| Graduate student: | 莊政諭 Chuang, Cheng-Yu |
|---|---|
| Thesis title: | 邏輯性取向方法之於網路安全分析 A Logic-oriented Approach to Network Security Analysis |
| Advisor: | 賴溪松 Laih, Chi-Sung |
| Degree: | Master |
| Department: | College of Electrical Engineering and Computer Science - Institute of Computer & Communication Engineering |
| Year of publication: | 2009 |
| Academic year of graduation: | 97 (ROC calendar) |
| Language: | English |
| Number of pages: | 61 |
| Chinese keywords: | 攻擊圖生成, 網路安全分析, 邏輯程式 (attack graph generation, network security analysis, logic programming) |
| English keywords: | attack graph generation, network security analysis, logic programming |
In the world of network security, system administrators are constantly locked in a struggle with malicious attackers. On one hand, attackers keep searching for new security vulnerabilities and use them to break into systems. On the other hand, system administrators rely on repeated vulnerability scanning and analysis to determine whether the systems they manage contain vulnerabilities, and to maintain overall system security. However, because this analysis is a complex task that takes a great deal of time to complete, administrators tend to be at a slight disadvantage. To address this, we attempt to build an automated analysis system based on a logic-oriented approach and present its results as attack graphs.
Although a good deal of related research already exists, its efficiency leaves room for improvement. Our system adopts the expert-system-like MulVAL[18] architecture and implements it as a logic program in the XSB[30] environment. In addition to the original reference architecture, we add an attack graph generation feature to help users interpret the system's output more easily.
In the realm of network security, system administrators are constantly combating malicious attackers. On one side of the battlefield, attackers rigorously attempt to discover vulnerabilities and exploit them to compromise system security. On the other side, administrators defend themselves with measures such as vulnerability scanning, in the hope of discovering and preventing potential attacks. However, administrators may seem to be losing the battle, because network security analysis is such a tedious and time-consuming task. In light of this, we propose a logic-oriented approach to network security analysis and present the outcome as an attack graph.
Even though there has been a long line of research in the field, previous approaches fall short in areas such as efficiency. After extensive survey and comparison, we adopt the expert-system-like MulVAL[18] framework. Our system is realized through logic programming in the XSB[30] environment, as the framework suggests. Moreover, we extend it with attack graph generation capability so that it better helps users comprehend the results.
[1] Michael Lyle Artz, “NetSPA: A Network Security Planning Architecture”, M.S. Thesis, Massachusetts Institute of Technology, Cambridge, MA, May 2002.
[2] Oleg Mikhail Sheyner, “Scenario Graphs and Attack Graphs”, Ph.D. Thesis, Carnegie Mellon University, p. 133, April 2004.
[3] Paul Ammann, Duminda Wijesekera, and Saket Kaushik, “Scalable, Graph-Based Network Vulnerability Analysis”, in Proceedings of the 9th ACM Conference on Computer and Communications Security, ACM Press, New York, NY, pp. 217-224, 2002.
[4] Frederic Cuppens and Alexandre Miège, “Alert Correlation in a Cooperative Intrusion Detection Framework”, in Proceedings of the 2002 IEEE Symposium on Security and Privacy (SP), IEEE Computer Society, Washington, DC, p. 202, May 12-15, 2002.
[5] Frederic Cuppens and Rodolphe Ortalo, “LAMBDA: A Language to Model a Database for Detection of Attacks”, in Proceedings of the Third International Workshop on Recent Advances in Intrusion Detection, pp. 197-216, October 2-4, 2000.
[6] Kyle Ingols, Richard Lippmann, and Keith Piwowarski, “Practical Attack Graph Generation for Network Defense”, in Computer Security Applications Conference, Miami Beach, Florida, pp. 121-130, December 11, 2006.
[7] Richard Lippmann and Kyle Ingols, “An Annotated Review of Past Papers on Attack Graphs”, Project Report PR-IA-1, MIT Lincoln Laboratory, March 31, 2005.
[8] Richard Lippmann, Kyle Ingols, Chris Scott, Keith Piwowarski, Kendra Kratkiewicz, and Mike Artz, “Evaluating and Strengthening Enterprise Network Security Using Attack Graphs”, Project Report PR-IA-2, MIT Lincoln Laboratory, August 12, 2005.
[9] Richard Lippmann, Kyle Ingols, Chris Scott, Keith Piwowarski, Kendra Kratkiewicz, Mike Artz, and Robert Cunningham, “Validating and Restoring Defense in Depth Using Attack Graphs”, in MILCOM 2006, Washington, DC, October 23, 2006.
