Research On Automatic Evaluation And Optimization Of Network Security Defense System

With the rapid development of network information technologies,the degree of social informatization has become more and more higher.However,there are lots of security issues in information systems while providing users various information services,such as data leakage,denial of service attack,ransomware,etc.To solve the challenges mentioned above,various security devices are widely used to build network security defense systems for improving the security of information systems.Nevertheless,the security issues cannot be completely solved by deploying security devices.Therefore,how to quantify and evaluate the security of the network security defense system,understand the status of defending attack,and guide the security staffs to optimize the deployment of security devices has become an urgent problem in the network security field.Most existing security quantization and evaluation schemes mainly focus on the security risk in information systems,while there are few schemes measuring the defense effect of the whole network security defense system.Meanwhile,how to quantitatively associate the influence factors of security with the security defense system,the defense capabilities of single security device with the defense effect of the defense system,and optimize the defense effect has become the bottlenecks in quantitating and evaluating the defense effect for defense systems.In order to solve the above-mentioned problems,this thesis proposes evaluation and optimization schemes for network security defense system,and there is an application example of the proposed schemes.Specifically,the main work of this thesis can be summarized as follows:First,to solve the problem of quantization and evaluation for the network security defense system,this thesis proposes the network security model of information system,and formally describes the relationship between the network behavior,security threat,network attack,defense capability of security devices and other elements in the information system.Then,a network security defense system evaluation scheme is constructed based on the analytic hierarchy process.Through defining the quantitative indicators with security threat risk severity and defense response action of security devices,the scheme achieves the quantization and evaluation of the security defense system.Moreover,the missing and defects during the network security defense system design can also be found with the proposed scheme.Second,in order to solve the optimization problem of network security defense system,this thesis designs a rule-based algorithm for traversing deployment methods of security devices,and proposes a network security defense system optimization scheme based difference optimization and importance analysis of single security device.This thesis can generate various effective security device deployment methods on the premise of solving the result space explosion problem,and achieve the optimal deployment method of the security defense system by comparing the quantified values of the defense effects at the same time.The deployment location errors of security devices and duplicate functions problems in the network security defense system are solved.Third,based on the proposed network security defense system evaluation and optimization schemes,a system for evaluating and optimizing defense system is designed.The application analysis of the schemes is carried out in combination with the actual scenario.Through the evaluation and optimization of the security defense system in the actual scenario,it is proved that the proposed evaluation and optimization schemes for network security defense systems are reasonable and effective in practical application.