KR100450209B1 - System And Method For Diagnosing Vulnerability In Network - Google Patents

Abstract

The present invention relates to a system and method for diagnosing network vulnerabilities, and more particularly, to a system and method for diagnosing network vulnerabilities for diagnosing vulnerabilities of a host model using vulnerability expressions in a network.

In the present invention, by constructing an attacker model and selecting the next attack based on the state change of the network due to the attack, it is possible to establish the precedent relationship of the attack and to select it variably. By conducting tests, it is possible to diagnose vulnerabilities on non-existing network structures without affecting the function and performance of the network, and it is possible to generate an attack at various time periods and to view the response of the network, so that the security management level or cycle It is possible to diagnose the vulnerability.

Description

System and Method For Diagnosing Vulnerability In Network}

The present invention relates to a system and method for diagnosing network vulnerabilities, and more particularly, to a system and method for diagnosing network vulnerabilities for diagnosing vulnerabilities of a host model using vulnerability expressions in a network.

Recently, due to the diversification of hacking techniques and the increasing threat of cyber terrorism, there is increasing interest in research and policy enactment to protect the main services and systems that provide services based on national telecommunications. In this regard, the first thing to do is to diagnose the security weaknesses of the information and communication infrastructure. When these diagnoses are made correctly, it is possible to cope with the threat by defining a defense mechanism against vulnerabilities that are latent in the information and communication infrastructure. For the most recent vulnerability diagnosis, scanning-based vulnerability analysis method or penetration test method through hacking expert was used. Each method has its advantages, but there are some problems to be solved.

First, in the scanning-based vulnerability analysis method, it is difficult to find out the status change or damage situation of the network due to successive attacks. Vulnerability analysis using this method takes the form of generating a specified attack and does not define the relationship between the attack and the subsequent attack that can be performed after the attack is successful. This is a problem caused by not considering the state change after the successful attack of the target system. In addition, the penetration test method through the expert has a problem that the result also has a variable because of the variability of the expert's experience or knowledge.

Second, since both the scanning-based vulnerability analysis method and the expert penetration test method perform vulnerability analysis on a real system, the execution of an attack for vulnerability analysis may cause problems or degrade performance in an information communication network. There is a problem that can be. In particular, due to the nature of the information and communication infrastructure, it may be more problematic because a lot of damage can occur when its essential services are interrupted.

Third, both the scanning-based vulnerability analysis method and the expert penetration test method have a problem that vulnerability analysis cannot be performed on a network structure that does not exist. It may be necessary to analyze the vulnerability of the network to be designed in the future, and it may be necessary to analyze the vulnerability of the changed network structure when the design of the existing network is changed, but there is a problem that the prediction is very difficult.

Fourth, the scanning-based vulnerability analysis method can only analyze the network state at the present time, and there is a problem in that it is not possible to specify a difference in a diagnosis result about a change in the defense mechanism applied to the network after the attack is recognized. In particular, the diagnosis result may vary according to the management level or the management cycle of the information and communication-based security manager. In order to present the diagnosis result in consideration of this, there is a problem that the diagnosis should be performed at various times based on the current security management situation. .

In order to solve the problems as described above, an object of the present invention is to build the attacker model to select the next attack based on the change of network state due to the attack, it is possible to establish the preceding and subsequent relationship of the attack and to select it variably To make it possible.

Another object of the present invention is to perform an attack and a test on a model of the network to be evaluated, so as not to affect the function and performance of the network and to diagnose a vulnerability for an existing network structure.

Still another object of the present invention is to enable an attack at various time slots and to view the response thereof, thereby enabling vulnerability diagnosis according to security management level or cycle.

1 is a table showing the theorem of states, inputs and relational operators according to AV types.

2 illustrates a state and state transition example scenario of a FreeBSD regression vulnerability.

3 is a diagram illustrating a host vulnerability model included in a network vulnerability diagnosis system according to an embodiment of the present invention.

FIG. 4 is a view showing the AV list structure of the AV list unit in FIG. 3; FIG.

FIG. 5 is a view showing an AV configuration in FIG. 4; FIG.

FIG. 6 is a diagram showing a CV configuration of a CV list unit in FIG. 3; FIG.

7 is a diagram showing a mapping relationship between a CV and an AV.

8 is a flowchart illustrating a network vulnerability diagnosis method according to an embodiment of the present invention.

9 is a flowchart illustrating a vulnerability diagnosis method by simulation of a network vulnerability diagnosis system according to another embodiment of the present invention.

10 is a view showing an initial screen of a simulation program to which the present invention is applied.

11 illustrates menus used in host-based simulations.

12 is a diagram illustrating a window for initialization setting of a host security model.

13 is a diagram showing a window for initialization setting of a host vulnerability model.

14 shows a window for initialization setting of a security system model.

15 shows a window for initializing an attacker model.

16 shows a host-based simulation execution screen.

17 is a view showing a host-based simulation execution result analysis screen.

18 is a diagram showing solution information of a host model.

