CN107135221A - A method for progressively solving K maximum-probability attack paths - Google Patents

A method for progressively solving K maximum-probability attack paths

Info

Publication number: CN107135221A
Authority: CN (China)
Prior art keywords: node, leak, vulnerability, available, consequence
Legal status: Granted
Application number: CN201710326387.3A
Other languages: Chinese (zh)
Other versions: CN107135221B (en)
Inventors: 毕坤, 韩德志, 王军, 殷俊
Current assignee: Shanghai Maritime University
Original assignee: Shanghai Maritime University
Application filed by Shanghai Maritime University; priority to CN201710326387.3A
Publication of CN107135221A; application granted; publication of CN107135221B
Legal status: Active

Classifications

    • H04L63/1433 Vulnerability analysis (H Electricity; H04 Electric communication technique; H04L Transmission of digital information, e.g. telegraphic communication; H04L63/00 Network architectures or network communication protocols for network security; H04L63/14 for detecting or protecting against malicious traffic)
    • H04L63/10 Network architectures or network communication protocols for network security for controlling access to devices or network resources

Abstract

The invention discloses a method for progressively solving K maximum-probability attack paths. The method outputs the K maximum-probability attack paths of each attacked node progressively, round by round; in each round every node has a chance to output an attack path, which solves the problem that a node whose attack paths have a low cumulative vulnerability-availability probability may not output a single attack path for a long time. The number of attack paths output by the method can grow dynamically, and a specific value of the number K of attack paths does not have to be given in advance, which resolves the trade-off between real-time attack-path computation and the number of attack paths solved. The method sets up several available-vulnerability information tables for each node in the network, marks each table as visited or not visited, and combines the detailed information in each table for vulnerability selection and exploitation, finally achieving the progressive solution and output of the K maximum-probability attack paths.

Description

A method for progressively solving K maximum-probability attack paths
Technical field
The present invention relates to a network security analysis method, and in particular to a method for progressively solving K maximum-probability attack paths.
Background technology
Network security is essential to protecting enterprise information. An attacker can exploit vulnerabilities present on the various nodes of an enterprise information system (servers, routers, switches, firewalls, storage devices, personal computers and so on) and, through multi-step attacks, gradually raise the attacker's access rights on the system, steal confidential data or render the system unable to work normally. Performing a security analysis of an enterprise information system and computing in advance the attack paths that potentially exist in it can therefore guide subsequent network defence and vulnerability patching, and has important practical significance and application value.
In the prior art, Bi Kun et al., in the invention patent "A network security analysis method for solving K maximum-probability attack graphs" (CN 102724210 B, 2015.02.11), proposed a method for solving the first K maximum-probability attack paths of each node in the attacked network. That method does not need to compute and generate a complete attack graph and can directly compute the first K maximum-probability attack paths of each node, but its running time grows as the value of K grows. Because that method arranges the attack paths of all nodes in the network in descending order of cumulative vulnerability-availability probability, a node whose attack paths have smaller cumulative probabilities outputs its attack paths relatively late; in the worst case, when K is large, such a node may not output a single attack path for a long time while a node whose attack paths have larger cumulative probabilities may already have output all of its attack paths. That method therefore cannot guarantee the timeliness of the attack-path output of each node, and the balance between the number of attack paths K and real-time computation needs further consideration. On the other hand, that method requires a specific value of the parameter K to be given in advance; after the first K maximum-probability attack paths of each attacked node have been solved, obtaining more attack paths requires resetting K and re-executing the method once more, and the computation cannot continue from the previous result. This leads to repeated computation and wastes computing resources and computation time.
The content of the invention
To overcome the defects of the prior art described above, the present invention provides a method for progressively solving K maximum-probability attack paths. Given the topology and access relations of a network system, the raw information of the vulnerabilities present on each node and the initial position of the attacker, the method outputs the attack paths of each attacked node round by round; in each round every node has a chance to output an attack path, the number K of output attack paths can grow dynamically, and a specific value of K does not have to be given in advance. The raw vulnerability information comprises the vulnerability identifier, the node on which the vulnerability is located, the precondition for exploiting the vulnerability, the consequence of exploiting it, and the availability probability of the vulnerability.
To achieve these goals, the present invention provides a method for progressively solving K maximum-probability attack paths, comprising the following steps:
Step 1: set up L available-vulnerability information tables for each node in the network, where L is the number of consequence classes of vulnerability exploitation, each table corresponding to one class of exploitation consequence.
An available-vulnerability entry comprises the node identifier, the vulnerability identifier, the specific attack path starting from the attacker, and the cumulative vulnerability-availability probability. The cumulative probability is computed by multiplying the availability probabilities of all vulnerabilities on the attack path from the attacker. The consequences of vulnerability exploitation comprise changes of access rights and consequences not related to access rights. Access rights comprise ordinary-user access rights and root or administrator access rights; ordinary-user rights can be subdivided into read, write and execute rights, and root or administrator rights likewise into read, write and execute rights. Consequences not related to access rights are all other consequences of exploitation, including service stoppage, system stoppage, slower service response, slower system response, data loss, data deletion and data theft. The consequence classes can be defined by the security administrator according to the security goals of the system.
Step 2: initialize all available-vulnerability information tables as empty tables.
Step 3: set the access mark of all available-vulnerability information tables to "not visited".
Step 4: starting from the attacker's position, query and examine the vulnerabilities on all nodes that the attacker can access directly; if the exploitation precondition of a vulnerability is met, place the vulnerability, according to its exploitation consequence, into the corresponding available-vulnerability information table of the node where it is located.
The specific rule for "placing the vulnerability, according to its exploitation consequence, into the corresponding available-vulnerability information table of its node" is: if the same vulnerability has several exploitation consequences, it is placed into the table corresponding to the most harmful of them, according to the ordering of consequence harmfulness. That ordering can be defined by the security administrator according to the security goals of the system; in general, obtaining access rights is more harmful than a consequence not related to access rights, obtaining root or administrator rights is more harmful than obtaining ordinary-user rights, obtaining execute rights is more harmful than obtaining write rights, and obtaining write rights is more harmful than obtaining read rights.
Step 5: from all available-vulnerability information tables whose access mark is "not visited", select the entry with the largest cumulative vulnerability-availability probability, remove it from its table and set the access mark of that table to "visited". Query the exploitation consequence of the vulnerability, update the attacker's access rights and other consequences on that node, write the consequence into the node's attack-path information set and output the attack-path information. Then query and examine the vulnerabilities on all nodes that can be accessed directly from this node: if the access rights just changed on this node are a necessary condition for attacking a vulnerability, the exploitation precondition of that vulnerability is met, and no attack loop exists, place the vulnerability, according to its exploitation consequence, into the corresponding available-vulnerability information table of its node. An attack loop means that a node is repeated on the attack path and the attack purpose on the repeated node is the same.
Step 6: judge whether the number of attack paths computed meets the requirement; if so, go to step 8, otherwise go to step 7.
Step 7: judge whether all available-vulnerability information tables are empty; if so, go to step 8. Otherwise query the access marks of all non-empty tables: if there is a non-empty table marked "not visited", go directly to step 5; if all non-empty tables are marked "visited", reset the access marks of all tables to "not visited" and go to step 5.
Step 8: collect and output the computation results. During the run of the algorithm the attack paths of each attacked node have been output one after another, and the related information has been recorded in the data structure of each node; in this step the results to be inspected can be collected and output according to actual needs.
Compared with the prior art, the method for progressively solving K maximum-probability attack paths provided by the present invention has the following advantages: (1) the method outputs the attack paths of each attacked node round by round, and in each round every node has a chance to output an attack path, which solves the problem that a node whose attack paths have a low cumulative vulnerability-availability probability may not output a single attack path for a long time; (2) the number K of attack paths output by the method can grow dynamically and a specific value of K does not have to be given in advance, which resolves the trade-off between real-time attack-path computation and the number K of attack paths solved.
Compared with the network security analysis method for solving K maximum-probability attack graphs provided in the invention patent "A network security analysis method for solving K maximum-probability attack graphs" (CN 102724210 B, 2015.02.11), the present invention solves the following two problems. (1) It solves the problem that "in the worst case, when K is large, a node whose attack paths have small cumulative vulnerability-availability probabilities may not output a single attack path for a long time". The method of the existing patent arranges and processes all available vulnerabilities in the network system in descending order of cumulative vulnerability-availability probability, and its running time grows with the value of K, which is why that problem arises. The present invention does not exploit all available vulnerabilities in the network system in descending order of cumulative probability; instead, it sets up an available-vulnerability information table for each node and marks each table "not visited" or "visited" according to whether it has been accessed. In essence this redesigns the strategy for choosing and exploiting vulnerabilities, so that the attack paths of each attacked node are output round by round and every node has a chance to output an attack path in each round, which solves the worst-case problem quoted above. (2) It solves the problems that the number K of attack paths must be specified in advance and that attack paths cannot be generated incrementally. The method of the existing patent requires a specific value of K to be given in advance; after the first K maximum-probability attack paths of each attacked node have been solved, obtaining more attack paths requires resetting K and re-executing the method once more, and the computation cannot continue from the previous result. To obtain more attack paths a rather large value of K must be given in advance, and a larger K further aggravates the problem that "when K is large, a node whose attack paths have small cumulative probabilities may not output a single attack path for a long time". The present invention, by redesigning the vulnerability selection and exploitation strategy, outputs the attack paths of each attacked node round by round, achieves incremental generation of attack paths, and does not require the number K of attack paths to be given in advance. When analysing a large network system, the running time required to solve the first K attack paths of each attacked node generally cannot be estimated accurately, while one also wants to make full use of a given time window to solve as many attack paths as possible; in that situation an accurate value of K cannot be given in advance. The present invention does not need a constraint on K in advance: as running time passes, every node has the opportunity to output more attack paths, which solves the problem of incremental attack-path generation.
Brief description of the drawings
Fig. 1 is the flow chart of the method of the invention;
Fig. 2 is the network topology diagram;
Fig. 3 is the access relation diagram;
Fig. 4 is the raw vulnerability information of each node;
Fig. 5 is the attack path order diagram generated by a prior-art method;
Fig. 6 is available-vulnerability information table 1;
Fig. 7 is available-vulnerability information table 2;
Fig. 8 is available-vulnerability information table 3;
Fig. 9 is available-vulnerability information table 4;
Fig. 10 is available-vulnerability information table 5;
Fig. 11 is available-vulnerability information table 6;
Fig. 12 is available-vulnerability information table 7;
Fig. 13 is available-vulnerability information table 8;
Fig. 14 is available-vulnerability information table 9;
Fig. 15 is available-vulnerability information table 10;
Fig. 16 is available-vulnerability information table 11;
Fig. 17 is available-vulnerability information table 12;
Fig. 18 is available-vulnerability information table 13;
Fig. 19 is available-vulnerability information table 14;
Fig. 20 is available-vulnerability information table 15;
Fig. 21 is available-vulnerability information table 16;
Fig. 22 is the attack path order diagram generated by the present invention.
Embodiment
To make the technical means, creative features and achieved objectives of the present invention easy to understand, the present invention is further explained below with reference to a specific embodiment.
The network topology is shown in Fig. 2. Node H represents the attacker, and nodes A, B, C and D represent the nodes of a given network system; a directed arrow between nodes represents the access relation between them. The access relation is shown in Fig. 3: starting from the second row, each row gives the set of nodes that one node is able to access, where "√" means direct access is possible and "X" means it is not. For example, the second row shows that the attacker can directly access node A but not nodes B, C and D, and the third row shows that node A can directly access nodes A, B and C but not node D; the access relations between the other nodes are given in Fig. 3 in the same way. In this embodiment the access relation is defined as unidirectional, but in a concrete implementation it can be defined as unidirectional or bidirectional as circumstances require.
The raw information of the vulnerabilities present on each node is shown in Fig. 4. The exploitation precondition states what must hold for the vulnerability to be exploited; the exploitation consequence states the consequence produced once the vulnerability is exploited successfully, which in this example is "the attacker obtains administrator execute rights on the node"; and the availability probability states how likely it is that the vulnerability can be exploited successfully. Once administrator execute rights on a node are obtained, the attacker can run programs on that node and launch new attacks from it.
Given the above input, and as shown in Fig. 1, the specific steps of the method of the present invention are as follows:
Step (1): set up one available-vulnerability information table for each node. In this embodiment the exploitation consequence is "the attacker obtains administrator execute rights on the node", so one table is set up for each node. If there were several classes of exploitation consequence, several tables could be set up for each node according to the actual situation;
Step (2): initialize all available-vulnerability information tables as empty tables;
Step (3): set the access mark of all available-vulnerability information tables to "not visited";
Step (4): starting from the attacker's position, query and examine the vulnerabilities on all nodes that the attacker can access directly. The vulnerabilities V1 and V2 on node A can be attacked by the attacker and their exploitation preconditions are met, so the available-vulnerability entries for V1 and V2 are placed into the table of node A. As shown in Fig. 6, two entries have been added to node A's table: "[A, V1, HA(V1), 0.9]" and "[A, V2, HA(V2), 0.8]". Each entry comprises the node identifier, the vulnerability identifier, the specific attack path from the attacker and the cumulative vulnerability-availability probability. For example, the entry "[A, V1, HA(V1), 0.9]" states that node A has an available vulnerability V1, that the specific attack path from the attacker is that the attacker H directly attacks vulnerability V1 on node A, and that the cumulative vulnerability-availability probability is 0.9;
Step (5): from all tables marked "not visited", select the entry with the largest cumulative probability, which is "[A, V1, HA(V1), 0.9]". Remove it from its table and set the access mark of the table to "visited". The exploitation consequence of V1 is "the attacker obtains administrator execute rights on the node", so update the attacker's access rights on node A, write the consequence into node A's attack-path information set and output this attack path. Then query and examine the vulnerabilities on all nodes that node A can access directly: vulnerability V3 on node B and vulnerability V4 on node C can be attacked from node A and no attack loop exists, so the entry "[B, V3, HA(V1)B(V3), 0.81]" is placed into the table of node B, where the attack path "HA(V1)B(V3)" means that the attacker H first attacks V1 on node A and, after obtaining rights there, attacks V3 on node B from node A, with cumulative probability 0.9*0.9=0.81; and the entry "[C, V4, HA(V1)C(V4), 0.54]" is placed into the table of node C, with cumulative probability 0.9*0.6=0.54. The contents and access marks of each node's table are shown in Fig. 7;
Step (6): from all tables marked "not visited", select the entry with the largest cumulative probability, which is "[B, V3, HA(V1)B(V3), 0.81]". Remove it from its table and set the access mark of the table to "visited". The exploitation consequence of V3 is "the attacker obtains administrator execute rights on the node", so update the attacker's access rights on node B, write the consequence into node B's attack-path information set and output this attack path. Then query and examine the vulnerabilities on all nodes that node B can access directly: vulnerability V4 on node C can be attacked from node B and no attack loop exists, so the entry "[C, V4, HA(V1)B(V3)C(V4), 0.486]" is placed into the table of node C, with cumulative probability 0.9*0.9*0.6=0.486. The contents and access marks of each node's table are shown in Fig. 8;
In available vulnerability information tables of step (7) from all access labeled as " not accessing ", the accumulation of leak availability is selected One of probable value maximum can use vulnerability information, therefore selection can use vulnerability information " [C, V4,HA(V1)C(V4), 0.54] ", will The available vulnerability information is removed from available vulnerability information table, and the access mark of the available vulnerability information table is set to " Access ", inquiry leak V4Vulnerability exploit consequence information for " attacker obtains administrator's right of execution on the node Limit ", updates access rights of the attacker on node C, and the consequence information of this vulnerability exploit is write to node C attack road Footpath information aggregate simultaneously exports this attack path information, inquires about and judges the leakage on all nodes that can be directly accessed by node C Hole, finds the leak V that can be attacked on node D from node C5, and in the absence of attack loop, therefore can with vulnerability information " [D, V5,HA(V1)C(V4)D(V5), 0.054] " it is put into node D available vulnerability information table, wherein leak availability cumulative probability It is worth for 0.9*0.6*0.1=0.054, particular content in the available vulnerability information table of each node and to access mark as shown in Figure 9; It can be seen that from the step, although vulnerability information " [C, V can be used4,HA(V1)C(V4), 0.54] " leak availability cumulative probability Value be not current all nodes available vulnerability information table in maximum one of leak availability cumulative probability value, but be due to The access mark of node A and node B available vulnerability information table is " access ", so being arranged when current leak is chosen Remove, and vulnerability information " [C, V can be used4,HA(V1)C(V4), 0.54] " it is all available leakages that current accessed is labeled 
as " not accessing " Leak availability cumulative probability value is maximum in the information table of hole one, therefore be selected and utilize in this step;
In available vulnerability information tables of step (8) from all access labeled as " not accessing ", the accumulation of leak availability is selected One of probable value maximum can use vulnerability information, because node A, node B and node C available vulnerability information table are currently " access ", so selection can use vulnerability information " [D, V5,HA(V1)C(V4)D(V5), 0.054] ", by the available vulnerability information Removed from available vulnerability information table, and the access mark of the available vulnerability information table is set to " access ", inquire about leak V5The consequence information of vulnerability exploit be " attacker obtains administrator on the node and performs authority ", update attacker and exist Access rights on node D, and the consequence information of this vulnerability exploit is write into node D attack path information aggregate and exported This attack path information, inquires about and judges the leak on all nodes that can be directly accessed by node D, finds by access relation Limitation, the particular content that can not be attacked in any node, the available vulnerability information table of each node from node D and access mark such as Shown in Figure 10;It is can be seen that from the step because node A, node B and node C available vulnerability information table are currently " to have visited Ask ", therefore leak can only be chosen from node D available vulnerability information table, so node D obtains the machine of output attack path Meeting;Conducted interviews mark by the available vulnerability information table to each node, so that each node has the machine of output attack path Meeting;
Step (9) is because the access mark of the available vulnerability information table of current all non-NULLs is " access ", then by institute The access mark reset all for having available vulnerability information table is " not accessing ", as a result as shown in figure 11;After the step terminates, meaning The calculating and output for the attack path in current round on each node are over, the calculating of the attack path of a new round and defeated Go out to start;
In available vulnerability information tables of step (10) from all access labeled as " not accessing ", select leak availability and tire out One of product probable value maximum can use vulnerability information, therefore selection can use vulnerability information " [A, V2,HA(V2), 0.8] ", can by this Removed with vulnerability information from available vulnerability information table, and the access mark of the available vulnerability information table is set to " visit Ask ", inquiry leak V2The consequence information of vulnerability exploit be " attacker obtains administrator on the node and performs authority ", Access rights of the attacker on node A are updated, and the attack path that the consequence information of this vulnerability exploit is write into node A is believed Breath collection merges output this attack path information, inquires about and judges the leak on all nodes that can be directly accessed by node A, sends out The leak V that can be now attacked on node B from node A3With the leak V on node C4, and in the absence of attack loop, therefore will be available Vulnerability information " [B, V3,HA(V2)B(V3), 0.72] " it is put into node B available vulnerability information table, wherein leak availability is tired out Product probable value is 0.8*0.9=0.72, can use vulnerability information " [C, V4,HA(V2)C(V4), 0.48] " it is put into the available of node C In vulnerability information table, wherein leak availability cumulative probability value is 0.8*0.6=0.48, in the available vulnerability information table of each node Particular content and to access mark as shown in figure 12;
Step (11): from all available-vulnerability-information tables whose access mark is "not accessed", select the item with the largest vulnerability-availability cumulative probability value; the selected item is "[B, V3, HA(V2)B(V3), 0.72]". Remove this item from its table and set the access mark of that table to "accessed". Query the consequence information of exploiting vulnerability V3, which is "the attacker obtains administrator user execution authority on the node"; update the attacker's access rights on node B, write the consequence information of this exploit into the attack-path information set of node B and output this attack path information. Query and judge the vulnerabilities on all nodes that can be directly accessed from node B: vulnerability V4 on node C can be attacked from node B, and no attack loop arises. Therefore the available vulnerability information "[C, V4, HA(V2)B(V3)C(V4), 0.432]" is put into the table of node C. The contents and access marks of each node's table are shown in Fig. 13.
Step (12): from all available-vulnerability-information tables whose access mark is "not accessed", select the item with the largest vulnerability-availability cumulative probability value; the selected item is "[C, V4, HA(V1)B(V3)C(V4), 0.486]". Remove this item from its table and set the access mark of that table to "accessed". Query the consequence information of exploiting vulnerability V4, which is "the attacker obtains administrator user execution authority on the node"; update the attacker's access rights on node C, write the consequence information of this exploit into the attack-path information set of node C and output this attack path information. Query and judge the vulnerabilities on all nodes that can be directly accessed from node C: vulnerability V5 on node D can be attacked from node C, and no attack loop arises. Therefore the available vulnerability information "[D, V5, HA(V1)B(V3)C(V4)D(V5), 0.0486]" is put into the table of node D. The contents and access marks of each node's table are shown in Fig. 14.
Step (13): from all available-vulnerability-information tables whose access mark is "not accessed", select the item with the largest vulnerability-availability cumulative probability value; the selected item is "[D, V5, HA(V1)B(V3)C(V4)D(V5), 0.0486]". Remove this item from its table and set the access mark of that table to "accessed". Query the consequence information of exploiting vulnerability V5, which is "the attacker obtains administrator user execution authority on the node"; update the attacker's access rights on node D, write the consequence information of this exploit into the attack-path information set of node D and output this attack path information. Query and judge the vulnerabilities on all nodes that can be directly accessed from node D: limited by the access relations, no node can be attacked from node D. The contents and access marks of each node's table are shown in Fig. 15.
Step (14): because the access marks of all currently non-empty available-vulnerability-information tables are "accessed", the access marks of all available-vulnerability-information tables are reset to "not accessed"; the result is shown in Fig. 16. The end of this step means that the calculation and output of the attack paths for each node in the current round are over, and the calculation and output of a new round of attack paths begin.
Step (15): from all available-vulnerability-information tables whose access mark is "not accessed", select the item with the largest vulnerability-availability cumulative probability value; the selected item is "[C, V4, HA(V2)C(V4), 0.48]". Remove this item from its table and set the access mark of that table to "accessed". Query the consequence information of exploiting vulnerability V4, which is "the attacker obtains administrator user execution authority on the node"; update the attacker's access rights on node C, write the consequence information of this exploit into the attack-path information set of node C and output this attack path information. Query and judge the vulnerabilities on all nodes that can be directly accessed from node C: vulnerability V5 on node D can be attacked from node C, and no attack loop arises. Therefore the available vulnerability information "[D, V5, HA(V2)C(V4)D(V5), 0.048]" is put into the table of node D. The contents and access marks of each node's table are shown in Fig. 17.
Step (16): from all available-vulnerability-information tables whose access mark is "not accessed", select the item with the largest vulnerability-availability cumulative probability value; the selected item is "[D, V5, HA(V2)C(V4)D(V5), 0.048]". Remove this item from its table and set the access mark of that table to "accessed". Query the consequence information of exploiting vulnerability V5, which is "the attacker obtains administrator user execution authority on the node"; update the attacker's access rights on node D, write the consequence information of this exploit into the attack-path information set of node D and output this attack path information. Query and judge the vulnerabilities on all nodes that can be directly accessed from node D: limited by the access relations, no node can be attacked from node D. The contents and access marks of each node's table are shown in Fig. 18. In this round, because the tables of node A and node B are empty, only attack paths attacking node C and node D are output.
Step (17): because the access marks of all currently non-empty available-vulnerability-information tables are "accessed", the access marks of all available-vulnerability-information tables are reset to "not accessed"; the result is shown in Fig. 19. The end of this step means that the calculation and output of the attack paths for each node in the current round are over, and the calculation and output of a new round of attack paths begin.
Step (18): from all available-vulnerability-information tables whose access mark is "not accessed", select the item with the largest vulnerability-availability cumulative probability value; the selected item is "[C, V4, HA(V2)B(V3)C(V4), 0.432]". Remove this item from its table and set the access mark of that table to "accessed". Query the consequence information of exploiting vulnerability V4, which is "the attacker obtains administrator user execution authority on the node"; update the attacker's access rights on node C, write the consequence information of this exploit into the attack-path information set of node C and output this attack path information. Query and judge the vulnerabilities on all nodes that can be directly accessed from node C: vulnerability V5 on node D can be attacked from node C, and no attack loop arises. Therefore the available vulnerability information "[D, V5, HA(V2)B(V3)C(V4)D(V5), 0.0432]" is put into the table of node D. The contents and access marks of each node's table are shown in Fig. 20.
Step (19): from all available-vulnerability-information tables whose access mark is "not accessed", select the item with the largest vulnerability-availability cumulative probability value; the selected item is "[D, V5, HA(V2)B(V3)C(V4)D(V5), 0.0432]". Remove this item from its table and set the access mark of that table to "accessed". Query the consequence information of exploiting vulnerability V5, which is "the attacker obtains administrator user execution authority on the node"; update the attacker's access rights on node D, write the consequence information of this exploit into the attack-path information set of node D and output this attack path information. Query and judge the vulnerabilities on all nodes that can be directly accessed from node D: limited by the access relations, no node can be attacked from node D. The contents and access marks of each node's table are shown in Fig. 21.
Step (20): because the available-vulnerability-information tables of all nodes are empty, the calculation results can be collected and output, and the algorithm run ends. During the run, multiple attack paths attacking each node were output in turn, and the related information has also been recorded in the data structure of each node; in this step, the calculation results that need to be examined can be collected and output according to actual needs.
For this embodiment, if the problem is solved with the method provided by the existing invention patent "A network security analysis method for solving the K maximum probability attack graph" (CN 102724210 B, 2015.02.11, full text), the generation order of the attack paths is as shown in Fig. 5: all attack paths are output in descending order of their vulnerability-availability cumulative probability value, so the paths attacking node D are output last. Because the run time of that algorithm grows with the size of the network and with the value of the parameter K, in the worst case, when the network is large and K is large, the node corresponding to an attack path with a small vulnerability-availability cumulative probability value may not have even one attack path output within a given period of time.
For this embodiment, using the method provided by the present invention, the generation order of the attack paths is as shown in Fig. 22. It can be seen that after the algorithm starts, nodes A, B, C and D each have one attack path output in turn; although the vulnerability-availability cumulative probability value of the path attacking node D is small, that path still gets the chance to be output. This is because the method redesigns the selection strategy for available vulnerabilities: instead of exploiting all available vulnerabilities in the network system one after another in descending order of cumulative probability value, it sets up an available-vulnerability-information table for each node separately and marks each table "not accessed" or "accessed" according to whether it has been accessed, thereby achieving round-by-round output of attack paths for each node. In every round, every node has the chance to output an attack path, which solves the problem that "in the worst case, when K is large, the node corresponding to an attack path with a small vulnerability-availability cumulative probability value may not output any attack path within a given period of time". In the first and second rounds, nodes A, B, C and D all output attack paths; in the third and fourth rounds, only nodes C and D do, because there are no further paths attacking nodes A and B, so nodes A and B output no attack path. Viewed as a whole, the attack paths are not output in descending order of their cumulative probability value, but for any given node, the attack paths of that node are output in descending order of their cumulative probability value.
In this embodiment, the consequence information of every vulnerability exploit is "the attacker obtains administrator user execution authority on the node", so a single available-vulnerability-information table is established for each node; in a concrete implementation, the consequence information of the various exploits can be classified according to the specific situation and needs, and multiple tables set up for each node. In this embodiment, the algorithm ends when the tables of all nodes are empty; in a concrete implementation, it may be necessary to judge, as the case may be, whether the number of attack paths solved so far meets the requirement, and if so, output the calculation results immediately and end the run.
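As an added example that is not code from the patent, the following Python reimplements the per-node table scheme of steps 1 to 8 and runs it on the four-node embodiment network, then contrasts the resulting order with the purely probability-sorted order of the cited prior method. The node names, vulnerability identifiers and availability probabilities (V1 0.9, V2 0.8, V3 0.9, V4 0.6, V5 0.1) are reconstructed from the cumulative values quoted in the worked steps; the edge list, the `Entry`/`Table` layout and the helper names are my own assumptions.

```python
from dataclasses import dataclass, field

ATTACKER = "H"
NODES = ["A", "B", "C", "D"]
# Constructed from the embodiment's figures: (source, target, vuln, availability).
# H reaches A directly; V4 on C is reachable from A and from B; D reaches nothing.
EDGES = [
    ("H", "A", "V1", 0.9),
    ("H", "A", "V2", 0.8),
    ("A", "B", "V3", 0.9),
    ("A", "C", "V4", 0.6),
    ("B", "C", "V4", 0.6),
    ("C", "D", "V5", 0.1),
]


@dataclass
class Entry:
    """One row of an available-vulnerability-information table."""
    node: str
    vuln: str
    path: tuple    # hops from the attacker as (node, vuln) pairs
    prob: float    # vulnerability-availability cumulative probability


@dataclass
class Table:
    entries: list = field(default_factory=list)
    accessed: bool = False


def progressive_paths(edges=EDGES, nodes=NODES, attacker=ATTACKER, k=None):
    """Emit attack paths in the order the progressive algorithm produces them.

    Returns a list of (round, target node, path string, cumulative probability).
    Only one consequence class (administrator execution authority) is modelled,
    so each node has a single table, as in the embodiment.
    """
    tables = {n: Table() for n in nodes}                 # steps 1-3
    for src, dst, v, p in edges:                         # step 4
        if src == attacker:
            tables[dst].entries.append(Entry(dst, v, ((dst, v),), p))
    out, rnd = [], 1
    while True:
        pool = [e for t in tables.values() if not t.accessed for e in t.entries]
        if not pool:                                     # step 7
            if all(not t.entries for t in tables.values()):
                break                                    # step 8: nothing left
            for t in tables.values():                    # every non-empty table
                t.accessed = False                       # was visited: new round
            rnd += 1
            continue
        best = max(pool, key=lambda e: e.prob)           # step 5
        tbl = tables[best.node]
        tbl.entries.remove(best)
        tbl.accessed = True
        path_str = attacker + "".join(f"{n}({v})" for n, v in best.path)
        out.append((rnd, best.node, path_str, round(best.prob, 6)))
        if k is not None and len(out) >= k:              # step 6
            break
        on_path = {n for n, _ in best.path}
        for src, dst, v, p in edges:
            if src == best.node and dst not in on_path:  # no attack loop
                tables[dst].entries.append(
                    Entry(dst, v, best.path + ((dst, v),), best.prob * p))
    return out


def prior_art_order(paths):
    """Order of the cited CN 102724210 B method: strictly by probability."""
    return sorted(paths, key=lambda r: -r[3])


def first_index_hitting(paths, node):
    """Position at which a given node first receives an attack path."""
    return next(i for i, r in enumerate(paths) if r[1] == node)


if __name__ == "__main__":
    for r in progressive_paths():
        print("round %d  %s  %-22s %.4f" % r)
```

Running it reproduces the twelve paths of Figs. 11 to 21 in four rounds, with node D first served as the fourth output instead of the ninth.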
The basic principles, main features and advantages of the present invention have been shown and described above. Those skilled in the art should understand that the present invention is not limited to the above embodiments; the embodiments and the specification merely illustrate the principle of the invention, and various changes and modifications are possible without departing from the spirit and scope of the invention, all of which fall within the protection scope of the claimed invention. The claimed scope of the invention is defined by the appended claims and their equivalents.

Claims (3)

1. A method for progressively solving K maximum probability attack paths, characterised in that it comprises the following steps:
Step 1: establish L available-vulnerability-information tables for each node in the network, where L is the number of consequence categories of vulnerability exploitation and each table corresponds to one type of exploitation consequence; an item of available vulnerability information includes the node number, the vulnerability number, the specific attack path starting from the attacker, and the vulnerability-availability cumulative probability value; the cumulative probability value is computed by multiplying together the availability probability values of each vulnerability on the exploitation path starting from the attacker;
Step 2: initialise all available-vulnerability-information tables as empty tables;
Step 3: set the access mark of all available-vulnerability-information tables to "not accessed";
Step 4: starting from the attacker's position, query and judge the vulnerabilities on all nodes that the attacker can directly access; if the preconditions of an exploit are met, put the vulnerability into the available-vulnerability-information table of its node that corresponds to the consequence information of that exploit;
Step 5: from all available-vulnerability-information tables whose access mark is "not accessed", select the item with the largest vulnerability-availability cumulative probability value, remove it from its table and set the access mark of that table to "accessed"; query the consequence information of the exploit, update the attacker's access rights on the node and the non-access-rights consequences, write the consequence information of this exploit into the attack-path information set of the node where the vulnerability is located and output the attack path information; query and judge the vulnerabilities on all nodes that can be directly accessed from this node, and if the access rights changed on this node are a necessary condition for attacking a vulnerability, the preconditions of the corresponding exploit are met and no attack loop exists, put the corresponding vulnerability into the table of its node that corresponds to the consequence information of the exploit;
Step 6: judge whether the number of attack paths calculated meets the requirement; if so, go to step 8, otherwise go to step 7;
Step 7: judge whether all available-vulnerability-information tables are empty; if so, go to step 8; otherwise query the access marks of all non-empty tables: if a non-empty table marked "not accessed" exists, go directly to step 5; if the access marks of all non-empty tables are "accessed", reset the access marks of all tables to "not accessed" and go to step 5;
Step 8: collect and output the calculation results.
2. The method for progressively solving K maximum probability attack paths as claimed in claim 1, characterised in that
the specific rule for "putting the vulnerability into the table of its node that corresponds to the consequence information of the exploit" includes: if the same vulnerability has multiple exploitation consequences, the vulnerability is put into the table of its node that corresponds to the consequence of highest harmfulness, according to the ordering of the harmfulness of the exploitation consequences.
3. The method for progressively solving K maximum probability attack paths as claimed in claim 1, characterised in that
the consequences of vulnerability exploitation include changes of access rights and non-access-rights consequences; the access rights include ordinary-user access rights and root or administrator access rights, where ordinary-user access rights can be further subdivided into ordinary-user read rights, ordinary-user write rights and ordinary-user execute rights, and root or administrator access rights can be further subdivided into root or administrator read rights, root or administrator write rights and root or administrator execute rights; the non-access-rights consequences refer to the consequences of all other exploits apart from access rights; the classification of exploitation consequences can be defined by the security manager according to the protection goals of the system.
CN201710326387.3A 2017-05-10 2017-05-10 Method for progressively solving K maximum probability attack path Active CN107135221B (en)