基于脆弱性变换的网络动态防御有效性分析方法

doi:10.3969/j.issn.0372-2112.2018.12.027

电子学报 ›› 2018, Vol. 46 ›› Issue (12): 3014-3020.DOI: 10.3969/j.issn.0372-2112.2018.12.027

基于脆弱性变换的网络动态防御有效性分析方法

李立勋^1,2, 张斌^1,2, 董书琴^1,2, 唐慧林^1,2

1. 信息工程大学, 河南郑州 450001;
2. 河南省信息安全重点实验室, 河南郑州 450001

收稿日期:2017-11-28 修回日期:2018-01-25 出版日期:2018-12-25
- 作者简介:
- 李立勋 男,1994年生于四川都江堰.现为信息工程大学硕士研究生.主要研究方向为网络动态防御.E-mail:lilixun_1994@126.com;张斌男,1969年生于河南许昌.现为信息工程大学教授、博士生导师.主要研究方向为网络空间安全.E-mail:zhangbin1969@sohu.com;董书琴 男,1990年生于河北邢台.现为信息工程大学博士研究生.主要研究方向网络安全态势感知.E-mail:dongshuqin377@126.com;唐慧林 男,1981年生于安徽枞阳.现为信息工程大学讲师.主要研究方向为网络安全.E-mail:gogowithsnow@126.com
- 基金资助:
- 河南省基础与前沿技术研究计划项目 (No.2014302903）; 信息保障技术重点实验室开放基金项目 (No.KJ-15-109）; 信息工程大学新兴科研方向培育基金 (No.2016604703）

Effectiveness Analysis Approach Based on Vulnerability Mutation for Network Dynamic Defense

LI Li-xun^1,2, ZHANG Bin^1,2, DONG Shu-qin^1,2, TANG Hui-lin^1,2

1.Information and Engineering University, Zhengzhou, Henan 450001, China;
2.Key Laboratory of Information Security, Zhengzhou, Henan 450001, China

Received:2017-11-28 Revised:2018-01-25 Online:2018-12-25 Published:2018-12-25

摘要/Abstract

摘要： 有效性分析对合理制订最优网络动态防御策略至关重要.首先利用随机抽样模型从脆弱性变换角度给出入侵成功概率计算公式，用于刻画变换空间、变换周期及脆弱性数量对网络入侵过程的影响；然后针对单、多脆弱性变换两种情况，分别给出相应的入侵成功概率极限定理并予以证明，同时给出两种情况下的最优变换空间计算方法；仿真结果表明，增大单条入侵路径上依次攻击的脆弱性数量、减小变换周期可持续提高网络动态防御有效性，而增大变换空间初始可以提升网络动态防御有效性，但是由于入侵成功概率会随变换空间的持续增大而逐渐收敛，在入侵成功概率收敛时，有效性无法持续提高.

关键词: 网络安全, 网络动态防御, 安全策略分析, 入侵成功概率, 动态变换, 脆弱性变换, 随机抽样

Abstract: Effectiveness analysis is critical for making optimal network dynamic defense (NDD) strategies. Firstly, the attack success probability formula is derived by constructing the random sampling model from the perspective of vulnerability mutation, which can depict the influence caused by the mutation space, the mutation period and the number of vulnerabilities on the process of network attack. Then, two limit theorems of attack success probability are given and proved in single and multiple vulnerabilities cases respectively, and the calculating methods of optimal mutation space are given according to the two theorems. The simulation results show that the NDD's effectiveness improves with the mutation period reducing and the number of vulnerability attacked successively on a single attack path growing, meanwhile, although enlarging the mutation space is beneficial to improving the NDD's effectiveness in the beginning, the attack success probability would converge with the persistent enlargement of mutation space, which limits the continuous improvement of NDD's effectiveness.

