基于分布并行处理的攻击图构建方法研究

doi:10.3969/j.issn.1000-1093.2012.01.018

兵工学报 ›› 2012, Vol. 33 ›› Issue (1): 109-115.doi: 10.3969/j.issn.1000-1093.2012.01.018

基于分布并行处理的攻击图构建方法研究

马俊春^1,2, 孙继银²，王勇军¹, 赵宝康¹，陈珊³

(1.国防科学技术大学计算机学院，湖南长沙 410073; 2. 第二炮兵工程学院，陕西西安 710025；3.中国人民解放军96617部队，四川泸州 646000)

收稿日期:2010-10-10 修回日期:2010-10-10 上线日期:2014-03-04
作者简介:马俊春(1983—)，女，博士研究生
基金资助:
国家863项目（2009AA01Z432）；国家自然科学基金项目（60873215）

Study of Attack Graph Construction Based on Distributed Parallel Processing

MA Jun-chun^1,2， SUN Ji-yin²， WANG Yong-jun¹， ZHAO Bao-kang¹, CHEN Shan³

(1.School of Computer Science, National University of Defense Technology, Changsha 410073, Hunan, China;2.The Second Artillery Engineering Institute, Xi’an 710025, Shaanxi, China；3.The PLA 96617 Troops, Luzhou 646000, Sichuan, China)

Received:2010-10-10 Revised:2010-10-10 Online:2014-03-04

摘要/Abstract

摘要： 针对大规模复杂网络系统安全性分析中存在的问题，提出一种基于分布并行处理的攻击图构建方法。首先，该方法站在防御者的角度，将所有具有脆弱性的主机作为攻击目标，采用正向、广度优先搜索的策略构建攻击图，解决了已有方法中的攻击目标固定、单一的问题；其次，重点研究了脆弱性分析优化处理技术，从分布并行处理的角度将不同区域的目标网络进行脆弱性分析任务划分，通过多网络脆弱性分析引擎的分布并行处理技术来满足扩展性的要求，解决了已有方法存在的复杂度高、扩展性能低，难以适用于大规模复杂网络系统的问题；最后，采用限制攻击步骤数的优化策略，解决了攻击图生成过程中存在的状态爆炸问题。实验结果表明，该方法可以提高攻击图生成的效率，并且能大大降低攻击图生成时的系统资源消耗，而且本文所提方法对于大规模复杂网络系统的整体安全性具有应用价值。

关键词: 计算机系统结构, 大规模网络, 网络安全, 攻击图, 分布并行处理

Abstract: In order to resolve the existed problems when analyzing large and complex network systems, a novel attack graph construction method is proposed which is based on distributed parallel processing technology. Firstly, from the defender's point of view, all the vulnerable hosts are considered as attack targets, using positive, breadth-first search strategy to construct attack graph, which resolves the problem of which the attack target is defined and single in the existed methods. Secondly, the optimization technology is researched, and the total network is divided into different areas, through multi-engine parallel processing technology, to meet the distribution scalability requirements, the problem of existed methods with high complexity and low scalability is resolved, and which is difficult for large-scale complex network. Finally, the optimization strategy, limited number of attack steps is used, which resolves the existing state explosion problem when constructing the attack graph. Experimental results show that this method can improve the efficiency of attack graph’s generation, and reduce the system resource consumption greatly, and it has value for assessing the security of large-scale complex network.

Key words: computer system architecture, large-scale network, network security, attack graph, distributed parallel processing

中图分类号:

TP393

马俊春, 孙继银，王勇军, 赵宝康，陈珊. 基于分布并行处理的攻击图构建方法研究[J]. 兵工学报, 2012, 33(1): 109-115.

MA Jun-chun， SUN Ji-yin， WANG Yong-jun， ZHAO Bao-kang, CHEN Shan. Study of Attack Graph Construction Based on Distributed Parallel Processing[J]. Acta Armamentarii, 2012, 33(1): 109-115.

