Research on Construction Methods for Virtual Network Evaluation Environments

Abstract

With the spread of computers and networks, network security incidents keep occurring. As an important part of computer security work, network security evaluation is receiving growing attention from security practitioners. When the evaluation target is an important system or network, an independent evaluation environment must be built in which the target can be tested and assessed without putting its security and availability at risk. A virtual network evaluation environment is an evaluation environment built on virtualization and simulation technology; it raises hardware utilization and makes the testing process more controllable, and it is both the current trend in evaluation-environment research and the focus of this thesis.

Existing construction methods based on virtualization fall into two kinds, direct deployment and full cloning. The former deploys nodes slowly, the latter can deploy only a single type of network node, and both use hardware inefficiently. Environments based on simulation have a drawback of their own: the simulated node states deviate from the real ones.

This thesis proposes a construction scheme for a virtual network evaluation environment in which physical (entity) nodes are deployed with a grouping-adaptive node deployment method, and the states of simulated nodes are then computed with a spreading-activation node simulation method. The work comprises the following:

1) A grouping-adaptive network node deployment method. Building on an analysis of the strengths and weaknesses of existing deployment methods, it deploys shared and non-shared software in different ways and deploys nodes in groups under a grouping-adaptive strategy, choosing between a non-priority grouping algorithm and a priority grouping algorithm according to time entropy.

2) A spreading-activation network node simulation method. It first computes the topological similarity between nodes with a spreading activation model and the system similarity between nodes from their software vectors, combines the two into a node similarity, and finally computes each simulated node's state from the state values of the physical nodes and the similarity between the simulated node and those physical nodes.

3) A virtual network evaluation prototype system, built on a B/S (browser/server) architecture and a Xen virtualization environment whose security has been hardened. Experiments comparing the deployment efficiency of the grouping-adaptive method with direct deployment, full cloning and other node deployment methods, and comparing the node states computed by the spreading-activation method with the measured values, show that the proposed construction scheme is sound and effective.
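The node simulation pipeline of contribution 2) (topological similarity by spreading activation, system similarity from software vectors, their combination, and a similarity-weighted state estimate), as an added example that is not the thesis's own code. The sample network, the software vectors, the even-split-with-decay spreading rule, cosine similarity, the weighted-sum combination and the weighted-average state rule are all assumptions made here, since the abstract does not give the formulas:

```python
import math

# Constructed sample network (not from the thesis): nodes 0-2 are deployed
# physical nodes, node 3 is the simulated node whose state is to be estimated.
ADJ = [[0, 1, 0, 0], [1, 0, 1, 1], [0, 1, 0, 1], [0, 1, 1, 0]]
# Software vectors, one entry per package (ssh, httpd, mysql, nginx); 1 = installed.
SOFTWARE = [[1, 1, 0, 0], [1, 0, 1, 0], [1, 1, 1, 0], [1, 1, 0, 0]]
PHYSICAL = [0, 1, 2]
STATES = {0: 20.0, 1: 60.0, 2: 40.0}  # measured state per physical node (e.g. CPU load %)

def spreading_activation(adj, source, decay=0.5, steps=2):
    """Topological similarity (assumed rule): activation starts at `source`, each node
    passes its activation evenly to its neighbours, attenuated by `decay` per hop.
    Returns the total activation that reached each node; the source itself gets 0."""
    n = len(adj)
    act = [1.0 if i == source else 0.0 for i in range(n)]
    received = [0.0] * n
    for _ in range(steps):
        nxt = [0.0] * n
        for i in range(n):
            deg = sum(adj[i])
            for j in range(n):
                if adj[i][j] and deg:
                    nxt[j] += decay * act[i] / deg
        act = nxt
        received = [r + a for r, a in zip(received, act)]
    received[source] = 0.0
    return received

def system_similarity(software, sim_node):
    """Cosine similarity between the software vector of sim_node and every node."""
    v = software[sim_node]
    norms = [math.sqrt(sum(a * a for a in row)) for row in software]
    return [sum(a * b for a, b in zip(row, v)) / (nr * norms[sim_node])
            if nr and norms[sim_node] else 0.0 for row, nr in zip(software, norms)]

def node_similarity(adj, software, sim_node, w=0.5):
    """Assumed combination rule: weighted sum of topological and system similarity."""
    return [w * t + (1 - w) * s for t, s in
            zip(spreading_activation(adj, sim_node), system_similarity(software, sim_node))]

def simulated_state(adj, software, sim_node, physical, states, w=0.5):
    """State of the simulated node: similarity-weighted average of the
    measured states of the physical nodes (assumed rule)."""
    sim = node_similarity(adj, software, sim_node, w)
    total = sum(sim[p] for p in physical)
    if total == 0:
        raise ValueError("simulated node resembles no physical node")
    return sum(sim[p] * states[p] for p in physical) / total
```

With the constructed data, node 3 is topologically closest to nodes 1 and 2 but shares exactly the software of node 0, so its estimated state lands between the three measured values rather than copying any one of them.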
