Cascade Vulnerability Scanning Engine Deployment Strategy for Delay Optimization


Authors: GU Yunjie; WU Changhe; WU Qing; ZHANG Wei; LÜ Tianhang; HU Qi; SONG Xiaobin; YAN Jiyu (61660 Unit of PLA, Beijing 100084, China; National Digital Switching System Engineering Technology Research Center, Zhengzhou 450002, China)

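Affiliations: [1] 61660 Unit of PLA, Beijing 100084, China; [2] National Digital Switching System Engineering Technology Research Center, Zhengzhou 450002, China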

Source: Computer Engineering (《计算机工程》), 2023, Issue 3, pp. 161-167, 176 (8 pages in total)

Funding: National Natural Science Foundation of China, General Program (61872382).

Abstract: The growing size of networks and variety of vulnerabilities make it difficult for a centralized vulnerability scanning engine to conduct security assessments effectively under complex network structures. The cascade vulnerability scanning method significantly improves the scalability of the vulnerability scanning engine across network scenarios, which is crucial for handling network security problems under complex network structures. However, most existing studies on cascade vulnerability scanning engine deployment have not optimized the communication delay, which results in poor scanning efficiency. This study proposes a new cascade vulnerability scanning engine deployment strategy oriented toward delay optimization. The real network environment is abstracted as an underlying network topology that carries terminal devices or scanning engines. Based on a mathematical model of the communication delay between the central control engine, the local scanning engines, and the target terminals, a cascade system energy function is constructed. The delay-optimized cascade engine deployment problem is thereby transformed into the problem of minimizing the system free energy function. A cascade coordinate deployment algorithm is designed to solve it, achieving global and rapid optimization of the deployment strategy and determining the placement of the scanning engines. Simulation experiments over different network scales and topology types analyze the impact of each parameter on algorithm performance. The experimental results indicate that the delay cost of this algorithm is reduced by 16.2% on average compared with the Greedy algorithm, verifying the validity and superiority of the algorithm for deploying cascade vulnerability scanning engines in complex network environments.

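Keywords: vulnerability scanning; cascade vulnerability scanning engine; delay optimization; deployment strategy; cascade system energy function; deterministic annealing algorithm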

Classification: TP393 [Automation and Computer Technology - Computer Application Technology]

 
