|
|||||
|
|
| 攻击图的两种形式化分析 | |
| 引用本文: | 陈锋,张怡,苏金树,韩文报.攻击图的两种形式化分析[J].软件学报,2010,21(4):838-848. |
| 作者姓名: | 陈锋 张怡 苏金树 韩文报 |
| 作者单位: | 1. 国防科学技术大学,计算机学院,湖南,长沙,410073;第二军医大学,网络信息中心,上海,200433 2. 国防科学技术大学,计算机学院,湖南,长沙,410073 3. 解放军信息工程大学,信息工程学院,河南,郑州,450002 |
| 基金项目: | Supported by the National Natural Science Foundation of China under Grant No.90604006 (国家自然科学基金); the National High-Tech Research and Development Plan of China under Grant No.2008AA01A325 (国家高技术研究发展计划(863)); the National Basic Research Program of China under Grant No.2009CB320503 (国家重点基础研究发展计划(973)) |
| 摘 要: | 攻击图是一种基于模型的网络脆弱性分析技术,可以自动分析目标网络内脆弱性之间的关系和由此产生的潜在威胁.攻击图主要有状态攻击图和属性攻击图两类.前者由于存在状态爆炸问题不适应于大规模网络,目前主要的研究大多是基于后者.基于属性攻击图研究了含圈攻击路径问题和最优弥补集问题.针对含圈攻击路径问题,定义了反映真实攻击想定的n-有效攻击路径,提出了一种计算关键属性集所有n-有效攻击路径的迭代算法;针对最优弥补集问题,在定义了所有的风险源为属性攻击图的初始属性的基础上,将该问题转化为带权重的集合覆盖问题,从而归结为NP完全性问题,提出了可应用于大规模攻击图的具有多项式时间复杂度的近似算法. |
| 关 键 词: | 脆弱性 攻击图 有效攻击路径 最优弥补集 贪婪算法 |
| 收稿时间: | 8/3/2008 12:00:00 AM |
| 修稿时间: | 2009/1/20 0:00:00 |
Two Formal Analyses of Attack Graphs |
|
| CHEN Feng,ZHANG Yi,SU Jin-Shu and HAN Wen-Bao.Two Formal Analyses of Attack Graphs[J].Journal of Software,2010,21(4):838-848. | |
| Authors: | CHEN Feng ZHANG Yi SU Jin-Shu and HAN Wen-Bao |
| Affiliation: | CHEN Feng1,2,ZHANG Yi1,SU Jin-Shu1,HAN Wen-Bao3 1(School of Computer Science,National University of Defense Technology,Changsha 410073,China) 2(Network Information Center,Second Military Medical University,Shanghai 200433,China) 3(Institute of Information Engineering,PLA Information Engineering University,Zhengzhou 450002,China) |
| Abstract: | An attack graph is a model-based vulnerability analysis technology, which can automatically analyze the interrelation among vulnerabilities in the network and the potential threats resulting from the vulnerabilities. Since the state-based attack graphs can not be applied to the real large networks for the combinatorial explosion in the number of attack paths, the study is now shifted to attribute-based. Based on attribute-based attack graphs, this paper discusses the loop attack paths and the optimization security measures. For the former, an iterative algorithm is presented to find all the non-loop attack paths to the key attributes with their depth less than the given number n. For the latter, it is proved to be an NP-complete problem, and the greedy algorithm is proposed to solve the problem with polynomial time complexity. |
| Keywords: | vulnerability attack graph valid attack path optimization security measures greedy algorithm |
| 本文献已被 CNKI 万方数据 等数据库收录! | |
| 点击此处可从《软件学报》浏览原始摘要信息 | |
| 点击此处可从《软件学报》下载全文 | |