计算机科学与探索 (Journal of Frontiers of Computer Science and Technology) ›› 2018, Vol. 12 ›› Issue (2): 263-273. DOI: 10.3778/j.issn.1673-9418.1702013

• Network and Information Security •

Attack Graph Analysis Method for Large Scale Network Security Hardening

ZHAO Chao (赵超)1, WANG Huiqiang (王慧强)1+, LIN Junyu (林俊宇)2, LV Hongwu (吕宏武)1, HAN Jizhong (韩冀中)2

  1. College of Computer Science and Technology, Harbin Engineering University, Harbin 150001, China
  2. Institute of Information Engineering, Chinese Academy of Sciences, Beijing 100000, China
  • Online: 2018-02-01  Published: 2018-01-31

Abstract: Previous attack graph analysis methods suffer from high computational complexity, a single risk assessment criterion, costly hardening strategies, and difficulty in scaling to large network environments. To address these problems, this paper proposes a heuristic attack graph analysis method for large scale network security hardening. The method assesses the risk of potential attacks by combining attack path length with Common Vulnerability Scoring System (CVSS) scores, limits the search scope with a threshold, and uses a heuristic algorithm to reduce the time complexity of generating hardening strategies. Experimental results show that the method significantly reduces the cost of network security hardening within a reasonable running time, scales well, and is suitable for large scale networks.

Key words: attack graph, network security hardening, heuristic algorithm, vulnerability
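The three steps the abstract describes (risk-scoring attack paths from path length and CVSS, limiting the search with a threshold, and picking a cheap hardening set heuristically), as an added Python illustration that is not code from the paper. The attack graph, CVSS scores and patch costs are constructed, and the product-of-likelihoods risk formula and the greedy paths-cut-per-cost rule are assumptions standing in for the paper's own definitions, which this page does not give.

```python
# Added illustration, not the paper's code. Graph, CVSS scores and patch costs
# are constructed; the risk formula and the greedy rule are assumptions.
# Edge (from_host, to_host, vuln): an attacker on from_host reaches to_host by
# exploiting vuln. CVSS holds base scores, COST a fictional patching effort.
EDGES = [
    ("internet", "web", "v1"), ("web", "app", "v2"), ("web", "db", "v3"),
    ("app", "db", "v4"), ("internet", "vpn", "v5"), ("vpn", "db", "v6"),
]
CVSS = {"v1": 9.8, "v2": 7.5, "v3": 5.3, "v4": 8.8, "v5": 6.5, "v6": 9.0}
COST = {"v1": 3.0, "v2": 2.0, "v3": 1.0, "v4": 4.0, "v5": 1.5, "v6": 2.5}


def attack_paths(edges, source, target):
    """Enumerate simple paths from source to target, each as the ordered
    list of vulnerabilities exploited along the way."""
    adj = {}
    for src, dst, vuln in edges:
        adj.setdefault(src, []).append((dst, vuln))
    paths = []

    def walk(host, visited, vulns):
        if host == target:
            paths.append(vulns)
            return
        for nxt, vuln in adj.get(host, []):
            if nxt not in visited:  # simple paths only, no revisits
                walk(nxt, visited | {nxt}, vulns + [vuln])

    walk(source, {source}, [])
    return paths


def path_risk(path, cvss):
    """Assumed risk model: product of per-step likelihoods (CVSS/10), so a
    longer chain of exploits scores lower than a short one."""
    risk = 1.0
    for vuln in path:
        risk *= cvss[vuln] / 10.0
    return risk


def greedy_hardening(paths, cvss, cost, threshold):
    """Keep only paths whose risk reaches the threshold, then repeatedly patch
    the vulnerability with the best paths-cut-per-cost ratio until none remain."""
    risky = [p for p in paths if path_risk(p, cvss) >= threshold]
    chosen = []
    while risky:
        candidates = sorted({v for p in risky for v in p})
        best = max(candidates, key=lambda v: sum(v in p for p in risky) / cost[v])
        chosen.append(best)
        risky = [p for p in risky if best not in p]  # patching cuts the path
    return chosen
```

With threshold 0.55 the two-hop path through `v3` falls below the cut-off and is ignored, so the greedy pass patches only `v5` and `v2`; lowering the threshold to 0 brings it back into scope and adds `v3` to the hardening set.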