CN105681338A - Vulnerability exploiting success probability calculation method and network security risk management method - Google Patents

Abstract

The invention relates to a vulnerability exploiting success probability calculation method and a network security risk management method. In the vulnerability exploiting success probability calculation method, the vulnerability exploiting success probability is derived from the vulnerability exploitation probability size. The network vulnerability exploiting success probability calculation method considers that the vulnerability exploitation probability size dynamically varies with time, establishes static and dynamic vulnerability exploitation evaluation indexes, can accurately quantize the vulnerability exploitation, and improves the diversity of vulnerability exploitation evaluation results. The network security risk management method constructs economics indexes of the protection cost and the attack income and an index quantitative method. An optimal protection strategy can be effectively calculated by using a particle swarm optimization algorithm, and finally the security of attacked target nodes is ensured. The security risk of a whole network is effectively reduced in a limiting cost budgeting condition.

Description

Vulnerability exploit probability of success computational methods and network security risk management method

Technical field

The invention belongs to computer network security technology field, be specifically related to a kind of vulnerability exploit probability of success computational methods and network security risk management method.

Background technology

Computer network system faces the attack of complexity, essentially, is owing to computer techno-stress system exists leak in design, exploitation, operation, maintenance, configuration process.

Network attack is the multi-step process of a kind of complexity, and external attacker is analyzed internal network and be there is the interrelated relation of leak, and then starts multi-step attack, makes assailant occupy more resource, finally target of attack is damaged. Multi-step attack has multistage negotiation, purposiveness, concealed feature. And conventional security defence method, such as fire wall, intruding detection system, simply identify aggressive behavior as far as possible, is a kind of passive type defence method, unknown, multistage, hidden aggressive behavior cannot be timely responded to, and this proposes new challenge to traditional safety defense method.

Network security risk evaluation method based on attack graph can analyze the interrelated relation of leak and consequent potential threat. And the utilizability size of each leak is depended on based on the risk assessment of attack graph. Therefore, the quantitative evaluation of single leak utilizability is just seemed particularly important. Most current research work is relied solely on to be marked by CVSS and obtains the utilizability size of leak, and CVSS method only considers the feature that the leak static state person of being hacked own utilizes, not accounting for change over time, vulnerability exploit code utilizability and patch utilizability all can dynamically change therewith. And the factor that affects leak utilizability is a lot, the weighing factor value how correctly distributing these factors is the subject matter of leak utilizability quantitative evaluation.

Current network security challenge and breach are research active defense new model, new technology and methods, by risk assessment means, current safety situation are judged, and implement active safety defense mechanism according to judged result. Theoretically, identify the leak of All hosts in network and stamp patch and just can really release potential safety hazard. But, normally result in different costs in practice leak patch installing, the leak patch installing giving all identifications in the middle of practical application is infeasible. In order to assess and strengthen the safety of overall network, by attack graph modeling multi-step attack step, set up the cause effect relation of leak and utilization. In the application of attack graph, the risk of assessment current network or information system, calculate optimum prevention policies and moderately control risk and attack loss. The safety prevention measure that safety officer takes generally comprises amendment firewall configuration, updates software, closes system service and patch installing etc. In network security risk manages, it is a complicated problem that every kind of safety prevention measure has certain protection cost, income and cost how to weigh. Therefore, under limited protection cost conditions, the prevention policies how choosing optimum has become current research hot issue. It is currently based on the network security initiative type safeguard technology of attack graph when computing network security risk, seldom considers the uncertain factor existed in network attack. And conventional optimized algorithm does not solve optimum prevention policies, such as greedy algorithm effectively.

Summary of the invention

For defect or the deficiency of prior art, an object of the present invention is to provide a kind of vulnerability exploit probability of success computational methods.

Vulnerability exploit probability of success computational methods provided by the present invention include:

Step 1, obtains original aggressor figure, and described original aggressor figure includes several nodes and some directed edges;

Several nodes described include I attribute status node S, and wherein, I takes positive integer, S_i∈ S, i=1,2,3 ..., I;

Described some directed edge E include some vulnerability exploit limits;

E_v∈(S_pre,S_post) for any one vulnerability exploit limit, S_pre、S_postRespectively limit E_v∈(S_pre,S_post) front and back node, S_pre、S_post∈ S, S_postLeak v is there is for any one_postNode;

Step 2, calculates the vulnerability exploit probability of success on all vulnerability exploit limits, wherein vulnerability exploit limit E_v∈(S_pre,S_post) vulnerability exploit probability of success P (v_post) it is:

P(v_post)=AV × w₁+AC×w₂+Au×w₃+RL×w₄+P_exploit×w₅(1)

AV is leak v_postCVSS (general leak marking system) in base set of properties access vector,

AC is leak v_postCVSS in the access complexity of base set of properties,

Au is leak v_postCVSS in the certification of base set of properties,

RL is leak v_postCVSS in the patch restorability class of temporal set of properties,

The value of AV, AC, Au, RL is according to the index of correlation definition in CVSS;

P_exploitFor leak v_postThe probit of code utilizability,T is current date to leak v_postTotal natural law of publication date, t takes positive integer;

w₁=0.073, w₂=0.118, w₃=0.191, w₄=0.2361, w₅=0.3819.

The two of the purpose of the present invention are to provide a kind of Bayes's attack graph construction method.

Bayes's attack graph construction method provided by the invention includes:

Step 1, obtains network original aggressor figure, and described network original aggressor figure includes several nodes and some directed edges;

Several nodes described include I attribute status node S and N number of atomic strike node A, and wherein, I takes positive integer, S_i∈ S, i=1,2,3 ..., I, S₁For the external attribute state node of original aggressor figure, during i >=2, attribute status node S_iOr for there is the node of leak or for attacking income node, and during i >=2, attribute status node S_iFather node set Pa [S_i] and ancestor node setIt is not all empty; N takes positive integer, A_n∈ A, n=1,2,3 ..., N;

Described some directed edge E include some vulnerability exploit limits and some success attack limits;

E_v∈(S_pre,S_post) for any one vulnerability exploit limit, S_pre、S_postRespectively limit E_v∈(S_pre,S_post) front and back node, S_pre、S_post∈ S, S_postLeak v is there is for any one_postNode, S_postFather node set Pa [S_post] it is not empty, S_pre∈Pa[S_post];

E_a∈(A_start,S_end) for any one success attack limit, A_start、S_endRespectively limit E_a∈(A_start,S_end) front and back node, A_start∈ A, S_end∈S,S_endIncome node, S is attacked for any one_endFather node set Pa [S_end] it is not empty, A_start∈Pa[S_end];

Step 2, builds Bayes's attack graph of original aggressor figure, comprises the following steps:

Step 2.1, calculates the vulnerability exploit probability of success on all vulnerability exploit limits, wherein vulnerability exploit limit E_v∈(S_pre,S_post) vulnerability exploit probability of success P (v_post) it is:

P(v_post)=AV × w₁+AC×w₂+Au×w₃+RL×w₄+P_exploit×w₅(2)

In formula 2: AV is leak v_postCVSS (general leak marking system) in base set of properties access vector,

AC is leak v_postCVSS in the access complexity of base set of properties,

Au is leak v_postCVSS in the certification of base set of properties,

RL is leak v_postCVSS in the patch restorability class of temporal set of properties,

The value of AV, AC, Au, RL is according to the index of correlation definition in CVSS;

P_exploitFor leak v_postThe probit of code utilizability,T is current date to leak v_postTotal natural law of publication date, t takes positive integer;

w₁=0.073, w₂=0.118, w₃=0.191, w₄=0.2361, w₅=0.3819;

Step 2.2, calculates the success attack probability on all success attack limits, wherein any success attack limit E_a∈(A_start,S_end) success attack probability P (A_start) it is: node A_startWhen there is vulnerability information issue, attack tool and attack method, P (A_start) it is 0.8; Node A_startWhen there is vulnerability information issue and attack method without attack tool, P (A_start) it is 0.6; Node A_startWhen there is vulnerability information issue without attack method and attack tool, P (A_start) it is 0.2;

Step 2.3, calculates the local condition probability distribution table LCPD of all properties state node:

(1) there is the node S of leak_postLCPD function P (S_post|Pa[S_post]) it is:

(2) income node S is attacked_endLCPD function P (S_end|Pa[S_end]) it is:

Step 2.4, calculates the prior probability of all properties state node:

(1)S₁Prior probability P (S₁)=0.7;

(2) the prior probability P (S of the attribute status node of i >=2_i) it is:

$P\left(S_i\right)=P\left(S_i\right|Pa\[S_i\])\×\underset{j=1}{\overset{J}{\mathrm{\Π}}}P\left(S_j\right|Pa\[S_j\])---\left(3\right)$

In formula 3, P (S_i|Pa[S_i]) for attribute status node S_iLCPD function, S_jFor S_iAncestor node, Pa [S_j] for node S_jFather's node set, P (S_j|Pa[S_j]) it is node S_jLCPD function.

