A network security assessment device based on an attack graph adjacency matrix
Technical field
The present invention proposes a network security assessment device based on an attack graph adjacency matrix, and belongs to the field of computer network security technology.
Background technology
With the spread of informatization, the number of Chinese Internet users keeps rising. According to the 31st Statistical Report on Internet Development in China issued by the China Internet Network Information Center (CNNIC) in January 2013, by the end of December 2012 China had 564 million Internet users, an increase of 26 million over the figure at the end of June 2012; Internet penetration reached 42.1%, up 3.8 percentage points from the end of 2011. Industrialization and network technology continue to advance, and computer networks have penetrated every aspect of work, life and study, bringing great convenience to daily life: shopping, booking train and plane tickets, reserving hotels, reading the latest domestic and foreign news and trading stocks online. Many state-owned enterprises also operate their own portal websites, so computer networks play an increasingly important role in civilian, commercial and national-defence use alike.
Because security was given little consideration when networks were first built, because the TCP/IP protocol suite itself has defects, and because economic interests drive a growing number of criminals to attack networks and steal sensitive user information, network attacks occur again and again and attackers' techniques grow ever more sophisticated. In 2012 alone more than ten major attacks broke out, including source-code theft, large-scale hacker attacks, malware outbreaks, information leaks, major vulnerability incidents and operating-system security incidents; from well-known domestic e-commerce sites such as Jingdong to established foreign companies such as Symantec, Zappos and LinkedIn, and even universities such as Cambridge in Britain and Harvard in the United States, none escaped. These attacks cause alarm, and network security has become a significant bottleneck restricting the long-term growth of countries and enterprises; accurately analysing and evaluating the security state of a network therefore helps administrators improve its protection. Attacks on individuals, enterprises and countries all cause great losses; by one estimate Chinese Internet users alone pay more than 15 billion yuan per year for network attacks, so network security management has great economic and practical value. The basis of network security management is accurate network security assessment: by fully assessing the threats and degree of influence that insecure factors may bring, and by finding the key hosts and key attack paths, appropriate measures can be taken to actively protect computers and networks and reduce the possibility of the system being attacked and damaged.
Traditional vulnerability assessment tools simply add up the risks that each independent vulnerability may bring; merely knowing which vulnerabilities exist in a network cannot accurately evaluate its security state. In a real network environment an attacking host that wants to obtain privileges on a target host, in order to operate on it, often has to pass through several intermediate hosts as springboards. A network attack graph analyses the network configuration and vulnerability information comprehensively from the attacker's point of view: it not only shows which vulnerabilities and weaknesses exist in the network, but also finds the key attack paths and key hosts in a complex network, so that security analysts can take targeted measures to improve security. Domestic and foreign researchers have done much work on this and proposed many attack graph generation models and algorithms. However, the attack graphs generated by existing methods are suited to small networks (fewer than about five hosts); in large and especially very large networks the graphs these methods generate become so complex and huge that further analysis is impractical. Using an adjacency matrix requires only a simple atomic attack graph to be built, not every attack path, which helps administrators quickly and conveniently find the first and second classes of key hosts in a large network and thus maintain the network with the right emphasis. A first-class key host is one whose own security strongly affects the security of other hosts in the network: once it is compromised, many other hosts are likely to be attacked. A second-class key host is one that many hosts in the network can attack.
Network security assessment requires results that are strongly real-time and highly visual, so this patent proposes assessing network security by computing iterative matrices from the adjacency matrix of an atomic attack graph. A monotonicity assumption is made at the same time: an attacker does not launch an attack to obtain privileges that are already held, and does not return to a state already passed through in a series of attack states, that is, there are no loops. This reduces the complexity of the attack graph and improves its visualization.
Patents related to the present invention
Searching the records of the State Intellectual Property Office of the People's Republic of China by the keyword "attack graph" finds four related patents, and by the keyword "network security assessment" finds two.
A depth-first attack graph generation method (application number: 200710144693.1)
This patent proposes an attack graph generation method based on depth-first search: first all security factors of the current network are collected to form the initial state, then a Prolog system is used to search for all network states the attacker may pass through before reaching the target state, attack paths are constructed from the dependencies between the states found, and finally the constructed attack paths are combined into a network attack graph. Its advantage is that depth-first search not only reduces the scale of the attack graph but also keeps non-target nodes out of it. The invention is mainly an attack graph generation algorithm; it merely generates the graph and does not analyse it in depth.
