Paper Title
Vulnerability-Aware Resilient Networks: Software Diversity-based Network Adaptation
Paper Authors
Paper Abstract
By leveraging the principle of software polyculture to ensure security in a network, we propose a vulnerability-based software diversity metric to determine how a network topology can be adapted to minimize security vulnerability while maintaining maximum network connectivity. Our proposed software diversity-based adaptation (SDA) scheme estimates a node's software diversity based on the vulnerabilities of the software packages installed on other nodes on attack paths reachable to the node, and employs it for edge adaptations. Examples include removing an edge with a neighboring node that exposes high security vulnerability, because the two connected nodes use the same software packages or the neighboring node may have high software vulnerability, and adding an edge with another node with less or no security vulnerability, because the two nodes use different software packages or have low vulnerabilities associated with them. To validate the proposed SDA scheme, we conducted extensive experiments comparing it with counterpart baseline schemes in real networks. Our simulation results proved that the proposed SDA outperforms the existing counterparts and provided insightful findings on the effectiveness and efficiency of the proposed SDA scheme under three real network topologies with vastly different network density.
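The edge adaptations described in the abstract can be sketched as follows. This is an added example, not code from the paper: the per-edge `edge_risk` score, the thresholds and the sample network are assumptions, and the score is a simplification of the paper's metric, which is estimated over attack paths rather than single edges.

```python
from collections import deque

# Constructed sample network: node -> (software package, vulnerability score 0-10).
NODES = {"a": ("os1", 9), "b": ("os1", 8), "c": ("os2", 2),
         "d": ("os3", 1), "e": ("os1", 7)}
EDGES = {("a", "b"), ("a", "c"), ("b", "c"), ("c", "d"), ("b", "e")}

def edge_risk(u, v, nodes):
    """Assumed score: mean vulnerability of both ends, doubled for a shared package."""
    (pkg_u, vul_u), (pkg_v, vul_v) = nodes[u], nodes[v]
    risk = (vul_u + vul_v) / 2
    return risk * 2 if pkg_u == pkg_v else risk

def connected(nodes, edges):
    """Breadth-first search: True when every node is reachable from the first one."""
    adj = {n: set() for n in nodes}
    for u, v in edges:
        adj[u].add(v)
        adj[v].add(u)
    start = next(iter(nodes))
    seen, queue = {start}, deque([start])
    while queue:
        for n in adj[queue.popleft()] - seen:
            seen.add(n)
            queue.append(n)
    return len(seen) == len(nodes)

def adapt(nodes, edges, remove_above=10, add_below=4.5):
    """Return (new_edges, removed, added) after one removal pass and one addition pass."""
    edges, removed, added = set(edges), [], []
    # Removal: riskiest edges first; keep any edge whose loss would split the network.
    for e in sorted(edges, key=lambda e: (-edge_risk(*e, nodes), e)):
        if edge_risk(*e, nodes) > remove_above and connected(nodes, edges - {e}):
            edges.remove(e)
            removed.append(e)
    # Addition: link non-adjacent nodes that run different packages at low risk.
    names = sorted(nodes)
    for i, u in enumerate(names):
        for v in names[i + 1:]:
            linked = (u, v) in edges or (v, u) in edges
            if not linked and nodes[u][0] != nodes[v][0] and edge_risk(u, v, nodes) < add_below:
                edges.add((u, v))
                added.append((u, v))
    return edges, removed, added

if __name__ == "__main__":
    print(adapt(NODES, EDGES))
```

On the sample network the edge between `a` and `b` is removed, while the equally homogeneous edge between `b` and `e` is kept because removing it would isolate `e`.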