面向时延优化的级联漏洞扫描引擎部署策略

doi:10.19678/j.issn.1000-3428.0063950

摘要/Abstract

摘要： 网络规模和漏洞种类的与日俱增，导致集中式漏扫引擎难以在复杂网络结构下有效开展安全评估。级联漏扫方案能显著提升各类网络场景下漏扫引擎的可扩展性，在应对复杂网络结构下的网络安全问题时发挥了巨大作用，但现有的级联漏扫方案未考虑通信时延，导致扫描效率有待提高。提出一种新的级联漏扫引擎部署策略，面向时延优化，将真实网络环境抽象为承载终端设备或漏扫引擎的底层网络拓扑，综合中心控制引擎、局部扫描引擎与目标终端之间的通信时延建立数学模型。通过构造级联系统能量函数，将面向时延优化的级联引擎部署问题转化为系统自由能函数最小值问题，并设计级联协同部署算法进行求解，实现部署策略全局快速寻优，确定漏扫引擎的分布。基于不同的网络规模与拓扑类型，通过仿真实验分析各参数对算法性能的影响，实验结果表明，该算法的时延开销相较Greedy算法平均降低16.2%，验证了该算法在处理复杂网络环境下级联漏扫引擎部署的有效性与优越性。

关键词: 漏洞扫描, 级联漏洞扫描引擎, 时延优化, 部署策略, 级联系统能量函数, 确定性退火算法

Abstract: The growing network size and vulnerability types make it difficult for the centralized leak scanning engine to effectively conduct security assessments under complex network structures.The cascade vulnerability scanning method significantly improves the scalability of the vulnerability scanning engine in all network scenarios, which is crucial in processing network security problems under complex network structures.However, most existing studies on cascade vulnerability scanning engine deploymenthave not been able to optimize the communication delay;this causes poor scanning efficiency.This study proposes a new cascade vulnerability scanning engine deployment strategy.The real network environment is abstracted as the underlying network topology that carries terminal devices or scanning engines for delay optimization.Based on the mathematical model of communication delay between the central control engine, local scanning engine, and target terminal, this study proposes a cascade system energy function.The problem of delay optimization for cascade vulnerability scanning engine deployment can be transformed into system-free energy function minimum value problems.A cascade coordinate deployment algorithm is proposed to realize the global and rapid optimization of the deployment strategy and finally determine the deployment of scanning engines.Based on different network scales and topology types, the simulation results demonstrate algorithm performance and the impact of various indicators.The experimental results indicate that the delay cost of this algorithm is reduced by 16.2% on average compared with Greedy algorithm.The validity and superiority of cascade vulnerability scanning engine deployment strategy in handling complex network environments are verified.

Key words: vulnerability scanning, cascade vulnerability scanning engine, delay optimization, deployment strategy, cascade system energy function, deterministic annealing algorithm

中图分类号:

TP393

谷允捷, 吴长禾, 吴庆, 张伟, 吕天航, 胡琪, 宋晓斌, 闫吉宇. 面向时延优化的级联漏洞扫描引擎部署策略[J]. 计算机工程, 2023, 49(3): 161-167,176.

GU Yunjie, WU Changhe, WU Qing, ZHANG Wei, Lü Tianhang, HU Qi, SONG Xiaobin, YAN Jiyu. Cascade Vulnerability Scanning Engine Deployment Strategy for Delay Optimization[J]. Computer Engineering, 2023, 49(3): 161-167,176.

