基于攻击图的网络安全评估方法研究*

为了提高网络的整体安全性,提出了基于攻击图的网络安全评估方法。首先,在攻击图的基础上提出了脆弱点依赖图的定义;其次,将影响评估的因素分为脆弱性自身特点、网络环境因素和脆弱性关联关系三部分;最后,按照网络拓扑的规模,采用自下向上、先局部后整体的思想,直观地给出了漏洞、主机和整个网络系统三个层次的脆弱性指数评估值。通过大量反复的实验测试,该方法可以对网络系统存在的脆弱性进行定期的、全面的量化评估,及时发现并弥补网络系统中存在的安全隐患,有效地提升网络系统的生存能力,从而提高网络系统应对各种突发攻击事件的能力,具有重大的理论价值、经济效益和社会意义。

Novel method of evaluating network security based on attack graphs

In order to improve networks’ total security,this paper presented a novel method of assessing network security based on attack graphs.Firstly,it proposed a definition of vulnerability dependence graph based on attack graphs.Secondly,it divided the factors which impact network vulnerability assessment into three parts: the vulnerability character by itself,the network environment and the relationship between vulnerabilities.Finally,according to the size of network topology,using the evaluation policy from bottom to top and from local to global,it gave the vulnerability assessment intuitively in three levels: the vulnerability,the host and the network.Through a large number of repeated laboratory tests,the experimental results show that this method can assess network security efficiently,help network security managers guard the network,which improves networks viability,and improves the ability of responding to sudden attacks.So it has great theoretical value,economic value and social significance.