
Study of Attack Graph Construction Based on Distributed Parallel Processing (cited by: 3)
Abstract: To address the problems that arise in the security analysis of large-scale complex network systems, an attack graph construction method based on distributed parallel processing is proposed. First, the method takes the defender's point of view: every vulnerable host is treated as an attack target, and the attack graph is built with a forward, breadth-first search strategy, which resolves the problem of a fixed, single attack target in existing methods. Second, the work focuses on optimizing vulnerability analysis: from the viewpoint of distributed parallel processing, the vulnerability analysis tasks for different regions of the target network are partitioned and handled by multiple network vulnerability analysis engines running in a distributed, parallel manner to meet scalability requirements, which resolves the high complexity and low scalability that make existing methods hard to apply to large-scale complex network systems. Finally, an optimization strategy that limits the number of attack steps is used to resolve the state explosion problem that occurs during attack graph generation. Experimental results show that the method improves the efficiency of attack graph generation and greatly reduces the system resources consumed during generation, and that it has application value for the overall security of large-scale complex network systems.
Source: Acta Armamentarii (《兵工学报》; indexed in EI, CAS, CSCD, PKU Core), 2012, No. 1, pp. 109-115 (7 pages)
Funding: National 863 Program (2009AA01Z432); National Natural Science Foundation of China (60873215)
Keywords: computer system architecture; large-scale network; network security; attack graph; distributed parallel processing