
Research On Vulnerability Analysis And Simulation Validation Techniques Of Complex Information System Network

Posted on: 2014-04-29
Degree: Doctor
Type: Dissertation
Country: China
Candidate: X M Liu
Full Text: PDF
GTID: 1220330467964329
Subject: Computer Science and Technology
Abstract/Summary:
With the popularity of information technology in our society and the emergence of large-scale distributed network technologies such as cloud computing and grid computing, critical information infrastructure is exposed to a growing number of security threats. To strengthen the security of information infrastructure, governments and security groups are reinforcing research on the vulnerabilities of complex information system networks. However, much current work focuses on information system network risk assessment; research on the discovery, identification, evaluation and validation of network vulnerabilities is still at an exploratory stage once the size and complexity of the information system grow, and many problems remain to be solved. Against this background, this dissertation focuses on three aspects, namely complex network structural and behavioral vulnerability analysis techniques, key protocol vulnerability analysis techniques, and simulation validation techniques, approached in a network mode of thinking, and strives to provide comprehensive and systematic support for the vulnerability analysis and security evaluation of complex information system networks. The main research topics and results of this dissertation are as follows.

1. To solve the vulnerability identification and assessment problem related to network topology, static and dynamic analysis methods based on complex network theory are proposed. In the study of static characteristics, graph theory parameters such as degree, betweenness, closeness, clustering coefficient and entropy are used to analyze example networks, giving comprehensive evaluation results for the networks' survivability and fault tolerance. In the study of dynamic cascading failures, a load-capacity model is established, and simulations are conducted on example networks under different attack strategies. This study provides a theoretical reference for the early warning and handling of large-scale network failures.

2. In the aspect of network cascade control and defense, an emergency response strategy based on traffic control is proposed according to the actual functions of information networks. First, the traditional methods of enlarging the tolerance factor and deleting the components with minimum centrality are discussed through modeling and simulation; then our scheme is proposed, and analysis and comparative studies based on simulation are performed. The results prove that our scheme can be applied to all network types, can control information network cascading failures with relatively fewer resources, and avoids the ineffectiveness and high cost of the former two methods in controlling some homogeneous networks.

3. In the aspect of key network protocol vulnerability analysis, a suite of techniques for exploiting, utilizing and protecting against TCP (Transmission Control Protocol) and BGP (Border Gateway Protocol) vulnerabilities in congestion control mechanisms is proposed, based on DLDoS (Distributed Low-rate DoS) attacks. First, the related vulnerabilities of TCP and BGP are analyzed, the DLDoS attack scheme is decomposed, summarized and analyzed in detail, and a precise time synchronization method between distributed attack hosts is proposed. Then multiple LDoS defense mechanisms are discussed and summarized, and a comparison of LDoS and FDoS (Flooding DoS) is given. In the process of utilizing these vulnerabilities, a novel kind of DLDoS attack using a one-dimensional random walk algorithm is proposed; the algorithm generates a power-law distribution that matches normal network behavior, making the distributed attack flows even stealthier. This method provides a reference for DLDoS attack countermeasures based on time-domain and frequency-domain analysis.

4. To study the route flapping and cascading failures in BGP networks caused by DLDoS attacks, a flow model and a birth-death model are constructed. First, the BGP route flapping caused by LDoS attacks is validated and analyzed through experiments. Then a flow model and a birth-death model are constructed to analyze congestion and cascading failures in BGP networks; these models improve on the load-capacity model in describing the recovery mechanism of BGP routers. The simulation results of these models reveal that a phase transition exists in the cascading failure process of a BGP network: when the number of down routers exceeds the phase transition point, the network accelerates towards complete collapse, otherwise it gradually recovers. These two models are shown to describe the dynamic characteristics of actual BGP networks more accurately.

5. To meet the simulation validation requirements of complex information system network vulnerability, we design and implement a vulnerability simulation validation platform based on CTR (Cyber Test Range) techniques. First, a general CTR architecture framework based on HLA (High Level Architecture) is summarized and proposed; the range-level control system design that fits the controllability and safety requirements of a CTR is also discussed in detail; then a five-level CTR capability maturity model is proposed, together with a quantitative classification model based on the cluster analysis of grey theory. Then an Emulab-based platform for network vulnerability analysis and simulation validation is designed and implemented, integrating the vulnerability validation techniques of large-scale complex networks and traditional information systems. Acceptance tests and comparisons have shown that the platform provides sufficient security experiment facilities and fidelity to meet the requirements of network vulnerability analysis and simulation validation.
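As an added illustration of the load-capacity cascade model and the tolerance-factor defense discussed in items 1 and 2 (example code written here, not the dissertation's own), the script below computes node betweenness with Brandes' algorithm, removes the highest-betweenness node, and propagates overloads until the network stabilizes; the six-node topology `NET` and the names `cascade` and `surviving_fraction` are constructed for this example and show how enlarging the tolerance factor alpha halts the cascade.

```python
from collections import deque
from typing import Dict, Set

Graph = Dict[int, Set[int]]  # undirected adjacency sets

def betweenness(g: Graph) -> Dict[int, float]:
    """Brandes' shortest-path betweenness (each unordered pair counted twice)."""
    bc = {v: 0.0 for v in g}
    for s in g:
        stack, pred = [], {v: [] for v in g}
        sigma, dist = {v: 0 for v in g}, {v: -1 for v in g}
        sigma[s], dist[s], queue = 1, 0, deque([s])
        while queue:  # BFS from s, counting shortest paths
            v = queue.popleft()
            stack.append(v)
            for w in g[v]:
                if dist[w] < 0:
                    dist[w] = dist[v] + 1
                    queue.append(w)
                if dist[w] == dist[v] + 1:
                    sigma[w] += sigma[v]
                    pred[w].append(v)
        delta = {v: 0.0 for v in g}
        while stack:  # accumulate dependencies in reverse BFS order
            w = stack.pop()
            for v in pred[w]:
                delta[v] += sigma[v] / sigma[w] * (1 + delta[w])
            if w != s:
                bc[w] += delta[w]
    return bc

def cascade(g: Graph, alpha: float, first: int) -> Set[int]:
    """Load-capacity cascade (load = betweenness, capacity = (1+alpha) * initial load)."""
    cap = {v: (1 + alpha) * load for v, load in betweenness(g).items()}
    alive, failed, wave = g, set(), {first}
    while wave:  # remove the current wave, re-route load, collect overloaded nodes
        failed |= wave
        alive = {v: n - wave for v, n in alive.items() if v not in wave}
        wave = {v for v, load in betweenness(alive).items() if load > cap[v] + 1e-9}
    return failed

# Constructed toy topology: clusters {0,1} and {4,5} joined by two transit nodes 2 and 3.
NET: Graph = {}
for a, b in [(0, 1), (4, 5)] + [(t, c) for t in (2, 3) for c in (0, 1, 4, 5)]:
    NET.setdefault(a, set()).add(b)
    NET.setdefault(b, set()).add(a)

def surviving_fraction(g: Graph, alpha: float) -> float:
    """Attack strategy: remove the highest-betweenness node; report the fraction left."""
    bc = betweenness(g)
    return 1 - len(cascade(g, alpha, max(bc, key=bc.get))) / len(g)
```

With alpha below 1 the surviving transit node inherits all cross-cluster load and fails too, so the network splits; with alpha of 1 or more the spare capacity absorbs the re-routed load and only the attacked node is lost.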
Keywords/Search Tags: Complex Network, Cascading Failures, Distributed Low-rate DoS attacks, Birth-Death Model, Random Walk Algorithm, Cyber Test Range