| As the development of the computer network and the depth of the research to security analysis, the methods based on security model are bring forward constantly. Network attack graph is all important method to analyze the security status of computer network, and it plays a guiding role for the establishment of network security policy. Recently, automatic generating of network attack graph is a hot topic for the domestic and overseas researchers.This thesis analyzes the main content about network security evaluation, including theory relating to security evaluation and major methods of discovering network information and detecting vulnerability. The thesis also analyzes the main models of network security. Aim at attackers usually use one or more known vulnerabilities to intrude the network, the thesis emphatically brings forward the network security evaluation methods based on attack graph.Existing attack graph generation methods have state explosion problems, which caused the scale of the generated graphs to be large. To solve this problem, a depth-first attack graph generation method is proposed on the basis of formal description of network security elements. The depth-first search algorithm is used to find attack paths in the network. The strategies that limited the number of attack steps and the success probability of attack paths are adapted to reduce the scale of the attack graphs. The experimental results indicate that the proposed method is valid to remove the redundancy edges and nodes in the attack graphs, consequently decreases the scale of the attack graphs.At last, we design and implement a network attack generating system. |
PDF Full Text Request