Explanation of symbols on the main parts of the drawings

10: host characteristic unit 20: protocol buffer unit

30: CV list part 40: AV list part

41: system AV list block 42: service AV list block

50: vulnerability DB 60: inference mechanism

70: evaluation method unit 80: security manager interface unit

In order to solve the above object, the network vulnerability diagnosis system of the present invention analyzes the vulnerabilities present in the network to express the vulnerability of the host model and analyzes the expression of the corresponding vulnerability to diagnose the vulnerability of the corresponding host model. The host vulnerability model includes: a host characteristic unit representing a characteristic of the host model; A protocol buffer unit for receiving the attack packet, storing the predetermined time, and outputting the attack packet; A CV list unit for expressing complex vulnerabilities (CVs) of the host model; An AV list unit for constructing the compound vulnerabilities and expressing unit vulnerabilities (AV) of the host model; A vulnerability DB for storing the compound vulnerability and the unit vulnerability for the host model; The overall control of the analysis and diagnosis of the vulnerability of the host model to take a combination of the vulnerability of the host model in the vulnerability database using the combination of the host model characteristics to obtain the CV list of the host model in the CV list unit An inference mechanism unit configured to construct unit AVs of the host model in the AV list unit by taking unit vulnerabilities constituting the complex vulnerabilities from the vulnerability DB; An evaluation method unit for determining whether a unit vulnerability of the AV list unit has been exploited by the attack packet and transferring a result value to the CV list unit to determine whether a complex vulnerability to which the unit vulnerability belongs is exploited by the attack packet; And a security manager interface unit for reporting a vulnerability diagnosis result of the host model to the security manager.

The network vulnerability diagnosis method of the present invention includes the steps of extracting CVs of the corresponding host model using a combination of host model characteristics; Adding the extracted CVs to a CV list and extracting an AV ID by analyzing a vulnerability expression of an AV of the corresponding CV; Extracting an AV of the host model using the extracted AV ID; Adding the extracted AV to a system AV list or a service AV list according to the characteristics of the AV; Analyzing the CV and AV to diagnose the vulnerability of the host model, and removes the CV and AV, characterized in that it comprises a process for securing the vulnerability of the network.

In addition, the network vulnerability diagnosis method of the present invention comprises the steps of setting the host-based simulation by initializing the host model, security system model and attacker model; Executing the set host-based simulation to cause the attacker model to attack the host model; And analyzing the host-based simulation execution result to diagnose the vulnerability of the network.

Hereinafter, an embodiment of the present invention will be described in detail with reference to the accompanying drawings.

First, a network vulnerability diagnosis system according to an embodiment of the present invention will be described.

Network vulnerability diagnosis system according to an embodiment of the present invention comprises a host vulnerability model, the host vulnerability model to analyze the vulnerability in the network to express the vulnerability of the host model and to analyze the corresponding expression of the corresponding host model Diagnose vulnerabilities

Hereinafter, the concept of AV (Atomic Vulnerability) which is a unit vulnerability used in the present invention will be described.

The AV refers to the smallest unit of vulnerability, and since AV is an independent concept in itself, the same AV may appear in different vulnerabilities. Therefore, it classifies AV into categories to systematically define AV, and expresses one vulnerability as a logical combination (Vul_Expression) rather than simply a set of AVs.

First, the components of the AV will be described.

One AV is defined by the following components.

AV = {Type, Category, Input, Initial State, Final State}

Here, the type = {Fact, Non-Probability, Probability}, and the category = {Generic, Application-specific, System-specific} And the input = {an input that causes a significant state transition from a security standpoint}, and the initial state = {None, Normal, named specific state}, and the final state = {Normal, Named specific state}.

The following describes the state and state transition of the AV.

The state and state transition of the AV are defined by three components: input, initial state, and final state, and the definition of state and input has a close relationship with future usage directions. In the simulation using the vulnerability data analyzed using the AV, modeling is performed at a conceptual level that defines a state and a state transition function that are important from a security point of view. Therefore, states and inputs are defined as important states and inputs from a security point of view. do. This input can be the actual command executed on Unix (export BRUEXECLOG = / etc / passwd), but mostly has a formal abstract representation format (lpd [file begin with \ "cf \" and execute command]).

Hereinafter, the vulnerability expression (Vul_Expression) of the AV will be described.

In order to constitute one vulnerability, the AV has an AND relationship, an OR relationship, a POR relationship, a SAND relationship, and a complex type relationship. Can have

Here, the AV is said to have a value that the AV is true when the vulnerability is exposed by the input, and the AND relationship (AND) represents a vulnerability that is exploited only when all AVs are true. The OR relationship (OR) is used to express a vulnerability that can be exploited if any one of each AV is true, and the POR relationship (POR) expresses a vulnerability that can be exploited if any one of each AV is true. In this case, each AV has a weight and quantifies how vulnerable the system is to the vulnerability, and the SAND relationship is used to express a vulnerability that must be exploited only when each AV is sequentially true. The complex type relationship is a form in which the AND, OR, POR and SAND relationships are complex.

In this case, the principle applied when the POR relationship is used for the complex type relationship will be described.

Explaining the first principle, in the case of "A # 60 POR (B OR C) # 40", AV B and C are in an OR relationship, and the result thereof is represented by 1 or 0. If it is 1, a POR operation must be performed between A and (B OR C), and for this, an effective value for (B OR C) must be defined.

