發(fā)布時間：2018-06-10 07:35

  本文選題：不確定圖 + 攻擊圖��； 參考：《湘潭大學(xué)》2017年碩士論文

【摘要】：第一,隨著科學(xué)技術(shù)的快速發(fā)展,網(wǎng)絡(luò)在人們生活中扮演著一個不可或缺的角色。但是現(xiàn)實生活中使用網(wǎng)絡(luò)會遇到很多的意外情況,會導(dǎo)致實際數(shù)據(jù)傳輸存在不確定性,并且隨著技術(shù)的發(fā)展,人們對數(shù)據(jù)的精度要求越來越高,因此,我們需要對這種不確定性來進行量化。第二,攻擊圖是模擬攻擊者攻擊路徑的一種展示,它反映出了攻擊者利用整個網(wǎng)絡(luò)環(huán)境中的漏洞關(guān)聯(lián)關(guān)系,可以幫助網(wǎng)絡(luò)防御者逆向分析網(wǎng)絡(luò)安全。但是現(xiàn)有攻擊圖生成算法在描述突發(fā)網(wǎng)絡(luò)擁塞、網(wǎng)絡(luò)斷開、網(wǎng)絡(luò)延遲等意外情況時存在不足;以及在攻擊圖中同樣可以到達目標(biāo)節(jié)點的攻擊路徑,哪一條路徑網(wǎng)絡(luò)更可靠等問題還沒有開始研究。因此,基于這兩個問題,本文設(shè)計了一個不確定攻擊圖生成算法,并對不確定攻擊圖的攻擊路徑的可靠性進行分析,根據(jù)不確定攻擊圖的攻擊路徑可靠性和Top-K攻擊路徑提出了關(guān)鍵邊和關(guān)鍵漏洞。具體研究內(nèi)容如下:為了更好來分析網(wǎng)絡(luò)中遇到的各種攻擊,我們首先使用漏洞掃描工具收集目標(biāo)網(wǎng)絡(luò)拓撲環(huán)境中的所有節(jié)點信息,根據(jù)網(wǎng)絡(luò)拓撲結(jié)構(gòu)建模成不確定圖。其次,本文基于不確定圖模型設(shè)計了一個不確定攻擊圖的生成算法,該算法從攻擊者的目標(biāo)節(jié)點出發(fā),根據(jù)與它連接的節(jié)點信息來逆向分析搜索可攻擊的節(jié)點,如果攻擊成功就把該節(jié)點加入到攻擊節(jié)點集合中,直到找到攻擊者算法結(jié)束,以此模擬生成不確定攻擊圖。當(dāng)生成不確定圖以后,使用深度優(yōu)先的策略來搜索不確定攻擊圖中攻擊者的可能攻擊路徑,并分析每一條攻擊路徑的可靠性,而且使用深度優(yōu)先搜索策略可以避免在搜索過程中攻擊成環(huán)的情況發(fā)生,可以較好的模擬現(xiàn)實攻擊情況和找出可靠的攻擊路徑。實驗過程中,當(dāng)網(wǎng)絡(luò)規(guī)模逐漸增大時,生成的不確定攻擊圖越復(fù)雜,攻擊路徑也會越來越多,不利于防御者對網(wǎng)絡(luò)安全進行分析。研究發(fā)現(xiàn),可靠性高的攻擊路徑中的節(jié)點,會經(jīng)常出現(xiàn)在其他攻擊中,因此對攻擊路徑的可靠性高低進行排序,取前K條攻擊路徑提出了Top-K攻擊路徑,并根據(jù)Top-K攻擊路徑提出了關(guān)鍵邊和關(guān)鍵漏洞。當(dāng)網(wǎng)絡(luò)安全管理員修復(fù)好關(guān)鍵漏洞以后,可以使得絕大部分攻擊失效,可以較好的幫助防御者分析防御網(wǎng)絡(luò)攻擊。最后對我們文中提出的算法正確性進行了相關(guān)的實驗進行驗證。
[Abstract]:First, with the rapid development of science and technology, the network plays an indispensable role in people's lives. However, the use of network in real life will encounter a lot of unexpected situations, which will lead to the uncertainty of the actual data transmission, and with the development of technology, people need more and more accurate data, so, We need to quantify this uncertainty. Secondly, the attack graph is a demonstration of simulating the attacker's attack path. It reflects that the attacker can use the vulnerability association relation in the whole network environment to help the network defender to reverse analyze the network security. However, the existing attack graph generation algorithms have shortcomings in describing unexpected situations such as burst network congestion, network disconnection, network delay, and the attack path that can also reach the target node in the attack graph. The question of which path network is more reliable has not been studied. Therefore, based on these two problems, this paper designs an algorithm for generating uncertain attack graph, and analyzes the reliability of attack path of uncertain attack graph. According to the attack path reliability of uncertain attack graph and Top-K attack path, the critical edges and key vulnerabilities are proposed. The main contents are as follows: in order to better analyze the various attacks encountered in the network, we first collect all the node information in the target network topology environment by using the vulnerability scanning tool, and model it into an uncertain graph according to the network topology structure. Secondly, based on the uncertain graph model, this paper designs an algorithm to generate an uncertain attack graph. The algorithm starts from the target node of the attacker, and according to the information of the node connected with it, the algorithm is used to reverse analyze and search the attacking node. If the attack is successful, the node is added to the set of attack nodes until the end of the attack algorithm is found, and the uncertain attack graph is generated by simulation. When an uncertain graph is generated, a depth-first strategy is used to search for the possible attack path of an attacker in an uncertain attack graph, and the reliability of each attack path is analyzed. Furthermore, the depth first search strategy can avoid the loop attack in the search process, and can simulate the real attack situation and find out the reliable attack path. In the process of experiment, when the network scale increases gradually, the more complex the uncertain attack graph is, the more the attack path will be, which is unfavorable for the defender to analyze the network security. It is found that the nodes in the attack path with high reliability often appear in other attacks, so the reliability of the attack path is sorted, and the Top-K attack path is proposed by taking the first K attack path. According to the Top-K attack path, the critical edges and key vulnerabilities are proposed. When the network security administrator fixes the key holes, it can make most of the attacks invalid, and it can help the defenders to analyze and defend against the network attacks. Finally, the correctness of the proposed algorithm is verified by experiments.
【學(xué)位授予單位】：湘潭大學(xué)
【學(xué)位級別】：碩士
【學(xué)位授予年份】：2017
【分類號】：TP393.08

【參考文獻】

相關(guān)期刊論文 前1條

1 劉強;殷建平;蔡志平;程杰仁;;基于不確定圖的網(wǎng)絡(luò)漏洞分析方法[J];軟件學(xué)報;2011年06期

相關(guān)碩士學(xué)位論文 前3條

1 姜慧;基于攻擊路徑的全局漏洞檢測[D];中國海洋大學(xué);2015年

2 劉敏;基于攻擊圖的網(wǎng)絡(luò)安全評估技術(shù)研究[D];南京理工大學(xué);2015年

3 程葉霞;基于攻擊圖模型的網(wǎng)絡(luò)安全評估技術(shù)的研究[D];上海交通大學(xué);2012年

，

本文編號：2002461