基于依赖关系图和通用漏洞评分系统的网络安全度量

管理人员通常使用一些网络安全指标作为度量网络安全的重要依据。通用漏洞评分系统(CVSS)是目前人们普遍认同的网络度量方式之一。针对现有的基于CVSS的网络安全度量无法精确测量网络受到攻击的概率和影响两方面得分的问题,提出一种基于依赖关系图和CVSS的改进基础度量算法。首先发掘攻击图中漏洞节点的依赖关系,构建依赖关系图;然后根据依赖关系修改CVSS中漏洞的基础度量算法;最后聚合整个攻击图中的漏洞得分,得到网络受到攻击的概率及影响两方面的得分。采用模拟攻击者进行仿真实验,结果表明,该算法在算法精确度和可信度方面明显优于汇总CVSS分数算法,更加接近实际仿真结果。

Network security measurment based on dependency relationship graph and common vulnerability scoring system

Administrators usually take some network security metrics as important bases to measure network security. Common Vulnerability Scoring System (CVSS) is one of the generally accepted network measurement method. Aiming at the problem that the existing network security measurement based on CVSS could not accurately measure the probability and the impact of network attack at the same time, an improved base metric algorithm based on dependency relationship graph and CVSS was proposed. Firstly, the dependency relationship of the vulnerability nodes in an attack graph was explored to build the dependency relationship graph. Then, the base metric algorithm of the vulnerability in CVSS was modified according to the dependency relationship. Finally, the vulnerability scores in the whole attack graph were aggregated to obtain the probability and the impact of network attack. The results of simulation with simulated attacker show that the proposed algorithm is superior to the algorithm of aggregating CVSS scores in terms of accuracy and credibility, and can get measurement results closer to the actual simulation results.