
Research And Implementation Of A Graph-Based Network Vulnerability Assessment System

Posted on: 2007-05-13
Degree: Master
Type: Thesis
Country: China
Candidate: X Q Xu
GTID: 2178360212965620
Subject: Computer system architecture

Abstract/Summary:
With the continuous development of the Internet, network attack techniques keep evolving. By exploiting the relationships among the vulnerabilities in a network, attackers can elevate their privileges step by step and finally take full control of target hosts. Network vulnerability assessment is designed to assess the security status of a network and give warning in advance, so it has become important. Currently available vulnerability assessment systems focus on individual vulnerabilities on each host that makes up the network, and generally give few clues as to how attackers might actually exploit combinations of vulnerabilities among multiple hosts to advance an attack on the network. Consequently, with the CERNET Eastern (North) Network Center as the experimental background, this thesis implements a vulnerability assessment system that focuses on global network vulnerability analysis. Taking the attacker's point of view, the system first uses scanners to find vulnerabilities in the target network, then analyses the relationships among vulnerabilities on multiple hosts and transforms those relationships into an attack graph. Based on the generated attack graph, the system searches for the corresponding attack paths and uses fuzzy comprehensive evaluation to assess the security status of each host.

In the environment of the CERNET Eastern (North) Network Center, attack graph generation is time-consuming. The thesis therefore adopts RETE, a fast pattern-matching algorithm widely used in production systems (PS), to reduce the time cost of generating the attack graph. However, the efficiency of RETE is largely determined by the corresponding join structure. Taking a cost model of the RETE join structure as reference, the thesis describes an optimization algorithm that minimizes the total cost of the join and query operations. The optimization is performed on the basis of execution statistics measured from earlier runs of the program, and all rules are optimized together so that join and query operations can be shared by multiple rules. The evaluation results demonstrate that the algorithm generates a more efficient program.

The thesis consists of six chapters. Chapter 1 introduces the basic concepts of vulnerability and vulnerability assessment and surveys currently available vulnerability assessment systems. Chapter 2 presents related research, including the attack graph model and the TVA model, then proposes a GVA model and describes the corresponding framework and algorithms. Chapter 3 first introduces the RETE pattern-matching algorithm and then describes CBOR, an algorithm for optimizing the pattern sequence of a rule. Chapter 4 presents the implementation of the GVA system. Chapter 5 tests the function and performance of the GVA system as well as the effect of the CBOR algorithm. The last chapter draws conclusions and outlines future work.
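As an added illustration (not code from the thesis), the following Python sketch shows the core of the attack-graph step described in the abstract: scanner facts about reachability and per-host vulnerabilities are forward-chained with two exploit rules, in the manner of a production system, until no new privilege state appears, and attack paths to a target host are then enumerated from the resulting graph. Host names, vulnerability ids and the two rules are constructed for the example; the RETE join optimization and the fuzzy evaluation step are not modelled.

```python
"""Toy attack-graph generator in the spirit of the GVA approach described above:
forward-chain exploit rules over scanner facts to a fixpoint, then list attack paths."""
from collections import defaultdict

LEVEL = {"none": 0, "user": 1, "root": 2}  # privilege ordering on a host

# Constructed scanner output: reachability pairs and (host, vuln id, vector, gained level).
# Host names and vulnerability ids are made up for this example, not real findings.
REACH = {("attacker", "web"), ("web", "db")}
VULNS = [("web", "V1", "remote", "user"),
         ("web", "V2", "local", "root"),
         ("db", "V3", "remote", "root")]


def build_attack_graph(start, reach, vulns):
    """Return {state: [(vuln_id, next_state)]}, a state being (host, level).
    remote rule: user+ privilege on src, reach(src, dst), remote vuln on dst -> level on dst
    local rule:  user+ privilege on host, local vuln on host -> higher level on host"""
    graph, states, frontier = defaultdict(list), {start}, [start]
    while frontier:  # each derived state is expanded exactly once (fixpoint)
        host, level = frontier.pop()
        if LEVEL[level] < LEVEL["user"]:
            continue  # no foothold to launch anything from
        for v_host, vid, vector, gain in vulns:
            if vector == "remote" and (host, v_host) in reach:
                nxt = (v_host, gain)
            elif vector == "local" and v_host == host and LEVEL[gain] > LEVEL[level]:
                nxt = (v_host, gain)
            else:
                continue
            graph[(host, level)].append((vid, nxt))
            if nxt not in states:
                states.add(nxt)
                frontier.append(nxt)
    return dict(graph)


def attack_paths(graph, start, target):
    """Enumerate simple paths from start to target as vuln-id sequences, shortest first."""
    paths = []
    def dfs(state, seen, path):
        if state == target:
            paths.append(path)
            return
        for vid, nxt in graph.get(state, []):
            if nxt not in seen:  # simple paths only: never revisit a state
                dfs(nxt, seen | {nxt}, path + [vid])
    dfs(start, {start}, [])
    return sorted(paths, key=len)
```

Calling `attack_paths(build_attack_graph(("attacker", "root"), REACH, VULNS), ("attacker", "root"), ("db", "root"))` returns the two paths V1 -> V3 and V1 -> V2 -> V3, which is the information the evaluation step would then rank per host.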
Keywords/Search Tags: vulnerability assessment, attack graph, RETE, cost model, pattern sequence optimization