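Testing and Analysis of a Proof-of-Principle Verification System for Mimic Defense in Web Servers
ZHANG Zheng, MA Bolin, WU Jiangxing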
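(State Key Laboratory of Mathematical Engineering and Advanced Computing, Zhengzhou, China 450001; National Digital Switching System Engineering and Technological Research Center, Zhengzhou, China 450002)
Abstract:
The web server mimic defense proof-of-principle verification system is a new type of web security defense system based on the mimic defense principle. It uses properties such as heterogeneity, redundancy and dynamism to block or disrupt network attacks, so that the system's security risk stays controllable. Traditional testing methods fall short when applied to this system: they are poorly suited to testing complex security functions and make accurate measurement difficult. To address these problems, this paper proposes a web server testing method suited to the mimic defense architecture, improves gray-box testing on the basis of concession rules, and enriches the meaning of the exploitation complexity of vulnerabilities and backdoors. On this basis it designs a test plan, test principles and test methods suited to the system, and carries out comprehensive testing and analysis of performance, compatibility, functional implementation, HTTP protocol conformance and security.
Keywords:  mimic defense principle  gray-box testing  exploitation complexity  test principles  test cases  test analysis  testing
DOI: 10.19363/j.cnki.cn10-1380/tn.2017.01.002
Received: 2016-09-13; last revised: 2016-12-03
Funding: This work was supported by the National Key Research and Development Program of China (2016YFB0800104), the Scientific Research Program of the Science and Technology Commission of Shanghai Municipality (14DZ1105300), and the National Natural Science Foundation of China (61572520).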
The Test and Analysis of Prototype of Mimic Defense in Web Servers
ZHANG Zheng,MA Bolin,WU Jiangxing
State Key Laboratory of Mathematical Engineering and Advanced Computing, Zhengzhou 450001, China; National Digital Switching System Engineering & Technological R&D Center, Zhengzhou 450002, China
Abstract:
The prototype of mimic defense in web servers is a new type of web security defense system based on mimic security defense theory. It makes use of heterogeneity, redundancy, dynamism and other characteristics to block or disrupt network attacks, in order to meet the requirement of keeping system security risk under control. Traditional web service testing methods are inadequate for this system: they do not meet its complex security testing requirements and make accurate measurement difficult. This paper presents a web service testing method applicable to the mimic defense architecture, improves the gray-box testing method based on a concession rule, and enriches the meaning of the exploitation complexity of vulnerabilities and backdoors. On this basis, the paper puts forward test plans, test principles and test methods for the new system. It covers comprehensive testing and analysis of performance, compatibility, function, HTTP protocol conformance and security.
Key words:  Mimic defense theory  Gray-box testing method  exploiting complexity  test principle  test case  test analysis  test