
Research On Key Technologies Of Network Security Risk Assessment

Posted on: 2014-09-19
Degree: Doctor
Type: Dissertation
Country: China
Candidate: J Y Wu
Full Text: PDF
GTID: 1268330401463067
Subject: Computer Science and Technology
Abstract/Summary:
With the rapid development of computer and computer network technologies in recent years, computers and computer networks have played an increasingly important role in politics, the economy, the military, and social life. At the same time, network security problems have become increasingly prominent. To deal with these increasingly serious network security issues, a variety of network security defense and control technologies have emerged. As one of the proactive security defense technologies, network security risk assessment techniques are used to assess the security risks in a network or information system before security events occur and to assess the threat situation after they occur, and appropriate risk control measures are then taken based on the assessment results. Effective and efficient network security risk assessment methods are therefore of great significance to the protection of network and information system security. Based on the study and analysis of related work, we carried out in-depth research on key technologies for network security risk assessment. The major contributions of the dissertation are summarized as follows.

On the aspect of qualitative assessment, we discussed two important problems in attack graph analysis: the optimal atomic-attack repair set problem and the optimal initial-condition repair set problem. We defined the Atomic-attack Split Weighted Attack Graph (ASWAG) and the Initial-condition Split Weighted Attack Graph (ISWAG) and converted the two problems into minimum S-T cut problems in ASWAG and ISWAG, respectively; the conversions were proved to be equivalent. Two network-flow-based algorithms with polynomial time complexity were proposed. Experimental results showed that the algorithms are more efficient and scale better than existing methods, so they can be used to analyze large-scale attack graphs.

On the aspect of quantitative assessment, our work includes two parts. (1) We proposed the Generalized Bayesian Attack Graph (GBAG) model, because the existing Bayesian Attack Graph (BAG) model cannot express the impact of environmental factors on the probabilities of attacks. The GBAG model covers attackers exploiting vulnerabilities to launch multi-step attacks, the uncertainty of the attacks, and the impact of environmental factors on attack probabilities. Its semantics extend those of BAG by introducing attack gains and threat state variables while retaining the advantages of BAG, so the GBAG model reflects the true attack probabilities more objectively. (2) We proposed a hierarchical quantitative assessment method based on GBAG. The method uses GBAG to model attackers exploiting vulnerabilities to launch multi-step attacks, the uncertainty of the attacks, and the impact of environmental factors on attack probabilities. Node attack probabilities, node risk values, host attack probabilities, host risk values, network attack probabilities and the network risk value are computed from the constructed GBAG, so that security administrators can understand the security situation at all three levels. Experimental results show that the results of our method agree with the real situation, which means the method gives more objective and accurate results. Theoretical and experimental proofs show that the BAG-based method is a special case of our method, so our method has a wider range of applications.

On the aspect of real-time assessment, our work also includes two parts. (1) False positives and false negatives are prevalent in the alerts generated by intrusion detection systems. We proposed the D-S evidence Attack Graph Model (DSAGM) to deal with the problems they cause in real-time assessment. Alerts are assigned certainty factors, and the D-S combination rule is used to combine the related alerts corresponding to the same node in the attack graph. Credibility is propagated forward and backward in the attack graph, the prediction support factors and posterior support factors of the related nodes are updated, and the node attack certainty factors and prediction attack certainty factors are then updated. The model not only takes advantage of the uncertain-information fusion capability of D-S evidence theory but also makes use of the vulnerability exploitation relationships in the attack graph, so it can effectively deal with the problems caused by false positives and false negatives. (2) We proposed an incremental real-time assessment method based on DSAGM. The framework of the method has four layers: the detection layer, attack graph layer, host layer and network layer, and two phases: the initialization phase and the real-time phase. The method uses DSAGM to deal with the problems caused by false positives and false negatives and computes the attack certainty factors and prediction attack certainty factors of each node, each host and the network, so that it can reconstruct the attack scene and accurately predict future attack behaviors. The corresponding threat values and the final network security awareness value are computed, so that security administrators can understand the threat situation at the node, host and network levels. The method is incremental and its algorithms have linear complexity, so it is very efficient. Experimental results show that the method reconstructs the attack scene and predicts future attack behaviors accurately and objectively, and yields an objective network security awareness value that is consistent with the real-time network security threat situation. The method is efficient and scales well, so it can be applied to the real-time assessment of large-scale networks or information systems.
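The min S-T cut reduction sketched above for the optimal atomic-attack repair set, as an added Python example that is not from the dissertation: every atomic attack (exploit) is split into an in/out node pair joined by an edge whose capacity is its repair cost, condition-to-exploit dependency edges get infinite capacity, and the minimum cut therefore picks the cheapest set of exploits whose removal leaves no attack path to the goal. The graph construction, exploit names and repair costs are my assumptions, built to illustrate the idea rather than taken from the ASWAG definition in the thesis.

```python
from collections import defaultdict, deque
INF = float("inf")

def _reachable(cap, s):  # BFS parent map over edges with positive residual capacity
    parent, q = {s: None}, deque([s])
    while q:
        u = q.popleft()
        for v, c in cap[u].items():
            if c > 0 and v not in parent:
                parent[v] = u
                q.append(v)
    return parent

def min_cut(cap, s, t):
    """Edmonds-Karp max flow; returns (cut value, source side of a min cut)."""
    flow = 0.0
    while t in (parent := _reachable(cap, s)):
        b, v = INF, t
        while v != s:  # bottleneck capacity on the shortest augmenting path
            b, v = min(b, cap[parent[v]][v]), parent[v]
        v = t
        while v != s:  # push flow; reverse entries are residual capacity
            cap[parent[v]][v] -= b
            cap[v][parent[v]] += b
            v = parent[v]
        flow += b
    return flow, set(_reachable(cap, s))

def optimal_repair_set(initial_conditions, exploits, goal):
    """ASWAG-style reduction (my construction): 'e/in' --cost--> 'e/out', dependencies INF."""
    cap = defaultdict(lambda: defaultdict(float))
    for cond in initial_conditions:
        cap["S"][cond] = INF
    for name, (pre, post, cost) in exploits.items():
        cap[name + "/in"][name + "/out"] = float(cost)
        for cond in pre:
            cap[cond][name + "/in"] = INF
        for cond in post:
            cap[name + "/out"][cond] = INF
    total, src_side = min_cut(cap, "S", goal)
    return total, {e for e in exploits if e + "/in" in src_side and e + "/out" not in src_side}

# Constructed sample attack graph: exploit -> (preconditions, postconditions, repair cost)
EXPLOITS = {
    "web_rce":       ({"attacker@internet", "http_open@web"}, {"user@web"}, 3),
    "ssh_weak_pw":   ({"attacker@internet"}, {"user@web"}, 5),
    "web_privesc":   ({"user@web"}, {"root@web"}, 3),
    "db_trust_web":  ({"user@web"}, {"root@db"}, 4),
    "db_admin_cred": ({"root@web"}, {"root@db"}, 1),
}
INITIAL = {"attacker@internet", "http_open@web"}
```

On this constructed graph `optimal_repair_set(INITIAL, EXPLOITS, "root@db")` returns cost 5.0 with repair set {db_trust_web, db_admin_cred}: fixing the two database-side exploits is cheaper than closing both entry points (cost 8). The cut severs every path, so if an exploit needs all of its preconditions the chosen set is still sufficient to block the goal, though it may then be larger than the true optimum.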
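The per-node alert fusion described for DSAGM, as an added Python example not taken from the dissertation: each alert correlated to an attack-graph node is turned into a mass function from its certainty factor, and the alerts are fused with the D-S combination rule so that several weak alerts raise belief that the node was attacked while a low certainty factor is never read as evidence of no attack. The two-element frame {attacked, not_attacked}, the mapping from certainty factor to masses and the sample certainty factors are my assumptions; the thesis's support-factor propagation along the graph is not reproduced here.

```python
from itertools import product

ATTACKED, NOT_ATTACKED = "attacked", "not_attacked"
THETA = frozenset({ATTACKED, NOT_ATTACKED})  # frame of discernment for one node

def ds_combine(m1, m2):
    """Dempster's rule: masses are dicts frozenset(focal element) -> mass.
    Mass falling on an empty intersection is conflict and is renormalised away."""
    combined, conflict = {}, 0.0
    for (a, ma), (b, mb) in product(m1.items(), m2.items()):
        both = a & b
        if both:
            combined[both] = combined.get(both, 0.0) + ma * mb
        else:
            conflict += ma * mb
    if conflict >= 1.0:
        raise ValueError("totally conflicting evidence cannot be combined")
    return {k: v / (1.0 - conflict) for k, v in combined.items()}

def alert_mass(certainty):
    """An alert with certainty factor c supports 'attacked' with mass c and leaves
    1-c as ignorance on the whole frame (assumed mapping): a weak alert is not
    evidence that the node was left alone."""
    return {frozenset({ATTACKED}): certainty, THETA: 1.0 - certainty}

def node_certainty(alert_certainties, counter_evidence=0.0):
    """Fuse every alert mapped to one attack-graph node, optionally with evidence
    for 'not attacked' (e.g. a blocked-exploit signature). Returns (belief,
    plausibility) that the node was attacked, rounded to 4 places."""
    m = {THETA: 1.0}  # start from total ignorance
    for c in alert_certainties:
        m = ds_combine(m, alert_mass(c))
    if counter_evidence:
        m = ds_combine(m, {frozenset({NOT_ATTACKED}): counter_evidence,
                           THETA: 1.0 - counter_evidence})
    belief = m.get(frozenset({ATTACKED}), 0.0)
    return round(belief, 4), round(belief + m.get(THETA, 0.0), 4)

# Constructed sample: three IDS alerts correlated to the same node, certainty 0.6, 0.5, 0.3
SAMPLE_ALERTS = [0.6, 0.5, 0.3]
```

`node_certainty(SAMPLE_ALERTS)` gives belief 0.86 and plausibility 1.0, i.e. three individually weak alerts become strong support; with `counter_evidence=0.5` against the first two alerts the belief drops to about 0.667 and the plausibility to about 0.833, the gap between them being the remaining ignorance.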
Keywords/Search Tags: network security assessment, attack graphs, network flow, Generalized Bayesian Attack Graph, D-S evidence Attack Graph Model