Journal of Software:2011.22(6):1398-1412

(国防科学技术大学 计算机学院,湖南 长沙 410073;国防科学技术大学 计算机学院,湖南 长沙 410073;湘南学院 数学系,湖南 郴州 423000)
Uncertain-Graph Based Method for Network Vulnerability Analysis
LIU Qiang,YIN Jian-Ping,CAI Zhi-Ping,CHENG Jie-Ren
(School of Computer, National University of Defense Technology, Changsha 410073, China;School of Computer, National University of Defense Technology, Changsha 410073, China; Department of Mathematics, Xiangnan University, Chenzhou 423000, China)
Chart / table
Similar Articles
Article :Browse 3912   Download 4360
Received:July 05, 2009    Revised:December 25, 2009
> 中文摘要: 网络漏洞分析是提高网络安全性的重要基础之一.以主机为中心的漏洞分析方法可在多项式时间内生成攻击图,但是没有考虑网络链路本身存在的不确定性.提出了一种基于不确定图的网络漏洞分析方法,采用链路不确定度以准确地描述网络链路状态,使得求解最佳利用链成为可能.在此基础上,提出了一种时间复杂度为O(n4)的不确定攻击图生成算法;基于不确定攻击图提出了一种时间复杂度为O(n3)的最佳利用链生成启发式算法.实验结果表明,该方法能在可接受的时间内生成不确定攻击图,找到一条攻击效益最佳的漏洞利用链.
Abstract:Network vulnerability analysis is one of the irreplaceable foundations of network security. Host- centric methods of vulnerability analysis can generate an attack graph in polynomial time, whereas the inherent link uncertainty has not been of a concern. An uncertain-graph based method for network vulnerability analysis is proposed in this paper, which uses link uncertainties to describe link states accurately. In this way, finding an optimal exploit chain becomes feasible. An algorithm for generating an uncertain attack graph (UAG) is proposed, whose running time is O(n4). Next, a heuristic algorithm to that can generate the optimal exploit chain, on the basis of UAG, is proposed, which runs in O(n3) time. Experimental results show that this method can generate UAG in an acceptable amount time and find a vulnerability exploit chain with a maximum attack benefit.
文章编号:     中图分类号:    文献标志码:
基金项目:国家自然科学基金(60970034, 61070198, 60903040); 湖南省自然科学基金(06JJ3035); 湖南省教育厅资助科研项目(07C718) 国家自然科学基金(60970034, 61070198, 60903040); 湖南省自然科学基金(06JJ3035); 湖南省教育厅资助科研项目(07C718)
Foundation items:
Reference text:


LIU Qiang,YIN Jian-Ping,CAI Zhi-Ping,CHENG Jie-Ren.Uncertain-Graph Based Method for Network Vulnerability Analysis.Journal of Software,2011,22(6):1398-1412