An attack graph generation system oriented to network security alarm correlation (application number: 200810037824.0)
This patent proposes an attack graph generation system, oriented to network security alarm correlation, consisting of a network initial configuration information module, an OVAL vulnerability scan report collection module, a network connectivity analysis module, a data structure building module, a knowledge base and an attack graph generation module. Its advantage is that it is convenient to implement in engineering practice, but it only generates the attack graph and does not use it to further analyse and evaluate network security.
An intrusion response method based on attack graphs (application number: 201110181511.4)
This patent, building on the IRAG reference model for intrusion detection and response, selects countermeasures according to three kinds of cost: operation, response and loss. It considers only the next step of the attacker's attack, the system's response and the attacker's attack process, and mainly selects the attack or response action with the greatest payoff for the system and the attacker; it has little relation to the network security assessment based on attack graph adjacency matrices proposed here.
A network security analysis method that solves for the K most probable attack graphs (application number: 201210224533.9)
This patent stores, at each node, the K attack paths with the highest cumulative probability, mainly to solve a problem of network security assessment algorithms based on access-level vectors: they can only identify the maximum-probability path to each node of the attacked network and cannot generate the K most probable attack paths to a node. It considers only attack paths and does not assess other factors, so its assessment is not comprehensive.
A network security evaluation method based on network behaviour analysis (NBA) (application number: 200910050505.8)
This patent treats each connection or independent packet in the network as a flow, analyses the network behaviour parameters of every host from the attributes of all recorded flows passing through the network, and computes the maximum threshold allowed for each host's behaviour parameters; if a host's characteristic parameter value exceeds the maximum threshold, the network is considered abnormal. It is mainly a network security evaluation method based on network behaviour analysis and has little relation to the method based on attack graph adjacency matrices proposed here.
A vulnerability scanning system oriented to network security evaluation and its processing method (application number: 200910112916.5)
This patent combines a vulnerability scanning system with an intrusion detection system and adds an alarm function and a scheduling function, so that the system can selectively scan and evaluate the target network and produce a comparatively objective and accurate vulnerability scan report. When abnormal conditions arise, the alarm module notifies the network and the scheduling module drives the scan engine module to scan the whole network. It cannot identify important information such as critical paths and key hosts.
Summary of the invention
The object of the present invention is to solve the following technical problems:
One. High efficiency, applicable to large-scale and high-speed networks
One design objective of the present invention is applicability to large and high-speed networks, so that the security of a large-scale computer network can be analysed and evaluated and further protective measures taken accordingly; this places very high demands on the efficiency of the proposed network security assessment method. The method is based on the adjacency matrix of an atomic attack graph: only the basic intrusions need to be known to build the atomic attack graph, without first obtaining every attack path, so it is highly efficient; the attack graph built is not very complex, and because the assessment is carried out with matrix calculations it can be used in large network environments.
Two. More reliable data for analysing and evaluating network security
Another design objective is that the data used to analyse and evaluate network security be more reliable, so that key hosts can be found accurately and administrators can maintain the target network with the right emphasis. The proposed device builds an initial adjacency matrix from a simple attack graph that reflects the basic attack relations between each pair of hosts in the network, and applies a processing function to it iteratively to obtain the final iterative matrix. Usually key hosts are determined from the experience of network administrators; key hosts determined in this way carry strong subjective bias and may not be the ones that truly reflect the network's condition. Analysing the overall network and searching for the two classes of key hosts with the iterative-matrix method is more accurate and reliable.
Three. High visualization
A further design objective is to display the assessment results visually, so that administrators clearly know which hosts or paths in the network have problems, making maintenance and management easier. The proposed device presents the final network security assessment visually.
To solve the above problems, the present invention adopts the following technical solution:
A network security assessment device based on an attack graph adjacency matrix, characterized in that it comprises:
An information collection device, which collects all information in the network in real time;
An atomic attack graph generation device, which generates the initial atomic attack graph between host pairs required for subsequent network security analysis;
A matrix computation device, which first converts the generated atomic attack graph into the corresponding adjacency matrix and second computes the iterative matrix corresponding to that adjacency matrix for a configured number of iterations;
A network security analysis device, which obtains the two classes of key hosts, the critical paths and similar key information from the final iterative matrix; if the maximum probability of a path being attacked exceeds the initial threshold set, that path is called a critical path;
A result presentation device, which dynamically displays the two classes of key hosts and the critical paths found in the network topology diagram.
