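1. Department of Information Transmission, Xi'an Communications Institute, Xi'an, Shaanxi 710106
2. Graduate Management Brigade, Xi'an Communications Institute, Xi'an, Shaanxi 710106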
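YANG Jun-gang (1973-), male, born in Baoji, Shaanxi; Ph.D., associate professor and master's supervisor at Xi'an Communications Institute. Main research interests: network and system security.
LIANG Li (1983-), male, born in Baoding, Hebei; master's student at Xi'an Communications Institute. Main research interests: computer network security detection and assessment.
LIU Gu-jing (1974-), female, born in Chongqing; lecturer at Xi'an Communications Institute. Main research interests: computer network security vulnerability assessment.
ZHANG Qian (1976-), female, born in Xi'an, Shaanxi; lecturer at Xi'an Communications Institute. Main research interests: system optimization and scheduling.
ZHANG Chang-qing (1986-), male, born in Meixian, Shaanxi; master's student at Xi'an Communications Institute. Main research interests: artificial intelligence and network security.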
Online publication date: 2013-11
Print publication date: 2013-11-25
Jun-gang YANG, Li LIANG, Gu-jing LIU, et al. Method for router online security risk assessment quantification[J]. Communication journal, 2013, 34(11): 59-70. DOI: 10.3969/j.issn.1000-436x.2013.11.008.
Building on an analysis of the nature of router security problems, this paper proposes the concept of router security effectiveness and classifies router attacks, then presents a method for quantitatively assessing a router's security threat situation from online monitoring. Based on the attack classification, the method computes the security risk factor for service-degradation threats from the router's bandwidth occupancy and average CPU usage, and the security risk factor for privilege-escalation threats from the likelihood of threat occurrence and the threat severity. These factors are combined with the importance of the router itself to compute its security risk, from which the router's security threat situation is analyzed. Experiments show that the proposed method reflects the router's security risk well and gives network administrators an intuitive view of the security threat situation, so that they can adjust router security policy and improve its security performance.