
The Research On Computer Network Vulnerabilities Assessment Methods

Posted on: 2013-09-03  Degree: Doctor  Type: Dissertation
Country: China  Candidate: W Jia  Full Text: PDF
GTID: 1228330377451873  Subject: Information security
Abstract/Summary:
The popularization of computers and the rapid development of communication technology have made computer networks ubiquitous in people's daily lives. With the increasing number of users and requirements, the scale of computers and applications is expanding rapidly year by year. Because of the remediation of network resource management, weak user security awareness, and a lack of defensive measures, vulnerabilities generally exist in the various production phases of software, hardware and network information systems, such as planning, design, development, maintenance, configuration and management. Networks face a critical security situation, which has become one of the most severe factors affecting network development. By analyzing the attack paths and exploitation probabilities of vulnerabilities in a network, vulnerability assessment yields a quantitative view of the network security situation and provides evidence for network security optimization. Nowadays, vulnerability assessment has become a hot topic in the field of network security.

Building on the development and analysis of existing methods, this dissertation proposes a new network vulnerability assessment model based on the vulnerability attack graph. By analyzing the probabilities of vulnerability exploitation paths and pointing out the key vulnerabilities, it gives an overall evaluation of the network security situation and indicates the most important factors affecting network security. Our work in this dissertation is summarized as follows.

First, we define the elements of vulnerability assessment, model the network components, and build the framework of the vulnerability assessment model. Using the network component model as input parameters, and considering the dependency relationships between vulnerabilities and the exploitation paths, we then provide a method for generating the vulnerability attack graph (VAG).

Then, to meet the requirement of an overall evaluation of network vulnerabilities, we analyze the VAG using a Bayesian network. We map the VAG onto a Bayesian network and calculate the attack probability by exact inference. Because of the complexity of exact inference on large-scale networks, we propose a vulnerability assessment method based on Bayesian network approximate reasoning. This method performs approximate reasoning over the VAG by stochastic sampling, and the attack probability is obtained by analyzing the samples and computing statistics over them. Finally, we work through an example comparing the results of exact inference with those of our approximate reasoning method to demonstrate that the method is feasible and useful.

Lastly, to meet the requirement of analyzing the key vulnerabilities in a network, we propose a key vulnerability analysis method based on network centrality theory. We introduce network centrality theory to analyze the VAG and propose the concept of corrected betweenness, which combines betweenness with degree theory to quantitatively analyze the importance of vulnerability nodes in the attack graph. This helps find the key vulnerabilities that have a great effect on network security, and provides evidence for fixing vulnerabilities and enhancing network security. The experimental results show that this method overcomes the drawbacks of common centrality analysis methods and that the evaluation result is reasonable and credible.

Network vulnerability assessment can help locate the key vulnerabilities of a target system and all potential attack paths. Through quantitative analysis with mathematical tools, it can guide the choice of effective security measures and obtain the maximum security return from a limited security budget. Network vulnerability assessment provides an efficient reference for improving the network security situation.
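The comparison of exact inference with sampling-based approximate reasoning described in the abstract can be illustrated on a small graph. The following is an added example, not code from the dissertation: the five-node graph, its node names, the probabilities and the OR-dependency rule between parent vulnerabilities are all assumptions made for illustration.

```python
import itertools
import random

# Constructed vulnerability attack graph (not from the dissertation):
# node -> (parent nodes, probability the exploit succeeds once reachable).
# Nodes are listed in topological order; all names are hypothetical.
VAG = {
    "web_rce":    ((), 0.6),
    "vpn_bypass": ((), 0.3),
    "app_sqli":   (("web_rce",), 0.7),
    "file_share": (("web_rce", "vpn_bypass"), 0.5),
    "db_root":    (("app_sqli", "file_share"), 0.8),
}

def cond_prob(node, state):
    """P(node exploited | parents), assuming an OR dependency between parents."""
    parents, p = VAG[node]
    reachable = not parents or any(state[q] for q in parents)
    return p if reachable else 0.0

def exact_probability(target):
    """Exact inference: sum the joint distribution over all 2^n states."""
    nodes = list(VAG)
    total = 0.0
    for bits in itertools.product((False, True), repeat=len(nodes)):
        state = dict(zip(nodes, bits))
        if not state[target]:
            continue
        joint = 1.0
        for n in nodes:
            p = cond_prob(n, state)
            joint *= p if state[n] else 1.0 - p
        total += joint
    return total

def sampled_probability(target, samples=100_000, seed=1):
    """Approximate inference: forward-sample the graph and count hits."""
    rng = random.Random(seed)
    hits = 0
    for _ in range(samples):
        state = {}
        for n in VAG:  # dict order is topological, so parents are set first
            state[n] = rng.random() < cond_prob(n, state)
        hits += state[target]
    return hits / samples

if __name__ == "__main__":
    print(exact_probability("db_root"), sampled_probability("db_root"))
```

Enumeration doubles in cost with every added node, while the sampling cost grows linearly with graph size and sample count, which is the trade-off that motivates approximate reasoning on large networks.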
Keywords/Search Tags: network vulnerability assessment, vulnerability attack graph, Bayesian network approximate reasoning, network centrality theory, corrected betweenness, key vulnerability