CN106066964B - Network attack scheme evaluation method based on multi-level evaluation indexes - Google Patents

Info

Publication number
CN106066964B
Authority
CN
China
Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
Active
Application number
CN201610367994.XA
Other languages
Chinese (zh)
Other versions
CN106066964A (en
Inventor
程瑞
雷璟
Current Assignee (The listed assignees may be inaccurate. Google has not performed a legal analysis and makes no representation or warranty as to the accuracy of the list.)
Electronic Science Research Institute of CTEC
Original Assignee
Electronic Science Research Institute of CTEC
Priority date (The priority date is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the date listed.)
Application filed by Electronic Science Research Institute of CTEC filed Critical Electronic Science Research Institute of CTEC
Priority to CN201610367994.XA priority Critical patent/CN106066964B/en
Publication of CN106066964A publication Critical patent/CN106066964A/en
Application granted granted Critical
Publication of CN106066964B publication Critical patent/CN106066964B/en

Classifications

    • G PHYSICS
    • G06 COMPUTING; CALCULATING OR COUNTING
    • G06F ELECTRIC DIGITAL DATA PROCESSING
    • G06F21/00 Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
    • G06F21/50 Monitoring users, programs or devices to maintain the integrity of platforms, e.g. of processors, firmware or operating systems
    • G06F21/57 Certifying or maintaining trusted computer platforms, e.g. secure boots or power-downs, version controls, system software checks, secure updates or assessing vulnerabilities
    • G06F21/577 Assessing vulnerabilities and evaluating computer system security

Abstract

The invention provides an evaluation method of a network attack scheme based on a multi-level evaluation index, which comprises the following steps: step 1: constructing a comprehensive evaluation decision table; the comprehensive evaluation decision table comprises: a plurality of network attack schemes, network attack techniques used by the plurality of network attack schemes, and attack effects of the plurality of network attack schemes; step 2: preprocessing a preset initial decision value in the comprehensive evaluation decision table, and discretizing continuous data into three discrete decision values of 0, 1 and 2; step 3: calculating an attack effect value of each object; step 4: arranging the attack effect values of the objects in descending order, wherein the higher the attack effect value is, the better the attack effect of the object is. The invention does not depend on experience knowledge, and obtains a comprehensive evaluation result completely driven by data.

