
Network Security Vulnerabilities Detecting And Attack Graph Constructing

Posted on: 2009-10-25 | Degree: Master | Type: Thesis
Country: China | Candidate: F F Zhao | Full Text: PDF
GTID: 2178360242976858 | Subject: Communication and Information System
Abstract/Summary:
With the rapid development of computer networks and the Internet, security becomes more and more important. According to reported network security incidents, attackers usually cannot intrude into a network successfully through a single host or a single network service, but when they exploit multiple vulnerabilities that arise from the relations among several hosts and services, the network is usually compromised. Therefore one important aspect of inspecting network security is to consider combinations of vulnerabilities after the vulnerability information has been obtained, and to analyze the possible attack paths an attacker could take.

To satisfy the requirements of vulnerability detection, this paper first introduces an OVAL vulnerability scanner based on the Client/Server pattern. After the network vulnerability information has been obtained, an efficient network security analysis model for finding possible network attack paths is presented, followed by the network attack graph generation method based on this model and the network attack graph generation system.

The OVAL vulnerability scanner scans the software, hardware and configuration information of the whole system. Based on an XML schema, it collects the information needed to test for and confirm vulnerabilities, and then transfers the vulnerability, configuration and connectivity information to the Console on the server side over a Socket connection. The Console processes this information to build the potential attack paths. The OVAL and CVE standard vulnerability databases are used, so the tool is compatible with other vulnerability scanners.

The network security analysis model consists of a description of the hosts, the connection relationships of the network based on the TCP/IP protocol stack, and attack rules based on privilege escalation. An attack rule maps a series of preconditions to postconditions. Actions taken by attackers can be treated as transitions of attack rules, which yields a unique expression of the network attack graph. Meanwhile, a SQL database is used to build this attack model, and a method for analyzing attacks associated with vulnerabilities based on privilege escalation is put forward. The attack graph is generated by integrating breadth-first forward and backward search, and is used to analyze the security of the whole network. The method is guaranteed to find all potential attack paths, and every path is the most reduced and is different from the other paths.

Finally, a network attack graph generation system is designed and implemented. We verify the validity of this system through experiments and show that the network attack graph generated by this system is more concise and efficient, on the premise of finding all potential attack paths.
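The attack-rule model and the forward breadth-first search described in the abstract, as an added example that is not part of the thesis or its system: hosts, TCP/IP connectivity and privilege-escalation rules are constructed, the vulnerability ids (VULN-A/B/C) are hypothetical placeholders, and paths that only add steps to another path are dropped so the surviving paths are the most reduced ones.

```python
from collections import deque
# Constructed sample network: host -> hypothetical vulnerability ids present.
HOSTS = {"attacker": set(), "web": {"VULN-A"}, "mail": {"VULN-A"},
         "db": {"VULN-B", "VULN-C"}}
# Constructed TCP/IP-level connectivity: (source, destination) pairs.
CONNECTIVITY = [("attacker", "web"), ("attacker", "mail"), ("web", "db"), ("mail", "db")]
# Attack rules: preconditions (privilege on the source, vulnerability on the target,
# reachability for remote rules) mapped to a postcondition (privilege on the target).
RULES = [
    {"name": "remote-exploit-A", "vuln": "VULN-A", "needs": "user", "gains": "user", "remote": True},
    {"name": "remote-exploit-C", "vuln": "VULN-C", "needs": "user", "gains": "user", "remote": True},
    {"name": "local-escalation-B", "vuln": "VULN-B", "needs": "user", "gains": "root", "remote": False},
]
RANK = {"none": 0, "user": 1, "root": 2}  # privilege escalation order

def transitions(state):
    """Yield (rule, src, dst, new_state) for every rule whose preconditions hold
    in `state` (host -> highest privilege held) and that raises a privilege."""
    for src, priv in sorted(state.items()):
        for rule in RULES:
            if RANK[priv] < RANK[rule["needs"]]:
                continue
            targets = sorted(d for s, d in CONNECTIVITY if s == src) if rule["remote"] else [src]
            for dst in targets:
                if rule["vuln"] not in HOSTS[dst]:
                    continue
                if RANK[state.get(dst, "none")] >= RANK[rule["gains"]]:
                    continue  # nothing new gained: the transition is redundant
                yield rule["name"], src, dst, {**state, dst: rule["gains"]}

def attack_paths(goal_host, goal_priv, start=None):
    """Forward breadth-first search from the attacker's own machine; returns the
    shortest path per distinct route, dropping any that merely adds steps to another."""
    start = start or {"attacker": "root"}
    key = lambda s: tuple(sorted(s.items()))
    queue, seen, paths = deque([(start, [])]), {key(start)}, []
    while queue:
        state, path = queue.popleft()
        if RANK[state.get(goal_host, "none")] >= RANK[goal_priv]:
            paths.append(path)  # goal reached: do not extend this path
            continue
        for name, src, dst, new in transitions(state):
            if key(new) not in seen:
                seen.add(key(new))
                queue.append((new, path + [(name, src, dst)]))
    steps = [set(p) for p in paths]  # keep only the most reduced paths
    return [p for i, p in enumerate(paths)
            if not any(j != i and steps[j] < steps[i] for j in range(len(paths)))]
```

Because privileges only grow along a path and each reachable privilege set is visited once, the search terminates and the route through both web and mail is discarded as a superset of the route through mail alone.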
Keywords/Search Tags: Network Security Analysis, Vulnerability Detecting, Attack Graph Model, Attack Rules, Privilege Escalation