
Research Of Logic-based Network Security Vulnerability Analysis

Posted on: 2013-04-16  Degree: Master  Type: Thesis
Country: China  Candidate: J J Li  Full Text: PDF
GTID: 2248330395480596  Subject: Computer application technology
Abstract/Summary:
As long as a network is running, it will contain some vulnerabilities. This is because the network provides services to users through servers and terminals, and these in turn rely on hardware and software services that may be flawed and vulnerable. Therefore, detecting vulnerabilities on individual hosts can guarantee neither the complete security of the network nor the smooth delivery of the services in it. In addition, it is not possible to eliminate all vulnerabilities in hardware and software, especially for those who provide network services for large-scale networks. Upgrading and patching can eliminate known vulnerabilities, but may also introduce more unknown vulnerabilities. The goal of network security is to provide network services while maintaining adequate security. To achieve this goal, vulnerability analysis must start from the structure and configuration of the entire network.

However, network vulnerability analyses mainly focus on the description and analysis of known vulnerabilities; there is relatively little research on unknown vulnerabilities, and no unified description and analysis. With the increasing complexity of network structure and the growing number of devices in large networks, the network attack graph generates a vast amount of information. How to find the key resources in this information, to assist the network administrator in enhancing network security, is an important issue for network vulnerability analysis. At the same time, most network vulnerability analysis work remains at the level of theoretical study. Especially in our country, there is no complete network vulnerability analysis tool. Developing a friendly, automatic network vulnerability analysis system is also a problem that needs to be solved.

In this paper, we use formal description and logical reasoning to describe the network and subsequently infer the network attack graph. We set weights on the attack graph nodes and rank the attack resources in the attack graph. After this, the network administrator can find the key resources for security enhancement. Our main work is as follows:

(1) Based on an analysis of the disadvantages of existing ways of describing known and unknown vulnerabilities, we use formal techniques to abstract vulnerability details and to describe the network configuration and known and unknown vulnerabilities.

(2) Based on an analysis of the logic method, we analyse the network configuration and vulnerability information using Horn clauses after describing it formally. We also define the generation of the attack graph, add the concept of arcs to the attack graph, and make clear the various relationships between vertices in the attack graph. Finally, we give some examples of vulnerabilities according to the proposed analysis method, and present a way to increase network security based on the length of the attack sequence.

(3) We modify the generated attack graph and define appropriate weight values for its vertices, used to indicate the possibility of a vulnerability being exploited. We design a method to compute the importance of a resource in the attack sequence, and rank resources by importance after computation to find the key resources in network vulnerability detection.

(4) In the prototype network vulnerability analysis system we developed, we formally describe the network configuration information, analyse it with the vulnerability analysis method, and finally produce the resulting attack graph. This system on the one hand provides an experimental platform for the analysis of network vulnerabilities; on the other hand it demonstrates the rationality of the vulnerability analysis method proposed above.
Keywords/Search Tags: analysis of network vulnerability, formal description, logical reasoning, attack graph, attack sequence