Computer Engineering and Design (计算机工程与设计), 2024, Vol. 45, Issue 6: 1607-1614. DOI: 10.16208/j.issn1000-7024.2024.06.002

Analysis method of minimum critical vulnerability set based on partial attack graph

Shen Xiaomeng (沈霄梦) 1, Xu Bingfeng (徐丙凤) 2, He Gaofeng (何高峰) 3

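Author information

  • 1. College of Information Science and Technology, Nanjing Forestry University, Nanjing 210037, Jiangsu, China
  • 2. College of Information Science and Technology, Nanjing Forestry University, Nanjing 210037, Jiangsu, China; Key Laboratory of Safety-Critical Software Development and Verification (Ministry of Industry and Information Technology), Nanjing University of Aeronautics and Astronautics, Nanjing 211106, Jiangsu, China
  • 3. School of Internet of Things, Nanjing University of Posts and Telecommunications, Nanjing 210003, Jiangsu, China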

Abstract

Attack graphs are prone to state space explosion when applied to industrial Internet security protection. To alleviate this problem, a minimum critical vulnerability set analysis method based on partial attack graphs is proposed. A partial attack graph generation algorithm that targets important asset nodes alleviates state space explosion by pruning attack paths that cannot reach the target node. The minimum critical vulnerability set is then analyzed directly from the attack path vulnerability sets obtained while generating the partial attack graph, which saves the time and space overhead that traditional analysis methods incur by traversing the attack graph a second time to search for critical vulnerabilities. On this basis, an industrial network example is analyzed and compared with related work. Experimental results show that the proposed method is reasonable and feasible, and can efficiently analyze the minimum critical vulnerability set of a network system.

Key words

industrial internet/attack graph/critical vulnerability set/state space explosion/network security/partial attack graph generation/security defense

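Funding

National Natural Science Foundation of China, Young Scientists Fund (61802192)

National Natural Science Foundation of China, Young Scientists Fund (61702282)

Nanjing University of Aeronautics and Astronautics Research Base Innovation Fund (Science and Engineering) (NJ2020022)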

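Publication year

2024
Computer Engineering and Design (计算机工程与设计)
Institute 706, Second Academy of China Aerospace Science and Industry Corporation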

Indexed in: CSTPCD, Peking University Core Journals
Impact factor: 0.617
ISSN: 1000-7024
Number of references: 5