Abstract
Current security analyses of RFID (Radio Frequency Identification) systems neglect the dynamic effect of attack events on the system's security state. To realize an effective security risk assessment of RFID systems, this paper proposes an RFID system security assessment model based on a Bayesian attack graph. The model first analyzes the structure of the RFID system and the protocols it uses to identify the system's vulnerabilities and their dependencies, and builds the attack graph from them. Because an attack graph on its own supports only qualitative analysis, the constructed attack graph structure is then quantified with Bayesian theory. Quantitative evaluation indices for RFID vulnerabilities are established from each vulnerability's exploit difficulty and impact, and the corresponding atomic attack probabilities are computed; attack nodes are then linked to the RFID system's security attribute nodes through conditional transition probabilities. The model can thus infer the risk probability that an attacker successfully reaches each attribute node, and it can also show dynamically how the system's risk status changes with the attacker's different behaviors, so that the overall risk of the target RFID system can be assessed in different states. Experiments show that the proposed model effectively computes the overall risk probability of an RFID system and provides a theoretical basis for the subsequent implementation of corresponding security policies.
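As an added illustration (not code from the paper), the following Python sketch shows the inference step the abstract describes: a small constructed RFID attack graph whose root nodes carry atomic attack probabilities and whose derived attack and security-attribute nodes are reached through conditional transfer probabilities, scored exactly by enumeration, first without evidence and then after one attack step has been observed. All node names and probability values are made up for illustration.

```python
from itertools import product

# Constructed toy RFID attack graph, not taken from the paper. Binary nodes:
# root atomic attacks carry the prior derived from exploit difficulty/impact;
# derived attacks and security-attribute nodes combine their parents through a
# noisy-OR of conditional transfer probabilities.

def noisy_or(weights):
    """CPT: each true parent independently succeeds with its own weight."""
    def cpt(parent_values):
        miss = 1.0
        for w, v in zip(weights, parent_values):
            miss *= (1.0 - w) if v else 1.0
        return 1.0 - miss
    return cpt

# name -> (parents, cpt giving P(node=True | parent values)), topological order
RFID_GRAPH = {
    "eavesdrop":       ([], lambda _: 0.6),                      # atomic attack prior
    "replay":          (["eavesdrop"], noisy_or([0.7])),
    "clone_tag":       (["eavesdrop"], noisy_or([0.4])),
    "confidentiality": (["eavesdrop"], noisy_or([0.8])),         # attribute node
    "authentication":  (["replay", "clone_tag"], noisy_or([0.9, 0.85])),
}

def joint_probability(graph, assignment):
    """P(x_1..x_n) = product over nodes of P(x_i | parents(x_i))."""
    prob = 1.0
    for name, (parents, cpt) in graph.items():
        p_true = cpt(tuple(assignment[p] for p in parents))
        prob *= p_true if assignment[name] else 1.0 - p_true
    return prob

def risk_probabilities(graph, evidence=None):
    """Exact inference by enumeration: P(node=True | evidence) for each node.
    evidence maps node names to observed truth values (e.g. an attack step that
    monitoring has confirmed), so the risk picture updates as the attacker acts."""
    evidence = evidence or {}
    names = list(graph)
    numer, denom = {n: 0.0 for n in names}, 0.0
    for values in product([False, True], repeat=len(names)):
        assignment = dict(zip(names, values))
        if any(assignment[k] != v for k, v in evidence.items()):
            continue
        p = joint_probability(graph, assignment)
        denom += p
        for n in names:
            numer[n] += p if assignment[n] else 0.0
    if not denom:
        raise ValueError("evidence has zero probability under the graph")
    return {n: numer[n] / denom for n in names}
```

Calling risk_probabilities(RFID_GRAPH) gives the prior risk of every node; passing evidence={"replay": True} re-scores the graph once a replay attack has been confirmed, which raises the authentication-loss probability from about 0.45 to about 0.93.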
Authors
马荟平
李鹏
肖航
朱枫
MA Hui-ping; LI Peng; XIAO Hang; ZHU Feng (School of Computer Science, Nanjing University of Posts and Telecommunications, Nanjing 210023, China; Institute of Network Security and Trusted Computing, Nanjing 210023, China)
Source
《计算机技术与发展》
2024, No. 2, pp. 113-119 (7 pages)
Computer Technology and Development
Funding
National Natural Science Foundation of China (61872196, 61872194, 61902196)
Jiangsu Province Science and Technology Support Program (BE2019740, BK20200753, 20KJB520001)
Major Project of Natural Science Research of Jiangsu Higher Education Institutions (18KJA520008)
Jiangsu Province "Six Talent Peaks" High-Level Talent Project (RJFW-111).
Keywords
Bayesian
radio frequency identification
attack graph
atomic attack
attribute node
security evaluation