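Network Security Analysis Based on Uncertain Attack Graphs
Published: 2018-06-10 07:35
Topics: uncertain graph + attack graph; Source: Xiangtan University, master's thesis, 2017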
[Abstract]: First, with the rapid development of science and technology, networks have come to play an indispensable role in people's lives. In practice, however, network use runs into many unexpected conditions that make actual data transmission uncertain, and as technology advances, the precision demanded of data keeps rising, so this uncertainty needs to be quantified. Second, an attack graph is a representation of the paths an attacker may take; it captures how the attacker exploits the relationships among vulnerabilities across the whole network environment, and it helps network defenders analyze network security in reverse. Existing attack graph generation algorithms, however, fall short in describing unexpected conditions such as sudden network congestion, network disconnection and network delay, and the question of which of several attack paths that reach the same target node in an attack graph is the more reliable has not yet been studied. To address these two problems, this thesis designs an uncertain attack graph generation algorithm, analyzes the reliability of attack paths in the uncertain attack graph, and, based on attack path reliability and the Top-K attack paths, proposes critical edges and critical vulnerabilities.

The specific research content is as follows. To better analyze the various attacks encountered in a network, we first use a vulnerability scanning tool to collect information on all nodes in the target network topology, and model the network as an uncertain graph according to its topology. Next, based on the uncertain graph model, the thesis designs an algorithm for generating an uncertain attack graph. The algorithm starts from the attacker's target node and, using the information of the nodes connected to it, searches backward for nodes that can be attacked; if an attack succeeds, the node is added to the set of attack nodes, and the algorithm ends when the attacker is found, thereby simulating the generation of the uncertain attack graph. Once the graph has been generated, a depth-first strategy is used to search the uncertain attack graph for the attacker's possible attack paths, and the reliability of each attack path is analyzed. The depth-first search strategy also avoids attack loops during the search, so it models real attacks well and finds reliable attack paths.

In the experiments, as the network grows, the generated uncertain attack graph becomes more complex and the number of attack paths keeps increasing, which makes it harder for defenders to analyze network security. The study finds that nodes on highly reliable attack paths frequently appear in other attacks as well. Attack paths are therefore ranked by reliability, the first K are taken as the Top-K attack paths, and critical edges and critical vulnerabilities are derived from the Top-K attack paths. Once the network security administrator has fixed the critical vulnerabilities, the great majority of attacks fail, which helps defenders analyze and defend against network attacks. Finally, experiments are carried out to verify the correctness of the algorithms proposed in the thesis.
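The pipeline the abstract describes (depth-first path search without loops, per-path reliability, Top-K ranking, critical edge and vulnerability), as an added sketch that is not code from the thesis. It assumes path reliability is the product of independent edge existence probabilities and that the critical edge and vulnerability are the ones occurring most often in the Top-K paths; the abstract does not give these definitions, and the sample graph, probabilities and `VULN-*` labels are constructed.

```python
from collections import Counter
from math import prod

# Constructed sample: (src, dst) -> (edge existence probability, vulnerability label).
EDGES = {
    ("attacker", "web"): (0.9, "VULN-A"),
    ("attacker", "mail"): (0.6, "VULN-B"),
    ("web", "app"): (0.8, "VULN-C"),
    ("mail", "app"): (0.7, "VULN-F"),
    ("web", "db"): (0.3, "VULN-D"),
    ("app", "db"): (0.9, "VULN-E"),
    ("app", "web"): (0.5, "VULN-A"),  # back edge: forms the cycle web -> app -> web
}

def attack_paths(edges, source, target):
    """Depth-first enumeration of loop-free attack paths from source to target."""
    adj = {}
    for u, v in edges:
        adj.setdefault(u, []).append(v)
    paths = []
    def dfs(node, path):
        if node == target:
            paths.append(path)
            return
        for nxt in adj.get(node, []):
            if nxt not in path:  # a node already on the path would close a loop
                dfs(nxt, path + [nxt])
    dfs(source, [source])
    return paths

def reliability(edges, path):
    # Assumption: edges fail independently, so the path holds with the product.
    return prod(edges[(u, v)][0] for u, v in zip(path, path[1:]))

def top_k(edges, source, target, k):
    paths = attack_paths(edges, source, target)
    return sorted(paths, key=lambda p: reliability(edges, p), reverse=True)[:k]

def critical(edges, paths):
    # Assumption: "critical" means most frequent across the given Top-K paths.
    edge_hits, vuln_hits = Counter(), Counter()
    for p in paths:
        for e in zip(p, p[1:]):
            edge_hits[e] += 1
            vuln_hits[edges[e][1]] += 1
    return edge_hits.most_common(1)[0][0], vuln_hits.most_common(1)[0][0]

def without_vuln(edges, vuln):
    """Graph after the given vulnerability is fixed (its edges disappear)."""
    return {e: attrs for e, attrs in edges.items() if attrs[1] != vuln}
```

Re-running `attack_paths` on the output of `without_vuln` shows how much reachability and reliability remain after the critical vulnerability is fixed.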
[Degree-granting institution]: Xiangtan University
[Degree level]: Master's
[Year degree granted]: 2017
[Classification number]: TP393.08