基于CPN的信息系统安全防护能力建模方法

doi:10.16182/j.issn1004731x.joss.201810013

系统仿真学报 ›› 2018, Vol. 30 ›› Issue (10): 3699-3710.doi: 10.16182/j.issn1004731x.joss.201810013

基于CPN的信息系统安全防护能力建模方法

陈强军¹, 张明清¹, 孔红山¹, 刘小虎¹, 邵连杰²

1. 解放军信息工程大学,河南郑州 450001;
2. 解放军68048部队,陕西宝鸡 721000

收稿日期:2016-09-09 修回日期:2016-11-20 出版日期:2018-10-10 发布日期:2019-01-04
作者简介:陈强军(1992-),男,甘肃通渭,硕士生,研究方向为信息系统安全建模与评估;张明清(1961-),男,湖北孝感,学士,副教授,研究方向为系统建模与仿真;孔红山(1981-),男,河南濮阳,博士生,讲师,研究方向为系统建模与仿真。

Modeling for Security Protection Capability of Information System Based on CPN

Chen Qiangjun¹, Zhang Mingqing¹, Kong Hongshan¹, Liu Xiaohu¹, Shao Lianjie²

1. PLA Information Engineering University, Zhengzhou 450001, China;
2. Unit 68048 of the PLA, Baoji 721000, China

Received:2016-09-09 Revised:2016-11-20 Online:2018-10-10 Published:2019-01-04

摘要/Abstract

摘要： 建模对安全防护能力评估具有重要作用。结合安全防护能力评估方法多、更新快的特点,提出了基于监测、分析和响应的安全防护能力分析框架;针对防护设备智能学习和协作交互难以建模的问题,基于CPN(Colored Petri Nets)构建了安全防护能力分析模型。模型用消息颜色集的颜色表示系统事件的不同属性;建立了监测、分析和响应三种功能组件来表示安全防护能力的不同过程;给出了模型的2个定理,分析了模型复杂度。实例应用验证了模型的有效性,模型分析得出了其良好的通用性、扩展性和可分析性,表明可为安全防护能力的评估提供数据和模型支撑。

关键词: 安全防护能力, 分析框架, CPN, 分析模型

Abstract: Modeling plays an important role in assessment for security protection capability. Oriented to the features that evaluation has many methods which update quickly, the analysis frame is proposed based on detect, analyse and respond. Aimed at the problems that it is difficult to model the intelligent learning and coordination process for protective device, analysis model is built based on CPN. The colors of message color sets represent the different properties of events. Detect, analysis and respond components which represent different process of security protection capability are defined. Two theorems are proved, and model complexity is analyzed. The usability of model is verified, and excellent versatility, scalability and analyzability are reached by analyzing the application process. Results show that the model can provide data and model support for the evaluation on security protection capability.

Key words: security protection capability, analysis frame, CPN, analysis model

中图分类号:

TP391.9A

陈强军, 张明清, 孔红山, 刘小虎, 邵连杰. 基于CPN的信息系统安全防护能力建模方法[J]. 系统仿真学报, 2018, 30(10): 3699-3710.

Chen Qiangjun, Zhang Mingqing, Kong Hongshan, Liu Xiaohu, Shao Lianjie. Modeling for Security Protection Capability of Information System Based on CPN[J]. Journal of System Simulation, 2018, 30(10): 3699-3710.