The three of the purpose of the present invention are to provide a kind of network security risk management method.

Network security risk management method provided by the present invention includes:

Step 1, adopts method described in claim 2 to build Bayes's attack graph;

Step 2, provides prevention policies according to monitored network environment, based on protection cost and attack income analysis, utilizes PSO Algorithm optimum prevention policies, and Bayes's attack graph is finally implemented optimum prevention policies:

Income node S is arbitrarily attacked under prevention policies T_endThe safeguard procedures that belonging network equipment is implemented are M_k, safeguard procedures M_kRepresent and disconnect network connection, disabling service, patch installing or a kind of mode in safety product 4 generic operation is installed; Prevention policies T is safeguard procedures set M={M_k| k=1 ..., the boolean vector of m} represents, is: T=(T₁,T₂,...,T_k,...,T_m),

The fitness function of described particle cluster algorithm is α SG (T)+(1-α) SC (T), meet fitness function α SG (T)+(1-α) SC (T) value minimum, SC (T)≤B, B is network security management cost budgeting;

Bayes's attack graph initially attack incomeP(S_end) for attacking income node S_endPrior probability; G (S_end) for attacking income node S_endAttack income,G₁For confidentiality loss, G₂For integrity loss, G₃For loss of availability, G₄For privilege-escalation, wherein, confidentiality loses G₁, integrity loss G₂, loss of availability G₃Value according to the index of correlation definition in CVSS; Node A_startWhen corresponding leak describes a kind of description field comprised in information in executearbitrarycode, executearbitraryfiles, overwritearbitraryfiles, gainprivileges, obtainprivileges, rootprivileges, administrativeprivileges and elevationofprivilegevulnerability, G₄=1, otherwise, G₄=0; P₁For the preference heterogeneity of confidentiality loss, P₁=100, P₂For the preference heterogeneity of integrity loss, P₂=75, P₃For the preference heterogeneity of loss of availability, P₃=50, P₄For the preference heterogeneity of privilege-escalation, P₄=25;

SG (T) implements the attack income after prevention policies T for Bayes's attack graph,Safeguard procedures M_kWhen enabling,P_M(S_end|M_k) represent attribute status node S_endImplement safeguard procedures M_kAfter probability; R_kFor arbitrarily attacking income node S_endImplement safeguard procedures M_kThe impact probability preference heterogeneity of affiliated action type, R₁The preference heterogeneity of posterior probability impact, R is implemented for disabling service class safeguard procedures₂The preference heterogeneity of posterior probability impact, R is implemented for disconnecting network connection class safeguard procedures₃The preference heterogeneity of posterior probability impact, R is implemented for installing safety product class safeguard procedures₄The preference heterogeneity of posterior probability impact, 0 < R is implemented for patch installing class safeguard procedures_k≤ 100, R_kAccording to safeguard procedures M_kValue R₁、R₂、R₃Or R₄; As safeguard procedures M_kDuring not enabled, P_M(S_end|M_k)=P (S_end);

SC (T) implements the protection cost after prevention policies T for Bayes's attack graph,C_kRepresent and arbitrarily attack income node S_endImplement safeguard procedures M_kProtection cost,0 < imp (asset)≤1, imp (asset) is according to arbitrarily attacking income node S_endThe economic worth value of belonging network equipment, economic worth its value more big is more big; Q_kFor arbitrarily attacking income node S_endImplement safeguard procedures M_kProtection cost preference heterogeneity, Q₁The protection cost preference heterogeneity of class safeguard procedures, Q is connected for disconnecting network₂For the protection cost preference heterogeneity of patch installing class safeguard procedures, Q₃For the protection cost preference heterogeneity of disabling service class safeguard procedures, Q₄For installing the protection cost preference heterogeneity of safety product class safeguard procedures, 0 < Q_q≤ 100, Q₁>Q₂>Q₃>Q₄, Q_kAccording to safeguard procedures M_kValue Q₁、Q₂、Q₃Or Q₄;

α is the preference weight attacking income, 0≤α≤1.

Further, the attack income node S of the present invention_endDuring belonging network device storage Enterprises'Business Secrets Information, 0.7≤imp (asset)≤1; Attack income node S_endWhen belonging network equipment provides business event service, 0.4≤imp (asset) < 0.7; Attack income node S_endDuring belonging network device storage individual privacy information, 0 < imp (asset) < 0.4.

Further, the method institute applicable network equipment of the present invention includes web page server, mail server, name server, database server, Ftp server, gateway server, registrar server and PC;

Described attack income node S_endWhen belonging network equipment is database server, Ftp server, registrar server, gateway server, web page server, mail server, name server or PC, the corresponding value of imp (asset) is 1.0,0.9,0.8,0.7,0.6,0.5,0.4,0.3;

R₁=100, R₂=50, R₃=30, R₄=20;

Q₁=100, Q₂=80, Q₃=60, Q₄=40.

The four of the purpose of the present invention are to provide a kind of network security risk management system.

Network security risk provided by the present invention management system include: risk identification subsystem, data storage and management subsystem, based on MulVAL instrument attack graph generate subsystem, based on the risk assessment subsystem of Bayes's attack graph, network security risk management subsystem;

Described risk identification subsystem, in order to complete to identify the vulnerability information of all-network facility information, discovery network topology structure, the connectedness analyzed between main frame, identification All hosts;

Described data storage and management subsystem, in order to complete the storage and management of the data such as connectedness between network equipment information, network topology structure, main frame, leak;

The described attack graph based on MulVAL instrument generates subsystem, and all information in order to complete being acquired by risk identification subsystem are input in MulVAL instrument, final visual network original aggressor figure;

Described network original aggressor figure includes several nodes and some directed edges;

Several nodes described include I attribute status node S and N number of atomic strike node A, and wherein, I takes positive integer, S_i∈ S, i=1,2,3 ..., I, S₁For the external attribute state node of original aggressor figure, during i >=2, attribute status node S_iOr for there is the node of leak or for attacking income node, and during i >=2, attribute status node S_iFather node set Pa [S_i] and ancestor node setIt is not all empty; N takes positive integer, A_n∈ A, n=1,2,3 ..., N;

Described some directed edge E include some vulnerability exploit limits and some success attack limits;

E_v∈(S_pre,S_post) for any one vulnerability exploit limit, S_pre、S_postRespectively limit E_v∈(S_pre,S_post) front and back node, S_pre、S_post∈ S, S_postLeak v is there is for any one_postNode, S_postFather node set Pa [S_post] it is not empty, S_pre∈Pa[S_post];

E_a∈(A_start,S_end) for any one success attack limit, A_start、S_endRespectively limit E_a∈(A_start,S_end) front and back node, A_start∈ A, S_end∈S,S_endIncome node, S is attacked for any one_endFather node set Pa [S_end] it is not empty, A_start∈Pa[S_end];

The described risk assessment subsystem based on Bayes's attack graph includes: vulnerability exploit probability of success computing module, success attack parameter probability valuing module, LCPD computing module, risk evaluation module, wherein:

Described vulnerability exploit probability of success computing module, calculates the vulnerability exploit probability of success on all vulnerability exploit limits, wherein vulnerability exploit limit E_v∈(S_pre,S_post) vulnerability exploit probability of success P (v_post) it is:

P(v_post)=AV × w₁+AC×w₂+Au×w₃+RL×w₄+P_exploit×w₅(4)

In formula 4: AV is leak v_postCVSS (general leak marking system) in base set of properties access vector,

AC is leak v_postCVSS in the access complexity of base set of properties,

Au is leak v_postCVSS in the certification of base set of properties,

RL is leak v_postCVSS in the patch restorability class of temporal set of properties,

The value of AV, AC, Au, RL is according to the index of correlation definition in CVSS;

