
Research On A Novel Method For Vulnerability Assessment And Its Application In IMS

Posted on: 2010-02-02
Degree: Doctor
Type: Dissertation
Country: China
Candidate: Y L Wang
Full Text: PDF
GTID: 1118360308962198
Subject: Computer Science and Technology
Abstract/Summary:
Network security has always been a major concern of computer science. In the course of investigating the root causes of network failure, vulnerability analysis has become an important branch of research, of which vulnerability assessment is the core issue. At the same time, the open structure of the IMS network has exposed it to a large number of threats that already exist on the Internet, which is why it is urgent to carry out IMS vulnerability assessment studies. However, there is still a gap in the study of vulnerability assessment. For many reasons, existing vulnerability assessment methods are insufficient when applied to IMS. For example, current assessment methods all focus on only part of the assessment process. None of them provides a solution that covers all the steps, from setting values for single vulnerabilities, to calculating the overall vulnerability level, to finally producing the vulnerability elimination policy. Moreover, most of the methods were designed from the attacker's point of view. They use attributes such as the attacker's capability or attack pattern as input, so that the assessed vulnerability level depends heavily on the network's environment rather than on the network itself. The qualitative methods used in most assessments are easy to use, but their results vary considerably under different arbitrary assumptions and are insufficient for higher-level assessments such as security risk calculation.

The thesis focuses on the quantitative assessment of vulnerabilities. It starts by looking into network defects and then gives an in-depth analysis of evaluation methods for single, associated and structural vulnerabilities, as well as their application in the IMS. The main contributions of this thesis are as follows:

1. Built models that demonstrate the mechanism of vulnerabilities with the help of a formal description language. By analyzing the rules behind network operations from the vulnerability assessment point of view, concepts such as threat and protected object were strictly defined in predicate logic. The thesis analyzed the relationship between vulnerability and network security failure from a macro perspective and constructed a vulnerability analysis model. It also gave a set of state transition rules for vulnerabilities and protected objects from a micro perspective. Based on these results, a cause-result model and a damage/anti-damage model were built using concepts similar to those of pathology. This in-depth analysis of vulnerability laid a solid theoretical foundation for the subsequent quantitative evaluation. The thesis also elaborated on the potential threats faced by the IMS and gave an example demonstrating a typical IMS vulnerability exploitation process.

2. Defined metrics for the evaluation of assessment methods and gave a set of references for single vulnerability assessment. The thesis proposed a way to evaluate the basic metrics of vulnerability according to their effectiveness, completeness, usability, accuracy and orderliness. It defined two metrics, named "score diversity" and "point variance", for evaluating the composite metrics of vulnerability. With these two metrics as references, the thesis described how to design vulnerability metrics and defined the basic metrics based on confidentiality, integrity, availability, and the loss of asset value. Taking the basic metrics into account, two composite metrics named "loss of basic security" and "potential loss of asset value" were introduced. They were compared with the well-known CVSS and other similar metrics in terms of "score diversity" and "point variance". Vulnerabilities within the IMS are categorized and evaluated from three aspects: network access, session control, and service delivery. The thesis also analyzed the layout of vulnerable regions in the IMS.

3. Brought forward a solution for evaluating the overall vulnerability of network services and established the corresponding elimination policies. Using a vulnerability relationship graph built on a Petri net as the model, the network service vulnerability level metric, SV, was created by examining the relationships between the reachability of network failure states, the number of vulnerability chains, and the difficulty of exploiting single vulnerabilities. The thesis analyzed, from a theoretical standpoint, the range and monotonicity of SV values, as well as how vulnerability correlations affect the SV value. The thesis proposed a method for obtaining the key set of vulnerabilities by examining the direct and indirect effects that eliminating single vulnerabilities has on the overall vulnerability level of the network service. With reference to quantified costs of vulnerability elimination, the thesis presented strategies for eliminating vulnerabilities at minimum cost. It also gave examples of how to apply these evaluation methods to IMS vulnerabilities.

4. Proposed a model for generating network structures and a method for evaluating the vulnerability of network structures. The influence that node degree and node-adding strategies have on the network topology was analyzed. An analytic model of network topology governed only by m (the degree of newly added nodes) and r (the power applied to the degree of existing nodes) was built. The thesis presented an algorithm for obtaining the expected values that describe the distribution of nodes with particular degrees when m and r are given. The network's structural vulnerability metric, fc, was created by examining the relationship between the number of failed nodes and the network's connectivity. The thesis used analytical methods to carry out an in-depth analysis of the asymptotic characteristics of structural vulnerabilities in the network. It also analyzed the parameter selection strategy that meets the established security criteria of an IMS core network consisting only of CSCFs.
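The following is an added example illustrating contribution 3 (the vulnerability relationship graph, a chain-based service vulnerability score, key-vulnerability selection and minimum-cost elimination); it is not code from the thesis. The graph, the states, the ease values standing in for "difficulty of exploiting a single vulnerability", the elimination costs and the noisy-OR aggregation used for SV are all constructed assumptions; the thesis's own Petri-net model and SV formula are not on this page.

```python
from itertools import combinations

# Constructed sample: a vulnerability relationship graph for a hypothetical
# service. States are nodes; each edge is a vulnerability whose exploitation
# moves the service from one state to the next. "ease" (0 < ease <= 1) is an
# assumed stand-in for exploit difficulty (higher = easier); "cost" is an
# assumed elimination cost. None of these values come from the thesis.
VULNS = {
    # id: (from_state, to_state, ease, elimination_cost)
    "v1": ("external", "access",  0.6, 3),
    "v2": ("external", "access",  0.4, 1),
    "v3": ("access",   "session", 0.5, 2),
    "v4": ("access",   "failure", 0.2, 4),
    "v5": ("session",  "failure", 0.8, 2),
    "v6": ("external", "session", 0.1, 1),
}
INITIAL = "external"
FAILURE = {"failure"}


def chains(vulns, start=INITIAL, failures=FAILURE):
    """Enumerate every simple vulnerability chain from `start` to a failure
    state; each chain is a tuple of vulnerability ids. A failure state is
    reachable exactly when this list is non-empty."""
    by_src = {}
    for vid, (src, dst, _, _) in vulns.items():
        by_src.setdefault(src, []).append((vid, dst))
    found = []

    def walk(state, path, visited):
        if state in failures:
            found.append(tuple(path))
            return
        for vid, dst in by_src.get(state, []):
            if dst not in visited:
                walk(dst, path + [vid], visited | {dst})

    walk(start, [], {start})
    return found


def service_vulnerability(vulns):
    """Illustrative SV (assumed aggregation, not the thesis's formula):
    each chain's ease is the product of its vulnerabilities' ease, and
    SV = 1 - prod(1 - ease(chain)). More chains or easier vulnerabilities
    raise SV; no chain to a failure state gives SV = 0."""
    miss_all = 1.0
    for chain in chains(vulns):
        ease = 1.0
        for vid in chain:
            ease *= vulns[vid][2]
        miss_all *= 1.0 - ease
    return 1.0 - miss_all


def without(vulns, removed):
    """Graph with the given vulnerability ids eliminated."""
    return {k: v for k, v in vulns.items() if k not in removed}


def key_vulnerabilities(vulns):
    """Rank vulnerabilities by the SV drop obtained by eliminating each one
    alone. This captures the direct effect (chains through it vanish) and
    the indirect effect (the remaining chains are re-aggregated)."""
    base = service_vulnerability(vulns)
    drops = {vid: base - service_vulnerability(without(vulns, {vid}))
             for vid in vulns}
    return sorted(drops.items(), key=lambda kv: (-kv[1], kv[0]))


def min_cost_elimination(vulns, target):
    """Cheapest set of vulnerabilities whose elimination brings SV down to
    at most `target`. Exhaustive over subsets, which is fine for the handful
    of vulnerabilities in one service graph; returns (cost, ids)."""
    ids = sorted(vulns)
    best = None
    for k in range(len(ids) + 1):
        for subset in combinations(ids, k):
            if service_vulnerability(without(vulns, set(subset))) <= target:
                cost = sum(vulns[v][3] for v in subset)
                if best is None or cost < best[0]:
                    best = (cost, subset)
    return best


if __name__ == "__main__":
    print("chains:", chains(VULNS))
    print("SV = %.4f" % service_vulnerability(VULNS))
    print("key vulnerabilities:", key_vulnerabilities(VULNS))
    print("cheapest fix for SV <= 0.1:", min_cost_elimination(VULNS, 0.1))
```

On this constructed graph the single most valuable fix is v5 (it sits on three of the five chains), but the cheapest way to push SV down to 0.1 is to close both entry vulnerabilities v1 and v2 rather than to buy the more expensive v4 and v5 pair; this is the kind of trade-off the thesis's cost-aware elimination strategy is meant to expose.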
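The following is an added example for contribution 4 (growing a topology from the parameters m and r, then relating the number of failed nodes to the network's connectivity); it is not code from the thesis. The growth rule (m attachments per new node, each existing node chosen with probability proportional to degree**r), the decreasing-degree failure order and the "critical failure fraction" used as a stand-in for fc are assumptions made here for illustration; the thesis's exact algorithm and its definition of fc are not on this page.

```python
import random
from itertools import combinations


def generate_topology(n, m, r, seed=0):
    """Grow an n-node network from m+1 fully connected seed nodes. Each new
    node attaches to m distinct existing nodes, picking each with probability
    proportional to degree**r (r=0: uniform; r=1: linear preferential
    attachment). Assumed growth rule in the spirit of the (m, r) model."""
    rng = random.Random(seed)
    m0 = m + 1
    adj = {i: set() for i in range(m0)}
    for a, b in combinations(range(m0), 2):
        adj[a].add(b)
        adj[b].add(a)
    for new in range(m0, n):
        targets = set()
        while len(targets) < m:
            candidates = [v for v in adj if v not in targets]
            weights = [len(adj[v]) ** r for v in candidates]
            targets.add(rng.choices(candidates, weights=weights)[0])
        adj[new] = set()
        for t in targets:
            adj[new].add(t)
            adj[t].add(new)
    return adj


def largest_component(adj, alive):
    """Size of the largest connected component restricted to `alive` nodes."""
    seen, best = set(), 0
    for s in alive:
        if s in seen:
            continue
        stack, size = [s], 0
        seen.add(s)
        while stack:
            v = stack.pop()
            size += 1
            for w in adj[v]:
                if w in alive and w not in seen:
                    seen.add(w)
                    stack.append(w)
        best = max(best, size)
    return best


def failure_curve(adj, order):
    """Largest-component fraction (relative to the original node count) after
    the first k nodes of `order` have failed, for k = 0..n."""
    n = len(adj)
    alive = set(adj)
    curve = [largest_component(adj, alive) / n]
    for v in order:
        alive.discard(v)
        curve.append(largest_component(adj, alive) / n)
    return curve


def critical_failure_fraction(adj, order, threshold=0.5):
    """Illustrative structural-vulnerability figure (an assumption standing in
    for the thesis's fc): the smallest fraction of failed nodes at which the
    largest component drops below `threshold` of the original network."""
    n = len(adj)
    for k, frac in enumerate(failure_curve(adj, order)):
        if frac < threshold:
            return k / n
    return 1.0


def degree_order(adj):
    """Nodes by decreasing degree: the failure order a defender should plan
    for, since losing the best-connected nodes hurts connectivity most."""
    return sorted(adj, key=lambda v: (-len(adj[v]), v))


# Constructed hand-checkable topologies: a 6-node star and a 6-node ring.
STAR = {0: {1, 2, 3, 4, 5}, **{i: {0} for i in range(1, 6)}}
RING = {i: {(i - 1) % 6, (i + 1) % 6} for i in range(6)}


if __name__ == "__main__":
    for name, g in (("star", STAR), ("ring", RING)):
        print(name, "critical fraction:", critical_failure_fraction(g, degree_order(g)))
    for r in (0, 1, 2):
        g = generate_topology(200, 2, r, seed=1)
        print("m=2 r=%d critical fraction: %.3f" % (r, critical_failure_fraction(g, degree_order(g))))
```

The star loses half its connectivity after a single failure (its hub) while the ring survives three, which is the intuition behind choosing m and r so that a CSCF-only core does not concentrate connectivity in a few nodes; running the generator for several r values shows how strongly preferential attachment shifts the critical fraction for a given m.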
Keywords/Search Tags: Network, Vulnerability Assessment, Quantitative Metric, IMS, Vulnerability Elimination