http://www.ecice06.com/CN/Y2023/V49/I3/161

图/表 5

20230314185459

20230314185502

20230314185506

20230314185509

20230314185512

参考文献

[1] CVE Details[EB/OL].[2022-01-10].https://www.cvedetails.com/.
[2] KUMAR C, BHARATI T S, PRAKASH S.Online social network security:a comparative review using machine learning and deep learning[J].Neural Processing Letters, 2021, 53(1):843-861.
[3] ARAÚJO R, PINTO A, PINTO P.A performance assessment of free-to-use vulnerability scanners-revisited[M]//ICT Systems Security and Privacy Protection.Berlin, Germany:Springer, 2021:53-65.
[4] KHOEI T T, AISSOU G, HU W C, et al.Ensemble learning methods for anomaly intrusion detection system in smart grid[C]//Proceedings of IEEE International Conference on Electro Information Technology.Washington D.C., USA:IEEE Press, 2021:129-135.
[5] MUTHUKUMARAN V, KUMAR V V, JOSEPH R B, et al.Improving network security based on trust-aware routing protocols using long short-term memory-queuing segment-routing algorithms[J].International Journal of Information Technology Project Management, 2021, 12(4):47-60.
[6] DE CARVALHO BERTOLI G, PEREIRA L A, SAOTOME O.Improving detection of scanning attacks on heterogeneous networks with Federated Learning[J].ACM SIGMETRICS Performance Evaluation Review, 2022, 49(4):118-123.
[7] SON J, HONG C.SDN-based packet-forwarding and delay minimization algorithm for efficient utilization of network resources and delay minimization[J].KIISE Transactions on Computing Practices, 2015, 21(11):727-732.
[8] KOWSIGAN M, RAJESHKUMAR J, BARANIDHARAN B, et al.A novel intrusion detection system to alleviate the black hole attacks to improve the security and performance of the MANET[J].Wireless Personal Communications, 2021, 36(7):1-21.
[9] IMRAN M, BASHIR F, TAFRI A R, et al.A systematic review of scalable hardware architectures for pattern matching in network security[J].Computers & Electrical Engineering, 2021, 92:169-174.
[10] EINY S, OZ C, NAVAEI Y D.The anomaly- and signature-based IDS for network security using hybrid inference systems[J].Mathematical Problems in Engineering, 2021, 21(9):1-10.
[11] 王博瑞.分布式漏洞扫描系统的设计与实现[D].西安:西安电子科技大学, 2015. WANG B R.The design and implement of distributed vulnerability scanning system[D].Xi'an:Xidian University, 2015.(in Chinese)
[12] AHMED U, LIN J C W, SRIV ASTAVA G, et al.A resource allocation deep active learning based on load balancer for network intrusion detection in SDN sensors[J].Computer Communications, 2022, 184:56-63.
[13] GOPAL G V, BABU G R M.An ensemble feature selection approach using hybrid kernel based SVM for network intrusion detection system[J].Indonesian Journal of Electrical Engineering and Computer Science, 2021, 23(1):558.
[14] MING L, WANG D X, MIAO Q.Research on monitoring probe deployment in large scale network[C]//Proceedings of International Conference on Information and Network Security.Beijing, China:Institution of Engineering and Technology, 2014:76-83.
[15] HELLER B, SHERWOOD R, MCKEOWN N.The controller placement problem[J].ACM SIGCOMM Computer Communication Review, 2012, 42(4):473-478.
[16] ZHAO Y, HE R, CHEN H, et al.Experimental performance evaluation of software defined networking(SDN) based data communication networks for large scale flexi-grid optical networks[J].Optics Express, 2014, 22(8):9538-9547.
[17] KONDEPU K, SGAMBELLURI A, VALCARENGHI L, et al.Exploiting SDN for integrating green TWDM-PONS and metro networks preserving end-to-end delay[J].Journal of Optical Communications and Networking, 2017, 9(1):67-74.
[18] SCHARDONG F.NFV resource allocation:a systematic review and taxonomy of VNF forwarding graph embedding[J].Computer Networks, 2021, 185(3):726-734.
[19] YU J K, WANG Y, PEI K K, et al.A load balancing mechanism for multiple SDN controllers based on load informing strategy[C]//Proceedings of the 18th Asia-Pacific Network Operations and Management Symposium.Washington D.C., USA:IEEE Press, 2016:1-4.
[20] 秦华, 阎钢.基于OpenFlow网络的数据中心服务器负载均衡策略[J].计算机工程, 2016, 42(3):130-137. QIN H, YAN G.Server load balancing strategy in data center based on OpenFlow network[J].Computer Engineering, 2016, 42(3):130-137.(in Chinese)
[21] QIN Q F, POULARAKIS K, IOSIFIDIS G, et al.SDN controller placement with delay-overhead balancing in wireless edge networks[J].IEEE Transactions on Network and Service Management, 2018, 15(4):1446-1459.
[22] BRANDEAU M L, CHIU S S.An overview of representative problems in location research[J].Management Science, 1989, 35(6):645-674.
[23] 张祥德, 唐青松.确定性退火技术及其在点匹配中的应用[J].东北大学学报(自然科学版), 2003, 24(11):1119-1122. ZHANG X D, TANG Q S.Deterministic annealing and its application to point matching[J].Journal of Northeastern University (Natural Science), 2003, 24(11):1119-1122.(in Chinese)
[24] SOLEYMANIFAR R, BECK A S C, SALAPAKA S, et al.A clustering approach to edge controller placement in software-defined networks with cost balancing[J].IFAC-PapersOnLine, 2020, 53(2):2642-2647.
[25] OBADIA M, BOUET M, ROUGIER J L, et al.A greedy approach for minimizing SDN control overhead[C]//Proceedings of the 1st IEEE Conference on Network Softwarization (NetSoft).Washington D.C., USA:IEEE Press, 2015:1-5.
[26] WANG G D, ZHAO Y X, HUANG J, et al.A K-means-based network partition algorithm for controller placement in software defined network[C]//Proceedings of IEEE International Conference on Communications.Washington D.C., USA:IEEE Press, 2016:1-6.
[27] Vladimir batagelj and andrej mrvar (2006):pajek datasets[EB/OL].[2022-01-10].http://vlado.fmf.uni-lj.si/pub/networks/data/.
[28] Jure leskovec and andrej krevl(2014):SNAP datasets, stanford:large network dataset collection[EB/OL].[2022-01-10].http://snap.stanford.edu/data/.
[29] TOGAY C, KASIF A, CATAL C, et al.A firewall policy anomaly detection framework for reliable network security[J].IEEE Transactions on Reliability, 2022, 71(1):339-347.

选择文件类型/文献管理软件名称

选择包含的内容