P_exploitFor leak v_postThe probit of code utilizability,T is current date to leak v_postTotal natural law of publication date, t takes positive integer;

w₁=0.073, w₂=0.118, w₃=0.191, w₄=0.2361, w₅=0.3819;

Described success attack parameter probability valuing module, calculates the success attack probability on all success attack limits, wherein any success attack limit E_a∈(A_start,S_end) success attack probability P (A_start) it is: node A_startWhen there is vulnerability information issue, attack tool and attack method, P (A_start) it is 0.8; Node A_startWhen there is vulnerability information issue and attack method without attack tool, P (A_start) it is 0.6; Node A_startWhen there is vulnerability information issue without attack method and attack tool, P (A_start) it is 0.2;

(1) there is the node S of leak_postLCPD function P (S_post|Pa[S_post]) it is:

(2) income node S is attacked_endLCPD function P (S_end|Pa[S_end]) it is:

Described risk evaluation module, in order to calculate the prior probability of all properties state node in attack graph:

(1)S₁Prior probability P (S₁)=0.7;

(2) the attribute status node S of i >=2_i, the prior probability P (S of i >=2_i) for attribute status node S_iThe joint probability of ancestor nodes all with it, prior probability P (S_i) it is:

$P\left(S_i\right)=P\left(S_i\right|Pa\&lsqb;S_i\&rsqb;)\&times;\underset{j=1}{\overset{J}{\mathrm{\&Pi;}}}P\left(S_j\right|Pa\&lsqb;S_j\&rsqb;)---\left(5\right)$

In formula 5, P (S_i|Pa[S_i]) for attribute status node S_iLCPD function, S_jFor S_iAncestor node, Pa [S_j] for node S_jFather's node set, P (S_j|Pa[S_j]) it is node S_jLCPD function.

Described network security risk management subsystem includes Safeguard tactics management module, costs and benefits analysis module and optimum prevention policies and chooses module;

Described Safeguard tactics management module, defines prevention policies T according to monitored network environment, arbitrarily attacks income node S under prevention policies T_endThe effective safeguard procedures of belonging network equipment are M_k, safeguard procedures M_kRepresent and disconnect network connection, disabling service, patch installing or safety product is installed; Prevention policies T is safeguard procedures set M={M_k| k=1 ..., the boolean vector of m} represents, is: T=(T₁,T₂,...,T_k,...,T_m),

Described costs and benefits analysis module, calculates the initial of Bayes's attack graph and attacks income SG₀, Bayes's attack graph implements the attack income SG (T) after prevention policies T, Bayes's attack graph implements protection cost SC (T) after prevention policies T:

${\mathrm{SG}}_0=\underset{S_{end}\&Element;S}{\mathrm{\&Sigma;}}P\left(S_{end}\right)\&times;G\left(S_{end}\right)---\left(6\right)$

In formula 6: P (S_end) for attacking income node S_endPrior probability;

G(S_end) for attacking income node S_endAttack income,G₁For confidentiality loss, G₂For integrity loss, G₃For loss of availability, G₄For privilege-escalation, wherein, confidentiality loses G₁, integrity loss G₂, loss of availability G₃Value according to the index of correlation definition in CVSS; Node A_startWhen corresponding leak describes a kind of description field comprised in information in executearbitrarycode, executearbitraryfiles, overwritearbitraryfiles, gainprivileges, obtainprivileges, rootprivileges, administrativeprivileges and elevationofprivilegevulnerability, G₄=1, otherwise, G₄=0; P₁For the preference heterogeneity of confidentiality loss, P₁=100, P₂For the preference heterogeneity of integrity loss, P₂=75, P₃For the preference heterogeneity of loss of availability, P₃=50, P₄For the preference heterogeneity of privilege-escalation, P₄=25;

Safeguard procedures M_kWhen enabling,P_M(S_end|M_k) represent attribute status node S_endImplement safeguard procedures M_kAfter probability; R_kFor arbitrarily attacking income node S_endImplement safeguard procedures M_kThe impact probability preference heterogeneity of affiliated action type, R₁The preference heterogeneity of posterior probability impact, R is implemented for disabling service class safeguard procedures₂The preference heterogeneity of posterior probability impact, R is implemented for disconnecting network connection class safeguard procedures₃The preference heterogeneity of posterior probability impact, R is implemented for installing safety product class safeguard procedures₄The preference heterogeneity of posterior probability impact, 0 < R is implemented for patch installing class safeguard procedures_k≤ 100, R_kAccording to safeguard procedures M_kValue R₁、R₂、R₃Or R₄; As safeguard procedures M_kDuring not enabled, P_M(S_end|M_k)=P (S_end);

C_kRepresent and arbitrarily attack income node S_endImplement safeguard procedures M_kProtection cost,0 < imp (asset)≤1, imp (asset) is according to arbitrarily attacking income node S_endThe economic worth value of belonging network equipment, economic worth its value more big is more big; Q_kFor arbitrarily attacking income node S_endImplement safeguard procedures M_kProtection cost preference heterogeneity, Q₁The protection cost preference heterogeneity of class safeguard procedures, Q is connected for disconnecting network₂For the protection cost preference heterogeneity of patch installing class safeguard procedures, Q₃For the protection cost preference heterogeneity of disabling service class safeguard procedures, Q₄For installing the protection cost preference heterogeneity of safety product class safeguard procedures, 0 < Q_q≤ 100, Q₁>Q₂>Q₃>Q₄, Q_kAccording to safeguard procedures M_kValue Q₁、Q₂、Q₃Or Q₄;

Described optimum prevention policies chooses module, based on protection cost and attack income analysis, utilizes PSO Algorithm optimum prevention policies:

The fitness function of described particle cluster algorithm is α SG (T)+(1-α) SC (T), meet fitness function α SG (T)+(1-α) SC (T) value minimum, SC (T)≤B, B is network security management cost budgeting;

α is the preference weight attacking income, 0≤α≤1.

Further, the attack income node S of present system_endDuring belonging network device storage Enterprises'Business Secrets Information, 0.7≤imp (asset)≤1; Attack income node S_endWhen belonging network equipment provides business event service, 0.4≤imp (asset) < 0.7; Attack income node S_endDuring belonging network device storage individual privacy information, 0 < imp (asset) < 0.4.

Further, present system institute applicable network equipment includes web page server, mail server, name server, database server, Ftp server, gateway server, registrar server and PC;

Described attack income node S_endWhen belonging network equipment is database server, Ftp server, registrar server, gateway server, web page server, mail server, name server or PC, the corresponding value of imp (asset) is 1.0,0.9,0.8,0.7,0.6,0.5,0.4,0.3;

R₁=100, R₂=50, R₃=30, R₄=20;

Q₁=100, Q₂=80, Q₃=60, Q₄=40.

Compared with prior art, there is advantages that

The network hole of the present invention utilizes the probability of success to derive from leak utilizability probability size, network hole utilizes probability of success computational methods to consider what leak utilizability probability size dynamically changed over time, set up static and dynamic leak utilizability evaluation index, can the utilizability of accurate quantification leak, and improve the multiformity of leak utilizability assessment result.

Bayes's attack graph construction method of the present invention considers the uncertain factor of attack: the vulnerability exploit probability of success and success attack probability, can assess the risk of current network more accurately;

The network security risk management method of the present invention builds protection cost in detail and attacks economics index and the quantification of targets method of income, the optimized algorithm adopting population can solve optimum prevention policies effectively, the final safety ensureing target of attack node, effectively reduces the security risk of overall network when limiting cost budgeting.

The risk identification subsystem of the network security risk management system of the present invention merges multi-source secure data, establishes complete risk assessment element system; Attack graph based on MulVAL instrument generates subsystem employing MulVAL instrument generation original aggressor figure, and the time complexity of this instrument is O (n²), wherein n is host number in network, has higher efficiency and good extensibility, and is prone to Project Realization. Network security risk management system solves the difficult problem that network attack source is reviewed, it is achieved that the Security mechanism of Initiative Defense.

Accompanying drawing explanation

Fig. 1 is the present invention general frame figure based on the network security risk management system of Bayes's attack graph.

Fig. 2 is the evaluation index hierarchical chart of a kind of dynamic leak availability analysis method based on fuzzy theory.

Fig. 3 is the probability calculation of attack graph.

Fig. 4 is network topological diagram.

Fig. 5 is the attack graph of network shown in Fig. 4.

