CN102724210A - Network security analytical method for solving K maximum probability attack graph (Google Patents)

Info

Publication number: CN102724210A
Authority: CN (China)
Prior art keywords: vulnerability, node, attack, attacker, information
Legal status: Granted (status listed by Google Patents, not a legal conclusion)
Application number: CN2012102245339A
Other languages: Chinese (zh)
Other versions: CN102724210B (en)
Inventors: 毕坤, 韩德志
Current assignee: Shanghai Maritime University
Original assignee: Shanghai Maritime University
Application filed by: Shanghai Maritime University
Priority to: CN201210224533.9A (patent CN102724210B)
Publications: CN102724210A, CN102724210B
Current legal status: Active

Landscapes

  • Computer And Data Communications (AREA)
  • Data Exchanges In Wide-Area Networks (AREA)

Abstract

The invention discloses a network security analysis method for solving the K maximum-probability attack graph. The method comprises: step (1) entering the system information and the value of the parameter K; step (2) initializing the system; step (3) collecting the nodes the attacker can currently attack; step (4) judging whether the available-vulnerability table is empty: if it is empty, proceeding to step (5); otherwise taking the vulnerability at the head of the available-vulnerability table and exploiting it, judging whether the number of attack paths already recorded for that node is smaller than K, and if so updating the exploitation information and the attacker's position and returning to step (3), otherwise returning to the beginning of step (4); and step (5) outputting the K most probable attack paths to every attacked node and terminating. By storing and accumulating the K most probable attack paths at each node, the method solves the problem of finding the K most probable attack paths to each attacked node.

Description

Network security analysis method for solving the K maximum-probability attack graph
Technical field
The present invention relates to a network security analysis method, and in particular to a network security analysis method for solving the K maximum-probability attack graph.
Background technology
Network security is one of the problems that companies providing network services care about most. Hacking incidents are on the rise, and the service interruptions and data leaks caused by hacker attacks have brought immeasurable losses to enterprise and individual users. Today, host security scanning and network security scanning technologies are relatively mature: they can find the security vulnerabilities on a given computer and supply patches for them. These scanning tools, however, lack any analysis of the security relationships between the individual vulnerabilities inside a system, while current hacker attacks have developed from single-step attacks that exploit a single system vulnerability into multi-step cascaded attacks that exploit several system vulnerabilities one after another to keep escalating the attacker's illegitimate privileges. In the multi-step cascaded attack mode, a hacker may exploit several different software vulnerabilities on computer A to escalate privileges step by step inside A, and may also exploit a remote vulnerability on computer B to launch an attack from A against B, thereby obtaining unauthorized access to B or causing serious consequences such as crashing the services on B. Effectively analyzing the multi-step cascaded attacks present in a given network is therefore of great significance for analyzing that network's security, and at the same time provides a valuable reference for network defence and vulnerability repair.
In the prior art, P. Ammann, D. Wijesekera and S. Kaushik published "Scalable, Graph-Based Network Vulnerability Analysis" in Proceedings of the 9th ACM Conference on Computer and Communications Security, 2002, pp. 217–224. Building on the paper "A graph-based system for network-vulnerability analysis" by C. Phillips and L. P. Swiler in Proceedings of the 1998 Workshop on New Security Paradigms, pp. 71–79, that article proposed the "monotonicity" assumption: a hacker's attack behaviour normally obtains more and more privileges, that is, the attacker's capability only ever increases. This assumption greatly reduces the size of the attack-graph state space while still describing most system security states, and it brings the complexity of computing the attack graph down from exponential to polynomial, so attack-graph algorithms can analyse larger networks. This method can compute the multi-step cascaded attacks present in a network, but it has certain problems: 1. the attack graph it builds contains every multi-step cascaded attack path in the network; when the network has many nodes such as hosts, servers and routers, the number of attack paths in the generated graph is large, which on the one hand makes the attack graph complex and hard to understand and on the other hand increases the computation needed to generate it; 2. the generated attack graph does not take into account the difficulty of exploiting each vulnerability: the method gives the attack steps for each network node but cannot directly compute the probability of successfully attacking each node.
Also in the prior art, Li Kai et al. published "Network Security Evaluation Algorithm Based on Access Level Vectors" in Proceedings of the 9th International Conference for Young Computer Scientists, 2008, pp. 1538–1544. Taking into account the different exploitability probabilities of the vulnerabilities in a system, and using the fact that a product of probabilities never increases, they proposed a method that computes the maximum-probability attack path to each node in the network. The method does not need to generate the complete attack graph and can compute the maximum-probability attack path for every node, but it still has a problem: it can only generate the single maximum-probability attack path to each network node, whereas a network security administrator usually needs to know the K most probable attack paths to each node (K is a positive integer that the administrator can set as required; K=1 gives the single maximum-probability attack path). Solving for the K maximum-probability attack paths allows the security vulnerabilities in the system to be understood and analysed better, the security posture of the system to be evaluated, and a reference to be provided for vulnerability repair.
Summary of the invention
To overcome the defects of the prior art described above, the present invention provides a network security analysis method for solving the K maximum-probability attack graph. For any node in the system, the method can solve for the K most probable attack paths to that node, and the value of the parameter K can be set by the network security administrator.
To achieve this goal, the technical scheme of the present invention is as follows.
The specific method of the present invention is:
Step (1). Enter the system information. The vulnerability information present on each node in the system, the attack-template knowledge base, the connection relationships between the nodes in the system and the value of the parameter K are the input data of the method. The vulnerability information of each node is built by scanning the system's nodes with host security scanning software of the prior art; the attack-template knowledge base is built by querying software vulnerability databases of the prior art (for example the well-known CVE, BugTraq and X-Force databases); and the exploitability probability of each vulnerability is obtained by querying the currently published common vulnerability assessment knowledge bases. The value of the parameter K states that the K most probable attack paths are to be generated for each node: if more than K attack paths reach a node, only the K paths with the highest success probability are kept; if fewer than K attack paths reach a node, all of them are kept and generating K paths is not required.
The host security scanning software is the 360 security suite.
The software vulnerability database is one of the CVE, BugTraq and X-Force databases.
Step (2). System initialization. The attack path information set kept by each node is initialized to the empty set, and the attacker's starting position is set.
Step (3). Starting from the attacker's current position, query the security vulnerabilities present on the nodes the attacker can directly access, and look up the attack-template knowledge base to obtain the descriptive information of each such vulnerability. If the vulnerability's exploitability precondition is satisfied, the vulnerability information is placed in the available-vulnerability table. The cumulative exploitability probability from the attacker is computed by multiplying together the exploitability probabilities of all vulnerabilities on the path from the attacker. The available-vulnerability table is a max-priority queue keyed on the cumulative exploitability probability, so the vulnerability with the largest cumulative probability is at the front of the queue.
Step (4). If the available-vulnerability table is empty, go to step (5). Otherwise, take the vulnerability with the largest cumulative probability out of the available-vulnerability table and remove it from the table, then judge whether the number of attack paths already present on the node of that vulnerability has reached K. If it has reached K, the information of this exploitation does not need to be kept, and execution returns to the start of step (4). If it is less than K, take the exploit consequence information of the vulnerability, write the information of this exploitation into the node's attack path information set, update the attacker's access privilege on the node according to the exploit consequence, and finally make this node the attacker's current position and go to step (3).
Each attack path is a five-tuple comprising the vulnerability number, the node the vulnerability is on, the exploitation path from the attacker, the cumulative exploitability probability from the attacker, and the exploit consequence information.
Step (5). The available-vulnerability table is empty; output the computed result. The K most probable attack paths to each node have already been written into that node's attack path information set, so they can be output directly.
Further, step (1) requires the value of the parameter K to be entered. The value of K states that the K most probable attack paths are to be generated for each node: if more than K attack paths reach a node, only the K paths with the highest success probability are kept; if fewer than K attack paths reach a node, all of them are kept and generating K paths is not required.
Further, step (1) requires the exploitability probability of each vulnerability in the system to be entered.
Further, the descriptive information of a vulnerability in step (3) comprises the exploitability precondition, the exploitability probability and the exploit consequence information. The vulnerability information is a four-tuple comprising the vulnerability number, the node the vulnerability is on, the exploitation path from the attacker, and the cumulative exploitability probability from the attacker.
Further, step (3) stores the available-vulnerability table in a max-priority-queue data structure keyed on the cumulative exploitability probability.
Further, step (4) takes the vulnerability with the largest cumulative probability out of the available-vulnerability table and exploits it.
Further, when step (4) exploits a vulnerability, it judges whether the number of attack paths already present on the node of that vulnerability has reached K; if it has reached K, the information of this exploitation is not kept. If the number is less than K, the exploit consequence information of the vulnerability is taken and the information of this exploitation is written into the node's attack path information set. Each attack path is a five-tuple comprising the vulnerability number, the node the vulnerability is on, the exploitation path from the attacker, the cumulative exploitability probability from the attacker, and the exploit consequence information.
With the network security analysis method for solving the K maximum-probability attack graph of the above technical scheme, storing the K attack paths with the largest cumulative probability at each node solves the problem of finding the K most probable attack paths to each node, and thereby solves the K maximum-probability attack graph. The value of the parameter K can be customized. Taking the success probability of an attack into account distinguishes the danger of the various multi-step cascaded attack paths more accurately, and compared with a single maximum-probability attack path, obtaining the K most probable attack paths to each node gives the network security administrator richer guidance. There is no need to build the complete system attack graph first and then solve for the K most probable paths on it from the exploitability probability of each vulnerability; instead, the K most probable paths to each node inside the system are obtained step by step while the attack graph is constructed dynamically.
Description of the drawings:
Fig. 1 is the flow chart of the method of the invention.
Fig. 2 is the network topology diagram.
Fig. 3 is the node access relationship diagram.
Fig. 4 is the vulnerability information table of each node.
Fig. 5 is available-vulnerability table one.
Fig. 6 is available-vulnerability table two.
Fig. 7 is available-vulnerability table three.
Fig. 8 is available-vulnerability table four.
Fig. 9 is available-vulnerability table five.
Fig. 10 is available-vulnerability table six.
Fig. 11 is available-vulnerability table seven.
Fig. 12 is available-vulnerability table eight.
Fig. 13 is available-vulnerability table nine.
Fig. 14 is available-vulnerability table ten.
Fig. 15 is available-vulnerability table eleven.
Fig. 16 is available-vulnerability table twelve.
Fig. 17 is the summary table of the K=2 maximum-probability attack path output for each node.
Embodiment:
To make the technical means, creative features and purpose of the present invention easy to understand, the present invention is further described below with reference to a specific embodiment.
The network topology of the present invention is shown in Fig. 2. Node A represents the attacker; nodes B, C, D, E and F represent the nodes of the given computer network system. A can access nodes B, C and D, and likewise the lines between nodes B, C, D, E and F represent the connection relationships between those nodes.
The access relationships between the nodes are shown in Fig. 3. From the second row on, each row gives the set of nodes that one node can access: "√" means direct access is possible and "X" means it is not; for example, the second row shows that the attacker can directly access the attacker's own position and nodes B, C and D, but not nodes E and F. Access relationships between nodes can be unidirectional or bidirectional. In the present invention the access relationship is defined as unidirectional, but in a concrete implementation it can be defined as unidirectional or bidirectional as the situation requires.
The vulnerability information initially held by each node is shown in Fig. 4. Each vulnerability record is a five-tuple comprising the vulnerability number, the node the vulnerability is on, the access precondition, the exploit consequence and the exploitability probability. The access precondition states what the attacker must possess to exploit the vulnerability, and the exploit consequence represents the result obtained by exploiting it successfully. An attack consequence can be obtaining privileges, obtaining data, stopping a computer service, destroying data and so on; in the present invention the attack consequence of every vulnerability is defined as the attacker obtaining control of that node. Once the attacker has obtained control of a node, the attacker can continue attacking other nodes from it, forming a multi-step cascaded attack. The main problem the present invention solves is computing, with the exploitability probabilities taken into account, the K most probable multi-step cascaded attack paths to each node.
As shown in Fig. 1, the specific steps of the method are as follows:
Step (1). Enter the system information: the vulnerability information present on each node, the attack-template knowledge base, the connection relationships between the nodes and the value of the parameter K are the input data of the method. In the present invention, Fig. 4 represents the node vulnerability information table, which already includes the attack-template knowledge base information, and the value of the parameter K is set to 2.
Step (2). System initialization: the attack path information set kept by each node is initialized to the empty set, and the attacker's starting position is set to outside the system, shown as node A in Fig. 2.
Step (3). Starting from the attacker's position, query the security vulnerabilities on the nodes the attacker can directly access. The attacker is currently outside the system; referring to Fig. 2 and Fig. 3, the attacker can access nodes B, C and D, and referring to Fig. 4, the vulnerabilities the attacker can exploit are: vulnerability V1 on node B, attack success probability 0.8; vulnerability V2 on node C, attack success probability 0.4; vulnerability V3 on node D, attack success probability 0.9. The available vulnerability information is placed in the available-vulnerability table; each vulnerability record is a four-tuple comprising the vulnerability number, the node the vulnerability is on, the exploitation path from the attacker, and the cumulative exploitability probability from the attacker. As shown in Fig. 5, the available-vulnerability table is a max-priority queue keyed on the cumulative exploitability probability, so the vulnerability with the largest cumulative probability is at the front of the queue. In the present invention the table is shown sorted by descending cumulative probability; in practice, taking the query, insertion and deletion operations into account, a max-priority-queue data structure is used. Referring to Fig. 5, the format of the "exploitation path from the attacker" is: the attacker, then the next node, with the number of the vulnerability exploited on that node in brackets after it. The first record in Fig. 5 reads AD (V3), meaning: A is the attacker, the next node is node D, and the vulnerability exploited on node D is V3.
Step (4). Take the vulnerability with the largest cumulative probability out of the available-vulnerability table, remove it from the table, and then use it to update the available-vulnerability table and the node's attack paths. From Fig. 5, the vulnerability with the largest cumulative probability in the current table is V3, with cumulative probability 0.9. The V3 record is taken out of the table; V3 belongs to node D, and node D currently has 0 attack path records, which is less than the parameter K=2, so this vulnerability is exploited to generate an attack path. According to Fig. 4, the exploit consequence of V3 is that the attacker obtains control of node D. Two things are then done: (1) add an attack path record for node D, namely attack path AD (V3) with attack success probability 0.9; (2) set the attacker's current position to node D, meaning the attacker can now launch new attacks from node D.
Step (5). Starting from the attacker's current position, node D, query the security vulnerabilities on the nodes the attacker can directly access. From Fig. 2 and Fig. 3, the attacker can access nodes C and F. From Fig. 4, the vulnerabilities the attacker can exploit are: (1) vulnerability V5 on node C, attack success probability 0.4. The probability that the attacker first succeeds against node D is 0.9, and the probability of then attacking node C through node D is 0.4, so the attacker's cumulative success probability (CPS) of attacking node C through node D is 0.9*0.4=0.36, i.e. the cumulative exploitability probability of V5 is 0.36. (2) Vulnerability V9 on node F, attack success probability 0.1. The probability that the attacker first succeeds against node D is 0.9, and the probability of then attacking node F through node D is 0.1, so the CPS of attacking node F through node D is 0.9*0.1=0.09, i.e. the cumulative exploitability probability of V9 is 0.09. These two available vulnerability records are placed in the available-vulnerability table. The first is (V5, C, AD (V3) C (V5), 0.36), where the attack path "AD (V3) C (V5)" means: starting from attacker A, first exploit vulnerability V3 on node D, and after obtaining control of node D, attack node C through node D by exploiting vulnerability V5 on node C. Vulnerability numbers are enclosed in brackets to distinguish them from node numbers; A denotes the attacker's starting position, so A is not followed by a "(vulnerability number)". The second record is (V9, F, AD (V3) F (V9), 0.09). The result of executing steps (4) and (5) is shown in Fig. 6.
Step (6). Take the vulnerability with the largest cumulative probability out of the available-vulnerability table, remove it from the table, and then use it to update the available-vulnerability table and the node's attack paths. From Fig. 6, the vulnerability with the largest cumulative probability in the current table is V1, with cumulative probability 0.8. The V1 record is taken out of the table; V1 belongs to node B, and node B currently has 0 attack path records, which is less than the parameter K=2, so this vulnerability is exploited to generate an attack path. According to Fig. 4, the exploit consequence of V1 is that the attacker obtains control of node B. Two things are then done: (1) add an attack path record for node B, namely attack path AB (V1) with attack success probability 0.8; (2) set the attacker's current position to node B, meaning the attacker can now launch new attacks from node B.
Step (7). Starting from the attacker's current position, node B, query the security vulnerabilities on the nodes the attacker can directly access. From Fig. 2 and Fig. 3, the attacker can access nodes C and E. From Fig. 4, the vulnerabilities the attacker can exploit are: (1) vulnerability V4 on node C, attack success probability 0.7. The probability that the attacker first succeeds against node B is 0.8, and the probability of then attacking node C through node B is 0.7, so the CPS of attacking node C through node B is 0.8*0.7=0.56, i.e. the cumulative exploitability probability of V4 is 0.56. (2) Vulnerability V6 on node E, attack success probability 0.3. The probability that the attacker first succeeds against node B is 0.8, and the probability of then attacking node E through node B is 0.3, so the CPS of attacking node E through node B is 0.8*0.3=0.24, i.e. the cumulative exploitability probability of V6 is 0.24. These two available vulnerability records are placed in the available-vulnerability table: the first is (V4, C, AB (V1) C (V4), 0.56) and the second is (V6, E, AB (V1) E (V6), 0.24). The result of executing steps (6) and (7) is shown in Fig. 7.
Step (8). Take the vulnerability with the largest cumulative probability out of the available-vulnerability table, remove it from the table, and then use it to update the available-vulnerability table and the node's attack paths. From Fig. 7, the vulnerability with the largest cumulative probability in the current table is V4, with cumulative probability 0.56. The V4 record is taken out of the table; V4 belongs to node C, and node C currently has 0 attack path records, which is less than the parameter K=2, so this vulnerability is exploited to generate an attack path. According to Fig. 4, the exploit consequence of V4 is that the attacker obtains control of node C. Two things are then done: (1) add an attack path record for node C, namely attack path AB (V1) C (V4) with attack success probability 0.56; (2) set the attacker's current position to node C, meaning the attacker can now launch new attacks from node C.
Step (9). Starting from the attacker's current position, node C, query the security vulnerabilities on the nodes the attacker can directly access. From Fig. 2 and Fig. 3, the attacker can access node E. From Fig. 4, the vulnerabilities the attacker can exploit are: (1) vulnerability V7 on node E, attack success probability 0.7. The CPS of the attacker attacking node C through node B is 0.56, and the probability of then attacking node E through node C is 0.7, so the CPS of attacking node E through nodes B and C is 0.56*0.7=0.392, i.e. the cumulative exploitability probability of V7 is 0.392. This available vulnerability record (V7, E, AB (V1) C (V4) E (V7), 0.392) is placed in the available-vulnerability table. The result of executing steps (8) and (9) is shown in Fig. 8.
Step (10). Take the vulnerability with the largest cumulative probability out of the available-vulnerability table, remove it from the table, and then use it to update the available-vulnerability table and the node's attack paths. From Fig. 8, the vulnerability with the largest cumulative probability in the current table is V2, with cumulative probability 0.4. The V2 record is taken out of the table; V2 belongs to node C, and node C currently has 1 attack path record, which is less than the parameter K=2, so this vulnerability is exploited to generate an attack path. According to Fig. 4, the exploit consequence of V2 is that the attacker obtains control of node C. Two things are then done: (1) add an attack path record for node C, namely attack path AC (V2) with attack success probability 0.4; (2) set the attacker's current position to node C, meaning the attacker can now launch new attacks from node C.
Step (11). Starting from the attacker's current position, node C, query the security vulnerabilities on the nodes the attacker can directly access. From Fig. 2 and Fig. 3, the attacker can access node E. From Fig. 4, the vulnerabilities the attacker can exploit are: (1) vulnerability V7 on node E, attack success probability 0.7. The CPS of the attacker attacking node C directly is 0.4, and the probability of then attacking node E through node C is 0.7, so the CPS of attacking node E directly through node C is 0.4*0.7=0.28, i.e. the cumulative exploitability probability of V7 on this attack path is 0.28. This available vulnerability record (V7, E, AC (V2) E (V7), 0.28) is placed in the available-vulnerability table. The result of executing steps (10) and (11) is shown in Fig. 9.
Step (12). Take the vulnerability with the largest cumulative probability out of the available-vulnerability table, remove it from the table, and then use it to update the available-vulnerability table and the node's attack paths. From Fig. 9, the vulnerability with the largest cumulative probability in the current table is V7, with cumulative probability 0.392. The V7 record is taken out of the table; V7 belongs to node E, and node E currently has 0 attack path records, which is less than the parameter K=2, so this vulnerability is exploited to generate an attack path. According to Fig. 4, the exploit consequence of V7 is that the attacker obtains control of node E. Two things are then done: (1) add an attack path record for node E, namely attack path AB (V1) C (V4) E (V7) with attack success probability 0.392; (2) set the attacker's current position to node E, meaning the attacker can now launch new attacks from node E.
Step (13). Starting from the attacker's current position, node E, query the security vulnerabilities on the nodes the attacker can directly access. From Fig. 2 and Fig. 3, the attacker can access node F. From Fig. 4, the vulnerabilities the attacker can exploit are: (1) vulnerability V8 on node F, attack success probability 0.7. The CPS of the attacker attacking node E through nodes B and C is 0.392, and the probability of then attacking node F through node E is 0.7, so the CPS of attacking node F through nodes B, C and E in turn is 0.392*0.7=0.2744, i.e. the cumulative exploitability probability of V8 on this attack path is 0.2744. This available vulnerability record (V8, F, AB (V1) C (V4) E (V7) F (V8), 0.2744) is placed in the available-vulnerability table. The result of executing steps (12) and (13) is shown in Fig. 10.
Step (14). take out the maximum leak information of cumulative probability value in the available leak table, and this leak information is removed from available leak table, utilize this leak information updating can use the leak table then, upgrade the node attack path.Can be known that by Figure 10 the maximum leak numbering of cumulative probability value is V5 in the current available leak table, corresponding cumulative probability value is 0.36.The information of V5 leak is taken out from available leak table, and this leak belongs to node C, and the upward corresponding attack path record count of current node C is 2; Equal the value of parameter K, this K=2 explains that the K bar attack path to node C generates; And the CPS value of this K bar attack path is all greater than current attack path; And utilizing consequence according to the leak that Fig. 4 inquires about leak V5 is that the assailant obtains the control authority on node C, identical with the attack consequence of the attack path that has generated to node C, so; This attack path does not need to keep, and need C be labeled as assailant's current location yet.The execution result in the 14 step is shown in figure 11.
Step (15). take out the maximum leak information of cumulative probability value in the available leak table, and this leak information is removed from available leak table, utilize this leak information updating can use the leak table then, upgrade the node attack path.Can be known that by Figure 11 the maximum leak numbering of cumulative probability value is V7 in the current available leak table, corresponding cumulative probability value is 0.28.The information of V7 leak is taken out from available leak table, and this leak belongs to node E, and the upward corresponding attack path record count of current node E is 1, and less than the value of parameter K, this K=2 generates attack path thereby therefore need utilize this leak.It is that the assailant obtains the control authority on node E that the leak of inquiring about leak V7 according to Fig. 4 utilizes consequence; Need do two work then: (1), the pairing attack path record of interpolation node E; Add attack path AC (V2) E (V7), the success attack probability is 0.28; (2), the current location of setting the assailant is node E, the expression assailant is current can to initiate new attack from node E.
Step (16). position E begins from assailant's present located, the security breaches that exist on the node that the inquiry assailant can directly visit.Can know the node F of assailant in can access system in conjunction with Fig. 2 and Fig. 3.Can be known that by Fig. 4 the leak information that the assailant can utilize comprises: the leak V8 on (1), the node F, success attack probability are 0.7.The assailant is 0.28 through the CPS that node C attacks node E; The probability of success through node E attack node F is 0.7 then; So; The assailant is 0.28*0.7=0.196 through the CPS of node C and node E attack node F successively, and promptly the availability cumulative probability value of leak V8 is 0.196 on this attack path.An above-mentioned available leak information (V8, F, AC (V2) E (V7) F (V8), 0.196) is put into available leak table.The execution result of step (15) and step (16) is shown in figure 12.
Step (17). take out the maximum leak information of cumulative probability value in the available leak table, and this leak information is removed from available leak table, utilize this leak information updating can use the leak table then, upgrade the node attack path.Can be known that by Figure 12 the maximum leak numbering of cumulative probability value is V8 in the current available leak table, corresponding cumulative probability value is 0.2744.The information of V8 leak is taken out from available leak table, and this leak belongs to node F, and the upward corresponding attack path record count of current node F is 0, and less than the value of parameter K, this K=2 generates attack path thereby therefore need utilize this leak.It is that the assailant obtains the control authority on node F that the leak of inquiring about leak V8 according to Fig. 4 utilizes consequence; Need do two work then: (1), the pairing attack path record of interpolation node F; Add attack path AB (V1) C (V4) E (V7) F (V8), the success attack probability is 0.2744; (2), the current location of setting the assailant is node F, the expression assailant is current can to initiate new attack from node F.
Step (18). position F begins from assailant's present located, the security breaches that exist on the node that the inquiry assailant can directly visit.Can know that in conjunction with Fig. 2 and Fig. 3 the assailant can not initiate new attack from node F, therefore also need not to upgrade available leak table.The execution result of step (17) and step (18) is shown in figure 13.
Step (19). take out the maximum leak information of cumulative probability value in the available leak table, and this leak information is removed from available leak table, utilize this leak information updating can use the leak table then, upgrade the node attack path.Can be known that by Figure 13 the maximum leak numbering of cumulative probability value is V6 in the current available leak table, corresponding cumulative probability value is 0.24.The information of V6 leak is taken out from available leak table, and this leak belongs to node E, and the upward corresponding attack path record count of current node E is 2; Equal the value of parameter K, this K=2 explains that the K bar attack path to node E generates; And the CPS value of this K bar attack path is all greater than current attack path; And utilizing consequence according to the leak that Fig. 4 inquires about leak V6 is that the assailant obtains the control authority on node E, identical with the attack consequence of the attack path that has generated to node E, so; This attack path does not need to keep, and need E be labeled as assailant's current location yet.The execution result of step (19) is shown in figure 14.
Step (20). take out the maximum leak information of cumulative probability value in the available leak table, and this leak information is removed from available leak table, utilize this leak information updating can use the leak table then, upgrade the node attack path.Can be known that by Figure 14 the maximum leak numbering of cumulative probability value is V8 in the current available leak table, corresponding cumulative probability value is 0.196.The information of V8 leak is taken out from available leak table, and this leak belongs to node F, and the upward corresponding attack path record count of current node F is 1, and less than the value of parameter K, this K=2 generates attack path thereby therefore need utilize this leak.It is that the assailant obtains the control authority on node F that the leak of inquiring about leak V8 according to Fig. 4 utilizes consequence; Need do two work then: (1), the pairing attack path record of interpolation node F; Add attack path AC (V2) E (V7) F (V8), the success attack probability is 0.196; (2), the current location of setting the assailant is node F, the expression assailant is current can to initiate new attack from node F.
Step (21). position F begins from assailant's present located, the security breaches that exist on the node that the inquiry assailant can directly visit.Can know that in conjunction with Fig. 2 and Fig. 3 the assailant can not initiate new attack from node F, therefore also need not to upgrade available leak table.The execution result of step (20) and step (21) is shown in figure 15.
Step (22). take out the maximum leak information of cumulative probability value in the available leak table, and this leak information is removed from available leak table, utilize this leak information updating can use the leak table then, upgrade the node attack path.Can be known that by Figure 15 the maximum leak numbering of cumulative probability value is V9 in the current available leak table, corresponding cumulative probability value is 0.09.The information of V9 leak is taken out from available leak table, and this leak belongs to node F, and the upward corresponding attack path record count of current node F is 2; Equal the value of parameter K, this K=2 explains that the K bar attack path to node F generates; And the CPS value of this K bar attack path is all greater than current attack path; And utilizing consequence according to the leak that Fig. 4 inquires about leak V9 is that the assailant obtains the control authority on node F, identical with the attack consequence of the attack path that has generated to node F, so; This attack path does not need to keep, and need F be labeled as assailant's current location yet.The execution result of step (22) is shown in figure 16.
Step (23). current available leak table has been empty, can be known by Fig. 1, and this moment, the K maximum probability attack path of each node generated, and exported the K of each node, and this K=2 maximum probability attack path is summarized in Figure 17.As can beappreciated from fig. 17; Node B and node D have respectively generated an attack path respectively; This is by the input of this case study on implementation decision, that is to say, for the K maximum probability attack path problem of finding the solution each node; If the Actual path clauses and subclauses sum of attacking certain node also is correct less than the K bar; Node C, node E and node F have generated two different maximum probability attack paths respectively; Can find out from the step of front; In fact the total number of attack path that can attack node C, node E or node F is greater than two; Because the value of input parameter K is 2, so algorithm has been preserved two maximum paths of probability.
Step (24). the algorithm end of run.
In the present invention, the visit relation between the definition node in practical implementation, can be defined as unidirectional or two-way for unidirectional based on situation; The definition leaky attack consequence be the control authority that the assailant obtains this node; In practical implementation; Can segment attacking consequence based on situation, but but as be divided into and obtain the read right write permission, can carry out authority, the reading system data, stop service; To the attack consequence of each subdivision, all can generate the maximum attack path of corresponding K bar probability then; The practical implementation step with the descending of available leak table according to the cumulative probability value, in practical application, is taken all factors into consideration data manipulations such as inquiry, insertion and deletion in explaining, uses maximum Priority Queues data structure, improves the operational efficiency of algorithm.
More than show and described basic principle of the present invention, principal character and advantage of the present invention.The technical staff of the industry should understand; The present invention is not restricted to the described embodiments; That describes in the foregoing description and the specification just explains principle of the present invention; The present invention also has various changes and modifications under the prerequisite that does not break away from spirit and scope of the invention, and these variations and improvement all fall in the scope of the invention that requires protection.The present invention requires protection range to be defined by appending claims and equivalent thereof.

Claims (7)

1. A network security analysis method for solving a K maximum-probability attack graph, characterized in that the concrete steps of the method are:
Step (1). Input system information; the vulnerability information present on each node in the system, the attack template knowledge base information, the access relations between the nodes in the system and the value of parameter K are the input data of this method; the vulnerability information of each node in the system is built by scanning the system's nodes with prior-art host security scanning software; the attack template knowledge base is built by querying prior-art software vulnerability databases (for example the well-known CVE, BugTraq and X-Force databases), and the exploitability probability value of each vulnerability is built by querying currently published general vulnerability evaluation knowledge bases; the value of parameter K specifies that for each node the K attack paths of highest probability are to be generated: if more than K attack paths attack a node, only the K paths of highest attack success probability are kept; if fewer than K attack paths attack a node, all attack paths are kept and K attack paths are not required to be generated; said host security scanning software is the 360 security suite; said software vulnerability database is one of the CVE database, the BugTraq database and the X-Force database;
Step (2). System initialization; the attack path information set kept by each node is initialized to the empty set, and the attacker's initial position is set;
Step (3). Starting from the attacker's position, query the security vulnerabilities present on the nodes the attacker can directly access, and query the attack template knowledge base to obtain the description information of the relevant vulnerabilities; if the exploitability precondition of a vulnerability is satisfied, the vulnerability information is put into the available-vulnerability table; the exploitability cumulative probability value of a vulnerability, computed from the attacker's starting point, is obtained by multiplying together the exploitability probability values of every vulnerability on the exploitation path from the attacker; the available-vulnerability table is a max-priority queue keyed on the vulnerability exploitability cumulative probability value, i.e. the vulnerability with the largest cumulative probability value is at the front of the priority queue;
Step (4). If the available-vulnerability table is empty, go to step (5); otherwise take out the vulnerability record with the largest cumulative probability value from the available-vulnerability table and remove it from the table, and judge whether the number of attack path entries already present on the node where the vulnerability is located has reached K; if it has reached K, the information of this exploitation need not be kept, and execution returns to the start of step (4); if the number of attack path entries already present on that node is less than K, take out the exploitation consequence information of the vulnerability, write the information of this exploitation into the node's attack path information set, then update the attacker's access rights on the node according to the exploitation consequence, and finally take the node as the attacker's current position and go to step (3);
Each said attack path is a five-tuple comprising the vulnerability number, the node where the vulnerability is located, the exploitation path from the attacker, the exploitability cumulative probability value from the attacker, and the exploitation consequence information;
Step (5). The available-vulnerability table is empty; output the computation result; the first K attack paths attacking each node have already been written into each node's attack path information set, so they can be output directly.
2. The network security analysis method for solving a K maximum-probability attack graph according to claim 1, characterized in that: said step (1) requires the value of parameter K to be input; the value of parameter K specifies that for each node the K attack paths of highest probability are to be generated; if more than K attack paths attack a node, only the K paths of highest attack success probability are kept; if fewer than K attack paths attack a node, all attack paths are kept and K attack paths are not required to be generated.
3. The network security analysis method for solving a K maximum-probability attack graph according to claim 1, characterized in that: said step (1) requires the exploitability probability value of each vulnerability in the system to be input.
4. The network security analysis method for solving a K maximum-probability attack graph according to claim 1, characterized in that: the description information of the relevant vulnerabilities in step (3) comprises the vulnerability exploitability precondition, the vulnerability exploitability probability value and the vulnerability exploitation consequence information; said vulnerability information is a four-tuple comprising the vulnerability number, the node where the vulnerability is located, the exploitation path from the attacker, and the exploitability cumulative probability value from the attacker.
5. The network security analysis method for solving a K maximum-probability attack graph according to claim 1, characterized in that: said step (3) stores the available-vulnerability table using a max-priority-queue data structure keyed on the vulnerability exploitability cumulative probability value.
6. The network security analysis method for solving a K maximum-probability attack graph according to claim 1, characterized in that: said step (4) performs vulnerability exploitation by taking out the vulnerability record with the largest cumulative probability value from the available-vulnerability table.
7. The network security analysis method for solving a K maximum-probability attack graph according to claim 1, characterized in that: said step (4), when performing vulnerability exploitation, judges whether the number of attack path entries already present on the node where the vulnerability is located has reached K; if it has reached K, the information of this exploitation is not kept; if the number of attack path entries already present on that node is less than K, the exploitation consequence information of the vulnerability is taken out and the information of this exploitation is written into the node's attack path information set; each attack path is a five-tuple comprising the vulnerability number, the node where the vulnerability is located, the exploitation path from the attacker, the exploitability cumulative probability value from the attacker, and the exploitation consequence information.
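The procedure of claim 1, steps (1) to (5), re-implemented as runnable code and driven by the worked example of steps (10) to (24) above. This is added example code, not the patent's own: the access relation and the probabilities of V1, V3, V4, V5, V6 and V9 are assumptions chosen so that the cumulative values reproduce the page's trace, while V2, V7 and V8 use the values the page states; the max-priority queue is Python's heapq with negated keys.

```python
import heapq
from dataclasses import dataclass


@dataclass(frozen=True)
class Vuln:
    """One row of the attack template knowledge base (the page's Fig. 4 analogue)."""
    vid: str                 # vulnerability number, e.g. "V7"
    node: str                # node on which the vulnerability exists
    precondition: frozenset  # attacker positions from which it is exploitable
    prob: float              # exploitability (attack success) probability
    consequence: str = "control authority"  # the page uses a single consequence type


@dataclass
class AttackPath:
    """The five-tuple attack path record stored at a node (claims 1 and 7)."""
    vid: str
    node: str
    path: str        # e.g. "AB(V1)C(V4)E(V7)", the page's path notation
    cum_prob: float  # cumulative probability of success (CPS) from the attacker
    consequence: str


def k_max_probability_paths(access, vulns, start, k):
    """Return {node: [AttackPath, ...]} with at most k paths per node, in
    decreasing order of cumulative probability. `access` maps a node to the
    set of nodes it can directly reach (the access relation, Fig. 2/3)."""
    paths = {}  # attack path information set of each node, empty at start (step 2)
    heap = []   # available-vulnerability table as a max-priority queue (step 3)
    seq = 0     # insertion counter: unique tie-breaker so heapq never compares payloads

    def expand(position, path_prefix, cum):
        """Step (3): from the attacker's position, queue every vulnerability on a
        directly reachable node whose precondition holds, keyed on its CPS."""
        nonlocal seq
        for target in sorted(access.get(position, ())):
            for v in vulns:
                if v.node == target and position in v.precondition:
                    record = (v.vid, v.node, f"{path_prefix}{target}({v.vid})",
                              cum * v.prob, v.consequence)
                    heapq.heappush(heap, (-record[3], seq, record))  # negate: max-queue
                    seq += 1

    expand(start, start, 1.0)
    while heap:  # step (4): loop until the available-vulnerability table is empty
        _, _, (vid, node, path, cum, cons) = heapq.heappop(heap)
        kept = paths.setdefault(node, [])
        if len(kept) >= k:
            # K paths already stored for this node. Pops come out in decreasing
            # CPS order, so every stored path is at least as probable and has the
            # same consequence; this exploitation is discarded (steps 14, 19, 22).
            continue
        kept.append(AttackPath(vid, node, path, cum, cons))
        expand(node, path, cum)  # the node becomes the attacker's new position
    return paths  # step (5): every node's list is already the answer


# Constructed sample input. V2, V7 and V8 carry the probabilities the worked
# example states; the other probabilities are assumptions chosen so that the
# cumulative values (0.56, 0.36, 0.24, 0.09, ...) match the page's trace.
ACCESS = {"A": {"B", "C", "D"}, "B": {"C"}, "C": {"E"},
          "D": {"C", "E", "F"}, "E": {"F"}, "F": set()}
VULNS = [
    Vuln("V1", "B", frozenset({"A"}), 0.8),   # assumed
    Vuln("V2", "C", frozenset({"A"}), 0.4),   # from the page
    Vuln("V3", "D", frozenset({"A"}), 0.6),   # assumed
    Vuln("V4", "C", frozenset({"B"}), 0.7),   # assumed: 0.8*0.7 = 0.56
    Vuln("V5", "C", frozenset({"D"}), 0.6),   # assumed: 0.6*0.6 = 0.36
    Vuln("V6", "E", frozenset({"D"}), 0.4),   # assumed: 0.6*0.4 = 0.24
    Vuln("V7", "E", frozenset({"C"}), 0.7),   # from the page
    Vuln("V8", "F", frozenset({"E"}), 0.7),   # from the page
    Vuln("V9", "F", frozenset({"D"}), 0.15),  # assumed: 0.6*0.15 = 0.09
]


def solve_example(k=2):
    """Run the algorithm on the constructed sample from attacker position A."""
    return k_max_probability_paths(ACCESS, VULNS, "A", k)


if __name__ == "__main__":
    for node, recs in sorted(solve_example().items()):
        for r in recs:
            print(f"{node}: {r.path}  CPS={r.cum_prob:.4f}  ({r.consequence})")
```

With K=2 the output matches Fig. 17 as described in step (23): one path each for B and D, and the two highest-CPS paths for C, E and F, with the V5, V6 and V9 exploitations discarded.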
CN201210224533.9A 2012-06-29 2012-06-29 Network security analytical method for solving K maximum probability attack graph Active CN102724210B (en)
Publications (2)

Publication Number Publication Date
CN102724210A true CN102724210A (en) 2012-10-10
CN102724210B CN102724210B (en) 2015-02-11