贝叶斯属性攻击图网络脆弱性评估

doi:10.13190/j.jbupt.2015.04.022

北京邮电大学学报 ›› 2015, Vol. 38 ›› Issue (4): 110-116.doi: 10.13190/j.jbupt.2015.04.022

贝叶斯属性攻击图网络脆弱性评估

王秀娟, 孙博, 廖彦文, 相从斌

北京工业大学计算机学院, 北京 100124

收稿日期:2015-07-03 出版日期:2015-08-28 发布日期:2015-08-28
作者简介:王秀娟(1979-),女,博士,研究生导师,E-mail:xjwang@bjut.edu.cn.

Computer Network Vulnerability Assessment Based on Bayesian Attribute Network

WANG Xiu-juan, SUN Bo, LIAO Yan-wen, XIANG Cong-bin

Computer Institute, Beijing University of Technology, Beijing 100124, China

Received:2015-07-03 Online:2015-08-28 Published:2015-08-28

摘要/Abstract

摘要：

为了准确全面地评估计算机网络脆弱性,对攻击图中存在的攻击环路、状态爆炸、难以量化分析等问题进行了研究,提出了属性攻击图向贝叶斯网络转化的方法和新的环路消除算法,并利用这两个算法建立贝叶斯属性攻击图模型.在该模型中,利用贝叶斯公式进行推导,得到评估指标的计算公式.利用通用漏洞评分系统数据计算节点的发生概率和评估指标,进行计算机网络脆弱性评估.通过进行实验分析,证明了该模型的可行性和有效性.与其他的脆弱性评估方法相比,该模型具有评估准确、计算简洁、动态量化评估的特点.

关键词: 攻击图, 贝叶斯网络, 脆弱性分析, 量化分析

Abstract:

For assessing the vulnerability of computer network accurately and comprehensively, the problem of attack loops, the state explosion and analyzing qualitatively were researched. The method of converting attribute attack graph to the Bayesian network and the new loop elimination algorithm was also proposed. By using these two algorithms, a new Bayesian attribute attack graph model was build. The formula of assessing indicators was derived by Bayesian formula. The data of common vulnerability scoring system was used to compute the probability of attribute nodes and indicators to conduct network vulnerability assessment. Experiments analysis proves the feasibility and effectiveness of the model. Compared with other methods of vulnerability assessment, this model has simple calculation which is suitable for dynamic quantitative assessment.

Key words: attack graph, Bayesian network, vulnerability analysis, quantitative analysis

中图分类号:

TP393.08

王秀娟, 孙博, 廖彦文, 相从斌. 贝叶斯属性攻击图网络脆弱性评估[J]. 北京邮电大学学报, 2015, 38(4): 110-116.

WANG Xiu-juan, SUN Bo, LIAO Yan-wen, XIANG Cong-bin. Computer Network Vulnerability Assessment Based on Bayesian Attribute Network[J]. JOURNAL OF BEIJING UNIVERSITY OF POSTS AND TELECOM, 2015, 38(4): 110-116.

参考文献

[1] 钟尚勤, 徐国胜, 姚文斌, 等. 基于主机安全组划分的网络安全性分析[J]. 北京邮电大学学报, 2012, 35(1): 19-23. Zhong Shangqin, Xu Guosheng, Yao Wenbin et al. Network security analysis based on host-security-group [J]. Journal of Beijing University of Posts and Telecommunications, 2012, 35(1): 19-23.

[2] Sheyner O, Haines J, Jha S, et al. Automated generation and analysis of attack graphs [C]//Proceedings 2002 IEEE Symposium on Security and privacy, 2002: 273-284.

[3] 龙门, 夏靖波, 张子阳, 等. 节点相关的隐马尔可夫模型的网络安全评估[J]. 北京邮电大学学报, 2011, 33(6): 121-124. Long Men, Xia Jingbo, Zhang Ziyang, et al. Network security assessment based on node correlated HMM [J]. Journal of Beijing University of Posts and Telecommunications, 2011, 33(6): 121-124.

[4] 陈锋, 张怡. 基于攻击图的网络脆弱性量化评估研究[J]. 计算机工程与科学, 2010, 32(10): 8-11. Chen Feng, Zhang Yi. Research of quantitative vulnerability assessment based on attack graphs [J]. Computer Engineering & Science, 2010, 32(10): 8-11.

[5] 陈思思, 连一峰, 贾炜. 基于贝叶斯网络的脆弱性状态评估方法[J]. 中国科学院研究生院学报, 2008, 25(5): 639-648. Chen Sisi, Lian Yifeng, Jia Wei. A network vulnerability evaluation method based on Bayesian networks [J]. Journal of the Graduate School of the Chinese Academy of Sciences, 2008, 25(5): 639-648.

[6] 方研, 殷肖川, 李景志. 基于贝叶斯攻击图的网络安全量化评估研究[J]. 计算机应用研究, 2013, 30(9): 2763-2766. Fang Yan, Yin Xiaochuan, Li Jingzhi. Research of quantitative network security assessment based on Bayesian-attack graphs [J]. Application Research of Computers, 2013, 30(9): 2763-2766.

[7] Wang Lingyu, Yao Chao, Singhal A, et al. Interactive analysis of attack graphs using relational queries [M]. Data and Applications Security XX: Springer Berlin Heidelberg, 2006: 119-132.

[8] 贾炜. 计算机网络脆弱性评估方法研究[D]. 合肥: 中国科学技术大学, 2012. Jia Wei. The research on computer network vulnerabilities assessment methods [D]. Hefei: University of Science and Technology of China, 2012.

[9] Poolsappasit N, Dewri R, Ray I. Dynamic security risk management using Bayesian attack graphs[J]. Dependable and Secure Computing, IEEE Transactions on, 2012, 9(1): 61-74.

[10] 叶云, 徐锡山. 基于攻击图的网络安全概率计算方法[J]. 计算机学报, 2010 (10): 1987- 1996. Ye Yun, Xu Xishan. An attack graph based probabilistic computing approach of network security [J]. Chinese Journal of computers, 2010 (10): 1987-1996.

贝叶斯属性攻击图网络脆弱性评估

Computer Network Vulnerability Assessment Based on Bayesian Attribute Network

RichHTML

PDF

可视化

摘要/Abstract

引用本文

使用本文

参考文献

相关文章 6

编辑推荐

Metrics

本文评价

[1]	杨宏宇, 袁海航, 张良. 一种基于主机重要度的网络主机节点风险评估方法[J]. 北京邮电大学学报, 2022, 45(2): 16-21.
[2]	李永成, 刘树美, 于尧, 李爽. 兼顾路段和交叉口的路网脆弱性识别机制[J]. 北京邮电大学学报, 2020, 43(1): 14-20.
[3]	刘威歆, 郑康锋, 胡影, 武斌. 一种基于目标攻击图的态势威胁评估方法[J]. 北京邮电大学学报, 2015, 38(1): 82-86.
[4]	钟尚勤徐国胜姚文斌杨义先. 基于主机安全组划分的网络安全性分析 [J]. 北京邮电大学学报, 2012, 35(1): 19-23.
[5]	王忠峰, 王志海. TAN分类器结构等价类空间及其在分类器学习算法中的应用[J]. 北京邮电大学学报, 2012, 35(1): 72-76.
[6]	吴焕潘林王晓箴许榕生. 应用不完整攻击图分析的风险评估模型[J]. 北京邮电大学学报, 2010, 33(3): 57-61.