一种网络安全脆弱性评估方法

周诚; 李伟伟; 莫璇; 李千目

doi:10.3969/j.issn.1671-7775.2017.01.013

PDF(2168 KB)

江苏大学学报（自然科学版） ›› 2017, Vol. 38 ›› Issue (1) : 67-77. DOI: 10.3969/j.issn.1671-7775.2017.01.013

论文

一种网络安全脆弱性评估方法

作者信息 +

A assessment method of network security vulnerability

Author information +

文章历史 +

摘要

针对WIVSS默认评分机制无法体现脆弱点复杂性和多样性的缺点,对脆弱性分析理论与脆弱点评分技术进行分析,在通用脆弱点评分系统(common vulnerability scoring system, CVSS)基础上进行改进,设计了一种更具多样性且更能反映实际情况的脆弱点评分方法.该脆弱点评分方法主要由分析后得出的一系列实际系统约束规则出发,使用最优脆弱点评分权值组合搜索算法和基于信息熵的权值组合选择算法,联合确定目标网络的最优脆弱点评分权值组合,最终实现对脆弱点的最优评分.结果表明,文中方法确定的目标网络最优脆弱点评分权值组合保证了脆弱点多样性, 弥补了WIVSS的不足.

Abstract

To reflect the complexity and diversity of vulnerability for the WIVSS scoring mechanism, the frequently used vulnerability analysis theory and vulnerability scoring method were analyzed. A new vulnerability scoring method was designed based on common vulnerability scoring system (CVSS) to reflect the complexity of vulnerabilities well. According to a set of actual system constraint rules from analysis, the optimum combination search algorithm of fragile comment decentralization values and the selection algorithm of information entropy weights portfolio were used to determine the optimal decentralization vulnerable reviews combination of values by the target network, and the best scores of vulnerable points were obtained. The results show that the proposed weight combination of vulnerability can ensure the diversity of vulnerability point and improve the WIVSS.

导出引用

周诚, 李伟伟, 莫璇, 等. 一种网络安全脆弱性评估方法[J]. 江苏大学学报（自然科学版）, 2017, 38(1): 67-77 https://doi.org/10.3969/j.issn.1671-7775.2017.01.013

ZHOU Cheng, LI Wei-Wei, MO Xuan, et al. A assessment method of network security vulnerability[J]. Journal of Jiangsu University(Natural Science Edition), 2017, 38(1): 67-77 https://doi.org/10.3969/j.issn.1671-7775.2017.01.013

参考文献

［1］SPANOS G, ANGELIS L. Impact metrics of security vulnerabilities: analysis and
weighing［J］. Information Security Journal:A Global Perspective, 2015, 24(1／2／
3):57-71.
［2］LI Q M. Multiple QoS constraints finding paths algorithm in TMN［J］.
InformationAn International Interdisciplinary Journal,2011, 14(3): 731-737.
［3］LI Q M, LI J. Rough outlier detection based security risk analysis methodology
［J］. China Communications, 2012, 9(7): 14-21.
［4］LI Q M, HOU J, QI Y, et al. The rule engineer model on the highspeed
processing of disaster warning information［J］. Disaster Advances, 2012, 5(4):
1196-1201.
［5］LI Q M, ZHANG H. Information security risk assessment technology of cyberspace:
a review［J］. InformationAn International Interdisciplinary Journal, 2012, 15
(11A): 4677-4683.
［6］陈小军,方滨兴,谭庆丰,等. 基于概率攻击图的内部攻击意图推断算法研究［J］. 计算机
学报,2014, 37(1):62-72.
CHEN X J, FANG B X, TAN Q F, et al. Inferring attack intent of malicious insider
based on probabilistic attack graph model［J］. Chinese Journal of Computers, 2014,
37(1):62-72. (in Chinese)
［7］ALHOMIDI M, REED M. Risk assessment and analysis through populationbased
attack graph modelling［C］∥Proceedings of the 2013 World Congress on Internet
Security. Piscataway:IEEE Computer Society, 2013: 19-24.

［8］ISLAM T, WANG L Y. A heuristic approach to minimumcost network hardening
using attack graph［C］∥Proceedings of the 2008 New Technologies, Mobility and
Security Conference and Workshops. Piscataway:IEEE Computer Society, 2008,doi:
10.1109／NTMS.2008.ECP.9.
［9］CHEN F, LIU D H, ZHANG Y, et al. A scalable approach to analyzing network
security using compact attack graphs［J］. Journal of Networks, 2010, 5(5):543-550.
［10］朱叶青,牛德姣,蔡涛,等. 不同网络环境下大数据系统的测试与分析［J］.江苏大学学报(
自然科学版),2016,37(4):429-437.
ZHU Y Q, NIU D J, CAI T, et al. Test and analysis of big data system in different
network environment ［J］. Journal of Jiangsu University (Natural Science Edition),
2016, 37(4):429-437. (in Chinese)