Research on Technologies for Network Vulnerability Assessment
| School | National University of Defense Science and Technology |
| Course | Computer Science and Technology |
| Keywords | Network Vulnerability Assessment; Network Vulnerability Analysis; Attack Graph; Vulnerability Discovery Prediction; Zero-day Vulnerability |
Network vulnerability is one of the main threats that today's enterprises and ordinary users face. Although vast achievements have been made in the area of network vulnerability assessment, many problems remain to be solved because of the rapid development of network attack technology and the urgent need for a higher level of network security. Newly emerging attacks such as zero-day vulnerability attacks place new demands on network vulnerability assessment. In this context, this paper studies network vulnerability risk assessment technology from the viewpoints of both the temporal and the spatial distribution of vulnerabilities, and designs and implements a prototype system for network vulnerability assessment. The main contributions and innovations of this paper are as follows.

(1) A new method of generating attack graphs based on a greedy strategy is proposed. It effectively reduces the number of vulnerabilities to consider by service-level vulnerability fusion, and then generates the attack graph from the attack routes that allow an attacker to gain privileges on network nodes with the greatest probability. Algorithm analysis and experimental results show that the time cost is polynomial in the number of network nodes and edges, so the method effectively avoids the state explosion problem. The attack graph generated by this method covers every network node reachable by the attacker, so it can be used to analyze vulnerabilities with respect to multiple targets.

(2) A new method of predicting the number and severity of vulnerabilities in a near-future time interval using a Back Propagation Neural Network model is proposed. Experiments show that the predicted results fit the actual data well. The method can therefore help a network administrator predict the future trend of vulnerabilities and take precautions against probable network attacks.

(3) A network vulnerability risk assessment scheme based on speculation is developed. It first divides network vulnerability risk into two classes: current vulnerability risk, caused by already detected vulnerabilities, and probable vulnerability risk, brought about by speculated (not yet detected) ones. The former risk is obtained by analyzing the already detected vulnerabilities with the attack graph, and the latter is assessed through vulnerability detection and prediction techniques. Experimental results show that the proposed method has high prediction accuracy and helps the network administrator make an optimized security strategy.

(4) A prototype system for network vulnerability assessment is designed and implemented. The system, with a modular structural design and an implementation based on the RCP framework, has good extensibility and strong interface presentation capability.

The vulnerability information used in some experiments in this thesis comes from the National Vulnerability Database (NVD), which is supported by the National Institute of Science and Technology (NIST).
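As an added illustration of contribution (1), the following Python code (not the thesis's own implementation) shows the two ideas in miniature: service-level fusion collapses all vulnerabilities on one service into a single edge weighted by the highest exploit success probability, and a greedy, best-first expansion from the attacker's starting position always takes the route with the greatest compromise probability next. The host, service and probability values are constructed sample data, not results from the thesis.

```python
import heapq

# Constructed sample network: host -> service -> exploit success probability of
# each vulnerability found on that service (illustrative values only).
HOSTS = {
    "web":   {"http": [0.3, 0.8], "ssh": [0.2]},
    "app":   {"rpc": [0.6, 0.5]},
    "db":    {"sql": [0.7]},
    "files": {"smb": []},          # service present, no known vulnerability
}
# Constructed reachability: from a host the attacker already controls, which
# (host, service) pairs can be contacted. "attacker" is the external start node.
REACH = {
    "attacker": [("web", "http"), ("web", "ssh")],
    "web": [("app", "rpc")],
    "app": [("db", "sql"), ("files", "smb")],
    "db": [],
    "files": [],
}

def fuse_services(hosts):
    """Service-level fusion: one edge per vulnerable service, weighted by the
    highest single-exploit probability; services with no vulnerabilities yield
    no edge, which is what shrinks the graph before generation."""
    return {(host, svc): max(probs)
            for host, services in hosts.items()
            for svc, probs in services.items() if probs}

def greedy_attack_graph(hosts, reach, start="attacker"):
    """Best-first (greedy) expansion: always attach the reachable host with the
    highest path probability next. Each host enters the graph once, so the run
    time is O((V + E) log E) rather than exponential in the number of states.
    Returns: compromised host -> (parent host, service used, path probability)."""
    fused = fuse_services(hosts)
    graph = {start: (None, None, 1.0)}
    frontier = []                      # heap of (-path_prob, host, parent, svc)
    def push_edges(parent):
        p_parent = graph[parent][2]
        for host, svc in reach.get(parent, []):
            if host not in graph and (host, svc) in fused:
                heapq.heappush(frontier, (-p_parent * fused[(host, svc)], host, parent, svc))
    push_edges(start)
    while frontier:
        neg_p, host, parent, svc = heapq.heappop(frontier)
        if host in graph:              # already compromised via a better route
            continue
        graph[host] = (parent, svc, -neg_p)
        push_edges(host)
    return graph
```

On the sample data the graph reaches `web` (via http, 0.8), `app` (via rpc, 0.48) and `db` (via sql, 0.336); `files` is reachable but has no exploitable service, so it never enters the graph.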