Fig. 6 is the attack income of each attack income node in attack graph shown in Fig. 5.

Detailed description of the invention

Below in conjunction with accompanying drawing, technical scheme is described in further detail, but is not limited to this.

The present invention utilizes the dynamic leak availability analysis method qualitative assessment leak utilizability probability size of a kind of analytic hierarchy process (AHP), and its method step is as follows:

Step 1: choose leak utilizability evaluation index.

Step 1.1: from American National information security vulnerability database (NationalVulnerabilityDatabase, NVD) CVSS (general leak marking system) extracts in base set of properties and accesses vector AV, access complexity AC, tri-Static State Indexes of certification Au, and extracting mono-dynamic indicator of patch restorability class RL from temporal set of properties, table 1 gives these four indexs associated ratings in CVSS and corresponding scoring;

Table 1

Step 1.2: extract leak publication date from the time attribute of vulnerability scan of increasing income (OpenSourceVulnerabilityDatabase, OSVDB). After leak is open, As time goes on, code utilizability can dynamically change therewith. Utilize formula (7) to calculate the probability size of code utilizability, and then build another dynamic indicator of code utilizability:

$P_{\exp loit}=1-{\left(\frac{b^{\&prime;}}{t}\right)}^{\mathrm{\&alpha;}};\mathrm{\&alpha;}=0.260,b^{\&prime;}=0.00161---\left(7\right)$

Wherein, P_exploitFor leak v_postThe probit of code utilizability, t is current date to leak v_postTotal natural law of publication date, t takes positive integer;

Step 1.3: set up evaluation index hierarchy Model, as shown in Figure 2.

Step 2: 5 indexs step 1 obtained utilize analytic hierarchy process (AHP) to resolve into the layers such as target, criterion, scheme, as shown in table 2:

Table 2

Step 3: use the analytic hierarchy process (AHP) of the document " the leak hazard rating based on fuzzy theory is assessed " being published in " computer utility research " periodical, 5 indexs of the numerical procedure layer weight vectors to destination layer leak utilizability relative importance, is expressed as: W=(w₁,w₂,w₃,w₄,w₅), wherein, w₁+w₂+w₃+w₄+w₅=1. Final calculation result is respectively as follows: w₁=0.073, w₂=0.118, w₃=0.191, w₄=0.2361, w₅=0.3819. Therefore, leak utilizability probability acquiring size mode is as follows:

Sore=AV × w₁+AC×w₂+Au×w₃+RL×w₄+P_exploit×w₅

Adopt described leak utilizability probability size as the source of the vulnerability exploit probability of success, be expressed as:

P(v_post)=Sore (8)

Wherein, P (v_post) represent the vulnerability exploit probability of success.

In order to explain the calculating process of proposed a kind of vulnerability exploit probability of success computational methods, one concrete leak CVE-2015-0838 is calculated, it is incorrect that this leak describes the restriction of operation in core buffer border, and long-range attack person can utilize this leak to perform arbitrary code by special package file. The details of this leak can be obtained, as shown in table 3 from NVD data base.

Table 3

CVE numbers	CVE-2015-0838
		Access vector	Remote network access
Access complexity	Low
		Certification	Do not need certification
Issuing time	2015-03-31
		Patch restorability class	Official's patch

The time of disclosure of leak is on March 31st, 2015, it is assumed that current date is on May 31st, 2015, and therefore, current date is 60 days to total natural law of leak publication date, calculates code utilizability according to formula (7) and is:

$P_{\exp loit}=1-{\left(\frac{0.00161}{60}\right)}^{0.26}=0.9352$

Therefore, calculating the vulnerability exploit probability of success according to formula (8) is:

P(v_post)=1 × 0.073+0.71 × 0.118+0.704 × 0.191+0.87 × 0.2361+0.9352 × 0.3819

=0.8538

With reference to Fig. 1, the network security risk management system and method for the present invention is as follows:

Step 1: risk identification.

Step 1.1: adopt OVAL scanning device to obtain the leak report of All hosts in network based on OVAL vulnerability scanning assessment report collection module 111, and the leak data collected are stored to data storage and management subsystem 12 and manage concentratedly;

Step 1.2: Connectivity analysis of network module 112 obtains the rule of communication of each main frame in network by firewall system, and stores connectivity data between the main frame collected to data storage and management subsystem 12;

Step 1.3: network equipments configuration management module 113 uses ManageEngine network topology management software to obtain network equipment information and topological structure, and is stored to data storage and management subsystem 12;

Step 2: the attack graph generation subsystem 13 based on MulVAL instrument converts the leak got report to Datalog data form, it can be used as the input.P input file of MulVAL instrument, after running MulVAL instrument, the attack graph information of output, it is mainly stored in node file VERTICES.CSV and limit file ARCS.CSV, final with AttackGraph.pdf file visual presentation attack graph, the time complexity of the attack graph generating algorithm of MulVAL instrument is O (n²), wherein n is host number in network, therefore has higher efficiency and good extensibility.

Step 3: obtain based on Bayesian attack graph

Calculate the vulnerability exploit probability of success P (v of this attack graph_post), success attack probability P (A_start), LCPD table, prior probability P (S_i)。

Step 3.1: vulnerability exploit probability of success computing module 141 adopts described leak utilizability probability size as the source of the vulnerability exploit probability of success, is expressed as:

P(v_post)=Sore (9)

Wherein, P (v_post) representing the vulnerability exploit probability of success, Sore represents leak utilizability probability size.

Step 3.2: success attack parameter probability valuing module 142 according to attack type to attack probability of success P (A_start) configured, any success attack limit E_a∈(A_start,S_end) success attack probability P (A_start) it is: node A_startWhen there is vulnerability information issue, attack tool and attack method, P (A_start) it is 0.8; Node A_startWhen there is vulnerability information issue and attack method without attack tool, P (A_start) it is 0.6; Node A_startWhen there is vulnerability information issue without attack method and attack tool, P (A_start) it is 0.2;

Step 3.3:LCPD computing module 143 calculates the local condition probability distribution table LCPD of all properties state node, and it is as follows that it obtains mode:

(1) there is the node S of leak_postLCPD function P (S_post|Pa[S_post]) it is:

(2) income node S is attacked_endLCPD function P (S_end|Pa[S_end]) it is:

In order to show the calculating process of LCPD, do derivation explanation in figure 3. Node S₁It is external attribute state node, node S₂、S₃And S₄It it is attribute status node. S₄It is S₃、S₂And S₁Descendant node. The vulnerability exploit probability of success calculates according to formula (9), A₁And A₂Success attack probability be respectively configured as 0.2 and 0.8 according to attack type, external attribute state node S₁Prior probability P (S₁)=0.7, S₂、S₃And S₄LCPD respectively according to step 3.3 calculate obtain.

Step 3.4: risk evaluation module 144 calculates the prior probability of all properties state node:

(1)S₁Prior probability P (S₁)=0.7;

(2) the attribute status node S of i >=2_i, the prior probability P (S of i >=2_i) for attribute status node S_iThe joint probability of ancestor nodes all with it, prior probability P (S_i) it is:

$P\left(S_i\right)=P\left(S_i\right|Ancestor\&lsqb;S_i\&rsqb;)\&times;P\left(S_i\right|Pa\&lsqb;S_i\&rsqb;)\&times;\underset{j=1}{\overset{J}{\mathrm{\&Pi;}}}P\left(S_j\right|Pa\&lsqb;S_j\&rsqb;)---\left(10\right)$

Wherein, P (S_i,Ancestor[S_i]) represent S_iAncestor node Ancestor [Ss all with it_i] joint probability, P (S_i|Pa[S_i]) for attribute status node S_iLCPD function, S_jFor S_iAncestor node, Pa [S_j] for node S_jFather's node set, P (S_j|Pa[S_j]) it is node S_jLCPD function.