参考文献

[1] 360互联网安全中心. 2015年中国互联网安全报告[EB/OL]. (2016-02-29)[ 2016-09-06]. http://www.360.cn/ weishi/2015_sr.html.
360 Center for Internet Security: 2015 Chinese Internet Security Report [EB/OL]. (2016-02-29) [2016-09-06] http://www. 360.cn/weishi/2015_sr.html.
[2] Nayot Poolsappasit, Rinku Dewri, Indrajit Ray.Dynamic Security Risk Management Using Bayesian Attack Graphs[J]. IEEE Transactions on Dependable and Secure Computing (S1941-0018), 2012, 9(1): 61-74.
[3] 万雪莲, 张京河. 基于攻、防的信息系统安全综合评估方法的研究[J]. 计算机科学, 2016, 43(S1): 322-327.
Wan Xuelian, Zhang Jinghe.Research on Comprehensive Assessment Method of Information System Security Based on System Attack and Defense[J]. Computer Science, 2016, 43(S1): 322-327.
[4] 戴方芳. 基于攻击图理论的网络安全风险评估技术研究 [D]. 北京: 北京邮电大学, 2015.
Dai Fangfang.Research on Network Security Risk Assessment Technology Based on Attack Graph Theory [D]. Beijing, China: Beijing University of Posts and Telecommunications, 2015.
[5] 高翔, 刘洋, 贺筱媛. 基于GSCPN模型的网络安全加固措施制定方法[J]. 系统仿真学报(S1004-731X), 2016, 28(5): 1009-1016.
Gao Xiang, Liu Yang, He Xiaoyuan.Method for Network Security Reinforcement Based on GSCPN Model[J]. Journal of System Simulation (S1004-731X), 2016, 28(5): 1009-1016.
[6] You Y, Cho I, Lee K.An advanced approach to security measurement system[J]. The Journal of Supercomputing (S0920-8542), 2016, 72(9): 3443-3454.
[7] 吴迪, 冯登国, 连一峰, 等. 一种给定脆弱性环境下的安全措施效用评估模型[J]. 软件学报, 2012, 23(7): 1880-1898.
Wu Di, Feng Dengguo, Lian Yifeng, et al.An efficiency evaluation model of system security measures in the given vulnerabilities set[J]. Journal of Software, 2012, 23(7): 1880-1898.
[8] Roland Rieke.Modelling and Analysing Network Security Policies in a Given Vulnerability Setting[M]// Critical Information Infrastructures Security. Germany: Springer Berlin Heidelberg, 2006: 67-78.
[9] Laborde R, Nasser B, Grasset F.A formal approach for the evaluation of network security mechanisms based on RBAC policies[J]. Electronic Notes in Theoretical Computer Science (S1571-0661), 2005, 121(0): 117-142.
[10] Laborde R, Nasser B, Grasset F, et al.Network security management: A formal evaluation tool based on RBAC policies[M]// Network Control and Engineering for QoS, Security and Mobility, III. USA: Springer US, 2005: 69-80.
[11] 陈小军, 时金桥, 徐菲, 等. 面向内部威胁的最优安全策略算法研究[J].计算机研究与发展, 2014, 51(7): 1565-1577.
Chen Xiaojun, Shi Jinqiao, Xu Fei, et al.Algorithm of Optimal Security Hardening Measures Against Insider Threat[J]. Journal of Computer Research and Development, 2014, 51(7): 1565-1577.
[12] 李志, 单洪, 马春来, 等. 基于攻防图的网络主动防御策略选取研究[J]. 计算机应用研究, 2015, 32(12): 3729-3734.
Li Zhi, Shan Hong, Ma Chunlai.Network active defense strategy selection based on attack-defense graph[J]. Application Research of Computers, 2015, 32(12): 3729-3734.
[13] Feng, Nan, Wang, et al. A security risk analysis model for information systems: Causal relationships of risk factors and vulnerability propagation analysis[J]. Information Sciences (S0020-0255), 2014, 256(1): 57-73.
[14] Ghani H, Luna J, Suri N.Quantitative assessment of software vulnerabilities based on economic-driven security metrics[C]// Risks and Security of Internet and Systems (CRiSIS), 2013 International Conference on. USA: IEEE, 2013: 1-8.
[15] 吕慧颖, 彭武, 王瑞梅, 等. 基于时空关联分析的网络实时威胁识别与评估[J]. 计算机研究与发展, 2014, 51(5): 1039-1049.
Lü Huiying, Peng Wu, Wang Ruimei, et al.A Real-time Network Threat Recognition and Assessment Method Based on Association Analysis of Time and Space[J]. Journal of Computer Research and Development, 2014, 51(5): 1039-1049.
[16] 张恒巍, 张健, 王晋东, 等. 基于连通度算子的系统漏洞风险评估[J]. 计算机工程与设计, 2015, 36(1): 65-70.
Zhang Hengwei, Zhang Jian, Wang Jindong, et al.System vulnerability risk evaluation based on connectivity operator[J]. Computer Engineering and Design, 2015, 36(1): 65-70.
[1] Wang L, Jajodia S, Singhal A, et al.k-zero day safety: A network security metric for measuring the risk of unknown vulnerabilities[J]. IEEE Transactions on Dependable and Secure Computing (S1941-0018), 2014, 11(1): 30-44.
[2] Visumathi J, Shunmuganathan K L.A computational intelligence for evaluation of intrusion detection system[J]. Indian Journal of Science and Technology (S0974-5645), 2011, 4(1): 40-45.
[3] 高翔, 祝跃飞, 刘胜利. 一种基于广义随机颜色Petri网的网络攻击组合模型[J]. 电子与信息学报, 2013, 38(11): 2608-2614.
Gao Xian, Zhu Yuefen, Liu Shengli.Attack Composition Model Based on Generalized Stochastic Colored Petri Nets[J]. Journal of Electronics & Information Technology, 2013, 38(11): 2608-2614.
[4] 陈小军, 方滨兴, 谭庆丰, 等. 基于概率攻击图的内部攻击意图推断算法研究[J]. 计算机学报, 2014, 37(1): 62-72.
Chen Xiaojun, Fang Binxing, Tan Qingfeng, et al.Inferring attack intent of malicious insider based on probabilistic attack graph model[J]. Chinese Journal of Computers, 2014, 37(1): 62-72.
[5] Igor Kotenko, Andrey Chechulin.Computer Attack Modeling and Security Evaluation based on Attack Graphs.[C]// The 7th IEEE International Conference on Intelligent Data Acquisition and Advanced Computing System: Technology and Applications, Berlin, Germany. USA: IEEE, 2013, 9: 614-619.
[6] 张红旗, 王鲁. 信息安全技术 [M]. 北京: 高等教育出版社, 2008.
Zhang Hongqi, Wang Lu.Information Security Technology [M]. Beijing, China: Higher Education Press, 2008.

基于CPN的信息系统安全防护能力建模方法

Modeling for Security Protection Capability of Information System Based on CPN

PDF (PC)

可视化

摘要/Abstract

引用本文

使用本文

参考文献

相关文章 3

编辑推荐

Metrics

本文评价

[1]	周学广, 吕伟栋, 袁志民. 基于着色Petri网的舰艇指挥控制信息流建模研究[J]. 系统仿真学报, 2019, 31(5): 828-842.
[2]	高翔, 刘洋, 贺筱媛. 基于GSCPN模型的网络安全加固措施制定方法[J]. 系统仿真学报, 2016, 28(5): 1009-1016.
[3]	张梅, 陈广森, 游佳. 基于CPN Tools的可重入自动组合设备的建模与仿真[J]. 系统仿真学报, 2015, 27(12): 2927-2934.