A Network Security Risk Assessment Method Based On Software Behavior

Risk assessment is extremely important for the construction and operation of network security since only by understanding the risk situation faced by the system,can we achieve targeted security control.Traditional risk assessment methods are faced with many problems.Among them,standard inspection qualitatively assesses system risks in the way of static security standards comparison,which is difficult to reflect the actual effect of various security measures.Moreover,vulnerability scanning based assessment methods cannot reflect the actual threats faced by the system.That is to say,it is difficult to reflect the real risk level of the system.Furthermore,the risk assessment based on intrusion detection has a high false alarm rate.Therefore,we need a quantitative risk assessment method which can represent the real security state of the system.In view of various problems and limitations in the current research and practice of network security risk assessment,this paper proposed a quantitative network security assessment method based on software behavior.Compared with traditional risk assessment methods,the method proposed in this paper has the following advantages.At first,it took software behavior as the assessment index of system security risk level to ensure the objectivity and accuracy of the assessment results.Additionally,it used the number and scope of untrusted software behavior that can be accurately measured as input parameters of system security risk assessment,which ensured the accuracy and interpretability of the assessment results.Finally,it not only took the number and scope of the current untrusted software behaviors as the input parameters of the system security risk assessment,but also took the security risk level before the current time as the input parameter of the current security risk level of system,which reflected the mutual influence between security states of system at different times.This made assessment result more reasonable.The main contents of this paper are as follows:(1)A quantitative risk assessment method based on software behavior was proposed.Based on the trustworthy judgment mechanism,this paper made a trustworthy judgment and measurement of the software behavior of the system.By identifying and recording unsafe software calls outside the program whitelist,this method used HMM model to train and predict and obtained a reliable level of system risk,so as to achieve quantitative assessment.Finally,we verified the rationality of this method through experiments.(2)An identification and processing method of software online upgrade process was proposed.Distinguishing the unknown but trusted code in the software online upgrade process from the truly untrusted code improved the accuracy and practical application ability of the risk assessment method.An experiment was designed to verify this method.(3)An identification and labeling method of active malicious code attack was proposed.This method distinguished the malicious code attack behavior and the user's violation operation in the non-security software behavior,and achieved the distinction between the security technology risk and the security management risk,which improves the ability of risk assessment method to refine risk property analysis.The feasibility of this method was verified by experiments.