In figure 3, according to formula (10), node S₂、S₃And S₄The calculating process of prior probability be not:

P(S₂)=P (S₂,S₁)=P (S₂=1 | S₁=1) × P (S₁)=0.86 × 0.7=0.602

P(S₃)=P (S₃,S₁)=P (S₃=1 | S₁=1) × P (S₁)=0.39 × 0.7=0.273

$\begin{array}{c}P\left(S_4\right)=P(S_4,S_3,S_2,S_1)\\ =\underset{\&Exists;S_2,S_3=1}{\mathrm{\&Sigma;}}P\left(S_4\right|S_3,S_2)\&CenterDot;P\left(S_3\right|S_1)\&CenterDot;P\left(S_2\right|S_1)\&CenterDot;P\left(S_1\right)\\ =P\left(S_4\right|S_3=1,S_2=1)\&CenterDot;P(S_3=1|S_1=1)\&CenterDot;P(S_2=1|S_1=1)\&CenterDot;P\left(S_1\right)\\ +P\left(S_4\right|S_3=1,S_2=0)\&CenterDot;P(S_3=1|S_1=1)\&CenterDot;P(S_2=0|S_1=1)\&CenterDot;P\left(S_1\right)\\ +P\left(S_4\right|S_3=0,S_2=1)\&CenterDot;P(S_3=0|S_1=1)\&CenterDot;P(S_2=1|S_1=1)\&CenterDot;P\left(S_1\right)\\ =0.84\&times;0.86\&times;0.39\&times;0.7+0.8\&times;0.14\&times;0.39\&times;0.7+0.2\&times;0.86\&times;0.61\&times;0.7\\ =0.301\end{array}$

Step 4: network security risk management subsystem 15

Build protection cost and attack index and the quantification of targets method of income, utilizing particle cluster algorithm to obtain optimum prevention policies, Bayes's attack graph is implemented optimum prevention policies, the final security risk reducing overall network.

Step 4.1: arbitrarily attack income node S under Safeguard tactics management module (151) definition prevention policies T_endThe safeguard procedures implemented are M_k, safeguard procedures M_kRepresent and attack income node S_endBelonging network equipment only performs to disconnect network and connects, disable service, patch installing or install a kind of mode in safety product 4 generic operation; Prevention policies T is safeguard procedures set M={M_k| k=1 ..., the boolean vector of m} represents, is: T=(T₁,T₂,...,T_k,...,T_m),

Step 4.2: costs and benefits analysis module 152 is set up protection cost and attacks safety index and the quantification of targets method of income.

(1) calculate the initial of Bayes's attack graph and attack income SG₀:

${\mathrm{SG}}_0=\underset{S_{end}\&Element;S}{\mathrm{\&Sigma;}}P\left(S_{end}\right)\&times;G\left(S_{end}\right)$

Wherein: P (S_end) for attacking income node S_endPrior probability;

G(S_end) for attacking income node S_endAttack income, its acquisition mode is:

$G\left(S_{end}\right)=\underset{g=1}{\overset{4}{\mathrm{\&Sigma;}}}\frac{P_g}{{\mathrm{\&Sigma;}}_{g=1}^4{P}_g}\&times;G_g\&times;100---\left(11\right)$

G₁For confidentiality loss, G₂For integrity loss, G₃For loss of availability, G₄For privilege-escalation, wherein, confidentiality loses G₁, integrity loss G₂, loss of availability G₃Value according to the index of correlation definition in CVSS; Node A_startWhen corresponding leak describes a kind of description field comprised in information in executearbitrarycode, executearbitraryfiles, overwritearbitraryfiles, gainprivileges, obtainprivileges, rootprivileges, administrativeprivileges and elevationofprivilegevulnerability, G₄=1, otherwise, G₄=0; P₁For the preference heterogeneity of confidentiality loss, P₁=100, P₂For the preference heterogeneity of integrity loss, P₂=75, P₃For the preference heterogeneity of loss of availability, P₃=50, P₄For the preference heterogeneity of privilege-escalation, P₄=25; Table 4 gives this 4 index associated ratings and corresponding scoring.

Table 4

Such as, the leak that assailant utilizes certain software intrinsic arrives the confidentiality loss value of a certain attack income node after successfully there is atomic strike be 0.66 point, and privilege-escalation value is 1 point, calculates corresponding income of attacking according to formula (11) and is

(2) calculating the attack income SG (T) after Bayes's attack graph implements prevention policies T, it is as follows that it obtains mode:

$SG\left(T\right)=\underset{S_{end}\&Element;S}{\mathrm{\&Sigma;}}{P}_M\left(S_{end}\right|M_k)\&times;G\left(S_{end}\right)$

Wherein, P_M(S_end|M_k) represent attribute status node S_endImplement safeguard procedures M_kAfter probability, its obtain mode as follows:

$P_M\left(S_{end}\right|M_k)=P\left(S_{end}\right)\&times;\frac{R_k}{{\mathrm{\&Sigma;}}_{r=1}^4{R}_r}---\left(12\right)$

R_kFor arbitrarily attacking income node S_endImplement safeguard procedures M_kThe impact probability preference heterogeneity of affiliated action type, R₁The preference heterogeneity of posterior probability impact, R is implemented for disabling service class safeguard procedures₁=100, R₂The preference heterogeneity of posterior probability impact, R is implemented for disconnecting network connection class safeguard procedures₂=50, R₃The preference heterogeneity of posterior probability impact, R is implemented for installing safety product class safeguard procedures₃=30, R₄The preference heterogeneity of posterior probability impact, R is implemented for patch installing class safeguard procedures₄=20; As safeguard procedures M_kDuring not enabled, P_M(S_end|M_k)=P (S_end);

(3) calculating protection cost SC (T) after Bayes's attack graph implements prevention policies T, it is as follows that it obtains mode:

$SC\left(T\right)=\underset{k=1}{\overset{m}{\mathrm{\&Sigma;}}}{T}_k{C}_k$

Wherein, C_kRepresent and arbitrarily attack income node S_endImplement safeguard procedures M_kProtection cost, its obtain mode as follows:

$C_k=\frac{Q_k}{{\mathrm{\&Sigma;}}_{q=1}^4{Q}_q}\&times;imp\left(asset\right)\&times;100---\left(13\right)$

Wherein, 0 < imp (asset)≤1, imp (asset) is according to arbitrarily attacking income node S_endThe economic worth value of belonging network equipment, economic worth its value more big is more big; When attacking income node S_endDuring belonging network device storage trade secret information, 0.7≤imp (asset)≤1; When attacking income node S_endWhen belonging network equipment provides business event service, 0.4≤imp (asset) < 0.7; When attacking income node S_endDuring belonging network device storage individual privacy information, 0 < imp (asset) < 0.4.

As shown in Figure 4, the network equipment includes web page server, mail server, name server, database server, Ftp server, gateway server, registrar server and PC; Attack income node S_endWhen belonging network equipment is database server, Ftp server, registrar server, gateway server, web page server, mail server, name server or PC, the corresponding value of imp (asset) is 1.0,0.9,0.8,0.7,0.6,0.5,0.4,0.3;

Q_kFor arbitrarily attacking income node S_endImplement safeguard procedures M_kProtection cost preference heterogeneity, Q₁The protection cost preference heterogeneity of class safeguard procedures, Q is connected for disconnecting network₂For the protection cost preference heterogeneity of patch installing class safeguard procedures, Q₃For the protection cost preference heterogeneity of disabling service class safeguard procedures, Q₄For installing the protection cost preference heterogeneity of safety product class safeguard procedures, 0 < Q_q≤ 100, Q₁>Q₂>Q₃>Q₄, Q_kAccording to safeguard procedures M_kValue Q₁、Q₂、Q₃Or Q₄, configure Q₁=100, Q₂=80, Q₃=60, Q₄=40.

Such as, safeguard procedures M_kInternet for disconnecting Ftp server connects, and calculates protection cost C according to formula (13)_kFor

Step 4.3: optimum prevention policies chooses module (153), when Bayes's attack graph that step 3 obtains and network security management cost budgeting B, solves an optimum prevention policies so that:

1) value of function alpha SG (T)+(1-α) SC (T) is minimum;

2)SC(T)≤B.

Wherein, T=(T₁,T₂,...,T_k,...,T_m) it being expressed as one group of decision variable, α is the preference weight attacking income, 0≤α≤1. The attack concrete value of income preference weight of the present invention is determined according to the significance level attacking income, if it is more important to business administration, then α value is more big.

Realize process based on the optimum Safeguard tactics Algorithms of Selecting of population to comprise the following steps:

1) fitness function fitness (X)=α SG (X)+(1-α) SC (X) in definition particle cluster algorithm;

2) in the population that scale is n and D dimension space, random initializtion i-th particle initial position X_i=(X_i1,X_i2,...,X_id,...,X_iD) and speed V_i=(V_i1,V_i2,...,V_id,...,V_iD), the optimum prevention policies T=of initialization (0,0 ..., 0)_1×D, initialize maximum iteration time K. Meet: the position value of d dimension is 0 or 1, the random number that speed value is conformance with standard normal distribution of d dimension, SC (X_i)≤B. Wherein, 1≤i≤n, 1≤d≤D.

