Journal of Command and Control 2024, Vol. 10, Issue (1): 38-46. DOI: 10.3969/j.issn.2096-0204.2024.01.0038

Risk Analysis of XSS Based on Bayesian Network and STRIDE Model

Authors: 周鋆 (1), 符鹏涛 (1)

Author information

  • 1. National Key Laboratory of Information Systems Engineering, National University of Defense Technology, Changsha 410000

Abstract

Bayesian networks are widely used in risk analysis because they can model events and give a compact probabilistic representation. For XSS attacks, a Bayesian network structure is built on the STRIDE threat model, and the prior probabilities of the nodes are obtained from expert experience and ranked nodes. On this basis, a rejection sampling algorithm is used to generate a data set, from which the parameters of the Bayesian network are learned. Bayesian network inference is then used to compute the risk of XSS attacks against a Web system, locating the weaknesses so that the corresponding protective measures can be strengthened and active defense achieved.
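To make the pipeline the abstract describes concrete (STRIDE-derived structure, ranked-node priors, rejection sampling to build a data set, parameter learning, and inference to locate the weakest links), the following Python is an added example written for this page; it is not the authors' model, data or code. The five-node network, the STRIDE letters attached to the root nodes, the expert ranks, the linear rank-to-probability mapping and every conditional probability are constructed assumptions chosen only to exercise the method.

```python
import random
from itertools import product

# Toy network constructed for this example. Each node carries the STRIDE letter an
# analyst assigned it; structure, ranks and probabilities are hypothetical.
PARENTS = {
    "T_unvalidated_input": [],        # Tampering: request data not validated
    "I_missing_output_encoding": [],  # Information disclosure: data echoed unencoded
    "E_no_csp": [],                   # Elevation of privilege: no Content-Security-Policy
    "xss_injection": ["T_unvalidated_input", "I_missing_output_encoding"],
    "xss_risk": ["xss_injection", "E_no_csp"],
}
ORDER = list(PARENTS)  # insertion order is topological

# Expert ranks on a 1..5 ordinal scale for the root weaknesses (constructed).
EXPERT_RANKS = {"T_unvalidated_input": 4, "I_missing_output_encoding": 3, "E_no_csp": 2}

def rank_to_prior(rank, scale=5):
    """Ranked-node prior: assumed linear map from rank to P(True) (bucket midpoint)."""
    return (rank - 0.5) / scale

# CPT: (node, parent values in PARENTS order) -> P(node=True). Roots come from ranks.
TRUE_CPT = {(n, ()): rank_to_prior(r) for n, r in EXPERT_RANKS.items()}
TRUE_CPT.update({
    ("xss_injection", (True, True)): 0.90, ("xss_injection", (True, False)): 0.60,
    ("xss_injection", (False, True)): 0.40, ("xss_injection", (False, False)): 0.05,
    ("xss_risk", (True, True)): 0.95, ("xss_risk", (True, False)): 0.50,
    ("xss_risk", (False, True)): 0.10, ("xss_risk", (False, False)): 0.02,
})

def p_true(cpt, node, assignment):
    return cpt[(node, tuple(assignment[p] for p in PARENTS[node]))]

def forward_sample(cpt, rng):
    """Sample one complete world, node by node in topological order."""
    s = {}
    for node in ORDER:
        s[node] = rng.random() < p_true(cpt, node, s)
    return s

def rejection_sample(cpt, n, evidence, rng):
    """Rejection sampling: draw n worlds, keep only those consistent with evidence."""
    return [s for s in (forward_sample(cpt, rng) for _ in range(n))
            if all(s[k] == v for k, v in evidence.items())]

def learn_cpt(samples, alpha=1.0):
    """Parameter learning: maximum likelihood with alpha pseudo-counts (Laplace)."""
    counts = {}
    for s in samples:
        for node in ORDER:
            key = (node, tuple(s[p] for p in PARENTS[node]))
            t, tot = counts.get(key, (0, 0))
            counts[key] = (t + s[node], tot + 1)
    return {(node, pv): (counts.get((node, pv), (0, 0))[0] + alpha)
                        / (counts.get((node, pv), (0, 0))[1] + 2 * alpha)
            for node in ORDER
            for pv in product([True, False], repeat=len(PARENTS[node]))}

def joint(cpt, assignment):
    p = 1.0
    for node in ORDER:
        pt = p_true(cpt, node, assignment)
        p *= pt if assignment[node] else 1.0 - pt
    return p

def enumerate_query(cpt, target, evidence):
    """Exact P(target=True | evidence) by enumerating all 2^|nodes| worlds."""
    num = den = 0.0
    for values in product([True, False], repeat=len(ORDER)):
        a = dict(zip(ORDER, values))
        if all(a[k] == v for k, v in evidence.items()):
            p = joint(cpt, a)
            den += p
            num += p if a[target] else 0.0
    return num / den

def sampled_query(cpt, target, evidence, n, rng):
    """Approximate P(target=True | evidence) from accepted rejection samples."""
    kept = rejection_sample(cpt, n, evidence, rng)
    if not kept:
        raise RuntimeError("every sample rejected; evidence too improbable for n")
    return sum(s[target] for s in kept) / len(kept)

def weakest_links(cpt, evidence):
    """Posterior that each root weakness is present given evidence, highest first."""
    roots = [n for n in ORDER if not PARENTS[n]]
    return sorted(((n, enumerate_query(cpt, n, evidence)) for n in roots),
                  key=lambda kv: kv[1], reverse=True)

if __name__ == "__main__":
    rng = random.Random(7)
    learned = learn_cpt(rejection_sample(TRUE_CPT, 20000, {}, rng))  # synthetic data set
    print("P(xss_risk) =", round(enumerate_query(learned, "xss_risk", {}), 3))
    for node, post in weakest_links(learned, {"xss_risk": True}):
        print(f"{node:27s} P(present | XSS risk) = {post:.3f}")
```

With empty evidence the rejection sampler reduces to forward sampling, which is how the synthetic data set is produced; with evidence such as `{"xss_risk": True}` it discards inconsistent worlds, so the acceptance rate drops to P(evidence) and a rare observation needs a much larger `n` (the `RuntimeError` guards the case where nothing survives). `enumerate_query` gives the exact posterior for comparison and is only viable for small networks; `weakest_links` is the "find the weaknesses" step, ranking the STRIDE-labelled root nodes by their posterior given that XSS risk is present.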

Key words

cross-site scripting (XSS) / Bayesian network / STRIDE threat classification / ranked nodes / rejection sampling


Funding

National Natural Science Foundation of China (62276272)

Hunan Provincial Science and Technology Innovation Program, Huxiang Young Talents (2021RC3076)

Changsha Outstanding Innovative Youth Training Program (KQ2009009)

Year of publication: 2024

Journal: Journal of Command and Control

Indexed in: CSTPCD, CSCD, Peking University Core Journals (北大核心)
ISSN: 2096-0204
References: 18