Description

Network attack scheme evaluation method based on multi-level evaluation indexes
Technical Field
The invention relates to the technical field of network attack, in particular to an evaluation method of a network attack scheme based on multi-level evaluation indexes.
Background
Network attack technology plays a key role in seizing the initiative in information warfare and in winning modern network information battles. Traditional network attack technology is not intelligent enough, mainly in two respects: (1) the traditional scattered, unorganized attack mode cannot form a combined force, whereas intelligent network attack technology can draw on the attacker's intention, the detected vulnerability information and the environment information, intelligently call and combine attack means from an attack and defense resource library, and provide timely decision support for the user; (2) the traditional attack mode is based on personal subjective experience, cannot make full use of existing knowledge, and lacks the ability to learn and generalize. Intelligent attack technology requires that the network system learn from the empirical and heuristic abstract knowledge held in the various knowledge bases, reduce the attributes of that knowledge, and automatically extract and update rules from it.
To realize effective network attack, it is critical to realize evaluation of different attack means and to find an effective attack mode for a similar target from the evaluation result. The network attack effect is often embodied by the comprehensive effect of various attack means, and the evaluation of the network attack effect through a single index is incomplete. Meanwhile, most of the information in the network attack process is inaccurate, inconsistent and incomplete, and the intelligent attack technology needs to find implicit knowledge from the incomplete information and reveal potential laws.
Traditional fuzzy information processing and knowledge acquisition methods usually need some prior knowledge and subjective judgment, are not completely based on data, and may "distort" the information being processed. For example, fuzzy sets and probabilistic statistics are common methods for processing uncertain information, but they require considerable additional information or prior knowledge, such as fuzzy membership functions and probability distribution functions, which in most cases are neither easy to obtain nor objective.
Disclosure of Invention
The invention aims to solve the technical problem of providing an evaluation method of a network attack scheme based on a multi-level evaluation index, which does not depend on experience knowledge and obtains a comprehensive evaluation result completely driven by data.
The technical scheme adopted by the invention is that the evaluation method of the network attack scheme based on the multistage evaluation indexes comprises the following steps:
setting an object set U consisting of network attack schemes; forming a condition attribute set C from the network attack methods used by the network attack schemes in the object set U; setting the attack effect of a network attack scheme as the decision attribute D;
the object set U comprises L objects $U_b$, $b = 1, 2, …, L$; each object corresponds to a network attack scheme;
the condition attribute set C includes N secondary indexes $C_i$, $i = 1, 2, …, N$; each secondary index $C_i$ includes M three-level indexes $C_{ij}$, $j = 1, 2, …, M$;
each object $U_b$ has a corresponding decision value under each three-level index $C_{ij}$ and under the decision attribute D; for any three-level index $C_{ij}$ or the decision attribute D, the decision values of the objects $U_b$ are classified, and the objects $U_b$ with the same decision value form an equivalence class; after classification, each three-level index $C_{ij}$ has g equivalence classes
Figure BDA0001003268200000021
$f = 1, 2, …, g$; each equivalence class
Figure BDA0001003268200000022
contains $k_f$ objects;
Figure BDA0001003268200000023
the decision attribute D has q equivalence classes $D_t$, $t = 1, 2, …, q$; each equivalence class $D_t$ contains $p_t$ objects;
Figure BDA0001003268200000024
the attack effect value TC of each object $U_b$ is calculated according to the following formula; the higher the attack effect value TC, the better the attack effect of the object $U_b$:
Figure BDA0001003268200000025
where $X_{ij}$ is the decision value of object $U_b$ under the three-level index $C_{ij}$;
$\omega_{ij}$ is the importance weight of the three-level index $C_{ij}$ for the decision attribute D;
Figure BDA0001003268200000026
is the importance weight of the secondary index $C_i$ for the decision attribute D;
$Y_t$ is the decision value of object $U_b$ under the decision attribute D;
$\theta_t$ is the importance weight of the decision attribute D to the condition attribute set C.
Further, the importance weight $\omega_{ij}$ of the three-level index $C_{ij}$ for the decision attribute D, with $\omega_{ij} \in [0,1]$, is calculated according to the following formula:
Figure BDA0001003268200000031
where $sig(C_{ij}, D) = H(D|L_{i0}) - H(D|L_i)$;
$L_i$ is the set of three-level indexes corresponding to the secondary index $C_i$;
$L_{i0}$ is the set of three-level indexes that remains after the three-level index $C_{ij}$ is removed from the set $L_i$;
$sig(C_{ij}, D)$ is the change in conditional entropy before and after the three-level index $C_{ij}$ is removed from the set $L_i$;
$H(D|L_i)$ and $H(D|L_{i0})$ are calculated according to the following formulas:
Figure BDA0001003268200000032
Figure BDA0001003268200000033
where
Figure BDA0001003268200000034
Figure BDA0001003268200000035
Figure BDA0001003268200000036
is the joint probability that event $D_t$ and event
Figure BDA0001003268200000037
occur together;
and card(·) denotes the number of elements in a set.
Further, the importance weight of the secondary index $C_i$ for the decision attribute D,
Figure BDA0001003268200000038