Then generator matrixWith

3) when kth time iteration, by each particle X_iBring fitness function intoSeek its value, wherein, 1≤k≤K;

4) according to formula:

$p_i^k=\left\{\begin{array}{cc}{X}_i^k,& \begin{array}{cc}if& fitness\left(X_i^k\right)\&le;fitness\left(p_i^{k-1}\right)\end{array};\\ p_i^{k-1},& \begin{array}{cc}if& fitness\left(X_i^k\right)>fitness\left(p_i^{k-1}\right)\end{array}.\end{array}\right.$

Calculate the local optimum position of i-th particleFor all particles, according to formula:

$p_g^k=min(p_1^k,p_2^k,...,p_n^k)$

Calculate global optimum position

5) according to formula:

$V_{id}^k={\mathrm{wV}}_{id}^{k-1}+c_1{r}_1(p_{id}^k-X_{id}^{k-1})+c_2{r}_2(p_{gd}^k-X_{id}^{k-1})$

$X_{id}^k=X_{id}^{k-1}+V_{id}^k$

Update speed and the position of each particle during kth time iteration respectively;

6) if meeting maximum iteration time K so that optimum prevention policiesAnd export T and exit; Otherwise turn to step 3).

In order to explain the implementation result of the proposed optimum Safeguard tactics Algorithms of Selecting based on population, given network experiment topological environmental is as shown in Figure 4. Current network device includes web page server (Webserver, WS), mail server (Mailserver, MS), name server (DNSserver, DS), database server (Databaseserver, DBS), Ftp server (FTPserver, FS), gateway server (Gatewayserver, GS), registrar server (Administratorserver, and PC AS), the network service rule of each server is configured by firewall system, as shown in table 5. Attack income node S_endWhen belonging network equipment is database server, Ftp server, registrar server, gateway server, web page server, mail server, name server or PC, the corresponding value of imp (asset) is 1.0,0.9,0.8,0.7,0.6,0.5,0.4,0.3.

Table 5

The vulnerability scanners using OVAL obtains all vulnerability informations existed in network system, as shown in table 6. Utilize the original aggressor figure that MulVAL instrument generates, as shown in Figure 5.

Table 6

Each attack income node S is calculated according to formula (11)_endAttack income G (S_end), as shown in Figure 6.

Safeguard procedures M is provided under given network environment_k, the protection cost C of each safeguard procedures is calculated respectively according to formula (13) and (12)_kWith the probability P after enforcement safeguard procedures_M(S_end|M_k), as shown in table 7.

Table 7

Mk	Describe	Ck	PM(Send|Mk)
				M1	The network disconnecting DBS connects	35.7	0.136
M2	The network disconnecting FS connects	32.13	0.25
				M3	The network disconnecting AS connects	28.56	0.032
M4	The network disconnecting GS connects	24.99	0.162
				M5	The network disconnecting WS connects	21.42	0.158
M6	The network disconnecting MS connects	17.85	0.121
				M7	The patch of leak CVE-2014-1466 is beaten to DBS	28.6	0.054
M8	The patch of leak CVE-2012-2526 is beaten to FS	25.74	0.1
				M9	The patch of leak CVE-2009-0692 is beaten to AS	22.88	0.012
M10	The patch of leak CVE-2007-4752 is beaten to GS	20.02	0.065
				M11	The patch of leak CVE-2015-1635 is beaten to WS	17.16	0.063
M12	The patch of leak CVE-2004-0840 is beaten to MS	14.3	0.049
				M13	The SQL service of disabling DBS	21.4	0.272
M14	The SSH/FTP service of disabling FS	19.26	0.5
				M15	The TCP/IP service of disabling AS	17.12	0.065
M16	The TCP/IP service of disabling GS	14.98	0.324
				M17	The HTTP service of disabling WS	12.84	0.316
M18	The SMTP service of disabling MS	10.7	0.243
				M19	To GS, fire wall is installed	10	0.121
M20	To GS, intruding detection system is installed	10	0.121

Given network security management cost budgeting B=100, arranges preference weight α=0.5 attacking income, population number n=100. Select available safeguard procedures number Number_M=20, namely decision variable T number is safeguard procedures number Number_M, therefore, population dimension D=Number_M=20. Inertia weight w=0.8, Studying factors c are set₁=c₂=2, random number r₁=r₂=0.5, maximum iteration time K=100. Use the optimum Safeguard tactics Algorithms of Selecting based on population of this patent, it is thus achieved that optimum prevention policies T=(0,0,0,0,0,0,0,1,0,0,0,1,1,0,1,0,1,0,0,1), corresponding enabled safeguard procedures set is { M₈,M₁₂,M₁₃,M₁₅,M₁₇,M₂₀, SC=99.4.

Claims (8)

1. a vulnerability exploit probability of success computational methods, it is characterised in that method includes:

Step 1, obtains original aggressor figure, and described original aggressor figure includes several nodes and some directed edges;

Several nodes described include I attribute status node S, and wherein, I takes positive integer, S_i∈ S, i=1,2,3 ..., I;

Described some directed edge E include some vulnerability exploit limits;

E_v∈(S_pre,S_post) for any one vulnerability exploit limit, S_pre、S_postRespectively limit E_v∈(S_pre,S_post) front and back node, S_pre、S_post∈ S, S_postLeak v is there is for any one_postNode;

Step 2, calculates the vulnerability exploit probability of success on all vulnerability exploit limits, wherein vulnerability exploit limit E_v∈(S_pre,S_post) vulnerability exploit probability of success P (v_post) it is:

P(v_post)=AV × w₁+AC×w₂+Au×w₃+RL×w₄+P_exploit×w₅(1)

In formula 1:

AV is leak v_postCVSS in base set of properties access vector,

AC is leak v_postCVSS in the access complexity of base set of properties,

Au is leak v_postCVSS in the certification of base set of properties,

RL is leak v_postCVSS in the patch restorability class of temporal set of properties,

The value of AV, AC, Au, RL is according to the index of correlation definition in CVSS;

P_exploitFor leak v_postThe probit of code utilizability,T is current date to leak v_postTotal natural law of publication date, t takes positive integer;

w₁=0.073, w₂=0.118, w₃=0.191, w₄=0.2361, w₅=0.3819.

2. Bayes's attack graph construction method, it is characterised in that method includes:

Step 1, obtains original aggressor figure, and described original aggressor figure includes several nodes and some directed edges;

Several nodes described include I attribute status node S and N number of atomic strike node A, wherein, and S_i∈ S, i=1,2,3 ..., I, I takes positive integer, S₁For the external attribute state node of original aggressor figure, during i >=2, attribute status node S_iOr for there is the node of leak or for attacking income node, and during i >=2, attribute status node S_iFather node set Pa [S_i] and ancestor node set Ancestor [S_i] it is not all empty,N takes positive integer, A_n∈ A, n=1,2,3 ..., N;

Described some directed edge E include some vulnerability exploit limits and some success attack limits;

E_v∈(S_pre,S_post) for any one vulnerability exploit limit, S_pre、S_postRespectively limit E_v∈(S_pre,S_post) front and back node, S_pre、S_post∈ S, S_postLeak v is there is for any one_postNode, S_postFather node set Pa [S_post] it is not empty, S_pre∈Pa[S_post];

E_a∈(A_start,S_end) for any one success attack limit, A_start、S_endRespectively limit E_a∈(A_start,S_end) front and back node, A_start∈ A, S_end∈S,S_endIncome node, S is attacked for any one_endFather node set Pa [S_end] it is not empty, A_start∈Pa[S_end];

Step 2, builds Bayes's attack graph of original aggressor figure, comprises the following steps:

Step 2.1, calculates the vulnerability exploit probability of success on all vulnerability exploit limits, wherein vulnerability exploit limit E_v∈(S_pre,S_post) vulnerability exploit probability of success P (v_post) it is:

P(v_post)=AV × w₁+AC×w₂+Au×w₃+RL×w₄+P_exploit×w₅(2)

