| Summary: | 碩士 === 中原大學 === 資訊工程研究所 === 91 === Vulnerability analysis is important to ensure the security of a network environment. Critical services in a network environment with vulnerabilities are vulnerable if there are attack paths leading to the services. Many tools based on graph theory have been proposed to discover the possible attack paths through which an attacker may exploit to reach his final goal. Although automated tools to find all possible attack paths are available, they require manual effort and expert knowledge to describe the one-step attack templates before computerized model checking procedure can be performed. As the amount of vulnerabilities discovered doubles exponentially every year, the configuration change in network occurs more and more often, and the softwares installed to individual system varies from time to time, an attack graph generation system which demands little manual effort and expert knowledge is desirable. In this thesis, an intelligent attack graph generator is proposed. In this attack graph generator, vulnerability information is derived from data collected from authoritative sources. The configuration and the software installation information are gathered through a reporting mechanism. Both are automatic procedures. The resulted information constitutes the primitive facts about the environment. A set of rules is derived to model the expert knowledge central to the derivation of the one-step attack templates. By utilizing the influence rules to analyze the primitive facts, the one-step attack templates can be generated and the possible attack paths can be explored in a fully automated process. The intelligent attack graph generator has been implemented, and experiments have been conducted to verify the correctness of the proposed scheme.
|
|---|
