
Research On Network Security Based On Host-based Attack Graph

Posted on: 2013-03-24
Degree: Doctor
Type: Dissertation
Country: China
Candidate: S Q Zhong
Full Text: PDF
GTID: 1228330374499645
Subject: Computer Science and Technology
Abstract/Summary:
With the continuous development of computer technology and network applications, network security management has become an important factor that can restrict the security, stability and development of a country and its enterprises. How to develop feasible and effective security strategies by analyzing network security is a vital issue of concern to domestic and foreign experts and scholars. Because it is able to reflect the mutual use of vulnerabilities in a network, the network attack graph has become an effective tool for analyzing network security. Many countries and regions attach great importance to the study of network attack graphs, and many significant scientific achievements have been made. This work not only promotes the further development of science and technology, but also guarantees the safe and stable operation of government and enterprise networks, and protects the security and confidentiality of national and personal private information.

In order to develop more effective and convenient approaches to analyzing network security, this dissertation studies several issues concerning the generation of host-based attack graphs and their application in network security analysis. The main contributions and innovations are summarized as follows:

1) Attack rules are built by further abstracting attack patterns. In addition, theories of model design and normal distribution are introduced to calculate the difficulty value of an attack, which becomes the weight of the corresponding attack rule. Based on the attack rules, an approach to generating a host-based network graph is put forward. It performs well in time and space complexity, and the attack graphs it generates are much smaller than those of previous methods.

2) Analysis of a large number of network attacks shows that the security of some hosts has a particularly significant influence on overall network security. Thus, the concept of the key host is put forward. Further research shows that the influences caused by these key hosts are not exactly the same. Therefore, key hosts are classified into three types, and a method for identifying each type is given independently. The key hosts in a network bring a new perspective to network security analysis and provide a basis for network security managers to develop effective security strategies.

3) An algorithm for generating a host-based attack graph for the overall network is proposed, followed by an approach to analyzing overall network security and finding key hosts through the attack graph it generates. By analyzing the out-degrees and in-degrees of nodes in the attack graph for the overall network, it is convenient to find the first type of key hosts and the second type of key hosts, and it is possible to calculate the distribution density of attacks, which reflects the overall network security situation and can be used to identify the security level. The satisfaction of a critical-condition can cause changes in the attack power of the corresponding host. Therefore, if these changes are calculated, the third type of key hosts and the key critical-conditions can be found.

4) The definition of the host-security-group and its partitioning algorithm are proposed. Moreover, an approach to analyzing overall network security and finding key hosts based on host-security-groups is put forward. By analyzing the result of the partitioning, it is possible not only to calculate security properties such as the density of host-security-groups and the coupling degree of host-security-groups, which identify the security level of the target network, but also to find the first type of key hosts and the second type of key hosts. To find the third type of key hosts, only the leaves of each host-security-group need to be considered, and the scale of the host-security-group that contains the target host of an atomic attack can be taken as the change in overall network security when a critical-condition is satisfied. Thus, the computational complexity is substantially reduced.

5) An approach that uses an iterative matrix to analyze overall network security and find key hosts is proposed. Using the defined operating function, the procedure for turning the initial adjacency matrix into the ultimate iterative matrix, which reflects the attack relationships between hosts, is described. The security level of the network is easy to identify through the density of iterative weight and other security properties. In addition, by calculating and comparing the coefficient of threat, the coefficient of vulnerability, and the changing ratio of total iterative weights, the three types of key hosts can be identified respectively. In particular, if the corresponding routes of each element are recorded while the iterative matrices are calculated, the most effective attack paths between each pair of hosts can be found.
Keywords/Search Tags: network security, host-based attack graph, host-security-group, iterative matrix, key host