基于主机攻击图的攻击识别

doi:10.3969/j.issn.1007-2861.2013.03.011

上海大学学报(自然科学版) ›› 2013, Vol. 19 ›› Issue (3): 271-279.doi: 10.3969/j.issn.1007-2861.2013.03.011

基于主机攻击图的攻击识别

钱权, 朱伟, 赖岩岩, 张瑞

1. 上海大学计算机工程与科学学院, 上海 200072; 2. 中国科学院信息安全国家重点实验室, 北京 100190

收稿日期:2012-11-05 出版日期:2013-06-30 发布日期:2013-06-30
通讯作者: 钱权(1972—), 男, 副教授, 博士, 研究方向为计算网络、网络安全和协议分析与验证. E-mail:qqian@shu.edu.cn
基金资助:
上海市重点学科建设资助项目(J50103)

Host-Based Attack Graph for Attack Recognition

QIAN Quan, ZHU Wei, LAI Yan-yan, ZHANG Rui

1. School of Computer Engineering and Science, Shanghai University, Shanghai 200072, China; 2. State Key Laboratory of Information Security, Chinese Academy of Sciences, Beijing 100190, China

Received:2012-11-05 Online:2013-06-30 Published:2013-06-30

摘要/Abstract

摘要： 研究了一种基于主机攻击图的网络攻击识别方法, 其核心是定义一种SAGML 语言, 并利用该语言中的状态、行为和关系来描述攻击. 详细讨论了攻击图的状态结构和行为链结构, 以及基于XML 语言的攻击图构建和解析过程. 此外, 为了提高攻击图的匹配效率, 研究了攻击图的索引建立和匹配过程. 最后, 结合SYNFlood 和Peacomm 攻击示例, 介绍了该方法的应用过程.

关键词: 攻击图, 攻击图匹配, 攻击图索引

Abstract: This paper establishes a system of network attack recognition based on attack graph by defining a SAGML language, which uses three elements: state, behavior and relationship to describe an attack. State and behavior chain structure of the attack graph, and the construction and analysis of attack graph based on XML are discussed in detail. To improve efficiency of attack graph retrieval, the attack graph indexing and matching strategy are studied. Two typical attacks, SYNFlood and Peacomm, are used to show applications of the proposed method.

Key words: attack graph, attack graph indexing, attack graph matching

中图分类号:

TP 309

钱权, 朱伟, 赖岩岩, 张瑞. 基于主机攻击图的攻击识别[J]. 上海大学学报(自然科学版), 2013, 19(3): 271-279.

QIAN Quan, ZHU Wei, LAI Yan-yan, ZHANG Rui. Host-Based Attack Graph for Attack Recognition[J]. Journal of Shanghai University（Natural Science Edition）, 2013, 19(3): 271-279.

参考文献

[1] Phillips C, Swiler L P. A graph-based system for network-vulnerability analysis [C]// Proceeding of the Workshop on New Security Paradigms. 1998: 71-79.

[2] Sheyner O M. Scenario graphs and attack graphs [D]. Pittsburgh: Carnegie Mellon University, 2004.

[3] Ritchey R W, Ammann P. Using model checking to analyze network vulnerabilities [C]// Proceedings of the 2000 IEEE Symposium on Security and Privacy. 2000: 156-165.

[4] Roschke S, Cheng F, Meinel C. A new alert correlation algorithm based on attack graph [C]// Proceedings of the 4th International Conference on Computational Intelligence in Security for Information Systems (CISIS’11). 2011: 58-67.

[5] 顾婷. 基于攻击图的网络安全评估[D]. 武汉: 华中师范大学, 2010.

[6] Eckmann S T, Vigna G, Kemmerer R A. STATL: an attack language for state-based intrusion detection [J]. Journal of Computer Security, 2002, 10(1/2): 71-103.

[7] 徐立. 基于攻击图模型的网络安全分析方法研究[D]. 上海: 上海交通大学, 2010.

[8] Roschke S, Cheng F, Meinel C. Using vulnerability information and attack graphs for intrusion detection [C]// 2010 6th International Conference on Information Assurance and Security. 2010: 68-73.

[9] 姚兰, 王新梅, 何金勇, 等. 基于攻击描述语言的IDS基准测试技术研究[J]. 计算机工程与应用, 2005, 41(33): 1-4.

[10] Yilmaz E. Survey of intrusion detection and attack description languages based on monitoring program behavior [EB/OL]. [2013-03-01]. http:// ww2.cs.fsu.edu/ yilmaz/ AreaExam/ Area-Exam.ppt.

[11] Eckmann S T, Vigna G, Kemmerer R A. STATL definition [D]. Santa Barbara: University of California Santa Barbara, 2001.

[12] 薄建业. 基于攻击模式的攻击图生成技术研究[D]. 武汉: 国防科技大学, 2009.

[13] Porras P, Sa¨?di H, Yegneswaran V. A multiperspective analysis of the storm (peacomm) worm [EB/OL]. [2013-01-02]. http://www.cyber-ta.og/pubs/StormWorm.

[14] Steggink M, Idziejczak I. Detection of peer-to-peer botnets [EB/OL]. [2013-02-05]. http://staff.science.uva.nl/delaat/rp/2007-2008/p22/report.pdf.

基于主机攻击图的攻击识别

Host-Based Attack Graph for Attack Recognition

PDF

可视化

摘要/Abstract

引用本文

使用本文

参考文献

相关文章 3

编辑推荐

Metrics

本文评价

[1]	王莉1,2, 王卿文1. 基于投影矩阵秘密分享方案的安全性注记[J]. 上海大学学报(自然科学版), 2013, 19(3): 298-302.
[2]	钱权, 王天宏, 黄国锐, 张瑞. 分布式安全存储中基于共享组的周期性密钥更新[J]. 上海大学学报(自然科学版), 2013, 19(1): 39-43.
[3]	应昊明，王朔中，冯国瑞. 引入视觉掩蔽模型的广义乘性水印[J]. 上海大学学报(自然科学版), 2012, 18(2): 111-116.