
The Study On Defense In Information Security Based On Bayesian Network

Posted on: 2016-04-01
Degree: Master
Type: Thesis
Country: China
Candidate: Y F Wang
GTID: 2308330503955551
Subject: Management Science and Engineering

Abstract/Summary:
The global development of information technology has carried information into fields such as politics and the economy. However, it has also made illegal acts that endanger information systems more widespread and brought information security into focus. Active defense technologies for information security have therefore emerged as a complement to passive defense technologies.

At present, active defense technologies for information security mainly work by assessing the security situation and predicting security threats. From a technical point of view, this paper studies methods for evaluating both the overall security of target systems and the severity of their vulnerabilities, and for predicting the attack path. The main innovations are as follows:

1) A method is proposed to effectively evaluate both the overall security of networks and the severity of vulnerabilities. First, by analyzing the correlation between atomic attacks and attack evidence, a detection algorithm named CRDA is presented to determine the causation between them. Then, based on the system architecture of the attack model, a Bayesian network termed the Bayesian Attack Graph (BAG) is defined and an algorithm named BAGA is proposed to identify vulnerabilities in a timely and effective manner. Finally, the threat of a vulnerability is defined. On this basis, the threats of vulnerabilities can be divided into different levels, according to the privileges attackers obtain by exploiting the vulnerabilities successfully, in order to evaluate their severity. The experiment shows that the method is feasible and effective for evaluating both the overall security of networks and the severity of vulnerabilities.

2) A method based on Bayesian inference is proposed to accurately compute node belief in the NAG so as to predict attack paths in networks. First, this paper proposes the NAG model. Then, by analyzing the cost-benefit of child attack paths, a model of attack feasibility is proposed and an algorithm for generating attack paths is designed to eliminate path redundancy as far as possible. On this basis, the likelihood weighting algorithm is improved to support the path-generation algorithm, so that it effectively avoids the problem of incorrect computation and improves the accuracy of node belief. The final experimental results show that the method can effectively eliminate path redundancy, evidently improve the accuracy of node belief, and consequently enhance the validity of attack path prediction.

3) A method is proposed to compute the conditional probability and the node belief so as to solve the problem of incorrect probability computation, which is caused by shared dependencies and by incorrect computation of the conditional probability. First, by analyzing the correlation between attack cost and the likelihood that network attacks can be exploited by attackers, we propose an approach for computing the conditional probability. Second, by using d-separation to establish conditional independence between nodes within the Bayesian network, we give an approach for computing node belief that avoids the problem caused by shared dependencies between nodes. The final experimental results show that our method can effectively address the problem of incorrect probability computation, evidently improve the accuracy of node belief, and consequently enhance the validity of prediction for the propagation paths of network threats.
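The shared-dependency problem named in innovation 3, shown as an added example that is not code from the thesis: the four-node graph, its node names and every probability below are constructed for illustration. It compares a belief computed by multiplying marginals as if sibling nodes were independent against exact enumeration, and against conditioning on the shared parent first, which is the standard use of d-separation rather than the thesis's own algorithm.

```python
from itertools import product

# Constructed attack graph (assumption, not from the thesis):
# A = foothold on a web server; B and C = two exploits that both require A;
# D = database compromise, reachable through B or C (noisy-OR).
PRIOR_A = 0.6
P_B_GIVEN_A = 0.8
P_C_GIVEN_A = 0.5
P_D_VIA_B = 0.9
P_D_VIA_C = 0.7

def p_d_given(b, c):
    """Noisy-OR: D fails only if the exploit from every active parent fails."""
    fail = 1.0
    if b:
        fail *= 1 - P_D_VIA_B
    if c:
        fail *= 1 - P_D_VIA_C
    return 1 - fail

def joint(a, b, c, d):
    """Joint probability by the chain rule over the DAG A -> {B, C} -> D."""
    pa = PRIOR_A if a else 1 - PRIOR_A
    pb_true = P_B_GIVEN_A if a else 0.0   # B is impossible without A
    pc_true = P_C_GIVEN_A if a else 0.0   # C is impossible without A
    pb = pb_true if b else 1 - pb_true
    pc = pc_true if c else 1 - pc_true
    pd_true = p_d_given(b, c)
    pd = pd_true if d else 1 - pd_true
    return pa * pb * pc * pd

def exact_belief_d():
    """Ground truth: sum the joint over every state of A, B and C."""
    return sum(joint(a, b, c, True) for a, b, c in product([False, True], repeat=3))

def naive_belief_d():
    """Multiplies the marginals of B and C, ignoring their shared parent A."""
    pb = PRIOR_A * P_B_GIVEN_A
    pc = PRIOR_A * P_C_GIVEN_A
    return 1 - (1 - pb * P_D_VIA_B) * (1 - pc * P_D_VIA_C)

def conditioned_belief_d():
    """B and C are d-separated given A, so the product rule is valid under A."""
    p_d_given_a = 1 - (1 - P_B_GIVEN_A * P_D_VIA_B) * (1 - P_C_GIVEN_A * P_D_VIA_C)
    return PRIOR_A * p_d_given_a

if __name__ == "__main__":
    print(exact_belief_d(), naive_belief_d(), conditioned_belief_d())
```

On this graph the naive product overstates the belief in D because it counts the prior of A once per path, so a defender ranking targets by node belief would misjudge the exposure of D.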
Keywords/Search Tags: Bayesian Attack Graph, Threat of vulnerability, Attack path, Likelihood weighting, D-separation, Attack cost