
Acta Armamentarii ›› 2012, Vol. 33 ›› Issue (1): 109-115. doi: 10.3969/j.issn.1000-1093.2012.01.018

• Research Brief •

Study of Attack Graph Construction Based on Distributed Parallel Processing

MA Jun-chun1,2, SUN Ji-yin2, WANG Yong-jun1, ZHAO Bao-kang1, CHEN Shan3

  1. School of Computer Science, National University of Defense Technology, Changsha 410073, Hunan, China; 2. The Second Artillery Engineering Institute, Xi’an 710025, Shaanxi, China; 3. The PLA 96617 Troops, Luzhou 646000, Sichuan, China
  • Received: 2010-10-10 Revised: 2010-10-10 Online: 2014-03-04
  • About the author: MA Jun-chun (born 1983), female, doctoral candidate
  • Funding: National 863 Program (2009AA01Z432); National Natural Science Foundation of China (60873215)

Abstract: To address the problems that arise when analyzing the security of large-scale, complex network systems, an attack graph construction method based on distributed parallel processing is proposed. First, the method takes the defender's point of view: all vulnerable hosts are treated as attack targets, and the attack graph is built with a forward, breadth-first search strategy, which resolves the problem that existing methods assume a fixed, single attack target. Second, the work focuses on optimizing vulnerability analysis: the vulnerability analysis task is partitioned across the different regions of the target network, and multiple network vulnerability analysis engines process those regions in a distributed, parallel fashion to meet the scalability requirement. This resolves the high complexity and low scalability that make existing methods hard to apply to large-scale complex network systems. Finally, an optimization strategy that limits the number of attack steps is adopted to resolve the state explosion problem in attack graph generation. Experimental results show that the method improves the efficiency of attack graph generation and greatly reduces the system resources consumed during generation, and that it has practical value for assessing the overall security of large-scale complex network systems.

Key words: computer system architecture, large-scale network, network security, attack graph, distributed parallel processing
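The three ideas in the abstract (per-region vulnerability analysis run in parallel, forward breadth-first construction with every vulnerable host as a target, and a cap on attack steps) can be shown together in a short sketch. This is an added illustration, not code from the paper: the host names, regions, vulnerability labels, reachability map and function names are constructed assumptions, and a thread pool stands in for the distributed analysis engines.

```python
from collections import deque
from concurrent.futures import ThreadPoolExecutor

# Constructed sample network: host -> (region, vulnerability labels)
HOSTS = {
    "web":  ("dmz",    ["VULN-A"]),
    "mail": ("dmz",    []),
    "app":  ("office", ["VULN-B"]),
    "db":   ("core",   ["VULN-C"]),
    "hmi":  ("core",   ["VULN-D"]),
}
# Constructed reachability: source -> hosts it can connect to (app -> web is a cycle)
REACH = {
    "attacker": ["web", "mail"],
    "web": ["app"],
    "app": ["db", "web"],
    "db":  ["hmi"],
}

def analyze_region(region):
    """One analysis 'engine': return {host: vulns} for one region's vulnerable hosts."""
    return {h: v for h, (r, v) in HOSTS.items() if r == region and v}

def analyze_all_regions():
    """Partition the analysis task by region and run the engines in parallel."""
    regions = sorted({r for r, _ in HOSTS.values()})
    vulnerable = {}
    with ThreadPoolExecutor(max_workers=len(regions)) as pool:
        for result in pool.map(analyze_region, regions):
            vulnerable.update(result)
    return vulnerable

def build_attack_graph(start, max_steps):
    """Forward BFS from `start`; every vulnerable host is a target, not one fixed goal."""
    vulnerable = analyze_all_regions()
    edges, seen = [], {start}
    queue = deque([(start, 0)])
    while queue:
        src, depth = queue.popleft()
        if depth == max_steps:          # step limit bounds the explored state space
            continue
        for dst in REACH.get(src, []):
            for vuln in vulnerable.get(dst, []):
                edges.append((src, dst, vuln, depth + 1))
            if dst in vulnerable and dst not in seen:
                seen.add(dst)           # expand each compromised host only once
                queue.append((dst, depth + 1))
    return edges
```

Each returned tuple is (source, target, vulnerability, step), so a defender can read off which hosts become exposed within a given number of steps.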
