CN105681338B - Vulnerability exploit probability of success computational methods and network security risk management method - Google Patents
- Publication number: CN105681338B (application CN201610125022.XA)
- Authority: CN (China)
- Prior art keywords: node, attack, post, probability, safeguard procedures
- Legal status: Expired - Fee Related (status as listed by Google Patents, not a legal conclusion)
Classifications
- H—ELECTRICITY
- H04—ELECTRIC COMMUNICATION TECHNIQUE
- H04L—TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
- H04L63/00—Network architectures or network communication protocols for network security
- H04L63/14—Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic
- H04L63/1433—Vulnerability analysis
- H—ELECTRICITY
- H04—ELECTRIC COMMUNICATION TECHNIQUE
- H04L—TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
- H04L63/00—Network architectures or network communication protocols for network security
- H04L63/14—Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic
- H04L63/1441—Countermeasures against malicious traffic
Abstract
The present invention relates to a method for computing the probability of successful vulnerability exploitation and to a network security risk management method. In the exploitation-probability method, the probability that a vulnerability is successfully exploited is derived from the exploitability probability of the vulnerability; the method accounts for the dynamic change of that exploitability over time and establishes both static and dynamic exploitability evaluation indices, so that exploitability can be quantified accurately and the assessment results become more diverse. The network security risk management method constructs economic indices and quantification methods for defense cost and attack gain, solves for the optimal defense strategy effectively with a particle swarm optimization algorithm, and finally guarantees the safety of the attack-target nodes, effectively reducing the security risk of the whole network under a limited cost budget.
Description
Technical field
The invention belongs to the field of computer network security technology and in particular relates to a method for computing the probability of successful vulnerability exploitation and a network security risk management method.
Background technology
Computer network systems face complex attacks essentially because vulnerabilities exist in the design, development, operation, maintenance and configuration of computer systems.

A network attack is a complex multi-step process: an external attacker analyzes the interrelations among the vulnerabilities of the internal network and then launches a multi-step attack, occupying more and more resources until the target is finally compromised. Multi-step attacks are multi-stage, purposeful and stealthy. Conventional defenses such as firewalls and intrusion detection systems only identify attack behaviour as far as they can; they are passive defenses that cannot respond in time to unknown, multi-stage, hidden attacks, which poses a new challenge to traditional defense methods.

Network security risk assessment based on attack graphs can analyze the interrelations among vulnerabilities and the potential threats that result from them. Such assessment depends on the exploitability of each individual vulnerability, so the quantitative evaluation of single-vulnerability exploitability is particularly important. Most current work relies solely on the CVSS score to obtain exploitability, but CVSS considers only the static features of the vulnerability itself as exploited by an attacker and ignores the passage of time, with which exploit-code availability and patch availability change dynamically. Many factors influence exploitability, and how to correctly assign their weights is the main problem in the quantitative evaluation of exploitability.

The current challenge and breakthrough in network security is research into new active-defense models, technologies and methods: judging the current security situation by means of risk assessment and implementing active defense mechanisms according to the result. In theory, security risk is truly removed only by identifying the vulnerabilities of all hosts in the network and patching them. In practice, however, patching a vulnerability usually incurs a cost of its own, and patching every identified vulnerability is infeasible. To assess and harden the security of the whole network, attack graphs model the steps of a multi-step attack and establish the causal relations between vulnerability exploits. In applications of attack graphs, the risk of the current network or information system is assessed and an optimal defense strategy is computed that moderately controls risk and attack loss. The security measures an administrator can take generally include modifying firewall configuration, updating software, closing system services and patching. In network security risk management each measure carries a certain defense cost, and weighing gain against cost is a complicated problem; how to choose the optimal defense strategy under a limited defense cost has therefore become a research hotspot. Current attack-graph-based active defense techniques seldom consider the uncertain factors present in network attacks when computing network security risk, and previous optimization algorithms, such as the greedy algorithm, do not solve for the optimal defense strategy effectively.
Invention content
In view of the drawbacks or insufficiencies of the prior art, one object of the present invention is to provide a method for computing the probability of successful vulnerability exploitation.

The vulnerability exploitation probability computation method provided by the present invention comprises:

Step 1: obtain an original attack graph consisting of a number of nodes and a number of directed edges.
The nodes include I attribute state nodes S, where I is a positive integer and S_i ∈ S, i = 1, 2, 3, ..., I.
The directed edges E include a number of vulnerability exploitation edges. E_v ∈ (S_pre, S_post) is any vulnerability exploitation edge; S_pre and S_post are respectively the head and tail nodes of the edge E_v, S_pre, S_post ∈ S, and S_post is any node at which a vulnerability v_post exists.

Step 2: compute the exploitation success probability of every vulnerability exploitation edge, where for the edge E_v ∈ (S_pre, S_post) the exploitation success probability P(v_post) is:

P(v_post) = AV × w1 + AC × w2 + Au × w3 + RL × w4 + P_exploit × w5    (1)

where AV is the access vector of vulnerability v_post in the CVSS (Common Vulnerability Scoring System) base metric group, AC is its access complexity in the base metric group, Au is its authentication metric in the base metric group, RL is its remediation level in the temporal metric group, and the values of AV, AC, Au and RL are taken according to the corresponding metric definitions in CVSS; P_exploit is the exploit-code availability probability of v_post; t is the total number of days from the publication date of v_post to the current date, t a positive integer; and w1 = 0.073, w2 = 0.118, w3 = 0.191, w4 = 0.2361, w5 = 0.3819.
A second object of the present invention is to provide a method for constructing a Bayesian attack graph.

The Bayesian attack graph construction method provided by the invention comprises:

Step 1: obtain the original attack graph of the network, consisting of a number of nodes and a number of directed edges.
The nodes include I attribute state nodes S and N atomic attack nodes A, where I is a positive integer, S_i ∈ S, i = 1, 2, 3, ..., I, S_1 is the external attribute state node of the original attack graph, and for i ≥ 2 the attribute state node S_i is either a node at which a vulnerability exists or an attack-gain node; for i ≥ 2 the parent node set Pa[S_i] and the ancestor node set of S_i are non-empty. N is a positive integer and A_n ∈ A, n = 1, 2, 3, ..., N.
The directed edges E include a number of vulnerability exploitation edges and a number of attack-success edges.
E_v ∈ (S_pre, S_post) is any vulnerability exploitation edge; S_pre and S_post are respectively the head and tail nodes of E_v, S_pre, S_post ∈ S, S_post is any node at which a vulnerability v_post exists, the parent node set Pa[S_post] of S_post is non-empty, and S_pre ∈ Pa[S_post].
E_a ∈ (A_start, S_end) is any attack-success edge; A_start and S_end are respectively the head and tail nodes of E_a, A_start ∈ A, S_end ∈ S, S_end is any attack-gain node, the parent node set Pa[S_end] of S_end is non-empty, and A_start ∈ Pa[S_end].

Step 2: build the Bayesian attack graph of the original attack graph, comprising the following steps:

Step 2.1: compute the exploitation success probability of every vulnerability exploitation edge, where for the edge E_v ∈ (S_pre, S_post) the exploitation success probability P(v_post) is:

P(v_post) = AV × w1 + AC × w2 + Au × w3 + RL × w4 + P_exploit × w5    (2)

In formula 2, AV is the access vector of vulnerability v_post in the CVSS (Common Vulnerability Scoring System) base metric group, AC is its access complexity in the base metric group, Au is its authentication metric in the base metric group, RL is its remediation level in the temporal metric group, and the values of AV, AC, Au and RL are taken according to the corresponding metric definitions in CVSS; P_exploit is the exploit-code availability probability of v_post; t is the total number of days from the publication date of v_post to the current date, t a positive integer; and w1 = 0.073, w2 = 0.118, w3 = 0.191, w4 = 0.2361, w5 = 0.3819.

Step 2.2: compute the attack success probability of every attack-success edge, where for any attack-success edge E_a ∈ (A_start, S_end) the attack success probability P(A_start) is: when node A_start has published vulnerability information, an attack tool and an attack method, P(A_start) is 0.8; when A_start has published vulnerability information and an attack method but no attack tool, P(A_start) is 0.6; when A_start has published vulnerability information but neither an attack method nor an attack tool, P(A_start) is 0.2.

Step 2.3: compute the local conditional probability distribution (LCPD) table of every attribute state node:
(1) for a node S_post at which a vulnerability exists, the LCPD function P(S_post | Pa[S_post]) is:
(2) for an attack-gain node S_end, the LCPD function P(S_end | Pa[S_end]) is:

Step 2.4: compute the prior probability of every attribute state node:
(1) the prior probability of S_1 is P(S_1) = 0.7;
(2) the prior probability P(S_i) of an attribute state node with i ≥ 2 is:
In formula 3, P(S_i | Pa[S_i]) is the LCPD function of attribute state node S_i, S_j is an ancestor node of S_i, Pa[S_j] is the parent node set of node S_j, and P(S_j | Pa[S_j]) is the LCPD function of node S_j.
A third object of the present invention is to provide a network security risk management method.

The network security risk management method provided by the present invention comprises:

Step 1: build a Bayesian attack graph by the method of claim 2;

Step 2: define defense strategies according to the monitored network environment, solve for the optimal defense strategy with a particle swarm optimization (PSO) algorithm on the basis of defense-cost and attack-gain analysis, and finally apply the optimal defense strategy to the Bayesian attack graph:

Under defense strategy T, the protective measure applied to the network device to which any attack-gain node S_end belongs is M_k; a protective measure M_k represents one of four operation types: disconnecting a network connection, disabling a service, patching, or installing a security product. The defense strategy T is expressed as a Boolean vector over the set of protective measures M = {M_k | k = 1, ..., m}, i.e. T = (T_1, T_2, ..., T_k, ..., T_m).

The fitness function of the PSO algorithm is αSG(T) + (1 − α)SC(T); the optimal strategy minimizes the value of αSG(T) + (1 − α)SC(T) subject to SC(T) ≤ B, where B is the network security management cost budget.

The initial attack gain SG_0 of the Bayesian attack graph is defined with P(S_end) the prior probability of attack-gain node S_end and G(S_end) the attack gain of S_end. G_1 is the confidentiality loss, G_2 the integrity loss, G_3 the availability loss and G_4 the privilege escalation, where the values of the confidentiality loss G_1, integrity loss G_2 and availability loss G_3 are taken according to the corresponding metric definitions in CVSS; when the vulnerability description information corresponding to node A_start contains one of the description fields execute arbitrary code, execute arbitrary files, overwrite arbitrary files, gain privileges, obtain privileges, root privileges, administrative privileges or elevation of privilege vulnerability, G_4 = 1, otherwise G_4 = 0. P_1 is the preference factor for confidentiality loss, P_1 = 100; P_2 is the preference factor for integrity loss, P_2 = 75; P_3 is the preference factor for availability loss, P_3 = 50; P_4 is the preference factor for privilege escalation, P_4 = 25.

SG(T) is the attack gain of the Bayesian attack graph after defense strategy T has been applied. When protective measure M_k is enabled, PM(S_end | M_k) denotes the probability of attribute state node S_end after M_k has been applied; R_k is the preference factor for the probability impact of the operation type to which the measure M_k applied at any attack-gain node S_end belongs: R_1 is the preference factor for the posterior-probability impact of disabling-service measures, R_2 that of disconnecting-network-connection measures, R_3 that of installing-security-product measures and R_4 that of patching measures, 0 < R_k ≤ 100, and R_k takes the value R_1, R_2, R_3 or R_4 according to the measure M_k. When M_k is not enabled, PM(S_end | M_k) = P(S_end).

SC(T) is the defense cost of the Bayesian attack graph after defense strategy T has been applied. C_k denotes the defense cost of applying protective measure M_k at any attack-gain node S_end; 0 < imp(asset) ≤ 1, where imp(asset) is valued according to the economic value of the network device to which S_end belongs, the greater the economic value the greater its value; Q_k is the defense-cost preference factor of applying M_k at S_end: Q_1 is the defense-cost preference factor of disconnecting-network-connection measures, Q_2 that of patching measures, Q_3 that of disabling-service measures and Q_4 that of installing-security-product measures, 0 < Q_k ≤ 100, Q_1 > Q_2 > Q_3 > Q_4, and Q_k takes the value Q_1, Q_2, Q_3 or Q_4 according to the measure M_k.

α is the preference weight of attack gain, 0 ≤ α ≤ 1.

Further, in the present invention, when the network device to which attack-gain node S_end belongs stores enterprise trade-secret information, 0.7 ≤ imp(asset) ≤ 1; when it provides enterprise business services, 0.4 ≤ imp(asset) < 0.7; when it stores personal privacy information, 0 < imp(asset) < 0.4.

Further, the network devices to which the method of the invention applies include web servers, mail servers, domain name servers, database servers, FTP servers, gateway servers, administrator servers and PCs;
when the network device to which attack-gain node S_end belongs is a database server, FTP server, administrator server, gateway server, web server, mail server, domain name server or PC, the corresponding values of imp(asset) are 1.0, 0.9, 0.8, 0.7, 0.6, 0.5, 0.4 and 0.3 respectively;
R_1 = 100, R_2 = 50, R_3 = 30, R_4 = 20;
Q_1 = 100, Q_2 = 80, Q_3 = 60, Q_4 = 40.
A fourth object of the present invention is to provide a network security risk management system.

The network security risk management system provided by the present invention comprises: a risk identification subsystem, a data storage and management subsystem, a MulVAL-based attack graph generation subsystem, a risk assessment subsystem based on a Bayesian attack graph, and a network security risk management subsystem.

The risk identification subsystem identifies the information of all network devices, discovers the network topology, analyzes the connectivity between hosts and identifies the vulnerability information of all hosts.

The data storage and management subsystem stores and manages data such as network device information, the network topology, inter-host connectivity and vulnerabilities.

The MulVAL-based attack graph generation subsystem inputs all the information collected by the risk identification subsystem into the MulVAL tool and finally visualizes the original attack graph of the network.

The original attack graph of the network consists of a number of nodes and a number of directed edges.
The nodes include I attribute state nodes S and N atomic attack nodes A, where I is a positive integer, S_i ∈ S, i = 1, 2, 3, ..., I, S_1 is the external attribute state node of the original attack graph, and for i ≥ 2 the attribute state node S_i is either a node at which a vulnerability exists or an attack-gain node; for i ≥ 2 the parent node set Pa[S_i] and the ancestor node set of S_i are non-empty. N is a positive integer and A_n ∈ A, n = 1, 2, 3, ..., N.
The directed edges E include a number of vulnerability exploitation edges and a number of attack-success edges.
E_v ∈ (S_pre, S_post) is any vulnerability exploitation edge; S_pre and S_post are respectively the head and tail nodes of E_v, S_pre, S_post ∈ S, S_post is any node at which a vulnerability v_post exists, the parent node set Pa[S_post] of S_post is non-empty, and S_pre ∈ Pa[S_post].
E_a ∈ (A_start, S_end) is any attack-success edge; A_start and S_end are respectively the head and tail nodes of E_a, A_start ∈ A, S_end ∈ S, S_end is any attack-gain node, the parent node set Pa[S_end] of S_end is non-empty, and A_start ∈ Pa[S_end].

The risk assessment subsystem based on the Bayesian attack graph comprises a vulnerability exploitation probability computation module, an attack success probability computation module, an LCPD computation module and a risk evaluation module, where:

The vulnerability exploitation probability computation module computes the exploitation success probability of every vulnerability exploitation edge, where for the edge E_v ∈ (S_pre, S_post) the exploitation success probability P(v_post) is:

P(v_post) = AV × w1 + AC × w2 + Au × w3 + RL × w4 + P_exploit × w5    (4)

In formula 4, AV is the access vector of vulnerability v_post in the CVSS (Common Vulnerability Scoring System) base metric group, AC is its access complexity in the base metric group, Au is its authentication metric in the base metric group, RL is its remediation level in the temporal metric group, and the values of AV, AC, Au and RL are taken according to the corresponding metric definitions in CVSS; P_exploit is the exploit-code availability probability of v_post; t is the total number of days from the publication date of v_post to the current date, t a positive integer; and w1 = 0.073, w2 = 0.118, w3 = 0.191, w4 = 0.2361, w5 = 0.3819.

The attack success probability computation module computes the attack success probability of every attack-success edge, where for any attack-success edge E_a ∈ (A_start, S_end) the attack success probability P(A_start) is: when node A_start has published vulnerability information, an attack tool and an attack method, P(A_start) is 0.8; when A_start has published vulnerability information and an attack method but no attack tool, P(A_start) is 0.6; when A_start has published vulnerability information but neither an attack method nor an attack tool, P(A_start) is 0.2.

The LCPD computation module computes the LCPD functions of the attribute state nodes:
(1) for a node S_post at which a vulnerability exists, the LCPD function P(S_post | Pa[S_post]) is:
(2) for an attack-gain node S_end, the LCPD function P(S_end | Pa[S_end]) is:

The risk evaluation module computes the prior probability of every attribute state node in the attack graph:
(1) the prior probability of S_1 is P(S_1) = 0.7;
(2) for an attribute state node S_i with i ≥ 2, the prior probability P(S_i) is the joint probability of S_i and all of its ancestor nodes, and P(S_i) is:
In formula 5, P(S_i | Pa[S_i]) is the LCPD function of attribute state node S_i, S_j is an ancestor node of S_i, Pa[S_j] is the parent node set of node S_j, and P(S_j | Pa[S_j]) is the LCPD function of node S_j.

The network security risk management subsystem comprises a defense strategy management module, a cost-benefit analysis module and an optimal defense strategy selection module.

The defense strategy management module defines defense strategies T according to the monitored network environment. Under defense strategy T, the protective measure applied to the network device to which any attack-gain node S_end belongs is M_k; a protective measure M_k represents disconnecting a network connection, disabling a service, patching, or installing a security product. The defense strategy T is expressed as a Boolean vector over the set of protective measures M = {M_k | k = 1, ..., m}, i.e. T = (T_1, T_2, ..., T_k, ..., T_m).

The cost-benefit analysis module computes the initial attack gain SG_0 of the Bayesian attack graph, the attack gain SG(T) of the Bayesian attack graph after defense strategy T has been applied, and the defense cost SC(T) of the Bayesian attack graph after defense strategy T has been applied:

In formula 6, P(S_end) is the prior probability of attack-gain node S_end;
G(S_end) is the attack gain of attack-gain node S_end; G_1 is the confidentiality loss, G_2 the integrity loss, G_3 the availability loss and G_4 the privilege escalation, where the values of the confidentiality loss G_1, integrity loss G_2 and availability loss G_3 are taken according to the corresponding metric definitions in CVSS; when the vulnerability description information corresponding to node A_start contains one of the description fields execute arbitrary code, execute arbitrary files, overwrite arbitrary files, gain privileges, obtain privileges, root privileges, administrative privileges or elevation of privilege vulnerability, G_4 = 1, otherwise G_4 = 0. P_1 is the preference factor for confidentiality loss, P_1 = 100; P_2 is the preference factor for integrity loss, P_2 = 75; P_3 is the preference factor for availability loss, P_3 = 50; P_4 is the preference factor for privilege escalation, P_4 = 25.
When protective measure M_k is enabled, PM(S_end | M_k) denotes the probability of attribute state node S_end after M_k has been applied; R_k is the preference factor for the probability impact of the operation type to which the measure M_k applied at any attack-gain node S_end belongs: R_1 is the preference factor for the posterior-probability impact of disabling-service measures, R_2 that of disconnecting-network-connection measures, R_3 that of installing-security-product measures and R_4 that of patching measures, 0 < R_k ≤ 100, and R_k takes the value R_1, R_2, R_3 or R_4 according to the measure M_k. When M_k is not enabled, PM(S_end | M_k) = P(S_end).
C_k denotes the defense cost of applying protective measure M_k at any attack-gain node S_end; 0 < imp(asset) ≤ 1, where imp(asset) is valued according to the economic value of the network device to which S_end belongs, the greater the economic value the greater its value; Q_k is the defense-cost preference factor of applying M_k at S_end: Q_1 is the defense-cost preference factor of disconnecting-network-connection measures, Q_2 that of patching measures, Q_3 that of disabling-service measures and Q_4 that of installing-security-product measures, 0 < Q_k ≤ 100, Q_1 > Q_2 > Q_3 > Q_4, and Q_k takes the value Q_1, Q_2, Q_3 or Q_4 according to the measure M_k.

The optimal defense strategy selection module solves for the optimal defense strategy with the particle swarm optimization algorithm on the basis of defense-cost and attack-gain analysis:
the fitness function of the particle swarm optimization algorithm is αSG(T) + (1 − α)SC(T); the optimal strategy minimizes the value of αSG(T) + (1 − α)SC(T) subject to SC(T) ≤ B, where B is the network security management cost budget;
α is the preference weight of attack gain, 0 ≤ α ≤ 1.

Further, in the system of the present invention, when the network device to which attack-gain node S_end belongs stores enterprise trade-secret information, 0.7 ≤ imp(asset) ≤ 1; when it provides enterprise business services, 0.4 ≤ imp(asset) < 0.7; when it stores personal privacy information, 0 < imp(asset) < 0.4.

Further, the network devices to which the system of the invention applies include web servers, mail servers, domain name servers, database servers, FTP servers, gateway servers, administrator servers and PCs;
when the network device to which attack-gain node S_end belongs is a database server, FTP server, administrator server, gateway server, web server, mail server, domain name server or PC, the corresponding values of imp(asset) are 1.0, 0.9, 0.8, 0.7, 0.6, 0.5, 0.4 and 0.3 respectively;
R_1 = 100, R_2 = 50, R_3 = 30, R_4 = 20;
Q_1 = 100, Q_2 = 80, Q_3 = 60, Q_4 = 40.
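As an added example (not the patent's own code), the following Python sketches the optimal-strategy search of Step 2 of the risk management method and of the optimal defense strategy selection module: a binary particle swarm optimization over the Boolean vector T that minimizes αSG(T) + (1 − α)SC(T) subject to SC(T) ≤ B, using the R_k, Q_k and imp(asset) values stated above. The attack-gain nodes and measures are a constructed instance, and because the page's formulas for C_k, PM(S_end | M_k), SG(T) and SC(T) are not reproduced here, the example uses stand-in models that are labelled as assumptions: C_k = imp(asset) × Q_k, and each enabled measure scales the probability of its gain node by (1 − R_k/100). A brute-force search over all 2^m strategies is included so the swarm result can be checked on small instances.

```python
"""Binary PSO for the defense strategy T: minimize alpha*SG(T) + (1-alpha)*SC(T)
subject to SC(T) <= B. Cost and gain models below are stand-ins (assumptions)."""
import itertools
import math
import random

# Preference factors and asset-importance values as stated on the page.
R = {"disable_service": 100, "disconnect": 50, "install_product": 30, "patch": 20}
Q = {"disconnect": 100, "patch": 80, "disable_service": 60, "install_product": 40}
IMP = {"database": 1.0, "ftp": 0.9, "admin": 0.8, "gateway": 0.7,
       "web": 0.6, "mail": 0.5, "dns": 0.4, "pc": 0.3}

# Constructed sample instance (not from the page): attack-gain nodes S_end with
# device type, prior probability P(S_end) and attack gain G(S_end); protective
# measures M_k as (gain node, operation type).
GAIN_NODES = {
    "db":   {"device": "database", "p": 0.5, "G": 200.0},
    "web":  {"device": "web",      "p": 0.4, "G": 120.0},
    "mail": {"device": "mail",     "p": 0.3, "G": 80.0},
    "pc":   {"device": "pc",       "p": 0.6, "G": 50.0},
}
MEASURES = [("db", "patch"), ("db", "disconnect"), ("web", "disable_service"),
            ("mail", "install_product"), ("pc", "patch")]


def measure_cost(node, kind):
    # Assumption: C_k = imp(asset) * Q_k (the page's own formula is not reproduced).
    return IMP[GAIN_NODES[node]["device"]] * Q[kind]


def sc(T):
    """Defense cost SC(T): sum of the costs of the enabled measures."""
    return sum(measure_cost(n, k) for t, (n, k) in zip(T, MEASURES) if t)


def sg(T):
    """Attack gain SG(T). Assumption: each enabled measure scales P(S_end) by
    (1 - R_k/100); a disabled measure leaves PM(S_end|M_k) = P(S_end), as on the page."""
    total = 0.0
    for name, node in GAIN_NODES.items():
        p = node["p"]
        for t, (n, k) in zip(T, MEASURES):
            if t and n == name:
                p *= 1.0 - R[k] / 100.0
        total += p * node["G"]
    return total


def fitness(T, alpha, budget):
    """Page's fitness alpha*SG(T) + (1-alpha)*SC(T); over-budget strategies are rejected."""
    cost = sc(T)
    if cost > budget:
        return math.inf
    return alpha * sg(T) + (1.0 - alpha) * cost


def brute_force(alpha, budget):
    """Exact optimum over all 2^m strategies (only practical for small m)."""
    best = min(itertools.product((0, 1), repeat=len(MEASURES)),
               key=lambda T: fitness(T, alpha, budget))
    return list(best), fitness(best, alpha, budget)


def binary_pso(alpha, budget, particles=20, iterations=40, seed=1):
    """Kennedy-Eberhart binary PSO: real-valued velocities, bits sampled through a sigmoid."""
    rng = random.Random(seed)
    m = len(MEASURES)
    # One particle starts from the empty strategy so the swarm always holds a feasible point.
    pos = [[0] * m] + [[rng.randint(0, 1) for _ in range(m)] for _ in range(particles - 1)]
    vel = [[rng.uniform(-1, 1) for _ in range(m)] for _ in range(particles)]
    pbest = [p[:] for p in pos]
    pfit = [fitness(p, alpha, budget) for p in pos]
    g = min(range(particles), key=pfit.__getitem__)
    gbest, gfit = pbest[g][:], pfit[g]
    w, c1, c2, vmax = 0.7, 1.5, 1.5, 4.0
    for _ in range(iterations):
        for i in range(particles):
            for d in range(m):
                v = (w * vel[i][d]
                     + c1 * rng.random() * (pbest[i][d] - pos[i][d])
                     + c2 * rng.random() * (gbest[d] - pos[i][d]))
                vel[i][d] = max(-vmax, min(vmax, v))
                pos[i][d] = 1 if rng.random() < 1.0 / (1.0 + math.exp(-vel[i][d])) else 0
            f = fitness(pos[i], alpha, budget)
            if f < pfit[i]:
                pbest[i], pfit[i] = pos[i][:], f
                if f < gfit:
                    gbest, gfit = pos[i][:], f
    return gbest, gfit


if __name__ == "__main__":
    T, f = binary_pso(alpha=0.7, budget=100)
    print("PSO strategy", T, "fitness", round(f, 2), "SC", sc(T), "SG", sg(T))
    print("exact optimum", brute_force(0.7, 100))
```

Run the file directly to print both results. On this instance, with α = 0.7 and B = 100, disabling the web service is the only measure whose weighted reduction in attack gain outweighs its weighted cost, so the exact optimum is T = (0, 0, 1, 0, 0); the swarm is compared against it to show that the stand-in models, not the optimizer, decide which measures pay off.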
Compared with the prior art, the present invention has the following advantages:

The probability of successful exploitation of a network vulnerability is derived from the exploitability probability of the vulnerability; the method for computing it accounts for the dynamic change of exploitability over time and establishes static and dynamic exploitability evaluation indices, so that exploitability can be quantified accurately and the assessment results become more diverse.

The Bayesian attack graph construction method of the present invention takes the uncertain factors of an attack into account: the probabilities of successful vulnerability exploitation and of attack success allow the risk of the current network to be assessed more accurately.

The network security risk management method of the present invention constructs in detail the economic indices and quantification methods for defense cost and attack gain, solves for the optimal defense strategy effectively with the particle swarm optimization algorithm, and finally guarantees the safety of the attack-target nodes, effectively reducing the security risk of the whole network under a limited cost budget.

The risk identification subsystem of the network security risk management system of the present invention fuses multi-source security data and establishes a complete system of risk assessment elements; the MulVAL-based attack graph generation subsystem generates the original attack graph with the MulVAL tool, whose time complexity is O(n^2), n being the number of hosts in the network, which gives high efficiency, good scalability and easy engineering implementation. The network security risk management system solves the problem of tracing the source of a network attack and realizes a security mechanism of active defense.
Description of the drawings
Fig. 1 is the general framework of the network security risk management system based on a Bayesian attack graph according to the present invention.
Fig. 2 is the evaluation index hierarchy of the dynamic vulnerability exploitability analysis method based on fuzzy theory.
Fig. 3 shows the probability computation of the attack graph.
Fig. 4 is a network topology.
Fig. 5 is the attack graph of the network shown in Fig. 4.
Fig. 6 shows the attack gain of each attack-gain node in the attack graph shown in Fig. 5.
Specific implementation mode
The technical scheme of the present invention is described in further detail below with reference to the accompanying drawings, but is not limited thereto.

The present invention quantitatively assesses the exploitability probability of a vulnerability with a dynamic vulnerability exploitability analysis method based on the analytic hierarchy process (AHP); the steps of the method are as follows:

Step 1: choose the vulnerability exploitability evaluation indices.

Step 1.1: from the CVSS (Common Vulnerability Scoring System) base metric group in the U.S. National Vulnerability Database (NVD), extract the three static indices access vector AV, access complexity AC and authentication Au, and from the temporal metric group extract the one dynamic index remediation level RL. Table 1 gives the levels of these four indices in CVSS and the corresponding scores.

Table 1

Step 1.2: extract the vulnerability publication date from the time attributes of the Open Source Vulnerability Database (OSVDB). After a vulnerability is disclosed, exploit-code availability changes dynamically over time. The exploit-code availability probability is computed with formula (7), and exploit-code availability is thereby built into a second dynamic index:

where P_exploit is the exploit-code availability probability of vulnerability v_post and t is the total number of days from the publication date of v_post to the current date, t a positive integer.

Step 1.3: establish the evaluation index hierarchy model, as shown in Fig. 2.

Step 2: decompose the five indices obtained in step 1 into target, criterion and scheme layers with the AHP, as shown in Table 2.

Table 2

Step 3: using the AHP of the paper "Vulnerability hazard rating assessment based on fuzzy theory" published in the journal Application Research of Computers, compute the weight vector of the relative importance of the five scheme-layer indices to the target-layer vulnerability exploitability, expressed as W = (w1, w2, w3, w4, w5), where w1 + w2 + w3 + w4 + w5 = 1. The final results are w1 = 0.073, w2 = 0.118, w3 = 0.191, w4 = 0.2361 and w5 = 0.3819. The exploitability probability is therefore obtained as:

Score = AV × w1 + AC × w2 + Au × w3 + RL × w4 + P_exploit × w5

Taking the exploitability probability as the source of the exploitation success probability, this is expressed as:

P(v_post) = Score    (8)

where P(v_post) denotes the exploitation success probability.

To illustrate the computation of the proposed exploitation success probability method, it is applied to a specific vulnerability, CVE-2015-0838, which describes an improper restriction of operations within the bounds of a memory buffer; a remote attacker can exploit the vulnerability to execute arbitrary code by means of a specially crafted package file. Detailed information about the vulnerability can be obtained from the NVD database, as shown in Table 3.

Table 3
CVE number | CVE-2015-0838 |
Access vector | Remote network access |
Access complexity | Low |
Authentication | Not required |
Publication date | 2015-03-31 |
Remediation level | Official fix |

The vulnerability was disclosed on March 31, 2015; assuming the current date is May 31, 2015, the total number of days from the current date to the publication date is 60, and the exploit-code availability computed with formula (7) is:

The exploitation success probability computed with formula (8) is therefore:
P(v_post) = 1 × 0.073 + 0.71 × 0.118 + 0.704 × 0.191 + 0.87 × 0.2361 + 0.9352 × 0.3819
= 0.8538
With reference to Figure 1, the network security risk management system and method of the invention are as follows:
Step 1: Risk identification
Step 1.1: The OVAL-based vulnerability scanning assessment report collection module 111 uses an OVAL scanner to obtain the vulnerability reports of all hosts in the network, and the collected vulnerability data are stored in the data storage and management subsystem 12 for centralized management;
Step 1.2: The network connectivity analysis module 112 obtains the communication rules of each host in the network from the firewall system, and stores the collected inter-host connectivity data in the data storage and management subsystem 12;
Step 1.3: The network device configuration management module 113 obtains the network device information and topology using the ManageEngine network topology management software, and stores them in the data storage and management subsystem 12;
Step 2: The MulVAL-based attack graph generation subsystem 13 converts the obtained vulnerability reports into the Datalog data format as the .P input file of the MulVAL tool. After running MulVAL, the output attack graph information is stored mainly in the node file VERTICES.CSV and the edge file ARCS.CSV, and finally the attack graph is visualized in the file AttackGraph.pdf. The time complexity of the attack graph generation algorithm of MulVAL is O(n²), where n is the number of hosts in the network, so it has high efficiency and good scalability.
Step 3: Obtain the Bayesian attack graph
Calculate the vulnerability exploit success probabilities P(v_post), the attack success probabilities P(A_start), the LCPD tables and the prior probabilities P(S_i) of the attack graph.
Step 3.1: The vulnerability exploit success probability calculation module 141 uses the vulnerability exploitability probability as the source of the vulnerability exploit success probability, expressed as:
P(v_post) = Sore (9)
where P(v_post) denotes the vulnerability exploit success probability and Sore denotes the vulnerability exploitability probability.
Step 3.2: The attack success probability assignment module 142 configures the attack success probability P(A_start) according to the attack type. For any attack success edge E_a ∈ (A_start, S_end), the attack success probability P(A_start) is: when node A_start has published vulnerability information, an attack tool and an attack method, P(A_start) is 0.8; when node A_start has published vulnerability information and an attack method but no attack tool, P(A_start) is 0.6; when node A_start has published vulnerability information but neither an attack method nor an attack tool, P(A_start) is 0.2;
Step 3.3: The LCPD calculation module 143 calculates the local conditional probability distribution table LCPD of all attribute state nodes, obtained as follows:
(1) The LCPD function P(S_post | Pa[S_post]) of a node S_post with a vulnerability is:
(2) The LCPD function P(S_end | Pa[S_end]) of an attack gain node S_end is:
To show the LCPD calculation process, a derivation is given for Figure 3. Node S_1 is the external attribute state node, and nodes S_2, S_3 and S_4 are attribute state nodes. S_4 is a descendant of S_3, S_2 and S_1. The vulnerability exploit success probabilities are calculated according to formula (9); the attack success probabilities of A_1 and A_2 are configured as 0.2 and 0.8 respectively according to the attack type; the prior probability of the external attribute state node S_1 is P(S_1) = 0.7; and the LCPDs of S_2, S_3 and S_4 are calculated as described in step 3.3.
Step 3.4: The risk assessment module 144 calculates the prior probability of all attribute state nodes:
(1) The prior probability of S_1 is P(S_1) = 0.7;
(2) For an attribute state node S_i with i ≥ 2, the prior probability P(S_i) is the joint probability of S_i with all of its ancestor nodes; the prior probability P(S_i) is:
where P(S_i, Ancestor[S_i]) denotes the joint probability of S_i with all of its ancestor nodes Ancestor[S_i], P(S_i | Pa[S_i]) is the LCPD function of attribute state node S_i, S_j is an ancestor node of S_i, Pa[S_j] is the parent node set of node S_j, and P(S_j | Pa[S_j]) is the LCPD function of node S_j.
In Figure 3, according to formula (10), the prior probabilities of nodes S_2, S_3 and S_4 are calculated as follows:
P(S_2) = P(S_2, S_1) = P(S_2 = 1 | S_1 = 1) × P(S_1) = 0.86 × 0.7 = 0.602
P(S_3) = P(S_3, S_1) = P(S_3 = 1 | S_1 = 1) × P(S_1) = 0.39 × 0.7 = 0.273
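The exploit success score of steps 1 to 3 (formulas (8)/(9), with the CVE-2015-0838 worked example) and the attack success configuration of step 3.2, as an added Python example that is not part of the patent. It assumes that the four CVSS v2 values shown in the worked example are the standard CVSS v2 constants and fills in the remaining levels from the CVSS v2 specification (Table 1 is not reproduced on the page), and it takes P_exploit as an input because formula (7) is not reproduced either; the second vulnerability record is constructed for comparison.

```python
"""Vulnerability exploit success probability P(v_post) and attack success
probability P(A_start) as configured in this patent (steps 1-3 and 3.2).

Added example, not the patent's own code. Assumptions:
  * Table 1 is not on the page; the four values in the worked example
    (AV:N = 1.0, AC:L = 0.71, Au:N = 0.704, RL:OF = 0.87) are the standard
    CVSS v2 constants, so the other levels are filled in from CVSS v2.
  * Formula (7) for P_exploit is not on the page, so P_exploit is an input;
    the worked example gives 0.9352 for t = 60 days.
"""
from dataclasses import dataclass

# AHP criterion-layer weights W = (w1, ..., w5) from step 3; they sum to 1.
WEIGHTS = {"AV": 0.073, "AC": 0.118, "Au": 0.191, "RL": 0.2361, "Pexploit": 0.3819}

# CVSS v2 base-metric (static) and temporal (dynamic) indicator scores.
ACCESS_VECTOR = {"L": 0.395, "A": 0.646, "N": 1.0}       # Local / Adjacent / Network
ACCESS_COMPLEXITY = {"H": 0.35, "M": 0.61, "L": 0.71}    # High / Medium / Low
AUTHENTICATION = {"M": 0.45, "S": 0.56, "N": 0.704}      # Multiple / Single / None
REMEDIATION_LEVEL = {"OF": 0.87, "TF": 0.90, "W": 0.95, "U": 1.0}  # Official fix / Temporary fix / Workaround / Unavailable


@dataclass(frozen=True)
class Vulnerability:
    cve_id: str
    av: str
    ac: str
    au: str
    rl: str
    p_exploit: float  # exploit code availability probability (formula (7) output)


def exploit_success_probability(v: Vulnerability) -> float:
    """Sore = AV*w1 + AC*w2 + Au*w3 + RL*w4 + P_exploit*w5 (formulas (8)/(9))."""
    if not 0.0 <= v.p_exploit <= 1.0:
        raise ValueError(f"{v.cve_id}: P_exploit must lie in [0, 1]")
    try:
        terms = (
            ACCESS_VECTOR[v.av] * WEIGHTS["AV"],
            ACCESS_COMPLEXITY[v.ac] * WEIGHTS["AC"],
            AUTHENTICATION[v.au] * WEIGHTS["Au"],
            REMEDIATION_LEVEL[v.rl] * WEIGHTS["RL"],
            v.p_exploit * WEIGHTS["Pexploit"],
        )
    except KeyError as exc:
        raise ValueError(f"{v.cve_id}: unknown CVSS v2 level {exc}") from None
    return round(sum(terms), 4)


def attack_success_probability(info_published: bool, has_method: bool, has_tool: bool) -> float:
    """P(A_start) per step 3.2; only the three cases the patent lists are configured."""
    if not info_published:
        raise ValueError("no published vulnerability information: not configured")
    if has_method and has_tool:
        return 0.8
    if has_method and not has_tool:
        return 0.6
    if not has_method and not has_tool:
        return 0.2
    raise ValueError("attack tool without attack method: not configured")


def rank_by_exploit_success(vulns):
    """Highest P(v_post) first: the order in which a defender would remediate."""
    return sorted(vulns, key=exploit_success_probability, reverse=True)


# CVE-2015-0838 as in Table 3 (AV:N, AC:L, Au:N, RL:OF), P_exploit = 0.9352 at t = 60.
CVE_2015_0838 = Vulnerability("CVE-2015-0838", "N", "L", "N", "OF", 0.9352)

# Constructed comparison record (not from the page): local, high complexity,
# single authentication, no fix yet, little exploit code available.
CONSTRUCTED_LOCAL = Vulnerability("CVE-0000-0000 (constructed)", "L", "H", "S", "U", 0.10)

if __name__ == "__main__":
    for v in rank_by_exploit_success([CONSTRUCTED_LOCAL, CVE_2015_0838]):
        print(f"{v.cve_id}: P(v_post) = {exploit_success_probability(v):.4f}")
    print("P(A_start) with info, method and tool:", attack_success_probability(True, True, True))
```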
Step 4: Network security risk management subsystem 15
Construct the indicators and quantification methods for protection cost and attack gain, obtain the optimal protection strategy using the particle swarm optimization (PSO) algorithm, and implement the optimal protection strategy on the Bayesian attack graph, finally reducing the security risk of the overall network.
Step 4.1: The protection strategy management module (151) defines that, under protection strategy T, the protection measure implemented for any attack gain node S_end is M_k. Protection measure M_k represents that the network device to which attack gain node S_end belongs performs only one of 4 types of operation: disconnecting the network connection, disabling a service, installing a patch, or installing a security product. Protection strategy T is represented by a Boolean vector over the protection measure set M = {M_k | k = 1, ..., m}, i.e. T = (T_1, T_2, ..., T_k, ..., T_m).
Step 4.2: The cost-benefit analysis module 152 establishes the security indicators and indicator quantification methods for protection cost and attack gain.
(1) Calculate the initial attack gain SG_0 of the Bayesian attack graph:
where P(S_end) is the prior probability of attack gain node S_end;
G(S_end) is the attack gain of attack gain node S_end, obtained as follows:
G_1 is the confidentiality loss, G_2 the integrity loss, G_3 the availability loss and G_4 the privilege escalation, where the values of confidentiality loss G_1, integrity loss G_2 and availability loss G_3 are defined according to the corresponding CVSS metrics; when the vulnerability description information corresponding to node A_start contains one of the description fields execute arbitrary code, execute arbitrary files, overwrite arbitrary files, gain privileges, obtain privileges, root privileges, administrative privileges or elevation of privilege vulnerability, G_4 = 1, otherwise G_4 = 0; P_1 is the preference factor for confidentiality loss, P_1 = 100; P_2 is the preference factor for integrity loss, P_2 = 75; P_3 is the preference factor for availability loss, P_3 = 50; P_4 is the preference factor for privilege escalation, P_4 = 25. Table 4 gives the levels of these 4 indicators and the corresponding scores.
Table 4
For example, after an atomic attack exploiting an intrinsic vulnerability of some software succeeds, the attacker reaches an attack gain node whose confidentiality loss value is 0.66 and whose privilege escalation value is 1; the corresponding attack gain calculated according to formula (11) is
(2) Calculate the attack gain SG(T) of the Bayesian attack graph after implementing protection strategy T, obtained as follows:
where P_M(S_end | M_k) denotes the probability of attribute state node S_end after protection measure M_k is implemented, obtained as follows:
R_k is the preference factor for the impact on the probability of the operation type to which protection measure M_k, implemented on any attack gain node S_end, belongs: R_1 is the preference factor for the impact on the posterior probability of the disable-service class of protection measure, R_1 = 100; R_2 is the preference factor for the impact on the posterior probability of the disconnect-network-connection class, R_2 = 50; R_3 is the preference factor for the impact on the posterior probability of the install-security-product class, R_3 = 30; R_4 is the preference factor for the impact on the posterior probability of the install-patch class, R_4 = 20. When protection measure M_k is not enabled, P_M(S_end | M_k) = P(S_end);
(3) Calculate the protection cost SC(T) of the Bayesian attack graph after implementing protection strategy T, obtained as follows:
where C_k denotes the protection cost of implementing protection measure M_k on any attack gain node S_end, obtained as follows:
where 0 < imp(asset) ≤ 1; imp(asset) takes its value according to the economic value of the network device to which any attack gain node S_end belongs, and the greater the economic value, the greater its value. When the network device to which attack gain node S_end belongs stores trade secret information, 0.7 ≤ imp(asset) ≤ 1; when it provides business services, 0.4 ≤ imp(asset) < 0.7; when it stores personal privacy information, 0 < imp(asset) < 0.4.
As shown in Figure 4, the network devices include a web server, a mail server, a DNS server, a database server, an FTP server, a gateway server, an administrator server and a PC. When the network device to which attack gain node S_end belongs is the database server, FTP server, administrator server, gateway server, web server, mail server, DNS server or PC, the corresponding values of imp(asset) are 1.0, 0.9, 0.8, 0.7, 0.6, 0.5, 0.4 and 0.3;
Q_k is the protection cost preference factor of implementing protection measure M_k on any attack gain node S_end: Q_1 is the protection cost preference factor of the disconnect-network-connection class of protection measure, Q_2 that of the install-patch class, Q_3 that of the disable-service class and Q_4 that of the install-security-product class; 0 < Q_q ≤ 100, Q_1 > Q_2 > Q_3 > Q_4, and Q_k takes the value Q_1, Q_2, Q_3 or Q_4 according to protection measure M_k; configure Q_1 = 100, Q_2 = 80, Q_3 = 60, Q_4 = 40.
For example, if protection measure M_k is to disconnect the network connection of the FTP server, the protection cost C_k calculated according to formula (13) is
Step 4.3: The optimal protection strategy selection module (153), under the conditions of the Bayesian attack graph obtained in step 3 and the network security management cost budget B, solves for an optimal protection strategy such that:
1) the value of the function α SG(T) + (1 − α) SC(T) is minimal;
2) SC(T) ≤ B.
where T = (T_1, T_2, ..., T_k, ..., T_m) is a set of decision variables and α is the preference weight of attack gain, 0 ≤ α ≤ 1. In the present invention the specific value of the attack gain preference weight is determined according to the importance of the attack gain: the more important it is to enterprise management, the larger the value of α.
The implementation process of the PSO-based optimal protection strategy selection algorithm includes the following steps:
1) Define the fitness function of the PSO algorithm, fitness(X) = α SG(X) + (1 − α) SC(X);
2) In a swarm of size n and a D-dimensional space, randomly initialize the initial position X_i = (X_i1, X_i2, ..., X_id, ..., X_iD) and velocity V_i = (V_i1, V_i2, ..., V_id, ..., V_iD) of the i-th particle, initialize the optimal protection strategy T = (0, 0, ..., 0)_{1×D}, and initialize the maximum number of iterations K. The following must hold: the position value in dimension d is 0 or 1, the velocity value in dimension d is a random number following the standard normal distribution, and SC(X_i) ≤ B, where 1 ≤ i ≤ n and 1 ≤ d ≤ D. Then generate the corresponding matrices.
3) At the k-th iteration, substitute each particle X_i into the fitness function and obtain its value, where 1 ≤ k ≤ K;
4) According to the formula:
calculate the local optimum position of the i-th particle. For all particles, according to the formula:
calculate the global optimum position;
5) According to the formulas:
update the velocity and position of each particle at the k-th iteration respectively;
6) If the maximum number of iterations K is reached, set the optimal protection strategy T to the global optimum position, output T and exit; otherwise go to step 3).
To illustrate the implementation effect of the proposed PSO-based optimal protection strategy selection algorithm, the experimental network topology environment is given as shown in Figure 4. The current network devices include a web server (WS), a mail server (MS), a DNS server (DS), a database server (DBS), an FTP server (FS), a gateway server (GS), an administrator server (AS) and a PC; the network communication rules of each server are configured by the firewall system, as shown in Table 5. When the network device to which attack gain node S_end belongs is the database server, FTP server, administrator server, gateway server, web server, mail server, DNS server or PC, the corresponding values of imp(asset) are 1.0, 0.9, 0.8, 0.7, 0.6, 0.5, 0.4 and 0.3.
Table 5
All vulnerability information present in the network system is obtained using the OVAL vulnerability scanner, as shown in Table 6. The original attack graph generated by the MulVAL tool is shown in Figure 5.
Table 6
The attack gain G(S_end) of each attack gain node S_end is calculated according to formula (11), as shown in Figure 6.
Protection measures M_k are given for the given network environment, and the protection cost C_k of each protection measure and the probability P_M(S_end | M_k) after implementing it are calculated according to formulas (13) and (12) respectively, as shown in Table 7.
Table 7
M_k | Description | C_k | P_M(S_end|M_k) |
M1 | Disconnect the network connection of DBS | 35.7 | 0.136 |
M2 | Disconnect the network connection of FS | 32.13 | 0.25 |
M3 | Disconnect the network connection of AS | 28.56 | 0.032 |
M4 | Disconnect the network connection of GS | 24.99 | 0.162 |
M5 | Disconnect the network connection of WS | 21.42 | 0.158 |
M6 | Disconnect the network connection of MS | 17.85 | 0.121 |
M7 | Apply the patch for vulnerability CVE-2014-1466 to DBS | 28.6 | 0.054 |
M8 | Apply the patch for vulnerability CVE-2012-2526 to FS | 25.74 | 0.1 |
M9 | Apply the patch for vulnerability CVE-2009-0692 to AS | 22.88 | 0.012 |
M10 | Apply the patch for vulnerability CVE-2007-4752 to GS | 20.02 | 0.065 |
M11 | Apply the patch for vulnerability CVE-2015-1635 to WS | 17.16 | 0.063 |
M12 | Apply the patch for vulnerability CVE-2004-0840 to MS | 14.3 | 0.049 |
M13 | Disable the SQL service of DBS | 21.4 | 0.272 |
M14 | Disable the SSH/FTP services of FS | 19.26 | 0.5 |
M15 | Disable the TCP/IP service of AS | 17.12 | 0.065 |
M16 | Disable the TCP/IP service of GS | 14.98 | 0.324 |
M17 | Disable the HTTP service of WS | 12.84 | 0.316 |
M18 | Disable the SMTP service of MS | 10.7 | 0.243 |
M19 | Install a firewall on GS | 10 | 0.121 |
M20 | Install an intrusion detection system on GS | 10 | 0.121 |
Given the network security management cost budget B = 100, the attack gain preference weight α = 0.5 and the swarm size n = 100. The number of available protection measures is Number_M = 20, i.e. the number of decision variables in T equals the number of protection measures Number_M, so the particle dimension is D = Number_M = 20. Set the inertia weight w = 0.8, the learning factors c_1 = c_2 = 2, the random numbers r_1 = r_2 = 0.5 and the maximum number of iterations K = 100. Using the PSO-based optimal protection strategy selection algorithm of this patent, the optimal protection strategy obtained is T = (0,0,0,0,0,0,0,1,0,0,0,1,1,0,1,0,1,0,0,1); the corresponding set of enabled protection measures is {M8, M12, M13, M15, M17, M20}, and SC = 99.4.
Claims (7)
1. A Bayesian attack graph construction method, characterized in that the method comprises:
Step 1, obtain an original attack graph, the original attack graph comprising a number of nodes and a number of directed edges;
the nodes comprise I attribute state nodes S and N atomic attack nodes A, where S_i ∈ S, i = 1, 2, 3, ..., I, I is a positive integer, and S_1 is the external attribute state node of the original attack graph; when i ≥ 2, attribute state node S_i is either a node with a vulnerability or an attack gain node, and when i ≥ 2 the parent node set Pa[S_i] and the ancestor node set Ancestor[S_i] of attribute state node S_i are not empty;
N is a positive integer, A_n ∈ A, n = 1, 2, 3, ..., N;
the directed edges E comprise a number of vulnerability exploit edges and a number of attack success edges;
E_v ∈ (S_pre, S_post) is any vulnerability exploit edge, S_pre and S_post are respectively the start and end nodes of edge E_v ∈ (S_pre, S_post), S_pre, S_post ∈ S, S_post is any node with a vulnerability v_post, the parent node set Pa[S_post] of S_post is not empty, and S_pre ∈ Pa[S_post];
E_a ∈ (A_start, S_end) is any attack success edge, A_start and S_end are respectively the start and end nodes of edge E_a ∈ (A_start, S_end), A_start ∈ A, S_end ∈ S, S_end is any attack gain node, the parent node set Pa[S_end] of S_end is not empty, and A_start ∈ Pa[S_end];
Step 2, build the Bayesian attack graph of the original attack graph, comprising the following steps:
Step 2.1, calculate the vulnerability exploit success probability of all vulnerability exploit edges, where the vulnerability exploit success probability P(v_post) of vulnerability exploit edge E_v ∈ (S_pre, S_post) is:
P(v_post) = AV × w1 + AC × w2 + Au × w3 + RL × w4 + P_exploit × w5 (2)
In formula 2: AV is the access vector in the CVSS base metric group of vulnerability v_post,
AC is the access complexity in the CVSS base metric group of vulnerability v_post,
Au is the authentication in the CVSS base metric group of vulnerability v_post,
RL is the remediation level in the CVSS temporal metric group of vulnerability v_post,
the values of AV, AC, Au and RL are defined according to the corresponding CVSS metrics;
P_exploit is the exploit code availability probability of vulnerability v_post, α = 0.260, b' = 0.00161, t is the total number of days from the publication date of vulnerability v_post to the current date, and t is a positive integer;
w1 = 0.073, w2 = 0.118, w3 = 0.191, w4 = 0.2361, w5 = 0.3819;
Step 2.2, calculate the attack success probability of all attack success edges, where the attack success probability P(A_start) of any attack success edge E_a ∈ (A_start, S_end) is: when node A_start has published vulnerability information, an attack tool and an attack method, P(A_start) is 0.8; when node A_start has published vulnerability information and an attack method but no attack tool, P(A_start) is 0.6; when node A_start has published vulnerability information but neither an attack method nor an attack tool, P(A_start) is 0.2;
Step 2.3, calculate the local conditional probability distribution table LCPD of all attribute state nodes:
(1) The LCPD function P(S_post | Pa[S_post]) of a node S_post with a vulnerability is:
(2) The LCPD function P(S_end | Pa[S_end]) of an attack gain node S_end is:
Step 2.4, calculate the prior probability of all attribute state nodes:
(1) The prior probability of S_1 is P(S_1) = 0.7;
(2) The prior probability P(S_i) of an attribute state node with i ≥ 2 is:
In formula 3, P(S_i | Pa[S_i]) is the LCPD function of attribute state node S_i, S_j is an ancestor node of S_i, Pa[S_j] is the parent node set of node S_j, and P(S_j | Pa[S_j]) is the LCPD function of node S_j.
2. A network security risk management method, characterized in that the method comprises:
Step 1, build a Bayesian attack graph using the method of claim 1;
Step 2, provide protection strategies according to the monitored network environment; based on protection cost and attack gain analysis, solve for the optimal protection strategy using the particle swarm optimization algorithm, and finally implement the optimal protection strategy on the Bayesian attack graph:
under protection strategy T, the protection measure implemented on the network device to which any attack gain node S_end belongs is M_k; protection measure M_k represents disconnecting the network connection, disabling a service, installing a patch or installing a security product; protection strategy T is represented by a Boolean vector over the protection measure set M = {M_k | k = 1, ..., m}, i.e. T = (T_1, T_2, ..., T_k, ..., T_m);
the fitness function of the particle swarm optimization algorithm is α SG(T) + (1 − α) SC(T), such that the value of the fitness function α SG(T) + (1 − α) SC(T) is minimal and SC(T) ≤ B, where B is the network security management cost budget;
for the initial attack gain of the Bayesian attack graph, P(S_end) is the prior probability of attack gain node S_end; G(S_end) is the attack gain of attack gain node S_end,
G_1 is the confidentiality loss, G_2 the integrity loss, G_3 the availability loss and G_4 the privilege escalation, where the values of confidentiality loss G_1, integrity loss G_2 and availability loss G_3 are defined according to the corresponding CVSS metrics; when the vulnerability description information corresponding to node A_start contains one of the description fields execute arbitrary code, execute arbitrary files, overwrite arbitrary files, gain privileges, obtain privileges, root privileges, administrative privileges or elevation of privilege vulnerability, G_4 = 1, otherwise G_4 = 0; P_1 is the preference factor for confidentiality loss, P_1 = 100; P_2 is the preference factor for integrity loss, P_2 = 75; P_3 is the preference factor for availability loss, P_3 = 50; P_4 is the preference factor for privilege escalation, P_4 = 25;
SG(T) is the attack gain of the Bayesian attack graph after implementing protection strategy T,
when protection measure M_k is enabled, P_M(S_end | M_k) denotes the probability of attribute state node S_end after protection measure M_k is implemented; R_k is the preference factor for the impact on the probability of the operation type to which protection measure M_k, implemented on any attack gain node S_end, belongs; R_1 is the preference factor for the impact on the posterior probability of the disable-service class of protection measure, R_2 that of the disconnect-network-connection class, R_3 that of the install-security-product class and R_4 that of the install-patch class; 0 < R_k ≤ 100, and R_k takes the value R_1, R_2, R_3 or R_4 according to protection measure M_k; when protection measure M_k is not enabled, P_M(S_end | M_k) = P(S_end);
SC(T) is the protection cost of the Bayesian attack graph after implementing protection strategy T; C_k denotes the protection cost of implementing protection measure M_k on any attack gain node S_end; 0 < imp(asset) ≤ 1, imp(asset) takes its value according to the economic value of the network device to which any attack gain node S_end belongs, and the greater the economic value, the greater the value of imp(asset); Q_k is the protection cost preference factor of implementing protection measure M_k on any attack gain node S_end, Q_1 is the protection cost preference factor of the disconnect-network-connection class of protection measure, Q_2 that of the install-patch class, Q_3 that of the disable-service class and Q_4 that of the install-security-product class; 0 < Q_q ≤ 100, Q_1 > Q_2 > Q_3 > Q_4, and Q_k takes the value Q_1, Q_2, Q_3 or Q_4 according to protection measure M_k;
α is the preference weight of attack gain, 0 ≤ α ≤ 1.
3. The network security risk management method as claimed in claim 2, characterized in that when the network device to which attack gain node S_end belongs stores enterprise trade secret information, 0.7 ≤ imp(asset) ≤ 1; when the network device to which attack gain node S_end belongs provides business services, 0.4 ≤ imp(asset) < 0.7; when the network device to which attack gain node S_end belongs stores personal privacy information, 0 < imp(asset) < 0.4.
4. The network security risk management method as claimed in claim 2, characterized in that
the network devices comprise a web server, a mail server, a DNS server, a database server, an FTP server, a gateway server, an administrator server and a PC;
when the network device to which attack gain node S_end belongs is the database server, FTP server, administrator server, gateway server, web server, mail server, DNS server or PC, the corresponding values of imp(asset) are 1.0, 0.9, 0.8, 0.7, 0.6, 0.5, 0.4 and 0.3;
R_1 = 100, R_2 = 50, R_3 = 30, R_4 = 20;
Q_1 = 100, Q_2 = 80, Q_3 = 60, Q_4 = 40.
5. a kind of network security risk manages system, which is characterized in that system includes:Risk identification subsystem, data storage with
Manage subsystem, attack graph based on MulVAL tools generates subsystem, the risk assessment subsystem based on Bayes's attack graph,
Network security risk manages subsystem;
The risk identification subsystem, to complete identification all-network facility information, find network topology structure, analysis host
Between connectivity, identify All hosts vulnerability information;
The data storage and management subsystem, to complete the connection between network equipment information, network topology structure, host
The storage and management of the data such as property, loophole;
The attack graph based on MulVAL tools generates subsystem, all to complete to acquire risk identification subsystem
In information input to MulVAL tools, final visual network original aggressor figure;
The network original aggressor figure includes several nodes and several directed edges;
Several described nodes include I attribute status node S and N number of atomic strike node A, wherein I takes positive integer, Si∈S,
I=1,2,3 ..., I, S1For the external attribute state node of original aggressor figure, when i >=2, attribute status node SiOr to there is leakage
The node in hole is attack income node, and when i >=2, attribute status node SiFather node set Pa [Si] and ancestor node
Set Ancestor [Si] it is not sky,
N takes positive integer, An∈ A, n=1,2,3 ..., N;
Several directed edge E include several vulnerability exploits while and when several success attacks;
Ev∈(Spre,Spost) it is any one vulnerability exploit side, Spre、SpostRespectively side Ev∈(Spre,Spost) front and back section
Point, Spre、Spost∈ S, SpostFor any one, there are loophole vpostNode, SpostFather node set Pa [Spost] be not
Sky, Spre∈Pa[Spost];
Ea∈(Astart,Send) it is any one success attack side, Astart、SendRespectively side Ea∈(Astart,Send) it is front and back
Node, Astart∈ A, Send∈S,SendFor any one attack income node, SendFather node set Pa [Send] it is not sky,
Astart∈Pa[Send];
The risk assessment subsystem based on Bayes's attack graph includes:Vulnerability exploit probability of success computing module, attack at
Work(parameter probability valuing module, LCPD computing modules, risk evaluation module, wherein:
The vulnerability exploit probability of success computing module calculates the vulnerability exploit probability of success on all vulnerability exploit sides, wherein leaking
Hole utilizes side Ev∈(Spre,Spost) vulnerability exploit probability of success P (vpost) be:
P(vpost)=AV × w1+AC×w2+Au×w3+RL×w4+Pexploit×w5 (4)
In formula 4:AV is loophole vpostCVSS in base set of properties access vector,
AC is loophole vpostCVSS in base set of properties access complexity,
Au is loophole vpostCVSS in base set of properties certification,
RL is loophole vpostCVSS in temporal set of properties patch restorability class,
The value of AV, AC, Au, RL are according to the index of correlation definition in CVSS;
PexploitFor loophole vpostCode utilizability probability value,α=0.260, b'=
0.00161, t is current date to loophole vpostTotal number of days of publication date, t take positive integer;
w1=0.073, w2=0.118, w3=0.191, w4=0.2361, w5=0.3819;
The success attack parameter probability valuing module calculates the success attack probability on all success attack sides, wherein arbitrary attack at
Work(side Ea∈(Astart,Send) success attack probability P (Astart) be:Node AstartWith vulnerability information publication, attack tool
When with attack method, P (Astart) it is 0.8;Node AstartWhen with vulnerability information publication and attack method without attack tool, P
(Astart) it is 0.6;Node AstartWhen with vulnerability information publication without attack method and attack tool, P (Astart) it is 0.2;
The LCPD computing modules calculate the local condition probability distribution table LCPD of all properties state node:
(1) there are the node S of loopholepostLCPD function P (Spost|Pa[Spost]) be:
(2) attack income node SendLCPD function P (Send|Pa[Send]) be:
The risk evaluation module, to calculate the prior probability of all properties state node in attack graph:
(1)S1Prior probability P (S1)=0.7;
(2) the attribute status node S of i >=2i, the prior probability P (S of i >=2i) it is attribute status node SiIt is saved with its all ancestors
The joint probability of point, prior probability P (Si) be:
In formula 5, P (Si|Pa[Si]) it is attribute status node SiLCPD functions, SjFor SiAncestor node, Pa [Sj] it is node Sj
Father's node set, P (Sj|Pa[Sj]) it is node SjLCPD functions;
Network security risk management subsystem includes Safeguard tactics management module, costs and benefits analysis module and most
Excellent prevention policies choose module;
The Safeguard tactics management module defines prevention policies T according to monitored network environment, arbitrary under prevention policies T
Attack income node SendThe safeguard procedures that belonging network equipment is implemented are Mk, safeguard procedures MkIt represents and disconnects network connection, disabling
Service, patch installing or installation safety product;Prevention policies T is safeguard procedures set M={ Mk| k=1 ..., m boolean vector
It indicates, as:T=(T1,T2,...,Tk,...,Tm),
the cost-benefit analysis module calculates the initial attack income SG0 of the Bayesian attack graph, the attack income SG(T) of the Bayesian attack graph after protection strategy T is implemented, and the protection cost SC(T) of the Bayesian attack graph after protection strategy T is implemented:
In formula 6, P(Send) is the prior probability of attack income node Send;
G(Send) is the attack income of attack income node Send, where G1 is the confidentiality loss, G2 is the integrity loss, G3 is the availability loss and G4 is the privilege escalation; the values of the confidentiality loss G1, the integrity loss G2 and the availability loss G3 are taken according to the definitions of the corresponding indices in CVSS; when the vulnerability description information corresponding to node Astart contains any one of the description fields "execute arbitrary code", "execute arbitrary files", "overwrite arbitrary files", "gain privileges", "obtain privileges", "root privileges", "administrative privileges" and "elevation of privilege vulnerability", G4 = 1, otherwise G4 = 0; P1 is the preference factor of the confidentiality loss, P1 = 100; P2 is the preference factor of the integrity loss, P2 = 75; P3 is the preference factor of the availability loss, P3 = 50; P4 is the preference factor of the privilege escalation, P4 = 25;
when safeguard measure Mk is enabled, PM(Send|Mk) denotes the probability of attribute status node Send after safeguard measure Mk is implemented; Rk is the preference factor for the influence on the posterior probability of the action type to which safeguard measure Mk, implemented on any attack income node Send, belongs; R1 is the preference factor for the influence on the posterior probability after a disable-service class safeguard measure is implemented, R2 is the preference factor for the influence on the posterior probability after a disconnect-network-connection class safeguard measure is implemented, R3 is the preference factor for the influence on the posterior probability after an install-security-product class safeguard measure is implemented, and R4 is the preference factor for the influence on the posterior probability after a patch-installation class safeguard measure is implemented; 0 < Rk ≤ 100, and Rk takes the value R1, R2, R3 or R4 according to safeguard measure Mk; when safeguard measure Mk is not enabled, PM(Send|Mk) = P(Send);
Ck denotes the protection cost of implementing safeguard measure Mk on any attack income node Send, with 0 < imp(asset) ≤ 1, where imp(asset) takes its value according to the economic value of the network device to which attack income node Send belongs: the larger the economic value, the larger its value; Qk is the preference factor of the protection cost of implementing safeguard measure Mk on any attack income node Send; Q1 is the protection cost preference factor of the disconnect-network-connection class safeguard measure, Q2 is the protection cost preference factor of the patch-installation class safeguard measure, Q3 is the protection cost preference factor of the disable-service class safeguard measure, and Q4 is the protection cost preference factor of the install-security-product class safeguard measure; 0 < Qk ≤ 100, Q1 > Q2 > Q3 > Q4, and Qk takes the value Q1, Q2, Q3 or Q4 according to safeguard measure Mk;
the optimal protection strategy selection module solves for the optimal protection strategy with a particle swarm optimization (PSO) algorithm on the basis of the protection cost and attack income analysis:
the fitness function of the particle swarm algorithm is αSG(T) + (1 − α)SC(T); the optimal protection strategy minimizes the fitness function αSG(T) + (1 − α)SC(T) subject to SC(T) ≤ B, where B is the network security management cost budget;
α is the preference weight of the attack income, 0 ≤ α ≤ 1.
6. The network security risk management system as claimed in claim 5, characterized in that
when the network device to which attack income node Send belongs stores enterprise business secret information, 0.7 ≤ imp(asset) ≤ 1; when the network device to which attack income node Send belongs provides business services, 0.4 ≤ imp(asset) < 0.7; when the network device to which attack income node Send belongs stores personal privacy information, 0 < imp(asset) < 0.4.
7. The network security risk management system as claimed in claim 5, characterized in that
the network devices include web servers, mail servers, domain name servers, database servers, file transfer servers, gateway servers, administrator servers and PCs;
when the network device to which attack income node Send belongs is a database server, FTP server, administrator server, gateway server, web server, mail server, domain name server or PC, the corresponding value of imp(asset) is 1.0, 0.9, 0.8, 0.7, 0.6, 0.5, 0.4 or 0.3, respectively;
R1 = 100, R2 = 50, R3 = 30, R4 = 20;
Q1 = 100, Q2 = 80, Q3 = 60, Q4 = 40.
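The cost-benefit rules of claims 5 to 7, as an added Python example written for this page (not the patent's code). The page does not reproduce formula 6 or the expressions for G(Send), for PM(Send|Mk) with the measure enabled, or for Ck, so the example makes labelled assumptions for those parts: G(Send) is a weighted sum of G1..G4 with P1..P4, an enabled measure scales P(Send) by (1 − Rk/100), Ck = Qk · imp(asset), and SG(T) and SC(T) are sums over the attack income nodes. What the claims do fix is implemented as stated: the G4 description-field rule, the P, R and Q factors, the imp(asset) table of claim 7, the ranges of claim 6, the disabled-measure case PM(Send|Mk) = P(Send) and the fitness αSG(T) + (1 − α)SC(T) with SC(T) ≤ B. The node names, priors and loss values are constructed (the losses use the CVSS v2 impact weights 0.660/0.275/0), and an exhaustive search over the 2^m Boolean vectors stands in for the particle swarm optimizer.

```python
from itertools import product
from typing import NamedTuple

# Preference factors of the loss types P1..P4 (claim 5).
P_CONF, P_INTEG, P_AVAIL, P_PRIV = 100, 75, 50, 25
# Posterior-probability influence factors R1..R4 by safeguard measure class (claims 5 and 7).
R_BY_CLASS = {"disable_service": 100, "disconnect_network": 50,
              "install_security_product": 30, "install_patch": 20}
# Protection cost preference factors Q1..Q4 by safeguard measure class (claims 5 and 7).
Q_BY_CLASS = {"disconnect_network": 100, "install_patch": 80,
              "disable_service": 60, "install_security_product": 40}
# imp(asset) by device type (claim 7).
IMP_BY_DEVICE = {"database": 1.0, "ftp": 0.9, "administrator": 0.8, "gateway": 0.7,
                 "web": 0.6, "mail": 0.5, "dns": 0.4, "pc": 0.3}
# Description fields that set the privilege escalation loss G4 to 1 (claim 5).
PRIVILEGE_FIELDS = ("execute arbitrary code", "execute arbitrary files",
                    "overwrite arbitrary files", "gain privileges", "obtain privileges",
                    "root privileges", "administrative privileges",
                    "elevation of privilege vulnerability")


class IncomeNode(NamedTuple):
    name: str
    p_send: float       # P(Send), prior probability of the attack income node
    device: str         # device type of the asset, key into IMP_BY_DEVICE
    measure: str        # class of the safeguard measure Mk available for this node
    g1: float           # confidentiality loss G1 (CVSS impact value)
    g2: float           # integrity loss G2
    g3: float           # availability loss G3
    description: str    # vulnerability description text, used for the G4 rule


def privilege_escalation_flag(description):
    """G4 rule of claim 5: 1 if any listed description field occurs, else 0."""
    text = description.lower()
    return 1 if any(field in text for field in PRIVILEGE_FIELDS) else 0


def attack_income(node):
    """G(Send). ASSUMPTION: weighted sum of G1..G4 with P1..P4 (formula not on the page)."""
    g4 = privilege_escalation_flag(node.description)
    return P_CONF * node.g1 + P_INTEG * node.g2 + P_AVAIL * node.g3 + P_PRIV * g4


def posterior_after_measure(node, enabled):
    """PM(Send|Mk). Claim 5 fixes the disabled case, PM(Send|Mk) = P(Send).
    ASSUMPTION for the enabled case: P(Send) is scaled down by Rk/100."""
    if not enabled:
        return node.p_send
    return node.p_send * (1.0 - R_BY_CLASS[node.measure] / 100.0)


def protection_cost(node):
    """Ck. ASSUMPTION: Ck = Qk * imp(asset), with imp(asset) from the claim 7 table."""
    return Q_BY_CLASS[node.measure] * IMP_BY_DEVICE[node.device]


def imp_in_range(imp, data_class):
    """Check an imp(asset) value against the ranges stated in claim 6."""
    return {"business_secret": 0.7 <= imp <= 1.0,
            "business_service": 0.4 <= imp < 0.7,
            "personal_privacy": 0.0 < imp < 0.4}[data_class]


def evaluate(nodes, strategy, alpha):
    """Return (SG(T), SC(T), fitness) for the Boolean vector T = strategy.
    ASSUMPTION: SG(T) sums PM(Send|Mk) * G(Send) over the income nodes and SC(T) sums Ck
    over the enabled measures; the fitness alpha*SG(T) + (1-alpha)*SC(T) is from claim 5."""
    sg = sum(posterior_after_measure(n, t) * attack_income(n) for n, t in zip(nodes, strategy))
    sc = sum(protection_cost(n) for n, t in zip(nodes, strategy) if t)
    return sg, sc, alpha * sg + (1.0 - alpha) * sc


def initial_attack_income(nodes):
    """SG0: attack income of the graph with no safeguard measure enabled."""
    return evaluate(nodes, (False,) * len(nodes), 1.0)[0]


def best_strategy(nodes, alpha, budget):
    """Minimize the fitness subject to SC(T) <= B. Exhaustive search over the 2^m Boolean
    vectors stands in for the particle swarm optimizer; adequate for small m."""
    best, best_result = None, None
    for strategy in product((False, True), repeat=len(nodes)):
        sg, sc, fit = evaluate(nodes, strategy, alpha)
        if sc <= budget and (best_result is None or fit < best_result[2]):
            best, best_result = strategy, (sg, sc, fit)
    return best, best_result


# Constructed sample: three attack income nodes with made-up priors.
SAMPLE_NODES = [
    IncomeNode("db-rce", 0.462, "database", "install_patch", 0.660, 0.660, 0.660,
               "Allows remote attackers to execute arbitrary code"),
    IncomeNode("web-leak", 0.56, "web", "disable_service", 0.275, 0.275, 0.0,
               "Information disclosure through the status page"),
    IncomeNode("pc-dos", 0.35, "pc", "disconnect_network", 0.0, 0.0, 0.660,
               "Denial of service via a crafted packet"),
]

if __name__ == "__main__":
    print("SG0 =", round(initial_attack_income(SAMPLE_NODES), 3))
    t, (sg, sc, fit) = best_strategy(SAMPLE_NODES, alpha=0.9, budget=100)
    print("best T =", t, "SG(T) =", round(sg, 3), "SC(T) =", round(sc, 3), "fitness =", round(fit, 3))
```

With α = 0.9 and a budget B = 100 the search selects the disable-service measure on the web server and the disconnect measure on the PC, while patching the database server (cost 80 under the assumed Ck) cannot be added without exceeding B; with no budget all three measures are selected. That is the trade-off the fitness function and the SC(T) ≤ B constraint express, and it is why the choice of α and B matters as much as the loss weights.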
Priority Applications (1)
Application Number | Priority Date | Filing Date | Title |
---|---|---|---|
CN201610125022.XA CN105681338B (en) | 2016-03-04 | 2016-03-04 | Vulnerability exploit probability of success computational methods and network security risk management method |
Applications Claiming Priority (1)
Application Number | Priority Date | Filing Date | Title |
---|---|---|---|
CN201610125022.XA CN105681338B (en) | 2016-03-04 | 2016-03-04 | Vulnerability exploit probability of success computational methods and network security risk management method |
Publications (2)
Publication Number | Publication Date |
---|---|
CN105681338A CN105681338A (en) | 2016-06-15 |
CN105681338B true CN105681338B (en) | 2018-10-30 |
Family
ID=56306861
Family Applications (1)
Application Number | Title | Priority Date | Filing Date |
---|---|---|---|
CN201610125022.XA Expired - Fee Related CN105681338B (en) | 2016-03-04 | 2016-03-04 | Vulnerability exploit probability of success computational methods and network security risk management method |
Country Status (1)
Country | Link |
---|---|
CN (1) | CN105681338B (en) |
Families Citing this family (19)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
CN106534195B (en) * | 2016-12-19 | 2019-10-08 | 杭州信雅达数码科技有限公司 | A kind of network attack person's behavior analysis method based on attack graph |
CN108270723B (en) * | 2016-12-30 | 2020-11-13 | 全球能源互联网研究院有限公司 | Method for acquiring predicted attack path of power network |
CN106921653B (en) * | 2017-01-25 | 2022-03-18 | 全球能源互联网研究院 | Reinforcing strategy generation method for network vulnerability |
CN108959931B (en) * | 2017-05-24 | 2022-03-01 | 阿里巴巴集团控股有限公司 | Vulnerability detection method and device, information interaction method and equipment |
CN107528850A (en) * | 2017-09-05 | 2017-12-29 | 西北大学 | A kind of optimal prevention policies analysis system and method based on improvement ant group algorithm |
CN108200095B (en) * | 2018-02-09 | 2021-02-23 | 华北电力科学研究院有限责任公司 | Method and device for determining vulnerability of Internet boundary security policy |
CN108683654B (en) * | 2018-05-08 | 2020-05-05 | 北京理工大学 | Network vulnerability assessment method based on zero-day attack graph |
CN109918935B (en) * | 2019-03-19 | 2020-10-09 | 北京理工大学 | Optimization method of internal divulgence threat protection strategy |
CN110708287B (en) * | 2019-09-03 | 2020-12-29 | 浙江大学 | Intrusion response method based on attack graph and psychological theory |
CN110557393B (en) * | 2019-09-05 | 2021-10-12 | 腾讯科技(深圳)有限公司 | Network risk assessment method and device, electronic equipment and storage medium |
CN110992071B (en) * | 2020-02-27 | 2020-10-13 | 零犀(北京)科技有限公司 | Service strategy making method and device, storage medium and electronic equipment |
CN112632555A (en) * | 2020-12-15 | 2021-04-09 | 国网河北省电力有限公司电力科学研究院 | Node vulnerability scanning method and device and computer equipment |
CN112995176A (en) * | 2021-02-25 | 2021-06-18 | 国电南瑞科技股份有限公司 | Network attack reachability calculation method and device applied to power communication network |
CN113076541B (en) * | 2021-03-09 | 2023-06-27 | 麒麟软件有限公司 | Vulnerability scoring model and method of operating system based on back propagation neural network |
WO2022205132A1 (en) * | 2021-03-31 | 2022-10-06 | 华为技术有限公司 | Method and apparatus for determining protection plan of attack path |
WO2022205122A1 (en) * | 2021-03-31 | 2022-10-06 | 华为技术有限公司 | Method and apparatus for determining defense scheme, device, and computer-readable storage medium |
CN113094715B (en) * | 2021-04-20 | 2023-08-04 | 国家计算机网络与信息安全管理中心 | Network security dynamic early warning system based on knowledge graph |
CN114465758A (en) * | 2021-12-14 | 2022-05-10 | 哈尔滨理工大学 | Network situation awareness method based on Bayesian decision network |
CN116561767B (en) * | 2023-05-19 | 2024-04-02 | 国家计算机网络与信息安全管理中心 | Vulnerability assessment method, vulnerability assessment device, vulnerability assessment equipment and storage medium |
Citations (1)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
CN102724210A (en) * | 2012-06-29 | 2012-10-10 | 上海海事大学 | Network security analytical method for solving K maximum probability attack graph |
- 2016-03-04 CN CN201610125022.XA patent/CN105681338B/en not_active Expired - Fee Related
Patent Citations (1)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
CN102724210A (en) * | 2012-06-29 | 2012-10-10 | 上海海事大学 | Network security analytical method for solving K maximum probability attack graph |
Non-Patent Citations (4)
Title |
---|
Improving CVSS-based vulnerability prioritization and response with context information; FRUHWIRTH C, MANNISTO T.; (none); 2009-12-31; 535-543 * |
Vulnerability hazard level assessment based on fuzzy theory; Ma Chi et al.; Application Research of Computers; 2013-11-05; vol. 31 (no. 3); 816-818 * |
Dynamic security risk assessment model based on Bayesian attack graph; Gao Ni et al.; Journal of Sichuan University (Engineering Science Edition); 2016-01-12; vol. 48 (no. 1); 112-118 * |
Application of Bayesian inference to the confidence computation of attack graph nodes; Zhang Shaojun et al.; Journal of Software; 2010-09-15; full text * |
Also Published As
Publication number | Publication date |
---|---|
CN105681338A (en) | 2016-06-15 |
Similar Documents
Publication | Publication Date | Title |
---|---|---|
CN105681338B (en) | Vulnerability exploit probability of success computational methods and network security risk management method | |
Li et al. | RETRACTED ARTICLE: Information security model of block chain based on intrusion sensing in the IoT environment | |
EP3211854B1 (en) | Cyber security | |
Kotenko et al. | A cyber attack modeling and impact assessment framework | |
Abraham et al. | Cyber security analytics: a stochastic model for security quantification using absorbing markov chains | |
EP4033387A1 (en) | Cyber security | |
Pradeep Mohan Kumar et al. | Intrusion detection system based on GA‐fuzzy classifier for detecting malicious attacks | |
Rahim et al. | Detecting the Phishing Attack Using Collaborative Approach and Secure Login through Dynamic Virtual Passwords. | |
Shmatko et al. | Development of methodological foundations for designing a classifier of threats to cyberphysical systems | |
Chen et al. | Multi-level adaptive coupled method for industrial control networks safety based on machine learning | |
Rakhimberdiev et al. | Prospects for the use of neural network models in the prevention of possible network attacks on modern banking information systems based on blockchain technology in the context of the digital economy | |
Chen et al. | Risk assessment of cyber attacks on power grids considering the characteristics of attack behaviors | |
Mishra et al. | DDoS vulnerabilities analysis and mitigation model in cloud computing | |
Vijayakumar et al. | Network security using multi-layer neural network | |
Yan et al. | Game-theoretical Model for Dynamic Defense Resource Allocation in Cyber-physical Power Systems Under Distributed Denial of Service Attacks | |
Malyuk et al. | Information security theory for the future internet | |
Gao et al. | Quantitative risk assessment of threats on scada systems using attack countermeasure tree | |
He et al. | A network security risk assessment framework based on game theory | |
Samuel | Cyber situation awareness perception model for computer network | |
Iyengar et al. | Chaotic theory based defensive mechanism against distributed denial of service attack in cloud computing environment | |
Song | Public cloud network intrusion and internet legal supervision based on abnormal feature detection | |
Zuo et al. | Security-critical components recognition algorithm for complex heterogeneous information systems | |
Qi et al. | Dynamic Assessment and VaR-Based Quantification of Information Security Risk | |
Kang et al. | Multi-dimensional security risk assessment model based on three elements in the IoT system | |
Obimbo et al. | Multiple SOFMs working cooperatively in a vote-based ranking system for network intrusion detection |
Legal Events
Date | Code | Title | Description |
---|---|---|---|
C06 | Publication | ||
PB01 | Publication | ||
C10 | Entry into substantive examination | ||
SE01 | Entry into force of request for substantive examination | ||
GR01 | Patent grant | ||
GR01 | Patent grant | ||
CF01 | Termination of patent right due to non-payment of annual fee | Granted publication date: 20181030 |