2025-01-28 Update From: SLTechnology News&Howtos (shulou), Network Security
Shulou(Shulou.com)06/01 Report--
1. Research background
Security risk situation prediction and analysis is an important topic in information security technology and management. Traditional methods generally analyse the following aspects, either independently or in combination:
1. Obtain historical security information, train a probability model on it or use the historical data directly, and predict risk from the results [1] [2]
2. Analyse the security vulnerabilities of the various information assets
3. Analyse the security attributes of the various information assets, including confidentiality, integrity, availability and so on
4. Analyse the network topology model, mainly the relationships between the networks, chiefly their connectivity.
However, the above methods have obvious shortcomings, mainly in the following respects:
1. A probability model built on historical data alone cannot match the security events that are about to happen; that is, the empirical data may in fact be untrustworthy.
2. The relevant security attributes of the network, in particular the policies of the firewalls, are not analysed, so the situation prediction is unreliable or produces serious false alarms.
2. Purpose of the study
In view of the problems with the existing techniques above, this paper proposes a risk situation prediction and analysis method based on security early warnings, which addresses the following:
1. Evaluate the possible impact on the network of security warnings issued by authoritative institutions
2. Use the relevant security attributes of the network, the division of security domains and the configuration of border firewall policies to analyse, as realistically as possible, the effects or threats that the various kinds of harmful code (such as viruses, Trojans, etc.) may pose to the real network.
3. Research methods
The method consists of the following steps:
1. Collection of security information. The different kinds of security information collected are:
- Security early warning information: security early warnings synchronised from national authorities or well-known vendors; this method mainly concerns warnings about vulnerabilities, harmful code, security threats and so on; after synchronisation they are standardised
- Information asset information: the systems (including versions), vulnerabilities, patches, running services and externally exposed ports of each information asset, together with the value of each asset
- Network information: the network topology connections of each information asset, and the protection level of each subnet, etc.
- Firewall policy information: the access control policy of each network border firewall, including zone, interface, permitted IP addresses, ports, protocols and so on.
2. Build the models:
- Early warning model, as follows:
Early warning =
- Information asset model, as follows:
Information assets =
- Firewall policy model, as follows:
Firewall policy =
- Network model: the network is composed of the following tuples:
Network =
3. Analysis process
Depending on the type of early warning, the situation analysis proceeds as follows:
1) Start from the top-level network (usually the Internet boundary or the outbound gateway).
2) Analyse whether the access described in the early warning would be accepted by the network's border firewall policy (mainly the source address, port and protocol of inbound access). If not, go to 5); otherwise go to 3). When analysing a lower-level network, the policies of the relevant firewalls of its superior network must be applied jointly as part of its own policy, whereas the policies of neighbouring networks are not.
3) Analyse whether the system, vulnerabilities, installed software or services, open ports and other factors of each information asset in the network are affected, and generate a match vector (each element is 0 or 1, meaning mismatch or match respectively), as follows:
Match vector = [match 1, match 2, … , match n]
The possibility of impact is calculated from each match and the weight of each factor:
Possibility of influence =
4) From the possibility of impact, calculate the risk situation of the affected information assets together as the risk situation forecast of the network (assets that are not affected at all are disregarded):
Network risk situation forecast =
5) Obtain the adjacent or subordinate networks. If any network has not yet been analysed, go to 2); otherwise go to 6).
6) Calculate the overall risk situation forecast value from the forecast values of the individual networks:
Overall risk situation forecast =
4. Experimental procedure
The specific experimental steps are as follows:
1. Information collection and modelling:
- Build the information collection components to obtain early warning information from the relevant national authoritative security websites on a regular basis; direct manual entry of early warning information is also supported, for example:
Microsoft "IE Cumulative Security Update": bulletin number MS2013-21, affecting IE6 to IE10.
- Regularly scan the asset information in the network, logging in to the target asset via SNMP or an account and password to obtain asset-related information, for example:
Several assets in the network run Windows 7: the system version number is 6.1.7601, and ports 135, 139 and 445 are open.
- Regularly obtain policy information from the border firewall devices and standardise it. Different types of firewall express policies differently (although access control policies are essentially similar in nature), so they must be unified, as follows:
firewall interzone dmz untrust
...
acl 3000
rule 0 permit tcp source xxx.xxx.xxx.xxx/xx source-port eq ftp-data destination-port eq 30
...
After standardisation, it is as follows:
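The unification step above is where a vendor-specific ACL dump becomes the firewall policy tuple the method reasons about. The following is an added example written for this page, not code from the paper: it parses a small constructed dump whose syntax is modelled on the fragment quoted above (the addresses, the extra rules, the `packet-filter` line and the service-name table are assumptions), normalises service names to port numbers, and then evaluates an inbound access against the standardised rules with first-match semantics and an implicit deny, which is exactly the check that step 2) of the analysis applies to a warned access.

```python
import ipaddress
import re
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Constructed sample of a vendor-style border firewall dump. The syntax follows
# the fragment quoted on the page; addresses and the extra rules are made up.
RAW_POLICY = """\
firewall interzone dmz untrust
 packet-filter 3000 inbound
acl 3000
 rule 0 permit tcp source 203.0.113.0/24 source-port eq ftp-data destination-port eq 30
 rule 5 permit udp source any destination-port eq 53
 rule 10 deny ip
"""

# Service names devices accept in place of numeric ports (partial table, assumed).
SERVICE_PORTS = {"ftp-data": "20", "ftp": "21", "ssh": "22", "dns": "53",
                 "http": "80", "https": "443"}

RULE_RE = re.compile(
    r"rule\s+(?P<id>\d+)\s+(?P<action>permit|deny)\s+(?P<proto>\S+)"
    r"(?:\s+source\s+(?P<src>\S+))?"
    r"(?:\s+source-port\s+eq\s+(?P<sport>\S+))?"
    r"(?:\s+destination-port\s+eq\s+(?P<dport>\S+))?"
)


@dataclass
class Rule:
    """One standardised access-control entry: the unified form the method needs."""
    acl: str
    rule_id: int
    action: str              # "permit" or "deny"
    protocol: str            # "tcp", "udp" or "ip" (any protocol)
    source: str              # CIDR or "any"
    src_port: Optional[str]  # numeric string; None means any
    dst_port: Optional[str]


@dataclass
class Policy:
    zones: Tuple[str, str]   # (inside zone, outside zone)
    rules: List[Rule]


def _port(name: Optional[str]) -> Optional[str]:
    return None if name is None else SERVICE_PORTS.get(name, name)


def parse_policy(text: str) -> Policy:
    """Turn the vendor dump into the standardised zone/rule model."""
    zones, acl, rules = ("", ""), None, []
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("firewall interzone"):
            _, _, inside, outside = line.split()
            zones = (inside, outside)
        elif line.startswith("acl "):
            acl = line.split()[1]
        elif (m := RULE_RE.match(line)) and acl is not None:
            rules.append(Rule(acl, int(m["id"]), m["action"], m["proto"],
                              m["src"] or "any", _port(m["sport"]), _port(m["dport"])))
    rules.sort(key=lambda r: r.rule_id)  # devices evaluate rules in id order
    return Policy(zones, rules)


def _src_matches(cidr: str, ip: str) -> bool:
    return cidr == "any" or ipaddress.ip_address(ip) in ipaddress.ip_network(cidr, strict=False)


def permits(policy: Policy, proto: str, src_ip: str, dst_port: int,
            src_port: Optional[int] = None) -> bool:
    """First-match evaluation of one inbound access; implicit deny if nothing matches."""
    for r in policy.rules:
        if r.protocol not in ("ip", proto):
            continue
        if not _src_matches(r.source, src_ip):
            continue
        if r.dst_port is not None and r.dst_port != str(dst_port):
            continue
        if r.src_port is not None and r.src_port != (None if src_port is None else str(src_port)):
            continue
        return r.action == "permit"
    return False


if __name__ == "__main__":
    policy = parse_policy(RAW_POLICY)
    for r in policy.rules:
        print(policy.zones, r)
    print("udp/53 from outside:", permits(policy, "udp", "198.51.100.7", 53))
    print("tcp/445 from outside:", permits(policy, "tcp", "198.51.100.7", 445))
```

Keeping the rules sorted by id and stopping at the first match mirrors how the device itself applies the ACL; if the normaliser evaluated rules in any other order, the `deny ip` catch-all at the end would shadow the permits and the situation analysis would wrongly conclude that no warned access can enter.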
2. Analysis of the properties of the early warning
Because different early warnings differ in nature, they can be divided into the following types:
- Closely tied to a particular type of system or software version, and little to do with network access
- Little to do with the system type or software version, but closely tied to the network access behaviour itself.
- Having both of the above characteristics.
3. Analysis process
For the first type it is generally unnecessary to analyse the firewall policy specially, since the warning is unrelated to the policy; it suffices to analyse whether the network contains assets whose system and application match the contents indicated in the early warning. Warnings of the latter two types must be analysed in combination with the firewall policy.
Suppose the whole intranet contains two adjacent subnets A and B and a subordinate subnet C, whose protection levels (on a scale of 1 to 5) are 2, 2 and 3 respectively; there are 100 assets in networks A, B and C, the value of the assets in A and B is 2 (on a scale of 1 to 5), and the value of the assets in C is 4. The assets in network B are all Windows terminals with the IE browser installed, of which only 20 have been patched, while the assets in networks A and C all run other systems. A contains 4 DNS servers running different types of DNS service, with asset values of 1, 2, 4 and 4 respectively. Network C contains about 20 database servers and 2 DNS servers. Access between networks A and C is permitted only through port 22; everything else is prohibited.
On this basis, for the existing MS2013-021 early warning the security risk situation value of the whole network is 80 (networks A and C do not enter the calculation; the situation value lies between 0 and 100). For a certain DNS denial-of-service attack warning, because the features of the two high-value DNS servers do not match exactly (the early warning does not indicate the matching DNS service software and version, which account for 70% of the weight) and the DNS service in network C should be ignored, the overall security risk situation forecast value is 78.
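The six analysis steps of section 3 and the A/B/C scenario above together describe one procedure: walk the networks from the top level, filter each warned access through the effective border policy (a subordinate network inherits its superior's policy, a neighbour does not), build a 0/1 match vector per asset, weight it into a possibility, aggregate only the affected assets into a network forecast, and combine the networks. The following is an added example written for this page, not the paper's own implementation: the paper's formulas are not reproduced on the page, so the factor weights, the value-weighted network aggregation and the level-weighted overall aggregation are this example's assumptions, and the scenario is a constructed, scaled-down version of the A/B/C example (its numbers do not reproduce the page's 80 and 78). The border policy is simplified to the set of (protocol, port) pairs the firewall admits inbound.

```python
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Set, Tuple

Port = Tuple[str, int]  # (protocol, port)

# Factor weights for the match vector: an assumption of this example; the page
# gives none, but its DNS example assigns about 70% to system/software identity.
WEIGHTS = {"system": 0.3, "software": 0.4, "port": 0.2, "unpatched": 0.1}


@dataclass
class EarlyWarning:
    name: str
    systems: Set[str]    # affected system versions (empty: not specified)
    software: Set[str]   # affected software versions (empty: not specified)
    ports: Set[Port]     # inbound access the threat relies on (empty: not network-driven)
    patches: Set[str]    # patches that fix it (empty: none known)


@dataclass
class Asset:
    name: str
    system: str
    software: Set[str]
    patches: Set[str]
    open_ports: Set[Port]
    value: int           # asset value, 1..5


@dataclass
class Network:
    name: str
    level: int           # protection level, 1..5
    assets: List[Asset]
    inbound: Optional[Set[Port]]  # (proto, port) the border firewall admits; None: no firewall
    children: List["Network"] = field(default_factory=list)    # subordinate networks
    neighbours: List["Network"] = field(default_factory=list)  # adjacent networks


def firewall_accepts(w: EarlyWarning, effective: Optional[Set[Port]]) -> bool:
    """Step 2): does the effective border policy admit the warned access?"""
    return not w.ports or effective is None or bool(w.ports & effective)


def match_vector(w: EarlyWarning, a: Asset) -> Dict[str, int]:
    """Step 3): one 0/1 entry per factor. A factor the warning leaves unspecified
    scores 0, as in the page's DNS example where the missing software/version
    lowers the possibility."""
    system = int(a.system in w.systems)
    software = int(bool(a.software & w.software))
    port = int(bool(a.open_ports & w.ports))
    # a missing patch only counts once the asset is identified as a target
    unpatched = int(bool(w.patches) and bool(system or software) and not (a.patches & w.patches))
    return {"system": system, "software": software, "port": port, "unpatched": unpatched}


def possibility(vec: Dict[str, int]) -> float:
    return sum(WEIGHTS[k] * v for k, v in vec.items())


def network_forecast(w: EarlyWarning, net: Network) -> float:
    """Step 4), assumed formula: asset-value-weighted mean possibility over the
    affected assets, scaled to 0..100; assets with possibility 0 are ignored."""
    scored = [(possibility(match_vector(w, a)), a.value) for a in net.assets]
    hits = [(p, v) for p, v in scored if p > 0]
    return 100.0 * sum(p * v for p, v in hits) / sum(v for _, v in hits) if hits else 0.0


def analyze(top: Network, w: EarlyWarning) -> Dict[str, float]:
    """Steps 1), 2), 5): walk from the top-level network. A subordinate network is
    filtered jointly with its superior's policy; a neighbour is not."""
    results, seen, queue = {}, set(), [(top, None)]
    while queue:
        net, superior = queue.pop(0)
        if net.name in seen:
            continue
        seen.add(net.name)
        if net.inbound is None:
            effective = superior
        elif superior is None:
            effective = net.inbound
        else:
            effective = net.inbound & superior
        results[net.name] = network_forecast(w, net) if firewall_accepts(w, effective) else 0.0
        queue += [(n, superior) for n in net.neighbours] + [(c, effective) for c in net.children]
    return results


def overall_forecast(results: Dict[str, float], nets: List[Network]) -> float:
    """Step 6), assumed formula: protection-level-weighted mean of the non-zero forecasts."""
    hit = [(results[n.name], n.level) for n in nets if results.get(n.name, 0.0) > 0]
    return sum(f * l for f, l in hit) / sum(l for _, l in hit) if hit else 0.0


def build_scenario() -> Tuple[Network, List[Network]]:
    """Constructed scenario, loosely modelled on the page's A/B/C example but scaled down."""
    dns = lambda n, v: Asset(n, "linux", {"bind9"}, set(), {("udp", 53), ("tcp", 22)}, v)
    a = Network("A", 2, [dns("dns1", 1), dns("dns2", 2), dns("dns3", 4), dns("dns4", 4),
                         Asset("web1", "linux", {"nginx"}, set(), {("tcp", 80)}, 2)],
                inbound={("udp", 53), ("tcp", 22), ("tcp", 80)})
    b = Network("B", 2, [Asset("win1", "windows7", {"ie8"}, set(), {("tcp", 445)}, 2),
                         Asset("win2", "windows7", {"ie8"}, {"MS2013-21"}, {("tcp", 445)}, 2),
                         Asset("win3", "windows7", {"ie9"}, set(), {("tcp", 445)}, 2)],
                inbound={("tcp", 80)})
    c = Network("C", 3, [Asset("db1", "linux", {"mysql"}, set(), {("tcp", 3306), ("tcp", 22)}, 4),
                         dns("dns5", 4)], inbound={("tcp", 22)})  # A<->C only via port 22
    a.neighbours, a.children = [b], [c]
    return a, [a, b, c]


IE_WARNING = EarlyWarning("IE cumulative update", {"windows7"}, {"ie8", "ie9", "ie10"}, set(), {"MS2013-21"})
DNS_DOS_WARNING = EarlyWarning("DNS denial of service", set(), set(), {("udp", 53)}, set())

if __name__ == "__main__":
    top, nets = build_scenario()
    for w in (IE_WARNING, DNS_DOS_WARNING):
        r = analyze(top, w)
        print(w.name, {k: round(v, 1) for k, v in r.items()}, round(overall_forecast(r, nets), 1))
```

Two effects from the text show up directly in the output: the IE warning carries no network access, so it passes every border and only the Windows terminals in B contribute, while the DNS denial-of-service warning is stopped at B's border (no udp/53 admitted) and at C's border (the joint policy with A leaves only tcp/22), so C's DNS server is ignored even though its features match. Because the network forecast averages only the affected assets, B's score is not diluted by the many unaffected hosts elsewhere, which is the third effect the conclusion claims.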
5. Conclusion
The main effects of this method are as follows:
1. Security threats and risks can be assessed from the relevant early warning information
2. By combining the topology and the border firewall policies, the risks that an early warning may involve can be screened, reducing the false alarm rate.
3. In predicting and analysing the risk situation of each network and of the whole, only the affected information assets are considered, which effectively reduces the problem of the risk forecast value being too low when an early warning involves only a small number of assets in the network.