自动高效的网络安全评估方法

Automated and Efficient Network Security Assessment Approach

网络安全评估是提高网络安全性的基本步骤之一。目前的评估方法通常需要手工操作,带来较大的评估开销,很难应用到大规模复杂网络,无法快速响应用户请求。提出了一种高效的自动化评估方法来解决这些问题。为了实现评估的自动化,对多个弱点资源(如NVD、Bugtraq等)的脆弱性信息进行分析,将它们关联起来,形成一个包含40000多个已知弱点的大型综合弱点数据库。为了提高评估效率,利用"原子域"的概念,提出了一种新的攻击图生成方法,相比于传统的方法,大大减少了攻击图生成开销。构建贝叶斯评估模型,基于变量消元,提出了一种新的评估方法,简化了模型中的贝叶斯推理。由于能自动化部署贝叶斯攻击图概率信息,新方法能实现评估的自动化,并且可以应用到大规模网络,快速完成评估任务,还可为网络管理员提供量化判断依据,以快速应对大型复杂网络中不断变化的安全态势。

Network security assessment is one of fundamental methods in improving network security. Current assessment methods usually involve manual operations, and require heavy processing overhead. As a result, they are not applicable to large complicated networks and cannot provide fast responses needed. This paper proposes an auto- mated assessment approach to address these issues. Firstly, to automate the evaluation process, it analyzes vulnera- bility information obtained from multiple vulnerability sources （NVD and Bugtraq, etc.）, and then correlates them and builds a large integrated vulnerability database consisting of over 40,000 currently-known vulnerabilities. Sec- ondly, to improve the evaluation efficiency, it proposes a new attack graph generation method by exploring the con- cept of ＂atomic domain＂, which significantly reduces generation overhead, compared with traditional methods. Fur- thermore, the paper constructs a Bayesian evaluation model, and proposes a variable elimination based method which exploits to simplify the Bayesian inference in the model. As assigning probability information to a Bayesianattack graph automatically, the proposed method can automate the evaluation process, thus is applicable to large-scale networks and can provide fast responses. In addition, the proposed evaluation method provides quantitative justification for network administrators to quickly respond to the dynamic changes of security situations in large complicated networks.