Chen Xiuzhen, Li Jianhua, Zhang Shaojun, et al. Quantitative assessment of privilege validity for security situation awareness [J]. Journal of Southeast University (Natural Science Edition), 2009, 39(4): 742-746. [doi:10.3969/j.issn.1001-0505.2009.04.018]

Quantitative assessment of privilege validity for security situation awareness (面向安全态势的权限有效性定量评估方法)

Journal of Southeast University (Natural Science Edition) [ISSN:1001-0505/CN:32-1178/N]

Volume: 39
Issue: 2009, No. 4
Pages: 742-746
Section: Computer Science and Engineering
Publication date: 2009-07-20

Article Info

Title:
Quantitative assessment of privilege validity for security situation awareness
Authors:
Chen Xiuzhen (陈秀真), Li Jianhua (李建华), Zhang Shaojun (张少俊), Fan Lei (范磊)
Affiliations:
School of Information Security Engineering, Shanghai Jiao Tong University, Shanghai 200240, China
Shanghai Key Lab of Overall Management Technology Research of Information Security, Shanghai 200240, China
Keywords:
network security; situation awareness; Markov model; privilege validity
CLC number:
TP393
DOI:
10.3969/j.issn.1001-0505.2009.04.018
Abstract:
Targeting the privilege-validity index used in security situation assessment, this paper proposes a novel method for quantitatively assessing privilege validity by fusing network traffic, intrusion detection system (IDS) alerts and scanning information. Taking user privilege as the security objective, intrusion footprints that threaten the user privilege are constructed from network sessions. A Markov model is then used to compute the mean intrusion effort required to compromise the security objective, from which privilege validity is quantified. Experimental results show that the privilege validity index is close to 0 when the monitored system is subjected to a buffer overflow attack. The method can assess in real time the threat that buffer overflow exploits pose to the system's privilege validity, and effectively monitor changes in the system's security situation caused by hackers' actions. Compared with other evaluation methods, it takes into account the causal relationships between alerts and reduces the effect of IDS false positives and invalid intrusion information on the precision of security situation assessment. Moreover, it helps administrators understand hackers' attack steps, judge the system's security status and identify high-risk intrusion footprints.

Memo:
Author biography: Chen Xiuzhen (born 1977), female, PhD, lecturer, chenxz@sjtu.edu.cn.
Funding: National Natural Science Foundation of China (60605019, 6077209); Doctoral Fund of the Ministry of Education of China (20070248002); National High Technology Research and Development Program of China (863 Program) (2007AA01Z473).
Last Update: 2009-07-20