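Research on Key Technologies of Multi-Dimensional Dynamic Risk Assessment for Network Security
Topic: network security + risk assessment; Source: Northwest University, 2016 doctoral dissertation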
[Abstract]: With the rapid development of new technologies such as the Internet of Things, cloud computing and the mobile Internet, network security has taken on new characteristics of wide coverage and high complexity. How to further improve the security of China's networks has become an urgent problem and has risen to the level of national strategy. Looking at future trends, every domain (land, sea, air and space) will be connected to networks, so that cyberspace and real-world national security become highly unified. Network security risk assessment is the foundation and prerequisite for safeguarding network security, and has been listed as one of the key tasks of China's network security assurance work. Research on network security risk assessment methods has important practical significance and broad application prospects for improving China's network security assurance. Traditional network security risk assessment methods mostly make a static, preliminary assessment of security risk, and rarely consider the dynamic influence on security risk of factors such as the attack events the network is currently suffering, the patch remediation level and code exploitability. To address this, this dissertation studies network security risk assessment from a dynamic perspective along two dimensions, host and network, and proposes a new network security multi-dimensional dynamic risk assessment framework, NSMDRA, which comprises 3 assessment stages (risk identification, risk assessment and risk management) and 9 assessment steps. The key technologies involved in the framework are studied in depth and systematically, mainly in the following four aspects:

(1) Two deep-learning-based risk identification models are proposed. To address the problem that current IDSs detect too slowly when faced with massive data, a support vector machine intrusion detection model based on an autoencoder network, AN-SVM, is proposed. First, multi-layer unsupervised restricted Boltzmann machines (RBMs) map the high-dimensional, nonlinear raw data to a low-dimensional space, establishing an autoencoder network structure with a bidirectional mapping between the high-dimensional and low-dimensional spaces. Then an autoencoder weight fine-tuning algorithm based on the BP algorithm reconstructs the optimal high-dimensional representation of the low-dimensional data. Finally, the SVM classification algorithm performs intrusion recognition on the resulting optimal low-dimensional representation of the raw data. Experiments verify that the model reduces the training time and testing time of classification in the intrusion detection model. To address the problem that traditional shallow machine learning methods cannot effectively classify massive intrusion data, an intrusion detection model based on a deep belief network, DBNIDM, is proposed. First, the contrastive divergence algorithm trains each RBM network layer by layer from the bottom up, mapping large amounts of high-dimensional, nonlinear unlabeled data to an optimal low-dimensional representation. Then the BP algorithm classifies the low-dimensional representation output by the RBM network, top-down and with supervision. Compared with traditional shallow learning methods, the model improves classification accuracy for massive intrusion data in high-dimensional, nonlinear spaces.

(2) A hierarchical vulnerability remediation model based on vulnerability type clustering is proposed. First, because the CVSS method does not consider the dynamic influence of patch remediation level and code exploitability on vulnerability severity assessment, a dynamic comprehensive quantitative scoring method for vulnerability severity, VDSS, is proposed; it assesses vulnerability severity accurately and provides a more precise basis for choosing a vulnerability remediation strategy. Then a PSO-Kmeans based clustering method for vulnerability information is proposed: the PSO algorithm obtains the global cluster centers, the K-means algorithm clusters the vulnerability information, and the threat factor of each vulnerability type is then calculated. Finally, because traditional vulnerability remediation strategies make it difficult to determine the remediation priority of vulnerabilities at the same severity level, the vulnerabilities of the target host are divided hierarchically and a hierarchical vulnerability remediation method based on vulnerability type is proposed. Experiments show that the model can provide users with a fine-grained vulnerability remediation strategy.

(3) A dynamic risk assessment model based on Bayesian attack graphs is proposed. Existing attack graph models do not fully consider the dynamic influence of real-time network attack events on the confidence of each attribute node, so a dynamic risk assessment model based on Bayesian attack graphs, DRABAG, is proposed. The model uses a Bayesian belief network to build a probabilistic attack graph that describes the causal relationships between the multi-step atomic attacks in an attack. Common Vulnerability Scoring System metrics are used to calculate the probability that a vulnerability is exploited successfully, and local conditional probability distribution tables are used to assess the static security risk of attribute nodes. Then, combined with the real-time attack events observed by the intrusion detection system, Bayesian inference dynamically updates the posterior probability of single-step attack behaviour. Experiments show that the model can assess the security of the target network more accurately and effectively and can infer the attack path with the maximum cumulative probability, providing a basis for selecting the optimal security protection strategy.

(4) An optimal security protection strategy selection model based on Bayesian attack graphs is proposed. To address the question of how to use an optimization algorithm to select the optimal security protection strategy effectively, an optimal security protection strategy selection model based on Bayesian attack graphs, HMS-BAG, is proposed. Based on the dynamic risk assessment results, a protection-strategy-oriented Bayesian attack graph and four protection operations are defined, and the probabilities after protective measures are implemented are calculated. Economic indicators for protection cost and attack benefit, and methods for quantifying them, are then constructed. Cost-benefit analysis is used to describe the protection strategy selection problem formally, a particle-swarm-based algorithm for selecting the optimal security protection strategy is proposed, and the selected optimal protection strategy is applied to the attack path with the maximum cumulative probability. Experiments show that the optimal protection strategy selected by the HMS-BAG model reduces network security risk most effectively under a limited protection cost.
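The static-then-dynamic assessment summarized in contribution (3), as an added example that is not the dissertation's own code: it computes each node's static compromise probability on a small Bayesian attack graph, then updates it when an IDS alert fixes one node as compromised. The graph, node names and probabilities are constructed, and the CVSS v2 mapping (exploitability subscore divided by 10) and the AND / noisy-OR conditional tables are assumptions taken from common practice, not from this page.

```python
import math
from itertools import product

def cvss2_exploit_prob(av, ac, au):
    """Assumed mapping: CVSS v2 exploitability (20*AV*AC*Au, range 0-10) / 10."""
    return min(1.0, 2.0 * av * ac * au)

# Constructed graph: node -> (kind, {parent: exploit success probability}).
# Node names and probabilities are hypothetical; keys are in topological order.
GRAPH = {
    "attacker":  ("ROOT", {}),
    "web_shell": ("OR",  {"attacker": cvss2_exploit_prob(1.0, 0.61, 0.704)}),
    "db_creds":  ("OR",  {"attacker": 0.3, "web_shell": 0.6}),
    "db_root":   ("AND", {"web_shell": 0.5, "db_creds": 0.9}),
}
ROOT_PRIOR = 0.7  # assumed prior probability that an attacker is present
ORDER = list(GRAPH)

def lcpd(node, state):
    """Local conditional probability P(node=1 | states of its parents)."""
    kind, parents = GRAPH[node]
    if kind == "ROOT":
        return ROOT_PRIOR
    active = [e for parent, e in parents.items() if state[parent]]
    if kind == "AND":  # every precondition must hold and every exploit succeed
        return math.prod(active) if len(active) == len(parents) else 0.0
    return 1.0 - math.prod(1.0 - e for e in active)  # noisy-OR

def joint(state):
    p = 1.0
    for node in ORDER:
        p1 = lcpd(node, state)
        p *= p1 if state[node] else 1.0 - p1
    return p

def probability(target, evidence=None):
    """P(target=1 | evidence) by exact enumeration (fine for small graphs)."""
    evidence = evidence or {}
    num = den = 0.0
    for bits in product((0, 1), repeat=len(ORDER)):
        state = dict(zip(ORDER, bits))
        if all(state[k] == v for k, v in evidence.items()):
            w = joint(state)
            den += w
            num += w * state[target]
    return num / den

if __name__ == "__main__":
    print(probability("web_shell"), probability("web_shell", {"db_creds": 1}))
```

Exact enumeration costs 2^n joint evaluations, so a graph of realistic size needs a proper inference algorithm in its place.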
[Degree-granting institution]: Northwest University
[Degree level]: Doctoral
[Year degree granted]: 2016
[Classification number]: TP393.08
Article ID: 2022660
Article link: https://www.wllwen.com/shoufeilunwen/xxkjbs/2022660.html