
Research On Dynamic Defense System For Large-Scale Networks--Control And Decision Of The Cyberspace Countermeasure

Posted on: 2004-04-29
Degree: Doctor
Type: Dissertation
Country: China
Candidate: M Y He
Full Text: PDF
GTID: 1118360122461032
Subject: Control theory and control engineering

Abstract/Summary:
In the age of information, a security system does not mean simple, pure protection, but the great rivalry between the Security Officers (SO) and Virtual Attackers (VA). Some cyberspace security systems only give the defense framework, which is the integration of different protection technologies based on the system security management requirements, but not based on an understanding of information rivalry. So these systems cannot effectively solve the decision-making problems which the SOs face in the infowar, nor the problems of distributed security management granularity, massive information processing and dynamic adaptive ability, which SOs face in large-scale networks.

In this dissertation, system dynamic defense and security trend are studied on the basis of cyberspace countermeasure, in order to solve the problems of control and decision in large-scale dynamic defense systems. A new dynamic defense model is proposed under the knowledge of info-rivalry, considering three aspects: defense measure deployment, an attack information decision-making support system, and common competition knowledge. A multiagent-based implementation is also given in the dissertation. The system offers SOs an extensible, adaptive, intelligent environment for security information and knowledge handling. The major contributions of the dissertation are summarized as follows.

(1) The rivalry model is presented to study the security defense problem. The basic aspect is the rivalry between SO and VA, through different layers of information, under two asymmetric information conditions, including two reverse-direction information handling processes. We also use game theory to analyze the dynamic process of the defense system in a large-scale network. A new architecture of dynamic security system is presented based on the model of information rivalry.

(2) A new method of defense measure deployment, based on subdomain segmentation, is presented. In a large-scale security system, subdomain segmentation can effectively improve the granularity of control and observation. By setting border protection in each subdomain, special custom protection is achieved. Subdomain auto-isolation, global policy management and subdomain cooperative protection make the defense system more controllable and self-adaptive.

(3) Based on the rivalry model, the process of attack information handling is studied. For massive, noisy and volatile data, information fusion is the key technology. In the dissertation, a new attack information handling algorithm, combining subdomain alert information fusion and global attack knowledge fusion, is presented. In attack knowledge fusion, a new correlation algorithm, based on a three-layer representation of attack knowledge, is proposed. The problems of information handling, including incomplete information for decision making, incorrect information for analysis and uncertain information for filtering, are considered in the new algorithm. Analysis of anomaly alerts provides an opportunity to learn a new attack, but the related detailed information about that attack is lacking. In our algorithm, a method combining trap-node attack information gathering with anomaly alert queries is presented, creating a new way to learn novel attack modes. In our decision-support system, an analysis framework, including attack path analysis, attack frequency analysis and attack capability analysis, is proposed to meet the Intrusion Response requirement.

(4) The concept of common rivalry knowledge is put forward, which depicts the process from obtaining common security knowledge to discovering local system critical information. Representation, classification and a global reference name standard of the common security knowledge are summarized. Then a new model of system security trend analysis is presented, which combines vulnerability analysis (using the privilege graph analysis method) and attack knowledge analysis (using the goal tree analysis method).
Keywords/Search Tags: dynamic security system for large-scale networks, cyberspace countermeasure, information rivalry model, subdomain segmentation security management, security decision-making support system, anomaly alerts information analysis, common rivalry knowledge