
The Research Of Target Network Environment Integrated Modeling And Display For Network Vulnerability Analysis

Posted on: 2012-09-18
Degree: Master
Type: Thesis
Country: China
Candidate: J Liu
GTID: 2218330362960227
Subject: Army commanding learn

Abstract/Summary:
Networks suffer attacks because network vulnerabilities exist. Currently, an effective method of network vulnerability analysis is based on the construction and analysis of attack graphs: it first describes the target network environment, then comprehensively analyzes the relationships among vulnerabilities, and finally finds and repairs the critical vulnerabilities of the critical targets, which improves the security of the network. For a large-scale network, the data required by vulnerability analysis is varied and difficult to obtain accurately and comprehensively. To support vulnerability analysis for large-scale complex networks, it is necessary to research technologies and methods for constructing various large-scale target network models that fit reality.

This paper researches in depth how to construct a comprehensive model of the network environment and how to display vulnerability analysis results in an intuitive and understandable way. A target network modeling and display method for network vulnerability analysis is proposed to provide a complete data source for the analysis and to display its results. The main contents are as follows:

1. To solve the application network topology modeling problem required by network vulnerability analysis, a network topology modeling method based on zone mapping is proposed. By mapping the network's hierarchical structure to topology zones and abstracting the mapping rules, it constructs a network topology model that fits the hierarchical structure characteristics and laws of the real network. Test results from typical network modeling show that the similarity coefficient between the model and the real network is higher than 96%.

2. To solve the network environment data source problem, two methods are proposed: one distributes vulnerabilities by classification and random selection, and the other deploys security policy hierarchically. Through the 3 steps of topology modeling, vulnerability distribution and security policy deployment, a model can be constructed that provides complete network environment data for network vulnerability analysis.

3. To solve the problem that the attack graph cannot show the network vulnerability analysis result intuitively and comprehensively, a topology-based method for displaying the result is proposed. It maps the attack graph onto the network topology, so that the attack paths, quantitative vulnerability assessment results and repair suggestions are displayed intuitively.

4. Based on the above technologies, a target network modeling and display system is designed and implemented. The test results show that it can create various network models of different scales, provide complete topology, vulnerability and security policy data for network vulnerability analysis, and display the vulnerability analysis result intuitively. The time cost of the system is small.

The work of this paper has been used in an 863 program, where it provides a complete data source for network vulnerability analysis and an effective means of displaying the analysis results.
Keywords/Search Tags:Network Vulnerability analysis, Network Environment Modeling, Network Topology, Display