CN107135221A - A kind of method of gradual solution K maximum probability attack paths - Google Patents
Publication number: CN107135221A (application CN201710326387.3A)
Authority: CN (China)
Prior art keywords: node, leak, vulnerability, available, consequence
Legal status: Granted (the legal status is an assumption and is not a legal conclusion; Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed)

Classifications
- H—ELECTRICITY
- H04—ELECTRIC COMMUNICATION TECHNIQUE
- H04L—TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
- H04L63/00—Network architectures or network communication protocols for network security
- H04L63/14—Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic
- H04L63/1433—Vulnerability analysis
- H04L63/10—Network architectures or network communication protocols for network security for controlling access to devices or network resources
Abstract
The invention discloses a method for progressively solving the K maximum-probability attack paths. The method outputs the K maximum-probability attack paths of each attacked node progressively, in rounds; in each round every node has a chance to output an attack path, which solves the problem that a node whose attack paths have a small cumulative vulnerability exploitability probability may fail to output any attack path for some period of time. The number of attack paths output by the method can grow dynamically, so the specific value of the number K of attack paths need not be given in advance, which resolves the trade-off between the real-time performance of attack path computation and the number of attack paths solved. The method establishes several available-vulnerability information tables for each node in the network, marks each available-vulnerability information table as visited or not visited, and combines the specific contents of each available-vulnerability information table to select and exploit vulnerabilities, finally achieving the progressive solution and output of the K maximum-probability attack paths.
Description
Technical field
The present invention relates to a network security analysis method, and in particular to a method for progressively solving the K maximum-probability attack paths.
Background technology
Network security is critical to protecting enterprise information. An attacker can exploit vulnerabilities present on different nodes of an enterprise information system (nodes include servers, routers, switches, firewalls, storage devices, personal computers and so on) and, through multi-step attacks, progressively raise the hacker's access rights to the system, steal confidential system data, or render the system unable to work normally. Therefore, performing a security analysis of the enterprise information system and computing in advance the potential attack paths in the system can guide the next step of network defence and vulnerability remediation, and has important practical significance and application value.
In the prior art, Bi Kun et al., in the invention patent "A Network Security Analysis Method for Solving K Maximum-Probability Attack Graphs" (CN 102724210 B, 2015.02.11, full text), proposed a method for solving the top-K maximum-probability attack paths of each node in an attacked network. That method does not need to compute and generate a complete attack graph; it can directly compute the top-K maximum-probability attack paths of each node in the attacked network. As the value of K increases, the running time of the algorithm increases accordingly. Because that method arranges the attack paths of all nodes in the network in descending order of cumulative vulnerability exploitability probability, a node whose attack paths have a smaller cumulative exploitability probability outputs its attack paths relatively late. In the worst case, when K is large, a node whose attack paths have a smaller cumulative exploitability probability may not output a single attack path for some period of time, while a node whose attack paths have a larger cumulative exploitability probability may output all of its attack paths. That method therefore cannot guarantee the timeliness of attack path output for every node, and the balance between the number K of attack paths and real-time computation needs further consideration. On the other hand, that method must be given the specific value of the parameter K in advance; after the top-K maximum-probability attack paths of each attacked node have been solved, obtaining more attack paths requires resetting the value of K and re-executing the method once more, because the computation cannot continue from the previous result. This causes repeated computation and wastes computing resources and computing time.
The content of the invention
To overcome the defects of the above prior art, the present invention provides a method for progressively solving the K maximum-probability attack paths. Given the topology and access relations of a network system, the raw information on the vulnerabilities present on each node, and the initial position of the attacker, the method outputs the attack paths of each attacked node in rounds; in each round every node has a chance to output an attack path, the number K of attack paths output can grow dynamically, and the specific value of the number K of attack paths need not be given in advance. The raw vulnerability information includes the vulnerability number, the node on which the vulnerability is located, the precondition of exploitation, the consequence of exploitation, and the exploitability probability of the vulnerability.
To achieve these goals, the present invention provides a method for progressively solving the K maximum-probability attack paths, comprising the following steps:

Step 1: establish L available-vulnerability information tables for each node in the network, where L is the number of exploitation-consequence classes; each available-vulnerability information table corresponds to one class of exploitation consequence.

An available-vulnerability information entry includes the node number, the vulnerability number, the specific attack path starting from the attacker, and the cumulative exploitability probability. The cumulative exploitability probability is computed by multiplying the exploitability probabilities of every vulnerability on the exploitation path starting from the attacker. Exploitation consequences include changes of access rights and consequences of the non-access-rights class. Access rights include ordinary user access rights and root or administrator access rights; ordinary user access rights can be subdivided into ordinary user read, write and execute rights, and root or administrator access rights can be subdivided into root or administrator read, write and execute rights. Consequences of the non-access-rights class are all exploitation consequences other than access rights, including service stoppage, system stoppage, slow service response, slow system response, data loss, data deletion and data theft. The classification of exploitation consequences can be defined by the security administrator according to the security objectives of the system.

Step 2: initialise all available-vulnerability information tables as empty tables.

Step 3: set the visit mark of all available-vulnerability information tables to "not visited".

Step 4: starting from the attacker's position, query and judge the vulnerabilities on all nodes that the attacker can directly access; if the precondition of exploitation is met, put the vulnerability into the corresponding available-vulnerability information table of the node where it is located, according to the consequence information of the exploitation.

The specific rule for "putting the vulnerability into the corresponding available-vulnerability information table of the node where it is located according to the consequence information of the exploitation" is: if the same vulnerability has several exploitation consequences, the vulnerability is put into the table corresponding to the most harmful of its consequences, according to the ordering of consequence harmfulness. The ordering of consequence harmfulness can be defined by the security administrator according to the security objectives of the system; in general, obtaining access rights is more harmful than a consequence of the non-access-rights class, obtaining root or administrator access rights is more harmful than obtaining ordinary user access rights, obtaining execute rights is more harmful than obtaining write rights, and obtaining write rights is more harmful than obtaining read rights.

Step 5: from all available-vulnerability information tables whose visit mark is "not visited", select the available-vulnerability entry with the largest cumulative exploitability probability, remove it from its table and set the visit mark of that table to "visited"; query the consequence information of the exploitation, update the attacker's access rights and non-access-rights consequences on that node, write the consequence information of this exploitation into the attack path information set of the node where the vulnerability is located, and output the attack path information. Then query and judge the vulnerabilities on all nodes that can be directly accessed from this node; if the access rights changed on this node are a necessary condition for attacking a vulnerability, the precondition of the corresponding exploitation is met, and no attack loop exists, put the corresponding vulnerability into the corresponding available-vulnerability information table of the node where it is located according to the consequence information of the exploitation. An attack loop means that a node is repeated in the attack path and the attack purpose on the repeated node is identical.

Step 6: judge whether the number of computed attack paths has met the requirement; if so, go to step 8, otherwise go to step 7.

Step 7: judge whether all available-vulnerability information tables are empty; if so, go to step 8. Otherwise, query the visit marks of all non-empty available-vulnerability information tables: if there is a table whose visit mark is "not visited", go directly to step 5; if the visit marks of all non-empty tables are "visited", reset the visit marks of all available-vulnerability information tables to "not visited" and go to step 5.

Step 8: collect and output the computation result. While the algorithm is running, the attack paths attacking each node are output one after another, and their relevant information is also recorded in the data structure of each node; in this step the computation results that need to be examined can be collected and output according to actual needs.
Compared with the prior art, the method for progressively solving the K maximum-probability attack paths provided by the present invention has the following advantages: (1) the method outputs the attack paths of each attacked node in rounds, and in each round every node has a chance to output an attack path, which solves the problem that a node whose attack paths have a small cumulative exploitability probability may not output any attack path for a long time; (2) the number K of attack paths output by the method can grow dynamically, so the specific value of the number K of attack paths need not be given in advance, which resolves the trade-off between the real-time performance of attack path computation and the number K of attack paths solved.

Compared with the network security analysis method of the invention patent "A Network Security Analysis Method for Solving K Maximum-Probability Attack Graphs" (CN 102724210 B, 2015.02.11, full text), the present invention solves the following two problems. (1) It solves the problem that "in the worst case, when K is large, a node whose attack paths have a smaller cumulative exploitability probability may not output a single attack path for a long time". The method in the existing patent arranges and processes all available vulnerabilities in the network system in descending order of cumulative exploitability probability, and its running time increases as the value of K increases, so the problem just quoted arises. The present invention does not use the strategy of exploiting all available vulnerabilities in the network system one after another in descending order of cumulative exploitability probability; instead it establishes available-vulnerability information tables for each node separately and marks each table "not visited" or "visited" according to whether it has been visited. In essence this redesigns the strategy for choosing and exploiting vulnerabilities, so that the attack paths of each node are output in rounds and in each round every node has a chance to output an attack path, which solves the problem quoted above. (2) It solves the problem that the number K of attack paths must be specified in advance and that attack paths cannot be generated incrementally. The method in the existing patent must be given the specific value of the parameter K in advance; after the top-K maximum-probability attack paths of each attacked node have been solved, obtaining more attack paths requires resetting the value of K and re-executing the method once more, because it cannot continue from the previous result. To obtain more attack paths, a fairly large value of K has to be given in advance, and increasing K further aggravates the problem that "when K is large, a node whose attack paths have a smaller cumulative exploitability probability may not output a single attack path for some period of time". The present invention, by redesigning the strategy for choosing and exploiting vulnerabilities, outputs the attack paths of each attacked node in rounds, achieves incremental generation of attack paths, and does not require the number K of attack paths to be solved to be given in advance. When analysing a large network system, the running time required to solve the top-K attack paths of each attacked node generally cannot be estimated accurately, while on the other hand one wants to make full use of a given time window to solve as many attack paths as possible; in this situation an accurate value of K cannot be given in advance. The present invention needs no constraint on the specific value of K in advance: as running time passes, each node has the opportunity to output more attack paths, which solves the problem of incremental attack path generation.
Brief description of the drawings
Fig. 1 is the flow chart of the method of the invention;
Fig. 2 is the network topology diagram;
Fig. 3 is the access relation diagram;
Fig. 4 is the raw vulnerability information of each node;
Fig. 5 is the attack path precedence diagram generated by a prior-art method;
Fig. 6 is available-vulnerability information table one;
Fig. 7 is available-vulnerability information table two;
Fig. 8 is available-vulnerability information table three;
Fig. 9 is available-vulnerability information table four;
Fig. 10 is available-vulnerability information table five;
Fig. 11 is available-vulnerability information table six;
Fig. 12 is available-vulnerability information table seven;
Fig. 13 is available-vulnerability information table eight;
Fig. 14 is available-vulnerability information table nine;
Fig. 15 is available-vulnerability information table ten;
Fig. 16 is available-vulnerability information table eleven;
Fig. 17 is available-vulnerability information table twelve;
Fig. 18 is available-vulnerability information table thirteen;
Fig. 19 is available-vulnerability information table fourteen;
Fig. 20 is available-vulnerability information table fifteen;
Fig. 21 is available-vulnerability information table sixteen;
Fig. 22 is the attack path precedence diagram generated by the present invention.
Embodiment
So that the technical means, creative features and objectives achieved by the present invention are easy to understand, the present invention is further explained below with reference to a specific embodiment.

The network topology is shown in Fig. 2: node H represents the attacker, nodes A, B, C and D represent the nodes of a given network system, and the directed arrows between nodes represent the access relations between them. The access relations are shown in Fig. 3: from the second row onward, each row represents the set of nodes that one node can access, "√" means direct access is possible and "X" means direct access is not possible. For example, the second row shows that the attacker can directly access node A but cannot directly access nodes B, C and D; the third row shows that node A can directly access nodes A, B and C but cannot directly access node D; the access relations between the other nodes are read from Fig. 3 in the same way. In this embodiment the access relations are defined as unidirectional, but in a specific implementation they can be defined as unidirectional or bidirectional according to circumstances.

The raw information on the vulnerabilities present on each node is shown in Fig. 4. The exploitation precondition describes the precondition that must hold to exploit the vulnerability; the exploitation consequence describes the consequence produced after the vulnerability is successfully exploited, which in this example is "the attacker obtains administrator execute rights on the node"; and the exploitability probability describes the likelihood that each vulnerability can be exploited successfully. After obtaining administrator execute rights on a node, the attacker can run programs on that node and launch new attacks from it.
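Steps 1 to 8 of the method, run over the embodiment's network described above (attacker H, nodes A to D, vulnerabilities V1 to V5 with the exploitability probabilities of Fig. 4, exploitation preconditions assumed met as in the embodiment), as an added example that is not part of the patent or of any implementation by its authors. The data structures, function names and the consequence label `admin_exec` are this example's own; the generator shows the round-robin visit marks and why K never has to be fixed in advance.

```python
"""Round-robin progressive attack path search over the embodiment's network."""
from dataclasses import dataclass, field
from itertools import islice
from typing import Dict, Iterator, List, Tuple

Path = Tuple[Tuple[str, str], ...]  # ((node, vulnerability number), ...) from H


@dataclass(frozen=True)
class Vuln:
    vid: str          # vulnerability number, e.g. "V1"
    node: str         # node on which the vulnerability is located
    consequence: str  # exploitation-consequence class (selects the table)
    p: float          # exploitability probability of this vulnerability


@dataclass
class Entry:
    """One available-vulnerability entry: [node, vulnerability, path, cum_p]."""
    node: str
    vid: str
    path: Path
    cum_p: float      # product of p over every vulnerability on the path


@dataclass
class Table:
    """One available-vulnerability information table with its visit mark."""
    entries: List[Entry] = field(default_factory=list)
    visited: bool = False


def path_str(path: Path) -> str:
    """Render a path the way the page writes it, e.g. HA(V1)B(V3)."""
    return "H" + "".join(f"{n}({v})" for n, v in path)


def attack_paths(access: Dict[str, List[str]], vulns: List[Vuln],
                 attacker: str = "H") -> Iterator[Entry]:
    """Yield attack paths in the order steps 4 to 7 output them.

    K is never fixed here: the caller stops consuming the generator once it
    has enough paths (step 6) and can resume later without recomputation.
    """
    index = {(v.node, v.vid): v for v in vulns}
    by_node: Dict[str, List[Vuln]] = {}
    for v in vulns:
        by_node.setdefault(v.node, []).append(v)
    nodes = set(access) | {d for dsts in access.values() for d in dsts}
    classes = sorted({v.consequence for v in vulns})
    # Steps 1 to 3: one empty, unvisited table per (node, consequence class).
    tables = {(n, c): Table() for n in nodes if n != attacker for c in classes}

    def expand(path: Path, cum_p: float, src: str) -> None:
        # Steps 4/5: every vulnerability on a node directly accessible from
        # src, unless that node is already on the path with the same attack
        # purpose (an attack loop). Exploit preconditions are assumed met.
        purposes = {(n, index[(n, v)].consequence) for n, v in path}
        for dst in access.get(src, []):
            for v in by_node.get(dst, []):
                if (dst, v.consequence) in purposes:
                    continue
                tables[(dst, v.consequence)].entries.append(
                    Entry(dst, v.vid, path + ((dst, v.vid),), cum_p * v.p))

    expand((), 1.0, attacker)                       # step 4
    while any(t.entries for t in tables.values()):  # step 7: all empty -> done
        unvisited = [t for t in tables.values() if t.entries and not t.visited]
        if not unvisited:                           # step 7: start a new round
            for t in tables.values():
                t.visited = False
            continue
        # Step 5: largest cumulative probability, but only among unvisited
        # tables; this is what gives every node a turn in each round.
        table = max(unvisited, key=lambda t: max(e.cum_p for e in t.entries))
        entry = max(table.entries, key=lambda e: e.cum_p)
        table.entries.remove(entry)
        table.visited = True
        yield entry                                 # output this attack path
        expand(entry.path, entry.cum_p, entry.node)


# Constructed from Figs. 2 to 4 as the page describes them: H->A, A->{A,B,C},
# B->C, C->D, D->nothing; every vulnerability grants administrator execute
# rights, so there is one consequence class and one table per node.
ACCESS = {"H": ["A"], "A": ["A", "B", "C"], "B": ["C"], "C": ["D"], "D": []}
VULNS = [Vuln("V1", "A", "admin_exec", 0.9), Vuln("V2", "A", "admin_exec", 0.8),
         Vuln("V3", "B", "admin_exec", 0.9), Vuln("V4", "C", "admin_exec", 0.6),
         Vuln("V5", "D", "admin_exec", 0.1)]


def fmt(e: Entry) -> Tuple[str, str, str, float]:
    return (e.node, e.vid, path_str(e.path), round(e.cum_p, 6))


def run_example(first: int, more: int):
    """Take `first` paths, then `more` from the same search (K grows in place)."""
    gen = attack_paths(ACCESS, VULNS)
    return [fmt(e) for e in islice(gen, first)], [fmt(e) for e in islice(gen, more)]


if __name__ == "__main__":
    for batch in run_example(4, 8):
        print(*batch, sep="\n")
```

The first four outputs reproduce the page's first round (A, B, C, D in turn, the last with probability 0.054 even though node A still holds a 0.8 entry), and the next batch continues from where the search stopped rather than restarting it.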
Give after above-mentioned input information, as shown in figure 1, the specific method step of the present invention is as follows:
Step (1) is that each node sets up an available vulnerability information table respectively.In this embodiment, vulnerability exploit
Consequence information is " administrator that attacker is obtained on the node performs authority ", therefore sets up one respectively for each node
Individual available vulnerability information table.Can be each knot according to actual conditions if there is the consequence of the vulnerability exploit of plurality of classes
Point sets up multiple available vulnerability information tables respectively;
All available vulnerability information tables are initialized as sky table by step (2);
Step (3) sets the access of all available vulnerability information tables to be labeled as " not accessing ";
Step (4) is inquired about since attacker position and is judged the leakage on all nodes that can be directly accessed by attacker
Hole, finds the leak V that attacker can be attacked on node A1And V2, and the precondition of vulnerability exploit met, so will leakage
Hole V1And V2Corresponding available vulnerability information is put into node A available vulnerability information table, as shown in fig. 6, node A's is available
Vulnerability information can be used by having increased two in vulnerability information table newly:“[A,V1,HA(V1), 0.9] " and " [A, V2,HA(V2), 0.8] ", often
Bar can be tired comprising node numbering, leak number, the specific attack path since attacker and leak availability with vulnerability information
Product probable value, for example, can use vulnerability information " [A, V1,HA(V1), 0.9] " illustrate to have leak number on node A for V1Can
It is the leak V that can be directly attacked on node A from attacker H since the specific attack path attacker with leak1, leak
Availability cumulative probability value is 0.9;
In available vulnerability information tables of step (5) from all access labeled as " not accessing ", the accumulation of leak availability is selected
One of probable value maximum can use vulnerability information, therefore selection can use vulnerability information " [A, V1,HA(V1), 0.9] ", this can use
Vulnerability information is removed from available vulnerability information table, and the access mark of the available vulnerability information table is set into " access ",
Inquire about leak V1The consequence information of vulnerability exploit be " attacker obtains administrator on the node and performs authority ", update
Access rights of the attacker on node A, and the consequence information of this vulnerability exploit is write to node A attack path information collection
Merge output this attack path information, inquire about and judge the leak on all nodes that can be directly accessed by node A, find from
The leak V that node A can be attacked on node B3With the leak V on node C4, and in the absence of attack loop, therefore leak can be used
Information " [B, V3,HA(V1)B(V3), 0.81] " it is put into node B available vulnerability information table, wherein attack path " HA (V1)B
(V3) " illustrate that the specific attack step since attacker is:Since attacker H, the leak V on node A is cast the first stone1, obtain
The leak V attacked again since node A on node B after weighting limit3, leak availability cumulative probability value is 0.9*0.9=0.81,
Vulnerability information " [C, V can be used4,HA(V1)C(V4), 0.54] " it is put into node C available vulnerability information table, wherein leak can
It is 0.9*0.6=0.54 with property cumulative probability value, the particular content in the available vulnerability information table of each node and access mark are such as
Shown in Fig. 7;
In available vulnerability information tables of step (6) from all access labeled as " not accessing ", the accumulation of leak availability is selected
One of probable value maximum can use vulnerability information, therefore selection can use vulnerability information " [B, V3,HA(V1)B(V3), 0.81] ", will
The available vulnerability information is removed from available vulnerability information table, and the access mark of the available vulnerability information table is set to "
Access ", inquiry leak V3Vulnerability exploit consequence information for " attacker obtains administrator's right of execution on the node
Limit ", updates access rights of the attacker on node B, and the consequence information of this vulnerability exploit is write to node B attack road
Footpath information aggregate simultaneously exports this attack path information, inquires about and judges the leakage on all nodes that can be directly accessed by node B
Hole, finds the leak V that can be attacked on node C from node B4, and in the absence of attack loop, therefore can with vulnerability information " [C,
V4,HA(V1)B(V3)C(V4), 0.486] " it is put into node C available vulnerability information table, wherein leak availability cumulative probability
It is worth for 0.9*0.9*0.6=0.486, particular content in the available vulnerability information table of each node and to access mark as shown in Figure 8;
In available vulnerability information tables of step (7) from all access labeled as " not accessing ", the accumulation of leak availability is selected
One of probable value maximum can use vulnerability information, therefore selection can use vulnerability information " [C, V4,HA(V1)C(V4), 0.54] ", will
The available vulnerability information is removed from available vulnerability information table, and the access mark of the available vulnerability information table is set to "
Access ", inquiry leak V4Vulnerability exploit consequence information for " attacker obtains administrator's right of execution on the node
Limit ", updates access rights of the attacker on node C, and the consequence information of this vulnerability exploit is write to node C attack road
Footpath information aggregate simultaneously exports this attack path information, inquires about and judges the leakage on all nodes that can be directly accessed by node C
Hole, finds the leak V that can be attacked on node D from node C5, and in the absence of attack loop, therefore can with vulnerability information " [D,
V5,HA(V1)C(V4)D(V5), 0.054] " it is put into node D available vulnerability information table, wherein leak availability cumulative probability
It is worth for 0.9*0.6*0.1=0.054, particular content in the available vulnerability information table of each node and to access mark as shown in Figure 9;
It can be seen that from the step, although vulnerability information " [C, V can be used4,HA(V1)C(V4), 0.54] " leak availability cumulative probability
Value be not current all nodes available vulnerability information table in maximum one of leak availability cumulative probability value, but be due to
The access mark of node A and node B available vulnerability information table is " access ", so being arranged when current leak is chosen
Remove, and vulnerability information " [C, V can be used4,HA(V1)C(V4), 0.54] " it is all available leakages that current accessed is labeled as " not accessing "
Leak availability cumulative probability value is maximum in the information table of hole one, therefore be selected and utilize in this step;
In available vulnerability information tables of step (8) from all access labeled as " not accessing ", the accumulation of leak availability is selected
One of probable value maximum can use vulnerability information, because node A, node B and node C available vulnerability information table are currently
" access ", so selection can use vulnerability information " [D, V5,HA(V1)C(V4)D(V5), 0.054] ", by the available vulnerability information
Removed from available vulnerability information table, and the access mark of the available vulnerability information table is set to " access ", inquire about leak
V5The consequence information of vulnerability exploit be " attacker obtains administrator on the node and performs authority ", update attacker and exist
Access rights on node D, and the consequence information of this vulnerability exploit is write into node D attack path information aggregate and exported
This attack path information, inquires about and judges the leak on all nodes that can be directly accessed by node D, finds by access relation
Limitation, the particular content that can not be attacked in any node, the available vulnerability information table of each node from node D and access mark such as
Shown in Figure 10;It is can be seen that from the step because node A, node B and node C available vulnerability information table are currently " to have visited
Ask ", therefore leak can only be chosen from node D available vulnerability information table, so node D obtains the machine of output attack path
Meeting;Conducted interviews mark by the available vulnerability information table to each node, so that each node has the machine of output attack path
Meeting;
Step (9) is because the access mark of the available vulnerability information table of current all non-NULLs is " access ", then by institute
The access mark reset all for having available vulnerability information table is " not accessing ", as a result as shown in figure 11;After the step terminates, meaning
The calculating and output for the attack path in current round on each node are over, the calculating of the attack path of a new round and defeated
Go out to start;
Step (10): From among the available vulnerability information tables whose access mark is "not accessed", the available vulnerability information with the largest cumulative exploitability probability value is selected, namely "[A, V2, HA(V2), 0.8]". This available vulnerability information is removed from its table and the access mark of that table is set to "accessed". The consequence information of exploiting vulnerability V2 is looked up; it is "the attacker obtains administrator user execute permission on this node". The attacker's access rights on node A are updated, the consequence information of this exploit is written into the attack path information set of node A, and this attack path information is output. The vulnerabilities on all nodes that can be directly accessed from node A are then queried and judged: vulnerability V3 on node B and vulnerability V4 on node C can be attacked from node A, and no attack loop exists. Therefore the available vulnerability information "[B, V3, HA(V2)B(V3), 0.72]" is put into the available vulnerability information table of node B, where the cumulative exploitability probability value is 0.8*0.9=0.72, and the available vulnerability information "[C, V4, HA(V2)C(V4), 0.48]" is put into the available vulnerability information table of node C, where the cumulative exploitability probability value is 0.8*0.6=0.48. The specific contents and access marks of each node's available vulnerability information table are shown in Fig. 12.
Step (11): From among the available vulnerability information tables whose access mark is "not accessed", the available vulnerability information with the largest cumulative exploitability probability value is selected, namely "[B, V3, HA(V2)B(V3), 0.72]". This available vulnerability information is removed from its table and the access mark of that table is set to "accessed". The consequence information of exploiting vulnerability V3 is "the attacker obtains administrator user execute permission on this node"; the attacker's access rights on node B are updated, the consequence information of this exploit is written into the attack path information set of node B, and this attack path information is output. The vulnerabilities on all nodes directly accessible from node B are queried and judged: vulnerability V4 on node C can be attacked from node B, and no attack loop exists, so the available vulnerability information "[C, V4, HA(V2)B(V3)C(V4), 0.432]" is put into the available vulnerability information table of node C. The specific contents and access marks of each node's available vulnerability information table are shown in Fig. 13.
Step (12): From among the available vulnerability information tables whose access mark is "not accessed", the available vulnerability information with the largest cumulative exploitability probability value is selected, namely "[C, V4, HA(V1)B(V3)C(V4), 0.486]". This available vulnerability information is removed from its table and the access mark of that table is set to "accessed". The consequence information of exploiting vulnerability V4 is "the attacker obtains administrator user execute permission on this node"; the attacker's access rights on node C are updated, the consequence information of this exploit is written into the attack path information set of node C, and this attack path information is output. The vulnerabilities on all nodes directly accessible from node C are queried and judged: vulnerability V5 on node D can be attacked from node C, and no attack loop exists, so the available vulnerability information "[D, V5, HA(V1)B(V3)C(V4)D(V5), 0.0486]" is put into the available vulnerability information table of node D. The specific contents and access marks of each node's available vulnerability information table are shown in Fig. 14.
Step (13): From among the available vulnerability information tables whose access mark is "not accessed", the available vulnerability information with the largest cumulative exploitability probability value is selected, namely "[D, V5, HA(V1)B(V3)C(V4)D(V5), 0.0486]". This available vulnerability information is removed from its table and the access mark of that table is set to "accessed". The consequence information of exploiting vulnerability V5 is "the attacker obtains administrator user execute permission on this node"; the attacker's access rights on node D are updated, the consequence information of this exploit is written into the attack path information set of node D, and this attack path information is output. The vulnerabilities on all nodes directly accessible from node D are queried and judged, and it is found that, because of the limits of the access relation, no node can be attacked from node D. The specific contents and access marks of each node's available vulnerability information table are shown in Fig. 15.
Step (14): Since the access marks of all currently non-empty available vulnerability information tables are "accessed", the access marks of all available vulnerability information tables are reset to "not accessed"; the result is shown in Fig. 16. After this step ends, the calculation and output of the attack paths on every node in the current round are complete, and the calculation and output of the attack paths of a new round begin.
Step (15): From among the available vulnerability information tables whose access mark is "not accessed", the available vulnerability information with the largest cumulative exploitability probability value is selected, namely "[C, V4, HA(V2)C(V4), 0.48]". This available vulnerability information is removed from its table and the access mark of that table is set to "accessed". The consequence information of exploiting vulnerability V4 is "the attacker obtains administrator user execute permission on this node"; the attacker's access rights on node C are updated, the consequence information of this exploit is written into the attack path information set of node C, and this attack path information is output. The vulnerabilities on all nodes directly accessible from node C are queried and judged: vulnerability V5 on node D can be attacked from node C, and no attack loop exists, so the available vulnerability information "[D, V5, HA(V2)C(V4)D(V5), 0.048]" is put into the available vulnerability information table of node D. The specific contents and access marks of each node's available vulnerability information table are shown in Fig. 17.
Step (16): From among the available vulnerability information tables whose access mark is "not accessed", the available vulnerability information with the largest cumulative exploitability probability value is selected, namely "[D, V5, HA(V2)C(V4)D(V5), 0.048]". This available vulnerability information is removed from its table and the access mark of that table is set to "accessed". The consequence information of exploiting vulnerability V5 is "the attacker obtains administrator user execute permission on this node"; the attacker's access rights on node D are updated, the consequence information of this exploit is written into the attack path information set of node D, and this attack path information is output. The vulnerabilities on all nodes directly accessible from node D are queried and judged, and it is found that, because of the limits of the access relation, no node can be attacked from node D. The specific contents and access marks of each node's available vulnerability information table are shown in Fig. 18. In this round, because the available vulnerability information tables of node A and node B are empty, only attack paths against node C and node D are output.
Step (17): Since the access marks of all currently non-empty available vulnerability information tables are "accessed", the access marks of all available vulnerability information tables are reset to "not accessed"; the result is shown in Fig. 19. After this step ends, the calculation and output of the attack paths on every node in the current round are complete, and the calculation and output of the attack paths of a new round begin.
Step (18): From among the available vulnerability information tables whose access mark is "not accessed", the available vulnerability information with the largest cumulative exploitability probability value is selected, namely "[C, V4, HA(V2)B(V3)C(V4), 0.432]". This available vulnerability information is removed from its table and the access mark of that table is set to "accessed". The consequence information of exploiting vulnerability V4 is "the attacker obtains administrator user execute permission on this node"; the attacker's access rights on node C are updated, the consequence information of this exploit is written into the attack path information set of node C, and this attack path information is output. The vulnerabilities on all nodes directly accessible from node C are queried and judged: vulnerability V5 on node D can be attacked from node C, and no attack loop exists, so the available vulnerability information "[D, V5, HA(V2)B(V3)C(V4)D(V5), 0.0432]" is put into the available vulnerability information table of node D. The specific contents and access marks of each node's available vulnerability information table are shown in Fig. 20.
Step (19): From among the available vulnerability information tables whose access mark is "not accessed", the available vulnerability information with the largest cumulative exploitability probability value is selected, namely "[D, V5, HA(V2)B(V3)C(V4)D(V5), 0.0432]". This available vulnerability information is removed from its table and the access mark of that table is set to "accessed". The consequence information of exploiting vulnerability V5 is "the attacker obtains administrator user execute permission on this node"; the attacker's access rights on node D are updated, the consequence information of this exploit is written into the attack path information set of node D, and this attack path information is output. The vulnerabilities on all nodes directly accessible from node D are queried and judged, and it is found that, because of the limits of the access relation, no node can be attacked from node D. The specific contents and access marks of each node's available vulnerability information table are shown in Fig. 21.
Step (20): Since the available vulnerability information tables of all nodes are now empty, the calculation results are collected and output, and the algorithm run ends. During the run, several attack paths against each node were output in turn, and their related information was also recorded in the data structure of each node; in this step, the calculation results that need to be inspected can be collected and output according to actual needs.
For this embodiment, if the solution is computed with the method provided by the existing invention patent "A network security analysis method for solving K maximum probability attack graphs" (CN 102724210 B, 2015.02.11), the generation order of the attack paths is as shown in Fig. 5: all attack paths are output in descending order of their cumulative exploitability probability value, so the paths attacking node D are output last. Because the running time of that algorithm grows with the size of the network and with the value of the parameter K, in the worst case, when the network is large and K is large, the node corresponding to the attack paths with smaller cumulative exploitability probability values may not be able to output even one attack path within a given period of time.
For this embodiment, with the method provided by the present invention the generation order of the attack paths is as shown in Fig. 22. It can be seen that after the algorithm starts, nodes A, B, C and D each have an attack path output in turn: although the cumulative exploitability probability value of the attack path against node D is small, node D still gets the chance to output an attack path. The reason is that this method redesigns the selection strategy for available vulnerabilities. Instead of exploiting all available vulnerabilities in the network system one after another in descending order of cumulative exploitability probability value, this method establishes an available vulnerability information table for each node and marks each table "not accessed" or "accessed" according to whether it has been accessed, so that the attack paths against every node are output round by round. In each round every node has the chance to output an attack path, which solves the problem that "in the worst case, when K is large, the node corresponding to the attack paths with smaller cumulative exploitability probability values may not be able to output even one attack path within a given period of time". In the first and second rounds, nodes A, B, C and D all have attack paths output; in the third and fourth rounds only nodes C and D have attack paths output, because no further paths attacking nodes A and B exist. Viewed as a whole, the attack paths are not output in descending order of cumulative exploitability probability value, but for any given node the attack paths against that node are output in descending order of their cumulative exploitability probability value.
In this embodiment, the consequence information of every vulnerability exploit is "the attacker obtains administrator user execute permission on this node", so a single available vulnerability information table is established for each node; in a concrete implementation, the consequence information of different vulnerability exploits can be classified according to the specific situation and needs, and multiple available vulnerability information tables can be established for each node. In this embodiment, the algorithm run ends when the available vulnerability information tables of all nodes are empty; in a concrete implementation, it can be judged as the case requires whether the number of attack paths solved so far already meets the requirement, and if so, the calculation results can be output immediately and the run terminated.
The basic principles, main features and advantages of the present invention have been shown and described above. Those skilled in the art should understand that the present invention is not limited to the above embodiments; the above embodiments and the description merely illustrate the principle of the invention, and various changes and modifications of the invention are possible without departing from its spirit and scope. Such changes and improvements all fall within the protection scope of the claimed invention, which is defined by the appended claims and their equivalents.
Claims (3)
1. A method for progressively solving the K maximum probability attack paths, characterised in that it comprises the following steps:
Step 1: establish L available vulnerability information tables for each node in the network, where L is the number of consequence classes of vulnerability exploitation and each available vulnerability information table corresponds to one class of exploitation consequence; the available vulnerability information includes the node number, the vulnerability number, the specific attack path starting from the attacker, and the cumulative exploitability probability value; the cumulative exploitability probability value is computed by multiplying together the exploitability probability values of every vulnerability on the exploitation path starting from the attacker;
Step 2: initialise all available vulnerability information tables as empty tables;
Step 3: set the access mark of all available vulnerability information tables to "not accessed";
Step 4: starting from the attacker's position, query and judge the vulnerabilities on all nodes that the attacker can directly access; if the precondition for exploiting a vulnerability is met, put the vulnerability into the available vulnerability information table of its node that corresponds to the consequence information of that exploit;
Step 5: from among the available vulnerability information tables whose access mark is "not accessed", select the available vulnerability information with the largest cumulative exploitability probability value, remove it from its table, and set the access mark of that table to "accessed"; look up the consequence information of the exploit, update the attacker's access rights and non-access-rights consequences on that node, write the consequence information of this exploit into the attack path information set of the node where the vulnerability is located, and output the attack path information; query and judge the vulnerabilities on all nodes that can be directly accessed from that node, and if the access rights changed on this node are the necessary condition for attacking a vulnerability, the precondition of the corresponding exploit is met, and no attack loop exists, put the corresponding vulnerability into the available vulnerability information table of its node that corresponds to the consequence information of that exploit;
Step 6: judge whether the number of attack paths calculated so far meets the requirement; if so, go to step 8, otherwise go to step 7;
Step 7: judge whether all available vulnerability information tables are empty; if so, go to step 8; otherwise query the access marks of all non-empty available vulnerability information tables: if any table with access mark "not accessed" exists, go directly to step 5; if the access marks of all non-empty tables are "accessed", reset the access marks of all available vulnerability information tables to "not accessed" and go to step 5;
Step 8: collect and output the calculation results.
2. The method for progressively solving the K maximum probability attack paths according to claim 1, characterised in that the specific rule for "putting the vulnerability into the available vulnerability information table of its node that corresponds to the consequence information of the exploit" includes: if the same vulnerability has several exploitation consequences, the vulnerability is put into the available vulnerability information table of its node that corresponds to the consequence with the highest harmfulness, according to the ordering of the harmfulness of the exploitation consequences.
3. The method for progressively solving the K maximum probability attack paths according to claim 1, characterised in that the consequences of vulnerability exploitation include changes of access rights and non-access-rights consequences; the access rights include ordinary user access rights and root or administrator access rights, where ordinary user access rights can be further subdivided into ordinary user read, write and execute permission, and root or administrator access rights can be further subdivided into root or administrator read, write and execute permission; the non-access-rights consequences are all exploitation consequences other than access rights; the classification of exploitation consequences can be defined by the security administrator according to the protection goals of the system.
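The round-robin selection of claim 1, run on the embodiment's network (attacker to A, A to B and C, B to C, C to D) with one table per node (L = 1, as in the embodiment); this is an added Python model, not code from the patent, and the per-vulnerability probabilities it assumes (V1=0.9, V2=0.8, V3=0.9, V4=0.6, V5=0.1) are inferred from the cumulative values quoted in steps (10) to (19). Setting `progressive=False` reproduces the prior-art global descending order described above for comparison.

```python
"""Progressive solution of the K maximum-probability attack paths (claim 1).

Added example, not code from the patent. One table per node (L = 1 consequence
class, as in the embodiment); the per-vulnerability probabilities are inferred
from the cumulative values on the page and are therefore an assumption."""
from dataclasses import dataclass, field

# Constructed from the embodiment: access relation and vulnerabilities per node.
ACCESS = {"attacker": ["A"], "A": ["B", "C"], "B": ["C"], "C": ["D"], "D": []}
VULNS = {"A": [("V1", 0.9), ("V2", 0.8)], "B": [("V3", 0.9)],
         "C": [("V4", 0.6)], "D": [("V5", 0.1)]}


@dataclass
class Table:
    """One available-vulnerability information table (claim 1, steps 1-3)."""
    entries: list = field(default_factory=list)  # (node, vuln, path, prob)
    accessed: bool = False                       # the "accessed" mark


def fmt(path):
    """Render ((node, vuln), ...) in the page's notation, e.g. HA(V2)B(V3)."""
    return "H" + "".join(f"{n}({v})" for n, v in path)


def push_successors(tables, path, prob, node):
    """Step 4 / tail of step 5: enqueue every vulnerability on a node directly
    accessible from `node`, skipping nodes already on the path (attack loop)."""
    on_path = {n for n, _ in path}
    for nxt in ACCESS[node]:
        if nxt in on_path:                       # would form an attack loop
            continue
        for vuln, p in VULNS[nxt]:
            tables[nxt].entries.append((nxt, vuln, path + ((nxt, vuln),), prob * p))


def solve(k=None, progressive=True):
    """Return a list of (round_no, node, path_str, cumulative_prob).

    progressive=True  -> the patent's selection over "not accessed" tables only
    progressive=False -> the prior-art global descending order, for comparison
    k                 -> optional stop after k paths (step 6); None = run to empty
    """
    tables = {n: Table() for n in VULNS}         # steps 1-3
    out, round_no = [], 1
    push_successors(tables, (), 1.0, "attacker")  # step 4
    while True:
        # step 5: candidates are entries in tables not yet accessed this round
        cand = [(e, t) for t in tables.values()
                if not (progressive and t.accessed) for e in t.entries]
        if not cand:                             # step 7
            if not any(t.entries for t in tables.values()):
                break                            # every table is empty
            for t in tables.values():            # reset marks: a new round
                t.accessed = False
            round_no += 1
            continue
        entry, tbl = max(cand, key=lambda c: c[0][3])
        node, _vuln, path, prob = entry
        tbl.entries.remove(entry)
        tbl.accessed = True
        out.append((round_no, node, fmt(path), round(prob, 6)))  # output path
        if k is not None and len(out) >= k:      # step 6: enough paths
            break
        push_successors(tables, path, prob, node)
    return out                                   # step 8


if __name__ == "__main__":
    for rnd, node, path, prob in solve():
        print(f"round {rnd}: node {node}  {path}  {prob}")
```

Per node the paths still come out in descending probability (C: 0.54, 0.486, 0.48, 0.432), while the global order interleaves the nodes round by round.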
Priority Applications (1)
Application Number | Priority Date | Filing Date | Title |
---|---|---|---|
CN201710326387.3A CN107135221B (en) | 2017-05-10 | 2017-05-10 | Method for progressively solving K maximum probability attack path |
Publications (2)
Publication Number | Publication Date |
---|---|
CN107135221A true CN107135221A (en) | 2017-09-05 |
CN107135221B CN107135221B (en) | 2020-05-05 |
Family
ID=59731582
Family Applications (1)
Application Number | Title | Priority Date | Filing Date |
---|---|---|---|
CN201710326387.3A Active CN107135221B (en) | 2017-05-10 | 2017-05-10 | Method for progressively solving K maximum probability attack path |
Country Status (1)
Country | Link |
---|---|
CN (1) | CN107135221B (en) |
Cited By (1)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
US20210012012A1 (en) * | 2019-07-12 | 2021-01-14 | Palo Alto Research Center Incorporated | System and method for constructing a graph-based model for optimizing the security posture of a composed internet of things system |
Citations (5)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
CN102413003A (en) * | 2010-09-20 | 2012-04-11 | 中国科学院计算技术研究所 | Method and system for detecting network security |
CN103368976A (en) * | 2013-07-31 | 2013-10-23 | 电子科技大学 | Network security evaluation device based on attack graph adjacent matrix |
US9043920B2 (en) * | 2012-06-27 | 2015-05-26 | Tenable Network Security, Inc. | System and method for identifying exploitable weak points in a network |
CN105516177A (en) * | 2015-12-28 | 2016-04-20 | 上海交通大学 | 5G network multistage attack mitigation method based on software defined network (SDN) and network function virtualization (NFV) |
CN106453403A (en) * | 2016-11-21 | 2017-02-22 | 国家电网公司 | Vulnerability restructuring sequence determining method and system based on attack links |
Legal Events
Date | Code | Title | Description |
---|---|---|---|
PB01 | Publication | ||
SE01 | Entry into force of request for substantive examination | ||
GR01 | Patent grant | ||