To explain the second principle, in the case of "A OR (B # 50 POR C # 50)", AV B and C produce a value between 0 and 1 in the POR relationship, but using the result of A and OR Since the operation must be performed, the result of B POR C should be 1 or 0. In this case, if the reference value is exceeded based on a specific reference value (0.5), 1 is considered to be 0 otherwise. The reference value is variable. It depends on the vulnerability.

The above two principles apply equally to other relational operators.

For example, when the logical combination of AV is "A # 30 POR B # 30 POR C # 40", if the valid value of A is 10, the valid value of B is 20, and the valid value of C is 30, B is AV. The vulnerability index of a system with a value of and C is true (30 + 40) / (30 + 30 + 40). In this case, a vulnerability index of 0 means that the vulnerability is non-vulnerable, and a vulnerability index of 1 means 100% exploitation.

In addition, possible states, inputs, and relational operators according to the AV type are defined as shown in FIG. 1. 1 is a table showing the theorem of states, inputs, and relational operators according to AV types.

Hereinafter, the state and state transition of the AV will be described with reference to FIG. 2.

2 is a diagram illustrating a state and a state transition example scenario of a FreeBSD libedit vulnerability.

If the example is given as "Current Directory Vulnerability to FreeBSD Revive .editrc (CVE-2000-0595)", this vulnerability is fixed in FreeBSD 4.0, 3.4, 3.3, 3.2, 3.1, 3.0 and "/. For rebates that are statically or dynamically linked with applications such as "usr / sbin / nslookup" or "/ usr / bin / ftp". The rebates look for ".editrc" files in the current directory, not in the user's home directory. This allows local users to execute arbitrary commands created in the ".editrc" file.

Hereinafter, the category of the AV will be described with an example.

In the first example, "C1_AV_1. (NonChkParaLen)" is a buffer when "Buffer Overflow vulnerabilities belong to the general category because they can occur in any application or operating system (Kernel)." "C1_AV_2. (NonChkParaCon)" indicates that the input data to be copied is not checked, and "C1_AV_3. (EnabledAltRetAddr)" indicates that the input data is not checked by the programmer. Address), the logical combination of the buffer overflow vulnerability may be expressed as "NonChkParaLen AND NonChkParaCon AND EnabledAltRetAddr".

In the second example, "Sendmail exploits using forward files can be analyzed as AVs corresponding to specific applications called forward mails and as two system specific AVs coming from the NFS file system. "C2_AV_1. (SendmailForwardingEnabled)" indicates that the forwarding mail program executes Mail Forwarding with reference to ".forward", and "C2_AV_2. (ExploitTheForwardingFunc)" indicates that the mail is from outside. "C3_AV_1." (SysUserHomeWldWritable) "Indicates that the user's home directory (Home_directory) is world-writable," C3_AV_2. (Write.forwardFileInHomeDir) "indicates that the system has transitioned to an abnormal state. Indicating that it updates the ".forward" file in the home directory of the file, the logical combination of the forwarding mail vulnerability is "(SendmailForwardingEnabled AND SysUserHomeWldWritable) SAND ExploitTheForwardingFun c SAND Write.forwardFileInHomeDir ".

The use of the AV concept in host vulnerability modeling is described below.

The network vulnerability diagnosis system according to an embodiment of the present invention includes a host vulnerability model, which will be described with reference to FIG. 3.

3 is a diagram illustrating a host vulnerability model included in a network vulnerability diagnosis system according to an embodiment of the present invention.

The host vulnerability model includes a host characteristics (10), a protocol buffer (20), a CV (compound vulnerability list) (CV) 30, and an AV list (AV). 40), a vulnerability database (DB) 50, an inference engine 60, an evaluation method 70, and a security manager interface 80.

Here, the host characteristic unit 10 expresses the characteristics of the host model, and the protocol buffer unit 20 receives the attack packet and stores it for a predetermined time and then outputs the buffer resource of the host model. The CV list unit 30 expresses compound vulnerabilities (CV) of the host model, and the AV list unit 40 constitutes the compound vulnerabilities (CVs). Represents AV (Atomic Vulnerability), the vulnerability DB (50) stores the compound vulnerability (CV) and unit vulnerability (AV) for the host model, the inference mechanism unit 60 is vulnerable to the vulnerability of the host model General control of the analysis and diagnosis of the host model using the combination of the host model characteristics to determine the complex vulnerabilities (CV) of the host model in the vulnerability database (50) And the unit list vulnerabilities (AV) constituting the CV list of the host model in the CV list unit 30 and constituting the compound vulnerabilities (CVs) from the vulnerability DB 50 and corresponding in the AV list unit 40. An AV list of a host model is constructed, and the evaluation method unit 70 determines whether the unit vulnerability (AV) of the AV list unit 40 has been exploited by the attack packet, and determines a result value of the AV list. ) To check whether the compound vulnerability (CV) to which the corresponding unit vulnerability (AV) belongs is exploited by the attack packet, and the security manager interface unit (80) transmits the security diagnosis result of the host model to the security manager. Report to

Hereinafter, the host characteristic unit 10 will be described.