[10] Steven Noel and Sushil Jajodia, “Managing Attack Graph Complexity Through Visual Hierarchical Aggregation”, in Proceedings of the 2004 ACM Workshop on Visualization and Data Mining for Computer Security, ACM Press, New York, NY, pp. 109-118, 2004.
[11] Steven Noel, Sushil Jajodia, Brian O’Berry, and Michael Jacobs, “Efficient Minimum-Cost Network Hardening via Exploit Dependency Graphs”, in Proceedings of the 19th Annual Computer Security Applications Conference, Las Vegas, Nevada, p. 86, 2003.
[12] Peng Ning and Dingbang Xu, “Learning Attack Strategies from Intrusion Alerts”, in Proceedings of the 10th ACM Conference on Computer and Communications Security (CCS ’03), Washington, DC, ACM, New York, NY, pp. 200-209, October 27-30, 2003.
[13] Xinming Ou, Wayne F. Boyer, and Miles A. McQueen, “A Scalable Approach to Attack Graph Generation”, in CCS ’06, ACM Press, New York, NY, pp. 336-345, 2006.
[14] Xinming Ou, Sudhakar Govindavajhala, and Andrew W. Appel, “MulVAL: A Logic-based Network Security Analyzer”, in Proceedings of the 14th USENIX Security Symposium, Baltimore, Maryland, pp. 113-128, August 2005.
[15] Cynthia Phillips and Laura Painton Swiler, “A Graph-based System for Network-vulnerability Analysis”, in Proceedings of the 1998 Workshop on New Security Paradigms, pp. 71-79, 1998.
[16] Ronald Ritchey and Paul Ammann, “Using Model Checking to Analyze Network Vulnerabilities”, in Proceedings of the 2000 IEEE Symposium on Security and Privacy, pp. 156-165, 2000.
[17] Ronald Ritchey, Brian O’Berry, and Steven Noel, “Representing TCP/IP Connectivity for Topological Analysis of Network Security”, in Proceedings of the 18th Annual Computer Security Applications Conference, Las Vegas, Nevada, 2002.
[18] Diptikalyan Saha, “Extending Logical Attack Graphs for Efficient Vulnerability Analysis”, in Proceedings of the 15th ACM Conference on Computer and Communications Security (CCS ’08), Alexandria, Virginia, ACM, New York, NY, pp. 63-74, October 27-31, 2008.
[19] Andrew Stewart, “A Contemporary Approach to Network Vulnerability Assessment”, Network Security, vol. 2005, no. 4, pp. 7-10, April 2005.
[20] Oleg Sheyner, Joshua Haines, Somesh Jha, Richard Lippmann, and Jeannette M. Wing, “Automated Generation and Analysis of Attack Graphs”, in Proceedings of the 2002 IEEE Symposium on Security and Privacy, Oakland, California, 2002.
[21] Steven J. Templeton and Karl Levitt, “A Requires/Provides Model for Computer Attacks”, in Proceedings of the 2000 Workshop on New Security Paradigms (NSPW ’00), Ballycotton, County Cork, Ireland, ACM, New York, NY, pp. 31-38, September 18-21, 2000.
[22] Sushil Jajodia, Steven Noel, and Brian O’Berry, “Topological Analysis of Network Attack Vulnerability”, in Managing Cyber Threats: Issues, Approaches and Challenges, Vipin Kumar, Jaideep Srivastava, and Aleksandar Lazarevic, Eds., Kluwer Academic Publishers, Dordrecht, Netherlands, 2003.
[23] Nessus, Tenable Network Security, http://www.tenablesecurity.com/nessus/
[24] NVD, National Vulnerability Database, http://nvd.nist.gov/
[25] OVAL Definition Search, http://oval.mitre.org/repository/data/AdvancedSearch.jsp
[26] OVAL Scanner, The MITRE Corporation, http://oval.mitre.org/oval/index.html
[27] SSA - Security System Analyzer, Security Database, http://www.security-database.com/ssa.php
[28] Purdue University, RASC: Confidentiality, Integrity and Availability (CIA), http://www.itap.purdue.edu/security/files/documents/RASCCIAv13.pdf
[29] US-CERT Vulnerability Notes Database, http://www.kb.cert.org/vuls
[30] XSB, a Logic Programming and Deductive Database System for Unix and Windows, http://xsb.sourceforge.net/