CN102724210B - Network security analytical method for solving K maximum probability attack graph - Google Patents

Publication number: CN102724210B (application CN201210224533.9A; other version CN102724210A)
Authority: CN (China)
Prior art keywords: node, vulnerability, attack, attacker, information
Legal status: Active
Inventors: 毕坤, 韩德志
Assignee: Shanghai Maritime University
Other languages: Chinese (zh)
Abstract

The invention discloses a network security analysis method for solving the K maximum probability attack graph. The method comprises: step (1) inputting the system information and the value of the parameter K; step (2) initialising the system; step (3) collecting the vulnerabilities the attacker can currently exploit; step (4) checking whether the available-vulnerability table is empty and, if so, proceeding to step (5); otherwise taking the vulnerability at the head of the available-vulnerability table, exploiting it if the number of attack paths already stored at its node is smaller than K (updating the exploitation information and the attacker's position, then returning to step (3)), and otherwise returning to the start of step (4); and step (5) outputting the K highest-probability attack paths for every attacked node and ending. By storing and accumulating the K highest-probability attack paths at each node, the method solves the problem of finding the K highest-probability attack paths to each attacked node.

Description

A network security analysis method for solving the K maximum probability attack graph
Technical field
The present invention relates to a network security analysis method, in particular to a network security analysis method for solving the K maximum probability attack graph.
Background technology
Providing network services is one of a company's central security concerns. Hacking incidents are on the rise, and the service outages or data leakage they cause inflict incalculable losses on enterprises and individual users. Host-based and network-based security scanning are both mature: they find the vulnerabilities present on a given computer and can point to the patches that fix them. What these scanners lack is any analysis of the security relationships between the vulnerabilities inside a system, while attackers have moved from single-step attacks that exploit one vulnerability to multi-step cascading attacks that chain several vulnerabilities to raise their illegitimate privileges step by step. In a multi-step cascade, an attacker may exploit several different software vulnerabilities inside computer A to escalate privileges there, or may exploit a remote vulnerability on computer B to launch an attack from A against B, gaining unauthorised access on B or crashing B's services. Effectively analysing the multi-step cascading attacks that exist in a given network is therefore of great importance for assessing that network's security, and it also provides valuable guidance for network defence and vulnerability remediation.
In the prior art, P. Ammann, D. Wijesekera and S. Kaushik, "Scalable, Graph-Based Network Vulnerability Analysis", Proceedings of the 9th ACM Conference on Computer and Communications Security, 2002, pp. 217-224, building on C. Phillips and L. P. Swiler, "A graph-based system for network-vulnerability analysis", Proceedings of the 1998 Workshop on New Security Paradigms, pp. 71-79, proposed the "monotonicity" assumption: an attacker's behaviour normally gains ever more privilege, i.e. the attacker's capability only grows. This assumption greatly shrinks the attack-graph state space while still describing most security-relevant system states, and reduces the complexity of computing the attack graph from exponential to polynomial, so attack-graph algorithms can analyse larger networks. The method computes the multi-step cascading attacks present in a network, but it has two problems: 1. the attack graph it builds contains every multi-step attack path in the network, so when the number of network nodes (hosts, servers, routers) is large, the number of attack paths in the generated graph is large too, which makes the graph complex and hard to understand and increases the cost of generating it; 2. the generated attack graph does not consider how difficult each vulnerability is to exploit, so although it gives the attack steps for reaching each network node, it cannot directly compute the probability of successfully attacking each node.
Also in the prior art, Li Kai et al., "Network Security Evaluation Algorithm Based on Access Level Vectors", Proceedings of the 9th International Conference for Young Computer Scientists, 2008, pp. 1538-1544, take into account that the vulnerabilities in a system have different exploitability probabilities and use the fact that a product of probabilities is monotonically non-increasing to propose a method that computes the maximum-probability attack path to each node in the network. This method does not need to generate the complete attack graph in order to compute the maximum-probability attack path for each node, but it still has a limitation: it generates only the single maximum-probability attack path to each node, whereas a network security administrator usually needs to know the K highest-probability attack paths to each node (K is a positive integer that the administrator can set as needed; with K=1 it is the maximum-probability attack path). Solving for the K maximum-probability attack paths gives a better understanding of the vulnerabilities present in the system, helps evaluate the system's security, and provides a reference for vulnerability remediation.
Summary of the invention
To overcome the defects of the prior art described above, the present invention provides a network security analysis method for solving the K maximum probability attack graph. For any node in the system, the method finds the K highest-probability attack paths to that node; the value of the parameter K can be set by the network security administrator.
To achieve this, the technical scheme of the present invention is as follows.
The concrete method of the present invention is:
Step (1). Input the system information. The input data of the method are the initial vulnerability information of each node in the system, the attack template knowledge base, the connectivity relation between the nodes of the system, and the value of the parameter K. The initial vulnerability information of each node is built by scanning the system nodes with existing host security scanning software; the attack template knowledge base is built by querying existing software vulnerability databases (for example the well-known CVE, BugTraq and X-Force databases); the exploitability probability value of each vulnerability is obtained by querying the currently published general vulnerability assessment knowledge base. The value of K states that the K highest-probability attack paths are to be generated for each node: if more than K attack paths reach a node, only the K with the highest probability of success are kept; if fewer than K reach a node, all of them are kept and K paths are not required.
The host security scanning software is the 360 security suite.
The software vulnerability database is one of the CVE, BugTraq and X-Force databases.
Step (2). System initialisation. The attack path information set kept by each node is initialised to the empty set, and the attacker's initial position is set.
Step (3). Starting from the attacker's current position, query the vulnerabilities present on the nodes the attacker can directly access and look them up in the attack template knowledge base to obtain their descriptive information. If a vulnerability's exploitability precondition is satisfied, put its information into the available-vulnerability table. The cumulative exploitability probability of a vulnerability from the attacker is the product of the exploitability probabilities of all vulnerabilities on the exploitation path from the attacker to it. The available-vulnerability table is a max priority queue keyed on the cumulative exploitability probability, i.e. the vulnerability with the largest cumulative probability sits at the front of the queue.
Step (4). If the available-vulnerability table is empty, go to step (5). Otherwise, take the vulnerability with the largest cumulative probability out of the available-vulnerability table, remove it from the table, and check whether the number of attack paths already stored at the node where this vulnerability lies has reached K. If it has, the information of this exploitation need not be kept; go back to the start of step (4). If fewer than K attack paths are stored at that node, fetch the exploitation consequence of the vulnerability, write the exploitation information into the node's attack path information set, update the attacker's access rights on the node according to the exploitation consequence, set this node as the attacker's current position, and go to step (3).
Each attack path is a five-tuple: the vulnerability number, the node where the vulnerability lies, the exploitation path from the attacker, the cumulative exploitability probability from the attacker, and the exploitation consequence information.
Step (5). The available-vulnerability table is empty; output the result. The K highest-probability attack paths to each node have already been written into each node's attack path information set, so they can be output directly.
Further, step (1) requires the value of the parameter K to be input. The value of K states that the K highest-probability attack paths are to be generated for each node: if more than K attack paths reach a node, only the K with the highest probability of success are kept; if fewer than K reach a node, all of them are kept and K paths are not required.
Further, step (1) requires the exploitability probability value of each vulnerability in the system to be input.
Further, the descriptive information of a vulnerability in step (3) comprises its exploitability precondition, its exploitability probability value and its exploitation consequence information. The vulnerability information is a four-tuple comprising the vulnerability number, the node where the vulnerability lies, the exploitation path from the attacker, and the cumulative exploitability probability from the attacker.
Further, step (3) stores the available-vulnerability table in a max priority queue keyed on the cumulative exploitability probability.
Further, step (4) takes the vulnerability with the largest cumulative probability out of the available-vulnerability table and exploits it.
Further, when exploiting a vulnerability in step (4), the method checks whether the number of attack paths already stored at the node where the vulnerability lies has reached K; if it has, the information of this exploitation is not kept. If fewer than K attack paths are stored at that node, the exploitation consequence of the vulnerability is fetched and the exploitation information is written into the node's attack path information set. Each attack path is a five-tuple: the vulnerability number, the node where the vulnerability lies, the exploitation path from the attacker, the cumulative exploitability probability from the attacker, and the exploitation consequence information.
With the network security analysis method for solving the K maximum probability attack graph described above, storing at each node the K attack paths with the largest cumulative probability solves the problem of the K highest-probability attack paths to each node, and hence solves the K maximum probability attack graph; the value of K can be set freely. Because attack cost values distinguish the risk of the various multi-step cascading attack paths more accurately, the K highest-probability attack paths to each node give the network security administrator much richer guidance than a single maximum-probability attack path. There is no need to first build the complete system attack graph and then select the K highest-probability paths from it using the exploitability probabilities of its vulnerabilities: the K highest-probability paths to each node in the system are obtained progressively while the attack graph is built dynamically.
Brief description of the drawings:
Fig. 1 is the flowchart of the method of the invention.
Fig. 2 is the network topology diagram.
Fig. 3 is the node access relation diagram.
Fig. 4 shows the initial vulnerability information of each node and the attack template knowledge base information.
Figs. 5 to 16 are available-vulnerability tables one to twelve.
Fig. 17 is the summary table of the K=2 maximum-probability attack paths output for each node.
Embodiment:
To make the technical means, creative features and objectives of the present invention easy to understand, the invention is further explained below with reference to a specific embodiment.
The network topology of the present invention is shown in Fig. 2. Node A represents the attacker; nodes B, C, D, E and F represent the nodes of the given computer network system. A can access nodes B, C and D; likewise, the lines between nodes B, C, D, E and F represent the connectivity between nodes.
The access relation between the nodes of the present invention is shown in Fig. 3. From the second row on, each row lists the set of nodes that one node can access: "√" means direct access is possible and "X" means it is not. For example, the second row shows that the attacker can directly access the attacker itself and nodes B, C and D, but not nodes E and F. The access relation between nodes can be one-directional or bidirectional. In the present invention the access relation is defined as one-directional, but in a concrete implementation it can be defined as one-directional or bidirectional as circumstances require.
The initial vulnerability information of each node and the attack template knowledge base information of the present invention are shown in Fig. 4. The initial vulnerability information comprises the vulnerability number and the node where the vulnerability lies; the attack template knowledge base information comprises the vulnerability number, the access precondition of the vulnerability, the exploitation consequence, and the exploitability probability of the vulnerability. The access precondition states the conditions that must hold before the vulnerability can be exploited; the exploitation consequence is the result the attacker obtains by exploiting it, which in general may be gaining privileges, obtaining data, stopping a computer service, destroying data, and so on. In the present invention the exploitation consequence of every vulnerability is defined as the attacker obtaining control of that node. Once the attacker controls a node, the attacker can continue to attack other nodes from it, which forms a multi-step cascading attack. The main problem the present invention solves is computing, while taking the exploitability probabilities into account, the K highest-probability multi-step cascading attack paths to each node.
As shown in Fig. 1, the concrete steps of the method of the present invention are as follows:
Step (1). Input the system information. The input data of the method are the initial vulnerability information of each node in the system, the attack template knowledge base, the connectivity relation between the nodes, and the value of the parameter K. In the present invention, Fig. 4 already contains the attack template knowledge base information, and the value of K is set to 2.
Step (2). System initialisation. The attack path information set kept by each node is initialised to the empty set, and the attacker's initial position is set to the outside of the system, shown as node A in Fig. 2.
Step (3). Starting from the attacker's current position, query the vulnerabilities present on the nodes the attacker can directly access. The attacker is currently outside the system; from Figs. 2 and 3 the attacker can access nodes B, C and D, and from Fig. 4 the vulnerabilities the attacker can exploit are: vulnerability V1 on node B, with success probability 0.8; vulnerability V2 on node C, with success probability 0.4; and vulnerability V3 on node D, with success probability 0.9. The available vulnerability information is put into the available-vulnerability table. Each vulnerability entry is a four-tuple comprising the vulnerability number, the node where the vulnerability lies, the exploitation path from the attacker, and the cumulative exploitability probability from the attacker. As shown in Fig. 5, the available-vulnerability table is a max priority queue keyed on the cumulative exploitability probability, i.e. the vulnerability with the largest cumulative probability sits at the front. In the present invention the available-vulnerability table is shown sorted by descending cumulative probability; in a practical application, considering the query, insertion and deletion operations involved, a max priority queue data structure is used. Referring to Fig. 5, the format of the "exploitation path from the attacker" field is: attacker, next node, and in brackets the number of the vulnerability exploited on that node. The first record in Fig. 5 is AD(V3), meaning: A is the attacker, the next node is node D, and the vulnerability exploited on node D is V3.
Step (4). Take the vulnerability with the largest cumulative probability out of the available-vulnerability table, remove it from the table, and then use it to update the available-vulnerability table and the node's attack paths. As shown in Fig. 5, the vulnerability with the largest cumulative probability in the current table is V3, with cumulative probability 0.9. V3 is taken out of the table; it lies on node D, and node D currently has 0 attack path records, which is less than K=2, so this vulnerability is exploited to generate an attack path. From Fig. 4 the exploitation consequence of V3 is that the attacker obtains control of node D, so two things are done: (1) an attack path record is added to node D, namely the exploitation path AD(V3) with success probability 0.9; (2) the attacker's current position is set to node D, meaning the attacker can now launch new attacks from node D.
Step (5). Starting from the attacker's current position D, query the vulnerabilities present on the nodes the attacker can directly access. From Figs. 2 and 3 the attacker can access nodes C and F. From Fig. 4 the exploitable vulnerabilities are: (1) vulnerability V5 on node C, with success probability 0.4. The attacker first attacks node D with success probability 0.9 and then attacks node C via D with success probability 0.4, so the cumulative probability of success of attacking node C via D is 0.9*0.4=0.36, which is the cumulative exploitability probability of V5. (2) Vulnerability V9 on node F, with success probability 0.1. The attacker first attacks node D with success probability 0.9 and then attacks node F via D with success probability 0.1, so the cumulative probability of success of attacking node F via D is 0.9*0.1=0.09, which is the cumulative exploitability probability of V9. Both entries are put into the available-vulnerability table: the first is (V5, C, AD(V3)C(V5), 0.36), where the exploitation path AD(V3)C(V5) means that starting from attacker A, V3 on node D is exploited first, and after control of D is obtained, V5 on node C is exploited from D to attack C; vulnerability numbers are wrapped in brackets to distinguish them from node names, and A is the attacker's starting position, so no "(vulnerability number)" follows A. The second entry is (V9, F, AD(V3)F(V9), 0.09). The result of steps (4) and (5) is shown in Fig. 6.
Step (6). Take the vulnerability with the largest cumulative probability out of the available-vulnerability table, remove it from the table, and then use it to update the available-vulnerability table and the node's attack paths. As shown in Fig. 6, the vulnerability with the largest cumulative probability is now V1, with cumulative probability 0.8. V1 lies on node B, which currently has 0 attack path records, less than K=2, so the vulnerability is exploited to generate an attack path. From Fig. 4 the exploitation consequence of V1 is that the attacker obtains control of node B, so: (1) the exploitation path AB(V1), with success probability 0.8, is added to node B's attack path records; (2) the attacker's current position is set to node B.
Step (7). Starting from position B, query the vulnerabilities present on the nodes the attacker can directly access. From Figs. 2 and 3 the attacker can access nodes C and E. From Fig. 4 the exploitable vulnerabilities are: (1) vulnerability V4 on node C, with success probability 0.7; the attacker first attacks B with probability 0.8 and then C via B with probability 0.7, so the cumulative probability of success is 0.8*0.7=0.56, which is the cumulative exploitability probability of V4. (2) Vulnerability V6 on node E, with success probability 0.3; the attacker first attacks B with probability 0.8 and then E via B with probability 0.3, so the cumulative probability of success is 0.8*0.3=0.24, which is the cumulative exploitability probability of V6. Both entries are put into the available-vulnerability table: (V4, C, AB(V1)C(V4), 0.56) and (V6, E, AB(V1)E(V6), 0.24). The result of steps (6) and (7) is shown in Fig. 7.
Step (8). Take the vulnerability with the largest cumulative probability out of the available-vulnerability table and remove it. As shown in Fig. 7, this is now V4, with cumulative probability 0.56. V4 lies on node C, which currently has 0 attack path records, less than K=2, so the vulnerability is exploited. From Fig. 4 the exploitation consequence of V4 is that the attacker obtains control of node C, so: (1) the exploitation path AB(V1)C(V4), with success probability 0.56, is added to node C's attack path records; (2) the attacker's current position is set to node C.
Step (9). Starting from position C, query the vulnerabilities present on the nodes the attacker can directly access. From Figs. 2 and 3 the attacker can access node E. From Fig. 4 the exploitable vulnerability is: (1) vulnerability V7 on node E, with success probability 0.7. The cumulative probability of success of attacking C via B is 0.56, and attacking E via C succeeds with probability 0.7, so the cumulative probability of success of attacking E via B and C is 0.56*0.7=0.392, which is the cumulative exploitability probability of V7. The entry (V7, E, AB(V1)C(V4)E(V7), 0.392) is put into the available-vulnerability table. The result of steps (8) and (9) is shown in Fig. 8.
Step (10). Take the vulnerability with the largest cumulative probability out of the available-vulnerability table and remove it. As shown in Fig. 8, this is now V2, with cumulative probability 0.4. V2 lies on node C, which currently has 1 attack path record, less than K=2, so the vulnerability is exploited. From Fig. 4 the exploitation consequence of V2 is that the attacker obtains control of node C, so: (1) the exploitation path AC(V2), with success probability 0.4, is added to node C's attack path records; (2) the attacker's current position is set to node C.
Step (11). Starting from position C, query the vulnerabilities present on the nodes the attacker can directly access. From Figs. 2 and 3 the attacker can access node E. From Fig. 4 the exploitable vulnerability is: (1) vulnerability V7 on node E, with success probability 0.7. The cumulative probability of success of attacking C directly is 0.4, and attacking E via C succeeds with probability 0.7, so the cumulative probability of success of attacking E via C alone is 0.4*0.7=0.28, which is the cumulative exploitability probability of V7 on this attack path. The entry (V7, E, AC(V2)E(V7), 0.28) is put into the available-vulnerability table. The result of steps (10) and (11) is shown in Fig. 9.
Step (12). Take the vulnerability with the largest cumulative probability out of the available-vulnerability table and remove it. As shown in Fig. 9, this is now V7, with cumulative probability 0.392. V7 lies on node E, which currently has 0 attack path records, less than K=2, so the vulnerability is exploited. From Fig. 4 the exploitation consequence of V7 is that the attacker obtains control of node E, so: (1) the exploitation path AB(V1)C(V4)E(V7), with success probability 0.392, is added to node E's attack path records; (2) the attacker's current position is set to node E.
Step (13). Starting from position E, query the vulnerabilities present on the nodes the attacker can directly access. From Figs. 2 and 3 the attacker can access node F. From Fig. 4 the exploitable vulnerability is: (1) vulnerability V8 on node F, with success probability 0.7. The cumulative probability of success of attacking E via B and C is 0.392, and attacking F via E succeeds with probability 0.7, so the cumulative probability of success of attacking F via B, C and E in turn is 0.392*0.7=0.2744, which is the cumulative exploitability probability of V8 on this attack path. The entry (V8, F, AB(V1)C(V4)E(V7)F(V8), 0.2744) is put into the available-vulnerability table. The result of steps (12) and (13) is shown in Fig. 10.
Step (14). Take the vulnerability with the largest cumulative probability out of the available-vulnerability table and remove it. As shown in Fig. 10, this is now V5, with cumulative probability 0.36. V5 lies on node C, which already has 2 attack path records, equal to K=2: the K attack paths for node C have all been generated, and because the table is popped in descending order, every one of those K paths has a cumulative probability of success at least as large as the current path. From Fig. 4 the exploitation consequence of V5 is that the attacker obtains control of node C, the same consequence as the attack paths already generated for node C, so this attack path need not be kept, and C need not be marked as the attacker's current position either. The result of step (14) is shown in Fig. 11.
Step (15). take out cumulative probability in available leak table and be worth maximum vulnerability information, and this vulnerability information is removed from available leak table, then utilize this vulnerability information to upgrade available leak table, upgrade node attack path.As shown in Figure 11, in current available leak table, cumulative probability is worth maximum leak numbering is V7, and corresponding cumulative probability value is 0.28.The information of V7 leak taken out from available leak table, this leak belongs to node E, and attack path record count corresponding on current node E is 1, is less than the value of parameter K, this K=2, therefore needs utilize this leak thus generate attack path.The vulnerability exploit consequence of inquiring about leak V7 according to Fig. 4 is the control authority that assailant obtains on node E, then need to do two pieces work: (1), add attack path record corresponding to node E, add vulnerability exploit path A C (V2) E (V7) from assailant, success attack probability is 0.28; (2), setting assailant current location be node E, represent assailant current can from node E initiate new attack.
Step (16). from the current residing position E of assailant, the security breaches that the node that inquiry assailant can directly access exists.Composition graphs 2 and Fig. 3 known, assailant can node F in access system.As shown in Figure 4, the leak that assailant can utilize comprises: the leak V8 on (1), node F, and success attack probability is 0.7.The CPS that assailant attacks node E by node C is 0.28, the probability of success of then attacking node F by node E is 0.7, so, the CPS that assailant attacks node F by node C and node E is successively 0.28*0.7=0.196, and namely on this attack path, the availability cumulative probability value of leak V8 is 0.196.An above-mentioned available vulnerability information (V8, F, AC (V2) E (V7) F (V8), 0.196) is put into available leak table.The execution result of step (15) and step (16) as shown in figure 12.
Step (17). take out cumulative probability in available leak table and be worth maximum vulnerability information, and this vulnerability information is removed from available leak table, then utilize this vulnerability information to upgrade available leak table, upgrade node attack path.As shown in Figure 12, in current available leak table, cumulative probability is worth maximum leak numbering is V8, and corresponding cumulative probability value is 0.2744.The information of V8 leak taken out from available leak table, this leak belongs to node F, and attack path record count corresponding on current node F is 0, is less than the value of parameter K, this K=2, therefore needs utilize this leak thus generate attack path.The vulnerability exploit consequence of inquiring about leak V8 according to Fig. 4 is the control authority that assailant obtains on node F, then need to do two pieces work: (1), add attack path record corresponding to node F, add vulnerability exploit path A B (V1) C (V4) E (V7) F (V8) from assailant, success attack probability is 0.2744; (2), setting assailant current location be node F, represent assailant current can from node F initiate new attack.
Step (18). from the current residing position F of assailant, the security breaches that the node that inquiry assailant can directly access exists.Composition graphs 2 and Fig. 3 known, assailant can not from node F initiate new attack, therefore also without the need to upgrading available leak table.The execution result of step (17) and step (18) as shown in figure 13.
Step (19). take out cumulative probability in available leak table and be worth maximum vulnerability information, and this vulnerability information is removed from available leak table, then utilize this vulnerability information to upgrade available leak table, upgrade node attack path.As shown in Figure 13, in current available leak table, cumulative probability is worth maximum leak numbering is V6, and corresponding cumulative probability value is 0.24.The information of V6 leak is taken out from available leak table, this leak belongs to node E, and attack path record count corresponding on current node E is 2, equal the value of parameter K, this K=2, illustrate that the K bar attack path for node E generates, and the CPS value of this K bar attack path is all greater than current attack path, and be the control authority that assailant obtains on node E according to the vulnerability exploit consequence that Fig. 4 inquires about leak V6, identical with the attack consequence of the attack path generated for node E, so, this attack path does not need to retain, current location E being labeled as assailant is not needed yet.The execution result of step (19) as shown in figure 14.
Step (20). take out cumulative probability in available leak table and be worth maximum vulnerability information, and this vulnerability information is removed from available leak table, then utilize this vulnerability information to upgrade available leak table, upgrade node attack path.As shown in Figure 14, in current available leak table, cumulative probability is worth maximum leak numbering is V8, and corresponding cumulative probability value is 0.196.The information of V8 leak taken out from available leak table, this leak belongs to node F, and attack path record count corresponding on current node F is 1, is less than the value of parameter K, this K=2, therefore needs utilize this leak thus generate attack path.The vulnerability exploit consequence of inquiring about leak V8 according to Fig. 4 is the control authority that assailant obtains on node F, then need to do two pieces work: (1), add attack path record corresponding to node F, add vulnerability exploit path A C (V2) E (V7) F (V8) from assailant, success attack probability is 0.196; (2), setting assailant current location be node F, represent assailant current can from node F initiate new attack.
Step (21). from the current residing position F of assailant, the security breaches that the node that inquiry assailant can directly access exists.Composition graphs 2 and Fig. 3 known, assailant can not from node F initiate new attack, therefore also without the need to upgrading available leak table.The execution result of step (20) and step (21) as shown in figure 15.
Step (22). take out cumulative probability in available leak table and be worth maximum vulnerability information, and this vulnerability information is removed from available leak table, then utilize this vulnerability information to upgrade available leak table, upgrade node attack path.As shown in Figure 15, in current available leak table, cumulative probability is worth maximum leak numbering is V9, and corresponding cumulative probability value is 0.09.The information of V9 leak is taken out from available leak table, this leak belongs to node F, and attack path record count corresponding on current node F is 2, equal the value of parameter K, this K=2, illustrate that the K bar attack path for node F generates, and the CPS value of this K bar attack path is all greater than current attack path, and be the control authority that assailant obtains on node F according to the vulnerability exploit consequence that Fig. 4 inquires about leak V9, identical with the attack consequence of the attack path generated for node F, so, this attack path does not need to retain, current location F being labeled as assailant is not needed yet.The execution result of step (22) as shown in figure 16.
Step (23). current available leak table has been empty, and as shown in Figure 1, now the K maximum probability attack path of each node generates, and exports the K of each node, and this K=2 maximum probability attack path is summarized in Figure 17.As can be seen from Figure 17, node B and node D respectively generates an attack path respectively, this is determined by the input of the implementation case, that is, for the K maximum probability attack path problem solving each node, if the Actual path entry sum attacking certain node is less than K bar, is also correct; Node C, node E and node F generate two different maximum probability attack paths respectively, as can be seen from step above, in fact the total number can attacking the attack path of node C, node E or node F is greater than two, value due to input parameter K is 2, so algorithm saves two paths of maximum probability.
Step (24). algorithm end of run.
In the present invention the access relation between nodes is defined as unidirectional; in a concrete implementation it may be defined as unidirectional or bidirectional as circumstances require. The attack consequence of every vulnerability is defined as the attacker obtaining control of the node; in a concrete implementation the attack consequence may be subdivided as circumstances require, for example into obtaining read permission, obtaining write permission, obtaining execute permission, reading system data, and stopping a service, and then the corresponding K maximum-probability attack paths can be generated for each subdivided attack consequence. In the explanation of the concrete implementation steps the available vulnerability table is sorted in descending order of cumulative probability value; in practical application, considering the query, insert and delete operations on the data, a max-priority-queue data structure is used to improve the running efficiency of the algorithm.
The above shows and describes the basic principles, main features and advantages of the present invention. Those skilled in the art should understand that the present invention is not limited to the embodiments described above; the embodiments and the specification merely illustrate the principles of the invention, and various changes and modifications can be made without departing from its spirit and scope, all of which fall within the claimed scope of the invention. The scope of protection claimed is defined by the appended claims and their equivalents.

Claims (1)

1. A network security analysis method for solving a K maximum-probability attack graph, characterized in that the concrete procedure of the method is:
Step (1). Input system information: the initial information on the vulnerabilities present on each node of the system, the attack template knowledge base information, the access relation between the nodes of the system and the value of parameter K are used as the input data of the method. The initial vulnerability information of each node of the system is built by scanning the system nodes with a host security scanning tool of the prior art; the attack template knowledge base is built by querying a software vulnerability database of the prior art; the exploitability probability value of each vulnerability is built by querying the currently published general vulnerability assessment knowledge base. The value of parameter K indicates that the K attack paths of highest probability are to be generated for each node: if more than K attack paths attack a node, only the K paths with the highest attack success probability are retained; if fewer than K attack paths attack a node, all of them are retained and K attack paths are not required. The host security scanning tool is 360 Security bundle; the software vulnerability database is one of the CVE database, the BugTraq database and the X-Force database;
Step (2). System initialization: the attack path information set kept by each node is initialized to the empty set, and the initial position of the attacker is set;
Step (3). From the position of the attacker, query the security vulnerabilities present on the nodes the attacker can directly access, and query the attack template knowledge base to obtain the description information of the relevant vulnerabilities; if the exploitability precondition of a vulnerability is satisfied, its vulnerability information is put into the available vulnerability table. The cumulative exploitability probability value of a vulnerability from the attacker is computed by multiplying together the exploitability probability values of all vulnerabilities on the exploit path from the attacker. The available vulnerability table is a max-priority queue keyed on the cumulative exploitability probability value, i.e. the vulnerability with the largest cumulative probability value is at the front of the queue. The description information of a vulnerability comprises its exploitability precondition, its exploitability probability value and its exploit consequence information. The vulnerability information is a four-tuple comprising the vulnerability number, the node where the vulnerability is located, the exploit path from the attacker and the cumulative exploitability probability value from the attacker;
Step (4). If the available vulnerability table is empty, go to step (5); otherwise, take the vulnerability information with the largest cumulative probability value out of the available vulnerability table, remove it from the table, and judge whether the number of attack paths already present on the node where the vulnerability is located has reached K. If it has reached K, the exploit information is not retained, and execution returns to the start of step (4). If the number of attack paths already present on that node is less than K, the exploit consequence information of the vulnerability is taken out, the exploit information is written into the attack path information set of the node, the access rights of the attacker on the node are updated according to the exploit consequence, and finally the node is taken as the attacker's current position and execution goes to step (3). Every attack path is a five-tuple comprising the vulnerability number, the node where the vulnerability is located, the exploit path from the attacker, the cumulative exploitability probability value from the attacker and the exploit consequence information;
Step (5). The available vulnerability table is empty; output the computation result. The K highest-probability attack paths attacking each node have already been written into the attack path information set of that node, so they can be output directly.
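The procedure of claim steps (1) to (5), run on a small exploit graph, as an added Python example that is not part of the patent and is not code from the applicant. The graph below is constructed, since Figs. 2 to 4 are not reproduced on this page: the exploitability probabilities of V2 (0.4), V7 (0.7) and V8 (0.7) and the cumulative values 0.392, 0.36, 0.28, 0.2744, 0.24, 0.196 and 0.09 are the ones quoted in steps (11) to (22) of the embodiment, while the topology and the probabilities of V1, V3, V4, V5, V6 and V9 are assumptions chosen so that the run reproduces those quoted values. The available vulnerability table is the max-priority queue of step (3); the guard that refuses to revisit a node already on the path is an added assumption for graphs that contain cycles.

```python
import heapq
from collections import defaultdict
from itertools import count

# Constructed exploit graph (an assumption, not the patent's Figures 2-4).
# Each entry is (source node, target node, vulnerability id, success probability):
# an attacker controlling `source` can exploit `vuln` on `target`.
# V2, V7 and V8 carry the probabilities quoted in steps (11)-(22); the rest are assumed.
EXPLOIT_GRAPH = [
    ("A", "B", "V1", 0.8),
    ("A", "C", "V2", 0.4),
    ("A", "D", "V3", 0.6),
    ("B", "C", "V4", 0.7),
    ("D", "C", "V5", 0.6),
    ("C", "E", "V7", 0.7),
    ("D", "E", "V6", 0.4),
    ("E", "F", "V8", 0.7),
    ("D", "F", "V9", 0.15),
]


def render(path):
    """Render (('A', None), ('B', 'V1'), ('C', 'V4')) as 'A B(V1) C(V4)'."""
    return " ".join(node if vuln is None else f"{node}({vuln})" for node, vuln in path)


def k_max_probability_paths(edges, start, k):
    """Return, for every node reached, up to k attack paths of highest cumulative
    success probability. Each record is the claim's five-tuple
    (vuln id, node, exploit path, cumulative probability, exploit consequence)."""
    # Step (1)/(2): index exploits by source node; every node starts with no paths.
    exploits = defaultdict(list)
    for src, dst, vuln, prob in edges:
        exploits[src].append((dst, vuln, prob))
    paths = defaultdict(list)
    # Available vulnerability table: max-priority queue keyed on cumulative probability
    # (heapq is a min-heap, so the key is negated; the counter breaks ties deterministically).
    queue = []
    tick = count()

    def expand(path, cps):
        # Step (3): from the attacker's position push every directly exploitable
        # vulnerability as a four-tuple (vuln, node, path, cumulative probability).
        position = path[-1][0]
        on_path = {node for node, _ in path}
        for dst, vuln, prob in exploits[position]:
            if dst in on_path:  # assumption: keep paths simple if the graph has cycles
                continue
            heapq.heappush(queue, (-(cps * prob), next(tick), vuln, dst, path + ((dst, vuln),)))

    expand(((start, None),), 1.0)
    # Step (4): repeatedly take the entry with the largest cumulative probability.
    while queue:
        neg_cps, _, vuln, node, path = heapq.heappop(queue)
        if len(paths[node]) >= k:
            # The node already holds k paths of higher probability: discard the entry
            # and do not move the attacker there (steps (14), (19), (22) of the embodiment).
            continue
        cps = -neg_cps
        # Exploit consequence is "control" for every vulnerability, as the patent defines it.
        paths[node].append((vuln, node, render(path), cps, "control"))
        expand(path, cps)
    # Step (5): the table is empty; the per-node sets are the result.
    return dict(paths)


def summarize(paths):
    """Per node, the (path, probability) pairs rounded for display and comparison."""
    return {node: [(rec[2], round(rec[3], 4)) for rec in recs] for node, recs in sorted(paths.items())}


if __name__ == "__main__":
    for node, recs in summarize(k_max_probability_paths(EXPLOIT_GRAPH, "A", 2)).items():
        print(node, recs)
```

Running it with K=2 reproduces the output of step (23): B and D get one path each (0.8 and 0.6), C gets A B(V1) C(V4) at 0.56 and A C(V2) at 0.4, E gets 0.392 and 0.28, and F gets 0.2744 and 0.196, while the V5, V6 and V9 entries are popped and discarded. The reason the first K entries popped for a node are its K best is that every pushed key is the parent's key multiplied by a probability in (0, 1], so keys leave the queue in non-increasing order; this is the same monotonicity Dijkstra's algorithm relies on, and it is why an entry arriving after a node already holds K paths can be dropped without a comparison.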
Application CN201210224533.9A, priority and filing date 2012-06-29: Network security analytical method for solving K maximum probability attack graph. Status: Active. Publication CN102724210B (en).


Publications (2)

Publication Number Publication Date
CN102724210A CN102724210A (en) 2012-10-10
CN102724210B true CN102724210B (en) 2015-02-11
