In order to improve a network' 8 total security, a novel method of constituting security policy based on attack graphs is presented. Firstly, it divides the total network into different areas, and uses the parallel and processing technology to constitute attack graphs; Secondly, it uses the overall attack graph to identify the network vulnerabilities' dependencies and the resulting potential threat; Finally, it combines the attack graph with the genetic algorithm to establish the corresponding mathematical model, so as to transform the constitution of a security policy into a non-restraint optimization problem with penalty to guarantee the network security with the least cost. The experimental results show that this method can improve the efficiency of attack graphs' generation and reduce the system' s resource consumption greatly. The proposed method can help network security managers guard networks and can be used to assess large-scale networks' overall security.%为了提高网络的整体安全性,提出了基于攻击图的网络安全策略制定方法.该方法首先从分布并行处理角度将不同区域的目标网络进行脆弱性分析任务划分,采用分布并行处理技术进行攻击图构建;其次,利用生成的全局攻击图识别目标网络中存在的脆弱性之间的关系,以及由此产生的潜在威胁;最后,将攻击图与遗传算法相结合,建立相应的数学模型,把安全策略的制定问题转化为带有惩罚的非约束优化问题,以最小的成本保证目标网络的安全.实验结果表明,该方法具有较高的攻击图生成效率,并且降低了攻击图生成时的系统资源消耗.该方法可以帮助网络安全管理人员有针对性地进行安全防护,能够适用于评估大规模复杂网络系统的整体安全性.
展开▼
