Design And Realization Of One Network Security Assessment System Based On Vulnerabilities Detecting Technology

Posted on: 2006-11-28
Degree: Master
Type: Thesis
Country: China
Candidate: G J Li
Full Text: PDF
GTID: 2168360152966585
Subject: Computer applications
Abstract/Summary:
Against the background of the "Digit Fujian" electronic government affairs network platform, this paper systematically discusses the current state of network information security and the protection technologies usually adopted, explains the operating principle of network security scanners and points out some of their development trends, discusses four structures commonly used by network security scanners, compares several commonly used network security scanners, and finally designs and implements a network security assessment system.

The system adopts a client-server (C-S) structure and is made up of client software and server software. The client software consists mainly of a customizing module, an assessment module, a warning module, a scanning result database and a host basic information database. The server software consists mainly of a scanning engine, a plug-in database, a regular database, a vulnerabilities database and a scanning result database. The scanning task is customized and submitted by the client software; the server software carries out the scan and returns the scanning result to the client software, which then assesses the security performance of the target network using a suitable algorithm. This paper explains the main function and operating principle of every component of the system and, after introducing the CVE standard, explains how the plug-in database and the vulnerabilities database are organized.

In a network security assessment system, the choice of algorithm used to assess the security performance of the target network, once its vulnerability information has been received, is particularly important. This paper proposes an algorithm based on fuzzy mathematics. The algorithm holds that the system's degree of security is determined mainly by the probability that a security incident occurs and the losses that the incident causes; it evaluates these two factors separately with suitable methods and thus derives a quantitative result for the system's degree of security that reflects the security performance of the target network scientifically and accurately.

The security of the network security assessment system itself is extremely important. Security problems in the system appear mostly in five links, all of which arise from inadequate identity verification and inadequate encryption of the information transmitted between the two connected sides. This system uses both passwords and certificates to guarantee the legitimacy of each side's identity and uses SSL to encrypt the information transmitted between the two sides, which effectively improves the system's security. When the target network becomes large, a network security assessment system that completes the assessment quickly saves network bandwidth and time; this system adopts several methods to improve its operating efficiency.

The system adopts a plug-in structure, so it is easier to extend as new vulnerabilities constantly appear and can be adjusted flexibly and dynamically as the functions of the network change. This paper explains the foundations of the NASL language and its relevant functions in detail, analyzes the structure of a NASL script, and finally demonstrates how to write a script with a concrete example, so that users can write plug-ins that check for the corresponding vulnerability themselves.
Keywords/Search Tags:vulnerabilities detecting, network security assessment, fuzzy judgment, CVE criterion, NASL technology, SSL technology, system realization