CN103368976B - Network security evaluation device based on attack graph adjacent matrix - Google Patents


Publication number: CN103368976B
Authority: CN (China)
Prior art keywords: network, host, matrix, attack, attack graph
Legal status: Active (granted; as listed by Google Patents, not a legal conclusion)
Application number: CN201310329096.1A
Other languages: Chinese (zh)
Other versions: CN103368976A (application publication)
Inventors: 张小松, 牛伟纳, 陈瑞东, 王东, 陈厅, 张建松, 江威, 李建彬
Current assignee: University of Electronic Science and Technology of China
Original assignee: University of Electronic Science and Technology of China

Abstract

The invention provides a network security assessment device based on an attack graph adjacency matrix. It comprises an information collection device, an atomic attack graph generation device, a matrix computation device, a network security analysis device and a result presentation device. The information collection device collects all information in the network; the atomic attack graph generation device generates the initial atomic attack graph between host pairs that the subsequent network security analysis needs; the matrix computation device converts the generated atomic attack graph into the corresponding adjacency matrix and, for a configured number of iterations, computes the corresponding iterative matrix of that adjacency matrix; the network security analysis device derives the critical hosts, critical paths and related information from the final iterative matrix; the result presentation device visually displays the critical hosts and critical paths found together with a network vulnerability index. The device is efficient and suited to large-scale, high-speed networks; it improves the timeliness of assessing a target network; its assessment is accurate and identifies critical paths and critical hosts precisely; and its high degree of visualization makes it convenient for administrators to inspect, analyze and maintain the network.

Description

A network security assessment device based on an attack graph adjacency matrix
Technical field
The present invention proposes a network security assessment device based on an attack graph adjacency matrix and belongs to the field of computer network security technology.
Background technology
With the spread of informatization, the number of Internet users in China keeps rising. According to the 31st Statistical Report on Internet Development in China, issued by the China Internet Network Information Center (CNNIC) in January 2013, China had 564 million Internet users by the end of December 2012, 26 million more than at the end of June 2012; Internet penetration reached 42.1%, 3.8 percentage points higher than at the end of 2011. As industrialization and network technology keep advancing, computer networks have penetrated every aspect of work, daily life and study and have brought great convenience: shopping, booking train and plane tickets, reserving hotels, reading the latest domestic and foreign news and trading stocks can all be done online. Many state-owned enterprises also run their own portal sites, so computer networks play an ever more important role in civilian, commercial and national-defence settings alike.
Because little thought was given to security when networking began, because the TCP/IP protocol suite itself has defects, and because economic gain drives ever more criminals to attack and sabotage networks and steal sensitive user information, hacker attacks occur again and again and the attackers' techniques grow ever more sophisticated. In 2012 alone more than ten major attacks broke out, including source-code thefts, major hacking incidents, malware outbreaks, information leaks, major vulnerability incidents and operating-system security incidents; victims ranged from well-known domestic e-commerce sites such as JD.com to established companies such as Symantec, Zappos and LinkedIn, and even famous universities such as Cambridge and Harvard were not spared. These attacks are alarming, and network security has become a major bottleneck restricting the long-term development of countries and enterprises, so an accurate analysis and assessment of the security situation helps network administrators improve their defences. Hacker attacks cause heavy losses to individuals, enterprises and nations alike; by one estimate Chinese Internet users alone pay more than 15 billion a year for network attacks, so managing network security has great economic benefit and practical value. The basis of network security management is an accurate assessment of network security: by fully assessing the threats and degree of influence that insecure factors may bring, and by finding the critical hosts and critical attack paths, appropriate measures can be taken to protect computers and networks proactively and so reduce the likelihood of the system being attacked and damaged.
Traditional vulnerability assessment tools simply add up the risk that each independent vulnerability may bring; merely knowing which vulnerabilities exist in a network cannot accurately assess its security state. In a real network, an attacking host that wants to obtain privileges on a target host in order to operate it often has to pass through several intermediate hosts as stepping stones. A network attack graph analyzes network configuration and vulnerability information comprehensively from the attacker's point of view: it not only reveals the vulnerabilities and weaknesses present in the network but also finds the critical attack paths and critical hosts in a complex network, so that security analysts can take targeted measures to improve network security. Researchers at home and abroad have studied this extensively and achieved some results, proposing many attack graph generation models and algorithms. But the attack graphs generated by existing methods suit small networks (fewer than 5 hosts); in large and especially very large networks the graphs these methods generate become so complex and huge that further analysis is impractical. Using an adjacency matrix requires only building a simple atomic attack graph, not enumerating all attack paths, which helps network administrators find the first and second classes of critical hosts in a large network quickly and easily and so maintain security with the right emphasis. Here a first-class critical host is one whose own security strongly affects the security of other hosts in the network, so that once it is compromised many other hosts are likely to be attacked; a second-class critical host is one that many hosts in the network can launch attacks against.
Network security assessment needs strict real-time behaviour and highly visible results, so this patent proposes assessing network security by computing an iterative matrix from the adjacency matrix of the atomic attack graph. It also adopts the monotonicity assumption: an attacker does not launch an attack to obtain a privilege already held, and never re-enters a state already passed through in a sequence of attack states, that is, the graph contains no loops. This reduces the complexity of the attack graph and improves its visualization.
Patents related to the present invention
Searching the State Intellectual Property Office of the People's Republic of China for the keyword "attack graph" finds 4 related patents, and for "network security assessment" finds 2.
A depth-first attack graph generation method (application number: 200710144693.1)
This patent proposes an attack graph generation method based on depth-first search. It first collects all security factors of the current network to form the initial state, then uses a Prolog system to search all network states the attacker may pass through before reaching the target state, then constructs attack paths from the dependencies between the states found, and finally combines the constructed attack paths into a network attack graph. Its advantages are that depth-first search reduces the scale of the attack graph and keeps non-target nodes out of it. The proposal is mainly an attack graph generation algorithm; it merely generates the graph and does not analyze it in depth.
An attack graph generation system oriented to network security alarm correlation (application number: 200810037824.0)
This patent proposes an attack graph generation system for network security alarm correlation consisting of a network initial configuration information module, an OVAL vulnerability scanning report collection module, a network connectivity analysis module, a data structure construction module, a knowledge base and an attack graph generation module. Its advantage is that it is easy to implement as a project, but it only generates the attack graph and does not use it for further analysis and assessment of network security.
An intrusion response method based on attack graphs (application number: 201110181511.4)
This patent builds on the IRAG reference model for intrusion detection and response and chooses protective measures by weighing three kinds of cost: operation, response and loss. It considers only the next step of the attacker's attack, the system's response and the attacker's move, mainly choosing the action of maximum payoff for the system's response and for the attacker, and has little relation to the network security assessment based on an attack graph adjacency matrix proposed here.
A network security analysis method that solves the K most probable attack graphs (application number: 201210224533.9)
This patent stores, for each node, the K attack paths of highest cumulative probability, mainly to solve a problem of network security assessment algorithms based on access-level vectors: they can identify only the single most probable path to each node of the attacked network and cannot generate the K most probable attack paths to a node. It considers only the attack-path problem and does not assess other factors, so its assessment is not comprehensive.
A network security assessment method based on NBA (application number: 200910050505.8)
This patent treats each connection or independent packet in the network as a flow, analyzes the network behavior parameters of every host by recording the attributes of all flows passing through the network, computes the maximum threshold permitted for each host's behavior parameters, and judges the network abnormal when some host's characteristic parameter exceeds its maximum threshold. It is mainly a network security assessment method based on network behavior analysis and has little relation to the assessment method based on an attack graph adjacency matrix proposed here.
A vulnerability scanning system oriented to network security assessment and its processing method (application number: 200910112916.5)
This patent combines a vulnerability scanning system with an intrusion detection system and adds alarm and scheduling functions, so that the system can selectively scan and assess a target network and produce a relatively objective and accurate vulnerability scanning report. When an abnormal condition occurs, the alarm module raises a network alarm and the scheduling module drives the scanning engine module to scan the whole network. It cannot identify important information such as critical paths and critical hosts.
Summary of the invention
The present invention aims to solve the following technical problems:
One, high efficiency, suitable for large-scale and high-speed networks
One design goal of the invention is applicability to large and high-speed networks, so that large computer network security can be analyzed and assessed and further defensive measures taken to keep the network safe; this places very high demands on the efficiency of the proposed assessment method. The method is based on the adjacency matrix of the atomic attack graph: building that graph requires only knowledge of the basic intrusions, not all attack paths computed in advance, so the method is very efficient; the graph built is not complicated, and assessing network security by matrix computation works in large network environments.
Two, more reliable data for analyzing and assessing network security
Another design goal is that the data used to analyze and assess network security be more reliable, so that critical hosts can be found accurately and network administrators can maintain the target network with the right emphasis. The proposed device builds the initial adjacency matrix from a simple attack graph reflecting the basic attack relation between each pair of hosts in the network, and applies a processing function iteratively to it to obtain the final iterative matrix. Critical hosts are usually determined from the experience of network administrators, which is highly subjective and does not necessarily reflect the real state of the network; analyzing the whole network and finding the two classes of critical hosts from the iterative matrix is more accurate and reliable.
Three, high degree of visualization
A third design goal is to display the assessment result visually, so that administrators see clearly which hosts or paths in the network have problems and security staff can maintain and manage the network conveniently. The proposed device presents the final network security assessment visually.
To solve these problems the present invention adopts the following technical scheme:
A network security assessment device based on an attack graph adjacency matrix, characterized by comprising:
Information collection device: collects all information in the network in real time;
Atomic attack graph generation device: generates the initial atomic attack graph between host pairs required for the subsequent network security analysis;
Matrix computation device: first converts the generated atomic attack graph into the corresponding adjacency matrix, then computes the iterative matrix corresponding to that adjacency matrix for a configured number of iterations;
Network security analysis device: obtains the two classes of critical hosts, the critical paths and related information from the final iterative matrix; a path whose maximum probability of being attacked exceeds the set initial threshold is called a critical path;
Result presentation device: dynamically displays the two classes of critical hosts and the critical paths found in the network topology diagram.
In the above scheme the information collection device collects the network topology, routing rules and firewall information of the target network, obtains network device and host configuration information with scanning tools or network management software, and obtains the basic configuration of each host system and the vulnerabilities present on it by scanning the network hosts according to a vulnerability scanning strategy.
In the above scheme the vulnerability scanning strategy is of two kinds, active and passive:
Active vulnerability scanning, which by scanning means is further divided into host-based vulnerability detection and network vulnerability detection;
Host-based vulnerability detection: an agent or service installed on the target host accesses the host's file system, registry, system services and audit information and scans all vulnerabilities completely;
Network vulnerability detection: scans the computer remotely over the network;
Passive vulnerability scanning, based on signature matching: the network traffic of the target host is captured passively and analyzed, then matched against the vulnerability definition rules in a database to judge whether the host system has vulnerabilities.
In the above scheme the atomic attack graph generation device uses the network topology and host vulnerability information obtained by the information collection device, limits the number of attack steps to 1, and generates the initial atomic attack graph between host pairs with a general host attack graph generation algorithm; it then determines the weight of each attack graph state node, that is, the cost of carrying out the attack.
The state node weight can be computed with the PageRank model R(H) = (1 - d)/N + d·(R(H_1)/C(H_1) + ... + R(H_n)/C(H_n)), where N is the number of state nodes in the attack graph, R(H) is the weight of state node H, d is the damping coefficient (usually 0.85), the sum runs over the nodes H_1, ..., H_n that point to H, R(H_i) is the weight of such a node H_i, and C(H_i) is the out-degree (number of outgoing arcs) of H_i. Alternatively the AccessComplexity field value E of the NVD database can be quantized to represent the weight: the weight is 0.35 when E is High, 0.61 when E is Medium, 0.71 when E is Low, and also 0.71 when E is undefined. The CAPEC library can also serve as the basis for the weights, quantizing the five levels Very Low, Low, Medium, High and Very High of the typical likelihood of exploit and the attacker skill and knowledge required attributes of the attack pattern information into values in the interval [0, 1].
In the above scheme the matrix computation device:
converts the atomic attack graph between the generated host pairs into the corresponding adjacency matrix: if an attack graph can be generated between two hosts <H_i, H_j>, the corresponding element of the attack graph adjacency matrix is a_ij = Weight, where H_i, H_j denote host i and host j, i, j = 1, 2, ..., n (n is the total number of hosts in the network), and Weight is the maximum probability of a successful attack from H_i on H_j.
An attacker exploiting a vulnerability to attack a host causes that host an asset loss. The size of the loss depends not only on the vulnerability exploited and the attack launched but also on the importance of the asset, so the loss of a state node is determined by the importance of the host and the danger level of the vulnerability.
Denote the node loss by L(h, v) = C(h) × S(v), where C(h) is the importance of the host, graded according to the services and network functions the host provides so that its value falls in the interval [0, 1], and S(v) is the severity of the harm the vulnerability causes, quantized with the CVSS score so that its value falls in the interval [0, 10].
Let A = (a_ij)_{m×l} and B = (b_ij)_{m×l} be adjacency matrices whose diagonal entries are all 0, and let C be the m×n matrix obtained by combining A and B, whose diagonal entries are likewise all 0, where a_ij and b_ij are the elements of A and B and m, l are the row and column counts of the matrices.
If A = B and m = l, then C is the 2-step iterative matrix of A, and continuing in the same way gives the n-step iterative matrix of A.
In the above scheme the network security analysis device:
finds the critical paths by checking each computed loss iterative matrix for element values greater than the given threshold;
sums the elements of each row of the final iterative matrix, sorts the sums in descending order and picks out the row numbers whose sum exceeds the given threshold, which gives the first class of critical hosts;
sums the elements of each column of the final iterative matrix, sorts the sums in descending order and picks out the column numbers whose sum exceeds the given threshold, which gives the second class of critical hosts;
and at the same time aggregates the host vulnerabilities by weighted averaging to obtain the network vulnerability index value used to judge the security level of the target network.
In the above scheme the result presentation device:
displays the critical hosts and critical paths obtained visually in the network topology diagram, with different colours representing the different network security levels.
The technical scheme of the present invention brings the following beneficial effects:
One, high efficiency, suitable for large-scale and high-speed networks
The assessment method is based on the atomic attack graph between host pairs and does not need to generate all attack paths to build the attack graph, so the attack graph is not complex and the method suits large-scale, high-speed networks.
Two, high assessment accuracy; critical paths and critical hosts are identified accurately
The device builds the initial adjacency matrix from a simple attack graph reflecting the basic attack relation between each pair of hosts in the network and applies a processing function iteratively to it to obtain the final iterative matrix. Critical hosts and critical paths are found by analyzing the matrix rather than relying solely on the experience of network administrators, so the assessment accuracy is high.
Three, real-time and highly visual
The method collects target network information in real time, quickly builds a simple attack graph between host pairs and uses fast matrix computation, which improves the timeliness of the assessment of the target network to a certain extent. The critical hosts and critical paths found are finally displayed dynamically in the network topology diagram, with different colours for the network security levels, so the degree of visualization is high and administrators can inspect, analyze and act conveniently.
Brief description of the drawing
Fig. 1 is the atomic attack graph between simple host pairs according to the invention.
Embodiment
A specific embodiment of the proposed network security assessment device is given below; it applies not only to small networks but equally to large ones.
Embodiment 1 of the invention:
Implementation of the information collection device
The way the hosts in the network are connected can be read from the network topology diagram. Normally a network is divided into several regions separated by firewalls or routers, and the hosts within each region are interconnected. If the topology diagram is not known, route discovery algorithms and related protocols, including DNS, ICMP, SNMP, RIP, OSPF and protocols tied to the operating system and architecture, are used to obtain the routing information of every device in the whole network, and the topology diagram is generated automatically from the information acquired. Network device and host configuration information is obtained with scanning tools or network management software. Because a host must open ports to provide services, it can be attacked remotely, and the host itself also has weaknesses; the vulnerabilities present in the network and its devices must therefore be obtained, which is done by scanning the network and the devices in it according to a vulnerability scanning strategy.
The vulnerability scanning strategy is of two kinds, active and passive. Active scanning is further divided by scanning means into host-based vulnerability detection and network vulnerability detection: host-based detection installs an agent or service on the target host that accesses the host's file system, registry, system services and audit information and scans all vulnerabilities completely, while network vulnerability detection scans the computer remotely over the network. Passive scanning works by signature matching: the target host's network traffic is captured passively and analyzed, then matched against the vulnerability definition rules in a database to judge whether the host system has vulnerabilities.
Implementation of the atomic attack graph generation device
A network contains servers, user hosts, routers, firewalls and other elements; in this patent all such elements that may have security problems are called hosts. The network topology and host vulnerability information obtained by the information collection device are used to generate the initial atomic attack graph, which requires determining the weight, that is, the cost of carrying out the attack. In this invention the attack graph state node weight can be computed with the PageRank model R(H) = (1 - d)/N + d·(R(H_1)/C(H_1) + ... + R(H_n)/C(H_n)), where N is the number of state nodes in the attack graph, R(H) is the weight of state node H, d is the damping coefficient (usually 0.85), the sum runs over the nodes H_1, ..., H_n that point to H, R(H_i) is the weight of such a node H_i, and C(H_i) is the out-degree (number of outgoing arcs) of H_i. Alternatively the AccessComplexity field value E of the NVD database can be quantized to represent the weight: the weight is 0.35 when E is High, 0.61 when E is Medium, 0.71 when E is Low, and also 0.71 when E is undefined. The CAPEC library can also serve as the basis for the weights, quantizing the five levels Very Low, Low, Medium, High and Very High of the typical likelihood of exploit and the attacker skill and knowledge required attributes of the attack pattern information into values in the interval [0, 1].
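The weight determination described in this section and in the summary above, as an added example in Python (not code from the patent): the PageRank recurrence is iterated to a fixed point over a small constructed attack graph, and the two lookup tables the text gives (CVSS v2 AccessComplexity from the NVD field, and the five CAPEC levels) are implemented as functions. The edge list and node names are constructed for the example; the equal spacing used for the CAPEC levels is an assumption, since the text only requires them to land in [0, 1].

```python
# Added example (not code from the patent): state-node weights for an atomic
# attack graph via the PageRank recurrence, plus the NVD/CAPEC weight tables.
from typing import Dict, List, Tuple

# Constructed example graph: edge (u, v) = an atomic attack from state u reaches state v.
# Node names are arbitrary labels chosen for this example.
EXAMPLE_EDGES: List[Tuple[str, str]] = [
    ("web", "app"),
    ("web", "vpn"),
    ("app", "db"),
    ("vpn", "db"),
]


def pagerank_weights(edges: List[Tuple[str, str]], d: float = 0.85,
                     tol: float = 1e-12, max_iter: int = 200) -> Dict[str, float]:
    """R(H) = (1 - d)/N + d * sum(R(H_i)/C(H_i)) over the nodes H_i pointing to H,
    with N the node count and C(H_i) the out-degree of H_i, iterated (Jacobi
    updates) until the largest change falls below tol. A sink node such as the
    final target of an attack graph has no out-arcs and contributes to nobody."""
    nodes = sorted({n for edge in edges for n in edge})
    N = len(nodes)
    out_degree = {n: 0 for n in nodes}
    in_links: Dict[str, List[str]] = {n: [] for n in nodes}
    for u, v in edges:
        out_degree[u] += 1
        in_links[v].append(u)
    rank = {n: 1.0 / N for n in nodes}
    for _ in range(max_iter):
        new_rank = {
            h: (1 - d) / N + d * sum(rank[hi] / out_degree[hi] for hi in in_links[h])
            for h in nodes
        }
        delta = max(abs(new_rank[h] - rank[h]) for h in nodes)
        rank = new_rank
        if delta < tol:
            break
    return rank


# CVSS v2 AccessComplexity (the NVD field the text cites) -> attack-cost weight.
CVSS2_ACCESS_COMPLEXITY = {"HIGH": 0.35, "MEDIUM": 0.61, "LOW": 0.71}


def access_complexity_weight(e: str) -> float:
    """Undefined or unrecognised values map to 0.71, as the text specifies."""
    return CVSS2_ACCESS_COMPLEXITY.get(e.strip().upper(), 0.71)


# The five CAPEC likelihood / skill levels the text names, in ascending order.
CAPEC_LEVELS = ["Very Low", "Low", "Medium", "High", "Very High"]


def capec_level_weight(level: str) -> float:
    """ASSUMPTION: the text only requires the five levels to land in [0, 1];
    equal spacing 0.0, 0.25, 0.5, 0.75, 1.0 is used here as one such mapping."""
    return CAPEC_LEVELS.index(level) / (len(CAPEC_LEVELS) - 1)


if __name__ == "__main__":
    for node, weight in pagerank_weights(EXAMPLE_EDGES).items():
        print(f"{node:>4}: {weight:.6f}")
```

On the constructed graph the node with no in-arcs ("web") settles at (1 - d)/N = 0.0375, the two intermediate nodes share the same weight, and the sink "db" collects the most, which is the ordering a PageRank-style cost model is meant to produce: the deeper a state sits behind other compromised states, the higher its weight.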
Implementation of the matrix computation device
The atomic attack graph between the generated host pairs is converted into the corresponding adjacency matrix: if an attack graph can be generated between two hosts <H_i, H_j>, the corresponding element of the attack graph adjacency matrix is a_ij = Weight, where H_i, H_j denote host i and host j, i, j = 1, 2, ..., n (n is the total number of hosts in the network), and Weight is the maximum probability of a successful attack from H_i on H_j.
An attacker exploiting a vulnerability to attack a host causes that host an asset loss. The size of the loss depends not only on the vulnerability exploited and the attack launched but also on the importance of the asset, so the loss of a state node is determined by the importance of the host and the danger level of the vulnerability. Denote the node loss by L(h, v) = C(h) × S(v), where C(h) is the importance of the host, graded according to the services and network functions the host provides so that its value falls in the interval [0, 1], and S(v) is the severity of the harm the vulnerability causes, quantized with the CVSS score so that its value falls in the interval [0, 10].
Let A = (a_ij)_{m×l} and B = (b_ij)_{m×l} be adjacency matrices whose diagonal entries are all 0, and let C be the m×n matrix obtained by combining A and B, whose diagonal entries are likewise all 0, where a_ij and b_ij are the elements of A and B and m, l are the row and column counts of the matrices. If A = B and m = l, then C is the 2-step iterative matrix of A, and continuing in the same way gives the n-step iterative matrix of A.
In this device the corresponding iterative matrix can then be computed by setting the corresponding number of iterations, so that network security can be assessed below. Suppose the atomic attack graph generated is as shown in Fig. 1, where the value in each node is the importance of the host and, of the pair of numbers on each edge joining two nodes, the first is the probability of a successful attack and the second is the harm caused by exploiting the vulnerability. The corresponding adjacency matrix A is

A = \begin{pmatrix}
0 & 0.6 & 0.3 & 0 & 0 & 0 \\
0 & 0 & 0 & 0.6 & 0.3 & 0 \\
0 & 0 & 0 & 0.7 & 0.3 & 0 \\
0 & 0 & 0 & 0 & 0 & 0.6 \\
0 & 0 & 0 & 0 & 0 & 0.7 \\
0 & 0 & 0 & 0 & 0 & 0
\end{pmatrix}

and the host-loss adjacency matrix B is

B = \begin{pmatrix}
0 & 4.2 & 2.1 & 0 & 0 & 0 \\
0 & 0 & 0 & 4.0 & 2.0 & 0 \\
0 & 0 & 0 & 5.6 & 2.5 & 0 \\
0 & 0 & 0 & 0 & 0 & 7.2 \\
0 & 0 & 0 & 0 & 0 & 8.1 \\
0 & 0 & 0 & 0 & 0 & 0
\end{pmatrix}
Embodiment of the network security assessment device
Critical paths are found by checking, in each computed loss iterative matrix, the element values greater than a given threshold: if an element value in the host-loss adjacency matrix exceeds the threshold, the path formed by one host attacking another through a vulnerability is a critical path. Summing the elements of each row of the finally generated iterative matrix and sorting the sums in descending order, the row numbers whose sums exceed the given threshold are found, giving the key hosts of the first class; summing the elements of each column of the finally generated iterative matrix and sorting the sums in descending order, the column numbers whose sums exceed the given threshold are found, giving the key hosts of the second class. For example, the element values b_46 and b_56 in the host-loss adjacency matrix B are both greater than the initial threshold 0.7 that was set, showing that the atomic attack path in which host 4 exploits a vulnerability to attack host 7 and the atomic attack path in which host 5 exploits a vulnerability to attack host 7 are both critical paths. Suppose the number of iterations set is 1; after summing the elements of each row of adjacency matrix A, the descending order is: row 3 (1.0) > row 2 (0.9) = row 1 (0.9) > row 5 (0.7) > row 4 (0.6) > row 6 (0), where the sums of rows 3, 2 and 1 are all greater than the initial threshold 0.8, so hosts 1, 2 and 3 belong to the first class of key hosts; after summing the elements of each column of adjacency matrix A, the descending order is: column 4 (1.3) = column 6 (1.3) > column 2 (0.6) = column 5 (0.6) > column 3 (0.3) > column 1 (0), where the sums of columns 4 and 6 are both greater than the initial threshold, so hosts 4 and 6 belong to the second class of key hosts. The thresholds can also be adjusted as the environment changes.
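The analysis just described, worked through in code. This is an added example, not code from the patent or its applicant: it takes the matrices A and B printed above, ranks hosts by row and column sums, flags loss edges above a threshold, and applies the weighted-average aggregation for the vulnerability index. Three points are assumptions rather than statements of the page: the k-step iterative matrix is implemented as the ordinary matrix product with the diagonal zeroed (the page does not reproduce its defining expression); the loss threshold is set to 7.0 so that only b_46 and b_56 are flagged, matching the page's example; and the aggregation formula and the importance/severity values passed to it are constructed for illustration.

```python
"""Added example (not code from the patent): adjacency-matrix analysis of the
six-host atomic attack graph whose matrices A and B appear on this page."""
from itertools import product

# A[i][j]: maximum probability of a successful attack from host i+1 to host j+1
# (hosts are numbered 1..6 in the text; Python indices are 0..5). Values copied from the page.
A = [
    [0.0, 0.6, 0.3, 0.0, 0.0, 0.0],
    [0.0, 0.0, 0.0, 0.6, 0.3, 0.0],
    [0.0, 0.0, 0.0, 0.7, 0.3, 0.0],
    [0.0, 0.0, 0.0, 0.0, 0.0, 0.6],
    [0.0, 0.0, 0.0, 0.0, 0.0, 0.7],
    [0.0, 0.0, 0.0, 0.0, 0.0, 0.0],
]
# B[i][j]: host-loss value L(h, v) = C(h) * S(v) for the same edge. Values copied from the page.
B = [
    [0.0, 4.2, 2.1, 0.0, 0.0, 0.0],
    [0.0, 0.0, 0.0, 4.0, 2.0, 0.0],
    [0.0, 0.0, 0.0, 5.6, 2.5, 0.0],
    [0.0, 0.0, 0.0, 0.0, 0.0, 7.2],
    [0.0, 0.0, 0.0, 0.0, 0.0, 8.1],
    [0.0, 0.0, 0.0, 0.0, 0.0, 0.0],
]


def row_sums(m):
    """Sum of each row, rounded so that 0.6 + 0.3 compares equal to 0.9."""
    return [round(sum(r), 6) for r in m]


def col_sums(m):
    """Sum of each column, rounded the same way."""
    return [round(sum(r[j] for r in m), 6) for j in range(len(m[0]))]


def ranked(values):
    """(host_number, value) pairs in descending order of value; ties keep host order."""
    return sorted(((i + 1, v) for i, v in enumerate(values)), key=lambda t: -t[1])


def key_hosts(m, threshold, by_row=True):
    """First-class key hosts (row sums: hosts that launch attacks) or second-class
    key hosts (column sums: hosts that are attacked) whose sums exceed the threshold."""
    sums = row_sums(m) if by_row else col_sums(m)
    return [h for h, v in ranked(sums) if v > threshold]


def critical_paths(loss, threshold):
    """Edges (src, dst) of the loss matrix whose value exceeds the threshold."""
    n = len(loss)
    return [(i + 1, j + 1) for i, j in product(range(n), repeat=2) if loss[i][j] > threshold]


def iterative_matrix(m, steps):
    """k-step iterative matrix.
    ASSUMPTION: the page does not reproduce the defining formula; here it is taken as
    the ordinary matrix product M^k with the diagonal zeroed, which matches the page's
    remark that for A = B the result C is the 2-step iterative matrix of A."""
    n = len(m)
    c = [row[:] for row in m]
    for _ in range(steps - 1):
        nxt = [[round(sum(c[i][k] * m[k][j] for k in range(n)), 6) for j in range(n)]
               for i in range(n)]
        for i in range(n):
            nxt[i][i] = 0.0
        c = nxt
    return c


def vulnerability_index(importance, severity):
    """Network vulnerability index by weighted-average aggregation.
    ASSUMPTION: the page names the method but not the formula; the form used here is
    sum(C(h) * S(h)) / sum(C(h)), with C(h) in [0, 1] and S(h) in [0, 10] as on the page."""
    return sum(c * s for c, s in zip(importance, severity)) / sum(importance)


if __name__ == "__main__":
    print("first-class key hosts :", key_hosts(A, 0.8, by_row=True))    # [3, 1, 2]
    print("second-class key hosts:", key_hosts(A, 0.8, by_row=False))   # [4, 6]
    print("critical paths        :", critical_paths(B, 7.0))             # [(4, 6), (5, 6)]
    print("2-step matrix, row 1  :", iterative_matrix(A, 2)[0])
    # constructed importance C(h) and severity S(h) per host, for the index only
    print("vulnerability index   :", round(vulnerability_index(
        [0.5, 0.6, 0.7, 0.8, 0.9, 1.0], [5.0, 7.0, 6.0, 8.0, 9.0, 10.0]), 3))
```

The second-class key hosts are the ones that many weighted attack edges point at, which is where a defender gets the most benefit from patching; the first-class hosts are the ones whose compromise opens the most onward paths, so they are the ones to segment or monitor first. Note that with the page's stated loss threshold of 0.7 every nonzero edge of B would be flagged; the example uses 7.0 for the loss matrix so that the result matches the two edges the page singles out.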
Use the method for weighted average polymerization to be polymerized main frame fragility simultaneously and try to achieve network vulnerability Index Assessment value to judge the level of security of objective network.
Embodiment of the result presentation device
The key hosts and critical paths found are displayed dynamically in the network topology diagram. If a critical path is a path formed by one host using several hosts as stepping stones to carry out a multi-step attack and penetrate to the destination host, the path must first be found in the topology structure and then dynamically displayed with bold lines. Key hosts of the first and second class are shown in red and yellow respectively in the topology diagram. The vulnerability of the current network is shown as a rectangular block in the upper right corner of the topology diagram, with different colours representing different network states, for example red denoting that the network is currently in a seriously dangerous state and yellow that it is in a dangerous state. At the same time, a trend chart of the whole-network vulnerability index changing over time is generated, together with corresponding log information, so that network administrators can conveniently carry out later checking and analysis work.

Claims (1)

1. A network security assessment device based on an attack graph adjacency matrix, characterized in that it comprises:
Information collection apparatus: collects all information in the network in real time; collects the network topology, routing rules and firewall information of the target network, uses scanning tools or network management software to obtain network device and host configuration information, and uses a vulnerability scanning strategy to scan the network hosts to obtain the basic configuration information of the host system and the vulnerability information present;
Atomic attack graph generation apparatus: generates the initial atomic attack graph between host pairs required for the subsequent analysis of network security; uses the network topology information and host vulnerability information obtained by the information collection apparatus to generate the initial atomic attack graph and to determine the attack graph state node weights, that is, to determine the cost of carrying out an attack;
Matrix computation apparatus: first, converts the generated atomic attack graph into the corresponding adjacency matrix; second, computes the iterative matrix corresponding to the adjacency matrix according to a set number of iterations;
Network security analysis apparatus: obtains key host and critical path information on the basis of the finally generated iterative matrix;
Said vulnerability scanning strategy is divided into two kinds, active and passive,
Active vulnerability scanning strategy: according to the scanning means, further divided into host-based vulnerability detection and network vulnerability detection;
Host-based vulnerability detection: an agent or service is installed on the target host, which accesses the host's file system, registry, system services and audit information and scans all vulnerabilities completely;
Network vulnerability detection: mainly scans computers remotely over the network;
Passive vulnerability scanning strategy: based on the feature matching principle: passively captures the target host's network data flow and analyses it, then matches it against the vulnerability definition rules in the database to judge whether the host system has vulnerabilities;
The generated atomic attack graph between host pairs is converted into the corresponding adjacency matrix: if an attack graph can be generated between two hosts <Hi, Hj>, the corresponding attack graph adjacency matrix element is aij = Weight; where Hi, Hj denote host i and host j, i, j = 1, 2, ..., n, n is the total number of hosts in the network, and Weight is the weight denoting the maximum probability of a successful attack from Hi to Hj;
L(h, v) denotes the node loss, L(h, v) = C(h) * S(v), where C(h) denotes the importance of the host, quantized by dividing hosts into different grades according to the services and network functions they provide, so that its range falls in the interval [0, 1]; S(v) denotes the severity of the harm caused by the vulnerability, quantized using the CVSS score so that its range falls in the interval [0, 10];
Matrix computation apparatus:
Adjacency matrices A = (aij)m×l and B = (bij)m×l both have all diagonal entries 0; C is an m×n matrix whose diagonal entries are likewise all 0, denoted by an expression not reproduced on this page, where aij, bij denote the elements of adjacency matrices A and B respectively and m, l denote the rows and columns of the matrix; if A = B and m = l, then C is the 2-step iterative matrix of A, and continuing in the same way one obtains the n-step iterative matrix of A;
Critical paths are found by checking, in each computed loss iterative matrix, the element values greater than a given threshold;
The elements of each row of the finally generated iterative matrix are summed and the sums sorted in descending order, the row numbers whose sums exceed the given threshold are found, and thus the key hosts of the first class are obtained,
The elements of each column of the finally generated iterative matrix are summed and the sums sorted in descending order, the column numbers whose sums exceed the given threshold are found, and thus the key hosts of the second class are obtained;
At the same time, the weighted-average aggregation method is used to aggregate host vulnerability and obtain the network vulnerability index assessment value, in order to judge the security level of the target network;
Further comprising a result presentation apparatus: the key hosts and critical paths found are displayed dynamically in the topology diagram; a critical path being a path formed by one host using several hosts as stepping stones to carry out a multi-step attack and penetrate to the destination host, the path must first be found in the topology diagram and then dynamically displayed with bold lines; key hosts of the first and second class are shown in red and yellow respectively in the topology diagram; the vulnerability of the current network is shown as a rectangular block in the upper right corner of the topology diagram, with different colours representing different network states, red denoting that the network is currently in a seriously dangerous state and yellow that it is in a dangerous state; at the same time, a trend chart of the whole-network vulnerability index changing over time is generated, together with corresponding log information;
The attack graph state node weights are determined in the following ways:
Using the PageRank computation model R(H) = (1 - d)/N + d * (R(H1)/C(H1) + ... + R(Hn)/C(Hn)), where n denotes the number of state nodes in the attack graph, R(H) denotes the weight of attack graph state node H, d is the damping coefficient, whose usual value is 0.85, R(Hi) denotes the weight of a node Hi pointing to state node H, and C(Hi) is the number of outgoing arcs (out-degree) of state node Hi;
Using the AccessComplexity field attribute value E from the NVD database, quantized to represent the weight: if E is High the weight is 0.35, if E is Medium the weight is 0.61, if E is Low the weight is 0.71, and if E is undefined the weight takes the value 0.71.
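The two state-node weighting methods named in the claim, carried through in code. This is an added example, not code from the patent or its applicant. The PageRank routine applies the formula as written (damping coefficient d = 0.85, division by each predecessor's out-degree) to the six-host attack graph from the description, whose edges are the nonzero entries of matrix A; the AccessComplexity mapping uses exactly the values given (0.35 / 0.61 / 0.71, and 0.71 when the field is undefined, which are the CVSS v2 AccessComplexity metric values). The uniform starting vector, the convergence tolerance and the helper names are choices made here, not specified by the page.

```python
"""Added example (not code from the patent): the two state-node weighting methods
named on the page, a PageRank computation over the attack graph's state nodes and
the NVD AccessComplexity-to-weight mapping."""

DAMPING = 0.85  # d, the damping coefficient value stated on the page

# Directed edges of the six-host atomic attack graph on the page (the nonzero
# entries of adjacency matrix A): an edge (i, j) means host i can attack host j.
EDGES = [(1, 2), (1, 3), (2, 4), (2, 5), (3, 4), (3, 5), (4, 6), (5, 6)]


def pagerank_weights(n, edges, d=DAMPING, max_iter=100, tol=1e-12):
    """R(H) = (1 - d)/N + d * sum(R(Hi) / C(Hi)) over the nodes Hi pointing at H,
    where C(Hi) is the out-degree of Hi. Iterated from a uniform start (an
    assumption, the page gives no starting value) until the largest change is
    below tol. Returns {node: weight}."""
    nodes = range(1, n + 1)
    out_degree = {h: 0 for h in nodes}
    preds = {h: [] for h in nodes}
    for src, dst in edges:
        out_degree[src] += 1
        preds[dst].append(src)
    r = {h: 1.0 / n for h in nodes}
    for _ in range(max_iter):
        new = {h: (1 - d) / n + d * sum(r[p] / out_degree[p] for p in preds[h])
               for h in nodes}
        delta = max(abs(new[h] - r[h]) for h in nodes)
        r = new
        if delta < tol:
            break
    return r


# Weight for the NVD AccessComplexity field as given on the page: High 0.35,
# Medium 0.61, Low 0.71, and 0.71 when the field is undefined.
AC_WEIGHT = {"HIGH": 0.35, "MEDIUM": 0.61, "LOW": 0.71}


def access_complexity_weight(access_complexity):
    """Map an AccessComplexity value (any letter case, possibly missing) to its weight."""
    key = (access_complexity or "").strip().upper()
    return AC_WEIGHT.get(key, 0.71)


def highest_weight_node(weights):
    """State node with the largest PageRank weight."""
    return max(weights, key=weights.get)


if __name__ == "__main__":
    w = pagerank_weights(6, EDGES)
    for h in sorted(w):
        print(f"host {h}: R = {w[h]:.4f}")
    print("highest weight:", highest_weight_node(w))   # 6
    for ac in ("High", "Medium", "Low", None):
        print(ac, "->", access_complexity_weight(ac))
```

Because the example graph is acyclic, the iteration settles after a handful of rounds: host 1, which nothing points at, keeps the floor value (1 - d)/N = 0.025, and host 6, reached from both hosts 4 and 5, ends with the largest weight. A node with no outgoing edges contributes nothing to any other node under the formula as stated, which is worth knowing when the graph has many such leaf hosts.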
CN201310329096.1A 2013-07-31 2013-07-31 Network security evaluation device based on attack graph adjacent matrix Active CN103368976B (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN201310329096.1A CN103368976B (en) 2013-07-31 2013-07-31 Network security evaluation device based on attack graph adjacent matrix

Publications (2)

Publication Number Publication Date
CN103368976A CN103368976A (en) 2013-10-23
CN103368976B true CN103368976B (en) 2015-03-04

Family

ID=49369513

Country Status (1)

Country Link
CN (1) CN103368976B (en)

Legal Events

Date Code Title Description
C06 Publication
PB01 Publication
C53 Correction of patent of invention or patent application
CB03 Change of inventor or designer information
COR Change of bibliographic data
Free format text: CORRECT: INVENTOR; FROM: ZHANG XIAOSONG NIU WEINA CHEN RUIDONG WANG DONG ZHANG JIANSONG LI JIANBIN TO: CHEN TING ZHANG XIAOSONG NIU WEINA CHEN RUIDONG WANG DONG ZHANG JIANSONG JIANG WEI LI JIANBIN
C10 Entry into substantive examination
SE01 Entry into force of request for substantive examination
CB03 Change of inventor or designer information
COR Change of bibliographic data
Free format text: CORRECT: INVENTOR; FROM: CHEN TING ZHANG XIAOSONG NIU WEINA CHEN RUIDONG WANG DONG ZHANG JIANSONG JIANG WEI LI JIANBIN TO: ZHANG XIAOSONG NIU WEINA CHEN RUIDONG WANG DONG CHEN TING ZHANG JIANSONG JIANG WEI LI JIANBIN
C14 Grant of patent or utility model
GR01 Patent grant