Key words: cyber security, network dynamic defense, security policy analysis, attack success probability, dynamic mutation, vulnerability mutation, random sampling

中图分类号:

TP393

李立勋, 张斌, 董书琴, 唐慧林. 基于脆弱性变换的网络动态防御有效性分析方法[J]. 电子学报, 2018, 46(12): 3014-3020.

LI Li-xun, ZHANG Bin, DONG Shu-qin, TANG Hui-lin. Effectiveness Analysis Approach Based on Vulnerability Mutation for Network Dynamic Defense[J]. Acta Electronica Sinica, 2018, 46(12): 3014-3020.

参考文献

[1] 蔡桂林,王宝生,王天佐,等.移动目标防御技术研究进展[J].计算机研究与发展,2016,53(5):968-987. CAI Gui-lin,WANG Bao-sheng,WANG Tian-zuo,et al.Research and development of moving target defense technology[J].Journal of Computer Research and Development,2016,53(5):968-987.(in Chinese)
[2] 邬江兴.拟态计算与拟态安全防御的原意和愿景[J].电信科学,2014,30(7):1-7. WU Jiang-xing.Meaning and vision of mimic computing and mimic security defense[J].Telecommunications Science,2014,30(7):1-7.(in Chinese)
[3] ESKRIDGE T C,CARVALHO M M,STONER E,et al.VINE-A cyber emulation environment for MTD experimentation[A].George C.Proceedings of the Second ACM Workshop on Moving Target Defense[C].Denver,Colorado,USA:ACM,2015.43-47.
[4] ZAFFARANO K,TAYLOR J,HAMILTON S.A quantitative framework for moving target defense effectiveness evaluation[A].George C.Proceedings of the Second ACM Workshop on Moving Target Defense[C].Denver,Colorado,USA:ACM,2015.3-10.
[5] OKHRAVI H,RIORDAN J,CARTER K.Quantitative evaluation of dynamic platform techniques as a defensive mechanism[A].Research in Attacks,Intrusions and Defenses[C].New York:Springer,2014.405-425.
[6] ZHUANG R,DELOACH S A,OU X.A model for analyzing the effect of moving target defenses on enterprise networks[A].Robert K A.Cyber and Information Security Research Conference[C].Oak Ridge,TN,USA:ACM,2014.73-76.
[7] 雷程,马多贺,张红旗,等.基于变点检测的网络移动目标防御效能评估方法[J].通信学报,2017,38(1):126-140. LEI Cheng,MA Duo-he,ZHANG Hong-qi,et,al.Performance assessment approach based on change-point detection for network moving target defense[J].Journal on Communications,2017,38(1):126-140.(in Chinese)
[8] HAMLET J R,LAMB C C.Dependency graph analysis and moving target defense selection[A].Peng Liu.Proceedings of the 2016 ACM Workshop on Moving Target Defense[C].Vienna,Austria:ACM,2016.105-116.
[9] CARTER K M,RIORDAN J F,OKHRAVI H.A game theoretic approach to strategy determination for dynamic platform defenses[A].Sushil J.Proceedings of the First ACM Workshop on Moving Target Defense[C].Scottsdale,Arizona,USA:ACM,2014.21-30.
[10] HODA M,SAEED V,WILLIAM K,et al.Markov modeling of moving target defense games[A].Peng Liu.Proceedings of the 2016 ACM Workshop on Moving Target Defense[C].Vienna,Austria:ACM,2016.81-92.
[11] MASON W,SRIDHAR V,MASSIMILIANO A,et al.Moving target defense against DDoS attacks:an empirical game-theoretic analysis[A].Peng Liu.Proceedings of the 2016 ACM Workshop on Moving Target Defense[C].Vienna,Austria:ACM,2016.93-104.
[12] CARROLL T E,CROUSE M,FULP E W,et al.Analysis of network address shuffling as a moving target defense[A].Abbas J.IEEE International Conference on Communications[C].Sydney,Australia:IEEE,2014.701-706.
[13] LUO Y B,WANG B S,CAI G L.Effectiveness of port hopping as a moving target defense[A].Yong-ik Y.International Conference on Security Technology[C].Hainan,China:IEEE,2014.7-10.
[14] 程叶霞,姜文,薛质,等.基于攻击图模型的多目标网络安全评估研究[J].计算机研究与发展,2012,49:23-31. CHENG Ye-xia,JIANG Wen,XUE Zhi,et al.Multi-objective network security evaluation based on attack graph model[J].Journal of Computer Research and Development,2012,49:23-31.(in Chinese)
[15] SUSHIL J,ANUP K G,VIPIN S,et al.Moving Target Defense-Creating Asymmetric Uncertainty for Cyber Threats[M] New York:Springer,2011.117-151.
[16] 陈锋,张怡,苏金树,等.攻击图的两种形式化分析[J].软件学报,2010,21(4):838-848. CHEN Feng,ZHANG Yi,SU Jin-shu,et all.Two formal analyses of attack graphs[J].Journal of Software,2010,21(4):838-848.(in Chinese)

