摘要
针对安全态势评估领域的权限有效性评估指标,融合网络流量、入侵检测系统(IDS)报警和扫描信息,提出一种全新的权限有效性定量评估方法.该方法将用户权限作为安全目标,基于网络会话构建威胁用户权限的入侵迹,并使用M arkov数学模型度量安全目标失败的平均入侵代价,进而定量评估权限有效性.实验结果表明,当系统遭受缓冲区溢出攻击时,权限有效性指数接近于0.该方法能够实时评估缓冲区溢出攻击对系统权限有效性的威胁,有效监控黑客行为引起的系统安全态势变化.与其他评估方法相比,该方法考虑了报警之间的因果关系,降低了IDS误报以及无效入侵信息对安全态势评估精度的影响,有助于管理员了解黑客入侵步骤、决策系统安全状况以及识别高危险的入侵路径.
Aiming at the evaluation index of privilege validity in the area of security situation aware- ness, a novel method of quantitatively assessing privilege validity is put forward by syncretizing net-work traffic, intrusion detection system (IDS) alerts and scanning information. Regarding user privilege as the security objective, intrusion footprints threatening the user privilege are constructed based on network sessions. Then, mean intrusion efforts for compromising the security objective are calculated by Markov model and further used to quantitatively assess privilege validity. The experimental results show that the value of privilege validity is close to 0 when the monitored network system is subjected to the attack of the buffer overflow. This method can real-timely assess the threat of buffer overflow exploits on the system's privilege validity, and effectively monitor the variations of security situation caused by hackers' illegal action. Compared with other evaluation methods, it takes into account the causal relationship between alerts and reduces the effect of IDS positive and invalid alerts on the precision of security situation assessment. Moreover, it helps administrators understand hackers' attack steps, judge security status and identify the intrusion footprint with high risk.
出处
《东南大学学报(自然科学版)》
EI
CAS
CSCD
北大核心
2009年第4期742-746,共5页
Journal of Southeast University:Natural Science Edition
基金
国家自然科学基金资助项目(60605019
6077209)
国家教育部博士点基金资助项目(20070248002)
国家高技术研究发展计划(863计划)资助项目(2007AA01Z473)
