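Yanshang YIN (尹彦尚, 1998− ), female, master's student at Zhejiang Gongshang University; main research interest: software defined networking.
Tongpeng SUO (索同鹏, 1995− ), male, master's student at Zhejiang Gongshang University; main research interest: software defined networking.
Ligang DONG (董黎刚, 1973− ), male, Ph.D., dean and professor of the School of Information and Electronic Engineering at Zhejiang Gongshang University, master's supervisor, senior member of the Chinese Institute of Electronics, council member of the Zhejiang Computer Society; main research interests: new-generation networks and distributed systems.
Xian JIANG (蒋献, 1988− ), male, laboratory technician at Zhejiang Gongshang University; main research interests: digital circuits and analog circuits.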
Online publication date: 2021-11
Print publication date: 2021-11-20
Yanshang YIN, Tongpeng SUO, Ligang DONG, et al. SDN security prediction method based on Bayesian attack graph[J]. Telecommunications Science, 2021, 37(11): 75-85. DOI: 10.11959/j.issn.1000-0801.2021212.
Existing research evaluates and predicts software defined network (SDN) security threats using threat modeling and security analysis systems, but this approach does not consider the vulnerability exploitation probability of the SDN controller or the position of devices in the network, so the security evaluation is inaccurate. To address these problems, an algorithm that calculates the importance of each device in an SDN was designed, based on device vulnerability exploitation probability and device criticality combined with the PageRank algorithm; a method that measures the probability of a device being successfully attacked was designed, based on the SDN attack graph and Bayesian theory. On this basis, an SDN security prediction algorithm based on the Bayesian attack graph was designed to predict the attacker's attack path. Experimental results show that the method can accurately predict the attacker's attack path and provides a more accurate basis for security defense.