Authors: LIU Jie-ling; LING Xiao-bo; ZHANG Lei; WANG Bo [1]; WANG Zhi-liang [1]; LI Zi-mu [1]; ZHANG Hui [1]; YANG Jia-hai [1]; WU Cheng-nan
Affiliations: [1] Institute for Network Science and Cyberspace & BNRist, Tsinghua University, Beijing 100084, China; [2] State Grid Shanghai Electric Power Company, Shanghai 200122, China; [3] State Grid Shanghai Electric Power Research Institute, Shanghai 200437, China; [4] Songjiang Power Supply Company of State Grid Shanghai Municipal Electric Power Company, Shanghai 201699, China
Source: Computer Science (《计算机科学》), 2022, Issue 9, pp. 306-311 (6 pages)
Funding: National Key Research and Development Program of China (2017YFB0803004).
Abstract: Power system networks are one of the important targets of cyber attacks. To ensure the safe operation of power systems, network administrators need to assess the network security risks that power system networks face. Existing network security risk assessment frameworks usually evaluate only a single scenario and cannot pick out, from an excessive volume of network security alerts, strategic attackers who use multiple means to reach their goal. To address these challenges, the paper designs a network security risk assessment framework based on tactical correlation. The framework draws on mature network security knowledge bases and consolidates redundant indicators to simplify the user's input as far as possible, and it correlates the alerts generated by multiple network security systems at the tactical level, thereby uncovering attacks that coordinate multiple attack techniques. An advanced persistent threat (APT) attack case is evaluated, and the comparison shows that, relative to the existing Lightweight Information Security Risk Assessment (LiSRA) framework, the method discovers high-threat risks more effectively and is also more robust than existing methods.

English abstract: Power system network is one of the important targets of cyber attack. In order to ensure the safe operation of power system, network managers need to evaluate the network security risk. Usually, existing network security risk assessment framework only aims at a single scenario, and cannot find the strategic attackers who use a variety of low-risk methods to achieve high-risk threat targets from large quantities of network security alerts. In order to meet the above challenges, this paper proposes a network security risk assessment method based on tactical correlation. In this method, the warning information generated on various network security detection devices when an attacker implements a multi-step attack is associated to form an attack chain, and the security risk of the organization intranet is evaluated by calculating the threat, vulnerability, impact score of each node in the attack chain and the risk score of the whole attack chain. In order to verify the effectiveness and robustness of the proposed method, this paper selects a representative example to illustrate the specific implementation process of the proposed method for network security risk assessment in the organizational intranet. The example shows that the network security risk assessment framework based on the tactical association can correctly assess the harm of multi-step attack caused by low-risk alarm association to achieve high-risk targets, and is more robust than the traditional single scenario analysis method, which can better provide decision-making basis for organization decision-makers in network security risk management.
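Keywords: network security; advanced persistent threat (APT); risk assessment; tactical correlation; risk management
Classification: TP309 [Automation and Computer Technology: Computer System Architecture]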