| 摘要: |
| 随着现代社会对网络系统依赖程度的日益增强,网络安全问题受到普遍关注。网络安全度量是指在理解网络环境的基础之上,建立合适指标体系和度量方法,评估网络的安全性。本文采用攻击图这种网络脆弱性分析技术,在对目标网络和攻击者建模的基础之上,根据两者之间的相互关系生成攻击图模型,分析不同的攻击路径。借鉴CVSS对单一漏洞的量化指标,以及节点间概率转换关系,提出攻击伸缩性机理。结合CVSS指标和攻击图,计算攻击伸缩性数值,并以此作为网络安全度量的方法,最后总结了当前网络安全度量的发展现状以及面临的挑战。 |
| 关键词: 攻击图模型 安全度量 攻击伸缩性 安全评估 |
| DOI:10.19363/J.cnki.cn10-1380/tn.2019.01.05 |
| Received:September 30, 2018Revised:November 27, 2018 |
| 基金项目:本课题得到国家重点研发计划项目(No.2016YFB0800700);国家自然科学基金项目(No.61572460,No.61272481);信息安全国家重点实验室的开放课题(No.2017-ZD-01);国家发改委信息安全专项项目[No.(2012)1424];国家111项目(No.B16037)资助 |
|
| Research on network security measurement based on attack graph |
| ZHAO Song,WU Chensi,XIE Weiqiang,JIA Ziyi,WANG He,ZHANG Yuqing |
| School of Network and Information Security, Xidian University, Xi'an 710071, China;National Computer Network Intrusion Prevention Center, University of Chinese Academy of Sciences, Beijing 101408, China |
| Abstract: |
| With the increasing dependence of modern society on network systems, network security issues have received widespread attention. Network security metrics are based on understanding the network environment, establishing appropriate indicator systems and metrics, and assessing network security. In this paper, using the network vulnerability analysis technology of attack graph, based on the modeling of the target network and the attacker, the attack graph model is generated based on the relationship between the two, and various possible attack paths are analyzed. This paper draws on CVSS's quantitative index of single vulnerability, and proposes the mechanism of attack scalability. Combine the CVSS indicator and the attack graph to calculate the attack scalability value and use it as a method of network security metrics. Finally, it summarizes the current development status of network security metrics and analyzes the main challenges. |
| Key words: attack graph model security metrics attack scalability security assessment |
