Automated and Efficient Network Security Assessment Approach
Cited by: 1
Abstract: Network security assessment is one of the fundamental methods for improving network security. Current assessment methods usually involve manual operations and require heavy processing overhead; as a result, they are not applicable to large, complicated networks and cannot provide the fast responses needed. This paper proposes an automated assessment approach to address these issues. First, to automate the evaluation process, it analyzes vulnerability information obtained from multiple vulnerability sources (NVD, Bugtraq, etc.), correlates it, and builds a large integrated vulnerability database of over 40,000 currently known vulnerabilities. Second, to improve evaluation efficiency, it proposes a new attack graph generation method built on the concept of an "atomic domain", which significantly reduces generation overhead compared with traditional methods. Furthermore, the paper constructs a Bayesian evaluation model and proposes a new evaluation method based on variable elimination that simplifies Bayesian inference in the model. Because probability information is assigned to the Bayesian attack graph automatically, the proposed method automates the evaluation process, is applicable to large-scale networks, and completes evaluation tasks quickly. In addition, it gives network administrators a quantitative basis for judgment, so they can respond quickly to the dynamic changes in the security situation of large, complicated networks.
Source: Journal of Frontiers of Computer Science and Technology (《计算机科学与探索》, CSCD), 2012, No. 8: 698-707 (10 pages)
Funding: National Natural Science Foundation of China No.60973009; China Postdoctoral Science Foundation No.20100470256
Keywords: security assessment; variable elimination; Bayesian networks; quantitative assessment