The host characteristic unit 10 includes a hardware platform 11, an operating system (OS) 12, and a service application (Application List) 13, wherein the hardware platform 11 includes the host. By specifying the hardware characteristics of the model, the hardware name (Name) and the vendor (Vender) information is determined, and the operating system 12 specifies the information about the operating system (Operation System) operating in the host model In this case, the name of the operating system to be used, the version (Version) and information of the seller is determined, and the service application 13 specifies the services provided by the host model, since most hosts provide one or more services. It organizes and manages the services provided by the host model in a list. It establishes the name and version information of the service application. Here, the characteristics of the host model are composed of a combination of the hardware platform 11, the operating system 12, and the service application 13. That is, the characteristics of the host model are the types of hardware in which the host model is configured and operated. Identify what the operating system is and what service applications it provides.

The reasoning mechanism 60 is described below.

The reasoning mechanism 60 controls the analysis and diagnosis of the vulnerability of the host model as a whole, and brings the CVs of the host model in the vulnerability DB 50 by using the combination of the host model characteristics. At 30, the CV list of the host model is constructed. Specifically, the combination of the host model characteristics is composed of an operating system name OS_name, an operating system version OS_version, a hardware platform, a service application name App_name, and a service application version App_version.

And, since one CV is composed of a plurality of AVs, the inference mechanism unit 60 takes AVs constituting the CVs of the host model from the vulnerability DB 50, and the AV list unit 40 of the host model. Construct an AV list.

Hereinafter, the expression of vulnerability in the host vulnerability model will be described.

The vulnerabilities of the host model are managed in a list form within the host vulnerability model, and constitute the most important component of the host vulnerability model.

As described above, the vulnerability of the host model is composed of the CV list of the CV list unit 30 and the AV list of the AV list unit 40, the CV list is a set of CVs, the AV list is AV And AV is a component constituting the CV and represents one unit of security vulnerabilities.

First, the unit vulnerability (AV) of the host model will be described, and next, the compound vulnerability (CV) of the host model will be described.

First, the AV list unit 40 will be described with reference to FIGS. 3 and 4.

FIG. 4 is a diagram showing the AV list structure of the AV list unit 40 in FIG.

The AV list unit 40 is used to express vulnerability information of the host model, and includes a system AV list block (System_Vul List) 41 and a service AV list block (APP_Vul List) 42. That is, a plurality of AVs exist in the host vulnerability model, and the host vulnerability model divides and manages the plurality of AVs into two types in consideration of their characteristics.

Specifically, the system AV list block 41 includes a system AV list that collects AVs generated in association with system characteristics of the host model, and AVs in the system AV list block 41 are assigned to the host. These are AVs caused by the hardware characteristics of the model or by the operating system used in the host model. On the other hand, the service AV list block 42 includes a service AV list that collects the AVs generated by the services provided by the host model, and the AVs in the service AV list block 42 are service applications. Are AV dependent.

Hereinafter, an AV constituting the system AV list block 41 and the service AV list block 42 will be described with reference to FIG. 5.

FIG. 5 is a diagram illustrating an AV configuration in FIG. 4.

The AV specifies the most basic unit vulnerability among the vulnerabilities of the host model, and includes an AV ID field (AV_ID), an AV name field (AV_Name), an AV type field (Type), an input field (Input), and an initial state. Field (Init_State) and final state field (Final_State), wherein the AV ID field is a unique identifier for distinguishing the AV, the AV name field indicates the name of the AV, and the AV type field is the AV Wherein the input field specifies an input value for exposing the AV, the initial state field indicates a state before an attack is made by the input value, and the final state field is The state after the attack is successfully performed by the input of the AV in the initial state is shown. In this case, the AV ID field is an integer, and the AV name field, AV type field, input field, initial state field, and final state field are strings.

In addition, the evaluation method unit 70 determines whether the AV has been exploited by the attack packet, and reports whether an attack input capable of exploiting the AV is included in the attack data in the attack packet and returns a result value. The return value is passed to the CV to which the AV belongs and the CV uses the return value of the AV to determine whether the CV has been exploited by an attack packet.

Hereinafter, an operation of analyzing and removing the vulnerability of the host model using the AV list in the host vulnerability model will be described.

As shown in FIG. 4, if the host vulnerability model manages AVs among the vulnerabilities of the host model, the AV is divided into a system AV list that is a system-dependent set and a service AV list that is a service-dependent set. The set of AV vulnerabilities caused by configuration or operating system problems can be identified through the system AV list, and the vulnerabilities of the overall host model can be reduced by removing the identified AVs.

In addition, the set of AV vulnerabilities caused by the services provided by the host model can be identified through the service AV list, and the vulnerabilities of the overall host model can be reduced by removing the identified AVs.

As described above, by analyzing the vulnerability of the host model divided into AV to configure for each host model, by observing and analyzing the vulnerabilities of the host model can reduce the overall vulnerability of the network host model. From this point of view, the approach itself is significant in expressing vulnerabilities of network host models using AV, and analyzing and dividing AV into system dependent sets and service dependent sets provided by the host model.