In formula 2: AV is leak v_postCVSS in base set of properties access vector,

AC is leak v_postCVSS in the access complexity of base set of properties,

Au is leak v_postCVSS in the certification of base set of properties,

RL is leak v_postCVSS in the patch restorability class of temporal set of properties,

The value of AV, AC, Au, RL is according to the index of correlation definition in CVSS;

P_exploitFor leak v_postThe probit of code utilizability, $P_{\exp loit}=1-{\left(\frac{b^{\&prime;}}{t}\right)}^{\mathrm{\&alpha;}};\mathrm{\&alpha;}=0.260,b^{\&prime;}=0.00161,$ T is current date to leak v_postTotal natural law of publication date, t takes positive integer;

w₁=0.073, w₂=0.118, w₃=0.191, w₄=0.2361, w₅=0.3819;

Step 2.2, calculates the success attack probability on all success attack limits, wherein any success attack limit E_a∈(A_start,S_end) success attack probability P (A_start) it is: node A_startWhen there is vulnerability information issue, attack tool and attack method, P (A_start) it is 0.8; Node A_startWhen there is vulnerability information issue and attack method without attack tool, P (A_start) it is 0.6; Node A_startWhen there is vulnerability information issue without attack method and attack tool, P (A_start) it is 0.2;

Step 2.3, calculates the local condition probability distribution table LCPD of all properties state node:

(1) there is the node S of leak_postLCPD function P (S_post|Pa[S_post]) it is:

(2) income node S is attacked_endLCPD function P (S_end|Pa[S_end]) it is:

Step 2.4, calculates the prior probability of all properties state node:

(1)S₁Prior probability P (S₁)=0.7;

(2) the prior probability P (S of the attribute status node of i >=2_i) it is:

$P\left(S_i\right)=P\left(S_i\right|Pa\&lsqb;S_i\&rsqb;)\&times;\underset{j=1}{\overset{J}{\&Pi;}}P\left(S_j\right|Pa\&lsqb;S_j\&rsqb;)---\left(3\right)$

In formula 3, P (S_i|Pa[S_i]) for attribute status node S_iLCPD function, S_jFor S_iAncestor node, Pa [S_j] for node S_jFather's node set, P (S_j|Pa[S_j]) it is node S_jLCPD function.

3. a network security risk management method, it is characterised in that method includes:

Step 1, adopts method described in claim 2 to build Bayes's attack graph;

Step 2, provides prevention policies according to monitored network environment, based on protection cost and attack income analysis, utilizes PSO Algorithm optimum prevention policies, and Bayes's attack graph is finally implemented optimum prevention policies:

Income node S is arbitrarily attacked under prevention policies T_endThe safeguard procedures that belonging network equipment is implemented are M_k, safeguard procedures M_kRepresent and disconnect network connection, disabling service, patch installing or safety product is installed; Prevention policies T is safeguard procedures set M={M_k| k=1 ..., the boolean vector of m} represents, is: T=(T₁,T₂,...,T_k,...,T_m),

The fitness function of described particle cluster algorithm is α SG (T)+(1-α) SC (T), meet fitness function α SG (T)+(1-α) SC (T) value minimum, SC (T)≤B, B is network security management cost budgeting;

Bayes's attack graph initially attack incomeP(S_end) for attacking income node S_endPrior probability; G (S_end) for attacking income node S_endAttack income,G₁For confidentiality loss, G₂For integrity loss, G₃For loss of availability, G₄For privilege-escalation, wherein, confidentiality loses G₁, integrity loss G₂, loss of availability G₃Value according to the index of correlation definition in CVSS; Node A_startWhen corresponding leak describes a kind of description field comprised in information in executearbitrarycode, executearbitraryfiles, overwritearbitraryfiles, gainprivileges, obtainprivileges, rootprivileges, administrativeprivileges and elevationofprivilegevulnerability, G₄=1, otherwise, G₄=0; P₁For the preference heterogeneity of confidentiality loss, P₁=100, P₂For the preference heterogeneity of integrity loss, P₂=75, P₃For the preference heterogeneity of loss of availability, P₃=50, P₄For the preference heterogeneity of privilege-escalation, P₄=25;

SG (T) implements the attack income after prevention policies T for Bayes's attack graph,Safeguard procedures M_kWhen enabling,P_M(S_end|M_k) represent attribute status node S_endImplement safeguard procedures M_kAfter probability; R_kFor arbitrarily attacking income node S_endImplement safeguard procedures M_kThe impact probability preference heterogeneity of affiliated action type, R₁The preference heterogeneity of posterior probability impact, R is implemented for disabling service class safeguard procedures₂The preference heterogeneity of posterior probability impact, R is implemented for disconnecting network connection class safeguard procedures₃The preference heterogeneity of posterior probability impact, R is implemented for installing safety product class safeguard procedures₄The preference heterogeneity of posterior probability impact, 0 < R is implemented for patch installing class safeguard procedures_k≤ 100, R_kAccording to safeguard procedures M_kValue R₁、R₂、R₃Or R₄; As safeguard procedures M_kDuring not enabled, P_M(S_end|M_k)=P (S_end);

SC (T) implements the protection cost after prevention policies T for Bayes's attack graph,C_kRepresent and arbitrarily attack income node S_endImplement safeguard procedures M_kProtection cost,0 < imp (asset)≤1, imp (asset) is according to arbitrarily attacking income node S_endThe economic worth value of belonging network equipment, economic worth more big imp (asset) value is more big; Q_kFor arbitrarily attacking income node S_endImplement safeguard procedures M_kProtection cost preference heterogeneity, Q₁The protection cost preference heterogeneity of class safeguard procedures, Q is connected for disconnecting network₂For the protection cost preference heterogeneity of patch installing class safeguard procedures, Q₃For the protection cost preference heterogeneity of disabling service class safeguard procedures, Q₄For installing the protection cost preference heterogeneity of safety product class safeguard procedures, 0 < Q_q≤ 100, Q₁>Q₂>Q₃>Q₄, Q_kAccording to safeguard procedures M_kValue Q₁、Q₂、Q₃Or Q₄;

α is the preference weight attacking income, 0≤α≤1.

4. network security risk management method as claimed in claim 3, it is characterised in that attack income node S_endDuring belonging network device storage Enterprises'Business Secrets Information, 0.7≤imp (asset)≤1; Attack income node S_endWhen belonging network equipment provides business event service, 0.4≤imp (asset) < 0.7; Attack income node S_endDuring belonging network device storage individual privacy information, 0 < imp (asset) < 0.4.

5. network security risk management method as claimed in claim 3, it is characterised in that

The described network equipment includes web page server, mail server, name server, database server, Ftp server, gateway server, registrar server and PC;

Described attack income node S_endWhen belonging network equipment is database server, Ftp server, registrar server, gateway server, web page server, mail server, name server or PC, the corresponding value of imp (asset) is 1.0,0.9,0.8,0.7,0.6,0.5,0.4,0.3;

R₁=100, R₂=50, R₃=30, R₄=20;

Q₁=100, Q₂=80, Q₃=60, Q₄=40.

6. a network security risk management system, it is characterized in that, system includes: risk identification subsystem, data storage and management subsystem, based on MulVAL instrument attack graph generate subsystem, based on the risk assessment subsystem of Bayes's attack graph, network security risk management subsystem;

Described risk identification subsystem, in order to complete to identify the vulnerability information of all-network facility information, discovery network topology structure, the connectedness analyzed between main frame, identification All hosts;

Described data storage and management subsystem, in order to complete the storage and management of the data such as connectedness between network equipment information, network topology structure, main frame, leak;

The described attack graph based on MulVAL instrument generates subsystem, and all information in order to complete being acquired by risk identification subsystem are input in MulVAL instrument, final visual network original aggressor figure;

Described network original aggressor figure includes several nodes and some directed edges;

Several nodes described include I attribute status node S and N number of atomic strike node A, and wherein, I takes positive integer, S_i∈ S, i=1,2,3 ..., I, S₁For the external attribute state node of original aggressor figure, during i >=2, attribute status node S_iOr for there is the node of leak or for attacking income node, and during i >=2, attribute status node S_iFather node set Pa [S_i] and ancestor node set Ancestor [S_i] it is not all empty,N takes positive integer, A_n∈ A, n=1,2,3 ..., N;

Described some directed edge E include some vulnerability exploit limits and some success attack limits;

