
Research And Application On Network Risk Assessment Using Shell Theory

Posted on: 2012-03-02
Degree: Master
Type: Thesis
Country: China
Candidate: Z S Zhang
Full Text: PDF
GTID: 2218330338468669
Subject: Computer application technology

Abstract/Summary:
As computer networks are applied more and more widely in the enterprise, network security issues become increasingly prominent. These issues, combined with improper safety measures, restrict the development of enterprises. Risk assessment is an important method and a basic task in proactive network defense. Before security risks occur, risk assessment can analyse the threats to a system's confidentiality, integrity and availability by means of effective measures. On this basis, risk assessment can also select appropriate security measures to keep information security risks within an acceptable range.

Networks have now penetrated into various fields. Because each area or unit has its own private information that is confidential to the outside world, there are firewalls, authentication and other security measures between the enterprise information network and the Internet. The subnet is thus like a core and the security controls are its shell, which protects the inside of the network from being violated. In the 1990s the scholar Cao Hongxing presented shell theory to study the perimeter of a system. The key point is to limit the theoretical study of a problem to a range based on its actual characteristics: the inside of the range is the system, the outside is the external environment, and the transfer between the system and the external environment is what is studied.

Based on further study of various standards, models and methods of risk evaluation, this paper chooses vulnerabilities in risk assessment as its subject of study. First, according to research and analysis of major domestic and foreign security vulnerability databases and the actual needs of the enterprise information network, a research vulnerability database is built. Data mining with the improved M-Apriori algorithm is used to construct an association rules database, with the association rules described in the formal description language XML. Then, after analysing the characteristics of existing risk assessment models, a network risk assessment model using shell theory is established from the viewpoint of shell theory. Current attack graph generation methods are analysed and improved, and an attack graph generation algorithm based on subnetting is designed; the attack graph is analysed to extract the attack paths and the key node set of the target network, in order to reinforce the security shell and to achieve risk assessment of the target network from the local to the overall. The rationality and superiority of the designed model and algorithm are verified, and a network security assessment system using shell theory is realized with a modular design, combining theory with practical application in the enterprise information network.
Keywords/Search Tags:risk assessment, vulnerability, attack graph, shell theory