CN107135221B - Method for progressively solving K maximum probability attack path - Google Patents

Method for progressively solving K maximum probability attack path

Info

Publication number
CN107135221B
Authority
CN
China
Prior art keywords
vulnerability
node
available
information
access
Prior art date
Legal status
Active
Application number
CN201710326387.3A
Other languages
Chinese (zh)
Other versions
CN107135221A (en)
Inventor
毕坤
韩德志
王军
殷俊
Current Assignee
Shanghai Maritime University
Original Assignee
Shanghai Maritime University

Classifications

    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L 63/00 Network architectures or network communication protocols for network security
    • H04L 63/14 Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic
    • H04L 63/1433 Vulnerability analysis
    • H04L 63/10 Network architectures or network communication protocols for network security for controlling access to devices or network resources

Landscapes

  • Engineering & Computer Science (AREA)
  • Computer Security & Cryptography (AREA)
  • Computer Hardware Design (AREA)
  • Computing Systems (AREA)
  • General Engineering & Computer Science (AREA)
  • Computer Networks & Wireless Communication (AREA)
  • Signal Processing (AREA)
  • Computer And Data Communications (AREA)

Abstract

The invention discloses a method for progressively solving K maximum probability attack paths. The method outputs the K maximum probability attack paths against the nodes in rounds, and in each round every node has a chance to output an attack path, so a node whose attack paths have a small vulnerability availability cumulative probability value no longer waits a long time before a single one of its attack paths is output. The method establishes several available vulnerability information tables for each node in the network, marks each table as accessed or not accessed, selects and exploits vulnerabilities according to the specific information in each table, and thereby solves and outputs the K maximum probability attack paths progressively.

Description

Method for progressively solving K maximum probability attack path
Technical Field
The invention relates to a network security analysis method, in particular to a method for progressively solving K maximum probability attack paths.
Background
Network security is essential to protecting enterprise information. An attacker can mount a multi-step attack that exploits vulnerabilities on several different nodes of an enterprise information system (servers, routers, switches, firewalls, storage devices, personal computers and the like) to escalate access rights on the system step by step, and then steal confidential data or stop the system from working normally. Performing security analysis of the enterprise information system and computing its potential attack paths in advance therefore provides guidance for the next steps of network defense and vulnerability repair, and has important practical significance and application value.
In the prior art, the invention patent "A network security analysis method for solving the K maximum probability attack graph" (CN 102724210B, 2015.02.11, full text) by Bi Kun et al. provides a method for solving the first K attack paths with the maximum probability of attacking each node in a network. The method computes these K paths directly, without generating a complete attack graph, but its running time grows as the value of K increases. In the worst case, the nodes reached by attack paths with large vulnerability availability cumulative probability values may have all of their attack paths output before nodes with small values output any, so the method cannot guarantee the timeliness with which each node outputs its attack paths, and the trade-off between the number K of attack paths and the real-time performance of the calculation needs further consideration. On the other hand, the method requires a specific value of the parameter K to be given in advance. Once the first K maximum probability attack paths of each node have been solved, obtaining more attack paths requires resetting the value of K and running the method again; further work cannot build on the previous solution results, which causes repeated calculation and wastes computing resources and computing time.
Disclosure of Invention
To overcome these defects of the prior art, the invention provides a method for progressively solving K maximum probability attack paths. Given the topology and access relations of a network system, the original information of the vulnerabilities present on its nodes, and the initial position of the attacker, the method outputs the attack paths against the nodes in rounds; every node has the opportunity to output attack paths in each round, the number K of output attack paths can grow dynamically, and no specific value of K needs to be given in advance. The original vulnerability information comprises the vulnerability number, the node where the vulnerability is located, the preconditions of exploiting the vulnerability, the consequences of exploiting it, and the availability probability value of the vulnerability.
In order to achieve the above object, the present invention provides a method for solving K maximum probability attack paths progressively, comprising the following steps:
step 1, establishing L available vulnerability information tables for each node in the network, where L is the number of consequence classes of vulnerability exploitation and each available vulnerability information table corresponds to one class of exploitation consequence;
an item of available vulnerability information comprises a node number, a vulnerability number, the specific attack path from the attacker, and a vulnerability availability cumulative probability value; the cumulative probability value is calculated by multiplying the availability probability values of all vulnerabilities on the exploitation path from the attacker. The consequences of vulnerability exploitation comprise changes of access authority and consequences of the non-access-authority class. Access authority comprises the access authority of a common user and that of the root or administrator user; common-user access authority can be subdivided into the read, write and execute authority of the common user, and root or administrator access authority can be subdivided into the read, write and execute authority of the root or administrator user. Non-access-authority consequences are all consequences of vulnerability exploitation other than access authority, including service stoppage, system stoppage, slowed service response, slowed system response, data loss, data deletion, data theft and the like. The classification of exploitation consequences can be defined by security management personnel according to the security objectives of the system;
step 2, initializing all available vulnerability information tables into empty tables;
step 3, setting the access marks of all available vulnerability information tables as 'unaccessed';
step 4, starting from the position of the attacker, inquiring and judging the vulnerabilities on all nodes which can be directly accessed by the attacker, and if the preconditions of the vulnerability exploitation are met, putting the vulnerability into an available vulnerability information table corresponding to the node where the vulnerability is located according to the consequence information of the vulnerability exploitation;
the specific rule for "putting the vulnerability into the corresponding available vulnerability information table of its node according to the consequence information of the exploitation" is: if exploiting the same vulnerability has several consequences, the vulnerability is put into the table of its node that corresponds to the most harmful of those consequences, according to the ranking of the harmfulness of exploitation consequences. This ranking can be defined by the security manager according to the security objectives of the system. Under normal conditions, obtaining access authority is more harmful than a non-access-authority consequence, obtaining root or administrator access authority is more harmful than obtaining common-user access authority, obtaining execute authority is more harmful than obtaining write authority, and obtaining write authority is more harmful than the.
step 5, selecting, from all available vulnerability information tables whose access mark is 'unaccessed', the item of available vulnerability information with the largest vulnerability availability cumulative probability value; removing that item from its table and setting the table's access mark to 'accessed'; looking up the consequence information of the exploitation and updating the attacker's access authority and non-access-authority consequences on the node; writing the consequence information into the attack path information set of the node where the vulnerability is located and outputting the attack path information; then examining the vulnerabilities on all nodes that this node can directly access, and, if the access authority changed in this step is the necessary condition of the vulnerability attack, the precondition of the corresponding exploitation is satisfied and no attack loop exists, putting the corresponding vulnerability into the available vulnerability information table of its node that corresponds to the consequence of the exploitation; an attack loop is the situation where a node appears repeatedly in an attack path and the attack purposes on the repeated node are the same;
step 6, judging whether the calculated number of the attack paths meets the requirements, if so, turning to step 8, and if not, turning to step 7;
step 7, judging whether all available vulnerability information tables are empty tables, if so, turning to step 8, if not, inquiring access marks of all non-empty available vulnerability information tables, if available vulnerability information tables marked as 'unaccessed' exist, directly turning to step 5, and if the access marks of all non-empty available vulnerability information tables are 'accessed', resetting all the access marks of all available vulnerability information tables as 'unaccessed', and turning to step 5;
step 8, summarizing and outputting the calculation result. While the algorithm runs, the attack paths against each node are output one after another, and the relevant information is recorded in the data structure of each node.
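Steps 1 to 8 above, reimplemented as an added Python example (not the patent's own code): one table per (node, consequence class) with an access mark, selection of the globally largest cumulative probability among 'unaccessed' tables, a mark reset when every non-empty table has been used in a round, and the attack-loop check. The network, access relations and probability values in `patent_example()` are reconstructed from the embodiment text in the Detailed Description (FIG. 3 and FIG. 4 are not reproduced on this page), and the precondition model (a single privilege class held on the launching node) is an assumption.

```python
# Reimplementation of the steps of CN107135221B (added example, not the patent's own code).
from dataclasses import dataclass
from typing import Dict, List, Optional, Sequence, Tuple

ADMIN_EXEC = "admin_exec"  # the only exploitation consequence class in the embodiment

@dataclass(frozen=True)
class Vulnerability:
    vid: str            # vulnerability number, e.g. "V1"
    node: str           # node the vulnerability is located on
    precondition: str   # privilege needed on the launching node (assumed precondition model)
    consequence: str    # privilege gained on `node`; selects which table the entry goes into
    probability: float  # availability probability value

Step = Tuple[str, str, str]  # (node, vulnerability number, consequence)

@dataclass(frozen=True)
class Entry:
    """One row of an available vulnerability information table."""
    node: str
    vid: str
    steps: Tuple[Step, ...]
    cum_prob: float  # product of the availability probabilities along the path

    @property
    def path(self) -> str:
        # Same notation as the patent: attacker H, then node(vulnerability) per hop.
        return "H" + "".join(f"{n}({v})" for n, v, _ in self.steps)

def progressive_attack_paths(access: Dict[str, Sequence[str]],
                             vulns: Sequence[Vulnerability],
                             attacker: str = "H",
                             start_priv: str = ADMIN_EXEC,
                             max_paths: Optional[int] = None) -> List[Entry]:
    """Return attack paths in the order steps 4-8 of the patent output them.
    max_paths=None keeps going until every table is empty (K grows dynamically)."""
    by_node: Dict[str, List[Vulnerability]] = {}
    for v in vulns:
        by_node.setdefault(v.node, []).append(v)
    nodes = {v.node for v in vulns}
    classes = {v.consequence for v in vulns}
    # Steps 1-3: L empty tables per node (L = number of consequence classes), all 'unaccessed'.
    tables: Dict[Tuple[str, str], List[Entry]] = {(n, c): [] for n in nodes for c in classes}
    accessed = {key: False for key in tables}
    output: List[Entry] = []

    def expand(from_node: str, held: str, steps: Tuple[Step, ...], prob: float) -> None:
        # Examine the vulnerabilities on every node directly reachable from `from_node`.
        for nxt in access.get(from_node, ()):
            for v in by_node.get(nxt, []):
                if v.precondition != held:
                    continue  # precondition of the exploitation is not met
                if any(n == nxt and c == v.consequence for n, _, c in steps):
                    continue  # attack loop: same node with the same attack purpose
                new_steps = steps + ((nxt, v.vid, v.consequence),)
                tables[(nxt, v.consequence)].append(
                    Entry(nxt, v.vid, new_steps, prob * v.probability))

    expand(attacker, start_priv, (), 1.0)  # step 4: nodes the attacker reaches directly
    while True:
        if max_paths is not None and len(output) >= max_paths:
            break  # step 6: enough paths for now
        non_empty = [k for k, t in tables.items() if t]
        if not non_empty:
            break  # step 7: every table is empty, nothing more to solve
        candidates = [k for k in non_empty if not accessed[k]]
        if not candidates:
            # Step 7: every non-empty table was used in this round; start a new round.
            for k in accessed:
                accessed[k] = False
            candidates = non_empty
        # Step 5: the largest cumulative probability among 'unaccessed' tables wins.
        key = max(candidates, key=lambda k: max(e.cum_prob for e in tables[k]))
        best = max(tables[key], key=lambda e: e.cum_prob)
        tables[key].remove(best)
        accessed[key] = True
        output.append(best)  # the attack path against node key[0] is output here
        node, consequence = key
        expand(node, consequence, best.steps, best.cum_prob)
    return output

def patent_example(max_paths: Optional[int] = None) -> List[Entry]:
    """The embodiment network, reconstructed from the description text (constructed data;
    FIG. 3 and FIG. 4 are not on the page): H -> A; A -> A, B, C; B -> C; C -> D; D -> none."""
    access = {"H": ["A"], "A": ["A", "B", "C"], "B": ["C"], "C": ["D"], "D": []}
    vulns = [
        Vulnerability("V1", "A", ADMIN_EXEC, ADMIN_EXEC, 0.9),
        Vulnerability("V2", "A", ADMIN_EXEC, ADMIN_EXEC, 0.8),
        Vulnerability("V3", "B", ADMIN_EXEC, ADMIN_EXEC, 0.9),
        Vulnerability("V4", "C", ADMIN_EXEC, ADMIN_EXEC, 0.6),
        Vulnerability("V5", "D", ADMIN_EXEC, ADMIN_EXEC, 0.1),
    ]
    return progressive_attack_paths(access, vulns, max_paths=max_paths)

if __name__ == "__main__":
    for i, e in enumerate(patent_example(), 1):
        print(f"{i:2d}: [{e.node}, {e.vid}, {e.path}, {e.cum_prob:.4f}]")
```

Run stand-alone it prints all 12 paths of the example network in output order; the first seven are the items selected in steps (5) to (11) of the embodiment, and the fourth (node D, 0.054) shows a low-probability node getting its turn within the first round.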
Compared with the prior art, the method for progressively solving K maximum probability attack paths has the following advantages: (1) the method outputs the attack paths against the nodes in rounds, and every node has the opportunity to output an attack path in each round, so a node whose attack paths have a small vulnerability availability cumulative probability value no longer waits a long time before one of its attack paths is output; (2) the number K of output attack paths can be increased dynamically and no specific value of K needs to be given in advance, which resolves the trade-off between the real-time performance of attack path calculation and the number K of attack paths to solve.
Compared with the network security analysis method for solving the K maximum probability attack graph provided by the invention patent (CN 102724210B, 2015.02.11, full text), the invention solves the following two problems: (1) the problem that, in the worst case and when the value of K is large, a node whose attack paths have small vulnerability availability cumulative probability values does not output a single attack path for a long time. The method of the prior patent orders and processes all available vulnerabilities in the network system by vulnerability availability cumulative probability value from large to small, and its running time increases with the value of the parameter K, so when K is large a node whose attack paths have small cumulative probability values may, in the worst case, not output an attack path for a long time. The invention does not use this largest-first strategy over all available vulnerabilities in the network system. Instead it establishes an available vulnerability information table for each node and marks each table 'unaccessed' or 'accessed' according to whether it has been used; in essence the invention redesigns the strategy of vulnerability selection and exploitation, so that the attack paths against each node are output in rounds and every node has the opportunity to output an attack path in each round, which solves the problem that, in the worst case and when K is large, a node whose attack paths have small cumulative probability values does not output an attack path for a long time; (2) the problem that the number K of attack paths must be specified in advance and the problem that attack paths cannot be generated incrementally. The method of the prior patent must be given a specific value of the parameter K in advance; after solving the first K maximum probability attack paths of each node, obtaining more attack paths requires resetting the value of K and running the method again, and further work cannot build on the previous solution results. To obtain more attack paths, a larger value of K must be given in advance, and increasing K further aggravates the problem that "when the value of K is large, a node whose attack paths have small cumulative probability values cannot output an attack path for a long time". The invention instead redesigns the strategy of vulnerability selection and exploitation and outputs the attack paths against each node in rotation, which achieves incremental generation of attack paths without requiring a specific value of the number K of attack paths to be given in advance. When a large-scale network system is analyzed, the running time needed to solve the first K attack paths against each node cannot be estimated accurately; on the other hand, one hopes to make full use of a given time window and solve as many attack paths as possible. Under these conditions an accurate value of K cannot be given in advance. With the invention no constraint on the number K of attack paths needs to be given in advance, each node has the opportunity to output more attack paths as the running time elapses, and the problem of incremental generation of attack paths is solved.
Drawings
FIG. 1 is a flow chart of the method of the present invention;
FIG. 2 is a network topology diagram;
FIG. 3 is an access relationship diagram;
FIG. 4 is a diagram of the original vulnerability information of each node;
FIG. 5 is a sequence diagram of the attack paths generated by the prior art;
FIG. 6 is available vulnerability information table 1;
FIG. 7 is available vulnerability information table 2;
FIG. 8 is available vulnerability information table 3;
FIG. 9 is available vulnerability information table 4;
FIG. 10 is available vulnerability information table 5;
FIG. 11 is available vulnerability information table 6;
FIG. 12 is available vulnerability information table 7;
FIG. 13 is available vulnerability information table 8;
FIG. 14 is available vulnerability information table 9;
FIG. 15 is available vulnerability information table 10;
FIG. 16 is available vulnerability information table 11;
FIG. 17 is available vulnerability information table 12;
FIG. 18 is available vulnerability information table 13;
FIG. 19 is available vulnerability information table 14;
FIG. 20 is available vulnerability information table 15;
FIG. 21 is available vulnerability information table 16;
FIG. 22 is a sequence diagram of the attack paths generated by the present invention.
Detailed Description
In order to make the technical means, technical features and objectives of the invention easy to understand, the invention is further described below with a specific embodiment.
The network topology is shown in fig. 2: node H represents the attacker, nodes A, B, C and D represent nodes of the given network system, and the directed arrows between nodes represent the access relationships between them. The access relationships are shown in fig. 3: starting with the second row, each row lists the set of nodes that one node can access, where "√" indicates direct access and "X" indicates no direct access. For example, the second row indicates that the attacker can directly access node A but not nodes B, C and D, and the third row indicates that node A can directly access nodes A, B and C but not node D; the access relationships between the other nodes are read from fig. 3 in the same way. In this embodiment the access relationship is defined as unidirectional, but in a specific implementation it may be defined as unidirectional or bidirectional as the situation requires.
The original information of the vulnerabilities on each node is shown in fig. 4. The exploitation preconditions state what is required to exploit each vulnerability, and the exploitation consequence information states what results after a vulnerability is successfully exploited; in this example the consequence of every exploitation is "the attacker obtains administrator user execution authority on the node". The availability probability value of a vulnerability expresses the likelihood that it can be successfully exploited. After obtaining administrator user execution authority on a node, the attacker can execute programs on that node and launch a new attack from it.
Given the above input information, as shown in fig. 1, the specific method steps of the present invention are as follows:
step (1), establishing an available vulnerability information table for each node. In this embodiment the only exploitation consequence is "the attacker obtains administrator user execution authority on the node", so one available vulnerability information table is established for each node. If several classes of exploitation consequence exist, several available vulnerability information tables can be established for each node according to the actual conditions;
step (2), initializing all available vulnerability information tables as empty tables;
step (3), setting the access marks of all available vulnerability information tables as 'unaccessed';
step (4), starting from the attacker's position, examining the vulnerabilities on all nodes that the attacker can directly access; it is found that the attacker can attack vulnerabilities V1 and V2 on node A and that the exploitation preconditions are satisfied, so the available vulnerability information corresponding to V1 and V2 is put into the available vulnerability information table of node A. As shown in fig. 6, two items of available vulnerability information are added to the table of node A: "[A, V1, HA(V1), 0.9]" and "[A, V2, HA(V2), 0.8]". Each item comprises a node number, a vulnerability number, the specific attack path from the attacker, and the vulnerability availability cumulative probability value; for example, "[A, V1, HA(V1), 0.9]" states that the vulnerability numbered V1 exists on node A, that the specific attack path from the attacker is that attacker H can directly attack vulnerability V1 on node A, and that the vulnerability availability cumulative probability value is 0.9;
step (5), selecting, from all available vulnerability information tables whose access mark is 'unaccessed', the item with the largest vulnerability availability cumulative probability value, namely "[A, V1, HA(V1), 0.9]"; removing it from the table, setting the table's access mark to 'accessed', and looking up the exploitation consequence of vulnerability V1, which is "the attacker obtains administrator user execution authority on the node"; updating the attacker's access authority on node A, writing the consequence information into the attack path information set of node A and outputting the attack path information; then examining the vulnerabilities on all nodes that node A can directly access, it is found that vulnerability V3 on node B and vulnerability V4 on node C can be attacked from node A and that no attack loop exists, so the available vulnerability information "[B, V3, HA(V1)B(V3), 0.81]" is put into the table of node B, where the attack path "HA(V1)B(V3)" denotes the specific attack steps from the attacker: starting from attacker H, first attack vulnerability V1 on node A, and after obtaining the authority attack vulnerability V3 on node B from node A; its vulnerability availability cumulative probability value is 0.9 × 0.9 = 0.81. The available vulnerability information "[C, V4, HA(V1)C(V4), 0.54]" is put into the table of node C, where the cumulative probability value is 0.9 × 0.6 = 0.54. The specific contents and access marks of each node's available vulnerability information table are shown in fig. 7;
step (6), selecting, from all available vulnerability information tables whose access mark is 'unaccessed', the item with the largest vulnerability availability cumulative probability value, namely "[B, V3, HA(V1)B(V3), 0.81]"; removing it from the table, setting the table's access mark to 'accessed', and looking up the exploitation consequence of vulnerability V3, which is "the attacker obtains administrator user execution authority on the node"; updating the attacker's access authority on node B, writing the consequence information into the attack path information set of node B and outputting the attack path information; then examining the vulnerabilities on all nodes that node B can directly access, it is found that vulnerability V4 on node C can be attacked from node B and that no attack loop exists, so the available vulnerability information "[C, V4, HA(V1)B(V3)C(V4), 0.486]" is put into the table of node C, where the cumulative probability value is 0.9 × 0.9 × 0.6 = 0.486. The specific contents and access marks of each node's available vulnerability information table are shown in fig. 8;
step (7), selecting, from all available vulnerability information tables whose access mark is 'unaccessed', the item with the largest vulnerability availability cumulative probability value, namely "[C, V4, HA(V1)C(V4), 0.54]"; removing it from the table, setting the table's access mark to 'accessed', and looking up the exploitation consequence of vulnerability V4, which is "the attacker obtains administrator user execution authority on the node"; updating the attacker's access authority on node C, writing the consequence information into the attack path information set of node C and outputting the attack path information; then examining the vulnerabilities on all nodes that node C can directly access, it is found that vulnerability V5 on node D can be attacked from node C and that no attack loop exists, so the available vulnerability information "[D, V5, HA(V1)C(V4)D(V5), 0.054]" is put into the table of node D, where the cumulative probability value is 0.9 × 0.6 × 0.1 = 0.054. The specific contents and access marks of each node's available vulnerability information table are shown in fig. 9. This step shows that, although "[C, V4, HA(V1)C(V4), 0.54]" is not the item with the largest vulnerability availability cumulative probability value across the tables of all nodes at this moment, the tables of node A and node B are both marked 'accessed' and are excluded from the current selection, so "[C, V4, HA(V1)C(V4), 0.54]" is the item with the largest cumulative probability value among all tables currently marked 'unaccessed', and it is the one selected and exploited in this step;
step (8), selecting, from all available vulnerability information tables whose access mark is 'unaccessed', the item with the largest vulnerability availability cumulative probability value; the tables of node A, node B and node C are all 'accessed', so "[D, V5, HA(V1)C(V4)D(V5), 0.054]" is selected; removing it from the table, setting the table's access mark to 'accessed', and looking up the exploitation consequence of vulnerability V5, which is "the attacker obtains administrator user execution authority on the node"; updating the attacker's access authority on node D, writing the consequence information into the attack path information set of node D and outputting the attack path information; then examining the vulnerabilities on all nodes that node D can directly access, it is found that, because of the limits of the access relationship, no node can be attacked from node D. The specific contents and access marks of each node's available vulnerability information table are shown in fig. 10. This step shows that, because the tables of node A, node B and node C are all currently 'accessed', a vulnerability can only be selected from the table of node D, so node D obtains the opportunity to output an attack path; marking the access of each node's available vulnerability information table is what gives every node a chance to output an attack path;
step (9), because the access marks of all currently non-empty available vulnerability information tables are 'accessed', the access marks of all available vulnerability information tables are reset to 'unaccessed'; the result is shown in fig. 11. After this step, the calculation and output of the attack paths on each node in the current round are finished, and the calculation and output of attack paths in a new round begin;
step (10), selecting an available vulnerability information with the largest vulnerability availability cumulative probability value from all the available vulnerability information tables with the access marks of ' no access ', and accordingly selecting the available vulnerability information ' [ A, V ]2,HA(V2),0.8]Removing the available vulnerability information from the available vulnerability information table, setting the access mark of the available vulnerability information table as 'accessed', and inquiring vulnerability V2The result information of the vulnerability utilization is that 'an attacker obtains the execution authority of an administrator user on the node', the access authority of the attacker on the node A is updated, the result information of the vulnerability utilization is written into the attack path information set of the node A and the attack path information is output, the vulnerabilities on all nodes which can be directly accessed by the node A are inquired and judged, and the vulnerability V on the node B which can be attacked by the slave node A is found3And holes on node CV4And there is no attack loop, so there will be available vulnerability information "[ B, V3,HA(V2)B(V3),0.72]"put into the table of available vulnerability information of node B, wherein the cumulative probability value of vulnerability availability is 0.8 × 0.9 ═ 0.72, and put the available vulnerability information" [ C, V4,HA(V2)C(V4),0.48]"put into the available vulnerability information table of the node C, wherein the cumulative probability value of the vulnerability availability is 0.8 × 0.6 — 0.48, and the specific content and the access mark in the available vulnerability information table of each node are shown in fig. 12;
step (11) selecting an available vulnerability information with the largest vulnerability availability cumulative probability value from all the available vulnerability information tables with the access marks of ' no access ', and therefore selecting the available vulnerability information ' [ B, V ]3,HA(V2)B(V3),0.72]Removing the available vulnerability information from the available vulnerability information table, setting the access mark of the available vulnerability information table as 'accessed', and inquiring vulnerability V3The result information of the vulnerability utilization is that 'an attacker obtains the execution authority of the administrator user on the node', updates the access authority of the attacker on the node B, writes the result information of the vulnerability utilization into the attack path information set of the node B and outputs the attack path information, inquires and judges the vulnerabilities on all nodes which can be directly accessed by the node B, and discovers that the slave node B can attack the vulnerability V on the node C4And no attack loop exists, so the available vulnerability information is "[ C, V4,HA(V2)B(V3)C(V4),0.432]"put into the available vulnerability information table of the node C, the specific content and access flag in the available vulnerability information table of each node are shown in fig. 13;
step (12), selecting an available vulnerability information with the largest vulnerability availability cumulative probability value from all the available vulnerability information tables with the access marks of ' no access ', and accordingly selecting the available vulnerability information ' [ C, V ]4,HA(V1)B(V3)C(V4),0.486]Removing the available vulnerability information from the available vulnerability information table, setting the access mark of the available vulnerability information table as 'accessed', and inquiring vulnerability V4The result information of the vulnerability utilization is that 'an attacker obtains the execution authority of the administrator user on the node', the access authority of the attacker on the node C is updated, the result information of the vulnerability utilization is written into the attack path information set of the node C and the attack path information is output, the vulnerabilities on all nodes which can be directly accessed by the node C are inquired and judged, and the vulnerability V on the node D which can be attacked by the slave node C is found5And there is no attack loop, so there will be available vulnerability information "[ D, V5,HA(V1)B(V3)C(V4)D(V5),0.0486]"put into the available vulnerability information table of node D, the specific content and access flag in the available vulnerability information table of each node are shown in fig. 14;
step (13), selecting an available vulnerability information with the largest vulnerability availability cumulative probability value from all the available vulnerability information tables with the access marks of ' no access ', and accordingly selecting the available vulnerability information ' [ D, V ]5,HA(V1)B(V3)C(V4)D(V5),0.0486]Removing the available vulnerability information from the available vulnerability information table, setting the access mark of the available vulnerability information table as 'accessed', and inquiring vulnerability V5The result information of the exploit is that 'an attacker acquires the administrator user execution authority on the node', the access authority of the attacker on the node D is updated, the result information of the exploit is written into the attack path information set of the node D and the attack path information is output, all the vulnerabilities on the nodes which can be directly accessed by the node D are inquired and judged, the limitation of the access relation is found, the slave node D cannot attack any node, and the specific content and the access mark in the available vulnerability information table of each node are shown in FIG. 15;
step (14), because the access marks of all the currently non-empty available vulnerability information tables are "accessed", the access marks of all available vulnerability information tables are reset to "unaccessed"; the result is shown in fig. 16. After this step, the calculation and output of attack paths on each node in the current round are finished, and a new round of attack path calculation and output begins;
step (15), selecting the available vulnerability information with the largest vulnerability availability cumulative probability value from all the available vulnerability information tables whose access mark is "unaccessed", so the available vulnerability information [C, V4, HA(V2)C(V4), 0.48] is selected, removed from its available vulnerability information table, and the access mark of that table is set to "accessed"; the consequence information of exploiting vulnerability V4 is queried and found to be "the attacker obtains administrator user execution authority on the node", the attacker's access authority on node C is updated, the consequence information of the exploit is written into the attack path information set of node C and the attack path information is output; the vulnerabilities on all nodes that can be directly accessed from node C are queried and judged, and it is found that vulnerability V5 on node D can be attacked from node C and that no attack loop exists, so the available vulnerability information [D, V5, HA(V2)C(V4)D(V5), 0.048] is put into the available vulnerability information table of node D; the specific content and access mark of the available vulnerability information table of each node are shown in fig. 17;
step (16), selecting the available vulnerability information with the largest vulnerability availability cumulative probability value from all the available vulnerability information tables whose access mark is "unaccessed", so the available vulnerability information [D, V5, HA(V2)C(V4)D(V5), 0.048] is selected, removed from its available vulnerability information table, and the access mark of that table is set to "accessed"; the consequence information of exploiting vulnerability V5 is queried and found to be "the attacker obtains administrator user execution authority on the node", the attacker's access authority on node D is updated, the consequence information of the exploit is written into the attack path information set of node D and the attack path information is output; the vulnerabilities on all nodes that can be directly accessed from node D are queried and judged, and it is found that, owing to the limitation of the access relation, no node can be attacked from node D; the specific content and access mark of the available vulnerability information table of each node are shown in fig. 18. In this round the available vulnerability information tables of node A and node B are both empty, so only attack paths attacking node C and node D are output;
step (17), because the access marks of all the currently non-empty available vulnerability information tables are "accessed", the access marks of all available vulnerability information tables are reset to "unaccessed"; the result is shown in fig. 19. After this step, the calculation and output of attack paths on each node in the current round are finished, and a new round of attack path calculation and output begins;
step (18), selecting the available vulnerability information with the largest vulnerability availability cumulative probability value from all the available vulnerability information tables whose access mark is "unaccessed", so the available vulnerability information [C, V4, HA(V2)B(V3)C(V4), 0.432] is selected, removed from its available vulnerability information table, and the access mark of that table is set to "accessed"; the consequence information of exploiting vulnerability V4 is queried and found to be "the attacker obtains administrator user execution authority on the node", the attacker's access authority on node C is updated, the consequence information of the exploit is written into the attack path information set of node C and the attack path information is output; the vulnerabilities on all nodes that can be directly accessed from node C are queried and judged, and it is found that vulnerability V5 on node D can be attacked from node C and that no attack loop exists, so the available vulnerability information [D, V5, HA(V2)B(V3)C(V4)D(V5), 0.0432] is put into the available vulnerability information table of node D; the specific content and access mark of the available vulnerability information table of each node are shown in fig. 20;
step (19), selecting the available vulnerability information with the largest vulnerability availability cumulative probability value from all the available vulnerability information tables whose access mark is "unaccessed", so the available vulnerability information [D, V5, HA(V2)B(V3)C(V4)D(V5), 0.0432] is selected, removed from its available vulnerability information table, and the access mark of that table is set to "accessed"; the consequence information of exploiting vulnerability V5 is queried and found to be "the attacker obtains administrator user execution authority on the node", the attacker's access authority on node D is updated, the consequence information of the exploit is written into the attack path information set of node D and the attack path information is output; the vulnerabilities on all nodes that can be directly accessed from node D are queried and judged, and it is found that, owing to the limitation of the access relation, no node can be attacked from node D; the specific content and access mark of the available vulnerability information table of each node are shown in fig. 21;
step (20), because the available vulnerability information tables of all nodes are empty, the calculation results are summarized and output, and the algorithm terminates. During the operation of the algorithm, multiple attack paths attacking each node are output successively, and the relevant information is recorded in the data structure of each node.
For this embodiment, if the method of the earlier patent "a network security analysis method for solving K maximum probability attack graph" (CN 102724210B, 2015.02.11, full text) is used, the attack paths are generated in the order shown in fig. 5: all attack paths are output in descending order of their vulnerability availability cumulative probability values, so the paths attacking node D are all output last. Because the running time of that algorithm grows with the network scale and with the value of the parameter K, in the worst case, when the network is large and K is large, a node whose attack paths have small vulnerability availability cumulative probability values may not have any attack path output for a long time.
For the embodiment, the order in which attack paths are generated by the method of the present invention is shown in fig. 22. After the algorithm starts, nodes A, B, C and D each have an attack path output in turn; although the vulnerability availability cumulative probability values of the attack paths attacking node D are smaller, node D still obtains the opportunity to output an attack path, because the method redesigns the selection strategy for available vulnerabilities: instead of using the available vulnerabilities of the whole network system in descending order of their vulnerability availability cumulative probability values, it establishes an available vulnerability information table for each node and marks each table "unaccessed" or "accessed" according to whether it has been accessed, so that attack paths attacking each node are output in turn. In each round, every node has the opportunity to output an attack path, which solves the problem that, in the worst case with a large value of K, a node whose attack paths have smaller vulnerability availability cumulative probability values may not output an attack path for a long time.
In the first and second rounds, nodes A, B, C and D all have attack path outputs; in the third and fourth rounds, nodes C and D have attack path outputs, while nodes A and B have none, since there are no more paths attacking nodes A and B. Overall, the attack paths are not output in descending order of their vulnerability availability cumulative probability values, but for any given node, the attack paths attacking that node are output in descending order of their vulnerability availability cumulative probability values.
In this embodiment, the consequence information of every vulnerability exploitation is "the attacker obtains administrator user execution authority on the node", so one available vulnerability information table is established for each node; in a specific implementation, the consequence information of the various vulnerability exploitations can be classified according to the specific conditions and needs, and several available vulnerability information tables established for each node. In this embodiment, the algorithm finishes when the available vulnerability information tables of all nodes are empty; in a specific implementation, whether the number of attack paths already solved meets the requirement can be judged according to the specific situation and needs, and if so, the calculation results can be output immediately and the operation finished.
The foregoing shows and describes the general principles, essential features, and advantages of the invention. It will be understood by those skilled in the art that the present invention is not limited to the embodiments described above, which are given by way of illustration of the principles of the present invention, and that various changes and modifications may be made without departing from the spirit and scope of the invention as defined by the appended claims. The scope of the invention is defined by the appended claims and equivalents thereof.

Claims (3)

1. A method for progressively solving K maximum probability attack paths is characterized by comprising the following steps:
step 1, respectively establishing L available vulnerability information tables for each node in a network, wherein L is the quantity of result classification of vulnerability exploitation, and each available vulnerability information table corresponds to the result of one type of vulnerability exploitation; the available vulnerability information in the available vulnerability information table comprises a node number, a vulnerability number, a specific attack path from an attacker and a vulnerability availability cumulative probability value; the calculation method of the vulnerability availability cumulative probability value comprises the following steps: multiplying the availability probability values of all vulnerabilities on a vulnerability utilization path from an attacker;
step 2, initializing all available vulnerability information tables into empty tables;
step 3, setting the access marks of all available vulnerability information tables as 'unaccessed';
step 4, starting from the position of the attacker, inquiring and judging the vulnerabilities on all nodes which can be directly accessed by the attacker, and if the preconditions of the vulnerability exploitation are met, putting the vulnerability into an available vulnerability information table corresponding to the node where the vulnerability is located according to the consequence information of the vulnerability exploitation;
step 5, selecting the available vulnerability information with the largest vulnerability availability cumulative probability value from all available vulnerability information tables whose access mark is "unaccessed", removing it from its available vulnerability information table, setting the access mark of that table to "accessed", querying the consequence information of the vulnerability exploitation, updating the attacker's access authority and non-access-authority-class consequences on the node, writing the consequence information of the vulnerability exploitation into the attack path information set of the node where the vulnerability is located and outputting the attack path information, and querying and judging the vulnerabilities on all nodes that can be directly accessed from that node: if the access authority changed this time is a necessary condition for attacking a vulnerability, the precondition of exploiting that vulnerability is satisfied and no attack loop exists, the vulnerability is put into the corresponding available vulnerability information table of the node where it is located according to the consequence information of its exploitation;
step 6, judging whether the calculated number of the attack paths meets the requirements, if so, turning to step 8, and if not, turning to step 7;
step 7, judging whether all available vulnerability information tables are empty tables, if so, turning to step 8, if not, inquiring access marks of all non-empty available vulnerability information tables, if available vulnerability information tables marked as 'unaccessed' exist, directly turning to step 5, and if the access marks of all non-empty available vulnerability information tables are 'accessed', resetting all the access marks of all available vulnerability information tables as 'unaccessed', and turning to step 5;
and 8, summarizing and outputting the calculation result.
2. The method for progressively solving K maximum probability attack paths as recited in claim 1, wherein
the specific rule of "putting the vulnerability into the corresponding available vulnerability information table of the node where the vulnerability is located according to the consequence information of the vulnerability exploitation" is: if the same vulnerability has several exploitation consequences, the vulnerability is put into the available vulnerability information table of its node that corresponds to the exploitation consequence of the highest harmfulness, according to the ranking of the exploitation consequences by harmfulness.
3. The method for progressively solving K maximum probability attack paths as recited in claim 1, wherein
the consequences of vulnerability exploitation comprise changes of access authority and consequences of the non-access-authority class; the access authority comprises the access authority of a common user and of the root or administrator user, where the access authority of the common user can be subdivided into the read, write and execution authority of the common user, and the access authority of the root or administrator user can be subdivided into the read, write and execution authority of the root or administrator user; the consequences of the non-access-authority class refer to all vulnerability exploitation consequences other than access authority; the classification of the exploitation consequences may be defined by security management personnel according to the system security goals of concern.
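The following Python program is an added illustration and is not part of the patent text or the applicant's implementation. It implements steps 1 to 8 of claim 1 (one available vulnerability information table per node, an access mark per table, rounds that end when every non-empty table has been accessed, and an optional stop after K paths) and replays the embodiment traced in steps 8 to 20 above. The availability probabilities of V1 to V5 (0.9, 0.8, 0.9, 0.6, 0.1) and the access relation H to A, A to B, A to C, B to C, C to D are derived from the cumulative probability values quoted in the embodiment and should be read as the example's assumptions, as should the names `Vuln`, `Entry` and `progressive_k_paths`. A single table per node (L = 1) is used, as in the embodiment, where every exploitation consequence is "administrator user execution authority".

```python
"""Progressive K maximum probability attack path search: one available
vulnerability information table per node, each with an access mark so that
every node gets a turn within a round (example code, not the patent's)."""
from dataclasses import dataclass


@dataclass(frozen=True)
class Vuln:
    vid: str            # vulnerability number, e.g. "V1"
    prob: float         # availability probability of the vulnerability


@dataclass(frozen=True)
class Entry:
    """One row of an available vulnerability information table."""
    node: str           # node number
    vuln: str           # vulnerability number
    path: str           # attack path from the attacker H, e.g. "HA(V1)B(V3)"
    visited: tuple      # nodes already on the path (attack-loop check)
    cum_prob: float     # product of availability probabilities along the path


def progressive_k_paths(vulns, reach, k=None):
    """vulns: {node: [Vuln, ...]}; reach: {node: [directly reachable node, ...]},
    "H" being the attacker's position.  Returns the attack paths in output
    order as (round, node, vuln, path, cum_prob); stops after k paths if given.
    All exploits are treated as one consequence class (L = 1), as in the
    embodiment, so each node has a single table."""
    tables = {n: [] for n in vulns}           # steps 1-2: empty table per node
    accessed = {n: False for n in vulns}      # step 3: all marks "unaccessed"
    output, round_no = [], 1

    def expand(src, path, visited, prob):
        # step 5 (tail): offer every vulnerability on a node directly reachable
        # from src, skipping nodes already on the path so no attack loop forms
        for dst in reach.get(src, []):
            if dst in visited:
                continue
            for v in vulns[dst]:
                tables[dst].append(Entry(dst, v.vid, f"{path}{dst}({v.vid})",
                                         visited + (dst,), prob * v.prob))

    expand("H", "H", ("H",), 1.0)             # step 4: nodes the attacker reaches

    while True:
        # step 5: best entry among the tables still marked "unaccessed"
        pool = [e for n, t in tables.items() if not accessed[n] for e in t]
        if not pool:
            if not any(tables.values()):
                break                         # step 7: every table empty -> step 8
            for n in accessed:                # step 7: round over, reset marks
                accessed[n] = False
            round_no += 1
            continue
        best = max(pool, key=lambda e: e.cum_prob)
        tables[best.node].remove(best)
        accessed[best.node] = True
        output.append((round_no, best.node, best.vuln, best.path, best.cum_prob))
        expand(best.node, best.path, best.visited, best.cum_prob)
        if k is not None and len(output) >= k:
            break                             # step 6: enough paths -> step 8
    return output


# Constructed sample: the embodiment's network, with availability probabilities
# derived from the cumulative values quoted in the text (an assumption here).
EXAMPLE_VULNS = {
    "A": [Vuln("V1", 0.9), Vuln("V2", 0.8)],
    "B": [Vuln("V3", 0.9)],
    "C": [Vuln("V4", 0.6)],
    "D": [Vuln("V5", 0.1)],
}
EXAMPLE_REACH = {"H": ["A"], "A": ["B", "C"], "B": ["C"], "C": ["D"], "D": []}


def per_node_descending(paths):
    """True if, for every node, its paths come out in non-increasing cumulative
    probability order (the per-node property the description states)."""
    seen = {}
    for _, node, _, _, p in paths:
        if p > seen.get(node, 1.0) + 1e-12:
            return False
        seen[node] = p
    return True


if __name__ == "__main__":
    for r, node, vuln, path, p in progressive_k_paths(EXAMPLE_VULNS, EXAMPLE_REACH):
        print(f"round {r}: node {node} via {vuln}  {path}  {p:.4f}")
```

Running the file lists the twelve paths in the order of fig. 22: rounds 1 and 2 each output one path for A, B, C and D, rounds 3 and 4 only for C and D, and within any single node the cumulative probabilities decrease. Passing `k` makes the search stop as soon as k paths have been output (step 6), which is how the method is used progressively in practice; the reset of the access marks at the end of a round is what prevents a node with only low-probability paths from being starved.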
CN201710326387.3A 2017-05-10 2017-05-10 Method for progressively solving K maximum probability attack path Active CN107135221B (en)

Publications (2)

Publication Number Publication Date
CN107135221A CN107135221A (en) 2017-09-05
CN107135221B true CN107135221B (en) 2020-05-05


Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination
GR01 Patent grant