Hereinafter, compound vulnerability (CV) of the host model will be described.

First, the CV list unit 30 will be described.

The vulnerabilities present in the host model are configured according to the characteristics of the host model, and the CV list unit 30 extracts the CV vulnerabilities of the host model from the vulnerability DB 50 using the characteristics of the host model. . That is, the CV list unit 30 configures the CVs of the host model using the vulnerability DB information and manages them in the form of a CV list. At this time, there are a large number of vulnerability CVs present in the host model, some of which are dependent on the services provided by the host model, and others are dependent on the hardware characteristics of the host model or the characteristics of the operating system. Are vulnerabilities that exist.

Hereinafter, the CV which comprises the CV list part 30 is demonstrated with reference to FIG.

FIG. 6 is a diagram illustrating a CV configuration of the CV list unit 30 in FIG. 3.

The CV exists in the host model and is composed of a CV ID field (CV_ID), a CV name field (CV_Name), an AV vulnerability expression field (Vul_Expression), a state field (State), and an AV pointer information field (refAtomicVul). The CV ID field is a unique identifier for distinguishing the CV, the CV name field represents the name of the CV, the vulnerability expression field of the AV represents a relational expression of AVs constituting the CV, and the status field is The AV pointer information field indicates the current state of the CV, and the AV pointer information field indicates pointer information of an AV in which AVs constituting the CV are located. In this case, the CV ID field, the CV name field, the vulnerability expression field and the state field of the AV are strings, and the AV pointer information field is an array of AV objects (Array Integer Of AtomicVulObj).

Here, the relationship between the AVs constituting the CV is expressed in the form of a formula for defining the relationship between the CV and the AV called a vulnerability expression, and the AV constituting the CV is as described above in the AV configuration. In the AV list, the system AV list and the service AV list are present. The CV has only pointer information on where the AV exists. This is to prevent duplicate AVs from appearing in the host vulnerability model because a single AV can be a component of a plurality of CVs. That is, one CV is composed of a plurality of AVs, on the other hand, one AV constitutes a plurality of CVs.

Then, the evaluation method unit 70 checks the state information of the CV, that is, whether it has been exploited, and the AV list unit 40 constituting the CV in order to determine the state of the CV by the attack packet. The attack packet is applied to the AVs in the terminal to receive each state change value to determine the state of the CV in the CV list unit 30. In particular, by using the state change value of the AV to find out the calculated value of the vulnerability representation of the AV. The AV pointer information, which is one of the components of the CV, has a pointer to the AVs constituting the CV. The pointer is used to call an attack packet of the AV constituting the CV. Get a value.

Hereinafter, an operation of analyzing and removing the vulnerability of the host model using the CV list in the host vulnerability model will be described.

The CV list configured in the host vulnerability model may be used to analyze vulnerabilities existing in the network host model. That is, in the host vulnerability model, various hardware platforms may be selected for the host model, various operating systems operating on the selected hardware platform, and various services of the host model may be applied according to the selected hardware platform and operating system. Observe and analyze the CV list of vulnerabilities that appear in the case to analyze the distribution of vulnerabilities according to the composition of each network host model. Based on the data, based on the analysis data obtained through the security manager interface unit 80, the security manager may set configuration hardware and an operating system of host models existing on the network, and services provided by each host.

Hereinafter, the mapping relationship between the CV and the AV will be described with reference to FIG. 7.

7 is a diagram illustrating a mapping relationship between a CV and an AV.

A plurality of AVs constituting a CV are defined in an AV representation of a CV, that is, a vulnerability expression (Vul_Expression). When analyzing the mapping relationship between the CV and the AV based on a relation defined in the vulnerability representation of the corresponding AV, As shown in FIG. 7, there are a plurality of AVs constituting one CV, and conversely, one AV becomes an element of a plurality of CV configurations. In the host vulnerability model, this relationship is defined in the AV representation of the CV. The CV list is composed of a plurality of CV objects (Comp_Vul_Obj), and each CV object has pointer information (Atom_Obj_Ref) for the AV objects constituting the CV object. ), The actual AV object (Atom_Obj) will be in the AV list of the host vulnerability model. This structure is intended to avoid duplicating the AVs that make up the CV in the host vulnerability model.

In the host vulnerability model, CVs present in the host vulnerability model are determined according to characteristics of the operating system, hardware platform, and services provided by the host model. The AV is determined by this. In the mapping relationship between the AV and the CV, as shown in FIG. 7, several AVs constitute one CV. In addition, one AV exists in multiple CVs. This association is an important factor in analyzing the vulnerability of the host model. By removing one AV present in the host vulnerability model, multiple CVs configured using the removed AV are removed in the host model. On the contrary, the number of CVs caused by one more AV can be generated. Analyzing the relationship between the AV and the CV, and using it in the construction of the actual network host model, not only can the vulnerabilities existing inside the host model be eliminated, but also the potential existing in the host model through the above-described AV vulnerability description. You can extract CVs. That is, by dividing the vulnerabilities existing in the network host model into AV and CV, each is organized into a list, and in the case of the AV, the system is divided into a system AV list and a service AV list according to the characteristics of the AV, thereby managing the network host model. Analysis of existing vulnerabilities can be done more efficiently and systematically.

