Authors: ZHANG Youjie (张游杰) [1], ZHANG Qingping (张清萍) [1], WU Wei (吴伟) [1], SHI Zhe (师哲) [2]
Affiliations: [1] CETC North-China Cyber Security Company Limited, No.33 Research Institute of China Electronics Technology Group Corporation, Taiyuan, Shanxi 030032, China; [2] School of Computer Science, Nanjing University of Posts and Telecommunications, Nanjing, Jiangsu 210023, China
Source: Journal of Computer Applications (《计算机应用》), 2018, No. 6, pp. 1653-1657 (5 pages)
Abstract: The security mechanisms of the REpresentational State Transfer (REST) architecture are incomplete. To address this problem, a security analysis and evaluation of the REST architecture based on attack graphs is proposed, and attack graphs are used to evaluate the security of the REST architecture quantitatively. First, the attacks that the REST architecture may face are predicted, a REST architecture attack graph model is constructed accordingly, and the attack possibility parameter and the attack realization parameter are calculated. Then, security protection measures are proposed for the attack states and attack behaviors in the attack graph, the REST architecture attack graph model is reconstructed on that basis, and the attack possibility parameter and the attack realization parameter are recalculated. By comparison, after the security protection measures are adopted, the attack possibility parameter is reduced to about 1/10 of its original value, and the attack realization parameter is reduced to about 1/86 of its original value. The comparison shows that the constructed attack graph model can effectively and quantitatively evaluate the security of the REST architecture.
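Keywords: REpresentational State Transfer (REST); attack graph; security evaluation; attack possibility; attack realization degree
Classification number: TP393.08 [Automation and Computer Technology: Computer Application Technology]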