
Quantitative Evaluation Of Vulnerability Exploitability Based On Attack Graph

Posted on: 2019-01-27
Degree: Master
Type: Thesis
Country: China
Candidate: K N Lei
Full Text: PDF
GTID: 2428330572451995
Subject: Cryptography
Abstract/Summary:
With the thriving of the Internet, it has penetrated into every area of people's lives. While the Internet brings a great deal of convenience, it also introduces a series of security threats. Internet attacks now take many forms and can no longer be ignored. Currently, the analysis of network vulnerability is a significant task in the field of Internet security research. The approach based on simulating an attack along attack paths is prevalent, and it is also both the focus and the difficult point of the field. This approach reflects the relationships among all the vulnerabilities, which helps network security administrators decide which security patches to apply. Previous work on attack paths has generally produced either a state attack graph or an attribute attack graph. However, both graphs are too complex to represent the relationships between vulnerabilities simply and intuitively, and researchers must analyze these complex graphs before patching the network, which is very inefficient. Meanwhile, a quantifiable value for the exploitability of a single vulnerability is the mathematical basis for calculating the probability of attack success from the vulnerability relation graph, yet only a few works have been devoted to it.

In view of these two problems, this thesis carries out a series of works. The main contributions and innovations are as follows.

A more intuitive vulnerability relation graph is proposed, based on the analysis of network nodes and the simplification of the state attack graph and the attribute attack graph. The vulnerability relationship is modeled using node attributes, network topology information, local vulnerability attributes and unit attack conditions. The generated attack graph presents the relationships between vulnerabilities simply and intuitively and simulates the attack. Finally, the probability of a successful attack along every attack path in the graph is calculated to determine the repair order of the vulnerabilities.

At present, the most widely used vulnerability assessment system is CVSS. However, this thesis finds that CVSS has only 23 distinct score values, the diversity of the scores is insufficient, and the vulnerability scores are too concentrated, which is not conducive to global vulnerability detection. To address this shortcoming of CVSS, the thesis first shows through data statistics that the vulnerability type affects vulnerability exploitability, although existing standards do not take it as one of the evaluation factors. In order to make the evaluation system more objective and accurate, we quantify the vulnerability types using AHP, propose EOVSS and optimize CVSS.

The thesis builds a simulation network environment. First, we model the node information from which the vulnerability graph is built. In order to compare the accuracy of EOVSS, we obtain the exploitability of each single vulnerability in three ways (EOVSS, CVSS and WIVSS), calculate the probability of successfully exploiting a single vulnerability and the success probability of each single effective attack path, and make a comparative analysis. Experiments show that EOVSS has high accuracy and diversity. Meanwhile, global vulnerability detection in the network environment is also analyzed.
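The abstract describes two calculations without showing them: weighting vulnerability types with AHP, and ranking attack paths in a vulnerability relation graph by the product of single-vulnerability exploitability values to decide a repair order. The following Python block is an added illustration written for this page, not code from the thesis, and it does not reproduce EOVSS. The graph, the type labels, the pairwise judgement matrix and the exploitability probabilities are all constructed; the assumptions that exploits along a path are independent (so the path probability is a product) and that repair priority is chosen by greedily minimizing total path exposure are mine, not the author's.

```python
import math

# ---------------------------------------------------------------------------
# Part 1: AHP priority weights for vulnerability types.
# The judgement matrix and type labels are CONSTRUCTED for illustration; the
# thesis's own type list and matrix are not on the page.
# ---------------------------------------------------------------------------
VULN_TYPES = ["buffer_overflow", "injection", "info_disclosure"]  # assumed labels
PAIRWISE = [            # A[i][j]: preference of type i over type j (Saaty 1..9 scale)
    [1.0, 2.0, 4.0],
    [0.5, 1.0, 2.0],
    [0.25, 0.5, 1.0],
]
RANDOM_INDEX = {1: 0.0, 2: 0.0, 3: 0.58, 4: 0.90, 5: 1.12, 6: 1.24}  # Saaty's RI table


def ahp_weights(matrix):
    """Geometric-mean approximation of the AHP priority vector, plus the
    consistency ratio (CR below 0.1 is the usual acceptance threshold)."""
    n = len(matrix)
    geo = [math.prod(row) ** (1.0 / n) for row in matrix]
    total = sum(geo)
    weights = [g / total for g in geo]
    # lambda_max estimated as the mean of (A w)_i / w_i
    aw = [sum(matrix[i][j] * weights[j] for j in range(n)) for i in range(n)]
    lam_max = sum(aw[i] / weights[i] for i in range(n)) / n
    ci = (lam_max - n) / (n - 1) if n > 1 else 0.0
    cr = ci / RANDOM_INDEX[n] if RANDOM_INDEX[n] else 0.0
    return weights, cr


# ---------------------------------------------------------------------------
# Part 2: attack-path success probability and repair order.
# Edge u -> v means that exploiting u satisfies the precondition for trying v.
# Graph and probabilities are CONSTRUCTED sample data.
# ---------------------------------------------------------------------------
EDGES = {
    "entry": ["v1", "v2"],
    "v1": ["v3"],
    "v2": ["v3", "v4"],
    "v3": ["target"],
    "v4": ["target"],
    "target": [],
}
# Single-vulnerability exploitability as a probability in (0, 1] (constructed).
EXPLOITABILITY = {"v1": 0.9, "v2": 0.6, "v3": 0.5, "v4": 0.7}


def attack_paths(graph, src, dst):
    """All simple paths from src to dst (depth-first, cycles skipped)."""
    paths, stack = [], [(src, [src])]
    while stack:
        node, path = stack.pop()
        if node == dst:
            paths.append(path)
            continue
        for nxt in graph.get(node, []):
            if nxt not in path:
                stack.append((nxt, path + [nxt]))
    return paths


def path_success(path, exploitability):
    """Probability that every exploit on the path succeeds (independence assumed)."""
    return math.prod(exploitability[v] for v in path if v in exploitability)


def rank_paths(graph, exploitability, src="entry", dst="target"):
    """Paths sorted from most to least likely to succeed."""
    scored = [(path_success(p, exploitability), p) for p in attack_paths(graph, src, dst)]
    return sorted(scored, key=lambda t: t[0], reverse=True)


def total_exposure(graph, exploitability, src="entry", dst="target"):
    """Sum of success probabilities over all attack paths (my ranking criterion)."""
    return sum(p for p, _ in rank_paths(graph, exploitability, src, dst))


def without(graph, node):
    """Copy of the graph with one vulnerability node (and its edges) removed."""
    return {k: [n for n in nbrs if n != node] for k, nbrs in graph.items() if k != node}


def repair_order(graph, exploitability, src="entry", dst="target"):
    """Greedy patch order: at each step remove the vulnerability whose repair
    lowers total exposure the most, until no attack path remains.
    Ties are broken by dictionary insertion order."""
    remaining, order = dict(exploitability), []
    while attack_paths(graph, src, dst) and remaining:
        best_node, best_exposure = None, None
        for v in remaining:
            exposure = total_exposure(without(graph, v), remaining, src, dst)
            if best_exposure is None or exposure < best_exposure:
                best_node, best_exposure = v, exposure
        order.append(best_node)
        remaining.pop(best_node)
        graph = without(graph, best_node)
    return order


if __name__ == "__main__":
    w, cr = ahp_weights(PAIRWISE)
    for name, weight in zip(VULN_TYPES, w):
        print(f"{name:17s} weight={weight:.3f}")
    print(f"consistency ratio={cr:.4f}")
    for prob, path in rank_paths(EDGES, EXPLOITABILITY):
        print(f"{prob:.3f}  {' -> '.join(path)}")
    print("repair order:", repair_order(EDGES, EXPLOITABILITY))
```

On the sample data the three paths score 0.45, 0.42 and 0.30, and the greedy order patches v3 first (it sits on two of the three paths) and then v2, after which the target is unreachable. The AHP weights would feed a type factor into a per-vulnerability score; how EOVSS combines that factor with the CVSS metrics is not described on this page, so the block stops at the weight vector.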
Keywords/Search Tags: Vulnerability, Exploitability, Attack path, Analytic hierarchy process, Vulnerability type