Hereinafter, a network vulnerability diagnosis method according to an embodiment of the present invention will be described with reference to FIG. 8.

8 is a flowchart illustrating a network vulnerability diagnosis method according to an embodiment of the present invention.

All of the vulnerabilities of the host model are based on the vulnerability DB 50. In the host vulnerability model, the inference mechanism unit 60 extracts CV and AV, which are vulnerabilities of the host model, by using a combination of the host model characteristics. That is, the inference mechanism unit 60 uses the combination of operating system name, operating system version, hardware platform, and services provided, that is, a combination of host model characteristics, to specify the characteristics of the host model. Extracting from the DB 50 (S801), adding the extracted CVs to the CV list of the CV list unit 30 (S802), and extracting the AV ID by analyzing the vulnerability expression of the AV of the CV (S803). .

In addition, the inference mechanism unit 60 extracts the AV from the vulnerability DB 50 using the extracted AV ID (S804), and extracts the extracted AV to the characteristics of the corresponding AV in the AV list unit 40. Therefore, it is added to the system AV list of the system AV list block 41 or to the service AV list of the service AV list block 42 (S805).

Accordingly, the inference mechanism unit 60 analyzes the CV and the AV to diagnose the vulnerability of the host model (S806), and removes the CV and the AV to secure the network's vulnerability (S807).

Hereinafter, a vulnerability diagnosis method by simulation of a network vulnerability diagnosis system according to another embodiment of the present invention will be described with reference to FIG. 9.

9 is a flowchart illustrating a vulnerability diagnosis method by simulation of a network vulnerability diagnosis system according to another embodiment of the present invention.

In the vulnerability diagnosis method by simulation of a network vulnerability diagnosis system according to another embodiment of the present invention, a host-based simulation is set by initializing a host model, a security system model, and an attacker model (S901), and executing the set host-based simulation by The attacker model attacks the host model (S902), and analyzes the host-based simulation execution result to diagnose the vulnerability of the network (S903).

First, a simulation program to which the present invention is applied will be described with reference to FIG. 10.

10 is a diagram illustrating an initial screen of a simulation program to which the present invention is applied.

As shown in FIG. 10, a menu of a simulation program to which the present invention is applied includes an initialize menu, a host-based simulation menu, a network-based simulation menu, a display. Consists of a menu and an analysis menu.

The initialization menu has a function of loading a network to be evaluated and a menu for terminating a program. The host-based simulation menu performs simulation of an attack against a host, and the network-based simulation menu is configured for a network. Perform the relevant simulation.

The host-based and network-based simulations are divided into two types of attacks because the two types of attacks are different from each other. In other words, the floating type attacks change the properties of the system based on network traffic regardless of the contents of the data. Although the interval between each input is very small, in case of command-based attack, the state of the system can be changed based on the contents of the attack input, and the interval between each input and the input proceeds with sufficient time. These two simulation methods are difficult to run on one time axis.

In addition, the display menu includes a menu for viewing packet information in the simulation and a menu for adjusting animation speed of the packet, and the analysis menu is a menu for presenting a result of analyzing a simulation execution result.

10 is a view after the network loading of the initialization menu after executing the simulation program to which the present invention is applied, the shape and the attacker position of the attack has not yet been determined. Once the type of attack has been determined, that is, either the host type simulation or the network based simulation is used to set up the attacker's model and execute the attack. The following describes a case where the host-based simulation is set as the attack type.

Hereinafter, the host-based simulation setting process (S901) will be described.

First, the host-based simulation initial menu setting will be described with reference to FIG. 11.

11 is a diagram illustrating a menu used in a host-based simulation.

As shown in FIG. 11, the menu used in the host-based simulation includes an attack setting menu for setting an attacker's properties, an attacker model to generate an attack packet to execute the attack, and to start the host-based simulation. There is a Restart menu, a Pause menu to pause the simulation, and a Stop menu to end the simulation. A process (S101) of setting a host-based simulation using the menus will be described.

The initialization of the host model will be described below.

First, the initialization of the host security model will be described with reference to FIG. 12.

12 is a diagram illustrating a window for initialization setting of a host security model.

The host security model consists of a user authentication model (Authen) and a network access control model (Netsec). The initial values of the two models are set through a window as shown in FIG. That is, the host security model applies host-based access restriction and user authentication based on initial values of the user authentication model and the network access control model.

First, an initial value setting procedure for a user authentication model of the host security model will be described.

In order to authenticate a user, enter ID and password and add it. At this time, the user determines whether to use a shadow password (Shadow passwd), whether to use a special character (Special Character) and whether or not to use a one-time password (OPT; One Time Passwd). It also determines whether the user is a trusted host, sets the IP address of the trusted host, and enters information about how long the user's password is valid. Finally, you decide whether to allow the use of dictionary words in the user's password, and enter the dictionary words that should not be used. As described above, information is input to set an initialization value of a model related to user authentication used in the host security model.