In the above technical solution, the information collection device collects the network topology, routing rules and firewall information of the target network, uses scanning tools or network management software to obtain the configuration information of network devices and hosts, and uses a vulnerability scanning strategy to scan the network hosts and obtain the basic configuration information of each host system and the vulnerabilities present on it.
In the above technical solution, the vulnerability scanning strategy is divided into two kinds, active and passive:
Active vulnerability scanning strategy: according to the scanning means it is further divided into host-based vulnerability detection and network vulnerability detection;
Host-based vulnerability detection: an agent or service is installed on the target host and accesses its file system, registry, system services and audit information, so that all vulnerabilities can be scanned completely;
Network vulnerability detection: the computer is scanned mainly remotely over the network;
Passive vulnerability scanning strategy: based on the principle of feature matching, the network data flow of the target host is captured passively and analysed, then matched against the vulnerability definition rules in a database to judge whether the host system has vulnerabilities.
In the above technical solution, the atomic attack graph generation device uses the network topology information and host vulnerability information obtained by the information collection device and a general host attack graph generation algorithm, with the number of attack steps limited to 1, to generate the initial atomic attack graph between host pairs, and determines the weight of each attack graph state node, that is, the cost of carrying out the attack.
The weight of an attack graph state node can be determined with the PageRank computation model
R(H) = (1 - d)/N + d * (R(H_1)/C(H_1) + ... + R(H_n)/C(H_n)),
where N is the number of state nodes in the attack graph, R(H) is the weight of state node H, d is the damping coefficient (usually 0.85), the H_i are the state nodes with an arc pointing to H, R(H_i) is the weight of H_i, and C(H_i) is the out-degree (number of outgoing arcs) of state node H_i. The weight can also be quantized with the AccessComplexity field value E from the NVD database: when E is High the weight is 0.35, when E is Medium it is 0.61, when E is Low it is 0.71, and when E is undefined the weight is also 0.71. The CAPEC library can also serve as the basis for determining weights: the five levels Very Low, Low, Medium, High and Very High of the attack pattern attributes "Typical Likelihood of Exploit" and "Attacker Skills or Knowledge Required" are quantized so that the final value falls in the interval [0, 1].
In the above technical solution, the matrix computation device:
converts the atomic attack graph between host pairs into the corresponding adjacency matrix: if an attack graph can be generated between the two hosts <H_i, H_j>, the corresponding attack graph adjacency matrix element is a_ij = Weight, where H_i and H_j denote host i and host j, i, j = 1, 2, ..., n (n is the total number of hosts in the network), and Weight is the weight, which represents the maximum probability of a successful attack from H_i to H_j.
An attacker exploiting a vulnerability to attack a host causes the host to lose assets. The size of the loss depends not only on the vulnerability exploited and the attack launched but also on the importance of the assets, so the loss of a state node is determined by the importance of the host and the danger level of the vulnerability.
We denote the node loss by L(h, v), with L(h, v) = C(h) * S(v), where C(h) is the importance of the host, quantized into grades according to the services and network functions the host provides so that its value falls in the interval [0, 1], and S(v) is the severity of the harm the vulnerability can cause, quantized with the CVSS score so that its value falls in the interval [0, 10].
Let A = (a_ij)_{m×l} and B = (b_ij)_{m×l} be adjacency matrices whose diagonal elements are all 0, and let C be an m × n matrix computed from A and B whose diagonal elements are likewise all 0, where a_ij and b_ij are the elements of A and B respectively and m and l are the numbers of rows and columns of the matrices. If A = B and m = l, C is called the 2-step iterative matrix of A, and the matrix obtained by repeating the operation is called the n-step iterative matrix of A.
