Analysis of Network Security Situation Evaluation and Trend Awareness (网络安全态势评估与趋势感知的分析研究)

Analysis of Security Situational Awareness of Cyberspace

【Author】 萧海东 (Xiao Haidong)

【Supervisor】 李建华 (Li Jianhua)

【Author information】 Shanghai Jiao Tong University, Communication and Information Systems, 2007, doctoral dissertation

【Abstract (translated from the Chinese 摘要)】 At the end of the twentieth century the "information revolution" set off profound changes worldwide. With the widespread use of computers and the Internet, network security problems gradually became prominent. Once computers are connected together through the Internet, the meaning of information security changes fundamentally: it shifts from ordinary defence to universal precaution, and expands from a specialised field to something present everywhere. In order to understand the dynamic changes of network security as a whole, and to meet the higher practical demands placed on network security research, the study of the network security situation has gradually become one of the hot topics in the field. This dissertation describes a model of a network security situation evaluation system and studies the corresponding evaluation methods. First, on the side of numerical situation computation, it analyses the typical numerical situation algorithm represented by AHP. AHP was first proposed by the American operations researcher T. L. Saaty; it is a multi-objective decision analysis methodology that combines qualitative and quantitative analysis. It draws on the behavioural sciences to quantify the experiential judgements of decision makers, is practical when the structure of the objectives (factors) is complex and the necessary data are lacking, and is a system analysis method commonly used in systems science. Using this tool together with a division of the network into layers (host service, host, subnet and whole network), the weights and indices of the situation evaluation system are computed in a principled way. The strength of this algorithm is that security situation information can be aggregated upwards level by level from the bottom, with the weight factors folded into the situation values during aggregation; the resulting evaluation system is clear and meets the requirements of the BS7799 situation evaluation framework. As the problems studied grow more complex, the computational load of the weight model grows ever larger. In particular, when a large-scale network security threat breaks out, the high-frequency, high-volume concentrated scanning and probing from infected nodes rapidly degrades the performance and effective bandwidth of network devices at every layer, which becomes a security problem of the complex network environment. At that point the real-time performance of AHP-based situation analysis suffers greatly, and AHP cannot solve the problem of predicting the future situation of the whole network. To further improve the situation computation model, we bring in another powerful tool, the artificial neural network. Because an artificial neural network model is highly fault tolerant, associative, self-organising and self-learning, and has strong non-linear mapping and generalisation capability for complex systems, we apply it to the situation weight problem. The advantages of this approach are the following. First, it needs no numerical algorithm to build the model; it learns a black-box relation between inputs and outputs purely from network security situation sample data, and does not have to describe the quantitative relations and spatial distribution of the real system as an ordinary mathematical model does. Second, it is quick and convenient: once training data are available, even a complex network can be analysed rapidly, and results can be output dynamically as initial conditions change. Third, its inherently non-linear data structure and computation process make it well suited to non-linear mappings. Fourth, security situation values are stored in a distributed way, with storage and processing merged; this storage structure is fault tolerant, and erroneous inputs can be rejected or attenuated. Unlike earlier numerical computation, introducing this intelligent technique brings situation analysis closer to human intelligence: situation-weight analysis neurons are constructed, and the wide interconnection of simple neurons forms a complex non-linear situation evaluation system with better properties, making distributed parallel processing and adaptive learning of the large-scale network situation possible and greatly improving the robustness and fault tolerance of the system. Network security trend awareness mainly analyses recent network attack data and uses several prediction methods to forecast the probability of attacks the system may face in the future. In the dissertation we design an adaptive filter to predict the trend of the situation and construct a corresponding neural network: as historical security situation data flow through this network, the next situation value is predicted. In fact, the situation value varies non-linearly with time; its trend is fitted as a network situation state function, which enters the prediction system from the tap of the system delay line, while the two earlier situation values are fed in directly from the tail of the delay line. At each step the network's adaptor adjusts the weights so that the error is minimised; the error is taken from the right-hand side of the model and used as the stimulus for weight adjustment. When the error tends to zero, the predicted data resemble the actual data and the model has achieved its predictive purpose. As the network environment becomes more complex, especially in the large-scale networks of the future, situation research will have to take more factors into account. The change of the network security situation is analysed dynamically according to a pre-trained situation analysis model and the input network security information, forming one level of abstraction for understanding network security data. Further, situation prediction based on fuzzy reasoning allows the possible future development of the network security situation to be observed. These result sets form a new level of observation space and further enrich the training set of the trend awareness model. In next-generation networks, and in grid applications in particular, security situation research is also an important direction of development. The purpose of this research is to build a network situation awareness system that helps the decision makers responsible for whole-network security understand the situation, react quickly, and obtain decision support and command and control. Here we explore grid security technology specifically. Studying the security situation at grid nodes, balancing the computational load of the whole grid and formulating good distributed computing strategies are important for improving the computational performance of the grid system as a whole; as a research focus of the next-generation Internet, this also places new demands on grid security research. Taking the grid as the supporting research platform, and combining it with a knowledge base, the dissertation analyses the metadata mapping of grid security policies in detail, constructs a Cauchy sequence for the mapping between knowledge space and parameter space, and proves the uniqueness of knowledge in the security policy knowledge space. Creating a large annotated, digitised federated resource repository protected by a standard security architecture to support the various applications of grids in practice is part of the future development of grid security, and is also an important direction for extending situation research.

【Abstract】 The "information revolution" brought great changes at the end of the twentieth century. With the wide use of computers and the Internet, the security of networks has become more and more important. When computers are connected through the Internet, the meaning of information security changes fundamentally: not only from ordinary protection to common defence, but also from a special scope to everywhere. Against this background, research on network security situation evaluation has become a hot spot, and higher-level requirements are placed on network security research. This dissertation first describes a common model of a network security situational awareness architecture and studies the corresponding evaluation methods. On the side of numerical situation computation, the AHP algorithm is analysed. AHP was proposed by T. L. Saaty, an American operations researcher; it is a methodology for multi-target decision making that unites qualitative and quantitative analysis. It draws on behavioural science to quantify the experiential judgements of decision makers, is a practical method when the target structure is complex and the essential data are lacking, and is one of the standard system-analysis methods of systems science, commonly used as a mathematical tool. Using it, and taking into account the division of the network into the levels of service, host, subnet and whole network, the weights and situation values of the security situational awareness architecture can be calculated.
The advantage of this algorithm is that network security situation information can be gathered from the bottom stratum upwards level by level, with the weight factors accounted for in the situation value computation, so the resulting security situation evaluation architecture is transparent and tallies with the requirements of BS7799. As the research problems become more complex, the computation of this mathematical model becomes ever more demanding. When large-scale network security threats break out, the performance of network equipment and the available bandwidth plummet under the high-frequency scanning and probing generated by infected nodes, and security problems arise in this more complex network environment. The real-time performance of situational awareness analysis is greatly affected as well; a further disadvantage is that AHP cannot provide a prediction of the situation in the future. To improve this computing model, a powerful tool is introduced: the artificial neural network (ANN). Because of its high error tolerance, associative capability, self-organisation and self-learning ability, and its powerful non-linear mapping of complex systems, the ANN can be applied to the problem of computing cyberspace security situation weights. Its advantages are as follows. First, it needs no numerical algorithm to set up the model: only sample data are used, the black-box relationship between input and output is constructed, and the numerical relationships and spatial distribution of the real system need not be described. Second, the method is very quick to construct once training data are available, and results can be output dynamically. Third, its inherently non-linear data structure and computing process equip it to handle non-linear mapping relationships. Finally, security situation values can be stored in a distributed way, combining storage and processing; this data storage structure is error tolerant, and errors can be diminished.
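The hierarchical weight computation described above, worked through as an added Python example (not code from the dissertation): a pairwise comparison matrix on Saaty's 1-9 scale is turned into a priority vector by power iteration, the consistency ratio is checked before the weights are trusted, and service-level situation values are rolled up through host, subnet and whole network, following the level division the abstract describes. The comparison matrices, the service, host and subnet names, and the situation values in [0, 1] are constructed sample data; the random-index table is Saaty's published one.

```python
"""AHP weight computation and level-by-level aggregation of situation values.

Added illustration, not code from the dissertation. The comparison matrices,
names and situation values below are constructed sample data; the
random-index table is Saaty's.
"""

# Saaty's random consistency index, indexed by matrix order n (n = 1..9).
RANDOM_INDEX = {1: 0.0, 2: 0.0, 3: 0.58, 4: 0.90, 5: 1.12,
                6: 1.24, 7: 1.32, 8: 1.41, 9: 1.45}


def ahp_weights(matrix, tol=1e-12, max_iter=500):
    """Return (weights, lambda_max, consistency_ratio) for a pairwise
    comparison matrix, using power iteration on the principal eigenvector."""
    n = len(matrix)
    for i in range(n):
        if len(matrix[i]) != n:
            raise ValueError("comparison matrix must be square")
        for j in range(n):
            # A reciprocal matrix must satisfy a_ji == 1 / a_ij.
            if abs(matrix[i][j] * matrix[j][i] - 1.0) > 1e-9:
                raise ValueError(f"matrix is not reciprocal at ({i},{j})")
    v = [1.0 / n] * n
    lam = float(n)
    for _ in range(max_iter):
        u = [sum(matrix[i][j] * v[j] for j in range(n)) for i in range(n)]
        lam = sum(u)                       # v sums to 1, so sum(A v) estimates lambda_max
        v_new = [x / lam for x in u]
        delta = max(abs(a - b) for a, b in zip(v_new, v))
        v = v_new
        if delta < tol:
            break
    ci = (lam - n) / (n - 1) if n > 1 else 0.0
    ri = RANDOM_INDEX.get(n, 0.0)
    cr = ci / ri if ri > 0 else 0.0
    return v, lam, cr


def aggregate(values, matrix, cr_limit=0.1):
    """Weighted sum of child situation values with AHP weights from `matrix`.
    Judgement matrices whose consistency ratio exceeds cr_limit are rejected."""
    weights, _, cr = ahp_weights(matrix)
    if cr > cr_limit:
        raise ValueError(f"inconsistent judgements (CR={cr:.3f} > {cr_limit})")
    if len(values) != len(weights):
        raise ValueError("one value per compared element is required")
    return sum(w * x for w, x in zip(weights, values))


def network_situation(subnets, subnet_matrix):
    """Roll service-level values up through host, subnet and whole network.
    subnets: {subnet: (host_matrix, {host: (service_matrix, [service values])})}"""
    subnet_values = []
    for _, (host_matrix, hosts) in subnets.items():
        host_values = [aggregate(svc_values, svc_matrix)
                       for _, (svc_matrix, svc_values) in hosts.items()]
        subnet_values.append(aggregate(host_values, host_matrix))
    return aggregate(subnet_values, subnet_matrix)


# Constructed sample data: situation values in [0, 1], 1 being the worst.
CONSISTENT_3 = [[1, 3, 5], [1/3, 1, 5/3], [1/5, 3/5, 1]]   # perfectly consistent, CR = 0
SAATY_3 = [[1, 3, 5], [1/3, 1, 3], [1/5, 1/3, 1]]          # mildly inconsistent, CR ~ 0.03
TWO = [[1, 2], [1/2, 1]]

SAMPLE_SUBNETS = {
    "dmz": (TWO, {
        "web":  (CONSISTENT_3, [0.9, 0.2, 0.1]),   # e.g. http, ssh, ntp
        "mail": (SAATY_3,      [0.4, 0.4, 0.1]),
    }),
    "lan": ([[1]], {
        "file": (TWO, [0.3, 0.6]),
    }),
}

if __name__ == "__main__":
    w, lam, cr = ahp_weights(SAATY_3)
    print("weights", [round(x, 3) for x in w], "lambda_max", round(lam, 4), "CR", round(cr, 4))
    print("network situation", round(network_situation(SAMPLE_SUBNETS, TWO), 4))
```

The consistency check is the step a practitioner should not skip: a judgement matrix whose CR exceeds 0.1 yields weights that are essentially arbitrary, so `aggregate` refuses it rather than silently folding bad weights into the situation value. Power iteration is used instead of a library eigensolver to keep the block dependency-free; for orders above 9 a longer random-index table would be needed.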
Unlike the numerical computing used before, the introduction of this intelligent technology brings the analysis of security situational awareness closer to human intelligence: situational weight analysis neurons are designed, and a more complex non-linear situational evaluation system is formed from them. This system has advantages, especially in the distributed parallel processing and self-adaptive learning needed for large-scale cyberspace security situational awareness, and it also improves the robustness and fault tolerance of the situational awareness system to a great extent. Trend perception of cyberspace security situational awareness is mainly based on the analysis of network attack data. In this dissertation an adaptive filter is designed to predict the trend of the situation, and the corresponding neural network is constructed: when historical security data pass through the model, the next value is predicted. In fact, the security situation value changes non-linearly as time passes. Its trend is described as the network situation function P(t), which enters the model at the time-delay input, while the two earlier situation values are fed into the model directly from the delay line. The adaptor changes the weights so as to minimise the error, and the error output is used to drive the weight adjustment. When the error goes to zero the prediction is accomplished, which is the purpose of the model. As cyberspace becomes more and more complex, especially in the cyberspace of the future, more factors will have to be considered in situational awareness research. The variation of the cyberspace situation is analysed dynamically with a pre-trained situational awareness model and the network security information fed into it, forming an abstract level of meaning for cyberspace situational awareness. Through situational prediction based on fuzzy reasoning, the trend of the future security situation can be observed. The whole result set forms a new observation space and makes the training set of the prediction model richer.
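The adaptive-filter predictor described above, as an added example that is not the dissertation's model: a normalised LMS linear predictor with a three-tap delay line plus a bias input stands in for the adaptive filter, the prediction error drives the weight update, and the one-step-ahead forecast is read out once the error has settled. The situation series (a baseline plus a periodic cycle), the number of taps and the step size are constructed assumptions.

```python
"""Adaptive-filter trend prediction of a security situation series.

Added illustration, not the dissertation's model. A normalised LMS (NLMS)
linear predictor with a tap-delay line stands in for the adaptive filter in
the abstract; the situation series below is constructed sample data.
"""
import math


class LmsPredictor:
    """Predicts x[t] from the last `taps` values plus a constant bias input.

    Each step: y = w . u, e = x - y, and the error drives the update
    w += mu * e * u / (eps + |u|^2)  (NLMS, stable for 0 < mu < 2).
    """

    def __init__(self, taps=3, mu=1.0, eps=1e-6):
        if not 0 < mu < 2:
            raise ValueError("mu must lie in (0, 2) for NLMS stability")
        self.taps = taps
        self.mu = mu
        self.eps = eps
        self.w = [0.0] * (taps + 1)     # last weight multiplies the bias input
        self.delay_line = []            # most recent observation first

    def _regressor(self):
        return self.delay_line[:self.taps] + [1.0]

    def ready(self):
        return len(self.delay_line) >= self.taps

    def predict(self):
        """One-step-ahead prediction of the next situation value."""
        if not self.ready():
            raise RuntimeError("delay line not yet filled")
        return sum(wi * ui for wi, ui in zip(self.w, self._regressor()))

    def update(self, actual):
        """Feed an observed value; returns this step's prediction error
        (None while the delay line is still filling)."""
        err = None
        if self.ready():
            u = self._regressor()
            err = actual - self.predict()
            norm = self.eps + sum(ui * ui for ui in u)
            step = self.mu * err / norm
            self.w = [wi + step * ui for wi, ui in zip(self.w, u)]
        # Shift the delay line: newest value in front, oldest dropped.
        self.delay_line.insert(0, actual)
        del self.delay_line[self.taps:]
        return err


def run_predictor(series, taps=3, mu=1.0):
    """Stream `series` through the predictor; returns (errors, next_prediction)."""
    p = LmsPredictor(taps=taps, mu=mu)
    errors = [e for e in (p.update(x) for x in series) if e is not None]
    return errors, p.predict()


def sample_series(n=400, period=10):
    """Constructed situation index in [0.1, 0.9]: a baseline plus a cycle."""
    return [0.5 + 0.4 * math.sin(2 * math.pi * t / period) for t in range(n)]


def mean_abs(xs):
    return sum(abs(x) for x in xs) / len(xs)


if __name__ == "__main__":
    series = sample_series()
    errors, nxt = run_predictor(series)
    print("MAE first 50 steps", round(mean_abs(errors[:50]), 4))
    print("MAE last 50 steps ", round(mean_abs(errors[-50:]), 4))
    true_next = 0.5 + 0.4 * math.sin(2 * math.pi * len(series) / 10)
    print("predicted next", round(nxt, 4), "true next", round(true_next, 4))
```

Normalised LMS is used rather than plain LMS so that the step size does not have to be tuned to the scale of the situation index: the update is divided by the regressor energy, and any `mu` in (0, 2) is stable. On the constructed, noise-free series the error over the last 50 steps falls far below the error over the first 50, which is the "error tends to zero" condition the abstract describes; on real attack data the error floor is set by the noise, and `mu` trades tracking speed against that floor.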
In next-generation networks, and especially in grid computing applications, research on cyberspace security situational awareness is an important new direction. The purpose is to set up a security situational awareness system that helps decision makers comprehend the network security situation and supports them in decision making and command and control. As a hot spot in NGN, the requirements on grid security analysis are even higher. This dissertation introduces a common grid security model; the policy metadata mapping of grid security analysis is based on a knowledge database. The description of security information metadata is very important to grid security, encryption and so on. Any grid infrastructure must bring all its resources under the protection of the grid security architecture and create a digital, tagged resource database to support the various grid applications. These security applications are part of grid development, and are also hot spots in later research on cyberspace security situational awareness.

  • 【Classification code】TP393.08
  • 【Cited by】27
  • 【Downloads】2762