Hazard Assessment of IoT Vulnerabilities Correlation Based on Risk Matrix
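  • English title: Hazard Assessment of IoT Vulnerabilities Correlation Based on Risk Matrix
  • Authors: 任晓贤; 陈洁; 李晨阳; 杨义先
  • Authors (English): REN Xiaoxian; CHEN Jie; LI Chenyang; YANG Yixian; College of Computer Science and Technology, North China University of Technology; Cyber Security Guard, Sichuan Provincial Public Security Department; Information Security Center, Beijing University of Posts and Telecommunications; Guizhou Provincial Key Laboratory of Public Big Data, Guizhou University
  • Keywords: Internet of Things; vulnerability assessment; blockchain; correlation
  • Keywords (English): IoT; vulnerability assessment; blockchain; correlation
  • Chinese journal title: XXAQ
  • English journal title: Netinfo Security
  • Institutions: School of Computer Science, North China University of Technology; Cyber Security Guard Corps, Sichuan Provincial Public Security Department; School of Cyberspace Security, Beijing University of Posts and Telecommunications; Guizhou Provincial Key Laboratory of Public Big Data, Guizhou University
  • Publication date: 2018-11-10
  • Publisher: Netinfo Security
  • Year: 2018
  • Issue: No.215
  • Funding: National Key R&D Program of China [2017YFB0802703]; Open Project of the Guizhou Provincial Key Laboratory of Public Big Data [2018BDKFJJ014]
  • Language: Chinese
  • Page: XXAQ201811011
  • Number of pages: 8
  • CN: 11
  • ISSN: 31-1859/TN
  • Classification number: 86-93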
Abstract
With the rapid development and widespread adoption of the Internet of Things (IoT), the proportion of attacks targeting the IoT is rising year by year. To evaluate the vulnerabilities of IoT systems scientifically, this paper proposes a vulnerability correlation hazard assessment method. Unlike traditional methods that evaluate each vulnerability in isolation, this method uses the CVSS v3 evaluation metrics and, based on a vulnerability correlation graph and a risk matrix, assesses each vulnerability in correlation, taking into account its relationships with predecessor and successor vulnerability nodes as well as the factors of the vulnerability itself. Experiments show that the method gives effective guidance for network security protection work and helps prevent IoT devices with high correlation-hazard vulnerabilities from being controlled by attackers to launch DDoS attacks or from becoming blockchain mining tools.
