
Network attack intention dynamic recognition system based on Timed Automata

Info

Publication number: CN103748992B
Authority: CN (China)
Prior art keywords: attack, vulnerability, intention, vuln, host
Legal status: Active
Application number: CN201010048679.3A
Other languages: Chinese (zh)
Inventors: 胡昌振, 彭武, 姚淑萍
Current Assignee: Beijing Institute of Technology BIT
Original Assignee: Beijing Institute of Technology BIT

Abstract

The invention provides a network attack intention dynamic recognition system based on timed automata, comprising: an attack intention database, a vulnerability knowledge base, an attack behaviour knowledge base, an attack intention hypothesis generation module, a behaviour generation module, an attack path graph generation module, a vulnerability state description module and an intention recognition module. A timed automaton describes the transition process of vulnerability states in real time; from the attack path graph of the network, the attack intention set of the network output by the attack intention hypothesis generation module, and the vulnerability state transition process output by the vulnerability state description module, the realisation probability of each attack intention is calculated. The system uses a dynamic intention recognition method that performs intention recognition in real time from the dynamic information of the event stream; it considers not only attack behaviour information but also response behaviour information, and so adapts well to the characteristics of network attack and defence.

Description

Network attack intention dynamic recognition system based on Timed Automata
Technical field
The present invention relates to a network attack intention dynamic recognition system based on timed automata and belongs to the field of computer network security technology.
Background art
With the development and application of computer networks, network security problems have become increasingly prominent. Network users currently rely mainly on security devices such as intrusion detection systems, firewalls and antivirus software for protection. However, the alerts and logs of these devices have shortcomings: the alert level is low, missed alarms and false alarms are many, correlation analysis is lacking and response lags, so they cannot meet the needs of network security detection and recognition. Only by identifying the attack intention hidden behind these attack behaviours can network attacks be recognised accurately and prevented in time.
Correlating security events to build attack scenarios is an important approach to understanding and recognising network attacks. Cuppens et al., in "Recognizing Malicious Intention in an Intrusion Detection Process" (Second International Conference on Hybrid Intelligent Systems, 2002), model the prerequisites and consequences of attacks and directly correlate two behaviours according to whether the prerequisites of the later behaviour match the consequences of the earlier one. The method has shortcomings: it requires complex correlation rules to be defined, the level of correlation is low, the search space is large and computational efficiency is low, so it cannot be used for online processing.
Ning et al., in "Constructing Attack Scenarios through Correlation of Intrusion Alerts" (9th ACM Conference on Computer and Communications Security), propose generating attack strategies automatically by correlating alerts. An attack strategy is described by an attack strategy graph in which nodes represent attacks and edges represent the temporal order of attacks; the constraint relations between edges and nodes associate the attacks. The method first generalises alerts that differ in form but are essentially the same into hyper-alerts and then correlates them. However, it does not consider the confidence of security events and lacks the ability to describe and handle uncertainty in attack detection and intention recognition.
Alert correlation analysis mainly refines the intruder's attack behaviour from the alerts of intrusion detection systems in order to build attack scenarios. Such methods seldom or never consider the influence of the network environment and defence policies on attack behaviour; as a result their correlation accuracy and efficiency are low, they lack the ability to infer subsequent attack behaviour and attack intention, and they cannot dynamically recognise network attack intention from real-time attack and response behaviour.
A timed automaton [123] is a finite state machine extended with time constraints, used to describe the behaviour and state changes of real-time systems; see R. Alur and D. Dill, "A theory of timed automata", Theoretical Computer Science, 1994, 126(2): 183-235. During an attack, the intruder's grasp of attack timing and the timing of the system's response determine whether the attack intention is realised. Therefore this document applies a timed automaton to describe the state change process of vulnerabilities and, on that basis, dynamically recognises the intruder's attack intention.
Intention recognition is the process by which an agent perceives and understands the intentions of other agents; technically, it infers an agent's intention by observing the agent's behaviour and the effect of that behaviour on the environment [56]. Network attack intention recognition is the process of perceiving and inferring a network intruder's attack intention and of discovering and predicting the attack plan. It is an adversarial form of intention recognition and a multi-level reasoning process from state to behaviour to intention. Sensors perceive the network environment state, attack state and attack behaviour information, and recognition of the intruder's intention is converted into a reasoning process over intention hypotheses.
Summary of the invention
The object of the present invention is to provide a network attack intention dynamic recognition system based on timed automata that performs intention recognition in real time from the dynamic information of the event stream.
The present invention is based on the following definitions:
Vulnerability. A vulnerability is a defect caused by errors in the design, coding, configuration or implementation of the hardware, software, components or protocols of a computer system, or by deficiencies in its security policy; it includes environment configuration (e.g. maximum password length, authentication type), security holes (e.g. a buffer overflow in an IIS server) and management errors. The attributes of a vulnerability include but are not limited to its name, exploit difficulty (NTC), precondition set and consequence set. For the definition and derivation of exploit difficulty (NTC), see Zhang Yongzheng's paper "Research on multidimensional quantified-attribute weakness classification based on privilege elevation".
Attack behaviour. An attack behaviour is an action in which the attacker exploits a network vulnerability to cause the security state of the system to shift; it is the operational unit carried out to realise an attack intention. The attributes of an attack behaviour include but are not limited to its name, precondition set and consequence set.
Response behaviour. A response behaviour is a security protection policy, attack response or disaster recovery action taken by the defender against an occurring or imminent intrusion. The attributes of a response behaviour include but are not limited to its name, the object acted upon and its action time.
Attack intention. An attack intention is a description of the attacker's ultimate aim: the basic idea and plan by which the attacker hopes to achieve some attack objective.
The present invention is a network attack intention dynamic recognition system based on timed automata, comprising the following modules: an attack intention database, a vulnerability knowledge base, an attack behaviour knowledge base, an attack intention hypothesis generation module, a behaviour generation module, an attack path graph generation module, a vulnerability state description module and an intention recognition module;
The attack behaviour knowledge base, behaviour generation module, vulnerability state description module and intention recognition module are connected in sequence; the attack intention database and attack intention hypothesis generation module are connected in sequence with the intention recognition module; the vulnerability knowledge base and attack path graph generation module are connected in sequence with the intention recognition module; wherein
The attack intention database stores attack intentions classified according to attack consequences;
The vulnerability knowledge base stores various vulnerability information together with its precondition sets and consequence sets;
The attack behaviour knowledge base stores various attack behaviours and their attributes;
The attack intention hypothesis generation module determines the attack intention for each key asset according to the key assets of the concrete network environment, their security requirements, and the correspondence between security requirements and the attack intentions in the attack intention database, and finally obtains the attack intention set of the network;
Key assets include but are not limited to key information, key services and key equipment; security requirements include but are not limited to confidentiality, integrity and availability; a key asset corresponds to the point of application of an attack intention; a security requirement corresponds to a class of attack intention;
The behaviour generation module generates the behaviour information of the network from the input event stream; behaviour information comprises attack behaviours and response behaviours. The behaviour generation module comprises an attack behaviour generation submodule and a response behaviour generation submodule, wherein
The attack behaviour generation submodule maps intrusion detection system alerts from the event stream that differ only in their time attribute within a time window and are identical in all other attributes to the same attack behaviour in the attack behaviour knowledge base, and stores it; the time window in the attack behaviour generation submodule is the predefined maximum effect time of an attack behaviour;
The response behaviour generation submodule reads response behaviours directly from the response event information in the input event stream, and stores them;
The attack path graph generation module generates the attack path graph of the whole network. The method is as follows:
Input information: the host set HOST, the vulnerability set VULN of the particular network formed by the host set, the connection relation set CONN between hosts, and the attack intention set INHY.
1. For each host in the host set HOST, perform the following operations:
A. From the detection results of the vulnerability scanner, generate the vulnerability set VULN_h of this host, then search the vulnerability knowledge base for the precondition set vuln_pre and consequence set vuln_post of each vulnerability vuln_i in VULN_h;
B. In the vulnerability set VULN_h of this host, search for all vulnerabilities vuln_(i+1) whose precondition set vuln_pre is a subset of the consequence set vuln_post of vulnerability vuln_i, and regard each such pair as an edge from vuln_i to vuln_(i+1), where vuln_i, vuln_(i+1) ∈ VULN_h; after deleting duplicate edges from the search results, add all remaining edges to the edge set of this host;
C. Take all vulnerabilities in the vulnerability set VULN_h of this host as vertices and add them to the vertex set of this host; according to the vertex set and edge set, link these vertices and edges together to generate the attack path graph of this host;
2. For each host in the host set HOST, take from the inter-host connection relation set CONN all hosts host* that have a connection relation with this host, and generate the attack path graph of each host* by the method of step 1; if, among these hosts host*, the consequence set of a vulnerability of host i is obtaining root or user privilege and the precondition set of a vulnerability of host j is remote attack, connect these two vulnerabilities, thereby obtaining the attack path graph of the whole network formed by the host set;
3. For each attack intention in the attack intention set INHY, search the vulnerability set VULN of the particular network formed by the host set for vulnerabilities that have a causal relation with this attack intention, take the attack intention as the successor node of each such vulnerability vuln_i, and generate the attack path graph Graph of the network.
Vulnerability state description module: this module applies a timed automaton to describe the transition process of vulnerability states in real time and sends it to the intention recognition module; the transitions are triggered by the attack behaviours and response behaviours obtained by the behaviour generation module;
In this module, five states of a vulnerability are set: S1 means the current state of the vulnerability is normal but the conditions for successful exploitation exist; S2 means the vulnerability has been probed; S3 means the vulnerability is being attacked; S4 means the vulnerability has been exploited and the attacker has obtained the corresponding gain; S5 means a response has taken effect and the conditions for exploiting the vulnerability no longer exist for a period of time.
In this module, a signal factor that reflects the vulnerability state in real time is defined; for the different states of a vulnerability, the signal factor is given different numerical values.
The intention recognition module calculates the realisation probability of each attack intention from the attack path graph Graph of the network, the attack intention set of the network output by the attack intention hypothesis generation module, and the vulnerability state transition process output by the vulnerability state description module.
In this module, the intention recognition steps are as follows:
(1) For a complete attack path path_k = (u, vuln_1, ..., vuln_n, v) in the attack path graph Graph of the network, where u is the current node and v is the attack intention node, let λ(τ, vuln_i, S_u) be the signal factor of vulnerability vuln_i in the state S_u it occupies during time zone τ, reflecting the degree to which the real-time state of the vulnerability influences realisation of the attack intention, with u = 1, 2, 3, 4, 5; the realisation probability APPI of attack path path_k is calculated by the following formula:
$$\mathrm{APPI}(path_k) = \prod_{i=1}^{n} \lambda(\tau, vuln_i, S_u) \cdot \mathrm{NTC}(vuln_i)$$
where NTC(vuln_i) is the exploit difficulty of vulnerability vuln_i;
(2) By searching the network attack path graph, obtain the m attack paths {path_k, k = 1, 2, ..., m} from the starting point u to the attack intention node v. If any one of these m attack paths is successfully completed, the attacker is considered to have realised this attack intention; the realisation probability AIP of each attack intention is calculated as follows:
$$\mathrm{AIP}(intent) = 1 - \prod_{k=1}^{m} \bigl(1 - \mathrm{APPI}(path_k)\bigr)$$
The realisation probability AIP of each attack intention is the likelihood that this attack intention is realised; when the signal factor of a vulnerability state in the network system changes, the realisation probability of each attack intention must be recalculated.
Compared with the prior art, the beneficial effect of the present invention is that the technical scheme is a dynamic intention recognition method that performs intention recognition in real time from the dynamic information of the event stream, considering not only attack behaviour information but also response behaviour information, and so adapts well to the characteristics of network attack and defence.
Description of the drawings
Fig. 1: logical schematic of the attack intention hypothesis generation module;
Fig. 2: module diagram of the network attack intention dynamic recognition system based on timed automata;
Fig. 3: vulnerability state transition diagram.
Embodiments
The technical scheme is further explained below with reference to the drawings and embodiments.
The present invention is a network attack intention dynamic recognition system based on timed automata, mainly comprising the following modules:
Attack intention database, for storing attack intentions classified according to attack consequences; for example, attack intentions are divided into illegal privilege escalation, information leakage, information tampering, denial of service and illegal use of resources.
Vulnerability knowledge base, for storing various vulnerability information together with its precondition sets and consequence sets.
Attack behaviour knowledge base, for storing various attack behaviours and their attributes;
Attack intention hypothesis generation module, for determining the attack intention for each key asset according to the key assets of the concrete network environment, their security requirements, and the correspondence between security requirements and the attack intentions in the attack intention database; for example, confidentiality corresponds to illegal privilege escalation, information leakage and illegal use of resources; integrity corresponds to illegal privilege escalation and information tampering; availability corresponds to illegal privilege escalation and denial of service. Finally the attack intention set of the network is obtained.
Key assets include but are not limited to key information, key services and key equipment; security requirements include but are not limited to confidentiality, integrity and availability; a key asset corresponds to the point of application of an attack intention; a security requirement corresponds to a class of attack intention. In this embodiment the security requirements correspond to illegal privilege escalation, information leakage, information tampering, denial of service and illegal use of resources. The logical schematic of the attack intention hypothesis generation module is shown in Fig. 1.
Behaviour generation module, for generating the behaviour information of the network from the input event stream; behaviour information comprises attack behaviours and response behaviours. The behaviour generation module comprises an attack behaviour generation submodule and a response behaviour generation submodule.
Attack behaviour generation submodule: maps intrusion detection system alerts from the event stream that differ only in their time attribute within a time window and are identical in all other attributes to the same attack behaviour in the attack behaviour knowledge base, and stores it; the attack behaviour generation submodule comprises an attack behaviour knowledge base for storing various attack behaviours and their attributes.
This is explained as follows:
The adaptation function from an intrusion detection system alert to an attack behaviour is defined as a mapping from the alert space of the intrusion detection system to the attacker's attack behaviour space: EXT(alert) → action.
For example, alert1 = (202.77.162.213, 172.16.115.20, 54792, 32773, 03/07-23:08:07.359636, Generic Protocol Command Decode, RPC sadmind UDP PING) is an alert message of an intrusion detection system, and action1 = (sadmind_port_request, rpc_port_scan, 03/07-23:08:07) is an attack behaviour. This alert is triggered by this attack behaviour, so a mapping EXT(alert1) → action1 is considered to exist between them.
The time window in the attack behaviour generation submodule is the predefined maximum effect time of an attack behaviour. For example, for an existing alert alert_i and a new alert alert_j with timestamps alert_i.time and alert_j.time respectively, if |alert_j.time − alert_i.time| < δ and EXT(alert_i) = EXT(alert_j) = action_k, the new alert alert_j is merged with alert alert_i and the action time of attack behaviour action_k becomes [alert_i.time, alert_j.time], where δ is the length of the given time window.
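As an added example (not code from the patent), the following Python implements the alert-to-behaviour mapping EXT and the time-window merge described above; the alert stream beyond the page's alert1, the EXT table, and the choice to anchor the window δ at the first alert of a behaviour are constructed assumptions.

```python
from datetime import datetime

# Constructed EXT mapping: IDS alert signature -> attack behaviour name. It stands in
# for the attack behaviour knowledge base; the single entry follows the page's example
# (RPC sadmind UDP PING -> sadmind_port_request).
EXT = {
    "RPC sadmind UDP PING": "sadmind_port_request",
}

# Constructed alert stream in the page's tuple layout:
# (src, dst, sport, dport, timestamp, classification, signature).
# The first tuple is the page's alert1; the rest are constructed variations.
ALERTS = [
    ("202.77.162.213", "172.16.115.20", 54792, 32773, "03/07-23:08:07.359636",
     "Generic Protocol Command Decode", "RPC sadmind UDP PING"),
    ("202.77.162.213", "172.16.115.20", 54792, 32773, "03/07-23:08:09.101010",
     "Generic Protocol Command Decode", "RPC sadmind UDP PING"),
    ("202.77.162.213", "172.16.115.20", 54792, 32773, "03/07-23:08:12.500000",
     "Generic Protocol Command Decode", "RPC sadmind UDP PING"),
    # Constructed alert whose signature has no EXT entry: it cannot be mapped.
    ("202.77.162.213", "172.16.115.20", 54792, 32773, "03/07-23:08:14.000000",
     "Generic Protocol Command Decode", "CONSTRUCTED-UNMAPPED-SIGNATURE"),
    # Same behaviour again, but almost seven minutes later (outside a 30 s window).
    ("202.77.162.213", "172.16.115.20", 54792, 32773, "03/07-23:15:00.000000",
     "Generic Protocol Command Decode", "RPC sadmind UDP PING"),
]


def parse_ts(ts):
    """Parse the Snort-style 'MM/DD-HH:MM:SS.ffffff' timestamp used in the page's alert (no year)."""
    return datetime.strptime(ts, "%m/%d-%H:%M:%S.%f")


def generate_attack_behaviours(alerts, window_seconds):
    """Map alerts to attack behaviours and merge those that fall inside the window δ.

    A new alert_j joins an existing behaviour action_k when EXT(alert_j) == EXT(alert_i),
    all non-time attributes are identical, and |alert_j.time - alert_i.time| < δ, where
    alert_i is the first alert of action_k (assumption: δ is the maximum effect time of
    the behaviour, so the window is anchored at its first alert). The behaviour's action
    time is then [alert_i.time, alert_j.time].
    """
    behaviours = []
    for src, dst, sport, dport, ts, _cls, sig in alerts:
        name = EXT.get(sig)
        if name is None:
            continue  # no EXT mapping: the alert has no counterpart in the knowledge base
        t = parse_ts(ts)
        key = (src, dst, sport, dport, sig)  # every attribute except time
        for b in behaviours:
            if (b["name"] == name and b["key"] == key
                    and abs((t - b["start"]).total_seconds()) < window_seconds):
                b["end"] = max(b["end"], t)
                b["alerts"] += 1
                break
        else:
            behaviours.append({"name": name, "key": key, "start": t, "end": t, "alerts": 1})
    return behaviours


def duration_seconds(behaviour):
    """Length of the behaviour's action time [alert_i.time, alert_j.time] in seconds."""
    return (behaviour["end"] - behaviour["start"]).total_seconds()


if __name__ == "__main__":
    for b in generate_attack_behaviours(ALERTS, 30):
        print(b["name"], b["alerts"], "alerts,", duration_seconds(b), "s")
```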
Response behaviour generation submodule: reads response behaviours directly from the response event information in the input event stream, and stores them.
Attack path graph generation module:
Input information: the host set HOST, the vulnerability set VULN of the particular network formed by the host set, the connection relation set CONN between hosts, and the attack intention set INHY.
1. For each host in the host set HOST, perform the following operations:
A. From the detection results of the vulnerability scanner, generate the vulnerability set VULN_h of this host, then search the vulnerability knowledge base for the precondition set vuln_pre and consequence set vuln_post of each vulnerability vuln_i in VULN_h;
B. In the vulnerability set VULN_h of this host, search for all vulnerabilities vuln_(i+1) whose precondition set vuln_pre is a subset of the consequence set vuln_post of vulnerability vuln_i, and regard each such pair as an edge from vuln_i to vuln_(i+1), where vuln_i, vuln_(i+1) ∈ VULN_h; after deleting duplicate edges from the search results, add all remaining edges to the edge set of this host;
C. Take all vulnerabilities in the vulnerability set VULN_h of this host as vertices and add them to the vertex set of this host; according to the vertex set and edge set, link these vertices and edges together to generate the attack path graph of this host;
2. For each host in the host set HOST, take from the inter-host connection relation set CONN all hosts host* that have a connection relation with this host, and generate the attack path graph of each host* by the method of step 1; if, among these hosts host*, the consequence set of a vulnerability of host i is obtaining root or user privilege and the precondition set of a vulnerability of host j is remote attack, connect these two vulnerabilities, thereby obtaining the attack path graph of the whole network formed by the host set;
3. For each attack intention in the attack intention set INHY, search the vulnerability set VULN of the particular network formed by the host set for vulnerabilities that have a causal relation with this attack intention, take the attack intention as the successor node of each such vulnerability vuln_i, and generate the attack path graph Graph of the network.
Vulnerability state description module
This module applies a timed automaton to describe the transition process of vulnerability states in real time; the transitions are triggered by the attack behaviours and response behaviours obtained by the behaviour generation module. For timed automaton theory see the paper "A theory of timed automata" by Alur and Dill.
In this module, five states of a vulnerability are set: S1 means the current state of the vulnerability is normal but the conditions for successful exploitation exist; S2 means the vulnerability has been probed; S3 means the vulnerability is being attacked; S4 means the vulnerability has been exploited and the attacker has obtained the corresponding gain; S5 means a response has taken effect and the conditions for exploiting the vulnerability no longer exist for a period of time.
Fig. 3 describes the state transition process of a vulnerability based on a timed automaton. S1, S2, S3, S4 and S5 represent the five states of a vulnerability: S1 means the current state of the vulnerability is normal but the conditions for successful exploitation exist; S2 means the vulnerability has been probed; S3 means the vulnerability is being attacked; S4 means the vulnerability has been exploited and the attacker has obtained the corresponding gain; S5 means a response has taken effect and the conditions for exploiting the vulnerability no longer exist for a period of time. t1, t2 and t3 are the action times of attack behaviours, and r_time is the action time of a response.
The transition process between the vulnerability states shown in Fig. 3 is as follows:
(1) S1 → S2: the attacker scans the vulnerability, i.e. attack behaviour a12 occurs.
(2) S2 → S1: some time after the attack behaviour ends its effect disappears, or response behaviour r21 takes effect, and the system returns to the initial state S1; t1 is the action time of attack behaviour a12.
(3) S2 → S3: the attacker continues with attack behaviour a23; the attack is confirmed but has not yet succeeded, e.g. attempted-admin.
(4) S2 → S4: attack behaviour a24 succeeds and the vulnerability is exploited, e.g. successful-admin.
(5) S2 → S5: while the attacker is attacking, response behaviour r25 takes effect and the conditions for the attack no longer exist.
(6) S1 → S3: the attacker is attacking, or the attacker's attack is confirmed.
(7) S3 → S1: the attack fails or the effect time of the attack ends, at which point y > t2 (state from S1 → S3) or x > t3 (state from S1 → S2 → S3); or response behaviour r31 takes effect and the attack cannot continue.
(8) S1 → S5: system response behaviour r15 takes effect and the conditions for the attack no longer exist, e.g. system shutdown, software upgrade.
(9) S3 → S5: while the attacker is attacking, system response behaviour r35 takes effect and the conditions for the attack no longer exist.
(10) S3 → S4: attack behaviour a34 succeeds and the vulnerability is exploited, or the host is compromised.
(11) S5 → S1: the action time r_time of the response behaviour ends and the vulnerability returns to the initial state S1, e.g. system boot, service restart.
A signal factor that reflects the vulnerability state in real time is defined, and is given different numerical values for the different states of a vulnerability. For example: in state S1 the signal factor is 0.4; in state S2 it is 0.7; in state S3 it is 1.0; in state S4 it is 1/NTC; in state S5 it is 0.
Intention recognition module, for calculating the realisation probability of each attack intention from the attack path graph Graph(VERTEX, EDGE) of the network.
The recognition steps are as follows:
(1) In the network attack path graph, in order to realise an attack intention the intruder must ensure that every vulnerability on some path from the current node u to the attack intention node v can be exploited successfully. For a complete attack path path_k = (u, vuln_1, ..., vuln_n, v) in the attack path graph Graph(VERTEX, EDGE) of the network, where u is the current node and v is the attack intention node, let λ(τ, vuln_i, S_u) be the signal factor of vulnerability vuln_i in the state S_u it occupies during time zone τ, reflecting the degree to which the real-time state of the vulnerability influences realisation of the attack intention, with u = 1, 2, 3, 4, 5. Therefore the realisation probability APPI of attack path path_k can be calculated by the following formula:
$$\mathrm{APPI}(path_k) = \prod_{i=1}^{n} \lambda(\tau, vuln_i, S_u) \cdot \mathrm{NTC}(vuln_i)$$
where NTC(vuln_i) is the exploit difficulty of vulnerability vuln_i;
(2) By searching the network attack path graph, obtain the m attack paths {path_k, k = 1, 2, ..., m} from the starting point u to the attack intention node v. If any one of these m attack paths is successfully completed, the attacker is considered to have realised this attack intention. The attack paths are therefore in an "or" relation, and the realisation probability AIP of each attack intention is calculated as follows:
$$\mathrm{AIP}(intent) = 1 - \prod_{k=1}^{m} \bigl(1 - \mathrm{APPI}(path_k)\bigr)$$
The realisation probability AIP of each attack intention is the likelihood that this attack intention is realised; when the signal factor of a vulnerability state in the network system changes, the realisation probability of each attack intention must be recalculated.
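As an added worked example (not the patent's own code), the following Python ties the pieces of the embodiment together: the five-state automaton of Fig. 3 with the example signal factors, edge construction from precondition and consequence sets as in steps 1B and 3 of the attack path graph generation module, and APPI and AIP computed before and after an event stream. The vulnerabilities, their NTC values, the current node's consequence set, the event stream, and the reduction of the timing guards (t1, t2, t3, r_time) to explicit "expire" events are constructed assumptions.

```python
from math import prod

# Five vulnerability states of the timed automaton (Fig. 3).
S1, S2, S3, S4, S5 = "S1", "S2", "S3", "S4", "S5"

# Transitions (1)-(11) of the page, keyed by (state, event). The timing guards on
# t1, t2, t3 and r_time are modelled as an explicit "expire" event (assumption).
TRANSITIONS = {
    (S1, "scan"): S2,      # (1)  a12: vulnerability scanned
    (S2, "expire"): S1,    # (2)  effect of a12 over (t1) or r21 takes effect
    (S2, "attack"): S3,    # (3)  a23: attack confirmed, not yet successful
    (S2, "exploit"): S4,   # (4)  a24: exploitation succeeds
    (S2, "respond"): S5,   # (5)  r25: response removes the attack conditions
    (S1, "attack"): S3,    # (6)  attack observed or confirmed directly
    (S3, "expire"): S1,    # (7)  attack fails / effect time over / r31
    (S1, "respond"): S5,   # (8)  r15: e.g. shutdown, software upgrade
    (S3, "respond"): S5,   # (9)  r35
    (S3, "exploit"): S4,   # (10) a34: exploitation succeeds
    (S5, "expire"): S1,    # (11) r_time over: e.g. reboot, service restart
}


def step(state, event):
    """Apply one attack/response event; pairs without a transition leave the state unchanged."""
    return TRANSITIONS.get((state, event), state)


def signal_factor(state, ntc):
    """λ(τ, vuln_i, S_u) using the page's example values; in S4 it is 1/NTC."""
    return {S1: 0.4, S2: 0.7, S3: 1.0, S4: 1.0 / ntc, S5: 0.0}[state]


# Constructed vulnerabilities: name -> (NTC, precondition set, consequence set).
# NTC values are constructed and lie in (0, 1], so in S4 λ·NTC = (1/NTC)·NTC = 1.
VULNS = {
    "vulnA": (0.8, {"remote"}, {"user"}),
    "vulnB": (0.5, {"user"}, {"root"}),
    "vulnC": (0.25, {"remote"}, {"root"}),
}
CURRENT_NODE = "u"        # the attacker's present node
U_POST = {"remote"}       # assumption: what the attacker already has at node u
INTENT = "priv_escalation"  # attack intention node v


def build_graph(vulns, u_post):
    """Edges per step 1B (pre(vuln_j) ⊆ post(vuln_i)) plus, per step 3, an edge from every
    vulnerability whose consequence set yields root to the intention node."""
    edges = set()
    for vi, (_, _, post_i) in vulns.items():
        for vj, (_, pre_j, _) in vulns.items():
            if vi != vj and pre_j <= post_i:
                edges.add((vi, vj))
        if "root" in post_i:
            edges.add((vi, INTENT))
    for vj, (_, pre_j, _) in vulns.items():
        if pre_j <= u_post:
            edges.add((CURRENT_NODE, vj))
    return edges


def enumerate_paths(edges, start, goal):
    """All simple paths start -> goal: the m attack paths {path_k} of step (2)."""
    adj = {}
    for a, b in edges:
        adj.setdefault(a, []).append(b)
    paths = []

    def dfs(node, path):
        if node == goal:
            paths.append(tuple(path))
            return
        for nxt in sorted(adj.get(node, [])):
            if nxt not in path:
                dfs(nxt, path + [nxt])

    dfs(start, [start])
    return paths


def appi(path, states):
    """APPI(path_k) = Π λ(τ, vuln_i, S_u) · NTC(vuln_i) over the vulnerability nodes only."""
    return prod(signal_factor(states[v], VULNS[v][0]) * VULNS[v][0] for v in path[1:-1])


def aip(paths, states):
    """AIP(intent) = 1 - Π (1 - APPI(path_k)): the paths are in an 'or' relation."""
    return 1.0 - prod(1.0 - appi(p, states) for p in paths)


# Constructed event stream: (vulnerability, event) pairs from the behaviour generation module.
EVENTS = [("vulnA", "scan"), ("vulnA", "attack"), ("vulnA", "exploit"),
          ("vulnB", "scan"), ("vulnC", "scan"), ("vulnC", "respond")]


def recognise(events):
    """Drive every vulnerability's automaton with the events, then recompute AIP."""
    states = {v: S1 for v in VULNS}
    for vuln, ev in events:
        states[vuln] = step(states[vuln], ev)
    paths = enumerate_paths(build_graph(VULNS, U_POST), CURRENT_NODE, INTENT)
    return states, aip(paths, states)


if __name__ == "__main__":
    print("before events:", recognise([]))
    print("after events: ", recognise(EVENTS))
```

Before any event all three vulnerabilities sit in S1 and AIP is 0.1576; after vulnA is exploited (S4), vulnB probed (S2) and vulnC neutralised by a response (S5), the path through vulnC contributes 0 and AIP rises to 0.35.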
The above detailed description further explains the object, technical scheme and beneficial effects of the invention. It should be understood that the foregoing is only a specific embodiment of the invention and is not intended to limit its scope of protection; any modification, equivalent replacement or improvement made within the spirit and principles of the invention shall fall within the scope of protection of the invention.

Claims (3)

1. the network attack based on Timed Automata is intended to dynamic recognition system, it is characterized in that, comprise as lower module: attack intension database, vulnerability knowledge base, attack knowledge base, attack intension hypotheses creation module, behavior generation module, attack path figure generation module, fragility state description module, intention recognition module;
The attack knowledge base, behavior generation module, vulnerability state description module and intention recognition module are connected in sequence; the attack intention database and the attack intention hypothesis generation module are connected in sequence with the intention recognition module; the vulnerability knowledge base and the attack path graph generation module are connected in sequence with the intention recognition module; wherein
the attack intention database stores attack intentions classified by attack consequence;
the vulnerability knowledge base stores vulnerability information together with the precondition set and the consequence set of each vulnerability;
the attack knowledge base stores attack behaviors and their attributes;
the attack intention hypothesis generation module determines the attack intention for each key asset from the correspondence between the key assets and security requirements of the concrete network environment and the attack intentions in the attack intention database, and finally obtains the attack intention set of the network;
the behavior generation module generates the behavior information of the network from the input event stream; behavior information comprises attack behaviors and response behaviors, and the behavior generation module comprises an attack behavior generation submodule and a response behavior generation submodule;
in the behavior generation module, the attack behavior generation submodule maps intrusion detection system alerts from the event stream that fall within one time window and whose attributes are all identical except for the time attribute to the same attack behavior in the attack knowledge base, and stores it; the response behavior generation submodule reads response behaviors directly from the response event information in the incoming event stream, and stores them;
the time window in the attack behavior generation submodule is the predefined maximum effective time unit of an attack behavior;
the attack path graph generation module generates the attack path graph of the whole network;
the vulnerability state description module applies a timed automaton to describe the vulnerability state transition process in real time and sends it to the intention recognition module; the transitions are triggered by the attack behaviors and response behaviors obtained by the behavior generation module;
in the vulnerability state description module, the five states a vulnerability may be in are set as: S1, the vulnerability is currently in a normal state but the conditions for successful exploitation exist; S2, the vulnerability has been probed; S3, the vulnerability is being attacked; S4, the vulnerability has been fully exploited and the attacker has obtained the corresponding gain; S5, a response has taken effect and the conditions for exploiting the vulnerability have ceased to exist for a period of time;
in the vulnerability state description module, a different numerical value of the signal factor is assigned to each vulnerability state; the signal factor reflects the vulnerability state in real time;
the intention recognition module calculates the realization probability of each attack intention from the network attack path graph, the attack intention set of the network output by the attack intention hypothesis generation module, and the vulnerability state transition process output by the vulnerability state description module;
wherein the intention recognition steps in the intention recognition module are as follows:
(1) For a complete attack path path_k = (u, vuln_1, ..., vuln_n, v) in the network attack path graph Graph, where u is the current node, v is the attack intention node, and λ(τ, vuln_i, S_u) is the signal factor of vulnerability vuln_i in state S_u during time period τ (u = 1, 2, 3, 4, 5), reflecting the degree to which the real-time state of the vulnerability affects realization of the attack intention; the realization probability APPI of attack path path_k is calculated by the following formula:
where NTC(vuln_i) is the exploitation difficulty of vulnerability vuln_i;
(2) By searching the network attack path graph, obtain the m attack paths from the starting point u to the attack intention node v: {path_k, k = 1, 2, ..., m}; if any one of these m attack paths is successfully completed, the attacker is considered to have realized this attack intention; the realization probability AIP of each attack intention is computed as follows:
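A timed automaton over the five vulnerability states, as an added example that is not the patent's own code. The states S1 to S5 are the patent's; the behavior kinds that trigger each transition, the numeric signal factors per state, the idle timeout that returns a probed or attacked vulnerability to S1, and the time-to-live after which a response's effect lapses are all assumptions of this example.

```python
from dataclasses import dataclass
from typing import Dict, List, Tuple

# The five states are the patent's; signal-factor values and transition triggers are assumed.
S1, S2, S3, S4, S5 = "S1", "S2", "S3", "S4", "S5"
SIGNAL_FACTOR: Dict[str, float] = {S1: 0.1, S2: 0.3, S3: 0.6, S4: 1.0, S5: 0.0}

# (current state, behavior kind) -> next state. Behavior kinds are assumed labels
# that the behavior generation module would attach to attack behaviors.
TRANSITIONS: Dict[Tuple[str, str], str] = {
    (S1, "probe"): S2,
    (S1, "attack"): S3, (S2, "attack"): S3, (S3, "attack"): S3,
    (S2, "exploit_success"): S4, (S3, "exploit_success"): S4,
}

@dataclass
class VulnClock:
    vuln: str
    state: str = S1
    entered_at: float = 0.0   # clock reset on every state change

class VulnStateAutomaton:
    def __init__(self, idle_timeout: float, response_ttl: float):
        self.idle_timeout = idle_timeout    # S2/S3 fall back to S1 after this much silence
        self.response_ttl = response_ttl    # S5 returns to S1 once the response's effect lapses
        self.clocks: Dict[str, VulnClock] = {}

    def _expire(self, c: VulnClock, now: float) -> None:
        """Time guards (assumed): transitions taken purely because the clock ran out."""
        elapsed = now - c.entered_at
        if c.state in (S2, S3) and elapsed > self.idle_timeout:
            c.state, c.entered_at = S1, now
        elif c.state == S5 and elapsed > self.response_ttl:
            c.state, c.entered_at = S1, now

    def observe(self, vuln: str, kind: str, now: float) -> str:
        """Apply one attack or response behavior to the vulnerability and return its state."""
        c = self.clocks.setdefault(vuln, VulnClock(vuln, S1, now))
        self._expire(c, now)
        nxt = S5 if kind == "response" else TRANSITIONS.get((c.state, kind), c.state)
        if nxt != c.state:
            c.state, c.entered_at = nxt, now
        return c.state

    def signal_factor(self, vuln: str, now: float) -> float:
        """The signal factor lambda(tau, vuln, S) for the state the vulnerability is in now."""
        c = self.clocks.setdefault(vuln, VulnClock(vuln, S1, now))
        self._expire(c, now)
        return SIGNAL_FACTOR[c.state]

# Constructed event stream: (vulnerability, behavior kind, time in seconds).
SAMPLE_EVENTS = [
    ("vuln_1", "probe", 0.0),
    ("vuln_1", "attack", 10.0),
    ("vuln_1", "exploit_success", 12.0),
    ("vuln_1", "response", 20.0),
    ("vuln_2", "probe", 0.0),
]

def run_sample() -> Tuple[VulnStateAutomaton, List[str]]:
    aut = VulnStateAutomaton(idle_timeout=300.0, response_ttl=3600.0)
    trace = [aut.observe(v, k, t) for v, k, t in SAMPLE_EVENTS]
    return aut, trace

if __name__ == "__main__":
    aut, trace = run_sample()
    print(trace)
    print(aut.signal_factor("vuln_2", 500.0))   # vuln_2 idled past the timeout
```

The point of the clocks is that the signal factor is a function of elapsed time, not only of the last event seen: a probe with no follow-up decays back to S1, and a response only suppresses the factor for as long as its effect is assumed to hold.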
[Formula for AIP shown as an image in the original; not reproduced on this page]
The realization probability AIP of each attack intention is the likelihood that the attack intention is realized; whenever the vulnerability state signal factor in the network system changes, the realization probability of each attack intention must be recalculated.
2. The network attack intention dynamic recognition system based on a timed automaton according to claim 1, characterized in that, in the attack intention hypothesis generation module, key assets comprise key information, key services and key equipment; security requirements comprise confidentiality, integrity and availability; key assets correspond to the application points of attack intentions; security requirements correspond to the classification of attack intentions.
3. The network attack intention dynamic recognition system based on a timed automaton according to claim 1, characterized in that, in the attack path graph generation module, the attack path graph is generated as follows:
Input information: host set HOST, vulnerability set VULN of the particular network formed by the host set, connection relation set CONN between hosts, attack intention set INHY;
1. For each host in host set HOST, perform the following operations:
A. From the detection results of the vulnerability scanner, generate the vulnerability set VULN_h of this host, then search the vulnerability knowledge base for the precondition set vuln_pre and the consequence set vuln_post of each vulnerability vuln_i in VULN_h;
B. In the vulnerability set VULN_h of this host, search for all vulnerabilities vuln_{i+1} whose precondition set vuln_pre is a subset of the consequence set vuln_post of vulnerability vuln_i, and regard each as an edge from vuln_i to vuln_{i+1}, where vuln_i, vuln_{i+1} ∈ VULN_h; after deleting duplicate edges from the search results, add all remaining edges to the edge set of this host;
C. Take all vulnerabilities in the vulnerability set VULN_h of this host as vertices and add them to the vertex set of this host; according to the vertex set and the edge set, link these vertices and edges together to generate the attack path graph of this host;
2. For each host in host set HOST, take from the inter-host connection relation set CONN all hosts host* that have a connection relation with this host, and generate the attack path graph of each host* by the method of step 1; if, among these hosts host*, the consequence set of a vulnerability on host i is obtaining root or user privilege and the precondition set of a vulnerability on host j is remote attack, connect these two vulnerabilities, thereby obtaining the attack path graph of the whole network formed by the host set;
3. For each attack intention in attack intention set INHY, search the vulnerability set VULN of the particular network formed by the host set for vulnerabilities causally related to this attack intention, and make the attack intention the successor node of each causally related vulnerability vuln_i, generating the network attack path graph Graph.
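The three-step attack path graph construction of claim 3, followed by the path search that step (2) of claim 1 relies on, as an added example that is not the patent's own code. The condition labels (`remote`, `priv:user`, `priv:root`, `data:read`), the rule that an intention is causally related to a vulnerability whose consequence set contains the intention's consequence label, the treatment of CONN as directed pairs, and the sample hosts and vulnerabilities are all assumptions of this example.

```python
from dataclasses import dataclass
from itertools import permutations
from typing import Dict, FrozenSet, List, Set, Tuple

@dataclass(frozen=True)
class Vuln:
    vid: str                 # "host:vuln" label
    pre: FrozenSet[str]      # vuln_pre, as looked up in the vulnerability knowledge base
    post: FrozenSet[str]     # vuln_post

# Condition labels are assumed for this example.
PRIV = {"priv:root", "priv:user"}   # consequences counted as "root or user privilege"
REMOTE = "remote"                   # precondition meaning "remotely attackable"

Edge = Tuple[str, str]

def host_edges(vulns: List[Vuln]) -> Set[Edge]:
    """Step 1.B: edge vuln_i -> vuln_j whenever pre(vuln_j) is a subset of post(vuln_i).
    A set is used, so duplicate edges are dropped as the claim requires."""
    return {(a.vid, b.vid) for a, b in permutations(vulns, 2) if b.pre <= a.post}

def build_attack_graph(hosts: Dict[str, List[Vuln]], conn: Set[Tuple[str, str]],
                       intents: Dict[str, str]) -> Tuple[Set[str], Set[Edge]]:
    nodes: Set[str] = set()
    edges: Set[Edge] = set()
    # Step 1: per-host attack path graph (vertices = vulnerabilities of that host)
    for vulns in hosts.values():
        nodes.update(v.vid for v in vulns)
        edges |= host_edges(vulns)
    # Step 2: cross-host edges along CONN: privilege gained on src -> remotely attackable on dst
    for src, dst in conn:
        for a in hosts[src]:
            if a.post & PRIV:
                for b in hosts[dst]:
                    if REMOTE in b.pre:
                        edges.add((a.vid, b.vid))
    # Step 3: each attack intention becomes the successor of its causally related vulnerabilities
    for name, consequence in intents.items():
        nodes.add(name)
        for vulns in hosts.values():
            for v in vulns:
                if consequence in v.post:
                    edges.add((v.vid, name))
    return nodes, edges

def find_paths(edges: Set[Edge], start: str, goal: str) -> List[List[str]]:
    """All simple paths from the current node to the intention node (the m paths of claim 1)."""
    adj: Dict[str, List[str]] = {}
    for a, b in sorted(edges):
        adj.setdefault(a, []).append(b)
    paths: List[List[str]] = []
    def dfs(node: str, path: List[str]) -> None:
        if node == goal:
            paths.append(path)
            return
        for nxt in adj.get(node, []):
            if nxt not in path:          # no cycles through already-visited vulnerabilities
                dfs(nxt, path + [nxt])
    dfs(start, [start])
    return paths

# Constructed two-host network (not from the patent): a web host reachable remotely
# and a database host reachable only from the web host.
SAMPLE_HOSTS: Dict[str, List[Vuln]] = {
    "web": [Vuln("web:v1", frozenset({"remote"}), frozenset({"priv:user"})),
            Vuln("web:v2", frozenset({"priv:user"}), frozenset({"priv:root"}))],
    "db":  [Vuln("db:v3", frozenset({"remote"}), frozenset({"priv:root", "data:read"})),
            Vuln("db:v4", frozenset({"priv:root"}), frozenset({"data:read"}))],
}
SAMPLE_CONN = {("web", "db")}
SAMPLE_INTENTS = {"steal_data": "data:read"}   # intention -> consequence label it depends on

def demo() -> Tuple[Set[Edge], List[List[str]]]:
    _, edges = build_attack_graph(SAMPLE_HOSTS, SAMPLE_CONN, SAMPLE_INTENTS)
    return edges, find_paths(edges, "web:v1", "steal_data")

if __name__ == "__main__":
    edges, paths = demo()
    for p in paths:
        print(" -> ".join(p))
```

On the sample network the search returns four paths from web:v1 to the steal_data node, which is the m over which claim 1 combines per-path probabilities; each vulnerability's signal factor from the state description module then weights the paths that pass through it.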
CN201010048679.3A 2010-06-09 Network attack intention dynamic recognition system based on Timed Automata Active CN103748992B (en)

Publications (1)

Publication Number Publication Date
CN103748992B true CN103748992B (en) 2012-02-08


Citations (3)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN1838607A (en) * 2005-03-23 2006-09-27 中国人民解放军理工大学 High-speed detection and control mechanism for preventing network DoS attack
CN101494567A (en) * 2008-08-29 2009-07-29 北京理工大学 Detection method for distributed abnegation service aggression based on load prediction
US7627900B1 (en) * 2005-03-10 2009-12-01 George Mason Intellectual Properties, Inc. Attack graph aggregation


Non-Patent Citations (2)

* Cited by examiner, † Cited by third party
Title
彭武 et al. Research on intrusion intention recognition based on probabilistic reasoning. 计算机科学 (Computer Science), 2010, 37(1): 79-82. *
李闻 et al. Automatic analysis and response system for code injection attacks based on anomaly diagnosis. 软件学报 (Journal of Software), 2008, 19(6): 1519-1532. *

Cited By (12)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN108243169A (en) * 2016-12-27 2018-07-03 中国移动通信集团内蒙古有限公司 A kind of network security finds out method and system
CN108429728A (en) * 2017-09-05 2018-08-21 河南理工大学 A kind of attack path prediction technique based on time gain compensation
CN108429728B (en) * 2017-09-05 2020-11-06 河南理工大学 Attack path prediction method based on time gain compensation
CN108200095A (en) * 2018-02-09 2018-06-22 华北电力科学研究院有限责任公司 The Internet boundaries security strategy fragility determines method and device
CN108200095B (en) * 2018-02-09 2021-02-23 华北电力科学研究院有限责任公司 Method and device for determining vulnerability of Internet boundary security policy
CN108737273A (en) * 2018-05-10 2018-11-02 新华三技术有限公司 A kind of message processing method and device
CN108737273B (en) * 2018-05-10 2021-03-23 新华三技术有限公司 Message processing method and device
CN111626121A (en) * 2020-04-24 2020-09-04 上海交通大学 Complex event identification method and system based on multi-level interactive reasoning in video
CN111626121B (en) * 2020-04-24 2022-12-20 上海交通大学 Complex event identification method and system based on multi-level interactive reasoning in video
CN112351021A (en) * 2020-10-30 2021-02-09 杭州安恒信息技术股份有限公司 Asset risk detection method and device, readable storage medium and computer equipment
CN112351021B (en) * 2020-10-30 2023-04-07 杭州安恒信息技术股份有限公司 Asset risk detection method and device, readable storage medium and computer equipment
CN113794699B (en) * 2021-08-30 2022-06-07 西安交通大学 Network analysis processing method


Legal Events

Date Code Title Description
GR03 Grant of secret patent right
DC01 Secret patent status has been lifted