参考文献

［1］ Ortalo R, Dewarte Y, Kaaniche M. Experimenting with quantitative evaluation tools for monitoring operation security[J]. IEEE Transactions on Software Engineering, 1999, 25(9-10): 633-650.
［2］陆余良, 夏阳. 主机安全量化融合模型研究[J]. 计算机学报,2005,5(28): 914-920.
LU Yu-liang, XIA Yang. Research on target-computer secure quantitative fusion model[J]. Chinese Journal of Computers, 2005, 5(28): 914-920. (in Chinese)
［3］冯萍慧, 连一峰, 戴英侠, 等. 面向网络系统的脆弱性利用成本估算模型[J]. 计算机学报, 2006, 8(29): 1375-382.
FENG Ping-hui, LIAN Yi-feng, DAI Ying-jie, et al. An evaluation model of vulnerability exploitation cost for network system[J]. Chinese Journal of Computers, 2006, 8(29): 1375-382. (in Chinese)
［4］ Cuppens F. Alert correlation in a cooperative intrusion detection framework[C]∥Proceedings of the 2002 IEEE Symposium on Security and Privacy, Washington, DC: IEEE Computer Society, 2002.
［5］ Ning P, Xu D. Learning attack strategies from intrusion alerts[C]∥Proceedings of the 10 ACM Conference on Computer and Communications Security. New York: ACM Press, 2003: 200-209.
［6］ Swiler L P, Phillips C, Ellis D, et al. Computer-attack graph generation tool[C]∥Proceedings DARPA Information Survivability Conference and Exposition (DISCEX II’01), Vol 2. Anaheim: IEEE Computer Society, 2001: 1307- 1321.
［7］ Swiler L P, Phillips C, Gaylor T. A graph-based network-vulnerability analysis system, SAND97-3010/1[R]. Sandia National Laboratories, Albuquerque, New Mexico and Livermore: 1998.
［8］ Ritchey R, Ammann P. Using model checking analyze network vulnerability[C]∥Proceedings of IEEE Symposium on Security and Privacy. 2001:156-165.
［9］ Sheyner O, Haines Jha S. Automated generation and analysis of attack graph[C]∥Proceedings of IEEE Symposium on Security and Privacy. 2002:273-284.
［10］王永杰, 鲜明, 刘进, 等. 基于攻击图模型的网络安全评估研究[J]. 通信学报, 2007,28(3):29-34.
WANG Yong-jie, XIAN Ming, LIU Jin, et al. Study of network security evaluation based on attack graph model[J]. Journal of Communications, 2007,28(3):29-34. (in Chinese)
［11］ Michener J. System insecurity in the internet age [J]. IEEE Software, 1999, 16(4): 62-69.
［12］ CAPEC. Common attack pattern enumeration and classification[EB/OL]. (2009-04-15)[2010-09-26]. http:∥www.capec.mitre.org.

[1]	李旭，仇颂清，彭进霖，王聪. 一种改进的移动自组织网多路径路由协议[J]. 兵工学报, 2016, 37(11): 2022-2028.
[2]	曹敬瑜, 柴玮岩, 王博, 郭永红. 嵌入式分布计算环境下的高效软件构件化框架研究[J]. 兵工学报, 2013, 34(4): 451-458.
[3]	刘天华，朱宏峰. 一种基于树结构的分布式组密钥协商协议[J]. 兵工学报, 2012, 33(6): 702-705.
[4]	钱玉文 , 宋华菊, 孔建寿, 朱晓妹. 一种基于网络隐蔽时间信道的网络指纹模型研究[J]. 兵工学报, 2012, 33(1): 19-25.

基于分布并行处理的攻击图构建方法研究

Study of Attack Graph Construction Based on Distributed Parallel Processing

PDF

可视化

摘要/Abstract

引用本文

使用本文

参考文献

相关文章 4

编辑推荐

Metrics

本文评价