CN102413003A - Method and system for detecting network security - Google Patents


Info

Publication number: CN102413003A
Authority: CN (China)
Legal status: Granted
Application number: CN2010102876125A
Priority application: CN201010287612.5A
Other languages: Chinese (zh)
Other versions: CN102413003B (en)
Inventors: 王元卓, 李金明, 喻民, 林思明, 程学旗
Current assignee: Institute of Computing Technology of CAS
Original assignee: Institute of Computing Technology of CAS
Abstract

The invention discloses a method and a system for detecting network security. The method comprises the following steps: 1) according to the initial state of the equipment in a network, the connection relationships among the pieces of equipment and the vulnerability information of the equipment, generating an attack graph comprising attack nodes and state nodes; 2) for a set target node, converting the attack graph into a stochastic Petri net model; 3) introducing the strategy and utility information of attack behaviour into the stochastic Petri net model to generate a stochastic game net model from the attacker's perspective, and introducing the strategy and utility information of defensive behaviour into the stochastic Petri net model to generate a stochastic game net model from the defender's perspective; 4) combining the attacker-perspective and defender-perspective stochastic game net models to generate an attack-defence game strategy model; and 5) detecting network security with the attack-defence game strategy model. The method and system improve the accuracy of network security detection.

Description

Method and system for detecting network security
Technical field
The present invention relates to the field of network security, and in particular to a method and system for detecting network security.
Background technology
In recent years the "by-products" of the information age, such as computer viruses, Trojan horses, worms and hacker attacks, have kept growing and spreading. They have caused serious damage to highly informatized national critical infrastructure such as finance, transport, commerce, healthcare, communications and electric power, and have become a new threat to national security. Much targeted work has been done to counter these new threats.
For security problems in large-scale, complex cyberspace, the most effective research approach is to analyse network protocols, network behaviour, network performance and so on in real cyberspace, obtain the most authentic and reliable data, and apply the research results to the real scenario. However, carrying out tests and experiments on a real network is almost infeasible because of the enormous, even disruptive, impact it could have. The usual approach is therefore to build a simulated network environment from a model inferred from existing data, and to try to reproduce real network behaviour and simulate the deployment of various technical measures in it.
However, this model-based approach to network security analysis currently suffers from several problems in practice: (1) security modelling and analysis does not take into account that a network attack is a human behaviour; driven by different interests it gives rise to various game processes, so the description given by the model is incomplete; (2) modelling is based on the vulnerabilities of the individual network devices and does not consider how vulnerabilities on different devices are correlated, which makes the results of the analysis inaccurate; (3) security analysis is essentially based on currently known attacks and lacks effective prediction of unknown attack threats. These deficiencies seriously affect the description and analysis of network security problems, and the present invention is proposed precisely to remedy them.
Summary of the invention
To address the above problems, the invention discloses a method and system for detecting network security that can improve the accuracy of network security detection.
The invention discloses a method for detecting network security, comprising:
Step 1: according to the initial states of the devices in the network, the connection relationships between devices and the vulnerability information of the devices, generate an attack graph comprising attack nodes and state nodes, where an attack node is a possible attack state in the network and a state node is a possible attacked target in the network;
Step 2: for a set target node, convert the attack graph into a stochastic Petri net model;
Step 3: introduce the strategy and utility information of attack behaviour into the stochastic Petri net model to generate the attacker-perspective stochastic game net model, and introduce the strategy and utility information of defensive behaviour into the stochastic Petri net model to generate the defender-perspective stochastic game net model;
Step 4: for each place in the attacker-perspective and defender-perspective stochastic game net models, with the attacker and defender of the game selecting their behaviour according to the strategies under the equilibrium condition, compute the expected utility matrix, compute the equilibrium value of the place from the expected utility matrix, and derive the equilibrium strategy vectors of the attacker and defender from the equilibrium value; introduce the equilibrium strategies into the attacker-perspective and defender-perspective stochastic game net models respectively; merge the two models to generate the attack-defence game strategy model;
Step 5: use the attack-defence game strategy model to detect network security.
The invention also discloses a system for detecting network security, comprising:
an attack graph generation module, for generating, according to the initial states of the network devices, the connection relationships between devices and the vulnerability information of the devices, an attack graph comprising attack nodes and state nodes, where an attack node is a possible attack state in the network and a state node is a possible attacked target in the network;
a stochastic Petri net model conversion module, for converting the attack graph into a stochastic Petri net model for the set target node;
an attacker-perspective and defender-perspective stochastic game net model generation module, for introducing the strategy and utility information of attack behaviour into the stochastic Petri net model to generate the attacker-perspective stochastic game net model, and introducing the strategy and utility information of defensive behaviour into the stochastic Petri net model to generate the defender-perspective stochastic game net model;
an attack-defence game strategy model generation module, for computing, for each place in the attacker-perspective and defender-perspective stochastic game net models, with the attacker and defender of the game selecting their behaviour according to the strategies under the equilibrium condition, the expected utility matrix, computing the equilibrium value of the place from the expected utility matrix, deriving the equilibrium strategy vectors of the attacker and defender from the equilibrium value, introducing the equilibrium strategies into the attacker-perspective and defender-perspective stochastic game net models respectively, and merging the two models to generate the attack-defence game strategy model;
a network security detection module, for detecting network security with the attack-defence game strategy model.
The beneficial effect of the invention is that it builds the network model on stochastic game nets, which describe the dynamic game relationship in the attack-defence process more accurately and reflect the current network risk situation more directly, giving higher accuracy; when searching for vulnerabilities it examines, on the basis of the inter-device connection relationships, how vulnerabilities on different network devices are correlated, which makes the analysis results more accurate; and its emphasis on correlation analysis of the network model greatly strengthens the descriptive power of the model and widens its range of application.
Description of drawings
Fig. 1 is the flow chart of the method for detecting network security of the present invention;
Fig. 2 is the flow chart of an embodiment of the attack graph generation method of the present invention;
Fig. 3 is the flow chart of the stochastic Petri net attack model generation method of the present invention;
Fig. 4 is the flow chart of the equilibrium strategy solving of the present invention;
Fig. 5 is the flow chart of the network attack path computation method;
Fig. 6 is the flow chart of the computation method for vulnerable network nodes;
Fig. 7 is the network topology diagram of the embodiment of the present invention;
Fig. 8 is the structure diagram of the system for detecting network security of the present invention.
Embodiment
The method of the present invention is further explained below with reference to the drawings.
The present invention proposes a network risk correlation analysis method based on the Stochastic Game Nets (SGN) model. The method has two parts: on the one hand, a fast modelling method from input data such as network connection relationships and vulnerability information to an attack-defence game strategy model; on the other hand, based on the attack-defence game strategy model generated by that algorithm, correlation analysis and security evaluation methods for aspects such as the vulnerable nodes and the potential attack paths of the target network.
The method for detecting network security of the present invention is shown in Figure 1.
Step S100: according to the initial states of the devices in the network, the connection relationships between devices and the vulnerability information of the devices, generate an attack graph comprising attack nodes and state nodes; an attack node is a possible attack state in the network, and a state node is a possible attacked target in the network.
An embodiment of step S100 is as follows.
Step S110: add the name and privilege of the initial device to the network device queue, and at the same time generate the initial state node.
Step S120: starting from the initial state node, take a device and its privilege from the network device queue, and create a new connected-device queue and a new device vulnerability queue.
Step S130: query the device connection relationships by the name of the device currently taken to obtain the names of all devices connected to it; add the names and privileges of the connected devices that have not yet been added to the connected-device queue; the devices added are the next-level devices of the device taken. Query the vulnerabilities of the device taken and of all devices connected to it, and add the vulnerabilities to the device vulnerability queue.
Step S140: from the connected-device queue, take a not-yet-taken device connected to the current device as the new current device; if none can be taken, perform step S140 on the upper-level device, otherwise perform step S150.
Step S150: if all devices connected to the new current device have already been added to the connected-device queue, perform step S140 on the previous current device; otherwise perform step S130 on the new current device, until all devices in the network have been traversed.
Step S160: take a vulnerability from the device vulnerability queue, query the attack knowledge base by vulnerability name, and obtain the exploitation method information of the vulnerability; judge whether the vulnerability can be exploited; if it can, generate a state node and an attack node, otherwise discard the vulnerability and go on to judge the next one, until all vulnerabilities in the device vulnerability queue have been judged; connect the attack nodes with the state nodes to generate the attack graph, and add the privilege resulting from the attack to the device vulnerability queue.
The attack knowledge base is a database obtained with prior art that can be called directly.
A specific embodiment is described below.
Algorithm 1, the attack graph generation algorithm, as shown in Figure 2.
Step S101: first generate the attack graph describing the attack relationships; add the name and privilege of the initial device to the network device queue and at the same time generate the initial state node.
Step S102: starting from the initial state node, take a device and its privilege from the network device queue and create a new connected-device queue.
Step S103: query the device connection relationships by the current device name, obtain the names of all devices connected to this device and add them to the connected-device queue; add the connected-device names not already in the network device queue to the network device queue.
Step S104: take a connected device from the connected-device queue and create a new device vulnerability queue.
Step S105: take a vulnerability from the device vulnerability queue, query the attack database, and obtain the exploitation method of the vulnerability.
Step S106: use the vulnerability to generate an attack node and a state node, and connect the two.
Step S107: finally add the privilege resulting from the attack to the queue; the attack graph is then generated.
The detailed process of establishing the device vulnerability queue in step S104 is as follows. Step S1041: query the device connection relationships by the name of the device currently taken to obtain the names of all devices connected to it; add the names and privileges of the connected devices not yet in the connected-device queue to that queue; the added devices are the next-level devices of the device taken; query the vulnerabilities of the device taken and of all devices connected to it and add them to the device vulnerability queue. Step S1042: from the connected-device queue take a not-yet-taken device connected to the current device as the new current device; if none can be taken, perform step S1042 on the upper-level device, otherwise perform step S1043. Step S1043: if all devices connected to the new current device have already been added to the connected-device queue, perform step S1042 on the previous current device; otherwise perform step S1041 on the new current device, until all devices in the network have been traversed.
Modelling of the network devices and topology. As the basis of network attack and defence, parameter knowledge such as the parameters of the various network devices, the network topology and the device vulnerabilities must be established in advance and described formally, so that a network model describing the experimental object can be generated quickly from the experimental topology. Establishment of the network attack model: the attack model is abstracted and built from practical problems. Network attacks directly threaten network security and are usually the main content of attack-defence experiments.
The attack information base is obtained from the device vulnerability queue and the device connection relationship queue that have been established. Attack information describes the process and result of a certain threat exploiting a vulnerability to carry out an attack, and includes the vulnerability name, the attack, the privilege the originating end needs and the privilege it obtains, and so on. The attacker launches attacks on the whole network system from a specific node, and the attack graph is generated from the attack information. The attack graph contains all attacks the attacker could possibly launch in the network while avoiding the unnecessary ones, and the process of generating it is also a dynamic simulation of the whole network attack.
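The traversal of step S100 and Algorithm 1 can be followed in code. The following Python example is added here and is not part of the patent: the network (device names, connections, vulnerability identifiers, privilege levels) and the attack knowledge base are constructed, and the precondition check, which the patent leaves to the knowledge base, is an assumption that compares privilege ranks.

```python
from collections import deque
from dataclasses import dataclass, field

# Ordering of privilege levels, used to decide whether the privilege the attacker
# holds on the device currently taken satisfies an exploit's precondition
# (constructed for this example; the patent leaves the check to the knowledge base).
PRIV_RANK = {"none": 0, "remote": 1, "user": 2, "root": 3}

# Constructed inputs. All device names and vulnerability ids are placeholders.
CONNECTIONS = {                     # inter-device connection relationships
    "internet": ["web"],
    "web": ["internet", "app"],
    "app": ["web", "db"],
    "db": ["app"],
}
DEVICE_VULNS = {                    # vulnerability information per device
    "web": ["VULN-WEB-1"],
    "app": ["VULN-APP-1"],
    "db": ["VULN-DB-1", "VULN-DB-2"],
}
ATTACK_KB = {                       # attack knowledge base: exploitation method per vulnerability
    "VULN-WEB-1": {"requires": "remote", "grants": "user", "exploitable": True},
    "VULN-APP-1": {"requires": "user", "grants": "root", "exploitable": True},
    "VULN-DB-1": {"requires": "user", "grants": "root", "exploitable": False},
    "VULN-DB-2": {"requires": "root", "grants": "root", "exploitable": True},
}


@dataclass
class AttackGraph:
    # state node = (device, privilege held on it)
    # attack node = (vulnerability, source state node, resulting state node)
    state_nodes: set = field(default_factory=set)
    attack_nodes: list = field(default_factory=list)

    def privileges_on(self, device):
        """Privileges the attacker can end up holding on `device`."""
        return {priv for dev, priv in self.state_nodes if dev == device}


def generate_attack_graph(initial_device, initial_priv):
    graph = AttackGraph()
    start = (initial_device, initial_priv)
    graph.state_nodes.add(start)                 # S101: initial state node
    device_queue = deque([start])                # S101: network device queue
    queued = {start}
    while device_queue:
        device, priv = device_queue.popleft()    # S102: take a device and its privilege
        for neighbour in CONNECTIONS.get(device, []):          # S103: connected devices
            for vuln in DEVICE_VULNS.get(neighbour, []):       # S104: vulnerability queue of the neighbour
                method = ATTACK_KB.get(vuln)                    # S105: query the knowledge base
                if method is None or not method["exploitable"]:
                    continue                                    # S160: unexploitable -> discarded
                if PRIV_RANK[priv] < PRIV_RANK[method["requires"]]:
                    continue                                    # precondition not met from this state
                result = (neighbour, method["grants"])
                graph.state_nodes.add(result)                   # S106: state node reached by the attack
                graph.attack_nodes.append((vuln, (device, priv), result))  # S106: attack node, connected
                if result not in queued:                        # S107: attack-result privilege joins the queue
                    queued.add(result)
                    device_queue.append(result)
    return graph


if __name__ == "__main__":
    g = generate_attack_graph("internet", "remote")
    for vuln, src, dst in g.attack_nodes:
        print(f"{src} --{vuln}--> {dst}")
```

On the constructed network the unexploitable VULN-DB-1 never yields an attack node, while the db device is still reached through app.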
Step S200: for the set target node, convert the attack graph into a stochastic Petri net model.
An embodiment of step S200 is described below.
Step S210: take a state node of the attack graph; if the state node is the target node, delete all attack nodes connected to it.
Step S220: if the state node is not the target node, count its out-degree, that is, the number of attack nodes connected to it; if the out-degree is not greater than 1, take the next state node and return to step S210 to continue judging.
Step S230: when the out-degree is greater than 1 there are attack branches at the state node; take one attack branch of the state node and generate an immediate transition.
An attack branch is the connection between a state node and an attack node.
Immediate transitions are the counterpart of timed transitions; the firing of an immediate transition is considered to take no time.
Step S240: connect the state node with the immediate transition and generate a selection state, which denotes the process by which the current state node reaches the next state node through the immediate transition; connect the immediate transition with the selection state.
Step S250: connect the selection state with the attack node that follows the current state node, decrease the out-degree by 1, and perform step S210 until all state nodes have been traversed.
Step S260: generate the timed transition and the target node; connect the target node with the timed transition, connect the timed transition with the start node, and generate the stochastic Petri net model.
Algorithm 2, the stochastic Petri net attack model generation method, as shown in Figure 3.
Step S201: after Algorithm 1 has generated the attack graph, take one of its state nodes;
Step S202: if it is the target node, delete all attack nodes connected to it; if it is not the target node, count its out-degree K;
Step S203: when the out-degree K is greater than 1, take one attack branch and generate an immediate transition;
Step S204: connect the state node with the immediate transition to generate a selection state, and connect the immediate transition with the selection state;
Step S205: connect the selection state with the attack node that follows the current state node, and stop when the out-degree K is less than 1;
Step S206: take the next state node and repeat the above steps until all state nodes have been traversed;
Step S207: generate the timed transition and the target node, connect the target node with the timed transition, and connect the timed transition with the start node; the stochastic Petri net is then generated.
In step S202, if the node is not the target node its out-degree K is counted; the out-degree is the number of attack nodes connected to the state node, that is, the number of attack nodes attached to each state node. When the out-degree K is greater than 1 there are attacks that change the state node, so the attack branch is taken out and the model conversion is performed.
By converting the attack graph into a stochastic Petri net model, the attacker's attack targets, devices and privileges are added to the model.
Step S300: introduce the strategy and utility information of attack behaviour into the stochastic Petri net model to generate the attacker-perspective stochastic game net model; introduce the strategy and utility information of defensive behaviour into the stochastic Petri net model to generate the defender-perspective stochastic game net model.
Step S400: for each place in the attacker-perspective and defender-perspective stochastic game net models, with the attacker and defender of the game selecting their behaviour according to the strategies under the equilibrium condition, compute the expected utility matrix, compute the equilibrium value of the place from the expected utility matrix, and derive the equilibrium strategy vectors of the attacker and defender from the equilibrium value; introduce the equilibrium strategies into the attacker-perspective and defender-perspective stochastic game net models respectively; merge the two models to generate the attack-defence game strategy model.
An embodiment of step S400 is described below.
Step S410: initialise the expected utility; for each place $p_i$ in the attacker-perspective and defender-perspective stochastic game net models, compute the expected utility matrix $U(p_i) = [\gamma_{kl}]$ by the following formula, and assign the values to the player set $N(i)$; the player set comprises the attacker and the defender.
[Formula (1): given only as an image in the original]
where $c_{kl}$ is the attacker's loss after failing at place $p_i$ (a negative value), $r_{kl}$ is the attacker's reward at place $p_i$ when the attacker selects behaviour $a_k$ and the defender selects $d_l$, and $\delta_i \in [0,1]$ is the discount factor. Written out, $U(p_i)$ is:
$$U(p_i) = \begin{pmatrix} \gamma_{11} & \cdots & \gamma_{1m} \\ \vdots & \gamma_{kl} & \vdots \\ \gamma_{n1} & \cdots & \gamma_{nm} \end{pmatrix}$$
where the behaviours the attacker may select are $a_1, \ldots, a_k, \ldots, a_n$, the behaviours the defender may select are $d_1, \ldots, d_l, \ldots, d_m$, and $r_{kl}$ is the attacker's reward when the attacker selects behaviour $a_k$ and the defender selects behaviour $d_l$;
Step S420: for each place $p_i$ in the attacker-perspective and defender-perspective stochastic game net models, compute the players' equilibrium strategy by the following formula
$$\pi_i^m \leftarrow \mathrm{Solve}[U(p_i)]$$
where $\mathrm{Solve}[U(p_i)]$ denotes solving $U(p_i)$; the equilibrium probabilities obtained are assigned to the equilibrium strategy $\pi_i^m$.
Step S430: the equilibrium probabilities computed over the player set $N(i)$ represent the players' behavioural strategies; output the equilibrium strategy vector. The equilibrium strategy computed here provides the basis for setting the selection probabilities of the transitions in the SGN model.
Step S440: assign the equilibrium strategy vectors to the attacker-perspective and defender-perspective stochastic game net models respectively, and combine the two models into the attack-defence game strategy model.
A specific embodiment is described below.
Algorithm 3, the equilibrium strategy solving algorithm, as shown in Figure 4.
Step S301: so that both parties to the game can select their behaviour according to the strategies under the equilibrium condition, first initialise the expected utility;
Step S302: for each place $p_i$ in the stochastic game net model, compute the expected utility matrix $U(p_i) = [\gamma_{kl}]$ by formula (1);
Step S303: assign the resulting values to the player set $N(i)$;
Step S304: compute the players' equilibrium strategy $\pi_i^m$ by formula (2); perform this step for every $p_i$ in the place set of the stochastic game net model;
Step S305: at this point the equilibrium probabilities in this set represent the players' behavioural strategies; output the equilibrium strategy vector, and the algorithm is complete.
In step S302, formula (1) is:
[Formula (1): given only as an image in the original]
where $c_{kl}$ is the attacker's loss after failing at place $p_i$ (a negative value) and $r_{kl}$ is the attacker's reward at place $p_i$ when the attacker selects behaviour $a_k$ and the defender selects $d_l$; to take the effects of other places into account, $U(p_i)$ denotes the expected utility at place $p_i$ and $\delta_i \in [0,1]$ denotes the discount factor; $U(p_i)$ is written out as above.
In step S304, formula (2) is:
$$\pi_i^m \leftarrow \mathrm{Solve}[U(p_i)] \qquad (2)$$
Whether a network attack succeeds depends not only on the strength of the attack capability but also, to a significant degree, on targeted defensive measures; game relationships are present everywhere in the interaction of attack and defence behaviour. After the stochastic Petri net model is established, a stochastic game net describing the attack-defence game strategy model is proposed, the attack-defence game being the stochastic game net model. Research based on the attack-defence game strategy model not only analyses the attack-defence process clearly but also provides a strong basis for selecting effective defence strategies. Compared with traditional Petri nets, the present invention represents strategy interaction by transitions carrying probability values, which combines strategies and transitions well and makes computer-assisted computation of the equilibrium value convenient; the utility function is usually computed from the SGN states and behaviour paths; finally the equilibrium strategies are computed separately and the attack-defence game strategy model is established for analysis.
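The following Python example is added here and is not part of the patent. It solves a constructed 2×2 expected utility matrix $U(p_i)$ for one place (two attacker behaviours against two defender behaviours) as $\mathrm{Solve}[U(p_i)]$ in formula (2), and turns the attacker's equilibrium probabilities into selection weights for the immediate transitions leaving the place, as step S430 describes. The $\gamma$ values, the zero-sum treatment of the game and the transition names are assumptions; formula (1) for $\gamma_{kl}$ is not reproduced on this page.

```python
from fractions import Fraction

# Constructed expected utility matrix U(p_i) = [gamma_kl] for a single place p_i.
# Rows: attacker behaviours a_1, a_2. Columns: defender behaviours d_1, d_2.
# The gamma values are assumed inputs (formula (1) is not reproduced on this page)
# and the game is treated as zero-sum, which is also an assumption.
U_PI = [[Fraction(3), Fraction(-1)],
        [Fraction(-2), Fraction(2)]]


def solve(u):
    """Solve[U(p_i)] for a 2x2 zero-sum matrix game.

    Returns (attacker_strategy, defender_strategy, value). A saddle point gives
    pure strategies; otherwise the unique fully mixed equilibrium is returned.
    """
    (g11, g12), (g21, g22) = u
    row_mins = [min(row) for row in u]
    col_maxs = [max(u[0][j], u[1][j]) for j in range(2)]
    maximin, minimax = max(row_mins), min(col_maxs)
    if maximin == minimax:                  # saddle point: pure equilibrium
        k = row_mins.index(maximin)         # attacker's best pure behaviour
        l = col_maxs.index(minimax)         # defender's best pure behaviour
        attacker = [Fraction(int(i == k)) for i in range(2)]
        defender = [Fraction(int(j == l)) for j in range(2)]
        return attacker, defender, maximin
    denom = g11 - g12 - g21 + g22           # non-zero whenever no saddle point exists
    x = (g22 - g21) / denom                 # probability the attacker plays a_1
    y = (g22 - g12) / denom                 # probability the defender plays d_1
    value = (g11 * g22 - g12 * g21) / denom
    return [x, 1 - x], [y, 1 - y], value


def transition_weights(strategy, transitions):
    """S430: the equilibrium probabilities of a player become the selection
    probabilities of the immediate transitions leaving the place."""
    return dict(zip(transitions, strategy))


if __name__ == "__main__":
    attacker, defender, value = solve(U_PI)
    print("attacker:", attacker, "defender:", defender, "value:", value)
    print(transition_weights(attacker, ["t_a1", "t_a2"]))   # constructed transition names
```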
Step S500: use the attack-defence game strategy model to detect network security.
Embodiment one of step S500 is as follows.
Step S510: compute the steady-state parameters of the attack-defence game strategy model; the steady-state parameters are the selection of attack paths; generate the set of target attack places.
Step S520: for the attack-defence game strategy model, if there are arcs $(p_i, t)$ and $(t, p_{i+1})$ in the stochastic Petri net model and the vulnerability existing between the devices cannot be exploited, delete the arcs $(p_i, t)$ and $(t, p_{i+1})$, otherwise leave them unchanged; traverse all transitions and delete isolated transitions. According to the attack $a_i$ represented by the transition given in the attack information and its relation to the current place, judge whether an attack relation exists; if the attack can act on place $p$ and the pre-set target attack place set of $p$ is non-empty, i.e. $P \neq \phi$, add the mark $a_i$ to all transitions in the pre-set target attack place set of $p$; traverse all devices and mark all transitions; delete the transitions without a mark together with the arcs associated with them, and delete isolated places; the refined attack-defence game strategy model is obtained.
Step S530: select place $p$ as the target attack place and search attack paths by backtracking.
The backtracking search of attack paths is as follows.
Step S531: mark the post-transition set $p^{\bullet}$ of the target place $p$ as "used" and mark place $p$ as "0" (a 0 tuple denotes that no value is contained); set up the set $D$ with initial value $D = \{p\} \cup p^{\bullet}$.
Step S532: for any $b_i \in \{b \mid b \in D \wedge b = 0\}$, mark the elements of ${}^{\bullet}b_i \cap \bar{D}$ as "1", where $\bar{D}$ denotes the elements remaining in $M$ (the set of all places) after removing the elements of $D$; repeat the marking until there is no $b_i \in \{b \mid b \in D \wedge b = 0\}$ satisfying the condition.
Step S533: for any $c_i \in \{c \mid c \in D \wedge c = 1\}$, mark the elements of ${}^{\bullet}c_i \cap \bar{D}$ as "used"; repeat the marking until there is no $c_i \in \{c \mid c \in D \wedge c = 1\}$ satisfying the condition.
Step S534: repeat steps S531 to S533 until the pre-transition set ${}^{\bullet}D$ of $D$ satisfies ${}^{\bullet}D \subseteq D$;
Step S535: starting from $d_j \in \{d \mid d \in D \wedge {}^{\bullet}d = \phi\}$, expand according to the marks of the transitions to obtain all possible attack paths with place $P$ as the target attack place.
Step S540: perform step S530 for all possible target attack places to obtain all possible attack paths existing in the target network.
Step S550: quantify the various paths to obtain the probabilities of the different attack paths for different attack targets.
A specific embodiment is described below.
Algorithm 5: network attack path calculation method, as shown in Figure 5.
Step S501: first generate the set of attack-target places;
Step S502: perform the refining operation on the attack-defense game strategy model, so as to facilitate the subsequent quantitative calculation and analysis;
Step S503: after the refined model is obtained, choose p from the set of attack-target places as the attack-target place;
Step S504: search for attack paths by the backtracking method, obtaining all possible attack paths that have P as the attack-target place;
Step S505: perform the above steps for every possible attack-target place;
Step S506: obtain all possible attack paths that exist in the target network;
Step S507: perform the quantitative calculation on the various paths and derive the probability of the different attack paths for the different attack targets.
In step S502, the detailed process of refining the attack-defense game strategy model is: where arcs (p_i, t) and (t, p_{i+1}) exist but the vulnerability between the two devices cannot be exploited, delete the arcs (p_i, t) and (t, p_{i+1}); otherwise leave them unchanged. Traverse all transitions and delete the isolated transitions. For the attack a_i represented by each transition given in the attack information, judge from its relation to the current place whether it stands in an attack relation: if the attack can act on device p_i and the pre-set of p_i is non-empty, add the label a_i to every transition in that pre-set. Traverse all devices so that all transitions are labeled; delete the transitions without a label and the arcs associated with them, delete the isolated places, and the refined model is obtained.
In step S504, the concrete method of the backtracking search for attack paths is: first mark the post-set p• of p as "used" and p as "0", and set up a set D with initial value D = {p} ∪ p•. For any b_i ∈ {b | b ∈ D ∧ b = 0}, mark the elements of •b_i ∩ {M − D} as "1", and repeat this operation until no qualifying b_i remains. For any c_i ∈ {c | c ∈ D ∧ c = 1}, mark the elements of •c_i ∩ {M − D} as "used", and repeat this operation until no qualifying c_i remains. Repeat the above steps until the pre-transition set •D of D is contained in D.
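The refining operation of step S502 and the backtracking search of step S504, as an added example that is not code from the patent. The net is a bipartite graph of places (device/authority states) and transitions (atomic attacks carrying an attack label), the refinement drops arcs of unexploitable transitions, unlabeled or isolated transitions and isolated places, and the search takes the backward closure D of the target (until the pre-set of D lies inside D) and then expands forwards from every place in D with an empty pre-set. The "0"/"1"/"used" marks of the page are collapsed into membership in D; device names, attack labels and the unexploitable set are constructed sample data.

```python
"""Refinement and backtracking attack-path search over a place/transition
attack model (added example; names and data are constructed)."""


class AttackNet:
    def __init__(self):
        self.places = set()
        self.transitions = {}   # transition name -> attack label (None = unlabelled)
        self.arcs = set()       # (source, destination) pairs

    def add_place(self, *names):
        self.places.update(names)

    def add_transition(self, name, label, pre_place, post_place):
        self.transitions[name] = label
        self.arcs.add((pre_place, name))
        self.arcs.add((name, post_place))

    def pre(self, node):    # the pre-set of node
        return {s for s, d in self.arcs if d == node}

    def post(self, node):   # the post-set of node
        return {d for s, d in self.arcs if s == node}


def refine(net, unexploitable):
    """Step S502: drop the arcs (p_i, t), (t, p_i+1) of transitions whose
    vulnerability cannot be exploited, drop transitions that are then isolated
    or carry no attack label, and finally drop places no arc touches."""
    net.arcs = {(s, d) for s, d in net.arcs
                if s not in unexploitable and d not in unexploitable}
    live = {t for t, label in net.transitions.items()
            if label is not None and (net.pre(t) or net.post(t))}
    net.arcs = {(s, d) for s, d in net.arcs
                if (s in net.places or s in live) and (d in net.places or d in live)}
    net.transitions = {t: net.transitions[t] for t in live}
    net.places = {p for p in net.places if net.pre(p) or net.post(p)}
    return net


def attack_paths(net, target):
    """Step S504 in simplified form: D is the backward closure of the target;
    every place in D with an empty pre-set is a starting point, and all simple
    forward paths inside D that end at the target are enumerated."""
    D = {target}
    frontier = [target]
    while frontier:                      # repeat until the pre-set of D lies in D
        node = frontier.pop()
        for prev in net.pre(node):
            if prev not in D:
                D.add(prev)
                frontier.append(prev)
    sources = sorted(p for p in D if p in net.places and not net.pre(p))
    paths = []

    def walk(node, path):
        if node == target:
            paths.append(path)
            return
        for nxt in sorted(net.post(node)):
            if nxt in D and nxt not in path:   # simple paths only
                walk(nxt, path + [nxt])

    for source in sources:
        walk(source, [source])
    return paths


def devices_on(path):
    """Project a path onto its places (device/authority states)."""
    return [node for node in path if ":" in node]


def build_sample():
    """Constructed four-host net: the attacker starts with user rights on IP0."""
    net = AttackNet()
    net.add_place("IP0:user", "IP1:user", "IP2:user", "IP1:root", "IP3:user")
    net.add_transition("t1", "a1", "IP0:user", "IP1:user")
    net.add_transition("t2", "a2", "IP0:user", "IP2:user")
    net.add_transition("t3", "a3", "IP2:user", "IP1:user")
    net.add_transition("t4", "a4", "IP1:user", "IP1:root")
    net.add_transition("t5", "a5", "IP2:user", "IP3:user")
    return net


if __name__ == "__main__":
    for path in attack_paths(build_sample(), "IP1:root"):
        print(" -> ".join(devices_on(path)))
```

Running it lists the two routes to root on IP1; refining the same net with "t3" marked unexploitable removes the route through IP2, which is the effect of the arc deletion in step S502.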
Embodiment two of said step S500 is described below.
Step S510': calculate the average number of tokens m_i at each place of the attack-defense game strategy model in the steady state;
Step S520': set up the set {IP_i} of nodes that occur in possible attack paths, and mark the same node under different attack paths as IP_i(1, …, n_j);
Step S530': calculate the vulnerability weight σ_i by the following formula and sort the network nodes according to the vulnerability weight:
$$\sigma_i = \sum_{j=1}^{n_j} m_i^{j}$$
Wherein IP_i(1, …, n_j) denotes node IP_i under the n_j paths.
An embodiment is described below. Algorithm 6: network vulnerable node calculation method, as shown in Figure 6.
Step S601: to calculate the vulnerability of the network nodes, first calculate the average number of tokens m_i at each place of the attack-defense game strategy model in the steady state;
Step S602: set up the set {IP_i} of nodes that occur in possible attack paths;
Step S603: mark the same node under different attack paths as IP_i(1, …, n_j);
Step S604: calculate the vulnerability weight σ_i according to formula (3);
Step S605: according to the above results, sort the network nodes by vulnerability weight.
In step S604, formula (3) is:
$$\sigma_i = \sum_{j=1}^{n_j} m_i^{j} \qquad (3)$$
Wherein IP_i(1, …, n_j) denotes node IP_i under the n_j paths. The one or several nodes with the largest weight values computed by the above algorithm are regarded as the vulnerable nodes in the target network.
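Algorithm 6 carried through on constructed data, as an added example that is not code from the patent. The steady-state average token counts m_i^j of node IP_i under path j would come from the attack-defense game strategy model; here they are sample numbers. Each node is tagged with the paths it occurs in (steps S602 and S603), σ_i is summed over those paths (formula (3)), and the nodes are ranked (step S605). Node names and values are constructed.

```python
"""Vulnerability-weight ranking of network nodes (added example; the token
counts and node names are constructed sample data)."""


def tag_nodes(paths):
    """Steps S602-S603: node set plus, per node, the indices of the paths it occurs in."""
    tags = {}
    for j, path in enumerate(paths):
        for node in path:
            tags.setdefault(node, set()).add(j)
    return tags


def vulnerability_weights(paths, tokens):
    """Step S604: sigma_i = sum over the paths j containing node i of m_i^j,
    where tokens[(node, j)] is the steady-state average token count."""
    sigma = {}
    for node, path_ids in tag_nodes(paths).items():
        sigma[node] = sum(tokens.get((node, j), 0.0) for j in sorted(path_ids))
    return sigma


def rank_nodes(sigma):
    """Step S605: most vulnerable first; ties broken by name for determinism."""
    return sorted(sigma, key=lambda node: (-sigma[node], node))


# Constructed: three attack paths and average token counts per (node, path).
PATHS = [["IP0", "IP1"], ["IP0", "IP2", "IP1"], ["IP0", "IP2", "IP3"]]
TOKENS = {("IP0", 0): 0.5, ("IP1", 0): 0.3,
          ("IP0", 1): 0.5, ("IP2", 1): 0.25, ("IP1", 1): 0.1,
          ("IP0", 2): 0.5, ("IP2", 2): 0.2, ("IP3", 2): 0.05}

if __name__ == "__main__":
    weights = vulnerability_weights(PATHS, TOKENS)
    for node in rank_nodes(weights):
        print(node, round(weights[node], 4))
```

Note that the attacker's entry point IP0 appears in every path and therefore accumulates the largest weight; the page's own experiment treats the entry node as given, so in practice the ranking is read over the internal nodes only.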
Establishing quantifiable and operable correlation-analysis and security-evaluation indices is the most direct presentation of the results of a network attack-defense experiment and the final goal of realizing the practical value of the above model.
A specific embodiment of the present invention is shown in Figure 7.
A typical enterprise network is taken as the experimental object; using the model and analysis method proposed above, a number of attack-defense behaviors are deduced in the experimental environment. The topology of the target network, shown in Figure 7, can be divided into an external network and an internal network. The attacker can attack each target node in the intranet through the extranet; the intranet here consists of a web server, a data center and several terminal nodes. They are interconnected through network devices such as routers and switches, and security devices such as firewalls and intrusion detection devices may also be connected in the enterprise network.
According to the description method for the device model and the topology model, the information description of the network environment can be obtained, including the device vulnerability information (Table 1), the device connection information (Table 2) and the attack information (Table 3). The relevance between these pieces of information must be considered, since a network attack usually intrudes precisely by exploiting these associations. Through Algorithm 1 and Algorithm 2, the stochastic Petri net attack model is generated from the above information. The attack ability λ and success rate q described by each transition are assigned; by step S400, the description of payoff utility is introduced into the stochastic Petri net attack model, and Algorithm 3 is used to compute the attacker's attack strategy π under the equilibrium condition.
Table 1: device vulnerability information (given as an image in the original; not reproduced here)
Table 2: device connection information (given as an image in the original; not reproduced here)
Table 3: attack information (given as an image in the original; not reproduced here)
A stochastic game net model from the protection perspective can similarly be built for the above vulnerabilities and attack means, i.e. the defense-perspective stochastic game net model. According to step S400, combining the above role-separated stochastic game net models yields the attack-defense game strategy model. At this point the correlation analysis and security evaluation can begin, including the attack success probability, attack path calculation and vulnerable node calculation.
Attack success probability: the probability that the attacker succeeds in attacking a given target. The success probability of selecting behavior i at place k can be expressed as
(expression given as an image in the original; not reproduced here)
Therefore, for the attacker at each place k in the game strategy model, the success rates of all attacks that may be launched can be described by the following probability vector:
$$p_{attack}(a^{k}) = \big(p_{attack}(a_{1}^{k}), \ldots, p_{attack}(a_{m_k}^{k})\big)$$
Therefore p_attack = {p_attack(a^k) | i = 1, …, n} will be used to set the decision vector in the game strategy model. To continue the attack at place k, the attacker must consider not only which atomic attack behavior brings him the greater payoff, but also which behavior has the greater possibility of success. Assuming a unified expression of the payoff and cost of a transition, the success probability of the attack chosen by the attacker at place k in order to reach the final target place can be calculated as follows:
$$p_{attack}(a_{i}^{k}) = P[M(p_r) \neq 0] = 1 - P[M(p_r) = 0]$$
Wherein M(p_r) denotes the number of tokens at place p_r, and p_r denotes the place of the attack result; that is, the success probability of the attack behavior (expression given as an image in the original) denotes the probability that the number of tokens in the result place is not empty.
Attack path: the attack path studied here refers to the process by which a normal node in the target network that may be attacked reaches a terminal node defined according to requirements. In this patent, the attacker obtaining root authority on the target network node is taken as the end state at which the attack finishes, because at that moment the attack can be implemented successfully. So the attack path here consists of a series of network devices with connection relationships; at the same time, according to the calculation of the attack success probability, the probability that the attacker successfully traverses this path can be calculated by the following formula:
(formula given as an image in the original; not reproduced here)
Wherein the first symbol (given as an image in the original) denotes the probability that the attacker successfully traverses path i; N denotes the total number of nodes traversed on this path; the second symbol (given as an image in the original) denotes the importance degree of the k-th node in the path; and the third symbol (given as an image in the original) completes the formula. The attack paths can then be obtained according to Algorithm 5.
Taking the three network nodes IP1, IP3 and IP4 in the target network as the target nodes of attack, their respective attack paths can be obtained, and after calculation their respective probabilities; the final results are as follows:
Target of attack is IP1:
{(IP0,1)(IP1,3)}(0.9614),
{(IP0,1)(IP2,2)(IP1,3)}(0.6412),
{(IP0,1)(IP1,2)(IP1,3)}(0.6411),
{(IP0,1)(IP2,3)(IP1,2)(IP1,3)}(0.4811);
Target of attack is IP3:
{(IP0,1)(IP2,3)(IP3,2)(IP3,3)}(0.2589),
{(IP0,1)(IP2,3)(IP3,3)}(0.3451),
{(IP0,1)(IP2,3)(IP4,2)(IP3,3)}(0.2589),
{(IP0,1)(IP2,3)(IP4,2)(IP3,2)(IP3,3)}(0.2071)
Target of attack is IP4:
{(IP0,1)(IP2,3)(IP4,2)(IP4,3)}(0.2589),
{(IP0,1)(IP2,3)(IP4,3)}(0.3451),
{(IP0,1)(IP2,3)(IP3,2)(IP4,3)}(0.2589),
{(IP0,1)(IP2,3)(IP3,2)(IP4,2)(IP4,3)}(0.2071)
Through the analysis of the attack paths, the vulnerability weight of each network node in the network that may be attacked can be calculated for the different attack targets, as follows:
Target network node    Vulnerability weight calculation result
IP1                    0.9237
IP2                    0.0006
IP3                    0.0349
IP4                    0.0349
Using the present invention, a typical enterprise-network attack-defense instance has been modeled and security-analyzed: rapid modeling of the target network, correlation analysis and quantitative calculation were realized, and finally the attack paths by which this network system may suffer a network attack and the vulnerability weight of each network node that may be attacked were derived, which can provide a valuable reference for the network administrator in carrying out targeted security protection.
A system for detecting network security is shown in Figure 8.
The attack graph generation module 100 is used to generate an attack graph comprising attack nodes and state nodes according to the initial state of the network devices, the connection relationships between the devices and the vulnerability information of the devices; an attack node is a possible attack state in the network, and a state node is a specific target in the network that may be attacked.
In an embodiment, the attack graph generation module 100 further comprises:
a network device queue generation submodule, used to add the initial device name and authority to the network device queue and at the same time generate the initial state node;
a device vulnerability queue establishing submodule, used to start from the initial state node, take a device and the authority of said device from the network device queue, and generate a new connected-device queue and a new device vulnerability queue;
a device vulnerability queue vulnerability-adding submodule, used to query the device connection relationships according to the name of the currently taken device, obtain the names of all devices connected to said device, and add to the connected-device queue the names and authorities of the devices that are connected to said device and have not yet been added to the connected-device queue, the added devices being the next-level devices of the taken device; and to query the vulnerabilities of the taken connected device and of all devices connected to the taken device, and add those vulnerabilities to the device vulnerability queue;
a connected-device queue device-taking submodule, used to take from the connected-device queue a not-yet-taken device connected to the taken device as the new taken device; if none can be taken, this submodule is executed for the upper-level device, otherwise the judging submodule is started;
a judging submodule, used, when all devices connected to the new taken device have already been added to the connected-device queue, to start the connected-device queue device-taking submodule for the previously taken device, and otherwise to start the device vulnerability queue vulnerability-adding submodule for the new taken device, until all devices in the network have been traversed;
an exploitability traversal submodule, used to take a vulnerability from the device vulnerability queue, query the attack knowledge base by the vulnerability name to obtain the exploitation method information of the vulnerability, and judge whether the vulnerability is exploitable; if it is exploitable, generate a state node and an attack node, otherwise discard the vulnerability and continue judging the next vulnerability, until every vulnerability in the device vulnerability queue has been judged; connect the attack nodes with the state nodes to generate the attack graph, and add the attack-result authority to said device vulnerability queue.
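The attack graph generation procedure of module 100 carried through on constructed data, as an added example that is not code from the patent. The page's network device, connected-device and vulnerability queues are folded into one worklist of (device, authority) state nodes: for each state taken, the vulnerabilities of the device itself and of its connected devices are looked up in the attack knowledge base, each exploitable one yields an attack node and a result state node, and the result authority is queued for further expansion. Device names, vulnerability labels and the knowledge base are constructed sample data, and the "requires"/"grants" fields are an assumed shape for the knowledge base entry.

```python
"""Attack-graph generation from device connectivity, vulnerability
information and an attack knowledge base (added example; all data constructed)."""
from collections import deque

# Constructed knowledge base: "requires" is the foothold an exploit needs,
# "remote" (any connected device) or an authority already held on the same device.
KNOWLEDGE = {
    "VULN-A": {"exploitable": True,  "requires": "remote", "grants": "user"},
    "VULN-B": {"exploitable": True,  "requires": "user",   "grants": "root"},
    "VULN-C": {"exploitable": True,  "requires": "remote", "grants": "user"},
    "VULN-D": {"exploitable": False, "requires": "remote", "grants": "root"},
}
# Constructed device connection information and per-device vulnerability information.
CONNECTIONS = {"IP0": ["IP1", "IP2"], "IP1": ["IP0", "IP2"],
               "IP2": ["IP0", "IP1", "IP3"], "IP3": ["IP2"]}
VULNS = {"IP1": ["VULN-A", "VULN-B"], "IP2": ["VULN-C"], "IP3": ["VULN-D"]}


def generate_attack_graph(start, start_auth, connections, vulns, knowledge):
    """Return (state_nodes, attack_nodes, edges) from the attacker's initial foothold.
    State nodes are (device, authority); attack nodes are (device, vulnerability)."""
    states = {(start, start_auth)}
    attacks, edges = set(), set()
    work = deque([(start, start_auth)])
    while work:
        dev, auth = work.popleft()
        # Candidate devices: the taken device itself and its connected devices.
        for target in [dev] + connections.get(dev, []):
            for vuln in vulns.get(target, []):
                info = knowledge.get(vuln)
                if info is None or not info["exploitable"]:
                    continue                       # unknown or unexploitable: discard
                if info["requires"] == "remote":
                    if target == dev:
                        continue                   # remote exploits need a neighbour
                elif target != dev or info["requires"] != auth:
                    continue                       # local escalation needs that authority here
                attack = (target, vuln)
                result = (target, info["grants"])
                attacks.add(attack)
                edges.add(((dev, auth), attack))   # state node -> attack node
                edges.add((attack, result))        # attack node -> result state node
                if result not in states:
                    states.add(result)
                    work.append(result)            # result authority joins the queue
    return states, attacks, edges


def build_sample_graph():
    return generate_attack_graph("IP0", "user", CONNECTIONS, VULNS, KNOWLEDGE)


if __name__ == "__main__":
    states, attacks, edges = build_sample_graph()
    for src, dst in sorted(edges):
        print(src, "->", dst)
```

IP3 never becomes a state node because its only vulnerability is recorded as unexploitable, which is the discard branch of the exploitability traversal submodule.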
The stochastic Petri net model conversion module 200 is used to convert the attack graph into a stochastic Petri net model for the set target node.
In an embodiment, the stochastic Petri net model conversion module is further used to:
take a state node of the attack graph; if the state node is a target node, delete all attack nodes connected to said state node;
if the state node is not a target node, count the out-degree of said state node, the out-degree being the number of attack nodes connected to the state node; if the out-degree is not greater than 1, take the next state node and continue the judgement;
when the out-degree is greater than 1, indicating that said state node has attack branches, take one attack branch of said state node and generate an immediate transition;
connect the state node with the immediate transition to generate a selection state, the selection state being the process by which the current state node reaches the next state node through the immediate transition, and connect the immediate transition with the selection state;
connect the selection state with the attack node connected after the currently taken state node, decrement the out-degree by 1, and perform the judgement from the beginning until all state nodes have been traversed;
generate a cycle-time transition and the target node, connect the target node with the cycle-time transition, connect the cycle-time transition with the start node, and generate the stochastic Petri net model.
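The conversion of module 200 carried through on a constructed attack graph, as an added example that is not code from the patent. State nodes become places and attack nodes become timed transitions; a state node with out-degree greater than 1 gets one immediate transition and one selection place per attack branch; attack nodes leaving the target node are dropped; and a cycle-time transition returns tokens from the target to the start node. Node names and the sample graph are constructed, and the tuple encoding of the generated transitions and places is an assumption of this example.

```python
"""Attack graph to stochastic Petri net skeleton (added example; the graph
and the naming of generated nodes are constructed)."""


def attack_graph_to_spn(states, attacks, edges, start, target):
    """Return (places, transitions, arcs); transitions maps name -> kind."""
    states, attacks = set(states), set(attacks)
    # Step 31: attack nodes that leave the target node are deleted.
    kept = {a for (src, a) in edges if src in states and src != target and a in attacks}
    places = set(states)
    transitions = {a: "timed" for a in kept}
    arcs = {(a, dst) for (a, dst) in edges if a in kept}   # attack -> result state
    for s in sorted(states):
        if s == target:
            continue
        branches = sorted(a for (src, a) in edges if src == s and a in kept)
        if len(branches) <= 1:                  # Step 32: out-degree <= 1, no choice
            for a in branches:
                arcs.add((s, a))
            continue
        for idx, a in enumerate(branches):      # Steps 33-35: one branch at a time
            imm = ("imm", s, idx)               # immediate transition
            sel = ("sel", s, idx)               # selection state (a place)
            transitions[imm] = "immediate"
            places.add(sel)
            arcs.update({(s, imm), (imm, sel), (sel, a)})
    cycle = ("cycle", target)                   # Step 36: cycle-time transition
    transitions[cycle] = "timed"
    arcs.update({(target, cycle), (cycle, start)})
    return places, transitions, arcs


def immediate_count(transitions):
    return sum(1 for kind in transitions.values() if kind == "immediate")


# Constructed attack graph in the shape produced by the attack graph generation
# module: (device, authority) state nodes and (device, vulnerability) attack nodes.
STATES = {("IP0", "user"), ("IP1", "user"), ("IP2", "user"), ("IP1", "root")}
ATTACKS = {("IP1", "VULN-A"), ("IP1", "VULN-B"), ("IP2", "VULN-C")}
EDGES = {
    (("IP0", "user"), ("IP1", "VULN-A")), (("IP1", "VULN-A"), ("IP1", "user")),
    (("IP0", "user"), ("IP2", "VULN-C")), (("IP2", "VULN-C"), ("IP2", "user")),
    (("IP1", "user"), ("IP1", "VULN-B")), (("IP1", "VULN-B"), ("IP1", "root")),
    (("IP1", "user"), ("IP2", "VULN-C")),
    (("IP2", "user"), ("IP1", "VULN-A")),
}


def build_sample_spn():
    return attack_graph_to_spn(STATES, ATTACKS, EDGES, ("IP0", "user"), ("IP1", "root"))


if __name__ == "__main__":
    places, transitions, arcs = build_sample_spn()
    print(len(places), "places,", len(transitions), "transitions,", len(arcs), "arcs")
```

In the sample, (IP0, user) and (IP1, user) each have two outgoing attacks, so the net gains four immediate transitions and four selection places, while (IP2, user) with a single attack is connected directly.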
The attack-perspective and defense-perspective stochastic game net model generation module 300 is used to introduce the strategy and utility information of attack behavior on the stochastic Petri net model to generate the attack-perspective stochastic game net model, and to introduce the strategy and utility information of defense behavior on the stochastic Petri net model to generate the defense-perspective stochastic game net model.
The attack-defense game strategy model generation module 400 is used, for each place in the attack-perspective and defense-perspective stochastic game net models, to have the attacker and defender of the game select behaviors according to the strategies under the equilibrium condition, calculate the expected utility matrix, calculate the equilibrium value of the place according to the expected utility matrix, and derive the attacker's and defender's equilibrium strategy vectors from the equilibrium value; to introduce the equilibrium strategies respectively into the attack-perspective and defense-perspective stochastic game net models; and to merge the attack-perspective and defense-perspective stochastic game net models to generate the attack-defense game strategy model.
In an embodiment, the attack-defense game strategy model generation module 400 is further used to:
initialize the expected utility; for each place p_i in the attack-perspective and defense-perspective stochastic game net models, calculate the expected utility matrix U(p_i) = [γ_kl] by the following formula, and assign the values to the player set N(i), the player set comprising the attacker and the defender;
(formula given as an image in the original; not reproduced here)
wherein c_kl denotes the attacker's loss after failure at place p_i (this value is negative), r_kl denotes the attacker's payoff at place p_i when the attacker selects behavior a_k and the defender selects d_l, δ_i ∈ [0, 1] denotes the discount factor, and U(p_i) is specifically represented as follows:
$$U(p_i) = \begin{bmatrix} \gamma_{11} & \cdots & \gamma_{1m} \\ \vdots & \gamma_{kl} & \vdots \\ \gamma_{n1} & \cdots & \gamma_{nm} \end{bmatrix}$$
wherein the behaviors selected by the attacker are denoted a_1, …, a_k, …, a_n, the behaviors selected by the defender are denoted d_1, …, d_k, …, d_n, and r_kl denotes the attacker's payoff when the attacker selects behavior a_k and the defender selects behavior d_l;
for each place p_i in the attack-perspective and defense-perspective stochastic game net models, calculate the players' equilibrium strategy (symbol given as an image in the original) by the following formula:
$$\pi_{i}^{m} \leftarrow \mathrm{Solve}[U(p_i)]$$
wherein Solve[U(p_i)] denotes solving [U(p_i)], and the resulting equilibrium probabilities are assigned to the equilibrium strategy (symbol given as an image in the original);
the equilibrium probabilities calculated through the player set N(i) represent the players' behavioral strategies; output the equilibrium strategy vector (symbol given as an image in the original);
assign the equilibrium strategy vectors respectively to the attack-perspective and defense-perspective stochastic game net models, and combine the attack-perspective and defense-perspective stochastic game net models into the attack-defense game strategy model.
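The equilibrium computation of module 400 on constructed utility matrices, as an added example that is not code from the patent. The page leaves Solve[U(p_i)] unspecified, so this example assumes U(p_i) is a zero-sum matrix game (rows are the attacker's behaviors a_k, columns the defender's behaviors d_l, entries the attacker's payoff γ_kl) and returns the game value together with both players' mixed equilibrium strategies: exactly for any game with a saddle point and for 2 × 2 games without one; larger games without a saddle point need a linear programme, which the example does not implement. The place names and matrix values are constructed.

```python
"""Equilibrium strategies from expected utility matrices (added example; the
zero-sum reading of U(p_i) is an assumption and the matrices are constructed)."""


def _unit(index, size):
    return [1.0 if k == index else 0.0 for k in range(size)]


def saddle_point(U):
    """Pure-strategy equilibrium when max_k min_l gamma_kl == min_l max_k gamma_kl."""
    rows, cols = len(U), len(U[0])
    row_mins = [min(U[k]) for k in range(rows)]
    col_maxs = [max(U[k][l] for k in range(rows)) for l in range(cols)]
    maximin, minimax = max(row_mins), min(col_maxs)
    if maximin == minimax:
        return (maximin,
                _unit(row_mins.index(maximin), rows),
                _unit(col_maxs.index(minimax), cols))
    return None


def solve_matrix_game(U):
    """Solve[U(p_i)]: returns (value, attacker_strategy, defender_strategy)."""
    pure = saddle_point(U)
    if pure is not None:
        return pure
    if len(U) == 2 and len(U[0]) == 2:
        (a, b), (c, d) = U
        den = a - b - c + d             # non-zero whenever there is no saddle point
        x = (d - c) / den               # attacker probability of a_1 (indifference)
        y = (d - b) / den               # defender probability of d_1 (indifference)
        return (a * d - b * c) / den, [x, 1.0 - x], [y, 1.0 - y]
    raise NotImplementedError("n x m games without a saddle point need an LP solver")


def equilibrium_vectors(utility_by_place):
    """Steps 42-44: solve every place and collect the equilibrium strategy vectors."""
    return {p: solve_matrix_game(U) for p, U in utility_by_place.items()}


# Constructed U(p_i) for two places: p1 has no saddle point, p2 has one.
UTILITY = {
    "p1": [[3.0, -1.0], [-2.0, 2.0]],
    "p2": [[1.0, 2.0], [0.0, 3.0]],
}

if __name__ == "__main__":
    for place, (value, attacker, defender) in equilibrium_vectors(UTILITY).items():
        print(place, round(value, 4), attacker, defender)
```

At p1 neither player has a dominant behavior, so the equilibrium mixes both: the attacker plays each behavior with probability 1/2 and the defender guards against a_1 with probability 3/8, giving the attacker an expected utility of 0.5. At p2 the saddle point (a_1, d_1) fixes both strategies as pure.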
The network security detection module 500 is used to perform network security detection using the attack-defense game strategy model.
In embodiment one, the network security detection module 500 is further used to:
calculate the steady-state parameters of the attack-defense game strategy model, the steady-state parameters being the selection of attack paths, and generate the set of attack-target places;
for the attack-defense game strategy model, if the stochastic Petri net model contains arcs (p_i, t) and (t, p_{i+1}) but the vulnerability that exists between the two devices cannot be exploited, delete the arcs (p_i, t) and (t, p_{i+1}), otherwise leave them unchanged; traverse all transitions and delete the isolated transitions; for the attack a_i represented by each transition given in the attack information, judge from its relation to the current place whether an attack relation exists, and if the attack can act on place p and the set of pre-placed attack-target places of p is non-empty, add the label a_i to every transition in that set; traverse all devices so that all transitions are labeled, delete the transitions without a label and the arcs associated with them, delete the isolated places, and obtain the refined attack-defense game strategy model;
choose place p as the attack-target place and search for attack paths by the backtracking method;
search for attack paths by the backtracking method for every possible attack-target place, obtaining all possible attack paths that exist in the target network;
perform the quantitative calculation on the various paths and derive the probability of the different attack paths for the different attack targets.
Further, when searching for attack paths by the backtracking method, the network security detection module 500 is further used to:
mark the post-set p• of place p as "used" and mark place p as "0", where 0 denotes the empty tuple containing no value, and set up a set D whose initial value is D = {p} ∪ p•;
for any b_i ∈ {b | b ∈ D ∧ b = 0}, mark the elements of •b_i ∩ {M − D} as "1", where {M − D} denotes the elements that remain in M (the set of all places) after the elements of D are removed; repeat the marking operation until no b_i ∈ {b | b ∈ D ∧ b = 0} satisfies the condition;
for any c_i ∈ {c | c ∈ D ∧ c = 1}, mark the elements of •c_i ∩ {M − D} as "used"; repeat the marking operation until no c_i ∈ {c | c ∈ D ∧ c = 1} satisfies the condition;
repeat the preceding operations until the pre-transition set •D of D is contained in D;
taking d_j ∈ {d | d ∈ D ∧ •d = φ} as the starting point, expand according to the labels of the transitions, obtaining all possible attack paths that have place P as the attack-target place.
In embodiment two, the network security detection module 500 is further used to:
calculate the average number of tokens m_i at each place of the attack-defense game strategy model in the steady state;
set up the set {IP_i} of nodes that occur in possible attack paths, and mark the same node under different attack paths as IP_i(1, …, n_j);
calculate the vulnerability weight σ_i by the following formula and sort the network nodes according to the vulnerability weight:
$$\sigma_i = \sum_{j=1}^{n_j} m_i^{j}$$
wherein IP_i(1, …, n_j) denotes node IP_i under the n_j paths.
Those skilled in the art can make various modifications to the above without departing from the spirit and scope of the present invention as defined by the claims. Therefore the scope of the present invention is not limited to the above description but is determined by the scope of the claims.

Claims (14)

1. A method for detecting network security, characterized in that it comprises:
Step 1: according to the initial state of the devices in the network, the connection relationships between the devices and the vulnerability information of the devices, generating an attack graph comprising attack nodes and state nodes; an attack node being a possible attack state in the network, and a state node being a specific target in the network that may be attacked;
Step 2: converting the attack graph into a stochastic Petri net model for the set target node;
Step 3: introducing the strategy and utility information of attack behavior on the stochastic Petri net model to generate an attack-perspective stochastic game net model; introducing the strategy and utility information of defense behavior on the stochastic Petri net model to generate a defense-perspective stochastic game net model;
Step 4: for each place in the attack-perspective and defense-perspective stochastic game net models, the attacker and defender of the game selecting behaviors according to the strategies under the equilibrium condition, calculating the expected utility matrix, calculating the equilibrium value of the place according to the expected utility matrix, and deriving the attacker's and defender's equilibrium strategy vectors from the equilibrium value; introducing the equilibrium strategies respectively into the attack-perspective and defense-perspective stochastic game net models; merging the attack-perspective and defense-perspective stochastic game net models to generate an attack-defense game strategy model;
Step 5: performing network security detection using the attack-defense game strategy model.
2. The method for detecting network security according to claim 1, characterized in that
said step 1 further comprises:
Step 21: adding the initial device name and authority to the network device queue and at the same time generating the initial state node;
Step 22: starting from the initial state node, taking a device and the authority of said device from the network device queue, and generating a new connected-device queue and a new device vulnerability queue;
Step 23: querying the device connection relationships according to the name of the currently taken device, obtaining the names of all devices connected to said device, and adding to the connected-device queue the names and authorities of the devices that are connected to said device and have not yet been added to the connected-device queue, the added devices being the next-level devices of the taken device; querying the vulnerabilities of the taken connected device and of all devices connected to the taken device, and adding those vulnerabilities to the device vulnerability queue;
Step 24: taking from the connected-device queue a not-yet-taken device connected to the taken device as the new taken device; if none can be taken, performing step 24 for the upper-level device, otherwise performing step 25;
Step 25: if all devices connected to the new taken device have already been added to the connected-device queue, performing step 24 for the previously taken device, otherwise performing step 23 for the new taken device, until all devices in the network have been traversed;
Step 26: taking a vulnerability from the device vulnerability queue, querying the attack knowledge base by the vulnerability name to obtain the exploitation method information of the vulnerability, and judging whether the vulnerability is exploitable; if it is exploitable, generating a state node and an attack node, otherwise discarding the vulnerability and continuing to judge the next vulnerability, until every vulnerability in the device vulnerability queue has been judged; connecting the attack nodes with the state nodes to generate the attack graph, and adding the attack-result authority to said device vulnerability queue.
3. The method for detecting network security according to claim 1, characterized in that
said step 2 further comprises:
Step 31: taking a state node of the attack graph; if the state node is a target node, deleting all attack nodes connected to said state node;
Step 32: if the state node is not a target node, counting the out-degree of said state node, the out-degree being the number of attack nodes connected to the state node; if the out-degree is not greater than 1, taking the next state node and performing step 31 to continue the judgement;
Step 33: when the out-degree is greater than 1, indicating that said state node has attack branches, taking one attack branch of said state node and generating an immediate transition;
Step 34: connecting the state node with the immediate transition to generate a selection state, the selection state being the process by which the current state node reaches the next state node through the immediate transition, and connecting the immediate transition with the selection state;
Step 35: connecting the selection state with the attack node connected after the currently taken state node, decrementing the out-degree by 1, and performing step 31 until all state nodes have been traversed;
Step 36: generating a cycle-time transition and the target node, connecting the target node with the cycle-time transition, connecting the cycle-time transition with the start node, and generating the stochastic Petri net model.
4. The method for detecting network security according to claim 1, characterized in that
said step 4 further comprises:
Step 41: initializing the expected utility; for each place p_i in the attack-perspective and defense-perspective stochastic game net models, calculating the expected utility matrix U(p_i) = [γ_kl] by the following formula, and assigning the values to the player set N(i), the player set comprising the attacker and the defender;
(formula given as an image in the original; not reproduced here)
wherein c_kl denotes the attacker's loss after failure at place p_i (this value is negative), r_kl denotes the attacker's payoff at place p_i when the attacker selects behavior a_k and the defender selects d_l, δ_i ∈ [0, 1] denotes the discount factor, and U(p_i) is specifically represented as follows:
$$U(p_i) = \begin{bmatrix} \gamma_{11} & \cdots & \gamma_{1m} \\ \vdots & \gamma_{kl} & \vdots \\ \gamma_{n1} & \cdots & \gamma_{nm} \end{bmatrix}$$
wherein the behaviors selected by the attacker are denoted a_1, …, a_k, …, a_n, the behaviors selected by the defender are denoted d_1, …, d_k, …, d_n, and r_kl denotes the attacker's payoff when the attacker selects behavior a_k and the defender selects behavior d_l;
Step 42: for each place p_i in the attack-perspective and defense-perspective stochastic game net models, calculating the players' equilibrium strategy by the following formula:
$$\pi_{i}^{m} \leftarrow \mathrm{Solve}[U(p_i)]$$
wherein Solve[U(p_i)] denotes solving [U(p_i)], and the resulting equilibrium probabilities are assigned to the equilibrium strategy (symbol given as an image in the original);
Step 43: the equilibrium probabilities calculated through the player set N(i) representing the players' behavioral strategies, outputting the equilibrium strategy vector (symbol given as an image in the original);
Step 44: assigning the equilibrium strategy vectors respectively to the attack-perspective and defense-perspective stochastic game net models, and combining the attack-perspective and defense-perspective stochastic game net models into the attack-defense game strategy model.
5. The method for detecting network security according to claim 1, characterized in that
said step 5 further comprises:
Step 51: calculating the steady-state parameters of the attack-defense game strategy model, the steady-state parameters being the selection of attack paths, and generating the set of attack-target places;
Step 52: for the attack-defense game strategy model, if the stochastic Petri net model contains arcs (p_i, t) and (t, p_{i+1}) but the vulnerability that exists between the two devices cannot be exploited, deleting the arcs (p_i, t) and (t, p_{i+1}), otherwise leaving them unchanged; traversing all transitions and deleting the isolated transitions; for the attack a_i represented by each transition given in the attack information, judging from its relation to the current place whether an attack relation exists, and if the attack can act on place p and the set of pre-placed attack-target places of p is non-empty, adding the label a_i to every transition in that set; traversing all devices so that all transitions are labeled, deleting the transitions without a label and the arcs associated with them, deleting the isolated places, and obtaining the refined attack-defense game strategy model;
Step 53: choosing place p as the attack-target place and searching for attack paths by the backtracking method;
Step 54: performing step 53 for every possible attack-target place, obtaining all possible attack paths that exist in the target network;
Step 55: performing the quantitative calculation on the various paths and deriving the probability of the different attack paths for the different attack targets.
6. The method for detecting network security according to claim 1, characterized in that
said step 5 further comprises:
Step 61: calculating the average number of tokens m_i at each place of the attack-defense game strategy model in the steady state;
Step 62: setting up the set {IP_i} of nodes that occur in possible attack paths, and marking the same node under different attack paths as IP_i(1, …, n_j);
Step 63: calculating the vulnerability weight σ_i by the following formula and sorting the network nodes according to the vulnerability weight:
$$\sigma_i = \sum_{j=1}^{n_j} m_i^{j}$$
wherein IP_i(1, …, n_j) denotes node IP_i under the n_j paths.
7. The method for detecting network security according to claim 5, characterized in that
searching attack paths by backtracking in said step 53 further comprises:
Step 71: marking the post-set of transitions p• of the starting place p as "used" and marking place p as "0", where a 0-tuple denotes that no value is included; setting up a set D whose initial value is D = {p} ∪ p•;
Step 72: for any b_i ∈ {b | b ∈ D ∧ b = 0}, marking the elements of •b_i ∩ {M − D} as "1", where {M − D} denotes the set of elements remaining after the elements of set D are removed from M (the set of all places); repeating the marking operation until no b_i ∈ {b | b ∈ D ∧ b = 0} satisfying the condition remains;
Step 73: for any c_i ∈ {c | c ∈ D ∧ c = 1}, marking the elements of •c_i ∩ {M − D} as "used"; repeating the marking operation until no c_i ∈ {c | c ∈ D ∧ c = 1} satisfying the condition remains;
Step 74: repeating steps 71 to 73 until the pre-set of transitions •D of D satisfies •D ∈ D;
Step 75: taking d_j ∈ {d | d ∈ D ∧ •d = φ} as starting points and expanding according to the marks of the transitions, to obtain all possible attack paths having place p as the attack target place.
8. A system for detecting network security, characterized in that it comprises:
an attack graph generation module, for generating an attack graph comprising attack nodes and state nodes according to the initial state of the devices in the network, the connection relationships between devices, and the vulnerability information of the devices; an attack node is a possible attack state in the network, and a state node is a specific target in the network that may be attacked;
a stochastic Petri net model conversion module, for converting the attack graph into a stochastic Petri net model with respect to the set target node;
an attack-perspective and defense-perspective stochastic game net model generation module, for introducing the strategy and utility information of attack behaviour on the stochastic Petri net model to generate the stochastic game net model of the attack perspective, and introducing the strategy and utility information of defensive behaviour on the stochastic Petri net model to generate the stochastic game net model of the defense perspective;
an attack-defense game strategy model generation module, for, at each place of the stochastic game net models of the attack perspective and of the defense perspective, calculating the expected utility matrix from the behaviours that the attacker and the defender of the game select according to their strategies under the equilibrium condition, calculating the equilibrium value of the place from the expected utility matrix, deriving the equilibrium strategy vectors of the attacker and the defender from the equilibrium value, introducing the equilibrium strategies into the stochastic game net models of the attack perspective and of the defense perspective respectively, and merging the stochastic game net model of the attack perspective with that of the defense perspective to generate the attack-defense game strategy model;
a network security detection module, for detecting network security by means of the attack-defense game strategy model.
9. The system for detecting network security according to claim 8, characterized in that
said attack graph generation module further comprises:
a network device queue generation submodule, for adding the initial device name and privilege to the network device queue and simultaneously generating the initial state node;
a device vulnerability queue establishment submodule, for, starting from the initial state node, taking a device and the privilege on said device from the network device queue, and generating a new connected device queue and a new device vulnerability queue;
a device vulnerability queue vulnerability-adding submodule, for querying the device connection relationships according to the name of the device currently taken, obtaining the names of all devices connected to said device, and adding the names and privileges of those devices that are connected to said device but not yet in the connected device queue to the connected device queue, the added devices being the next-level devices of the taken device; and for querying the vulnerabilities of the taken connected device and of all devices connected to the taken device, and adding those vulnerabilities to the device vulnerability queue;
a connected device queue device-taking submodule, for taking from the connected device queue a not-yet-taken device connected to the taken device as the new taken device; if such a device exists, it becomes the new taken device; otherwise, returning to the upper-level device, taking from the connected device queue a not-yet-taken device connected to it, and starting the judgement submodule;
a judgement submodule, for, when all devices connected to the new taken device have already been added to the connected device queue, starting the connected device queue device-taking submodule for the original taken device, and otherwise starting the device vulnerability queue vulnerability-adding submodule for the new taken device, until all devices in the network have been traversed;
an exploitability traversal submodule, for taking a vulnerability from the device vulnerability queue, querying the attack knowledge base by vulnerability name to obtain the exploitation method information of this vulnerability, and judging whether this vulnerability can be exploited; if it can, generating a state node and an attack node, and otherwise discarding this vulnerability and continuing to judge the next vulnerability; after all vulnerabilities in the device vulnerability queue have been judged, connecting the attack nodes with the state nodes to generate the attack graph, and adding the attack result privilege to said device vulnerability queue.
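As an added illustration of the queue-based traversal of claim 9 (example code written for this page, not the patent's own implementation): the devices, privileges, connection relationships and vulnerability identifiers are constructed sample data, the attack knowledge base is a dictionary standing in for the lookup by vulnerability name, and the privilege ordering `none < user < root` in `PRIV_RANK` is an assumption. A vulnerability with no exploitation method is discarded, and the privilege gained by a successful step becomes a new queue entry, as the claim describes.

```python
from collections import deque

# Constructed sample data (not from the patent): directed reachability between
# devices, vulnerabilities per device, and a stand-in attack knowledge base.
CONNECTIONS = {
    "internet": ["web"],
    "web": ["app", "mail"],
    "app": ["db"],
    "mail": ["db"],
    "db": [],
}

# device -> [(vulnerability id, privilege gained on that device)]
DEVICE_VULNS = {
    "web": [("VULN-WEB-1", "user")],
    "app": [("VULN-APP-1", "root"), ("VULN-APP-2", "user")],
    "mail": [("VULN-MAIL-1", "user")],
    "db": [("VULN-DB-1", "root"), ("VULN-DB-2", "user")],
}

# vulnerability id -> (privilege required on the attacking device, exploitable?)
# Stands in for the "attack knowledge base" queried by vulnerability name.
KNOWLEDGE_BASE = {
    "VULN-WEB-1": ("none", True),
    "VULN-APP-1": ("user", True),
    "VULN-APP-2": ("user", False),   # no exploitation method known: discarded
    "VULN-MAIL-1": ("user", True),
    "VULN-DB-1": ("root", True),
    "VULN-DB-2": ("user", True),
}

# Assumed privilege ordering (not given on the page).
PRIV_RANK = {"none": 0, "user": 1, "root": 2}


def privilege_satisfies(held, required):
    return PRIV_RANK[held] >= PRIV_RANK[required]


def generate_attack_graph(start_device, start_privilege):
    """Breadth-first traversal over the device queue of claim 9.

    Returns (state_nodes, attack_nodes, edges):
      state_nodes  - set of (device, privilege) pairs the attacker may hold
      attack_nodes - set of (from_state, vulnerability id, to_state)
      edges        - list of (node, node) pairs, state -> attack -> state
    """
    start = (start_device, start_privilege)
    state_nodes = {start}
    attack_nodes = set()
    edges = []
    queue = deque([start])                     # the "network device queue"
    while queue:
        device, priv = queue.popleft()
        for nxt in CONNECTIONS.get(device, []):              # connected device queue
            for vuln_id, gained in DEVICE_VULNS.get(nxt, []):  # vulnerability queue
                required, exploitable = KNOWLEDGE_BASE.get(vuln_id, ("root", False))
                if not exploitable or not privilege_satisfies(priv, required):
                    continue                   # discard this vulnerability
                new_state = (nxt, gained)
                attack = ((device, priv), vuln_id, new_state)
                if attack in attack_nodes:
                    continue
                attack_nodes.add(attack)
                edges.append(((device, priv), attack))
                edges.append((attack, new_state))
                if new_state not in state_nodes:   # attack result privilege
                    state_nodes.add(new_state)     # becomes a new queue entry
                    queue.append(new_state)
    return state_nodes, attack_nodes, edges


def out_degree(attack_nodes, state):
    """Number of attack nodes leaving a state node: the out-degree that the
    conversion module of claim 10 uses to detect a branching point."""
    return sum(1 for src, _, _ in attack_nodes if src == state)


if __name__ == "__main__":
    states, attacks, edges = generate_attack_graph("internet", "none")
    for src, vuln, dst in sorted(attacks):
        print(f"{src} --{vuln}--> {dst}")
    print("branching at (web, user):", out_degree(attacks, ("web", "user")))
```

With the constructed data the graph has six state nodes and six attack nodes; the state `(web, user)` has out-degree 2 (the `app` and `mail` branches), which is exactly the case in which claim 10 inserts an immediate transition and a selection state.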
10. The system for detecting network security according to claim 8, characterized in that
said stochastic Petri net model conversion module is further used for:
taking a state node of the attack graph; if the state node is a target node, deleting all attack nodes connected to said state node;
if the state node is not a target node, counting the out-degree of said state node, the out-degree being the number of attack nodes connected to the state node; if the out-degree is not greater than 1, taking the next state node and continuing the judgement;
when the out-degree is greater than 1, which indicates that an attack exists at said state node, taking one attack branch of said state node and generating an immediate transition;
connecting the state node and the immediate transition and generating a selection state, the selection state being the process by which the current state node reaches the next state node through the immediate transition; connecting the immediate transition and the selection state;
connecting the selection state with the attack node connected after the current state node taken, decrementing the out-degree by 1, and carrying out the judgement from the beginning until all state nodes have been traversed;
generating a timed cycle transition and the target node, connecting the target node with the timed cycle transition and the timed cycle transition with the start node, and generating the stochastic Petri net model.
11. The system for detecting network security according to claim 8, characterized in that
said attack-defense game strategy model generation module is further used for:
initialising the expected utility and, for each place p_i in the stochastic game net models of the attack perspective and of the defense perspective, calculating the expected utility matrix U(p_i) = [γ_kl] by the following formula and assigning the values to the player set N(i), the player set comprising the attacker and the defender;
where c_kl denotes the attacker's loss after failure at place p_i, this value being negative, r_kl denotes the attacker's reward at place p_i when the attacker selects behaviour a_k and the defender selects d_l, δ_i ∈ [0, 1] denotes the discount factor, and U(p_i) is specifically expressed as:
U(p_i) = \begin{bmatrix} \gamma_{11} & \cdots & \gamma_{1m} \\ \vdots & & \vdots \\ \cdots & \gamma_{kl} & \cdots \\ \vdots & & \vdots \\ \gamma_{n1} & \cdots & \gamma_{nm} \end{bmatrix}
where the behaviours selected by the attacker are denoted a_1, ..., a_k, ..., a_n, the behaviours selected by the defender are denoted d_1, ..., d_k, ..., d_n, and r_kl denotes the attacker's reward when the attacker selects behaviour a_k and the defender selects behaviour d_l;
for each place p_i in the stochastic game net models of the attack perspective and of the defense perspective, calculating the players' equilibrium strategies by the following formula [Figure FDA0000026736680000073]:
\pi_i^m \leftarrow \mathrm{Solve}[U(p_i)]
where Solve[U(p_i)] denotes solving [U(p_i)], and the resulting equilibrium probabilities are assigned to the equilibrium strategy [Figure FDA0000026736680000075];
representing the players' behavioural strategies by the equilibrium probabilities calculated through the player set N(i), and outputting the equilibrium strategy vector [Figure FDA0000026736680000076];
assigning the equilibrium strategy vectors to the stochastic game net models of the attack perspective and of the defense perspective respectively, and combining the stochastic game net model of the attack perspective with that of the defense perspective into the attack-defense game strategy model.
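The page leaves `Solve[U(p_i)]` unspecified, and the rule that combines c_kl, r_kl and δ_i into γ_kl does not survive on it. The added example below (written for this page, not the patent's own code) therefore takes U(p_i) as a constructed input, with rows for the attacker's behaviours a_1..a_n, columns for the defender's behaviours d_1..d_m and entries holding the attacker's expected utility, and solves the zero-sum matrix game by fictitious play, the simplest way to obtain a mixed equilibrium without a linear-programming library. The per-place loop over `UTILITY_BY_PLACE` mirrors the claim's "for each place p_i"; place names and matrix values are constructed.

```python
# Added example: the "Solve[U(p_i)]" step of claim 11 realised as fictitious
# play on a zero-sum matrix game.  Rows are the attacker's behaviours
# a_1..a_n, columns the defender's behaviours d_1..d_m, entries the attacker's
# expected utility gamma_kl.  All matrices and place names are constructed.


def solve_zero_sum(U, iterations=20000):
    """Approximate the equilibrium (mixed) strategies of the matrix game U.

    Returns (x, y, lower, upper):
      x, y   - empirical strategy of the attacker (rows) and defender (columns)
      lower  - utility the attacker guarantees with x (minimum over columns)
      upper  - utility the defender can hold the attacker to with y
    The game value v satisfies lower <= v <= upper, and the gap shrinks as the
    number of iterations grows.
    """
    n, m = len(U), len(U[0])
    row_counts, col_counts = [0] * n, [0] * m
    # cumulative payoff of each pure action against the opponent's history
    row_score, col_score = [0.0] * n, [0.0] * m
    for _ in range(iterations):
        k = max(range(n), key=lambda i: row_score[i])   # attacker's best reply
        l = min(range(m), key=lambda j: col_score[j])   # defender's best reply
        row_counts[k] += 1
        col_counts[l] += 1
        for i in range(n):
            row_score[i] += U[i][l]
        for j in range(m):
            col_score[j] += U[k][j]
    x = [c / iterations for c in row_counts]
    y = [c / iterations for c in col_counts]
    lower = min(sum(x[i] * U[i][j] for i in range(n)) for j in range(m))
    upper = max(sum(y[j] * U[i][j] for j in range(m)) for i in range(n))
    return x, y, lower, upper


def equilibrium_strategies(utility_by_place):
    """Claim 11's per-place loop: place p_i -> (attacker strategy, defender
    strategy), the pair that the claim assigns back to the game net models."""
    return {place: solve_zero_sum(U)[:2] for place, U in utility_by_place.items()}


# Constructed utility matrices for two places.  p1 has no pure saddle point, so
# both players must mix; p2 has one, so both play a pure behaviour.
UTILITY_BY_PLACE = {
    "p1": [[3, -1],
           [-2, 4]],
    "p2": [[1, 2],
           [0, 3]],
}

if __name__ == "__main__":
    for place, (x, y) in equilibrium_strategies(UTILITY_BY_PLACE).items():
        print(place, "attacker:", [round(v, 3) for v in x],
              "defender:", [round(v, 3) for v in y])
```

For `p1` the exact equilibrium is attacker (0.6, 0.4), defender (0.5, 0.5) with value 1, and the empirical strategies converge to it; for `p2` both players settle on their first behaviour. From the defender's side the vector y is the mix of defensive behaviours that minimises the attacker's best achievable utility at that place, which is the quantity the claim feeds back into the defense-perspective model.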
12. The system for detecting network security according to claim 8, characterized in that
said network security detection module is further used for:
calculating the steady-state parameters of the attack-defense game strategy model, the steady-state parameters governing the selection of attack paths, and generating the set of attack target places;
for the attack-defense game strategy model, if the arcs (p_i, t) and (t, p_{i+1}) exist in the stochastic Petri net model but the vulnerability existing between the devices cannot be exploited, deleting the arcs (p_i, t) and (t, p_{i+1}), and otherwise leaving them unchanged; traversing all transitions and deleting isolated transitions; according to the attack a_i represented by the transition given in the attack information, judging whether an attack relation exists with the current place; if the attack can act on place p and the preceding attack-target place set of place p is non-empty, adding the mark a_i to all transitions in the preceding attack-target place set of place p; traversing all devices and marking all transitions; deleting the unmarked transitions together with the arcs associated with them, and deleting isolated places, to obtain the refined attack-defense game strategy model;
selecting place p as the attack target place, and searching attack paths by backtracking;
searching attack paths by backtracking for all possible attack target places, to obtain all possible attack paths existing in the target network;
carrying out the quantitative calculation for the various paths, to obtain the probabilities of the different attack paths for the different attack targets.
13. The system for detecting network security according to claim 8, characterized in that
said network security detection module is further used for:
calculating the average number of tokens m_i in each place of the attack-defense game strategy model at steady state;
establishing the set {IP_i} of nodes that occur in the possible attack paths, and marking the same node under different attack paths as IP_i(1, ..., n_j);
calculating the vulnerability weight σ_i by the following formula, and sorting the network nodes according to the vulnerability weight:
\sigma_i = \sum_{j=1}^{n_j} m_i^j
where IP_i(1, ..., n_j) denotes node IP_i under the n_j paths.
14. The system for detecting network security according to claim 12, characterized in that
said network security detection module, when searching attack paths by backtracking, is further used for:
marking the post-set of transitions p• of the starting place p as "used" and marking place p as "0", where a 0-tuple denotes that no value is included; setting up a set D whose initial value is D = {p} ∪ p•;
for any b_i ∈ {b | b ∈ D ∧ b = 0}, marking the elements of •b_i ∩ {M − D} as "1", where {M − D} denotes the set of elements remaining after the elements of set D are removed from M (the set of all places); repeating the marking operation until no b_i ∈ {b | b ∈ D ∧ b = 0} satisfying the condition remains;
for any c_i ∈ {c | c ∈ D ∧ c = 1}, marking the elements of •c_i ∩ {M − D} as "used"; repeating the marking operation until no c_i ∈ {c | c ∈ D ∧ c = 1} satisfying the condition remains;
repeating the preceding operations until the pre-set of transitions •D of D satisfies •D ∈ D;
taking d_j ∈ {d | d ∈ D ∧ •d = φ} as starting points and expanding according to the marks of the transitions, to obtain all possible attack paths having place p as the attack target place.
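The three detection steps of claims 12, 13 and 14 (and their method counterparts in claims 5 to 7) fit one worked example, added here and not the patent's own code: the net is first refined by dropping transitions whose vulnerability cannot be exploited (claim 12), attack paths to a target place are then enumerated by a backward search (claim 14), and the places are ranked by the vulnerability weight σ_i = Σ_j m_i^j (claim 13). The net, the exploitability verdicts and the steady-state token counts m_i^j are constructed sample data; the backward search is a plain depth-first search from the target place to the source places rather than the patent's marking procedure with the "0", "1" and "used" labels, and it yields the same set of simple paths for an acyclic net.

```python
# Added example (not the patent's own code): net refinement, backward
# attack-path enumeration and vulnerability-weight ranking.  All data below is
# constructed; place names describe the attacker state they stand for.

# Constructed net: places are attacker states, transitions are attack steps.
#   transition name -> (input place p_i, output place p_{i+1}, vulnerability)
TRANSITIONS = {
    "t1": ("s0_internet", "s1_web", "VULN-WEB-1"),
    "t2": ("s1_web", "s2_app_root", "VULN-APP-1"),
    "t3": ("s1_web", "s3_mail", "VULN-MAIL-1"),
    "t4": ("s2_app_root", "s4_db_root", "VULN-DB-1"),
    "t5": ("s2_app_root", "s5_db_user", "VULN-DB-2"),
    "t6": ("s3_mail", "s5_db_user", "VULN-DB-2"),
    "t7": ("s1_web", "s6_backup", "VULN-BACKUP-1"),   # removed by refinement
}

# Constructed exploitability verdicts (the attack knowledge base's answer).
EXPLOITABLE = {"VULN-WEB-1": True, "VULN-APP-1": True, "VULN-MAIL-1": True,
               "VULN-DB-1": True, "VULN-DB-2": True, "VULN-BACKUP-1": False}

# Constructed steady-state token counts m_i^j: for each attack path j (keyed by
# the path itself) the average number of tokens in each place i on that path.
TOKENS = {
    ("s0_internet", "s1_web", "s2_app_root", "s5_db_user"):
        {"s0_internet": 1.0, "s1_web": 0.8, "s2_app_root": 0.5, "s5_db_user": 0.3},
    ("s0_internet", "s1_web", "s3_mail", "s5_db_user"):
        {"s0_internet": 1.0, "s1_web": 0.8, "s3_mail": 0.6, "s5_db_user": 0.25},
}


def refine(transitions, exploitable):
    """Claim 12: drop every transition whose vulnerability cannot be exploited
    (its arcs (p_i, t) and (t, p_{i+1}) go with it) and any place left with no
    arc at all.  Returns (kept transitions, surviving places)."""
    kept = {name: arc for name, arc in transitions.items()
            if exploitable.get(arc[2], False)}
    places = {p for pre, post, _ in kept.values() for p in (pre, post)}
    return kept, places


def attack_paths(transitions, target):
    """Claim 14: every simple path (list of places) from a source place, one
    with no incoming transition, to `target`, found by searching backwards."""
    incoming = {}
    for name, (pre, post, _) in transitions.items():
        incoming.setdefault(post, []).append((pre, name))
    paths = []

    def back(place, suffix, seen):
        if place not in incoming:            # source place: the path is complete
            paths.append(suffix)
            return
        for pre, _name in incoming[place]:
            if pre in seen:                  # never revisit a place (no cycles)
                continue
            back(pre, [pre] + suffix, seen | {pre})

    back(target, [target], {target})
    return paths


def vulnerability_weights(paths, tokens):
    """Claim 13: sigma_i = sum over the paths j that contain place i of m_i^j.
    Returns [(place, sigma)] sorted from most to least vulnerable."""
    sigma = {}
    for path in paths:
        m = tokens[tuple(path)]
        for place in path:
            sigma[place] = sigma.get(place, 0.0) + m[place]
    return sorted(sigma.items(), key=lambda kv: kv[1], reverse=True)


if __name__ == "__main__":
    kept, places = refine(TRANSITIONS, EXPLOITABLE)
    paths = attack_paths(kept, "s5_db_user")
    for path in paths:
        print(" -> ".join(path))
    for place, weight in vulnerability_weights(paths, TOKENS):
        print(f"{place:14s} sigma = {weight:.2f}")
```

Refinement removes `t7` and with it the place `s6_backup`, which no exploitable step reaches; two paths remain to `s5_db_user`, and the ranking puts `s1_web` above every place past it because it lies on both paths, which is the defender's reading of σ_i: a node that every path must pass through is the one where a single fix removes the most attack paths.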
Priority Applications (1)

Application Number Priority Date Filing Date Title
CN201010287612.5A CN102413003B (en) 2010-09-20 2010-09-20 Method and system for detecting network security

Publications (2)

Publication Number Publication Date
CN102413003A true CN102413003A (en) 2012-04-11
CN102413003B CN102413003B (en) 2014-09-10

Family

ID=45914865

Country Status (1)

Country Link
CN (1) CN102413003B (en)

Citations (3)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN1567810A (en) * 2004-03-29 2005-01-19 四川大学 Network security intrusion detecting system and method
US7013395B1 (en) * 2001-03-13 2006-03-14 Sandia Corporation Method and tool for network vulnerability analysis
CN101820413A (en) * 2010-01-08 2010-09-01 中国科学院软件研究所 Method for selecting optimized protection strategy for network security

Non-Patent Citations (1)

* Cited by examiner, † Cited by third party
Title
Wang Yuanzhuo et al.: "A quantitative analysis method for network attack and defense based on stochastic game models", Chinese Journal of Computers (计算机学报) *

Cited By (29)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN103152345B (en) * 2013-03-07 2015-09-16 南京理工大学常熟研究院有限公司 A kind of optimum attacking and defending decision-making technique of network security of attacking and defending game
CN103152345A (en) * 2013-03-07 2013-06-12 南京理工大学常熟研究院有限公司 Network safety optimum attacking and defending decision method for attacking and defending game
CN104539601A (en) * 2014-12-19 2015-04-22 北京航空航天大学 Reliability analysis method and system for dynamic network attack process
CN105991521B (en) * 2015-01-30 2019-06-21 阿里巴巴集团控股有限公司 Network risk assessment method and device
CN105991521A (en) * 2015-01-30 2016-10-05 阿里巴巴集团控股有限公司 Network risk assessment method and network risk assessment device
CN105939306A (en) * 2015-07-08 2016-09-14 北京匡恩网络科技有限责任公司 Network structure security analysis method based on connectivity
CN106534195A (en) * 2016-12-19 2017-03-22 杭州信雅达数码科技有限公司 Network attacker behavior analyzing method based on attack graph
CN106534195B (en) * 2016-12-19 2019-10-08 杭州信雅达数码科技有限公司 A kind of network attack person's behavior analysis method based on attack graph
CN107135221A (en) * 2017-05-10 2017-09-05 上海海事大学 A kind of method of gradual solution K maximum probability attack paths
CN107135221B (en) * 2017-05-10 2020-05-05 上海海事大学 Method for progressively solving K maximum probability attack path
CN107517201A (en) * 2017-07-28 2017-12-26 北京航空航天大学 A kind of network vulnerability discrimination method removed based on sequential
CN107517201B (en) * 2017-07-28 2020-11-13 北京航空航天大学 Network vulnerability identification method based on time sequence removal
CN109218276A (en) * 2017-08-01 2019-01-15 全球能源互联网研究院 A kind of network attack drawing generating method and system
US11552965B2 (en) * 2017-12-28 2023-01-10 Hitachi, Ltd Abnormality cause specification support system and abnormality cause specification support method
CN108470124A (en) * 2018-02-09 2018-08-31 华东师范大学 A kind of password reinforcement method based on fragile factorial analysis
CN108470124B (en) * 2018-02-09 2022-10-04 华东师范大学 Password strengthening method based on fragile factor analysis
CN108898010A (en) * 2018-06-25 2018-11-27 北京计算机技术及应用研究所 A method of establishing the attacking and defending Stochastic Game Model towards malicious code defending
CN110035066B (en) * 2019-03-13 2021-09-28 中国科学院大学 Attack and defense behavior quantitative evaluation method and system based on game theory
CN110035066A (en) * 2019-03-13 2019-07-19 中国科学院大学 A kind of attacking and defending behavior quantitative estimation method and system based on game theory
CN112003840B (en) * 2020-08-10 2021-11-26 武汉思普崚技术有限公司 Vulnerability detection method and system based on attack surface
CN111917792B (en) * 2020-08-10 2021-11-26 武汉思普崚技术有限公司 Method and system for analyzing and mining flow safety
CN112003840A (en) * 2020-08-10 2020-11-27 武汉思普崚技术有限公司 Vulnerability detection method and system based on attack surface
CN111935143A (en) * 2020-08-10 2020-11-13 武汉思普崚技术有限公司 Method and system for visualizing attack defense strategy
CN111917792A (en) * 2020-08-10 2020-11-10 武汉思普崚技术有限公司 Method and system for analyzing and mining flow safety
CN112261016A (en) * 2020-10-12 2021-01-22 国网甘肃省电力公司电力科学研究院 Power grid protection method in attack scene
CN112819300A (en) * 2021-01-21 2021-05-18 南京邮电大学 Power distribution network risk assessment method based on random game network under network attack
CN112819300B (en) * 2021-01-21 2024-04-30 南京邮电大学 Power distribution network risk assessment method based on random game network under network attack
CN114363095A (en) * 2022-03-18 2022-04-15 深圳市永达电子信息股份有限公司 System vulnerability analysis method, system and medium based on petri net
CN114363095B (en) * 2022-03-18 2022-07-12 深圳市永达电子信息股份有限公司 System vulnerability analysis method, system and medium based on petri net

Also Published As

Publication number Publication date
CN102413003B (en) 2014-09-10

Similar Documents

Publication Publication Date Title
CN102413003B (en) Method and system for detecting network security
CN110191083B (en) Security defense method and device for advanced persistent threat and electronic equipment
CN105871885B (en) A kind of network penetration test method
US9954897B2 (en) Methods and systems providing cyber security
CN103152345A (en) Network safety optimum attacking and defending decision method for attacking and defending game
CN106850607A (en) The quantitative estimation method of the network safety situation based on attack graph
CN103401838B (en) A kind of Botnet prevention method based on bot program dissemination
CN104579815B (en) The probabilistic model checking method of network defense strategy
CN110300106A (en) Mobile target based on Markov time game defends decision choosing method, apparatus and system
CN109714364A (en) A kind of network security defence method based on Bayes's improved model
CN108011894A (en) Botnet detecting system and method under a kind of software defined network
CN110061870A (en) Efficiency estimation method is combined with side based on node in a kind of Tactical Internet
CN114491541B (en) Automatic arrangement method of safe operation script based on knowledge graph path analysis
Adalı et al. An analysis of optimal link bombs
Shao et al. Multistage attack–defense graph game analysis for protection resources allocation optimization against cyber attacks considering rationality evolution
Luo et al. A fictitious play‐based response strategy for multistage intrusion defense systems
Liu et al. Network attack and defense game theory based on Bayes-Nash equilibrium
Moskal et al. Simulating attack behaviors in enterprise networks
Luo et al. A game theory based risk and impact analysis method for intrusion defense systems
CN114666107A (en) Advanced persistent threat defense method in mobile fog computing
Lin et al. The prediction algorithm of network security situation based on grey correlation entropy Kalman filtering
Huang et al. A network vulnerability assessment method using general attack tree
Zhu et al. Is Stubborn Mining Severe in Imperfect GHOST Bitcoin-like Blockchains? Quantitative Analysis
Jinfeng et al. An effects analysis method for C4ISR system structure based on information flow
Li et al. A Stochastic Game Model for Cloud Platform Security.

Legal Events

Date Code Title Description
C06 Publication
PB01 Publication
C10 Entry into substantive examination
SE01 Entry into force of request for substantive examination
C14 Grant of patent or utility model
GR01 Patent grant
EE01 Entry into force of recordation of patent licensing contract

Application publication date: 20120411

Assignee: Branch DNT data Polytron Technologies Inc

Assignor: Institute of Computing Technology, Chinese Academy of Sciences

Contract record no.: 2018110000033

Denomination of invention: Method and system for detecting network security

Granted publication date: 20140910

License type: Common License

Record date: 20180807

EE01 Entry into force of recordation of patent licensing contract