An Improved Vulnerability Assessment Framework Based on MulVAL
Abstract: MulVAL is an attack graph generation tool for vulnerability assessment, but it rests on two assumptions that are hard to satisfy in practice. To address this, an improved vulnerability risk assessment framework based on MulVAL is proposed. First, the base score of the Common Vulnerability Scoring System (CVSS) is used to calculate the exploitability of each vulnerability, addressing MulVAL's assumption that every vulnerability is 100% exploitable. Then, Bayesian theory is used to address MulVAL's assumption that vulnerabilities are independent of one another. For vulnerability quantification, because two or more attack paths may have similar or equal probabilities, the number of resources required to reach the attack target is also used as a security metric, in order to identify the attack path the attacker is most likely to take. In addition, the defender should use both comprehensive and targeted vulnerability scanners to gain a better understanding of the current network status.
Authors: LI Hongjiao; HE Wenhao; LI Jinguo (School of Computer Science and Technology, Shanghai University of Electric Power, Shanghai 200090, China)
Source: Journal of Shanghai University of Electric Power (CAS), 2021, No. 6, pp. 557-562, 566 (7 pages in total)
Funding: National Natural Science Foundation of China (61403247, 61702321).
Keywords: MulVAL; attack graph; Common Vulnerability Scoring System; Bayesian theory; number of resources; vulnerability risk assessment
