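Design and Implementation of a Network Security Drill System for Web Applications
Published: 2018-05-07 23:35
Topic: Web applications + virtualization; Reference: University of Chinese Academy of Sciences (School of Engineering Management and Information Technology), 2014 master's thesis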
[Abstract]: Edward Snowden's 2013 exposure of the US National Security Agency's PRISM surveillance program once again made network information security a focus of global attention. Governments have successively launched military research into cyber-warfare technology, and various cyber range projects have been implemented one after another. As governments, enterprises, organizations and individuals increasingly conduct core business and exchange sensitive information through Web applications, 75% of network security incidents occur in these Web applications. Traditional network-layer protection devices such as firewalls and IDS/IPS are no longer sufficient to stop attacks from the application layer, and the steady stream of newly disclosed Web application vulnerabilities makes the need for a network security drill system dedicated to studying Web applications urgent.

The main research content of this thesis includes:

1. Based on a thorough survey of network attack-and-defense drill systems and Web application attack-and-defense techniques in China and abroad, and addressing the problems common in existing drill systems in drill-environment simulation, vulnerability-library updating and effect evaluation, the overall design of a network security drill system for Web applications was completed, and the system's functional modules and operation interface were developed.
2. Virtualization technology is used to simulate real, complex network environments, and a configuration-file-based technique for rapid construction of network scenarios is used to set up all kinds of drill environments quickly.
3. The construction of various vulnerability libraries is analysed, an XML-based, directory-style description method for Web application security vulnerabilities is proposed, and a vulnerability library and an attack-and-defense toolbox for Web application drills are built.
4. For Web application security, the hierarchical analysis model of the effect-evaluation index system is optimized; combining the advantages of the subjective weighting method and the entropy weight method, the weight of each index is determined, improving the accuracy of evaluation.
5. Using the Apache + MySQL + PHP combination, a management subsystem and a drill subsystem with a B/S architecture were developed, achieving good interaction between the system and its users.

This thesis designs and implements a network security drill system for Web applications, and test results show that the system meets its expected design goals. The research results can provide support and reference for researchers in Web application security technology, and help improve the security protection and emergency response capabilities of Web application systems.
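[Degree-granting institution]: University of Chinese Academy of Sciences (School of Engineering Management and Information Technology)
[Degree level]: Master's
[Year degree awarded]: 2014
[Classification number]: TP393.08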
Article ID: 1858982
Article link: http://sikaile.net/guanlilunwen/ydhl/1858982.html