National Digital Library of Theses and Dissertations in Taiwan (臺灣博碩士論文加值系統)
Detailed record
Author: Cheng-Yu Chuang (莊政諭)
Title: A Logic-oriented Approach to Network Security Analysis (邏輯性取向方法之於網路安全分析)
Advisor: Chi-Sung Laih (賴溪松)
Degree: Master's
Institution: National Cheng Kung University (國立成功大學)
Department: Institute of Computer and Communication Engineering (電腦與通信工程研究所)
Discipline: Engineering
Field: Electrical and Computer Engineering
Document type: Academic thesis
Year of publication: 2009
Academic year of graduation: 97 (ROC academic year, 2008/2009)
Language: English
Pages: 61
Keywords (Chinese): 攻擊圖生成; 網路安全分析; 邏輯程式
Keywords (English): attack graph generation; network security analysis; logic programming
Abstract:
In the realm of network security, system administrators are constantly combating malicious attackers. On one side of the battlefield, attackers search for new vulnerabilities and exploit them to compromise systems. On the other side, administrators defend themselves with measures such as repeated vulnerability scanning, in the hope of discovering weaknesses in the systems they manage and preventing potential attacks. Because network security analysis is a tedious and time-consuming task, however, administrators tend to be on the losing side. In light of that, we propose a logic-oriented approach to network security analysis, built as an automated analysis system whose output is presented as an attack graph.

Although there is a long line of prior research in this field, previous approaches fall short in areas such as efficiency. After surveying and comparing them, we adopt the expert-system-like MulVAL [14] framework. As the framework suggests, our system is realized as a logic program running under the XSB [30] environment. Beyond the reference architecture, we further extend the system with attack graph generation so that users can interpret its output more easily.
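The approach the abstract describes, a Datalog-style analysis whose derivations double as the attack graph, shown as an added example in Python rather than in XSB Datalog. This is not code from the thesis, from MulVAL or from XSB. The predicate names (hacl, networkServiceInfo, vulExists, attackerLocated, netAccess, execCode) and the three rules follow MulVAL's published interaction rules; the forward-chaining evaluator, the two-host sample network, and the placeholder vulnerability IDs vulnA and vulnB are constructed for this example and stand in for what a real deployment would load from a scanner such as OVAL [26] or Nessus [23] and from the network's ACLs. Because the rules are monotonic (a capability once gained is never lost, the assumption discussed under "Model Checking and Monotonicity"), the closure is finite, and recording every rule firing as an AND node yields the logical attack graph as a by-product of the analysis instead of a separate state-space search.

```python
# Toy MulVAL-style attack-graph generator (added example; not thesis or MulVAL code). Predicate
# names and rules follow MulVAL's published ones; evaluator, network and vuln IDs are constructed.

FACTS = [  # constructed sample network (what an ACL export and a scanner would feed in)
    ("attackerLocated", "internet"),
    ("hacl", "internet", "webServer", "tcp", 80),  # host access control list entries
    ("hacl", "webServer", "fileServer", "tcp", 2049),
    ("networkServiceInfo", "webServer", "httpd", "tcp", 80, "apache"),
    ("networkServiceInfo", "fileServer", "nfsd", "tcp", 2049, "root"),
    ("vulExists", "webServer", "vulnA", "httpd", "remoteExploit", "privEscalation"),
    ("vulExists", "fileServer", "vulnB", "nfsd", "remoteExploit", "privEscalation"),
]
RULES = [  # (name, head atom, body atoms); capitalised names are variables, "_" a wildcard
    ("direct network access", ("netAccess", "H", "Proto", "Port"),
     [("attackerLocated", "Zone"), ("hacl", "Zone", "H", "Proto", "Port")]),
    ("multi-hop access", ("netAccess", "H", "Proto", "Port"),
     [("execCode", "H0", "_"), ("hacl", "H0", "H", "Proto", "Port")]),
    ("remote exploit of a server program", ("execCode", "H", "User"),
     [("vulExists", "H", "_", "Prog", "remoteExploit", "privEscalation"),
      ("networkServiceInfo", "H", "Prog", "Proto", "Port", "User"),
      ("netAccess", "H", "Proto", "Port")]),
]

def is_var(term):
    return isinstance(term, str) and term[:1].isupper()

def unify(pattern, fact, env):
    """Return env extended so that pattern matches fact, or None on mismatch."""
    if len(pattern) != len(fact):
        return None
    env = dict(env)
    for p, f in zip(pattern, fact):
        if is_var(p):
            if env.setdefault(p, f) != f:
                return None
        elif p != "_" and p != f:
            return None
    return env

def subst(atom, env):
    return tuple(env.get(t, t) if is_var(t) else t for t in atom)

def matches(body, facts, env, used=()):
    """Backtracking join over the body atoms; yields (bindings, facts used)."""
    if not body:
        yield env, used
        return
    for fact in facts:
        e = unify(body[0], fact, env)
        if e is not None:
            yield from matches(body[1:], facts, e, used + (fact,))

def derive(facts, rules):
    """Forward-chain to a fixpoint (monotonic rules: a capability once gained is never
    lost, so the closure is finite). Every firing is kept as (head, rule name, body facts)."""
    known, edges, changed = set(facts), [], True
    while changed:
        changed = False
        for name, head_pat, body in rules:
            for env, used in matches(body, sorted(known, key=str), {}):
                head = subst(head_pat, env)
                if (head, name, used) not in edges:
                    edges.append((head, name, used))
                if head not in known:
                    known.add(head)
                    changed = True
    return known, edges

def attack_graph(goal, edges):
    """Backward slice: keep only the derivations that contribute to goal."""
    seen, keep, stack = set(), [], [goal]
    while stack:
        fact = stack.pop()
        if fact in seen:
            continue
        seen.add(fact)
        for head, rule, used in edges:
            if head == fact:
                keep.append((head, rule, used))
                stack.extend(used)
    return keep

def fmt(fact):
    return f"{fact[0]}({', '.join(map(str, fact[1:]))})"

def to_dot(slice_edges, primitive):
    """DOT text: boxes = input facts, diamonds = derived facts, ellipses = rule (AND) nodes."""
    out = ["digraph attack_graph {"]
    nodes = {f for head, _, used in slice_edges for f in (head,) + used}
    for f in sorted(nodes, key=str):
        out.append(f'  "{fmt(f)}" [shape={"box" if f in primitive else "diamond"}];')
    for i, (head, rule, used) in enumerate(slice_edges):
        out.append(f'  r{i} [shape=ellipse, label="{rule}"];')
        out.append(f'  r{i} -> "{fmt(head)}";')
        out.extend(f'  "{fmt(u)}" -> r{i};' for u in used)
    return "\n".join(out + ["}"])

if __name__ == "__main__":
    goal = ("execCode", "fileServer", "root")
    print(to_dot(attack_graph(goal, derive(FACTS, RULES)[1]), set(FACTS)))
```

Running the script prints the DOT text for the goal execCode(fileServer, root), which `dot -Tpng` renders as a two-hop graph: the attacker reaches httpd on the web server from the internet, exploits vulnA to run code as apache, uses that foothold to reach nfsd on the file server, and exploits vulnB as root. The same machinery gives the hardening check the thesis's "minimum-cost hardening" references discuss: re-running derive on FACTS with the hacl entry from webServer to fileServer removed leaves the goal underivable, because that ACL entry is the only path to netAccess on port 2049.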
Table of contents:
Acknowledgements
List of Tables
List of Figures
Chapter 1 Introduction
  1.1 Vulnerabilities and Network Attacks
  1.2 Vulnerability Scan and Network Security Assessment
  1.3 Motivations and Contributions
  1.4 Thesis Organization
Chapter 2 Related Work
  2.1 Attack Graphs and Network Security Analysis
  2.2 Model Checking and Monotonicity
  2.3 Past Research on Attack Graphs
  2.4 Problems and Limitations of Past Work
    2.4.1 Scalability to Large Networks
    2.4.2 Computing Reachability
    2.4.3 Complex Output Attack Graphs
  2.5 MulVAL: A Logic-based Network Security Analyzer
Chapter 3 Background
  3.1 Knowledge Systems and Expert Systems
  3.2 Prolog, Datalog, and XSB
  3.3 Vulnerability Specification and the OVAL Language
  3.4 GraphViz and the DOT Language
Chapter 4 System Methodology and Design
  4.1 Network Security and Management
  4.2 How a Network Attack Is Conducted
  4.3 Using Datalog under XSB
  4.4 Analysis Algorithm
  4.5 Attack Graph Generation
Chapter 5 System Implementation
  5.1 System Design
  5.2 Terminology
  5.3 Host Vulnerability
  5.4 Network ACL
  5.5 Host Configuration
  5.6 Reasoning Rules
    5.6.1 Exploit Rules
    5.6.2 Trojan-horse Attack Rules
    5.6.3 NFS-related Exploit Rules
    5.6.4 User Credential Exploit Rules
  5.7 Analysis Algorithm
  5.8 System Flowchart
  5.9 Logical Attack Graph
Chapter 6 System Evaluation
  6.1 Attack Detection on a Sample Network
  6.2 Attack Tree to Logical Attack Graph
Chapter 7 Conclusions and Future Work
Bibliography
References:
[1] Michael Lyle Artz, "NetSPA: A Network Security Planning Architecture", M.S. thesis, Massachusetts Institute of Technology, Cambridge, MA, May 2002.
[2] Oleg Mikhail Sheyner, "Scenario Graphs and Attack Graphs", Ph.D. thesis, Carnegie Mellon University, April 2004, p. 133.
[3] Paul Ammann, Duminda Wijesekera, and Saket Kaushik, "Scalable, Graph-Based Network Vulnerability Analysis", in Proceedings of the 9th ACM Conference on Computer and Communications Security (CCS '02), ACM Press, New York, NY, pp. 217-224, 2002.
[4] Frederic Cuppens and Alexandre Miège, "Alert Correlation in a Cooperative Intrusion Detection Framework", in Proceedings of the 2002 IEEE Symposium on Security and Privacy (May 12-15, 2002), IEEE Computer Society, Washington, DC, p. 202.
[5] Frederic Cuppens and Rodolphe Ortalo, "LAMBDA: A Language to Model a Database for Detection of Attacks", in Proceedings of the Third International Workshop on Recent Advances in Intrusion Detection (RAID 2000), October 2-4, 2000, pp. 197-216.
[6] Kyle Ingols, Richard Lippmann, and Keith Piwowarski, "Practical Attack Graph Generation for Network Defense", in Proceedings of the Annual Computer Security Applications Conference (ACSAC 2006), Miami Beach, FL, pp. 121-130, December 11, 2006.
[7] Richard Lippmann and Kyle Ingols, "An Annotated Review of Past Papers on Attack Graphs", Project Report PR-IA-1, MIT Lincoln Laboratory, March 31, 2005.
[8] Richard Lippmann, Kyle Ingols, Chris Scott, Keith Piwowarski, Kendra Kratkiewicz, and Mike Artz, "Evaluating and Strengthening Enterprise Network Security Using Attack Graphs", Project Report PR-IA-2, MIT Lincoln Laboratory, August 12, 2005.
[9] Richard Lippmann, Kyle Ingols, Chris Scott, Keith Piwowarski, Kendra Kratkiewicz, Mike Artz, and Robert Cunningham, "Validating and Restoring Defense in Depth Using Attack Graphs", in MILCOM 2006, Washington, DC, October 23, 2006.
[10] Steven Noel and Sushil Jajodia, "Managing Attack Graph Complexity Through Visual Hierarchical Aggregation", in Proceedings of the 2004 ACM Workshop on Visualization and Data Mining for Computer Security, ACM Press, New York, NY, pp. 109-118, 2004.
[11] Steven Noel, Sushil Jajodia, Brian O'Berry, and Michael Jacobs, "Efficient Minimum-Cost Network Hardening via Exploit Dependency Graphs", in Proceedings of the 19th Annual Computer Security Applications Conference (ACSAC 2003), Las Vegas, NV, p. 86, 2003.
[12] Peng Ning and Dingbang Xu, "Learning Attack Strategies from Intrusion Alerts", in Proceedings of the 10th ACM Conference on Computer and Communications Security (CCS '03), Washington, DC, October 27-30, 2003, ACM, New York, NY, pp. 200-209.
[13] Xinming Ou, Wayne F. Boyer, and Miles A. McQueen, "A Scalable Approach to Attack Graph Generation", in Proceedings of the 13th ACM Conference on Computer and Communications Security (CCS '06), ACM Press, New York, NY, pp. 336-345, 2006.
[14] Xinming Ou, Sudhakar Govindavajhala, and Andrew W. Appel, "MulVAL: A Logic-based Network Security Analyzer", in Proceedings of the 14th USENIX Security Symposium, Baltimore, MD, pp. 113-128, August 2005.
[15] Cynthia Phillips and Laura Painton Swiler, "A Graph-based System for Network-Vulnerability Analysis", in Proceedings of the 1998 Workshop on New Security Paradigms (NSPW '98), pp. 71-79, 1998.
[16] Ronald Ritchey and Paul Ammann, "Using Model Checking to Analyze Network Vulnerabilities", in Proceedings of the 2000 IEEE Symposium on Security and Privacy, pp. 156-165, 2000.
[17] Ronald Ritchey, Brian O'Berry, and Steven Noel, "Representing TCP/IP Connectivity for Topological Analysis of Network Security", in Proceedings of the 18th Annual Computer Security Applications Conference (ACSAC 2002), Las Vegas, NV, 2002.
[18] Diptikalyan Saha, "Extending Logical Attack Graphs for Efficient Vulnerability Analysis", in Proceedings of the 15th ACM Conference on Computer and Communications Security (CCS '08), Alexandria, VA, October 27-31, 2008, ACM, New York, NY, pp. 63-74.
[19] Andrew Stewart, "A Contemporary Approach to Network Vulnerability Assessment", Network Security, vol. 2005, no. 4, pp. 7-10, April 2005.
[20] Oleg Sheyner, Joshua Haines, Somesh Jha, Richard Lippmann, and Jeannette M. Wing, "Automated Generation and Analysis of Attack Graphs", in Proceedings of the 2002 IEEE Symposium on Security and Privacy, Oakland, CA, 2002.
[21] Steven J. Templeton and Karl Levitt, "A Requires/Provides Model for Computer Attacks", in Proceedings of the 2000 Workshop on New Security Paradigms (NSPW '00), Ballycotton, County Cork, Ireland, September 18-21, 2000, ACM, New York, NY, pp. 31-38.
[22] Sushil Jajodia, Steven Noel, and Brian O'Berry, "Topological Analysis of Network Attack Vulnerability", in Managing Cyber Threats: Issues, Approaches and Challenges, Vipin Kumar, Jaideep Srivastava, and Aleksandar Lazarevic, Eds., Kluwer Academic Publishers, Dordrecht, Netherlands, 2003.
[23] Nessus, Tenable Network Security, http://www.tenablesecurity.com/nessus/
[24] NVD, National Vulnerability Database, http://nvd.nist.gov/
[25] OVAL Definition Search, http://oval.mitre.org/repository/data/AdvancedSearch.jsp
[26] OVAL Scanner, The MITRE Corporation, http://oval.mitre.org/oval/index.html
[27] SSA, Security System Analyzer, Security Database, http://www.security-database.com/ssa.php
[28] Purdue University, RASC: Confidentiality, Integrity and Availability (CIA), http://www.itap.purdue.edu/security/files/documents/RASCCIAv13.pdf
[29] US-CERT Vulnerability Notes Database, http://www.kb.cert.org/vuls
[30] XSB, a Logic Programming and Deductive Database System for Unix and Windows, http://xsb.sourceforge.net/