
Research and Implementation of a Knowledge-Base-Based Penetration Testing Assessment Method

Published: 2018-08-25 08:38
[Abstract]: Today nearly every field is closely tied to the network. While the growth of networks has brought convenience, the "hackers" who move through cyberspace have become a serious threat to network security, and penetration testing techniques are the core skill these hackers rely on. From the first generation of "hackers" such as Kevin Mitnick to the more recent "black hat hackers" who work in underground black-market chains for illegal profit, they have usually kept their penetration testing techniques secret, or exchanged them only within a group sharing common interests. "White hat hackers" broke this old pattern: with authorization obtained as a precondition, they carry out practical assessments of a target system or network through penetration testing. As some enterprises with high security requirements began adopting this approach to evaluate their business, networks and systems, penetration-testing-based security assessment has gradually become a popular field.

This thesis studies penetration testing techniques and security assessment methods. Penetration testing is an attack simulation in a real environment, through which security risks that affect the business can be found. A security assessment method is a security risk analysis method whose task is to evaluate the security risks to the business and give corresponding upgrade strategies. Investigation shows that the two have much in common, such as the early-stage analysis of system vulnerabilities and the modeling of system threats, and that both also have problems in the following respects:

(1) Penetration testing generally demands a high degree of adversarial interaction and customization, and requires the penetration testing team to keep analyzing as the operation proceeds; automated penetration testing tools exist only as commercial versions;

(2) Security assessment methods contain many uncertain parameters; for example, when a vulnerability is found in a particular enterprise's network system, it cannot be determined whether any attack can actually affect it, or whether the enterprise's defensive measures can withstand the threat posed by the vulnerability;

(3) In China, both the penetration testing field and the security assessment field lag considerably behind those abroad.

Taking these problems as its starting point, this thesis builds a knowledge base to automate the execution of the penetration testing process and uses the penetration test results to improve the accuracy of security assessment. Combining the two, it studies a knowledge-base-based penetration testing assessment method.

First, on the basis of an in-depth study of penetration testing techniques and combined with the rule tree method, the knowledge base is constructed. Each chain in the knowledge base stores one complete penetration attack process; after preliminary collection of target and vulnerability information, the contents of the knowledge base are invoked to execute the penetration test automatically.

Second, security assessment methods are studied in depth. Based on the results returned by the penetration test, and while satisfying the NIST guidelines, the security assessment process is redesigned so that the assessment values of certain vulnerabilities become determinate. The vulnerability life cycle concept is also applied, which in theory strengthens the correctness of the assessment values, and the correctness of the security assessment can improve further as the knowledge base continues to grow.
[Degree-granting institution]: Jilin University
[Degree level]: Master's
[Year degree granted]: 2014
[Classification number]: TP393.08




Article ID: 2202348
