| Incorporating the Penetration Test into the vulnerability assessment stage duringthe Information System Risk Evaluation is conducive for the following reasons: it cancomprehensively identify and analyze the vulnerability that exists in the informationsystem, as well as reflect the actual damage of the system caused by the vulnerabilitythrough the direct use of the vulnerability, offering a quantitative analysis for the finalrisk assessment. However, existing technologies of Penetration Test lack effectiveapproaches to estimate whether the information acquired by security scanning wasaccurate or not. Besides, these technologies just screen the exploitable vulnerability thatwould not affect the stability of the target system. The current existing detectiveapproaches, such as attack tree and attack graph, can comprehensively analyze thesecurity condition of the target system and subsequently detect the vulnerability ofrelevancy caused by several vulnerability existing in the system. However, because theanalytical process cannot coordinate with Site penetration testing, the analytical resultcannot be effectively applied to penetration testing on site.This thesis focuses on the problems of information accuracy estimation,vulnerability exploiting screening and vulnerability relevancy analysis, introducing apenetration testing model base in ontology and attribute-based attack graphs. As a toolof representation of knowledge, Ontology can define the relationship between concepts.Using ontology to describe the knowledge of penetration testing can effectivelyorganize and manage the decentralized knowledge about penetration test, and realize theknowledge of penetration testing sharing and reuse. Complying with the requirementsof ontology technology, this thesis presents the hierarchical concepts and attributes ofpenetration testing knowledge from three aspects: concept, relation and inference.Besides, using OWL Ontology descriptive language to describe the instance ofpenetration tests, and establish ontology in the field of penetration test. Through theestablished ontology of penetration test, we can identify and screen the accuracy andavailability of vulnerability, and make the vulnerability and its associated authority astwo kinds of nodes in the attribute attack graph. We can also use analytical means ofattack graph to analyze the relationship between vulnerabilities, and generatepenetration attack paths. On the basis of theoretical model research, this thesis hasimplemented the prototype system. And the testing results of the prototype system reveals that the penetration testing model established by my work is able to estimate theaccuracy of information effectively. In addition, this model can automate to screen theavailable vulnerability and analyze their relevance, as well as create a penetration attackpath, so that the model can realize automatic information retrieval, analyzinginformation and exploiting the vulnerability about penetration tests. Hence, it is usefulto reduce the difficulty and workload of information analysis, and improve theefficiency of penetration testing. |
PDF Full Text Request