
Autonomous Decision-making Of Network Security Based On Attack Graph

Posted on: 2016-04-07
Degree: Master
Type: Thesis
Country: China
Candidate: Q Li
Full Text: PDF
GTID: 2308330464961747
Subject: Computer application technology
Abstract/Summary:
With the development of computer and network communication technology, networks continue to grow in scale and people rely on them more, but they also face great security risks. Vulnerabilities in network systems are unavoidable, so network security incidents continue to occur, which presents a huge challenge for security analysis and defense work. If only a single vulnerability is analyzed, it is hard to make a defense decision. Attack graph technology makes it possible to analyze how vulnerabilities are associated. It shows, in graphical form, all possible paths that an intruder may take, and it describes the relationships between the vulnerabilities in the network, which provides evidence for identifying intrusion intent and potential threats.

In this paper, attack graph modeling, the key technologies of attack graph generation, and attack graph analysis techniques were studied. The existing graph model, generation algorithm and minimization analysis algorithms for the attack graph were then improved. Specifically, the research work of this paper includes the following.

First, after the concepts of the attack graph were introduced, a network security defense framework based on the attack graph was proposed. It consists of three modules: modeling and representation of network security factors, efficient defense graph generation, and decision-making on a minimum critical set of countermeasures.

In the first module, a defense strategy model and its construction method were proposed based on the existing attack graph model. Compared with the traditional attack graph model, the improvement is that the model takes the perspective of the defender as well as that of the attacker, adding a defense strategy module for cyber-attacks. The defense strategy module was constructed by classifying strategies and quantifying strategy costs, which can optimize the allocation of network security resources during decision-making.

In the second module, an efficient method for generating the defense graph was presented according to the defense strategy model. It aims to exclude redundant paths in order to avoid the state explosion problem of existing attack graph generation methods.

Minimization analysis of the generated defense strategy graph forms the third module. The problem of finding a critical set of countermeasures with minimum weight was proposed first, and three approximation algorithms, Greedy_WDG, Ant_WDG and BPSO_WDG, were built to solve it. According to the scale of the defense graph, the module itself can choose which algorithm to use. The security analysis may also choose a different level of defense decision based on different network environments and defense needs.

Finally, experiments were carried out with the three algorithms in network environments of different scales. In addition, to study the BPSO_WDG algorithm in depth, experiments were carried out on its parameters. The experimental results show that the BPSO_WDG algorithm performs better than the others.
Keywords/Search Tags:Defense strategy model, defense cost, ant colony algorithm, binary particle swarm optimization, Minimization Analysis
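
The minimum-weight critical countermeasure set described in the abstract can be read as a weighted hitting-set problem over attack paths; that reading is an assumption made here. The following is an added example, not code from the thesis: a generic greedy heuristic with a pruning pass (not the thesis's Greedy_WDG), run on constructed paths, countermeasure names and costs.

```python
# Added example: generic greedy weighted hitting set, not the thesis's Greedy_WDG.
# All exploit steps, countermeasure names and costs below are constructed.

# Each attack path is the set of exploit steps the intruder must complete.
ATTACK_PATHS = {
    "p1": {"web_rce", "db_sqli"},
    "p2": {"web_rce", "ssh_bruteforce", "db_local_priv"},
    "p3": {"vpn_weak_psk", "ssh_bruteforce", "db_local_priv"},
    "p4": {"vpn_weak_psk", "db_sqli"},
}

# Countermeasure -> (cost, exploit steps it removes from the graph).
COUNTERMEASURES = {
    "patch_web": (4.0, {"web_rce"}),
    "rotate_vpn_psk": (3.0, {"vpn_weak_psk"}),
    "waf_sql_rules": (2.0, {"db_sqli"}),
    "ssh_key_only": (1.0, {"ssh_bruteforce"}),
    "patch_db_kernel": (5.0, {"db_local_priv"}),
}

def cut_paths(blocked_steps, paths):
    """Names of the attack paths broken when these steps are blocked."""
    return {name for name, steps in paths.items() if steps & blocked_steps}

def greedy_critical_set(paths, measures):
    """Pick countermeasures until every path is cut, cheapest per cut path first."""
    uncut, chosen = set(paths), []
    while uncut:
        best, best_ratio = None, float("inf")
        for name, (cost, steps) in sorted(measures.items()):
            if name in chosen:
                continue
            gain = len(cut_paths(steps, paths) & uncut)
            if gain and cost / gain < best_ratio:
                best, best_ratio = name, cost / gain
        if best is None:
            raise ValueError(f"no countermeasure cuts paths: {sorted(uncut)}")
        chosen.append(best)
        uncut -= cut_paths(measures[best][1], paths)
    # Prune: drop any pick that later picks made redundant, dearest first.
    for name in sorted(chosen, key=lambda n: -measures[n][0]):
        rest = [n for n in chosen if n != name]
        blocked = set().union(*(measures[n][1] for n in rest))
        if cut_paths(blocked, paths) == set(paths):
            chosen = rest
    return sorted(chosen), sum(measures[n][0] for n in chosen)

if __name__ == "__main__":
    print(greedy_critical_set(ATTACK_PATHS, COUNTERMEASURES))
```

The greedy pass alone gives only an approximation; the pruning pass removes picks that became unnecessary, which matters when a broad countermeasure is chosen early and narrower ones later cover the same paths.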