2; Nattack-Nhost_1-Nhost_2; Nattack-Nhost_3-Nhost_2 | 0.49 |
Nhost_3 | Nattack-Nhost_3 | 0.24 |
Nhost_4 | Nattack-Nhost_3-Nhost_4 | 0.16 |
Nhost_5 | Nattack-Nhost_3-Nhost_5; Nattack-Nhost_3-Nhost_4-Nhost_8-Nhost_5; Nattack-Nhost_3-Nhost_4-Nhost_8-Nhost_9-Nhost_5 | 0.14 |
Nhost_6 | Nattack-Nhost_1-Nhost_6; Nattack-Nhost_2-Nhost_6; Nattack-Nhost_1-Nhost_2-Nhost_6; Nattack-Nhost_3-Nhost_2-Nhost_6; Nattack-Nhost_3-Nhost_5-Nhost_6; Nattack-Nhost_3-Nhost_4-Nhost_8-Nhost_5-Nhost_6; Nattack-Nhost_3-Nhost_4-Nhost_8-Nhost_9-Nhost_5-Nhost_6 | 0.1 |
Nhost_7 | Nattack-Nhost_1-Nhost_6-Nhost_7; Nattack-Nhost_2-Nhost_6-Nhost_7; Nattack-Nhost_1-Nhost_2-Nhost_6-Nhost_7; Nattack-Nhost_3-Nhost_2-Nhost_6-Nhost_7; Nattack-Nhost_3-Nhost_5-Nhost_6-Nhost_7; Nattack-Nhost_3-Nhost_4-Nhost_8-Nhost_5-Nhost_6-Nhost_7; Nattack-Nhost_3-Nhost_4-Nhost_8-Nhost_9-Nhost_5-Nhost_6-Nhost_7 | 0.005 |
Nhost_8 | Nattack-Nhost_3-Nhost_4-Nhost_8 | 0.14 |
Nhost_9 | Nattack-Nhost_3-Nhost_4-Nhost_8-Nhost_9 | 0.11 |

Host | C | I | A | Asset importance |
Nhost_1 | 0.3092 | 0.3260 | 0.3647 | 3.04 |
Nhost_2 | 0.2972 | 0.3387 | 0.3461 | 3.03 |
Nhost_3 | 0.2743 | 0.3606 | 0.3651 | 3.22 |
Nhost_4 | 0.3777 | 0.3442 | 0.2781 | 1.85 |
Nhost_5 | 0.2876 | 0.3661 | 0.3464 | 2.33 |
Nhost_6 | 0.1782 | 0.5179 | 0.3039 | 4.06 |
Nhost_7 | 0.3866 | 0.3646 | 0.2488 | 4.61 |
Nhost_8 | 0.1891 | 0.4089 | 0.4021 | 2.5 |
Nhost_9 | 0.3087 | 0.3806 | 0.3107 | 1.67 |