A Network Security Analysis Method Research Based on Attack Graph

【Author】 崔建清

【Advisor】 陆松年

【Author information】 Shanghai Jiao Tong University, Communication and Information Systems, 2008, Master's

【Abstract】 In some cases a single network node may be secure, or a single behavior may pose no threat, yet vulnerabilities emerge once the intricate connections of the network are taken into account. Such vulnerability is not a reflection of the flaws of individual nodes but a measure of the overall risk of the network system. Network security analysis examines and evaluates the security of the network as a whole and is the foundation for deploying defense strategies. Security analysis of large-scale networks has to be considered as a whole and calls for better solutions, while also taking into account the diversity of analysis methods and the relations among network nodes. This thesis analyzes the basic principles of network security analysis methods, including the concept of the attack graph, the attack tree model, and the modeling of other models. Drawing on research results from China and abroad, it discusses algorithms for the automatic generation of attack paths and compares the strengths and weaknesses of attack-graph-related algorithms. Then, through an in-depth study of attack graph theory, it proposes a prototype of a network security analysis system based on attack graphs, designs the system's five main modules, compares and discusses the implementation details of each module and the techniques or tools required, presents the data structures and data tables needed to develop the modules, analyzes the strategy for security evaluation, and gives the basic framework of the analysis system. Finally, the thesis points out some shortcomings of the proposed prototype and of the research, and indicates directions for future work and areas needing improvement.

【Key words】 network security; attack graph; security analysis; vulnerability
  • 【Classification number】 TP393.08
  • 【Citation count】 7
  • 【Download count】 453