CN105681338B - Vulnerability exploitation success probability calculation method and network security risk management method (Google Patents)

Info

Publication number: CN105681338B
Authority: CN (China)
Prior art keywords: node, attack, post, probability, protective measures
Legal status: Expired - Fee Related (Google Patents lists the legal status as an assumption, not a legal conclusion)
Application number: CN201610125022.XA
Other languages: Chinese (zh)
Other versions: CN105681338A (en)
Inventors: 高岭, 高妮, 王帆, 王海, 雷艳婷, 申元
Current assignee: Northwest University (Google Patents notes that the listed assignees may be inaccurate)
Original assignee: Northwest University
Application filed by: Northwest University
Priority application: CN201610125022.XA

Classifications

    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L63/00 Network architectures or network communication protocols for network security
    • H04L63/14 Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic
    • H04L63/1433 Vulnerability analysis
    • H04L63/1441 Countermeasures against malicious traffic

Landscapes

  • Engineering & Computer Science (AREA)
  • Computer Security & Cryptography (AREA)
  • Computer Hardware Design (AREA)
  • Computing Systems (AREA)
  • General Engineering & Computer Science (AREA)
  • Computer Networks & Wireless Communication (AREA)
  • Signal Processing (AREA)
  • Computer And Data Communications (AREA)
  • Data Exchanges In Wide-Area Networks (AREA)

Abstract

The present invention relates to a vulnerability exploitation success probability calculation method and a network security risk management method. In the calculation method, the vulnerability exploitation success probability is derived from the magnitude of the vulnerability's exploitability probability; the network vulnerability exploitation success probability calculation method treats that exploitability as changing dynamically with time and establishes both static and dynamic exploitability evaluation indices, so that the exploitability of a vulnerability can be quantified accurately and the results of exploitability assessment become more diverse. The network security risk management method constructs economic indices and quantification methods for protection cost and attack gain, and uses a particle swarm optimization algorithm to solve effectively for the optimal defense strategy, so that the attack target nodes are ultimately protected and the security risk of the overall network is effectively reduced within a limited cost budget.

Description

Vulnerability exploitation success probability calculation method and network security risk management method
Technical field
The invention belongs to the technical field of computer network security and relates in particular to a vulnerability exploitation success probability calculation method and a network security risk management method.
Background technology
Computer network systems face complex attacks essentially because vulnerabilities exist in the design, development, operation, maintenance and configuration of computer software and hardware systems.
A network attack is a complex multi-step process: an external attacker analyzes the correlations among the vulnerabilities present in the internal network and then launches a multi-step attack, occupying more and more resources until the attack target is finally compromised. Multi-step attacks are multi-stage, purposeful and concealed. Conventional security defense methods such as firewalls and intrusion detection systems only identify attacks as best they can; they are passive defenses that cannot respond in time to unknown, multi-stage, hidden attack behavior, which poses a new challenge to traditional security defense methods.
Network security risk assessment methods based on attack graphs can analyze the correlations among vulnerabilities and the potential threats that result from them. Attack-graph-based risk assessment depends on the exploitability of each individual vulnerability, so the quantitative evaluation of a single vulnerability's exploitability is particularly important. Most current research relies solely on CVSS scores to obtain exploitability, but CVSS considers only the static characteristics of the vulnerability itself that an attacker can use; it does not account for the passage of time, with which the availability of exploit code and of patches both change dynamically. Moreover, many factors influence exploitability, and how to assign their influence weights correctly is the main problem in the quantitative evaluation of vulnerability exploitability.
The current challenge and breakthrough in network security is to research new models, technologies and methods for active defense: to judge the current security posture through risk assessment measures and to implement an active defense mechanism according to the result. In theory, identifying and patching the vulnerabilities of all hosts in a network would truly remove the security risk. In practice, however, patching a vulnerability normally incurs a cost, and patching every identified vulnerability is infeasible in real applications. To assess and reinforce the security of the overall network, the causal relations among vulnerability exploitations are established by modeling the steps of a multi-step attack with an attack graph. In attack-graph applications, the risk of the current network or information system is assessed and an optimal defense strategy is computed to control the risk and attack loss to an appropriate degree. The protective measures a security administrator takes generally include modifying firewall configuration, updating software, disabling system services and installing patches. In network security risk management every protective measure carries a protection cost, and weighing gain against cost is a complex problem; choosing the optimal defense strategy under a limited protection cost has therefore become a current research hotspot. Existing attack-graph-based active defense technologies seldom consider the uncertain factors present in network attacks when computing network security risk, and previous optimization algorithms such as greedy algorithms do not solve for the optimal defense strategy effectively.
Summary of the invention
In view of the drawbacks or shortcomings of the prior art, a first object of the present invention is to provide a vulnerability exploitation success probability calculation method.
The vulnerability exploitation success probability calculation method provided by the present invention includes:
Step 1, obtain an original attack graph; the original attack graph includes several nodes and several directed edges;
The nodes include I attribute state nodes S, where I is a positive integer, S_i ∈ S, i = 1, 2, 3, ..., I;
The directed edges E include several vulnerability exploitation edges;
E_v ∈ (S_pre, S_post) is any vulnerability exploitation edge, S_pre and S_post are respectively the preceding and succeeding nodes of the edge E_v ∈ (S_pre, S_post), S_pre, S_post ∈ S, and S_post is any node on which a vulnerability v_post exists;
Step 2, compute the vulnerability exploitation success probability of all vulnerability exploitation edges, where the vulnerability exploitation success probability P(v_post) of the edge E_v ∈ (S_pre, S_post) is:
P(v_post) = AV × w1 + AC × w2 + Au × w3 + RL × w4 + P_exploit × w5 (1)
AV is the Access Vector of the base metric group of the CVSS (Common Vulnerability Scoring System) for vulnerability v_post,
AC is the Access Complexity of the CVSS base metric group for vulnerability v_post,
Au is the Authentication of the CVSS base metric group for vulnerability v_post,
RL is the Remediation Level (patch availability) of the CVSS temporal metric group for vulnerability v_post,
the values of AV, AC, Au and RL are defined according to the corresponding indices in CVSS;
P_exploit is the exploit-code availability probability of vulnerability v_post, and t is the total number of days from the disclosure date of v_post to the current date, t a positive integer;
w1 = 0.073, w2 = 0.118, w3 = 0.191, w4 = 0.2361, w5 = 0.3819.
A second object of the present invention is to provide a Bayesian attack graph construction method.
The Bayesian attack graph construction method provided by the invention includes:
Step 1, obtain the original attack graph of the network; the original attack graph includes several nodes and several directed edges;
The nodes include I attribute state nodes S and N atomic attack nodes A, where I is a positive integer, S_i ∈ S, i = 1, 2, 3, ..., I; S_1 is the external attribute state node of the original attack graph; for i ≥ 2 the attribute state node S_i is either a node on which a vulnerability exists or an attack gain node, and for i ≥ 2 the parent node set Pa[S_i] and the ancestor node set of S_i are not empty; N is a positive integer, A_n ∈ A, n = 1, 2, 3, ..., N;
The directed edges E include several vulnerability exploitation edges and several attack success edges;
E_v ∈ (S_pre, S_post) is any vulnerability exploitation edge, S_pre and S_post are respectively the preceding and succeeding nodes of the edge E_v ∈ (S_pre, S_post), S_pre, S_post ∈ S, S_post is any node on which a vulnerability v_post exists, the parent node set Pa[S_post] of S_post is not empty, and S_pre ∈ Pa[S_post];
E_a ∈ (A_start, S_end) is any attack success edge, A_start and S_end are respectively the preceding and succeeding nodes of the edge E_a ∈ (A_start, S_end), A_start ∈ A, S_end ∈ S, S_end is any attack gain node, the parent node set Pa[S_end] of S_end is not empty, and A_start ∈ Pa[S_end];
Step 2, build the Bayesian attack graph of the original attack graph, which includes the following steps:
Step 2.1, compute the vulnerability exploitation success probability of all vulnerability exploitation edges, where the vulnerability exploitation success probability P(v_post) of the edge E_v ∈ (S_pre, S_post) is:
P(v_post) = AV × w1 + AC × w2 + Au × w3 + RL × w4 + P_exploit × w5 (2)
In formula (2): AV is the Access Vector of the base metric group of the CVSS (Common Vulnerability Scoring System) for vulnerability v_post,
AC is the Access Complexity of the CVSS base metric group for vulnerability v_post,
Au is the Authentication of the CVSS base metric group for vulnerability v_post,
RL is the Remediation Level (patch availability) of the CVSS temporal metric group for vulnerability v_post,
the values of AV, AC, Au and RL are defined according to the corresponding indices in CVSS;
P_exploit is the exploit-code availability probability of vulnerability v_post, and t is the total number of days from the disclosure date of v_post to the current date, t a positive integer;
w1 = 0.073, w2 = 0.118, w3 = 0.191, w4 = 0.2361, w5 = 0.3819;
Step 2.2, compute the attack success probability of all attack success edges, where the attack success probability P(A_start) of any attack success edge E_a ∈ (A_start, S_end) is: when node A_start has published vulnerability information, an attack tool and an attack method, P(A_start) is 0.8; when node A_start has published vulnerability information and an attack method but no attack tool, P(A_start) is 0.6; when node A_start has published vulnerability information but neither an attack method nor an attack tool, P(A_start) is 0.2;
Step 2.3, compute the local conditional probability distribution table LCPD of all attribute state nodes:
(1) the LCPD function P(S_post | Pa[S_post]) of a node S_post on which a vulnerability exists is:
(2) the LCPD function P(S_end | Pa[S_end]) of an attack gain node S_end is:
Step 2.4, compute the prior probability of all attribute state nodes:
(1) the prior probability of S_1 is P(S_1) = 0.7;
(2) the prior probability P(S_i) of an attribute state node with i ≥ 2 is:
In formula (3), P(S_i | Pa[S_i]) is the LCPD function of attribute state node S_i, S_j is an ancestor node of S_i, Pa[S_j] is the parent node set of node S_j, and P(S_j | Pa[S_j]) is the LCPD function of node S_j.
A third object of the present invention is to provide a network security risk management method.
The network security risk management method provided by the present invention includes:
Step 1, build a Bayesian attack graph using the method of claim 2;
Step 2, define defense strategies according to the monitored network environment, solve for the optimal defense strategy with the particle swarm optimization algorithm on the basis of protection cost and attack gain analysis, and finally apply the optimal defense strategy to the Bayesian attack graph:
Under defense strategy T, the protective measure applied to the network device to which any attack gain node S_end belongs is M_k; a protective measure M_k represents one of four operation types: disconnecting a network connection, disabling a service, installing a patch or installing a security product; the defense strategy T is expressed as a Boolean vector over the protective measure set M = {M_k | k = 1, ..., m}, i.e. T = (T_1, T_2, ..., T_k, ..., T_m),
The fitness function of the particle swarm algorithm is αSG(T) + (1 − α)SC(T); the optimal strategy minimizes the value of the fitness function αSG(T) + (1 − α)SC(T) subject to SC(T) ≤ B, where B is the network security management cost budget;
For the initial attack gain of the Bayesian attack graph, P(S_end) is the prior probability of the attack gain node S_end; G(S_end) is the attack gain of attack gain node S_end, where G1 is the confidentiality loss, G2 the integrity loss, G3 the availability loss and G4 the privilege escalation; the values of the confidentiality loss G1, integrity loss G2 and availability loss G3 are defined according to the corresponding indices in CVSS; when the vulnerability description information corresponding to node A_start contains one of the description fields execute arbitrary code, execute arbitrary files, overwrite arbitrary files, gain privileges, obtain privileges, root privileges, administrative privileges or elevation of privilege vulnerability, G4 = 1, otherwise G4 = 0; P1 is the preference factor of confidentiality loss, P1 = 100; P2 is the preference factor of integrity loss, P2 = 75; P3 is the preference factor of availability loss, P3 = 50; P4 is the preference factor of privilege escalation, P4 = 25;
SG(T) is the attack gain of the Bayesian attack graph after implementing defense strategy T. When protective measure M_k is enabled, PM(S_end | M_k) denotes the probability of attribute state node S_end after protective measure M_k is implemented; R_k is the preference factor for the influence on probability of the operation type of the protective measure M_k applied to any attack gain node S_end: R1 is the preference factor for the posterior-probability influence of disabling-service measures, R2 that of disconnecting-network-connection measures, R3 that of installing-security-product measures and R4 that of patching measures, 0 < R_k ≤ 100, and R_k takes the value R1, R2, R3 or R4 according to the measure M_k; when protective measure M_k is not enabled, PM(S_end | M_k) = P(S_end);
SC(T) is the protection cost of the Bayesian attack graph after implementing defense strategy T. C_k denotes the protection cost of implementing protective measure M_k on any attack gain node S_end; 0 < imp(asset) ≤ 1, where imp(asset) is valued according to the economic value of the network device to which attack gain node S_end belongs, the greater the economic value the greater its value; Q_k is the protection cost preference factor of implementing protective measure M_k on any attack gain node S_end: Q1 is the protection cost preference factor of disconnecting-network-connection measures, Q2 that of patching measures, Q3 that of disabling-service measures and Q4 that of installing-security-product measures, 0 < Q_k ≤ 100, Q1 > Q2 > Q3 > Q4, and Q_k takes the value Q1, Q2, Q3 or Q4 according to the measure M_k;
α is the preference weight of attack gain, 0 ≤ α ≤ 1.
Further, in the invention, when the network device to which attack gain node S_end belongs stores enterprise business-secret information, 0.7 ≤ imp(asset) ≤ 1; when it provides enterprise business services, 0.4 ≤ imp(asset) < 0.7; when it stores personal privacy information, 0 < imp(asset) < 0.4.
Further, the network devices to which the method of the invention applies include web servers, mail servers, domain name servers, database servers, FTP servers, gateway servers, administrator servers and PCs;
When the network device to which attack gain node S_end belongs is a database server, FTP server, administrator server, gateway server, web server, mail server, domain name server or PC, the corresponding value of imp(asset) is 1.0, 0.9, 0.8, 0.7, 0.6, 0.5, 0.4 or 0.3 respectively;
R1 = 100, R2 = 50, R3 = 30, R4 = 20;
Q1 = 100, Q2 = 80, Q3 = 60, Q4 = 40.
A fourth object of the present invention is to provide a network security risk management system.
The network security risk management system provided by the present invention comprises: a risk identification subsystem, a data storage and management subsystem, an attack graph generation subsystem based on the MulVAL tool, a risk assessment subsystem based on the Bayesian attack graph, and a network security risk management subsystem;
The risk identification subsystem identifies all network device information, discovers the network topology, analyzes the connectivity between hosts and identifies the vulnerability information of all hosts;
The data storage and management subsystem stores and manages data such as network device information, network topology, inter-host connectivity and vulnerabilities;
The attack graph generation subsystem based on the MulVAL tool inputs all the information collected by the risk identification subsystem into the MulVAL tool and finally visualizes the original attack graph of the network;
The original attack graph of the network includes several nodes and several directed edges;
The nodes include I attribute state nodes S and N atomic attack nodes A, where I is a positive integer, S_i ∈ S, i = 1, 2, 3, ..., I; S_1 is the external attribute state node of the original attack graph; for i ≥ 2 the attribute state node S_i is either a node on which a vulnerability exists or an attack gain node, and for i ≥ 2 the parent node set Pa[S_i] and the ancestor node set of S_i are not empty; N is a positive integer, A_n ∈ A, n = 1, 2, 3, ..., N;
The directed edges E include several vulnerability exploitation edges and several attack success edges;
E_v ∈ (S_pre, S_post) is any vulnerability exploitation edge, S_pre and S_post are respectively the preceding and succeeding nodes of the edge E_v ∈ (S_pre, S_post), S_pre, S_post ∈ S, S_post is any node on which a vulnerability v_post exists, the parent node set Pa[S_post] of S_post is not empty, and S_pre ∈ Pa[S_post];
E_a ∈ (A_start, S_end) is any attack success edge, A_start and S_end are respectively the preceding and succeeding nodes of the edge E_a ∈ (A_start, S_end), A_start ∈ A, S_end ∈ S, S_end is any attack gain node, the parent node set Pa[S_end] of S_end is not empty, and A_start ∈ Pa[S_end];
The risk assessment subsystem based on the Bayesian attack graph includes: a vulnerability exploitation success probability calculation module, an attack success probability calculation module, an LCPD calculation module and a risk evaluation module, where:
The vulnerability exploitation success probability calculation module computes the vulnerability exploitation success probability of all vulnerability exploitation edges, where the vulnerability exploitation success probability P(v_post) of the edge E_v ∈ (S_pre, S_post) is:
P(v_post) = AV × w1 + AC × w2 + Au × w3 + RL × w4 + P_exploit × w5 (4)
In formula (4): AV is the Access Vector of the base metric group of the CVSS (Common Vulnerability Scoring System) for vulnerability v_post,
AC is the Access Complexity of the CVSS base metric group for vulnerability v_post,
Au is the Authentication of the CVSS base metric group for vulnerability v_post,
RL is the Remediation Level (patch availability) of the CVSS temporal metric group for vulnerability v_post,
the values of AV, AC, Au and RL are defined according to the corresponding indices in CVSS;
P_exploit is the exploit-code availability probability of vulnerability v_post, and t is the total number of days from the disclosure date of v_post to the current date, t a positive integer;
w1 = 0.073, w2 = 0.118, w3 = 0.191, w4 = 0.2361, w5 = 0.3819;
The attack success probability calculation module computes the attack success probability of all attack success edges, where the attack success probability P(A_start) of any attack success edge E_a ∈ (A_start, S_end) is: when node A_start has published vulnerability information, an attack tool and an attack method, P(A_start) is 0.8; when node A_start has published vulnerability information and an attack method but no attack tool, P(A_start) is 0.6; when node A_start has published vulnerability information but neither an attack method nor an attack tool, P(A_start) is 0.2;
The LCPD calculation module computes the local conditional probability distribution table of all attribute state nodes:
(1) the LCPD function P(S_post | Pa[S_post]) of a node S_post on which a vulnerability exists is:
(2) the LCPD function P(S_end | Pa[S_end]) of an attack gain node S_end is:
The risk evaluation module computes the prior probability of all attribute state nodes in the attack graph:
(1) the prior probability of S_1 is P(S_1) = 0.7;
(2) for an attribute state node S_i with i ≥ 2, the prior probability P(S_i) is the joint probability of attribute state node S_i with all of its ancestor nodes, and the prior probability P(S_i) is:
In formula (5), P(S_i | Pa[S_i]) is the LCPD function of attribute state node S_i, S_j is an ancestor node of S_i, Pa[S_j] is the parent node set of node S_j, and P(S_j | Pa[S_j]) is the LCPD function of node S_j.
The network security risk management subsystem includes a defense strategy management module, a cost and benefit analysis module and an optimal defense strategy selection module;
The defense strategy management module defines the defense strategy T according to the monitored network environment. Under defense strategy T, the protective measure applied to the network device to which any attack gain node S_end belongs is M_k; a protective measure M_k represents disconnecting a network connection, disabling a service, installing a patch or installing a security product; the defense strategy T is expressed as a Boolean vector over the protective measure set M = {M_k | k = 1, ..., m}, i.e. T = (T_1, T_2, ..., T_k, ..., T_m),
The cost and benefit analysis module computes the initial attack gain SG0 of the Bayesian attack graph, the attack gain SG(T) of the Bayesian attack graph after implementing defense strategy T, and the protection cost SC(T) of the Bayesian attack graph after implementing defense strategy T:
In formula (6): P(S_end) is the prior probability of attack gain node S_end;
G(S_end) is the attack gain of attack gain node S_end, where G1 is the confidentiality loss, G2 the integrity loss, G3 the availability loss and G4 the privilege escalation; the values of the confidentiality loss G1, integrity loss G2 and availability loss G3 are defined according to the corresponding indices in CVSS; when the vulnerability description information corresponding to node A_start contains one of the description fields execute arbitrary code, execute arbitrary files, overwrite arbitrary files, gain privileges, obtain privileges, root privileges, administrative privileges or elevation of privilege vulnerability, G4 = 1, otherwise G4 = 0; P1 is the preference factor of confidentiality loss, P1 = 100; P2 is the preference factor of integrity loss, P2 = 75; P3 is the preference factor of availability loss, P3 = 50; P4 is the preference factor of privilege escalation, P4 = 25;
When protective measure M_k is enabled, PM(S_end | M_k) denotes the probability of attribute state node S_end after protective measure M_k is implemented; R_k is the preference factor for the influence on probability of the operation type of the protective measure M_k applied to any attack gain node S_end: R1 is the preference factor for the posterior-probability influence of disabling-service measures, R2 that of disconnecting-network-connection measures, R3 that of installing-security-product measures and R4 that of patching measures, 0 < R_k ≤ 100, and R_k takes the value R1, R2, R3 or R4 according to the measure M_k; when protective measure M_k is not enabled, PM(S_end | M_k) = P(S_end);
C_k denotes the protection cost of implementing protective measure M_k on any attack gain node S_end; 0 < imp(asset) ≤ 1, where imp(asset) is valued according to the economic value of the network device to which attack gain node S_end belongs, the greater the economic value the greater its value; Q_k is the protection cost preference factor of implementing protective measure M_k on any attack gain node S_end: Q1 is the protection cost preference factor of disconnecting-network-connection measures, Q2 that of patching measures, Q3 that of disabling-service measures and Q4 that of installing-security-product measures, 0 < Q_k ≤ 100, Q1 > Q2 > Q3 > Q4, and Q_k takes the value Q1, Q2, Q3 or Q4 according to the measure M_k;
The optimal defense strategy selection module solves for the optimal defense strategy with the particle swarm algorithm on the basis of protection cost and attack gain analysis:
The fitness function of the particle swarm algorithm is αSG(T) + (1 − α)SC(T); the optimal strategy minimizes the value of the fitness function αSG(T) + (1 − α)SC(T) subject to SC(T) ≤ B, where B is the network security management cost budget;
α is the preference weight of attack gain, 0 ≤ α ≤ 1.
Further, in the system of the invention, when the network device to which attack gain node S_end belongs stores enterprise business-secret information, 0.7 ≤ imp(asset) ≤ 1; when it provides enterprise business services, 0.4 ≤ imp(asset) < 0.7; when it stores personal privacy information, 0 < imp(asset) < 0.4.
Further, the network devices to which the system of the invention applies include web servers, mail servers, domain name servers, database servers, FTP servers, gateway servers, administrator servers and PCs;
When the network device to which attack gain node S_end belongs is a database server, FTP server, administrator server, gateway server, web server, mail server, domain name server or PC, the corresponding value of imp(asset) is 1.0, 0.9, 0.8, 0.7, 0.6, 0.5, 0.4 or 0.3 respectively;
R1 = 100, R2 = 50, R3 = 30, R4 = 20;
Q1 = 100, Q2 = 80, Q3 = 60, Q4 = 40.
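The cost-benefit strategy selection described for Step 2 of the network security risk management method and again for the cost and benefit analysis and optimal defense strategy selection modules of the system, as an added Python example that is not the patent's own code. It uses the preference factors P1..P4, R1..R4 and Q1..Q4, the imp(asset) device table and the G4 description fields stated in the text, encodes a defense strategy as the Boolean vector T, and minimizes the fitness αSG(T) + (1 − α)SC(T) subject to SC(T) ≤ B. Three combining formulas are assumptions, because the page does not reproduce them: G(S_end) is taken as the weighted sum G1·P1 + G2·P2 + G3·P3 + G4·P4, an enabled measure M_k is taken to reduce the node probability to P(S_end)·(1 − R_k/100), and C_k is taken as imp(asset)·Q_k. The search is exhaustive over T rather than the particle swarm optimization the patent uses, and the three-node graph is constructed sample input.

```python
from dataclasses import dataclass
from itertools import product

# Added example, not the patent's code. Factor values below are the ones stated
# in the patent; the combining formulas marked ASSUMED are not reproduced on the page.
P_PREF = {"confidentiality": 100, "integrity": 75, "availability": 50, "privilege": 25}
R_PREF = {"disable_service": 100, "disconnect": 50, "install_product": 30, "patch": 20}
Q_PREF = {"disconnect": 100, "patch": 80, "disable_service": 60, "install_product": 40}
IMP_ASSET = {"database": 1.0, "ftp": 0.9, "admin": 0.8, "gateway": 0.7,
             "web": 0.6, "mail": 0.5, "dns": 0.4, "pc": 0.3}
PRIV_FIELDS = ("execute arbitrary code", "execute arbitrary files",
               "overwrite arbitrary files", "gain privileges", "obtain privileges",
               "root privileges", "administrative privileges",
               "elevation of privilege vulnerability")


def privilege_escalation_flag(description: str) -> int:
    """G4: 1 when the vulnerability description carries one of the listed fields, else 0."""
    text = description.lower()
    return int(any(field in text for field in PRIV_FIELDS))


def attack_gain(g1: float, g2: float, g3: float, g4: int) -> float:
    """G(S_end) from the CIA losses G1..G3 and the privilege flag G4 (ASSUMED weighted sum)."""
    return (g1 * P_PREF["confidentiality"] + g2 * P_PREF["integrity"]
            + g3 * P_PREF["availability"] + g4 * P_PREF["privilege"])


@dataclass(frozen=True)
class GainNode:
    name: str
    prior: float    # P(S_end), the node's prior probability from the Bayesian attack graph
    gain: float     # G(S_end)
    device: str     # key of IMP_ASSET for the device the node belongs to
    measure: str    # operation type of the protective measure M_k available for the node


def initial_attack_gain(nodes) -> float:
    """SG0: expected attack gain before any measure is applied (ASSUMED sum of P * G)."""
    return sum(n.prior * n.gain for n in nodes)


def attack_gain_after(nodes, policy) -> float:
    """SG(T): an enabled M_k lowers the node probability by R_k percent (ASSUMED),
    a disabled one leaves PM(S_end | M_k) = P(S_end) as the patent states."""
    total = 0.0
    for node, enabled in zip(nodes, policy):
        pm = node.prior * (1 - R_PREF[node.measure] / 100) if enabled else node.prior
        total += pm * node.gain
    return total


def protection_cost(nodes, policy) -> float:
    """SC(T): sum of C_k = imp(asset) * Q_k over the enabled measures (ASSUMED)."""
    return sum(IMP_ASSET[n.device] * Q_PREF[n.measure]
               for n, enabled in zip(nodes, policy) if enabled)


def fitness(nodes, policy, alpha: float) -> float:
    """alpha * SG(T) + (1 - alpha) * SC(T), the fitness function of the patent."""
    return alpha * attack_gain_after(nodes, policy) + (1 - alpha) * protection_cost(nodes, policy)


def best_policy(nodes, budget: float, alpha: float):
    """Minimize the fitness subject to SC(T) <= B by enumerating every Boolean
    vector T; the patent uses particle swarm optimization for the same search."""
    if not 0.0 <= alpha <= 1.0:
        raise ValueError("alpha must lie in [0, 1]")
    best = None
    for policy in product((0, 1), repeat=len(nodes)):
        if protection_cost(nodes, policy) > budget:
            continue          # infeasible under the cost budget
        f = fitness(nodes, policy, alpha)
        if best is None or f < best[0]:
            best = (f, policy)
    return best


# Constructed sample graph: three attack gain nodes; G1..G3 use the CVSS v2
# impact values 0.275 (partial) and 0.660 (complete), G4 from the description text.
NODES = (
    GainNode("db", 0.6, attack_gain(1.0, 1.0, 0.0,
             privilege_escalation_flag("lets an authenticated user gain privileges")),
             "database", "patch"),
    GainNode("web", 0.8, attack_gain(0.66, 0.66, 0.66,
             privilege_escalation_flag("execute arbitrary code via a crafted request")),
             "web", "disable_service"),
    GainNode("mail", 0.4, attack_gain(0.275, 0.275, 0.0,
             privilege_escalation_flag("information disclosure")),
             "mail", "disconnect"),
)

if __name__ == "__main__":
    print("SG0 =", initial_attack_gain(NODES))
    print("best (fitness, T) =", best_policy(NODES, budget=100, alpha=0.9))
```

The fitness mixes two scales (expected attack gain against protection cost), so α deserves a check before a strategy is adopted: at α = 0 the search returns the empty strategy, at α = 1 it spends up to the budget on whatever lowers the expected gain most, and a practitioner should sweep α and look at both SG(T) and SC(T) of the result rather than the fitness value alone.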
Compared with the prior art, the present invention has the following advantages:
In the present invention the network vulnerability exploitation success probability is derived from the vulnerability exploitability probability; the network vulnerability exploitation success probability calculation method treats exploitability as changing dynamically with time and establishes static and dynamic exploitability evaluation indices, so that the exploitability of a vulnerability can be quantified accurately and the results of exploitability assessment become more diverse.
The Bayesian attack graph construction method of the present invention considers the uncertain factors of attacks, namely the vulnerability exploitation success probability and the attack success probability, and can assess the risk of the current network more accurately;
The network security risk management method of the present invention constructs detailed economic indices and quantification methods for protection cost and attack gain, and solves effectively for the optimal defense strategy with the particle swarm optimization algorithm, ultimately ensuring the security of the attack target nodes and effectively reducing the security risk of the overall network within a limited cost budget.
The risk identification subsystem of the network security risk management system of the present invention merges multi-source security data and establishes a complete system of risk assessment elements; the attack graph generation subsystem based on the MulVAL tool generates the original attack graph with MulVAL, whose time complexity is O(n^2), where n is the number of hosts in the network, giving high efficiency, good scalability and easy engineering implementation. The network security risk management system solves the problem of tracing the source of a network attack and realizes an active-defense security mechanism.
Description of the drawings
Fig. 1 is the overall architecture diagram of the network security risk management system based on the Bayesian attack graph of the present invention.
Fig. 2 is the evaluation index hierarchy diagram of a dynamic vulnerability exploitability analysis method based on fuzzy theory.
Fig. 3 is the probability calculation of an attack graph.
Fig. 4 is a network topology diagram.
Fig. 5 is the attack graph of the network shown in Fig. 4.
Fig. 6 is the attack gain of each attack gain node in the attack graph shown in Fig. 5.
Specific implementation mode
The technical scheme of the present invention is described in further detail below in conjunction with the accompanying drawings, but is not limited thereto.
The present invention uses a dynamic vulnerability exploitability analysis method based on the analytic hierarchy process (AHP) to quantitatively assess the exploitability probability of a vulnerability. The steps of the method are as follows:
Step 1: Select the vulnerability exploitability evaluation indexes
Step 1.1: From the base metric group of CVSS (Common Vulnerability Scoring System) in the American National Vulnerability Database (NVD), extract the three static indexes access vector AV, access complexity AC and authentication Au, and from the temporal metric group extract one dynamic index, the remediation level (patch repair level) RL. Table 1 gives the associated ratings of these four indexes in CVSS and the corresponding scores;
Table 1
Step 1.2: Extract the vulnerability publication date from the time attribute of the Open Source Vulnerability Database (OSVDB). After a vulnerability is disclosed, the availability of exploit code changes dynamically over time. The probability of exploit code availability is calculated with formula (7) and used to build a further dynamic index, exploit code availability:
where P_exploit is the exploit code availability probability value of vulnerability v_post, and t is the total number of days from the publication date of v_post to the current date, t being a positive integer;
Step 1.3: Establish the evaluation index hierarchy model, as shown in Fig. 2.
Step 2: Decompose the 5 indexes obtained in Step 1 into the target layer, criterion layer and scheme layer using the analytic hierarchy process (AHP), as shown in Table 2:
Table 2
Step 3: Using the analytic hierarchy process (AHP) of the paper "Vulnerability hazard level assessment based on fuzzy theory" published in the journal Application Research of Computers, calculate the weight vector of the relative importance of the 5 scheme-layer indexes to the target-layer vulnerability exploitability, expressed as W = (w1, w2, w3, w4, w5), where w1 + w2 + w3 + w4 + w5 = 1. The final calculation results are w1 = 0.073, w2 = 0.118, w3 = 0.191, w4 = 0.2361 and w5 = 0.3819. Therefore, the vulnerability exploitability probability is obtained as follows:
Score = AV × w1 + AC × w2 + Au × w3 + RL × w4 + P_exploit × w5
The vulnerability exploitability probability is taken as the source of the vulnerability exploit success probability, expressed as:
P(v_post) = Score (8)
where P(v_post) denotes the vulnerability exploit success probability.
To explain the calculation process of the proposed vulnerability exploit success probability calculation method, a specific vulnerability, CVE-2015-0838, is calculated. The vulnerability is described as an improper restriction of operations within the bounds of a memory buffer, through which a remote attacker can execute arbitrary code by means of a specially crafted package file. Detailed information on the vulnerability can be obtained from the NVD database, as shown in Table 3.
Table 3
CVE number: CVE-2015-0838
Access vector: Remote network access
Access complexity: Low
Authentication: No authentication required
Publication date: 2015-03-31
Remediation level: Official patch
The disclosure date of the vulnerability is March 31, 2015. Assuming that the current date is May 31, 2015, the total number of days from the vulnerability publication date to the current date is 60 days, and the exploit code availability calculated according to formula (7) is P_exploit = 0.9352.
Therefore, the vulnerability exploit success probability calculated according to formula (8) is:
P(v_post) = 1 × 0.073 + 0.71 × 0.118 + 0.704 × 0.191 + 0.87 × 0.2361 + 0.9352 × 0.3819 = 0.8538
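The scoring in formula (8), as an added example that is not the patent's own code: it parses a CVSS v2 vector string, maps the four metrics to the standard CVSS v2 numeric values (the Table 1 scores used in the worked calculation above), applies the AHP weights stated in Step 3, and ranks several vulnerabilities by the result. Formula (7) for P_exploit is not reproduced on the page, so P_exploit is passed in as an input; the value 0.9352 is the one the worked example uses for t = 60 days. The second vulnerability in the ranking is a constructed placeholder, not a real identifier.

```python
"""P(v_post) = AV*w1 + AC*w2 + Au*w3 + RL*w4 + P_exploit*w5 from a CVSS v2 vector.

Added example (not the patent's code). Metric tables are the standard CVSS v2
numeric values; AHP weights are those stated in the patent; P_exploit is an input
because formula (7) is not reproduced on the page.
"""
from __future__ import annotations

# CVSS v2 base metric values (standard CVSS v2 scale).
ACCESS_VECTOR = {"L": 0.395, "A": 0.646, "N": 1.0}      # Local / Adjacent / Network
ACCESS_COMPLEXITY = {"H": 0.35, "M": 0.61, "L": 0.71}   # High / Medium / Low
AUTHENTICATION = {"M": 0.45, "S": 0.56, "N": 0.704}     # Multiple / Single / None
# CVSS v2 temporal metric Remediation Level: Official fix / Temporary fix /
# Workaround / Unavailable / Not defined.
REMEDIATION_LEVEL = {"OF": 0.87, "TF": 0.90, "W": 0.95, "U": 1.0, "ND": 1.0}

# AHP weights (w1..w5) for (AV, AC, Au, RL, P_exploit) as given in Step 3.
AHP_WEIGHTS = (0.073, 0.118, 0.191, 0.2361, 0.3819)


def parse_cvss2_vector(vector: str) -> dict[str, str]:
    """Parse 'AV:N/AC:L/Au:N/RL:OF' into {metric: value}.

    Only AV, AC, Au and RL are validated; other metrics of a full vector
    (C/I/A, E, RC, ...) are kept but not used by the score.
    """
    metrics: dict[str, str] = {}
    for part in vector.strip().strip("()").split("/"):
        if ":" not in part:
            raise ValueError(f"malformed metric {part!r}")
        key, value = part.split(":", 1)
        metrics[key] = value
    for key, table in (("AV", ACCESS_VECTOR), ("AC", ACCESS_COMPLEXITY), ("Au", AUTHENTICATION)):
        if key not in metrics:
            raise ValueError(f"missing required metric {key}")
        if metrics[key] not in table:
            raise ValueError(f"unknown value {metrics[key]!r} for {key}")
    # CVSS treats an absent temporal metric as Not Defined.
    metrics.setdefault("RL", "ND")
    if metrics["RL"] not in REMEDIATION_LEVEL:
        raise ValueError(f"unknown value {metrics['RL']!r} for RL")
    return metrics


def exploit_success_probability(vector: str, p_exploit: float) -> float:
    """P(v_post) for one CVSS v2 vector and its exploit-code availability P_exploit."""
    if not 0.0 <= p_exploit <= 1.0:
        raise ValueError("P_exploit must be a probability in [0, 1]")
    m = parse_cvss2_vector(vector)
    values = (
        ACCESS_VECTOR[m["AV"]],
        ACCESS_COMPLEXITY[m["AC"]],
        AUTHENTICATION[m["Au"]],
        REMEDIATION_LEVEL[m["RL"]],
        p_exploit,
    )
    return round(sum(v * w for v, w in zip(values, AHP_WEIGHTS)), 4)


def rank_vulnerabilities(entries: list[tuple[str, str, float]]) -> list[tuple[str, float]]:
    """Rank (label, vector, P_exploit) triples by P(v_post), highest first.

    Because w5 is the largest weight, the dynamic term dominates: two
    vulnerabilities with identical base metrics are separated by P_exploit.
    """
    scored = [(label, exploit_success_probability(vec, p)) for label, vec, p in entries]
    return sorted(scored, key=lambda item: item[1], reverse=True)


if __name__ == "__main__":
    # CVE-2015-0838 as in Table 3: network / low / none / official fix, t = 60 days.
    print(exploit_success_probability("AV:N/AC:L/Au:N/RL:OF", 0.9352))   # 0.8538
    # Constructed placeholder entry with the same base metrics but little exploit code.
    print(rank_vulnerabilities([
        ("CVE-2015-0838", "AV:N/AC:L/Au:N/RL:OF", 0.9352),
        ("EXAMPLE-VULN-PLACEHOLDER", "AV:N/AC:L/Au:N/RL:OF", 0.1),
    ]))
```

Because the base metrics are static, re-scoring over time only moves the P_exploit term, which is the point of Step 1.2: a defender re-running this ranking as t grows sees the same vulnerability climb the list without any change in its CVSS vector.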
With reference to Fig. 1, the network security risk management system and method of the present invention are as follows:
Step 1: Risk identification
Step 1.1: The OVAL-based vulnerability scanning assessment report collection module 111 obtains the vulnerability reports of all hosts in the network using the OVAL scanner, and stores the collected vulnerability data in the data storage and management subsystem 12 for centralized management;
Step 1.2: The network connectivity analysis module 112 obtains the communication rules of each host in the network through the firewall system, and stores the collected inter-host connectivity data in the data storage and management subsystem 12;
Step 1.3: The network device configuration management module 113 obtains the network device information and topology using the ManageEngine network topology management software, and stores them in the data storage and management subsystem 12;
Step 2: The MulVAL-based attack graph generation subsystem 13 converts the obtained vulnerability reports into the Datalog data format as the input .P file of the MulVAL tool. After running the MulVAL tool, the output attack graph information is stored mainly in the node file VERTICES.CSV and the edge file ARCS.CSV, and the attack graph is finally visualized in the AttackGraph.pdf file. The time complexity of the attack graph generation algorithm of the MulVAL tool is O(n^2), where n is the number of hosts in the network, so it has high efficiency and good scalability.
Step 3: Obtain the Bayesian attack graph
Calculate the vulnerability exploit success probability P(v_post), the attack success probability P(A_start), the LCPD tables and the prior probabilities P(S_i) of the attack graph.
Step 3.1: The vulnerability exploit success probability calculation module 141 takes the vulnerability exploitability probability as the source of the vulnerability exploit success probability, expressed as:
P(v_post) = Score (9)
where P(v_post) denotes the vulnerability exploit success probability and Score denotes the vulnerability exploitability probability.
Step 3.2: The attack success probability assignment module 142 configures the attack success probability P(A_start) according to the attack type. For any attack success edge E_a ∈ (A_start, S_end), the attack success probability P(A_start) is: when node A_start has published vulnerability information, an attack tool and an attack method, P(A_start) is 0.8; when node A_start has published vulnerability information and an attack method but no attack tool, P(A_start) is 0.6; when node A_start has published vulnerability information but no attack method and no attack tool, P(A_start) is 0.2;
Step 3.3: The LCPD calculation module 143 calculates the local conditional probability distribution table LCPD of all attribute state nodes, obtained as follows:
(1) The LCPD function P(S_post | Pa[S_post]) of a node S_post with a vulnerability is:
(2) The LCPD function P(S_end | Pa[S_end]) of an attack income node S_end is:
To show the calculation process of the LCPD, a derivation is given in Fig. 3. Node S1 is the external attribute state node, and nodes S2, S3 and S4 are attribute state nodes. S4 is a descendant node of S3, S2 and S1. The vulnerability exploit success probability is calculated according to formula (9); the attack success probabilities of A1 and A2 are configured as 0.2 and 0.8 respectively according to the attack type; the prior probability of the external attribute state node S1 is P(S1) = 0.7; and the LCPDs of S2, S3 and S4 are calculated as described in Step 3.3.
Step 3.4: The risk evaluation module 144 calculates the prior probability of all attribute state nodes:
(1) The prior probability of S1 is P(S1) = 0.7;
(2) For an attribute state node S_i with i ≥ 2, the prior probability P(S_i) is the joint probability of the attribute state node S_i and all of its ancestor nodes, and the prior probability P(S_i) is:
where P(S_i, Ancestor[S_i]) denotes the joint probability of S_i and all of its ancestor nodes Ancestor[S_i], P(S_i | Pa[S_i]) is the LCPD function of the attribute state node S_i, S_j is an ancestor node of S_i, Pa[S_j] is the parent node set of node S_j, and P(S_j | Pa[S_j]) is the LCPD function of node S_j.
In Fig. 3, according to formula (10), the prior probabilities of nodes S2, S3 and S4 are calculated as follows:
P(S2) = P(S2, S1) = P(S2=1 | S1=1) × P(S1) = 0.86 × 0.7 = 0.602
P(S3) = P(S3, S1) = P(S3=1 | S1=1) × P(S1) = 0.39 × 0.7 = 0.273
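The prior-probability computation of formula (10) over the Fig. 3 graph, as an added example that is not the patent's code. It computes Ancestor[S_i] by walking the parent sets, multiplies the LCPD entry of S_i by the LCPD entries of every ancestor, and rejects a cyclic graph. The LCPD formulas of Step 3.3 are not reproduced on the page, so the conditional values are taken as inputs: P(S1) = 0.7, P(S2=1 | S1=1) = 0.86 and P(S3=1 | S1=1) = 0.39 are from the walk-through above, while the entry for S4 is a constructed assumption, because the page does not give it.

```python
"""Formula (10): P(S_i) = P(S_i=1 | Pa[S_i]=1) * prod over S_j in Ancestor[S_i] of P(S_j=1 | Pa[S_j]=1).

Added example, not the patent's code. Graph and LCPD values follow the Fig. 3
walk-through; the S4 entry is a constructed assumption.
"""
from __future__ import annotations

# Attribute state nodes: child -> parent set Pa[S_i]. The atomic attack nodes
# A1/A2 sit on the edges; their effect is already folded into the LCPD values.
PARENTS: dict[str, list[str]] = {
    "S1": [],             # external attribute state node
    "S2": ["S1"],
    "S3": ["S1"],
    "S4": ["S2", "S3"],   # S4 is a descendant of S3, S2 and S1
}

# P(S_i = 1 | all parents = 1); for S1 this is its prior P(S1).
LCPD: dict[str, float] = {
    "S1": 0.7,    # prior of the external node, as in the text
    "S2": 0.86,   # from the Fig. 3 walk-through
    "S3": 0.39,   # from the Fig. 3 walk-through
    "S4": 0.55,   # constructed assumption (not given on the page)
}


def ancestors(node: str, parents: dict[str, list[str]]) -> set[str]:
    """Ancestor[S_i]: the transitive closure of the parent relation.

    Raises ValueError on a cycle, since a Bayesian attack graph must be a DAG
    (a cycle would make the joint probability below ill-defined).
    """
    seen: set[str] = set()
    stack = list(parents[node])
    while stack:
        cur = stack.pop()
        if cur == node:
            raise ValueError(f"cycle through {node}")
        if cur in seen:
            continue
        seen.add(cur)
        stack.extend(parents[cur])
    return seen


def prior_probability(node: str, parents: dict[str, list[str]] = PARENTS,
                      lcpd: dict[str, float] = LCPD) -> float:
    """Joint probability of S_i and all of its ancestors being reached (formula (10))."""
    p = lcpd[node]
    for anc in ancestors(node, parents):
        p *= lcpd[anc]
    return round(p, 4)


def all_priors(parents: dict[str, list[str]] = PARENTS,
               lcpd: dict[str, float] = LCPD) -> dict[str, float]:
    """Prior probability of every attribute state node in the graph."""
    return {n: prior_probability(n, parents, lcpd) for n in parents}


if __name__ == "__main__":
    print(all_priors())   # S2 -> 0.602 and S3 -> 0.273 match the text
```

Note that the product runs over the whole ancestor set, not only the direct parents: for S4 the factors are its own LCPD entry and those of S2, S3 and S1, so a node deep in the graph gets a small prior even when each individual step is likely, which is what makes far-away income nodes rank low in risk.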
Step 4: Network security risk management subsystem 15
Construct the index and quantification methods for protection cost and attack income, obtain the optimal protection strategy using the particle swarm algorithm, and implement the optimal protection strategy on the Bayesian attack graph, finally reducing the security risk of the whole network.
Step 4.1: The protection strategy management module 151 defines that, under protection strategy T, the protection measure implemented at any attack income node S_end is M_k. Protection measure M_k means that the network device to which the attack income node S_end belongs performs only one of the four classes of operation: disconnecting the network connection, disabling a service, installing a patch or installing a security product. Protection strategy T is represented by a Boolean vector over the protection measure set M = {M_k | k = 1, ..., m}, i.e. T = (T1, T2, ..., Tk, ..., Tm),
Step 4.2: The cost-benefit analysis module 152 establishes the security indexes and index quantification methods for protection cost and attack income.
(1) Calculate the initial attack income SG_0 of the Bayesian attack graph:
where P(S_end) is the prior probability of the attack income node S_end;
G(S_end) is the attack income of the attack income node S_end, obtained as follows:
G1 is the confidentiality loss, G2 the integrity loss, G3 the availability loss and G4 the privilege escalation, where the values of the confidentiality loss G1, integrity loss G2 and availability loss G3 are defined according to the corresponding indexes in CVSS; when the vulnerability description information corresponding to node A_start contains one of the description fields execute arbitrary code, execute arbitrary files, overwrite arbitrary files, gain privileges, obtain privileges, root privileges, administrative privileges or elevation of privilege vulnerability, G4 = 1, otherwise G4 = 0; P1 is the preference factor of confidentiality loss, P1 = 100; P2 is the preference factor of integrity loss, P2 = 75; P3 is the preference factor of availability loss, P3 = 50; P4 is the preference factor of privilege escalation, P4 = 25. Table 4 gives the associated ratings and corresponding scores of these 4 indexes.
Table 4
For example, after an atomic attack exploiting an inherent vulnerability of some software succeeds, the attacker reaches an attack income node whose confidentiality loss value is 0.66 points and whose privilege escalation value is 1 point; the corresponding attack income calculated according to formula (11) is
(2) Calculate the attack income SG(T) of the Bayesian attack graph after implementing protection strategy T, obtained as follows:
where P_M(S_end | M_k) denotes the probability of the attribute state node S_end after implementing protection measure M_k, obtained as follows:
R_k is the preference factor of the influence on probability of the operation type of the protection measure M_k implemented at any attack income node S_end; R1 is the preference factor of the influence on the posterior probability of the disable-service class of protection measures, R1 = 100; R2 is the preference factor of the influence on the posterior probability of the disconnect-network-connection class, R2 = 50; R3 is the preference factor of the influence on the posterior probability of the install-security-product class, R3 = 30; R4 is the preference factor of the influence on the posterior probability of the install-patch class, R4 = 20. When protection measure M_k is not enabled, P_M(S_end | M_k) = P(S_end);
(3) Calculate the protection cost SC(T) of the Bayesian attack graph after implementing protection strategy T, obtained as follows:
where C_k denotes the protection cost of implementing protection measure M_k at any attack income node S_end, obtained as follows:
where 0 < imp(asset) ≤ 1; imp(asset) takes its value according to the economic value of the network device to which the attack income node S_end belongs, the greater the economic value, the greater its value; when the network device to which the attack income node S_end belongs stores enterprise trade secret information, 0.7 ≤ imp(asset) ≤ 1; when it provides an enterprise business service, 0.4 ≤ imp(asset) < 0.7; when it stores personal privacy information, 0 < imp(asset) < 0.4.
As shown in Fig. 4, the network devices include a web server, a mail server, a DNS server, a database server, an FTP server, a gateway server, an administrator server and PCs; when the network device to which the attack income node S_end belongs is the database server, FTP server, administrator server, gateway server, web server, mail server, DNS server or PC, the corresponding value of imp(asset) is 1.0, 0.9, 0.8, 0.7, 0.6, 0.5, 0.4 or 0.3 respectively;
Q_k is the protection cost preference factor of the protection measure M_k implemented at any attack income node S_end; Q1 is the protection cost preference factor of the disconnect-network-connection class of protection measures, Q2 that of the install-patch class, Q3 that of the disable-service class and Q4 that of the install-security-product class, 0 < Q_k ≤ 100, Q1 > Q2 > Q3 > Q4; Q_k takes the value Q1, Q2, Q3 or Q4 according to protection measure M_k, configured as Q1 = 100, Q2 = 80, Q3 = 60, Q4 = 40.
For example, if protection measure M_k is disconnecting the network connection of the FTP server, the protection cost C_k calculated according to formula (13) is
Step 4.3: The optimal protection strategy selection module 153 solves for an optimal protection strategy under the conditions of the Bayesian attack graph obtained in Step 3 and the network security management cost budget B, such that:
1) the value of the function α·SG(T) + (1-α)·SC(T) is minimal;
2) SC(T) ≤ B.
where T = (T1, T2, ..., Tk, ..., Tm) is a set of decision variables and α is the preference weight of attack income, 0 ≤ α ≤ 1. The specific value of the attack income preference weight in the present invention is determined according to the importance of attack income: the more important it is to enterprise management, the larger the value of α.
The implementation of the particle-swarm-based optimal protection strategy selection algorithm includes the following steps:
1) Define the fitness function fitness(X) = α·SG(X) + (1-α)·SC(X) of the particle swarm algorithm;
2) In a swarm of size n and a D-dimensional space, randomly initialize the initial position X_i = (X_i1, X_i2, ..., X_id, ..., X_iD) and velocity V_i = (V_i1, V_i2, ..., V_id, ..., V_iD) of the i-th particle, initialize the optimal protection strategy T = (0, 0, ..., 0)_{1×D}, and initialize the maximum number of iterations K, such that: the position value in dimension d is 0 or 1, the velocity value in dimension d is a random number following the standard normal distribution, and SC(X_i) ≤ B, where 1 ≤ i ≤ n, 1 ≤ d ≤ D.
Then generate the corresponding matrices.
3) At the k-th iteration, substitute each particle X_i into the fitness function to obtain its value, where 1 ≤ k ≤ K;
4) According to the formula:
calculate the local optimal position of the i-th particle; for all particles, according to the formula:
calculate the global optimal position;
5) According to the formula:
update the velocity and position of each particle at the k-th iteration respectively;
6) If the maximum number of iterations K is reached, set the optimal protection strategy T to the global optimal position, output T and exit; otherwise go to step 3).
To explain the implementation effect of the proposed particle-swarm-based optimal protection strategy selection algorithm, a network experiment topology environment is given as shown in Fig. 4. The current network devices include a web server (WS), a mail server (MS), a DNS server (DS), a database server (DBS), an FTP server (FS), a gateway server (GS), an administrator server (AS) and PCs. The network communication rules of each server are configured by the firewall system, as shown in Table 5. When the network device to which the attack income node S_end belongs is the database server, FTP server, administrator server, gateway server, web server, mail server, DNS server or PC, the corresponding value of imp(asset) is 1.0, 0.9, 0.8, 0.7, 0.6, 0.5, 0.4 or 0.3.
Table 5
All vulnerability information present in the network system is obtained using the OVAL vulnerability scanner, as shown in Table 6. The original attack graph generated by the MulVAL tool is shown in Fig. 5.
Table 6
The attack income G(S_end) of each attack income node S_end is calculated according to formula (11), as shown in Fig. 6.
Given the protection measures M_k under the given network environment, the protection cost C_k of each protection measure and the probability P_M(S_end | M_k) after implementing the protection measure are calculated according to formulas (13) and (12) respectively, as shown in Table 7.
Table 7
M_k  Description  C_k  P_M(S_end | M_k)
M1  Disconnect the network connection of DBS  35.7  0.136
M2  Disconnect the network connection of FS  32.13  0.25
M3  Disconnect the network connection of AS  28.56  0.032
M4  Disconnect the network connection of GS  24.99  0.162
M5  Disconnect the network connection of WS  21.42  0.158
M6  Disconnect the network connection of MS  17.85  0.121
M7  Install the patch for vulnerability CVE-2014-1466 on DBS  28.6  0.054
M8  Install the patch for vulnerability CVE-2012-2526 on FS  25.74  0.1
M9  Install the patch for vulnerability CVE-2009-0692 on AS  22.88  0.012
M10  Install the patch for vulnerability CVE-2007-4752 on GS  20.02  0.065
M11  Install the patch for vulnerability CVE-2015-1635 on WS  17.16  0.063
M12  Install the patch for vulnerability CVE-2004-0840 on MS  14.3  0.049
M13  Disable the SQL service of DBS  21.4  0.272
M14  Disable the SSH/FTP services of FS  19.26  0.5
M15  Disable the TCP/IP service of AS  17.12  0.065
M16  Disable the TCP/IP service of GS  14.98  0.324
M17  Disable the HTTP service of WS  12.84  0.316
M18  Disable the SMTP service of MS  10.7  0.243
M19  Install a firewall on GS  10  0.121
M20  Install an intrusion detection system on GS  10  0.121
Given the network security management cost budget B = 100, the preference weight of attack income α = 0.5 and the swarm size n = 100. The number of available protection measures is Number_M = 20, i.e. the number of decision variables in T equals the number of protection measures Number_M, so the particle dimension D = Number_M = 20. The inertia weight w = 0.8, the learning factors c1 = c2 = 2, the random numbers r1 = r2 = 0.5 and the maximum number of iterations K = 100. Using the particle-swarm-based optimal protection strategy selection algorithm of this patent, the optimal protection strategy T = (0,0,0,0,0,0,0,1,0,0,0,1,1,0,1,0,1,0,0,1) is obtained; the corresponding set of enabled protection measures is {M8, M12, M13, M15, M17, M20}, and SC = 99.4.
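The six-step particle swarm procedure of Step 4.3 on a small instance, as an added example that is not the patent's code. It uses binary positions, standard-normal initial velocities, the budget constraint SC(T) ≤ B, pbest/gbest updates and the velocity update with w, c1, c2, r1, r2 as described above, and includes an exhaustive search so the swarm result can be checked on an instance this small. Formulas (12) to (14) for SG(T) and SC(T) are not reproduced on the page, so this example assumes SC(T) is the sum of C_k over enabled measures and SG(T) is the sum over income nodes of P_T(S_end) × G(S_end), where P_T(S_end) is the smallest P_M(S_end | M_k) among the enabled measures protecting that node (or the prior P(S_end) if none). The C_k and P_M values are taken from Table 7; the node priors and the attack incomes G(S_end) are constructed, since Fig. 6 is not on the page, and the budget and α differ from the experiment above.

```python
"""Binary PSO for the optimal protection strategy T (Step 4.3).

Added example, not the patent's code. ASSUMED: SC(T) = sum of enabled C_k;
SG(T) = sum over income nodes of P_T(S_end) * G(S_end) with the best enabled
measure per node. Costs/P_M from Table 7; priors and G(S_end) constructed.
"""
from __future__ import annotations

import math
import random
from dataclasses import dataclass


@dataclass(frozen=True)
class Measure:
    name: str
    node: str       # attack income node S_end the measure protects
    cost: float     # C_k
    p_after: float  # P_M(S_end | M_k)


# Constructed income nodes: S_end -> (prior P(S_end), attack income G(S_end)).
NODES = {"DBS": (0.30, 91.0), "FS": (0.50, 70.0), "WS": (0.35, 50.0)}

# Subset of Table 7 (C_k and P_M as printed there).
MEASURES = [
    Measure("M1", "DBS", 35.70, 0.136), Measure("M2", "FS", 32.13, 0.250),
    Measure("M5", "WS", 21.42, 0.158), Measure("M7", "DBS", 28.60, 0.054),
    Measure("M8", "FS", 25.74, 0.100), Measure("M11", "WS", 17.16, 0.063),
    Measure("M13", "DBS", 21.40, 0.272), Measure("M14", "FS", 19.26, 0.500),
    Measure("M17", "WS", 12.84, 0.316),
]


def protection_cost(t: list[int], measures=MEASURES) -> float:
    """SC(T): assumed sum of C_k over enabled measures."""
    return sum(m.cost for m, on in zip(measures, t) if on)


def attack_income(t: list[int], measures=MEASURES, nodes=NODES) -> float:
    """SG(T): assumed sum of P_T(S_end) * G(S_end); the best enabled measure governs a node."""
    p_after = {n: prior for n, (prior, _) in nodes.items()}
    for m, on in zip(measures, t):
        if on:
            p_after[m.node] = min(p_after[m.node], m.p_after)
    return sum(p_after[n] * g for n, (_, g) in nodes.items())


def fitness(t: list[int], alpha: float, measures=MEASURES, nodes=NODES) -> float:
    """Step 1 of the algorithm: alpha * SG(T) + (1 - alpha) * SC(T)."""
    return alpha * attack_income(t, measures, nodes) + (1 - alpha) * protection_cost(t, measures)


def select_strategy(alpha=0.7, budget=60.0, n=30, k_max=100, w=0.8, c1=2.0, c2=2.0,
                    r1=0.5, r2=0.5, seed=1, measures=MEASURES, nodes=NODES) -> tuple[list[int], float]:
    """Binary PSO; returns (T, fitness). Only particles with SC(T) <= budget can become pbest/gbest."""
    rng = random.Random(seed)
    d = len(measures)

    def sigmoid(v: float) -> float:
        return 1.0 / (1.0 + math.exp(-v))

    def feasible(t: list[int]) -> bool:
        return protection_cost(t, measures) <= budget

    # Step 2: binary positions, N(0,1) velocities. Particle 0 is the all-zero
    # strategy T = (0, ..., 0), always feasible, so gbest starts from a valid point.
    xs = [[0] * d] + [[rng.randint(0, 1) for _ in range(d)] for _ in range(n - 1)]
    vs = [[rng.gauss(0.0, 1.0) for _ in range(d)] for _ in range(n)]
    pbest = [list(x) if feasible(x) else [0] * d for x in xs]
    pbest_f = [fitness(p, alpha, measures, nodes) for p in pbest]
    g = min(range(n), key=lambda i: pbest_f[i])
    gbest, gbest_f = list(pbest[g]), pbest_f[g]

    for _ in range(k_max):                                   # Steps 3 to 6
        for i in range(n):
            f = fitness(xs[i], alpha, measures, nodes)       # Step 3
            if feasible(xs[i]) and f < pbest_f[i]:           # Step 4: local optimum
                pbest[i], pbest_f[i] = list(xs[i]), f
                if f < gbest_f:                              # Step 4: global optimum
                    gbest, gbest_f = list(xs[i]), f
            for j in range(d):                               # Step 5: velocity / position
                v = w * vs[i][j] + c1 * r1 * (pbest[i][j] - xs[i][j]) + c2 * r2 * (gbest[j] - xs[i][j])
                vs[i][j] = max(-4.0, min(4.0, v))            # clamp keeps the sigmoid from saturating
                xs[i][j] = 1 if rng.random() < sigmoid(vs[i][j]) else 0
    return gbest, gbest_f                                    # Step 6


def exhaustive_optimum(alpha=0.7, budget=60.0, measures=MEASURES, nodes=NODES) -> tuple[list[int], float]:
    """Brute force over all 2^m strategies, to check the PSO result on small instances."""
    best, best_f = [0] * len(measures), math.inf
    for bits in range(1 << len(measures)):
        t = [(bits >> j) & 1 for j in range(len(measures))]
        if protection_cost(t, measures) <= budget:
            f = fitness(t, alpha, measures, nodes)
            if f < best_f:
                best, best_f = t, f
    return best, best_f


if __name__ == "__main__":
    t, f = select_strategy()
    print([m.name for m, on in zip(MEASURES, t) if on], round(f, 3), round(protection_cost(t), 2))
    print(round(exhaustive_optimum()[1], 3))
```

With these inputs the three patches M7, M8 and M11 together cost 71.5, above the budget, so the swarm has to trade one of them off; the exhaustive search exists precisely because a stochastic optimiser gives no guarantee on its own, and on a real 20-measure instance like the one above it is the sanity check a practitioner runs before trusting the chosen T.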

Claims (7)

1. A Bayesian attack graph construction method, characterized in that the method comprises:
Step 1, obtaining an original attack graph, the original attack graph comprising several nodes and several directed edges;
the several nodes comprise I attribute state nodes S and N atomic attack nodes A, where S_i ∈ S, i = 1, 2, 3, ..., I, I is a positive integer, S1 is the external attribute state node of the original attack graph, when i ≥ 2 the attribute state node S_i is either a node with a vulnerability or an attack income node, and when i ≥ 2 the parent node set Pa[S_i] and the ancestor node set Ancestor[S_i] of the attribute state node S_i are not empty; N is a positive integer, A_n ∈ A, n = 1, 2, 3, ..., N;
the several directed edges E comprise several vulnerability exploit edges and several attack success edges;
E_v ∈ (S_pre, S_post) is any vulnerability exploit edge, S_pre and S_post are respectively the front and back nodes of the edge E_v ∈ (S_pre, S_post), S_pre, S_post ∈ S, S_post is any node with a vulnerability v_post, the parent node set Pa[S_post] of S_post is not empty, and S_pre ∈ Pa[S_post];
E_a ∈ (A_start, S_end) is any attack success edge, A_start and S_end are respectively the front and back nodes of the edge E_a ∈ (A_start, S_end), A_start ∈ A, S_end ∈ S, S_end is any attack income node, the parent node set Pa[S_end] of S_end is not empty, and A_start ∈ Pa[S_end];
Step 2, constructing the Bayesian attack graph of the original attack graph, comprising the following steps:
Step 2.1, calculating the vulnerability exploit success probability of all vulnerability exploit edges, where the vulnerability exploit success probability P(v_post) of the vulnerability exploit edge E_v ∈ (S_pre, S_post) is:
P(v_post) = AV × w1 + AC × w2 + Au × w3 + RL × w4 + P_exploit × w5 (2)
In formula 2: AV is the access vector in the CVSS base metric group of vulnerability v_post,
AC is the access complexity in the CVSS base metric group of vulnerability v_post,
Au is the authentication in the CVSS base metric group of vulnerability v_post,
RL is the remediation level in the CVSS temporal metric group of vulnerability v_post,
the values of AV, AC, Au and RL are defined according to the corresponding indexes in CVSS;
P_exploit is the exploit code availability probability value of vulnerability v_post, with α = 0.260, b' = 0.00161, and t the total number of days from the publication date of vulnerability v_post to the current date, t being a positive integer;
w1 = 0.073, w2 = 0.118, w3 = 0.191, w4 = 0.2361, w5 = 0.3819;
Step 2.2, calculating the attack success probability of all attack success edges, where the attack success probability P(A_start) of any attack success edge E_a ∈ (A_start, S_end) is: when node A_start has published vulnerability information, an attack tool and an attack method, P(A_start) is 0.8; when node A_start has published vulnerability information and an attack method but no attack tool, P(A_start) is 0.6; when node A_start has published vulnerability information but no attack method and no attack tool, P(A_start) is 0.2;
Step 2.3, calculating the local conditional probability distribution table LCPD of all attribute state nodes:
(1) the LCPD function P(S_post | Pa[S_post]) of a node S_post with a vulnerability is:
(2) the LCPD function P(S_end | Pa[S_end]) of an attack income node S_end is:
Step 2.4, calculating the prior probability of all attribute state nodes:
(1) the prior probability of S1 is P(S1) = 0.7;
(2) the prior probability P(S_i) of an attribute state node with i ≥ 2 is:
In formula 3, P(S_i | Pa[S_i]) is the LCPD function of the attribute state node S_i, S_j is an ancestor node of S_i, Pa[S_j] is the parent node set of node S_j, and P(S_j | Pa[S_j]) is the LCPD function of node S_j.
2. A network security risk management method, characterized in that the method comprises:
Step 1, constructing a Bayesian attack graph using the method of claim 1;
Step 2, providing protection strategies according to the monitored network environment, solving for the optimal protection strategy using the particle swarm algorithm based on protection cost and attack income analysis, and finally implementing the optimal protection strategy on the Bayesian attack graph:
under protection strategy T, the protection measure implemented on the network device to which any attack income node S_end belongs is M_k; protection measure M_k represents disconnecting the network connection, disabling a service, installing a patch or installing a security product; protection strategy T is represented by a Boolean vector over the protection measure set M = {M_k | k = 1, ..., m}, i.e. T = (T1, T2, ..., Tk, ..., Tm),
the fitness function of the particle swarm algorithm is α·SG(T) + (1-α)·SC(T); the value of the fitness function α·SG(T) + (1-α)·SC(T) is to be minimal, and SC(T) ≤ B, where B is the network security management cost budget;
SG_0 is the initial attack income of the Bayesian attack graph; P(S_end) is the prior probability of the attack income node S_end; G(S_end) is the attack income of the attack income node S_end, G1 is the confidentiality loss, G2 the integrity loss, G3 the availability loss and G4 the privilege escalation, where the values of the confidentiality loss G1, integrity loss G2 and availability loss G3 are defined according to the corresponding indexes in CVSS; when the vulnerability description information corresponding to node A_start contains one of the description fields execute arbitrary code, execute arbitrary files, overwrite arbitrary files, gain privileges, obtain privileges, root privileges, administrative privileges or elevation of privilege vulnerability, G4 = 1, otherwise G4 = 0; P1 is the preference factor of confidentiality loss, P1 = 100; P2 is the preference factor of integrity loss, P2 = 75; P3 is the preference factor of availability loss, P3 = 50; P4 is the preference factor of privilege escalation, P4 = 25;
SG(T) is the attack income of the Bayesian attack graph after implementing protection strategy T; when protection measure M_k is enabled, P_M(S_end | M_k) denotes the probability of the attribute state node S_end after implementing protection measure M_k; R_k is the preference factor of the influence on probability of the operation type of the protection measure M_k implemented at any attack income node S_end, R1 is the preference factor of the influence on the posterior probability of the disable-service class of protection measures, R2 that of the disconnect-network-connection class, R3 that of the install-security-product class and R4 that of the install-patch class, 0 < R_k ≤ 100, and R_k takes the value R1, R2, R3 or R4 according to protection measure M_k; when protection measure M_k is not enabled, P_M(S_end | M_k) = P(S_end);
SC(T) is the protection cost of the Bayesian attack graph after implementing protection strategy T; C_k denotes the protection cost of implementing protection measure M_k at any attack income node S_end; 0 < imp(asset) ≤ 1, imp(asset) takes its value according to the economic value of the network device to which the attack income node S_end belongs, the greater the economic value, the greater the value of imp(asset); Q_k is the protection cost preference factor of the protection measure M_k implemented at any attack income node S_end, Q1 is the protection cost preference factor of the disconnect-network-connection class of protection measures, Q2 that of the install-patch class, Q3 that of the disable-service class and Q4 that of the install-security-product class, 0 < Q_k ≤ 100, Q1 > Q2 > Q3 > Q4, and Q_k takes the value Q1, Q2, Q3 or Q4 according to protection measure M_k;
α is the preference weight of attack income, 0 ≤ α ≤ 1.
3. The network security risk management method according to claim 2, characterized in that when the network device to which the attack income node S_end belongs stores enterprise trade secret information, 0.7 ≤ imp(asset) ≤ 1; when the network device to which the attack income node S_end belongs provides an enterprise business service, 0.4 ≤ imp(asset) < 0.7; when the network device to which the attack income node S_end belongs stores personal privacy information, 0 < imp(asset) < 0.4.
4. The network security risk management method according to claim 2, characterized in that
the network devices include a web server, a mail server, a DNS server, a database server, a file transfer server, a gateway server, an administrator server and PCs;
when the network device to which the attack income node S_end belongs is the database server, FTP server, administrator server, gateway server, web server, mail server, DNS server or PC, the corresponding value of imp(asset) is 1.0, 0.9, 0.8, 0.7, 0.6, 0.5, 0.4 or 0.3 respectively;
R1 = 100, R2 = 50, R3 = 30, R4 = 20;
Q1 = 100, Q2 = 80, Q3 = 60, Q4 = 40.
5. a kind of network security risk manages system, which is characterized in that system includes:Risk identification subsystem, data storage with Manage subsystem, attack graph based on MulVAL tools generates subsystem, the risk assessment subsystem based on Bayes's attack graph, Network security risk manages subsystem;
The risk identification subsystem, to complete identification all-network facility information, find network topology structure, analysis host Between connectivity, identify All hosts vulnerability information;
The data storage and management subsystem, to complete the connection between network equipment information, network topology structure, host The storage and management of the data such as property, loophole;
The attack graph based on MulVAL tools generates subsystem, all to complete to acquire risk identification subsystem In information input to MulVAL tools, final visual network original aggressor figure;
The network original aggressor figure includes several nodes and several directed edges;
Several described nodes include I attribute status node S and N number of atomic strike node A, wherein I takes positive integer, Si∈S, I=1,2,3 ..., I, S1For the external attribute state node of original aggressor figure, when i >=2, attribute status node SiOr to there is leakage The node in hole is attack income node, and when i >=2, attribute status node SiFather node set Pa [Si] and ancestor node Set Ancestor [Si] it is not sky, N takes positive integer, An∈ A, n=1,2,3 ..., N;
Several directed edge E include several vulnerability exploits while and when several success attacks;
Ev∈(Spre,Spost) it is any one vulnerability exploit side, Spre、SpostRespectively side Ev∈(Spre,Spost) front and back section Point, Spre、Spost∈ S, SpostFor any one, there are loophole vpostNode, SpostFather node set Pa [Spost] be not Sky, Spre∈Pa[Spost];
Ea∈(Astart,Send) it is any one success attack side, Astart、SendRespectively side Ea∈(Astart,Send) it is front and back Node, Astart∈ A, Send∈S,SendFor any one attack income node, SendFather node set Pa [Send] it is not sky, Astart∈Pa[Send];
The risk assessment subsystem based on Bayes's attack graph includes:Vulnerability exploit probability of success computing module, attack at Work(parameter probability valuing module, LCPD computing modules, risk evaluation module, wherein:
The vulnerability exploit probability of success computing module calculates the vulnerability exploit probability of success on all vulnerability exploit sides, wherein leaking Hole utilizes side Ev∈(Spre,Spost) vulnerability exploit probability of success P (vpost) be:
P(vpost)=AV × w1+AC×w2+Au×w3+RL×w4+Pexploit×w5 (4)
In formula 4:AV is loophole vpostCVSS in base set of properties access vector,
AC is loophole vpostCVSS in base set of properties access complexity,
Au is loophole vpostCVSS in base set of properties certification,
RL is loophole vpostCVSS in temporal set of properties patch restorability class,
The value of AV, AC, Au, RL are according to the index of correlation definition in CVSS;
PexploitFor loophole vpostCode utilizability probability value,α=0.260, b'= 0.00161, t is current date to loophole vpostTotal number of days of publication date, t take positive integer;
w1=0.073, w2=0.118, w3=0.191, w4=0.2361, w5=0.3819;
The success attack parameter probability valuing module calculates the success attack probability on all success attack sides, wherein arbitrary attack at Work(side Ea∈(Astart,Send) success attack probability P (Astart) be:Node AstartWith vulnerability information publication, attack tool When with attack method, P (Astart) it is 0.8;Node AstartWhen with vulnerability information publication and attack method without attack tool, P (Astart) it is 0.6;Node AstartWhen with vulnerability information publication without attack method and attack tool, P (Astart) it is 0.2;
The LCPD computing modules calculate the local condition probability distribution table LCPD of all properties state node:
(1) there are the node S of loopholepostLCPD function P (Spost|Pa[Spost]) be:
(2) attack income node SendLCPD function P (Send|Pa[Send]) be:
The risk evaluation module, to calculate the prior probability of all properties state node in attack graph:
(1)S1Prior probability P (S1)=0.7;
(2) the attribute status node S of i >=2i, the prior probability P (S of i >=2i) it is attribute status node SiIt is saved with its all ancestors The joint probability of point, prior probability P (Si) be:
In formula 5, P (Si|Pa[Si]) it is attribute status node SiLCPD functions, SjFor SiAncestor node, Pa [Sj] it is node Sj Father's node set, P (Sj|Pa[Sj]) it is node SjLCPD functions;
Network security risk management subsystem includes Safeguard tactics management module, costs and benefits analysis module and most Excellent prevention policies choose module;
The Safeguard tactics management module defines prevention policies T according to monitored network environment, arbitrary under prevention policies T Attack income node SendThe safeguard procedures that belonging network equipment is implemented are Mk, safeguard procedures MkIt represents and disconnects network connection, disabling Service, patch installing or installation safety product;Prevention policies T is safeguard procedures set M={ Mk| k=1 ..., m boolean vector It indicates, as:T=(T1,T2,...,Tk,...,Tm),
The cost-benefit analysis module calculates the initial attack income SG_0 of the Bayesian attack graph, the attack income SG(T) of the Bayesian attack graph after prevention policy T is implemented, and the protection cost SC(T) of the Bayesian attack graph after prevention policy T is implemented:
In formula 6: P(S_end) is the prior probability of attack income node S_end;
G(S_end) is the attack income of attack income node S_end, where G_1 is the confidentiality loss, G_2 the integrity loss, G_3 the availability loss and G_4 the privilege escalation; the values of the confidentiality loss G_1, integrity loss G_2 and availability loss G_3 are taken according to the definitions of the corresponding indices in CVSS; when the vulnerability description information corresponding to node A_start contains any one of the description fields execute arbitrary code, execute arbitrary files, overwrite arbitrary files, gain privileges, obtain privileges, root privileges, administrative privileges and elevation of privilege vulnerability, G_4 = 1, otherwise G_4 = 0; P_1 is the preference factor of the confidentiality loss, P_1 = 100; P_2 is the preference factor of the integrity loss, P_2 = 75; P_3 is the preference factor of the availability loss, P_3 = 50; P_4 is the preference factor of privilege escalation, P_4 = 25;
When safeguard measure M_k is enabled, P_M(S_end | M_k) denotes the probability of attribute state node S_end after safeguard measure M_k is implemented; R_k is the preference factor of the impact on the posterior probability of implementing a safeguard measure M_k of the respective action type on an arbitrary attack income node S_end: R_1 is the preference factor of the posterior probability impact after a disable-service type safeguard measure is implemented, R_2 the preference factor of the posterior probability impact after a disconnect-network-connection type safeguard measure is implemented, R_3 the preference factor of the posterior probability impact after an install-safety-product type safeguard measure is implemented, R_4 the preference factor of the posterior probability impact after an install-patch type safeguard measure is implemented, 0 < R_k <= 100, and R_k takes the value R_1, R_2, R_3 or R_4 according to safeguard measure M_k; when safeguard measure M_k is not enabled, P_M(S_end | M_k) = P(S_end);
C_k denotes the protection cost of implementing safeguard measure M_k on an arbitrary attack income node S_end, 0 < imp(asset) <= 1, where imp(asset) is valued according to the economic value of the network equipment to which the arbitrary attack income node S_end belongs: the larger the economic value, the larger its value; Q_k is the preference factor of the protection cost of implementing safeguard measure M_k on an arbitrary attack income node S_end: Q_1 is the protection cost preference factor of the disconnect-network-connection type safeguard measure, Q_2 the protection cost preference factor of the install-patch type safeguard measure, Q_3 the protection cost preference factor of the disable-service type safeguard measure, Q_4 the protection cost preference factor of the install-safety-product type safeguard measure, 0 < Q_k <= 100, Q_1 > Q_2 > Q_3 > Q_4, and Q_k takes the value Q_1, Q_2, Q_3 or Q_4 according to safeguard measure M_k;
The optimal prevention policy selection module, based on the protection cost and attack income analysis, selects the optimal prevention policy using the particle swarm optimization (PSO) algorithm:
The fitness function of the particle swarm algorithm is α SG(T) + (1 - α) SC(T); the selected policy minimizes the fitness function value α SG(T) + (1 - α) SC(T) subject to SC(T) <= B, where B is the network security management cost budget;
α is the preference weight of the attack income, 0 <= α <= 1.
6. The network security risk management system as claimed in claim 5, characterized in that
when the network equipment to which attack income node S_end belongs stores enterprise business secret information, 0.7 <= imp(asset) <= 1; when the network equipment to which attack income node S_end belongs provides business services, 0.4 <= imp(asset) < 0.7; when the network equipment to which attack income node S_end belongs stores personal privacy information, 0 < imp(asset) < 0.4.
7. The network security risk management system as claimed in claim 5, characterized in that
the network equipment includes web servers, mail servers, name servers, database servers, file transfer servers, gateway servers, registrar servers and PCs;
when the network equipment to which attack income node S_end belongs is a database server, FTP server, administrator server, gateway server, web server, mail server, name server or PC, the corresponding values of imp(asset) are 1.0, 0.9, 0.8, 0.7, 0.6, 0.5, 0.4 and 0.3 respectively;
R_1 = 100, R_2 = 50, R_3 = 30, R_4 = 20;
Q_1 = 100, Q_2 = 80, Q_3 = 60, Q_4 = 40.
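The budget-constrained policy selection of claims 5 and 7, worked as an added example that is not the patent's own code: the R_k, Q_k, P_1..P_4 and imp(asset) values are the ones stated in the claims, while the forms of G(S_end), C_k, P_M(S_end|M_k), SG(T) and SC(T) are assumptions, since formula 6 is not reproduced on this page, and exhaustive search over the Boolean vector T stands in for the PSO search (viable only for small m).

```python
"""Select prevention policy T minimising alpha*SG(T) + (1-alpha)*SC(T) with
SC(T) <= B. Constants come from claims 5 and 7 of the patent; the per-node
aggregation forms are assumptions because formula 6 is not shown on the page.
Brute force replaces the PSO search and is only viable for small m."""
from itertools import product

# Posterior-impact factors R_k and cost factors Q_k per measure type (claim 7)
R = {"disable_service": 100, "disconnect": 50, "install_product": 30, "patch": 20}
Q = {"disconnect": 100, "patch": 80, "disable_service": 60, "install_product": 40}
# imp(asset) per device type (claim 7)
IMP = {"database": 1.0, "ftp": 0.9, "admin": 0.8, "gateway": 0.7,
       "web": 0.6, "mail": 0.5, "dns": 0.4, "pc": 0.3}
P_LOSS = (100, 75, 50, 25)  # preference factors P_1..P_4 for G_1..G_4


def attack_income(losses):
    """G(S_end) as a weighted sum of (G_1, G_2, G_3, G_4); assumed form."""
    return sum(p * g for p, g in zip(P_LOSS, losses))


def protection_cost(measure, device):
    """C_k = imp(asset) * Q_k; assumed form within the page's stated ranges."""
    return IMP[device] * Q[measure]


def posterior_after(measure, prior):
    """P_M(S_end|M_k): prior scaled down by R_k percent; assumed form."""
    return prior * (1 - R[measure] / 100.0)


# Constructed sample: one candidate measure M_k per attack income node S_end;
# losses = (G_1, G_2, G_3, G_4), G_1..G_3 CVSS-style in [0, 1], G_4 in {0, 1}.
NODES = [
    {"device": "database", "measure": "patch", "prior": 0.6, "losses": (1.0, 1.0, 0.0, 1)},
    {"device": "web", "measure": "disable_service", "prior": 0.5, "losses": (0.0, 0.0, 1.0, 0)},
    {"device": "pc", "measure": "install_product", "prior": 0.3, "losses": (0.5, 0.0, 0.0, 0)},
]


def best_strategy(nodes, alpha, budget):
    """Return (T, SG(T), SC(T)) with minimal fitness, or None if no T fits B."""
    best = None
    for t_vec in product((0, 1), repeat=len(nodes)):  # every Boolean vector T
        sg = sc = 0.0
        for t_k, n in zip(t_vec, nodes):
            p = posterior_after(n["measure"], n["prior"]) if t_k else n["prior"]
            sg += p * attack_income(n["losses"])        # SG(T): expected loss
            sc += protection_cost(n["measure"], n["device"]) if t_k else 0.0
        if sc > budget:
            continue  # violates SC(T) <= B
        fitness = alpha * sg + (1 - alpha) * sc
        if best is None or fitness < best[0]:
            best = (fitness, t_vec, sg, sc)
    return None if best is None else best[1:]
```

With alpha = 0.9 and B = 100 the database patch (cost 80) is priced out and the cheaper measures on the web server and PC are chosen; raising B to 200 makes the full policy (1, 1, 1) optimal.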
CN201610125022.XA 2016-03-04 2016-03-04 Vulnerability exploit probability of success computational methods and network security risk management method Expired - Fee Related CN105681338B (en)

Publications (2)

Publication Number Publication Date
CN105681338A CN105681338A (en) 2016-06-15
CN105681338B true CN105681338B (en) 2018-10-30

Family

ID=56306861


Legal Events

Date Code Title Description
C06 Publication
PB01 Publication
C10 Entry into substantive examination
SE01 Entry into force of request for substantive examination
GR01 Patent grant
CF01 Termination of patent right due to non-payment of annual fee

Granted publication date: 20181030
