关键词: 安全评估, 变量消元, 贝叶斯网, 量化评估

Abstract: Network security assessment is one of fundamental methods in improving network security. Current assessment methods usually involve manual operations, and require heavy processing overhead. As a result, they are not applicable to large complicated networks and cannot provide fast responses needed. This paper proposes an automated assessment approach to address these issues. Firstly, to automate the evaluation process, it analyzes vulnerability information obtained from multiple vulnerability sources (NVD and Bugtraq, etc.), and then correlates them and builds a large integrated vulnerability database consisting of over 40,000 currently-known vulnerabilities. Secondly, to improve the evaluation efficiency, it proposes a new attack graph generation method by exploring the concept of “atomic domain”, which significantly reduces generation overhead, compared with traditional methods. Furthermore, the paper constructs a Bayesian evaluation model, and proposes a variable elimination based method which exploits to simplify the Bayesian inference in the model. As assigning probability information to a Bayesian attack graph automatically, the proposed method can automate the evaluation process, thus is applicable to large-scale networks and can provide fast responses. In addition, the proposed evaluation method provides quantitative justification for network administrators to quickly respond to the dynamic changes of security situations in large complicated networks.

Key words: security assessment, variable elimination, Bayesian networks, quantitative assessment