E_v∈(S_pre,S_post) for any one vulnerability exploit limit, S_pre、S_postRespectively limit E_v∈(S_pre,S_post) front and back node, S_pre、S_post∈ S, S_postLeak v is there is for any one_postNode, S_postFather node set Pa [S_post] it is not empty, S_pre∈Pa[S_post];

E_a∈(A_start,S_end) for any one success attack limit, A_start、S_endRespectively limit E_a∈(A_start,S_end) front and back node, A_start∈ A, S_end∈S,S_endIncome node, S is attacked for any one_endFather node set Pa [S_end] it is not empty, A_start∈Pa[S_end];

The described risk assessment subsystem based on Bayes's attack graph includes: vulnerability exploit probability of success computing module, success attack parameter probability valuing module, LCPD computing module, risk evaluation module, wherein:

Described vulnerability exploit probability of success computing module, calculates the vulnerability exploit probability of success on all vulnerability exploit limits, wherein vulnerability exploit limit E_v∈(S_pre,S_post) vulnerability exploit probability of success P (v_post) it is:

P(v_post)=AV × w₁+AC×w₂+Au×w₃+RL×w₄+P_exploit×w₅(4)

In formula 4: AV is leak v_postCVSS in base set of properties access vector,

AC is leak v_postCVSS in the access complexity of base set of properties,

Au is leak v_postCVSS in the certification of base set of properties,

RL is leak v_postCVSS in the patch restorability class of temporal set of properties,

The value of AV, AC, Au, RL is according to the index of correlation definition in CVSS;

P_exploitFor leak v_postThe probit of code utilizability,T is current date to leak v_postTotal natural law of publication date, t takes positive integer;

w₁=0.073, w₂=0.118, w₃=0.191, w₄=0.2361, w₅=0.3819;

Described success attack parameter probability valuing module, calculates the success attack probability on all success attack limits, wherein any success attack limit E_a∈(A_start,S_end) success attack probability P (A_start) it is: node A_startWhen there is vulnerability information issue, attack tool and attack method, P (A_start) it is 0.8; Node A_startWhen there is vulnerability information issue and attack method without attack tool, P (A_start) it is 0.6; Node A_startWhen there is vulnerability information issue without attack method and attack tool, P (A_start) it is 0.2;

Described LCPD computing module, calculates the local condition probability distribution table LCPD of all properties state node:

(1) there is the node S of leak_postLCPD function P (S_post|Pa[S_post]) it is:

(2) income node S is attacked_endLCPD function P (S_end|Pa[S_end]) it is:

Described risk evaluation module, in order to calculate the prior probability of all properties state node in attack graph:

(1)S₁Prior probability P (S₁)=0.7;

(2) the attribute status node S of i >=2_i, the prior probability P (S of i >=2_i) for attribute status node S_iThe joint probability of ancestor nodes all with it, prior probability P (S_i) it is:

$P\left(S_i\right)=P\left(S_i\right|Pa\&lsqb;S_i\&rsqb;)\&times;\underset{j=1}{\overset{J}{\&Pi;}}P\left(S_j\right|Pa\&lsqb;S_j\&rsqb;)---\left(5\right)$

In formula 5, P (S_i|Pa[S_i]) for attribute status node S_iLCPD function, S_jFor S_iAncestor node, Pa [S_j] for node S_jFather's node set, P (S_j|Pa[S_j]) it is node S_jLCPD function.

Described network security risk management subsystem includes Safeguard tactics management module, costs and benefits analysis module and optimum prevention policies and chooses module;

Described Safeguard tactics management module, defines prevention policies T according to monitored network environment, arbitrarily attacks income node S under prevention policies T_endThe safeguard procedures that belonging network equipment is implemented are M_k, safeguard procedures M_kRepresent and disconnect network connection, disabling service, patch installing or safety product is installed; Prevention policies T is safeguard procedures set M={M_k| k=1 ..., the boolean vector of m} represents, is: T=(T₁,T₂,...,T_k,...,T_m),

Described costs and benefits analysis module, calculates the initial of Bayes's attack graph and attacks income SG₀, Bayes's attack graph implements the attack income SG (T) after prevention policies T, Bayes's attack graph implements protection cost SC (T) after prevention policies T:

${\mathrm{SG}}_0=\underset{S_{end}\&Element;S}{\&Sigma;}P\left(S_{end}\right)\&times;G\left(S_{end}\right)---\left(6\right)$

In formula 6: P (S_end) for attacking income node S_endPrior probability;

G(S_end) for attacking income node S_endAttack income,G₁For confidentiality loss, G₂For integrity loss, G₃For loss of availability, G₄For privilege-escalation, wherein, confidentiality loses G₁, integrity loss G₂, loss of availability G₃Value according to the index of correlation definition in CVSS; Node A_startWhen corresponding leak describes a kind of description field comprised in information in executearbitrarycode, executearbitraryfiles, overwritearbitraryfiles, gainprivileges, obtainprivileges, rootprivileges, administrativeprivileges and elevationofprivilegevulnerability, G₄=1, otherwise, G₄=0; P₁For the preference heterogeneity of confidentiality loss, P₁=100, P₂For the preference heterogeneity of integrity loss, P₂=75, P₃For the preference heterogeneity of loss of availability, P₃=50, P₄For the preference heterogeneity of privilege-escalation, P₄=25;

Safeguard procedures M_kWhen enabling,P_M(S_end|M_k) represent attribute status node S_endImplement safeguard procedures M_kAfter probability; R_kFor arbitrarily attacking income node S_endImplement safeguard procedures M_kThe impact probability preference heterogeneity of affiliated action type, R₁The preference heterogeneity of posterior probability impact, R is implemented for disabling service class safeguard procedures₂The preference heterogeneity of posterior probability impact, R is implemented for disconnecting network connection class safeguard procedures₃The preference heterogeneity of posterior probability impact, R is implemented for installing safety product class safeguard procedures₄The preference heterogeneity of posterior probability impact, 0 < R is implemented for patch installing class safeguard procedures_k≤ 100, R_kAccording to safeguard procedures M_kValue R₁、R₂、R₃Or R₄; As safeguard procedures M_kDuring not enabled, P_M(S_end|M_k)=P (S_end);

C_kRepresent and arbitrarily attack income node S_endImplement safeguard procedures M_kProtection cost,0 < imp (asset)≤1, imp (asset) is according to arbitrarily attacking income node S_endThe economic worth value of belonging network equipment, economic worth its value more big is more big; Q_kFor arbitrarily attacking income node S_endImplement safeguard procedures M_kProtection cost preference heterogeneity, Q₁The protection cost preference heterogeneity of class safeguard procedures, Q is connected for disconnecting network₂For the protection cost preference heterogeneity of patch installing class safeguard procedures, Q₃For the protection cost preference heterogeneity of disabling service class safeguard procedures, Q₄For installing the protection cost preference heterogeneity of safety product class safeguard procedures, 0 < Q_q≤ 100, Q₁>Q₂>Q₃>Q₄, Q_kAccording to safeguard procedures M_kValue Q₁、Q₂、Q₃Or Q₄;

Described optimum prevention policies chooses module, based on protection cost and attack income analysis, utilizes PSO Algorithm optimum prevention policies:

The fitness function of described particle cluster algorithm is α SG (T)+(1-α) SC (T), meet fitness function α SG (T)+(1-α) SC (T) value minimum, SC (T)≤B, B is network security management cost budgeting;

α is the preference weight attacking income, 0≤α≤1.

7. network security risk management system as claimed in claim 6, it is characterised in that

Attack income node S_endDuring belonging network device storage Enterprises'Business Secrets Information, 0.7≤imp (asset)≤1; Attack income node S_endWhen belonging network equipment provides business event service, 0.4≤imp (asset) < 0.7; Attack income node S_endDuring belonging network device storage individual privacy information, 0 < imp (asset) < 0.4.

8. network security risk management system as claimed in claim 6, it is characterised in that

The described network equipment includes web page server, mail server, name server, database server, Ftp server, gateway server, registrar server and PC;

Described attack income node S_endWhen belonging network equipment is database server, Ftp server, registrar server, gateway server, web page server, mail server, name server or PC, the corresponding value of imp (asset) is 1.0,0.9,0.8,0.7,0.6,0.5,0.4,0.3;

R₁=100, R₂=50, R₃=30, R₄=20;

Q₁=100, Q₂=80, Q₃=60, Q₄=40.