Computer Engineering

• Security Technology •

Complete Attack Graph Automatic Generation Method Based on Attack Pattern

LIU Long a, CHEN Xiu-zhen a, LI Jian-hua b

  1. (a. School of Information Security Engineering; b. School of Electronic Information and Electrical Engineering, Shanghai Jiaotong University, Shanghai 200240, China)
  • Received: 2012-09-19  Online: 2013-10-15  Published: 2013-10-14
  • About the authors: LIU Long (b. 1988), male, master's student, main research interest: network security; CHEN Xiu-zhen (corresponding author), associate professor, Ph.D.; LI Jian-hua, professor, Ph.D.
  • Funding:
    National "973" Program of China (2010CB731403, 2010CB731406); National Natural Science Foundation of China (61071152, 61271316); National Key Technology R&D Program of the 12th Five-Year Plan (2012BAH38B04); Open Project of the State Key Laboratory for Manufacturing Systems Engineering, Xi'an Jiaotong University (sklms2012005)

Abstract (translated from the Chinese): A loop-free attack graph has a simple structure, but building it causes some attack paths to be lost. To address this, the paper defines the concept of a complete attack graph and proposes a method for generating it automatically from attack patterns. Network connectivity is obtained automatically by analyzing firewall configuration files. The attack-pattern knowledge base is extended to improve the modelling of attacker capability, and on this basis a breadth-first forward-search attack graph generation algorithm is designed and a prototype that generates complete attack graphs automatically is implemented. Experimental results show that the method is highly automated and has low time cost, so it can be applied to large networks.

Abstract (authors' English): As the generation of attack graphs without loops leads to missing attack paths, this paper puts forward the concept of the complete attack graph and builds its automatic generation method. It obtains the network connectivity automatically by analyzing the firewall configuration files, to get rid of tedious manual input. Then the attack patterns are enriched to cover almost all network attack types, and based on them an efficient approach to complete attack graph generation is built. In the end, a model that generates complete attack graphs automatically using the algorithm is built. Experimental results show that this method has less time consumption and a high degree of automation, and that it can be applied to large networks.

Key words: network security, vulnerability, attack graph, network connectivity, firewall, attack pattern
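The abstract contrasts a loop-free attack graph with a complete one built by breadth-first forward search over firewall-derived connectivity and an attack-pattern knowledge base. The following is an added illustration written for this page, not the authors' prototype: a toy three-host network, a handful of constructed attack patterns, and a BFS generator that can either keep every derivable edge (complete) or drop edges that would close a loop, so the reader can see which state transition the loop-free variant loses. Host names, ports, vulnerability ids and privilege levels are all assumptions.

```python
from collections import deque

# Constructed toy inputs (not taken from the paper).
# Connectivity as it would be derived from firewall rules: (source, destination, port).
CONNECTIVITY = {("internet", "web", 80), ("web", "db", 3306), ("db", "web", 22)}
# Exposed services per host: host -> {port: vulnerability id}.
SERVICES = {"web": {80: "web-rce", 22: "ssh-weak-cred"}, "db": {3306: "db-rce"}}
# Attack-pattern knowledge base: vulnerability id ->
# (privilege required on the source host, privilege gained on the target host).
PATTERNS = {"web-rce": ("user", "user"), "ssh-weak-cred": ("root", "root"),
            "db-rce": ("user", "root")}
PRIV_RANK = {"user": 1, "root": 2}

def successors(state):
    """Yield (next_state, vuln) for every attack pattern applicable from state."""
    host, priv = state
    for src, dst, port in sorted(CONNECTIVITY):
        vuln = SERVICES.get(dst, {}).get(port)
        if src != host or vuln is None:
            continue
        need, gain = PATTERNS[vuln]
        if PRIV_RANK[priv] >= PRIV_RANK[need]:
            yield (dst, gain), vuln

def reachable(edges, frm, to):
    """True if `to` is reachable from `frm` over the edges found so far."""
    seen, queue = {frm}, deque([frm])
    while queue:
        cur = queue.popleft()
        if cur == to:
            return True
        for s, t, _ in edges:
            if s == cur and t not in seen:
                seen.add(t); queue.append(t)
    return False

def generate(start, complete=True):
    """Breadth-first forward search from the attacker's initial state.
    complete=True keeps every derivable edge; complete=False mimics a
    loop-free generator that discards any edge which would close a cycle."""
    nodes, edges, queue = {start}, set(), deque([start])
    while queue:
        s = queue.popleft()
        for t, vuln in successors(s):
            if not complete and reachable(edges, t, s):
                continue  # this edge would create a loop, so a loop-free graph omits it
            edges.add((s, t, vuln))
            if t not in nodes:
                nodes.add(t); queue.append(t)
    return nodes, edges

if __name__ == "__main__":
    for mode in (True, False):
        n, e = generate(("internet", "user"), complete=mode)
        print("complete" if mode else "loop-free", len(n), "states,", len(e), "edges")
```

On this sample the loop-free graph drops the transition from root on `web` back to root on `db`, which is exactly the kind of path the paper's complete graph is meant to retain.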