In the above technical solution, the network security analysis device:
finds the critical paths by checking, in each computed loss iterative matrix, the elements whose value exceeds the given threshold;
sums each row of the final iterative matrix, sorts the sums in descending order and picks out the row numbers whose sums exceed the given threshold, which gives the first class of key hosts;
sums each column of the final iterative matrix, sorts the sums in descending order and picks out the column numbers whose sums exceed the given threshold, which gives the second class of key hosts;
and at the same time aggregates the host vulnerabilities by weighted averaging to obtain a network vulnerability index value, from which the security level of the target network is judged.
In the above technical solution, the result presentation device:
displays the key hosts and critical paths obtained visually in the network topology diagram and represents the network security levels in different colours.
The beneficial effects brought by the technical solution of the present invention:
One. High efficiency, applicable to large-scale and high-speed networks
The assessment method of the present invention is based on the atomic attack graph between host pairs and does not need to generate all attack paths to build the attack graph, so the complexity of the attack graph is low and the method suits large-scale and high-speed networks.
Two. High assessment accuracy: critical paths and key hosts can be identified accurately
The device builds an initial adjacency matrix from a simple attack graph reflecting the basic attack relations between each pair of hosts and applies a processing function to it iteratively to obtain the final iterative matrix. Key hosts and critical paths are found by analysing the matrix rather than relying solely on the experience of administrators, so the assessment accuracy is high.
Three. Real-time and highly visual
The assessment method builds the simple attack graph between host pairs quickly from information collected from the target network in real time, and matrix calculation is fast, which improves the real-time quality of the assessment to a certain extent. The key hosts and critical paths found are finally displayed dynamically in the network topology diagram with the network security levels shown in different colours, so the visualization is high and administrators can conveniently view, analyse and handle the results.
Description of the drawings
Fig. 1 is the simple atomic attack graph between host pairs of the present invention.
Embodiment
A specific embodiment of the proposed network security assessment device is given below; it applies not only to small networks but equally to large ones.
Embodiment one of the present invention:
Implementation of the information collection device
The connections between hosts can be obtained from the network topology diagram. Normally a network is divided into several regions separated by firewalls or routers, with the hosts in each region interconnected. If the topology diagram is not known, route discovery algorithms and related protocols, including DNS, ICMP, SNMP, RIP, OSPF and operating-system and architecture-specific protocols, are used to obtain the routing information of every device in the network, and the required topology diagram is generated automatically from the information acquired. Scanning tools or network management software are used to obtain device and host configuration information. Because a host must open ports to provide services, it can be attacked remotely, and the host itself also has weaknesses, so the vulnerability information of the network and of the devices in it must be obtained; this is done by scanning the network and the devices in it according to a vulnerability scanning strategy.
The vulnerability scanning strategy is divided into active and passive. The active strategy is further divided by scanning means into host-based vulnerability detection and network vulnerability detection: host-based detection installs an agent or service on the target host that accesses the host's file system, registry, system services and audit information so that all vulnerabilities can be scanned completely, while network detection scans the computer mainly remotely over the network. The passive strategy works on the principle of feature matching: the target host's network data flow is captured passively and analysed, then matched against the vulnerability definition rules in a database to judge whether the host system has vulnerabilities.
Implementation of the atomic attack graph generation device
A network contains servers, user hosts, routers, firewalls and other elements; in this patent all such elements that may have security problems are referred to as hosts. The network topology information and host vulnerability information obtained by the information collection device are used to generate the initial atomic attack graph, which requires determining the weights, that is, the cost of carrying out an attack. In the present invention the weight of an attack graph state node can be determined with the PageRank computation model
R(H) = (1 - d)/N + d * (R(H_1)/C(H_1) + ... + R(H_n)/C(H_n)),
where N is the number of state nodes in the attack graph, R(H) is the weight of state node H, d is the damping coefficient (usually 0.85), the H_i are the state nodes with an arc pointing to H, R(H_i) is the weight of H_i, and C(H_i) is the out-degree (number of outgoing arcs) of state node H_i. The weight can also be quantized with the AccessComplexity field value E from the NVD database: when E is High the weight is 0.35, when E is Medium it is 0.61, when E is Low it is 0.71, and when E is undefined the weight is also 0.71. The CAPEC library can also serve as the basis for determining weights: the five levels Very Low, Low, Medium, High and Very High of the attack pattern attributes "Typical Likelihood of Exploit" and "Attacker Skills or Knowledge Required" are quantized so that the final value falls in the interval [0, 1].
