Title

A Study of an Extended Attack Tree Analysis Method for Assessing Website Security Risks (original title: 延伸型攻擊樹分析法以評估網站安全風險之研究)

Parallel title (English)

Extended Attack Tree Analysis Method to Assess the Security Risks on the Website

Authors

Shin-Jer Yang (楊欣哲); Sheng-Pao Peng (彭勝寶)

Keywords

Attack Tree; Extended Attack Tree Analysis; Risk Analysis; Information Security; Web Security

Journal

資訊管理學報 (Journal of Information Management)

Volume/Issue (publication date)

Vol. 20, No. 1 (2013-01-01)

Pages

1-38

Language

Traditional Chinese

Abstract (Chinese, translated)

With the rapid development of network technology and the spread of Web applications, website systems face many kinds of intrusion, such as Trojan horse malware, DDoS attacks, and attacks on system and application vulnerabilities, all aimed at damaging the site or stealing sensitive data. Current risk assessment methods cannot effectively identify system weaknesses and attack techniques, so their results fail to show the real threat paths. This study therefore takes the attack tree as its basis and extends it to risk analysis: the attack tree is used to describe attack scenarios, and an improved threat-computation algorithm is designed that takes attack difficulty and the degree of detection and defence into account when computing the threat value of each attack combination. We call this the extended attack tree analysis method. It evaluates the impact of each threat and differs from general risk assessment in that the unit of assessment is the "threat" rather than the "asset", which remedies the weak treatment and description of threats in conventional risk analysis. Taking a website system as an example, we carry out a security threat analysis and obtain a risk grade for website security, showing that the method yields an effective risk value for the website system that a system administrator can use as a basis for information security risk assessment. Finally, we compare the extended attack tree analysis method with traditional risk analysis and show that it remedies the shortcomings of the traditional approach and increases the usability and objectivity of risk assessment.

Abstract (English)

With the fast development of network technology and the popularization of Web applications, Web information systems face many kinds of attack, such as Trojan horse threats, DDoS attacks, and exploitation of system and application vulnerabilities, whose goal is to destroy websites or steal sensitive data. Current risk assessment methods cannot effectively identify system vulnerabilities and the paths an attack may take, so their results do not show the real threat paths. This paper takes the concept of the attack tree and extends it to security risk analysis: attack trees are used to describe attack situations, and on that basis we propose an extended attack tree analysis approach. We design an enhanced threat-computation algorithm that calculates a threat measure for each attack combination, taking attack difficulty and detection and protection into account, so that the influence level of each threat can be assessed. In essence, the method differs from general risk assessment in that the security unit is the 'threat' rather than the 'asset', which improves on the poor description of threats in the general risk analysis approach. We use a website system as a practical example of security threat analysis for a Web system and obtain a risk grade for website security that a system administrator can use as an evaluation basis; this shows that an effective risk value can be obtained from the extended attack tree analysis approach when assessing a website system. We also compare the extended attack tree analysis with traditional risk analysis approaches; the results indicate that the proposed method remedies the insufficiencies of traditional risk analysis and increases the usability and objectivity of risk assessment.
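The abstract describes the method only by its ingredients: an attack tree whose AND/OR structure describes attack scenarios, a threat value per attack combination that accounts for attack difficulty and the degree of detection and defence, and a risk grade derived from those values, with the threat rather than the asset as the unit of assessment. The Python block below is an added illustration of that shape; it is not the authors' algorithm or code from the paper. The 1..5 scales for difficulty and detection, the product scoring, the grade thresholds, the `mitigation_value` view and the sample tree for a fictional shop website are all assumptions made for this example.

```python
# Added illustration, not the paper's algorithm: an AND/OR attack tree is
# expanded into its attack scenarios (minimal cut sets), each scenario is
# scored from the difficulty and detectability of its steps, and the
# scenarios are ranked so the analyst sees threat paths, not asset lists.
from dataclasses import dataclass
from itertools import product
from typing import List, Tuple, Union


@dataclass(frozen=True)
class Leaf:
    """Atomic attack step. Assumed scales: difficulty 1 (trivial)..5 (very
    hard); detection 1 (rarely detected or blocked)..5 (almost always)."""
    name: str
    difficulty: int
    detection: int


@dataclass(frozen=True)
class Node:
    """Intermediate goal: 'OR' = any child suffices, 'AND' = all needed."""
    name: str
    op: str
    children: Tuple[Union["Node", Leaf], ...]


Scenario = Tuple[Leaf, ...]


def scenarios(node: Union[Node, Leaf]) -> List[Scenario]:
    """Every combination of leaves that achieves `node`: OR concatenates the
    children's scenarios, AND takes their cross product."""
    if isinstance(node, Leaf):
        return [(node,)]
    child_sets = [scenarios(c) for c in node.children]
    if node.op == "OR":
        return [s for cs in child_sets for s in cs]
    if node.op == "AND":
        return [sum(combo, ()) for combo in product(*child_sets)]
    raise ValueError(f"unknown operator {node.op!r}")


def threat_score(scenario: Scenario) -> float:
    """Assumed scoring (not the paper's formula): each step contributes
    ease = (6 - difficulty) / 5 and evasion = (6 - detection) / 5; the
    product over all steps means a path is only as strong as its hardest
    or most detectable step. Result lies in (0, 1]."""
    score = 1.0
    for leaf in scenario:
        score *= ((6 - leaf.difficulty) / 5) * ((6 - leaf.detection) / 5)
    return score


def risk_grade(score: float) -> str:
    """Assumed thresholds mapping a score onto a three-level grade."""
    if score >= 0.5:
        return "High"
    if score >= 0.2:
        return "Medium"
    return "Low"


def rank_scenarios(root: Node) -> List[Tuple[float, Tuple[str, ...]]]:
    """Threat paths sorted from most to least threatening."""
    ranked = [(threat_score(s), tuple(l.name for l in s)) for s in scenarios(root)]
    return sorted(ranked, key=lambda r: r[0], reverse=True)


def site_grade(root: Node) -> str:
    """Overall grade = grade of the single worst threat path."""
    return risk_grade(rank_scenarios(root)[0][0])


def mitigation_value(root: Node) -> dict:
    """Threat removed if a step were made infeasible: the summed score of every
    scenario depending on it. A step shared by many paths (an admin login
    without MFA) can matter as much as the single worst path."""
    value: dict = {}
    for s in scenarios(root):
        for leaf in s:
            value[leaf.name] = value.get(leaf.name, 0.0) + threat_score(s)
    return value


# Constructed sample tree for a fictional shop website (not from the paper).
SAMPLE_TREE = Node("Steal customer records", "OR", (
    Leaf("SQL injection in search form", difficulty=2, detection=2),
    Node("Deploy web shell", "AND", (
        Leaf("Bypass WAF upload filter", difficulty=2, detection=2),
        Leaf("Upload PHP shell via avatar upload", difficulty=3, detection=3),
    )),
    Node("Take over admin account", "AND", (
        Node("Obtain admin password", "OR", (
            Leaf("Phish administrator", difficulty=2, detection=3),
            Leaf("Credential stuffing from breach dump", difficulty=2, detection=4),
        )),
        Leaf("Log in to admin panel (no MFA)", difficulty=1, detection=2),
    )),
))

if __name__ == "__main__":
    for score, path in rank_scenarios(SAMPLE_TREE):
        print(f"{score:.3f} {risk_grade(score):6s} {' + '.join(path)}")
    print("site grade:", site_grade(SAMPLE_TREE))
```

On the sample tree the SQL injection path scores highest on its own, but `mitigation_value` shows that enforcing MFA on the admin panel removes as much total threat as fixing the injection, because two of the four scenarios pass through that login. That is the kind of threat-centred result the abstract contrasts with asset-centred scoring.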

Subject classification

Basic and Applied Sciences > Information Science; Social Sciences > Management
Cited by

1. 楊欣哲 (Shin-Jer Yang), 林裕倫 (2014). 企業資訊網站設計之資訊安全的評估模式與評量工具之研究 [A study of an information security assessment model and evaluation tool for enterprise information website design]. 資訊管理學報 (Journal of Information Management), 21(2), 107-138.