基于脆弱性变换的网络动态防御有效性分析方法

Effectiveness Analysis Approach Based on Vulnerability Mutation for Network Dynamic Defense

PDF

可视化

摘要/Abstract

引用本文

使用本文

参考文献

相关文章 15

编辑推荐

Metrics

[1]	王刚, 陆世伟, 冯云, 刘文斌, 马润年. 网络节点增减下的潜伏型病毒传播行为建模研究[J]. 电子学报, 2022, 50(2): 273-283.
[2]	黄美根, 郁滨. 软件定义WSN规则一致更新研究[J]. 电子学报, 2019, 47(9): 1965-1971.
[3]	李艳, 王纯子, 黄光球, 赵旭, 张斌, 李盈超. 网络安全态势感知分析框架与实现方法比较[J]. 电子学报, 2019, 47(4): 927-945.
[4]	张恒巍, 黄世锐. Markov微分博弈模型及其在网络安全中的应用[J]. 电子学报, 2019, 47(3): 606-612.
[5]	黄健明, 张恒巍. 基于随机演化博弈模型的网络防御策略选取方法[J]. 电子学报, 2018, 46(9): 2222-2228.
[6]	张恒巍, 李涛, 黄世锐. 基于攻防微分博弈的网络安全防御决策方法[J]. 电子学报, 2018, 46(6): 1428-1435.
[7]	张恒巍, 黄健明. 基于Markov演化博弈的网络防御策略选取方法[J]. 电子学报, 2018, 46(6): 1503-1509.
[8]	乔延臣, 云晓春, 张永铮, 李书豪. 基于调用习惯的恶意代码自动化同源判定方法[J]. 电子学报, 2016, 44(10): 2410-2414.
[9]	叶阿勇, 林少聪, 马建峰, 许力. 一种主动扩散式的位置隐私保护方法[J]. 电子学报, 2015, 43(7): 1362-1368.
[10]	刘云, 杨亮, 范科峰, 王勇, 唐仕军. 一种改进的动态用户认证协议[J]. 电子学报, 2013, 41(1): 42-46.
[11]	李鹏;;王汝传;;高德华. 基于模糊识别和支持向量机的联合Rootkit动态检测技术研究[J]. 电子学报, 2012, 40(1): 115-120.
[12]	肖喜;翟起滨;田新广;陈小娟;叶润国. 基于Shell命令和多阶Markov链模型的用户伪装攻击检测[J]. 电子学报, 2011, 39(5): 1199-1204.
[13]	李琦;吴建平;徐明伟;徐恪. 一种前向安全的电子邮件协议[J]. 电子学报, 2009, 37(10): 2302-2308.
[14]	应凌云;冯登国;苏璞睿. 基于P2P的僵尸网络及其防御[J]. 电子学报, 2009, 37(1): 31-37.
[15]	王洪波, 程时端, 林宇. 高速网络超连接主机检测中的流抽样算法研究[J]. 电子学报, 2008, 36(4): 809-818.