Implementation of the matrix computation device
The atomic attack graph between host pairs is converted into the corresponding adjacency matrix: if an attack graph can be generated between the two hosts <H_i, H_j>, the corresponding attack graph adjacency matrix element is a_ij = Weight, where H_i and H_j denote host i and host j, i, j = 1, 2, ..., n (n is the total number of hosts in the network), and Weight is the weight, which represents the maximum probability of a successful attack from H_i to H_j.
An attacker exploiting a vulnerability to attack a host causes the host to lose assets. The size of the loss depends not only on the vulnerability exploited and the attack launched but also on the importance of the assets, so the loss of a state node is determined by the importance of the host and the danger level of the vulnerability. The node loss is denoted L(h, v), with L(h, v) = C(h) * S(v), where C(h) is the importance of the host, quantized into grades according to the services and network functions the host provides so that its value falls in the interval [0, 1], and S(v) is the severity of the harm the vulnerability can cause, quantized with the CVSS score so that its value falls in the interval [0, 10].
Let A = (a_ij)_{m×l} and B = (b_ij)_{m×l} be adjacency matrices whose diagonal elements are all 0, and let C be an m × n matrix computed from A and B whose diagonal elements are likewise all 0, where a_ij and b_ij are the elements of A and B respectively and m and l are the numbers of rows and columns of the matrices. If A = B and m = l, C is called the 2-step iterative matrix of A, and the matrix obtained by repeating the operation is called the n-step iterative matrix of A.
In this device the corresponding iterative matrix can be computed for a configured number of iterations in order to assess network security. Suppose the generated atomic attack graph is as shown in Fig. 1, where the value in a node represents the importance of the host and, of the pair of numbers on an edge connecting two nodes, the first represents the probability of a successful attack and the second the harm caused by exploiting the vulnerability. The corresponding adjacency matrix A is:
The host loss adjacency matrix B is:
Implementation of the network security analysis device
The critical paths are found by checking, in each computed loss iterative matrix, the elements whose values exceed the given threshold; if such an element lies in the host loss adjacency matrix, the path formed by one host attacking another once through a vulnerability is a critical path. Each row of the final iterative matrix obtained by iteration is summed, the sums are sorted in descending order, and the row numbers whose sums exceed the given threshold give the first class of key hosts; each column is summed, the sums are sorted in descending order, and the column numbers whose sums exceed the given threshold give the second class of key hosts. For example, the elements b46 and b56 of the host loss adjacency matrix B both exceed the initial threshold 0.7, which shows that the atomic attack path of host 4 exploiting a vulnerability on host 6 and the atomic attack path of host 5 exploiting a vulnerability on host 6 are both critical paths. Suppose the number of iterations is set to 1. Sorting the row sums of adjacency matrix A in descending order gives: row 3 (1.0) > row 2 (0.9) = row 1 (0.9) > row 5 (0.7) > row 4 (0.6) > row 6 (0); the sums of rows 1, 2 and 3 all exceed the initial threshold 0.8, so hosts 1, 2 and 3 belong to the first class of key hosts. Sorting the column sums of A in descending order gives: column 4 (1.3) = column 6 (1.3) > column 2 (0.6) = column 5 (0.6) > column 3 (0.3) > column 1 (0); the sums of columns 4 and 6 both exceed the initial threshold, so hosts 4 and 6 belong to the second class of key hosts. The thresholds can be adjusted to suit the environment.
At the same time, the host vulnerabilities are aggregated by weighted averaging to obtain a network vulnerability index value, from which the security level of the target network is judged.
Implementation of the result presentation device
The key hosts and critical paths found are displayed dynamically in the network topology diagram. If a critical path is a path along which one host penetrates to the target host through several attacks, using several hosts as springboards, that path is first located in the topology and then displayed dynamically with a thickened line. First-class and second-class key hosts are shown in the topology diagram in red and yellow respectively. The vulnerability of the current network is shown by a rectangular block in the upper right corner of the topology diagram, whose colour indicates the state of the network, for example red for a state of grave danger and yellow for a dangerous state. At the same time a trend chart of the network vulnerability index changing over time is generated, and corresponding log information is recorded, so that administrators can check and analyse it later.