Analysis method of minimum critical vulnerability set based on partial attack graph


Authors: 沈霄梦 (SHEN Xiao-meng); 徐丙凤 (XU Bing-feng) [1,2]; 何高峰 (HE Gao-feng)

Affiliations: [1] College of Information Science and Technology, Nanjing Forestry University, Nanjing 210037, Jiangsu, China; [2] Key Laboratory of Safety-Critical Software of Ministry of Industry and Information Technology, Nanjing University of Aeronautics and Astronautics, Nanjing 211106, Jiangsu, China; [3] College of Internet of Things, Nanjing University of Posts and Telecommunications, Nanjing 210003, Jiangsu, China

Source: Computer Engineering and Design (《计算机工程与设计》), 2024, No. 6, pp. 1607-1614 (8 pages)

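Funding: National Natural Science Foundation of China, Young Scientists Fund (61802192, 61702282); Nanjing University of Aeronautics and Astronautics Research Base Innovation (Science and Engineering) Fund (NJ2020022).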

Abstract: Attack graphs applied to industrial Internet security protection are prone to state space explosion. To alleviate this problem, a minimum critical vulnerability set analysis method based on a partial attack graph is proposed. A partial attack graph generation algorithm that targets important asset nodes is proposed; it alleviates state space explosion by pruning attack paths that cannot reach the target node. The minimum critical vulnerability set is then analyzed directly from the attack path vulnerability sets obtained while the partial attack graph is generated, which saves the time and space overhead that traditional analysis methods spend on a second traversal of the attack graph when searching for critical vulnerabilities. On this basis, an industrial network example is analyzed and compared with related work. Experimental results show that the proposed method is reasonable and feasible, and can efficiently analyze the minimum critical vulnerability set in network systems.

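Keywords: industrial Internet; attack graph; critical vulnerability set; state space explosion; network security; partial attack graph generation; security defense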

Classification code: TP311 [Automation and Computer Technology: Computer Software and Theory]

 