Next, an initial value setting procedure for the network access control model of the host security model will be described.

To perform network access control used in the host security model, first enter the port information, protocol information and service information of the network system of the host model that allows access from the host model. . Also, to execute access control based on port and IP address, input the IP address and port information to allow access, and enter the IP address and port information to not allow access.

Hereinafter, the initialization of the host vulnerability model will be described with reference to FIG. 13.

13 is a diagram illustrating a window for initializing a host vulnerability model.

The host vulnerability model consists of setting the hardware characteristics of the host model (HW Platform), operating system (OS) characteristics, and information on services provided by the host model.

First, the setting of the operating system of the host model consists of inputting the name of the operating system (OS Name) and version (OS Version) to be used, the hardware characteristics of the host model is the name of the hardware constituting the host model ( HW Name) and set the HW Purpose for the host model to be used in the network. The address information (Network) of the host vulnerability model is the IP address (IP Addr.) Value of the host model and the subnet mask ( SubNet Mask) value. Next, enter the service name (APP Name) and service version information (APP Version) provided by the host model. After the initial setting of the host vulnerability model is completed, the host vulnerability model extracts the vulnerabilities of the host model using the property values of the host model in the vulnerability database to form a vulnerability list. The attack is based on the attacker's model based on these vulnerabilities.

Hereinafter, the initialization of the security system model will be described with reference to FIG. 14.

14 is a diagram illustrating a window for initializing a security system model.

In the security system model, filtering can be selected if desired via the parameter input window. IP filtering in static packet filtering, port filtering in static packet filtering, one of SYNNDefender Relay and SYNNDefender Gateway in Dynamic Packet Filtering, and Ten packet filtering cases may be generated by a combination of the Committed Access Rate of the dynamic packet filtering and the selection of each of the four cases.

If you check IP filtering or port filtering, you must select Default Stance. If you select Default Deny, you must enter the information to be entered in Trustworthy Information. If you selected Default Permit, enter the information to enter the Preventive Information. If you select one of the synth panda relays and the synth panda gateway, you do not need to enter anything if you select the synth panda relay. When you select the synth panda gateway, you must enter a value in the Reset Timer. . When the Committed Access Rate is selected, the traffic type to be filtered is selected and the traffic volume to be limited is inputted.

Hereinafter, the initialization of the attacker model will be described with reference to FIG. 15.

15 is a diagram illustrating a window for initializing an attacker model.

As shown in FIG. 15, the initial value setting of the attacker model includes a location for specifying the location of the attacker model, an authority in the host model where the attacker model is the target system, and a goal to attack. And, it is divided into input IP address (Target IP Address) and target IP address (Source IP Address) which set the location of attacker model.

As shown in FIG. 15, the location of the attacker model is determined by analyzing a relationship with the subnet to which the attack target host model belongs on the network, when the attacker is located in the attack target system (Local System). It can be divided into a target (Local Subnet), a host model belonging to the same network domain (Local Domain), and a host model belonging to another domain (Remote Domain). The authority of the attacker is to set the initial authority acquired by the attacker in the target system, and is divided into root authority (Root), user authority (User) and no authority other authority (Other). The objective is the attacker's right to gain by attacking the target system, i.e. the attacker's model of attack. As a goal, the attacker would like to gain root access, gain user access, gain information, and denial of service attacks against the target system. There is a Denial of Service (DoS). The address information of the attacker model includes a source IP address that determines the location of the host model to which the attacker model is located. The applied simulation program of the present invention finds a host model for the attacker model to be configured based on the source IP on the target network. The selected host model is used by the attacker model as an attacking host model to transmit attack packets generated by the attacker model. Finally, there is a target IP among the menus for setting the attacker model. The target address is the address of the host model targeted by the attacker model. The attacker model sends the attack packet using the target IP address. The attack is performed by collecting the information of the target host model and setting the attack scenario to obtain the final attack target. After the attacker model is set up through this process, select the restart menu to run the host-based simulation.

In addition, if an attacker targets a host in all subnets without selecting a host, the target IP is set to 0.0.0.0 instead of the specific host's IP address. It allows you to execute an attack. Similarly, if you select NoneScenario in the attacker setting window of FIG. 15, the attacker generates all attack packets and starts a random attack on the host model that composes every subnet in the network. Such an attack is an attacker applying all the attack methods possessed by the attacker without any special purpose and scenario for the purpose.

Hereinafter, the host-based simulation execution process (S102) will be described.

First, the host-based simulation execution screen will be described with reference to FIG. 16.

16 illustrates a host-based simulation execution screen.

As shown in Fig. 16, packets transmitted between the attacker and the host among the packets appear in a specific color, for example, red, on the screen, which indicates the attack packet. In addition, packets transmitted and received between general host models, which are not packets transmitted between an attacker and a target host, represent general normal packets and are distinguished from other specific colors on the screen, for example, blue.

Next, the display of the simulation program to which the present invention is applied will be described.

