Similar literature
20 similar documents found (search time: 27 ms)
1.
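Intelligent detection of network security vulnerabilities relies on large amounts of real data for analysis, and the presence of redundant and anomalous data lowers detection accuracy. To keep network systems running stably, a design study of an intelligent network security vulnerability detection system based on knowledge graphs is proposed. The network security vulnerability detector is designed from three aspects (structure, logical model, and operating mode), which constitutes the hardware design of the system. In the software design, a web crawler collects security vulnerability data, redundant and anomalous data are removed, vulnerability entities are identified from attribute information, and the relationships among vulnerability attribute information are obtained; on this basis, the representation of the security vulnerability knowledge graph is defined and its structure designed, so that the knowledge graph can be constructed and visualized. Based on the above design results, the overall architecture for intelligent detection is built and the specific detection process is formulated, yielding the final detection results. Experimental results show that, under different experimental working conditions, after the designed system is applied the minimum missed-detection rate is 1.23%, the maximum F1 value is 9.50, and the minimum detection response time is 1 ms, confirming that the designed system has better vulnerability detection performance.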

2.
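Backbone network devices, as critical infrastructure, have long been a focus of network attack and defense. At the same time, because they are closed and complex information systems, publicly available research material on their vulnerabilities is relatively scarce and many vulnerability details are missing. Patch diffing is an effective means of vulnerability analysis, but unpacked firmware of backbone network devices usually contains a monolithic executable. Such files have a large number of functions, a large file size, and no debug symbol information; diffing patches directly produces a large number of false-positive differences that must be confirmed, and heuristic algorithms may wrongly match two unrelated functions, causing the correct security patch to be missed (false negatives). Traditional patch-diffing methods cannot effectively solve patch analysis for such files, which makes analyzing vulnerability details challenging. This paper proposes MDiff, a method for locating known vulnerabilities in monolithic executables. It partitions the target using the subsystem concept in vulnerability advisory descriptions together with the internal module structure of the target binary and, on top of locality-based binary diffing, uses a semantic similarity measure to filter and rank the diffing results. Specifically, MDiff first uses entry functions and the principle of locality to identify the vulnerable network protocol service code; this is the coarse-grained localization stage. Next, for the functions that differ within the identified vulnerable network protocol service code module, it performs combined dynamic and static semantic analysis, including security patch identification based on extended local traces and security patch ranking based on code metrics; this is the fine-grained localization stage. Based on this two-stage vulnerability localization method, we implemented a prototype system and ran experiments on 15 disclosed vulnerabilities in devices from 4 vendors. The experimental results show that the proposed method improves the efficiency of patch analysis for network devices and helps researchers uncover the details of known vulnerabilities.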

3.
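The Unified Extensible Firmware Interface (UEFI), the new-generation firmware interface standard, is widely used in modern computer systems, but its vulnerabilities can cause serious security threats. To reduce the security problems caused by UEFI vulnerabilities, vulnerability detection is needed, and fuzzing in third-party security testing scenarios is the main means of detection. However, the lack of symbol information hurts testing efficiency. This paper proposes a heuristic UEFI reverse-analysis method that recovers symbol information in firmware, improves fuzzing, and is implemented in a prototype system, ReUEFuzzer. Tests on 525 EFI files from 4 vendors demonstrate the effectiveness of the reverse-analysis method. ReUEFuzzer improves function test coverage and found one zero-day vulnerability during testing, which has been reported to the China National Vulnerability Database (CNVD) and to Common Vulnerabilities and Exposures (CVE). Experiments show that the method is effective for UEFI vulnerability detection and can provide a degree of assurance for UEFI security.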

4.
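Attackers carry out network attacks by means such as viruses and exploiting vulnerabilities; in essence this is a process in which the attacker's privileges keep expanding, causing the system state to change. In view of this characteristic, this paper extends the original T-G model and de jure rewriting rules, adding descriptions of the privileges, connection relationships, and node attributes between nodes in the attack graph, together with vulnerability rewriting rules, to form the DTGSA model. Modeling and experiments on real vulnerabilities show that the model describes attack characteristics well and can help network administrators predict possible attacks and then take corresponding security measures.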

5.
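Design, Implementation and Application of a Computer Vulnerability Database System   Total citations: 6, self-citations: 1, citations by others: 6
How to discover, patch, and exploit computer vulnerabilities is one of the central problems in network attack and defense research. This paper first analyzes and surveys the state of research in China and abroad, then describes how to design and implement a computer vulnerability database system. It proposes using CORBA distributed object technology to define and implement an application access interface for vulnerability database information, and uses an event model to automatically push vulnerability patches or countermeasures between trusted computers, achieving dynamic system vulnerability analysis and response.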

6.
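A Vulnerability Remediation Model Combining Benefit and Cost   Total citations: 1, self-citations: 1, citations by others: 0
Vulnerability remediation is an important way to strengthen network security, and selectively remediating vulnerabilities in a network is of practical significance. A vulnerability remediation model combining benefit and cost, BCVRM, is proposed. The remediation benefit evaluation algorithm is based on a simplified attack graph generation algorithm; it compares the improvement in the security state of the network as a whole and of each relevant host type before and after remediation, and gives the total benefit of remediation. The remediation cost scoring system is based on the CVSS description of vulnerability attribute information; it gives scoring rules for the remediation cost of a single vulnerability and then combines the type of host the vulnerability belongs to and the distribution of vulnerabilities to give the network's remediation cost. Analysis of an example network shows that the model can provide network administrators with a practical network vulnerability remediation strategy.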

7.
Vulnerabilities are extremely important for network security. IT management must identify and assess vulnerabilities across many disparate hardware and software platforms to prioritize these vulnerabilities and remediate those that pose the greatest risk. The focus of our research is the comparative analysis of existing vulnerability rating systems, so as to discover their respective advantages and propose a compatible rating framework to unify them. We compile statistics on the vulnerabilities in three well-known vulnerability databases (IBM ISS X-Force, Vupen Security and the National Vulnerability Database) and analyze the distribution of vulnerabilities to expose the differences among different vulnerability rating systems. The statistical results show that the distributions of vulnerabilities are not very consistent with the normal distribution. Taking into account all kinds of existing vulnerability rating systems, we propose VRSS for qualitative rating and quantitative scoring of vulnerabilities, which can combine the respective advantages of all kinds of vulnerability rating systems. An experimental study of 33,654 vulnerabilities demonstrates that VRSS works well.

8.
Many security problems are caused by vulnerabilities hidden in enterprise computer networks. It is very important for system administrators to have knowledge about the security vulnerabilities. However, current vulnerability assessment methods may encounter the issues of high false positive rates, long computational time, and requirement of developing attack codes. Moreover, they are only capable of locating individual vulnerabilities on a single host without considering correlated effect of these vulnerabilities on a host or a section of network with the vulnerabilities possibly distributed among different hosts. To address these issues, an active vulnerability assessment system NetScope with C/S architecture is developed for evaluating computer network security based on open vulnerability assessment language instead of simulating attacks. The vulnerabilities and known attacks with their prerequisites and consequences are modeled based on predicate logic theory and are correlated so as to automatically construct potential attack paths with strong operation power of relational database management system. The testing results from a series of experiments show that this system has the advantages of a low false positive rate, short running periods, and little impact on the performance of audited systems and good scalability. The security vulnerabilities, undetectable if assessed individually in a network, are discovered without the need to simulate attacks. It is shown that the NetScope system is well suited for vulnerability assessment of large-scale computer networks such as campus networks and enterprise networks. Moreover, it can also be easily integrated with other security tools based on relational databases.
Xiaohong Guan

9.
Context: Passive testing is a technique in which traces collected from the execution of a system under test are examined for evidence of flaws in the system.
Objective: In this paper we present a method for detecting the presence of security vulnerabilities by detecting evidence of their causes in execution traces. This is a new approach to security vulnerability detection.
Method: Our method uses formal models of vulnerability causes, known as security goal models and vulnerability detection conditions (VDCs). The former are used to identify the causes of vulnerabilities and model their dependencies, and the latter to give a formal interpretation that is suitable for vulnerability detection using passive testing techniques. We have implemented modeling tools for security goal models and vulnerability detection conditions, as well as TestInv-Code, a tool that checks execution traces of compiled programs for evidence of VDCs.
Results: We present the full definitions of security goal models and vulnerability detection conditions, as well as structured methods for creating both. We describe the design and implementation of TestInv-Code. Finally we show results obtained from running TestInv-Code to detect typical vulnerabilities in several open source projects. By testing versions with known vulnerabilities, we can quantify the effectiveness of the approach.
Conclusion: Although the current implementation has some limitations, passive testing for vulnerability detection works well, and using models as the basis for testing ensures that users of the testing tool can easily extend it to handle new vulnerabilities.

10.
ABSTRACT

The number of vulnerabilities discovered and reported during the recent decades is enormous, making an improved ranking and prioritization of vulnerabilities’ severity a major issue for information technology (IT) management. Although several methodologies for ranking and scoring vulnerabilities have been proposed, the Common Vulnerability Scoring System (CVSS) is the open standard with wide acceptance from the information security community. Recently, the Weighted Impact Vulnerability Scoring System (WIVSS) has been proposed as an alternative scoring methodology, which assigns different weights to impact factors of vulnerability in order to achieve higher diversity of values and thus improvement in flexibility of ranking in comparison to CVSS. The purpose of this paper is to expand the idea of WIVSS by defining the sets of weights which provide higher diversity of values. For this reason, an algorithm that finds all the possible combinations of optimal weights within a specified range and under certain constraints is presented. The algorithm results in 14 different combinations of impact weights that are applied to a sample of 20,496 vulnerabilities and statistically analyzed for associations among impact factors. The results suggest that one specific combination of impact weights can achieve highest diversity of values.

11.
Context: Memory safety errors such as buffer overflow vulnerabilities are one of the most serious classes of security threats. Detecting and removing such security errors are important tasks of software testing for improving the quality and reliability of software in practice.
Objective: This paper presents a goal-oriented testing approach for effectively and efficiently exploring security vulnerability errors. A goal is a potential safety violation and the testing approach is to automatically generate test inputs to uncover the violation.
Method: We use type inference analysis to diagnose potential safety violations and dynamic symbolic execution to perform test input generation. A major challenge facing dynamic symbolic execution in such application is the combinatorial explosion of the path space. To address this fundamental scalability issue, we employ data dependence analysis to identify a root cause leading to the execution of the goal and propose a path exploration algorithm to guide dynamic symbolic execution for effectively discovering the goal.
Results: To evaluate the effectiveness of our proposed approach, we conducted experiments against 23 buffer overflow vulnerabilities. We observed a significant improvement of our proposed algorithm over two widely adopted search algorithms. Specifically, our algorithm discovered security vulnerability errors within a matter of a few seconds, whereas the two baseline algorithms failed even after 30 min of testing on a number of test subjects.
Conclusion: The experimental results highlight the potential of utilizing data dependence analysis to address the combinatorial path space explosion issue faced by dynamic symbolic execution for effective security testing.

12.
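Security vulnerabilities in Web software emerge endlessly and attack techniques change constantly. To analyze existing Web control vulnerability detection methods, an improved Web control vulnerability detection model based on the Fuzzing testing method is proposed. The system is designed and implemented as five functional modules, combines static and dynamic analysis techniques to detect vulnerabilities in the Web ActiveX control model, and gives "heuristic rules" to optimize the test data generation engine. Test results on examples show that the Fuzzing test model for Web control vulnerabilities is effective and feasible, and that it handles interactivity issues properly.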

13.
We begin by describing the system Fortify uses for ranking vulnerabilities and our method for assigning a program an overall score. We then consider another popular vulnerability ranking system (CVSS) and explain why it is less useful for ranking static analysis results. We use the second half of the paper to explain the motivation and method behind our ranking system.

14.
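Most current vulnerability scanners and intrusion detection systems can only detect and report isolated vulnerabilities and attacks. The real threat in a network, however, comes from highly skilled hackers who combine various attack techniques to get around security policies and gain privileges step by step. Such multi-step attacks can penetrate networks that appear to be tightly defended. Attack graphs are an important tool for analyzing network security vulnerabilities; they can be used to correlate alerts, hypothesize missed alerts, and predict the next alerts, which is key to helping system administrators understand the nature of the threat and take appropriate countermeasures. This paper proposes an attack-graph-based method for correlating and predicting multi-step network intrusions; the method performs well in a real network environment.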

15.
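Chen Xiao, Xiao Fu, Sha Letian, Wang Zhong, Di Weihe. Journal of Software (软件学报), 2023, 34(12): 5552-5577
The advent of the dynamic link library (DLL) has brought great convenience to developers and improved the interaction between the operating system and applications. However, the security risks of DLLs themselves cannot be ignored, and how to effectively discover DLL hijacking vulnerabilities that arise while installers run on the Windows platform is one of the key problems in securing the Windows operating system today. Attribute features of a large number of installers are collected and extracted; from three perspectives (the installer, the pattern in which the installer calls DLLs, and the DLL file itself), a two-layer BiLSTM (bi-directional long short-term memory) neural network is used for learning, extracting multi-dimensional features of the vulnerability dataset and discovering unknown DLL hijacking vulnerabilities. The experiments effectively detect DLL hijacking vulnerabilities in installers on the Windows platform; 10 unknown vulnerabilities were discovered and were granted CNVD vulnerability authorization. Comparison with other vulnerability analysis tools further verifies the effectiveness and completeness of the method.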

16.
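With rapid economic development, the information age is becoming increasingly global. As networks spread in serving the public, however, network security has increasingly become a focus of attention, and damage to and leakage from network systems have become major problems troubling users. Preventing network security vulnerabilities is currently one of the hot topics in network security research. Considering the security vulnerabilities present in computer networks, this article discusses countermeasures for computer network security from four aspects: access control, vulnerability scanning, firewall installation, and virus prevention. It gives a brief analysis of network security vulnerabilities using literature review, surveys, and other methods.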

17.
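Jiao Wanni, Wu Kaigui. Computer Science (计算机科学), 2011, 38(10): 117-120
Network security vulnerability analysis for military-industrial digital manufacturing suffers from problems such as vulnerability information being hard to obtain and analysis and verification being time-consuming and imprecise. Traditional enterprise information security vulnerability analysis and test verification techniques cannot fully solve these problems, so a technology platform for vulnerability analysis, verification, testing, and patching based on a multi-core architecture is proposed. It combines vulnerability detection and analysis, heuristic vulnerability penetration testing, and dynamic temporary patch generation and installation with a software architecture based on multi-core processors, to achieve vulnerability analysis...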

18.
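A Policy-Driven Network Security Assessment System Based on a Relational Database   Total citations: 1, self-citations: 0, citations by others: 1
Based on a summary of the characteristics of network security vulnerabilities, a policy-driven vulnerability detection method based on a relational database is proposed. It improves the efficiency of the network security assessment system, increases the accuracy of vulnerability detection, and greatly improves the system's overall analysis capability. The paper describes the principle and implementation of the method and analyzes its performance.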

19.
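Shen Weijun, Tang Enyi, Chen Zhenyu, Chen Xin, Li Bin, Zhai Juan. Journal of Software (软件学报), 2018, 29(5): 1230-1243
Security vulnerability detection is an important means of ensuring software security. With the development of the Internet, hackers' attack methods are increasingly diverse and attack techniques are constantly renewed, posing new threats to software security. This paper describes a new type of latent security vulnerability that actually exists in current software, which we call a numerical-stability-related security vulnerability. Because hackers can use this kind of vulnerability to bypass existing protections, and existing numerical stability analysis methods can hardly detect it, this new type of latent vulnerability is very dangerous. To meet this challenge, the paper first defines numerical-stability-related security vulnerabilities from the perspective of changes in software behavior caused by numerical stability, and gives a corresponding automated detection method. The method is based on combined dynamic and static program analysis and symbolic execution; it detects and analyzes possible numerical-stability-related security vulnerabilities in software through three steps: extraction of symbolic expressions for numerical variables, static analysis of the attack flow, and high-precision dynamic attack verification. We carried out case studies on several well-known open-source software projects, and the experimental results show that the method can effectively detect numerical-stability-related latent vulnerabilities that really exist in actual software.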

20.
Objective Risk Evaluation for Automated Security Management   Total citations: 1, self-citations: 0, citations by others: 1
Network security depends on a number of factors, and a common characteristic of these factors is that they are dynamic in nature. Such factors include new vulnerabilities and threats, the network policy structure and traffic. These factors can be divided into two broad categories: network risk and service risk. As the name implies, the former corresponds to risk associated with the network policy, whereas the latter depends on the services and software running on the system. Therefore, evaluating security from both the service and policy perspective can allow the management system to make decisions regarding how a system should be changed to enhance security as per the management objective. Such decision making includes choosing between alternative security architectures, designing security countermeasures, and systematically modifying security configurations to improve security. As there may be real time changes to the network threat, this evaluation must be done dynamically to handle such changes. In this paper, we provide a security metric framework that quantifies objectively the most significant security risk factors, which include existing vulnerabilities, historical trend of vulnerabilities of the remotely accessible services, prediction of potential vulnerabilities for these services and their estimated severity, unused address space and finally propagation of an attack within the network. These factors cover both the service aspect and the network aspect of risk toward a system. We have implemented this framework as a user-friendly tool called Risk based prOactive seCurity cOnfiguration maNAger (ROCONA) and showed how this tool simplifies security configuration management of services and policies in a system using risk measurement and mitigation. We also combine all the components into one single metric and present validation experiments using real-life vulnerability data from National Vulnerability Database (NVD) and show comparison with two existing risk measurement tools.
