
网络安全风险评估关键技术研究

Research on Key Technologies of Network Security Risk Assessment

【Author】 Wu Jinyu

【Supervisor】 Fang Binxing

【Author information】 Beijing University of Posts and Telecommunications, Computer Science and Technology, 2013, PhD

【Abstract (translated from the Chinese)】 With the rapid development of computer and network technology, computers and networks have penetrated politics, the economy, the military and society at large, but the accompanying network security problems have become increasingly prominent. To cope with these increasingly serious problems, a variety of network security defense and control technologies have emerged. Network security risk assessment, as a proactive defense technology, analyzes and evaluates the security risks and hidden dangers of a system before a security incident occurs, so that precautions can be taken in advance; while a security incident is in progress it analyzes and evaluates the threat situation in time, and appropriate risk control measures are taken on the basis of the assessment results, so that the spread of the threat can be contained promptly. Accurate and efficient network security risk assessment is therefore of great significance for ensuring the security of networks and information systems. Building on an analysis of existing work, this dissertation conducts in-depth research on the key technologies of network security risk assessment in the following three areas.

In qualitative assessment, two important problems in attack graph analysis are addressed: the optimal atomic-attack repair set problem and the optimal initial-condition repair set problem. The atomic-attack split weighted attack graph and the initial-condition split weighted attack graph are defined, the two problems are reduced respectively to the minimum S-T cut problem in each of these graphs, and the equivalence of the reductions is proved. On this basis, network-flow-based algorithms of polynomial complexity are proposed. Experiments show that, compared with existing results, the algorithms have higher performance and good scalability and can be applied to the analysis of large-scale attack graphs.

In quantitative assessment: (1) Because existing Bayesian attack graph models cannot express the influence of the network operating environment on the likelihood of attacks, a generalized Bayesian attack graph model is proposed. The model covers the various possibilities of an attacker exploiting vulnerabilities in the network or information system to launch single-step or multi-step attacks, the uncertainty of attack occurrence, and the influence of environmental factors on attack likelihood. While retaining the existing advantages of Bayesian attack graphs, it extends their semantics by introducing attack gain and threat state variables, so that the generalized Bayesian attack graph can incorporate the influence of the business application environment and environmental threat information of the assessed network or information system on attack likelihood, together with the propagation of these influences over the generalized Bayesian network, and thus reflects the real likelihood of network attacks more faithfully. (2) A hierarchical quantitative assessment method based on the generalized Bayesian attack graph is proposed. The method uses the generalized Bayesian attack graph to express the various possibilities of attackers exploiting vulnerabilities in the assessed network or information system to launch single-step or multi-step attacks, the uncertainty of attack occurrence, and the influence of environmental factors on attack likelihood. On the basis of the constructed graph, methods are proposed for computing attack probability at three levels (node, host and network) and risk values at the same three levels, so that security administrators can understand the security risk of the network at the node, host and network levels. Experiments show that the method fits the real attack likelihood of the assessed network or information system more closely, making the assessment results more objective and accurate. Both theory and experiments show that the existing method based on Bayesian attack graphs is a special case of this method, which therefore has wider applicability.

In real-time assessment: (1) To address the large numbers of false positives and false negatives in the alerts produced by intrusion detection systems, a D-S evidence attack graph model is proposed. Using D-S evidence theory, the model fuses the evidence obtained from security alerts onto the associated nodes of the attack graph, propagates belief forward and backward through the attack graph, updates the prediction support factors and posterior support factors of the corresponding nodes, and then computes node attack certainty and node prediction certainty. The model exploits both the ability of D-S evidence theory to fuse uncertain information and the correlation between vulnerability exploits in the attack graph, so that it can effectively suppress the false positives and false negatives present in security alerts. (2) An incremental real-time assessment method based on the D-S evidence attack graph model is proposed. Spatially the method is divided into four layers (detection, attack graph, host and network), and temporally into an initialization phase and a real-time update phase. Because it uses the D-S evidence attack graph model to suppress false positives and false negatives, correlates and fuses security alerts, and then computes attack certainty and prediction certainty at the node, host and network levels, the method can accurately reconstruct attack scenarios and predict attack behavior, compute the corresponding threat values and the final network security situation value, and thus obtain the security threat situation of the network or information system at the node, host and network levels; its functionality is complete. Since the method is incremental and has linear algorithmic complexity, its real-time performance is high. Experiments show that the method reconstructs attack scenarios and predicts attack behavior objectively and accurately, yields a real-time network security threat situation consistent with the actual situation, and has high performance and scalability, so it can be applied to the real-time assessment of large-scale networks or information systems.

【Abstract】 With the rapid development of computer and network technology, computers and networks play an increasingly important role in politics, the economy, the military and social life. At the same time, network security problems have become increasingly prominent, and a variety of network security defense and control technologies have emerged to deal with them. As a proactive defense technology, network security risk assessment is used to assess the security risks of a network or information system before security events occur and to assess the threat situation while they are occurring, so that appropriate risk control measures can be taken on the basis of the assessment results. Effective and efficient network security risk assessment methods are therefore of great significance for protecting networks and information systems. Building on a study of related work, we carried out in-depth research on the key technologies of network security risk assessment. The major contributions of the dissertation are as follows.

On the aspect of qualitative assessment, we discussed two important problems in attack graph analysis: the optimal atomic-attack repair set problem and the optimal initial-condition repair set problem. We defined the Atomic-attack Split Weighted Attack Graph (ASWAG) and the Initial-condition Split Weighted Attack Graph (ISWAG) and converted the two problems into the minimum S-T cut problems in ASWAG and ISWAG respectively; the conversions were proved to be equivalent. Two network-flow-based algorithms with polynomial time complexity were proposed. Experimental results showed that the algorithms are more efficient and scale better than existing methods, so they can be used to analyze large-scale attack graphs.

On the aspect of quantitative assessment, our work includes two parts. (1) We proposed the Generalized Bayesian Attack Graph (GBAG) model, because the existing Bayesian Attack Graph (BAG) model cannot express the impact of environmental factors on the probabilities of attacks. The GBAG model covers attackers exploiting vulnerabilities to launch multi-step attacks, the uncertainty of the attacks, and the impact of environmental factors on attack probabilities. Its semantics extend those of BAG by introducing attack gains and threat state variables while retaining the advantages of BAG, so the GBAG model reflects the true attack probabilities more objectively. (2) We proposed a hierarchical quantitative assessment method based on GBAG. The method uses GBAG to model attackers exploiting vulnerabilities to launch multi-step attacks, the uncertainty of the attacks, and the impact of environmental factors on attack probabilities. Node attack probabilities, node risk values, host attack probabilities, host risk values, network attack probabilities and the network risk value are computed from the constructed GBAG, so that security administrators can understand the security situation at all three levels. Experimental results show that the results of our method are consistent with the real situation, i.e. the method gives more objective and accurate results, and theoretical and experimental proofs show that the BAG-based method is a special case of our method, so our method has a wider range of applications.

On the aspect of real-time assessment, our work also includes two parts. (1) False positives and false negatives are prevalent in the alerts generated by intrusion detection systems. We proposed the D-S evidence Attack Graph Model (DSAGM) to deal with the problems they cause in real-time assessment. Alerts are assigned certainty factors, and the D-S combination rule is used to combine the related alerts corresponding to the same node in the attack graph. Credibility is propagated forward and backward through the attack graph, the prediction support factors and posterior support factors of the related nodes are updated, and the node attack certainty factors and prediction attack certainty factors are then updated. The model not only takes advantage of the uncertain-information fusion capability of D-S evidence theory but also makes use of the relationships between vulnerability exploits in the attack graph, so it can effectively deal with the problems caused by false positives and false negatives. (2) We proposed an incremental real-time assessment method based on DSAGM. The framework of the method has four layers (detection layer, attack graph layer, host layer and network layer) and two phases (initialization phase and real-time phase). The method uses DSAGM to deal with false positives and false negatives and computes the attack certainty factors and prediction attack certainty factors of each node, each host and the network, so it can accurately reconstruct the attack scene and predict future attack behaviors. The corresponding threat values and the final network security awareness value are computed, so that security administrators can understand the threat situation at the node, host and network levels. The method is incremental and its algorithms have linear complexity, so it is very efficient. Experimental results show that the method reconstructs the attack scene and predicts future attack behaviors accurately and objectively, and yields a network security awareness value consistent with the real-time network security threat situation; it is efficient and scales well, so it can be applied to the real-time assessment of large-scale networks or information systems.
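The qualitative-assessment contribution above reduces the optimal atomic-attack repair set problem to a minimum S-T cut in the atomic-attack split weighted attack graph. The following Python is an added illustration of that reduction, not code from the dissertation: each atomic attack is split into an in/out node pair whose edge capacity is its repair cost, all dependency edges get infinite capacity, and an Edmonds-Karp max flow is run so that the split edges crossing the min cut are the cheapest set of attacks to remediate. The attack graph, node names and repair costs are constructed for the example, and it assumes that every path from the initial conditions to the goal passes through at least one atomic attack.

```python
from collections import defaultdict, deque
INF = float("inf")

def build_aswag(initial, attacks, goal):
    """ASWAG capacity map. attacks: {name: (preconditions, postcondition, repair_cost)}. Each atomic
    attack a becomes a_in -> a_out with capacity = repair cost; every other edge is infinite."""
    cap = defaultdict(lambda: defaultdict(float))
    def add(u, v, c):
        cap[u][v] += c
        cap[v][u] += 0  # make sure the reverse (residual) edge exists
    for cond in initial:
        add("S", cond, INF)
    for name, (pres, post, cost) in attacks.items():
        add(name + "_in", name + "_out", cost)
        for pre in pres:
            add(pre, name + "_in", INF)
        add(name + "_out", post, INF)
    return cap

def max_flow_min_cut(cap, s, t):
    """Edmonds-Karp on the residual graph; returns (max-flow value, nodes on the s side of a min cut)."""
    total = 0
    while True:
        parent, q = {s: None}, deque([s])
        while q and t not in parent:  # BFS for a shortest augmenting path
            u = q.popleft()
            for v in cap[u]:
                if v not in parent and cap[u][v] > 0:
                    parent[v] = u
                    q.append(v)
        if t not in parent:  # no augmenting path left: the BFS-visited set is the s side of the cut
            return total, set(parent)
        path, v = [], t
        while parent[v] is not None:
            path.append((parent[v], v))
            v = parent[v]
        b = min(cap[u][v] for u, v in path)  # finite, because some split edge lies on the path
        for u, v in path:
            cap[u][v] -= b
            cap[v][u] += b
        total += b

def optimal_repair_set(initial, attacks, goal):
    # An atomic attack is in the repair set iff its split edge crosses the cut (a_in on S side, a_out not)
    cost, s_side = max_flow_min_cut(build_aswag(initial, attacks, goal), "S", goal)
    return sorted(a for a in attacks if a + "_in" in s_side and a + "_out" not in s_side), cost

# Constructed sample (not from the dissertation): name: (preconditions, postcondition, repair cost)
SAMPLE_ATTACKS = {
    "e1_web_rce": (["c0_internet"], "c1_web_shell", 5), "e2_mail_rce": (["c0_internet"], "c2_mail_shell", 4),
    "e3_web_to_db": (["c1_web_shell"], "goal_db", 3), "e4_mail_to_db": (["c2_mail_shell"], "goal_db", 6),
}
```

For the sample graph the cheapest repair set is not either full "layer" ({e1, e2} or {e3, e4}, cost 9 each) but the mixed cut {e2, e3} with cost 7, which is exactly what the min cut returns.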