From the menu of the simulation program to which the present invention is applied, the process menu of the attack packet can be checked by selecting a process menu of the display menu. The window shown in the lower left part of FIG. 16 is a process window. This window displays the contents of the attack packet generated by the attacker and analyzes the information on how to react to the attack packets received from the security system model and the host model. In addition, the transmission time of the attack packet can be adjusted by selecting an animation time menu from the display menu. While adjusting the speed, the state change between models according to the flow of the attack packet can be observed through the process window.

Hereinafter, the host-based simulation execution result analysis and vulnerability diagnosis process (S103) will be described.

First, the host-based simulation execution result analysis will be described with reference to FIG. 17.

17 is a diagram illustrating a host-based simulation execution result analysis screen.

As shown in FIG. 17, the information displayed in the graph indicates the number of attempted attacks by the target host and the number of successful attacks in the host model, and the window shown on the screen summarizes the configuration of the hosts in the subnet And the number of times the host was attacked by the attacker (Attack Count) and the number of successful attack after the attack (Exploit Count).

Next, the solution information retrieval of the host model will be described with reference to FIG.

18 is a diagram illustrating solution information of a host model.

In the host model, solution information about vulnerabilities attacked by the attacker model can be extracted from the vulnerability database. 18 shows solution information for vulnerabilities attacked in the host model. Diagnose vulnerabilities in the host model based on the solution information.

In addition, the embodiment according to the present invention is not limited to the above-mentioned, and can be implemented by various alternatives, modifications, and changes within the scope apparent to those skilled in the art.

As described above, the present invention builds an attacker model and selects the next attack based on the state change of the network due to the attack, so that it is possible to establish a predecessor relationship of the attack and to select the variable variably. By conducting attacks and tests on the model, it is possible to diagnose vulnerabilities on non-existing network structures without affecting the function and performance of the network, and to make it possible to generate an attack at various time periods and to view the response thereof. Vulnerability diagnosis by level or cycle is possible.

Claims (8)

It analyzes the vulnerabilities in the network to express the weaknesses of the host model and analyzes the expressions of the corresponding vulnerabilities to have the host vulnerability model. The host vulnerability model is A host characteristic unit representing a characteristic of the host model; A protocol buffer unit for receiving the attack packet, storing the predetermined time, and outputting the attack packet; A CV list unit for expressing complex vulnerabilities (CVs) of the host model; An AV list unit for constructing the compound vulnerabilities and expressing unit vulnerabilities (AV) of the host model; A vulnerability DB for storing the compound vulnerability and the unit vulnerability for the host model; The overall control of the analysis and diagnosis of the vulnerability of the host model to take a combination of the vulnerability of the host model in the vulnerability database using the combination of the host model characteristics to obtain the CV list of the host model in the CV list unit An inference mechanism unit configured to construct unit AVs of the host model in the AV list unit by taking unit vulnerabilities constituting the complex vulnerabilities from the vulnerability DB; An evaluation method unit for determining whether a unit vulnerability of the AV list unit has been exploited by the attack packet and transferring a result value to the CV list unit to determine whether a complex vulnerability to which the unit vulnerability belongs is exploited by the attack packet; And a security manager interface unit for reporting a vulnerability diagnosis result of the host model to a security manager. The method of claim 1, The host characteristic unit, A hardware platform specifying hardware characteristics of the host model; An operating system for specifying information about an operating system operating in the host model; Network vulnerability diagnosis system comprising a service application that specifies the services provided by the host model. The method of claim 1, The AV list unit, A system AV list block having a system AV list collecting AVs generated in association with system characteristics of the host model; And a service AV list block having a service AV list that collects AVs generated by services provided by the host model. The method of claim 1, The AV is, To specify the most basic unit vulnerability among the vulnerabilities of the host model, An AV ID field which is a unique identifier for distinguishing the AV; An AV name field indicating a name of the AV; An AV type field which is information indicating the type of the AV; An input field specifying an input value for exposing the AV; An initial state field indicating a state before an attack is made by the input value; And a final state field indicating a state after the successful attack by the input of the AV in the initial state. The method of claim 1, CV is Composed of the AV as a composite vulnerability of the host model, A CV ID field that is a unique identifier for identifying the CV; A CV name field indicating a name of the CV; A vulnerability expression field of an AV indicating a relation of AVs constituting the CV; A status field indicating a current status of the CV; And an AV pointer information field indicating pointer information on an AV in which AVs constituting the CV are located. The method according to claim 4 or 5, The mapping relationship existing between the CV and the AV is A network vulnerability diagnosis system, characterized in that one AV constitutes a plurality of AVs and one AV constitutes a plurality of CV components. Extracting CVs of the corresponding host model using a combination of host model characteristics; Adding the extracted CVs to a CV list and extracting an AV ID by analyzing a vulnerability expression of an AV of the corresponding CV; Extracting an AV of the host model using the extracted AV ID; Adding the extracted AV to a system AV list or a service AV list according to the characteristics of the AV; Diagnosing the vulnerability of the host model by analyzing the CV and the AV, and removing the CV and the AV to secure the network's vulnerability. Initializing a host model, a security system model, and an attacker model to set up a host-based simulation; Executing the set host-based simulation to cause the attacker model to attack the host model; And analyzing the host-based simulation execution result to diagnose the vulnerability of the network.