

Research on Dynamic Defense System for Large-Scale Networks--Control and Decision of the Cyberspace Countermeasure

【Author】 何明耘

【Advisor】 戴冠中

【Author information】 Northwestern Polytechnical University (西北工业大学), Control Theory and Control Engineering, 2003, Doctorate

【Abstract (translated from the Chinese)】 In an era of rapidly developing information technology, network security is no longer purely a matter of defensive technology; it has increasingly become a contest of information and knowledge between Security Officers (SO) and Virtual Attackers (VA). Although current dynamic defense systems provide an overall technical framework for defense in terms of security technology integration and coordinated security management, they still lack an understanding of the complete information-confrontation process and cannot effectively solve the information control and decision problems that security officers face. Moreover, in large-scale network environments, dynamic defense systems often also suffer from problems of management-control granularity, massive information processing and dynamic adaptability.

This dissertation takes large-scale network systems as its research object and, from the perspective of information confrontation, studies the security trend of such systems and the dynamic defense process. Through research on three aspects, dynamic security deployment, attack information decision-making and common knowledge acquisition, it constructs a model of a dynamic defense system for large-scale network environments. Finally, the dissertation presents a multi-agent-based implementation of the system; it has good system integration capability, dynamic adaptability and knowledge updating capability, and provides security officers with an environment platform for information decision support and security control management. The main innovations and contributions of this dissertation are as follows:

(1) The information-confrontation process is studied in detail, and the basic link of the confrontation and a game model of its dynamic process are proposed. The basic link is the layered, bidirectional confrontation between SO and VA, conducted under two asymmetric conditions, around vulnerability information of the target system; the dynamic process is a four-party dynamic repeated game formed by the public confrontation, the target management system, the SO and the VA. This information-confrontation model describes the dynamic security trend of the target system in an information-driven manner, identifies the control and decision problems faced by dynamic defense, and establishes a basic technical framework for a dynamic defense architecture. Finally, in view of the problems encountered in large-scale network defense, an independently developed, innovative dynamic security defense system model is proposed.

(2) Dynamic security deployment in large-scale network environments is studied. Observation capability and control capability are the two requirements of dynamic security deployment. Addressing the control and observation granularity problems of large-scale network environments, the dissertation proposes a subdomain-partitioned management method. Subdomain border protection addresses the differing security requirements of subnets and the targeting of internal protection; subnet isolation, global policy and subdomain cooperation effectively solve the cooperation problem between different control domains and give large-scale network system defense a flexible counter-attack mechanism.

(3) Attack information decision-making technology under information confrontation is studied. The attack information decision contest is the stage of information confrontation that goes from information to knowledge; only by converting information superiority into knowledge superiority can decision-making ultimately succeed. For processing massive alarm signals, information fusion is the key technology. On the basis of subdomain-partitioned management, the dissertation proposes a security information analysis method that combines subdomain attack information fusion with main-domain attack knowledge fusion. A three-layer attack knowledge representation model and the corresponding knowledge fusion algorithm are given. The algorithm takes into account the analysis of incomplete information, false alarms and the "new false alarm problem", improving the ability to recognise attack behaviour as knowledge. Based on information fusion, the goal of anomaly analysis is set out; using information sampling by trap hosts combined with an anomaly query method, a solution to attack anomaly analysis is successfully proposed within attack information fusion. The result of attack knowledge recognition must support decision analysis; according to the goals of intrusion counter-attack, three stages of decision-support analysis are proposed within the main domain: attack route analysis, attack frequency analysis and attack capability analysis.

(4) Common knowledge acquisition and security trend analysis technology under information confrontation are studied. In the complete information-confrontation model, common knowledge acquisition and security trend analysis constitute the process from knowledge acquisition to information discovery. For the first time, the dissertation analyses the significance of common knowledge acquisition and security trend analysis from the perspective of information confrontation, systematically summarises the classification, standards and description of common knowledge, gives methods for acquiring common knowledge in a dynamic defense system, and proposes a target-system security trend analysis method that combines privilege graphs with attack trees.

【Abstract】 In the information age, a security system no longer means simple, pure protection but a contest between Security Officers (SO) and Virtual Attackers (VA). Some cyberspace security systems give only a defense framework, integrating different protection technologies according to the system's security management requirements rather than according to an understanding of information rivalry. Such systems therefore cannot effectively solve the decision-making problems that SOs face in the information war, nor the problems of distributed security management granularity, massive information processing and dynamic adaptive capability that SOs face in large-scale networks.

In this dissertation, system dynamic defense and security trend are studied on the basis of cyberspace countermeasure, in order to solve the problems of control and decision in large-scale dynamic defense systems. A new dynamic defense model is proposed, built on an understanding of information rivalry and considering three aspects: defense measure deployment, an attack information decision-making support system, and common competition knowledge. A multi-agent-based implementation is also given. The system offers the SO an extensible, adaptive, intelligent environment for handling security information and knowledge. The major contributions of the dissertation are summarized as follows.

(1) A rivalry model is presented for studying the security defense problem. Its basic aspect is the rivalry between SO and VA, conducted through different layers of information under two asymmetric information conditions and comprising two reverse-direction information handling processes. Game theory is also used to analyze the dynamic process of the defense system in a large-scale network. A new architecture for a dynamic security system is presented based on this information rivalry model.

(2) A new method of defense measure deployment, based on subdomain segmentation, is presented. In a large-scale security system, subdomain segmentation effectively improves the granularity of control and observation. Setting border protection in each subdomain provides protection tailored to that subdomain. Subdomain auto-isolation, global policy management and cooperative subdomain protection make the defense system more controllable and self-adaptive.

(3) Based on the rivalry model, the process of attack information handling is studied. For massive, noisy and volatile data, information fusion is the key technology. A new attack information handling algorithm is presented that combines subdomain alert information fusion with global attack knowledge fusion. For attack knowledge fusion, a new correlation algorithm based on a three-layer representation of attack knowledge is proposed. The algorithm considers the problems of information handling: incomplete information for decision making, incorrect information for analysis, and uncertain information for filtering. Analysis of anomaly alerts offers an opportunity to learn a new attack, but detailed information about that attack is lacking; the algorithm therefore combines trap-node attack information gathering with anomaly alert queries as a new way to learn novel attack modes. In the decision-support system, an analysis framework comprising attack path analysis, attack frequency analysis and attack capability analysis is proposed to meet the intrusion response requirement.

(4) The concept of common rivalry knowledge is put forward, which describes the process from obtaining common security knowledge to discovering critical information about the local system. Representation, classification and a global reference naming standard for common security knowledge are summarized. A new model of system security trend analysis is then presented, combining vulnerability analysis (using the privilege graph method) with attack knowledge analysis (using the goal tree method).
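The two-level alert pipeline of contribution (3), as an added illustration rather than the dissertation's own algorithm or code: alerts are first fused within each subdomain into counted events, the events are then fused globally into attack paths that cross subdomain borders, and a per-source frequency is derived for decision support. All hosts, signatures, timestamps and the chaining window are constructed for the example.

```python
from collections import defaultdict, namedtuple

Alert = namedtuple("Alert", "subdomain src dst sig t")  # IDS alert: subdomain, source, target, signature, time (s)

# Constructed sample alerts from two subdomains (illustrative, not from the dissertation).
ALERTS = [
    Alert("dmz",  "10.9.9.9", "10.1.0.5", "scan",        100),
    Alert("dmz",  "10.9.9.9", "10.1.0.5", "scan",        101),  # same probe, repeated
    Alert("dmz",  "10.9.9.9", "10.1.0.5", "scan",        102),
    Alert("dmz",  "10.9.9.9", "10.1.0.5", "web-exploit", 160),
    Alert("corp", "10.1.0.5", "10.2.0.7", "smb-exploit", 400),  # pivot from the DMZ host
    Alert("corp", "10.3.0.1", "10.2.0.9", "scan",         50),  # unrelated background noise
]

def fuse_subdomain(alerts):
    """Subdomain fusion: merge alerts with the same (subdomain, src, dst, sig) into one counted event."""
    events = {}
    for a in alerts:
        ev = events.setdefault((a.subdomain, a.src, a.dst, a.sig),
                               {"count": 0, "first": a.t, "last": a.t})
        ev["count"] += 1
        ev["first"], ev["last"] = min(ev["first"], a.t), max(ev["last"], a.t)
    return events

def attack_paths(events, window=3600):
    """Global fusion across subdomains: chain an event to a later one (within `window`
    seconds) whose source is its target; return maximal chains from never-targeted hosts."""
    by_src = defaultdict(list)
    for (_, src, dst, _), ev in events.items():
        by_src[src].append((dst, ev))
    targets = {dst for (_, _, dst, _) in events}
    paths = []
    def walk(host, t_last, chain):
        nxt = [(d, e) for d, e in by_src.get(host, [])
               if d not in chain and (t_last is None or 0 <= e["first"] - t_last <= window)]
        if not nxt and chain not in paths:
            paths.append(chain)          # dead end: record the maximal chain once
        for d, e in nxt:
            walk(d, e["last"], chain + [d])
    for entry in by_src:
        if entry not in targets:         # entry points: sources never seen as a target
            walk(entry, None, [entry])
    return paths

def attack_frequency(events):
    """Decision support: fused alert volume per attacking source across all subdomains."""
    freq = defaultdict(int)
    for (_, src, _, _), ev in events.items():
        freq[src] += ev["count"]
    return dict(freq)
```

With the default window the DMZ scan, the web exploit and the later SMB exploit from the compromised DMZ host fuse into one path spanning both subdomains; a 100-second window cuts the chain at the DMZ host, which is how the window trades correlation reach against false linkage.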