is calculated according to the following formula:
Figure BDA0001003268200000039
where the quadruple $S = (U, A, V, f)$ is a knowledge representation system, in which the set $A = C \cup D$,
Figure BDA00010032682000000310
$V = \bigcup_{\tau \in A} V_\tau$, where $V_\tau$ is the value range of the element $\tau$ and $\tau$ belongs to the set A; $f: U \times A \to V$ is an information function that gives the information value of each object in the object set U under each element of the set A;
let $\beta \in D$ and $\alpha \in C$, and call $W \in U/\beta$ a decision subset; for the classification $U/\alpha$, define $S_\alpha(W)$ as the supporting subset of W for the attribute $\alpha$, with $S_\alpha(W) = \bigcup_{V \in U/\alpha,\, V \subseteq W} V$; thus, for the classification $U/C_i$ of the condition attribute set, the supporting subset of the decision attribute D is
Figure BDA0001003268200000041
Further, the importance weight $\theta_t$ of the decision attribute D to the condition attribute set C is calculated according to the following formula:
Figure BDA0001003268200000042
Further, the condition attribute set C includes 5 secondary indexes: network blocking, authority control, information falsification, network monitoring and information stealing; network blocking comprises 3 three-level indexes: channel resource preemption, network connection preemption and storage space preemption; authority control comprises 3 three-level indexes: password attack, Trojan horse attack and buffer overflow attack; information falsification comprises 2 three-level indexes: IP address spoofing and false message spoofing; network monitoring comprises 2 three-level indexes: software-based monitoring and hardware-based monitoring; information stealing comprises 3 three-level indexes: network scanning, architecture detection and system service information collection.
By adopting the technical scheme, the invention at least has the following advantages:
compared with the existing multi-factor comprehensive evaluation method, the evaluation method introduced in the invention does not depend on the prior experience knowledge, is completely driven by data, and obtains the attack effect evaluation of each network attack scheme through calculation.
Drawings
Fig. 1 is a flowchart of an evaluation method for a network attack scheme based on multi-level evaluation indexes according to a second embodiment of the present invention;
Fig. 2 is a schematic diagram of a multi-level evaluation index structure according to a second embodiment of the present invention.
Detailed Description
To further explain the technical means and effects of the present invention adopted to achieve the intended purpose, the present invention will be described in detail with reference to the accompanying drawings and preferred embodiments.
The first embodiment of the present invention provides a method for evaluating a network attack scheme based on a multi-level evaluation index, which specifically includes:
setting an object set U consisting of network attack schemes; forming a condition attribute set C from the network attack methods used by the network attack schemes in the object set U; setting the attack effect of a network attack scheme as the decision attribute D;
the object set U comprises L objects $U_b$, $b = 1, 2, …, L$;
the condition attribute set C comprises N secondary indexes $C_i$, $i = 1, 2, …, N$; each secondary index $C_i$ comprises M three-level indexes $C_{ij}$, $j = 1, 2, …, M$; the number M of three-level indexes may be the same or different from one secondary index to another; the number N of secondary indexes is independent of the number M of three-level indexes, and neither number is limited;
each object $U_b$ has a corresponding decision value under each three-level index $C_{ij}$ and under the decision attribute D; for any three-level index $C_{ij}$ or the decision attribute D, the decision values of the objects $U_b$ are classified, and the objects $U_b$ with the same decision value form an equivalence class; after classification, each three-level index $C_{ij}$ has g equivalence classes
Figure BDA0001003268200000051
$f = 1, 2, …, g$; each equivalence class
Figure BDA0001003268200000052
contains $k_f$ objects;
Figure BDA0001003268200000053
the decision attribute D has q equivalence classes $D_t$, $t = 1, 2, …, q$; each equivalence class $D_t$ contains $p_t$ objects;
Figure BDA0001003268200000054
the attack effect value TC of each object $U_b$ is calculated according to the following formula; the higher the attack effect value TC, the better the attack effect of the object $U_b$:
Figure BDA0001003268200000055
where $X_{ij}$ is the decision value of object $U_b$ under the three-level index $C_{ij}$;
$\omega_{ij}$ is the importance weight of the three-level index $C_{ij}$ for the decision attribute D;
Figure BDA0001003268200000056
is the importance weight of the secondary index $C_i$ for the decision attribute D;
$Y_t$ is the decision value of object $U_b$ under the decision attribute D;
$\theta_t$ is the importance weight of the decision attribute D to the condition attribute set C.
Specifically, the importance weight $\omega_{ij}$ of the three-level index $C_{ij}$ for the decision attribute D is calculated according to the following formula:
Figure BDA0001003268200000061
where $sig(C_{ij}, D) = H(D|L_{i0}) - H(D|L_i)$;
$L_i$ is the set of three-level indexes corresponding to the secondary index $C_i$;
$L_{i0}$ is the set of three-level indexes that remains after the three-level index $C_{ij}$ is removed from the set $L_i$;
$sig(C_{ij}, D)$ is the change in conditional entropy before and after the three-level index $C_{ij}$ is removed from the set $L_i$;
$H(D|L_i)$ and $H(D|L_{i0})$ are calculated according to the following formulas:
Figure BDA0001003268200000062
Figure BDA0001003268200000063
where
Figure BDA0001003268200000064
Figure BDA0001003268200000065
Figure BDA0001003268200000066
is the joint probability that event $D_t$ and event
Figure BDA0001003268200000067
occur together;
and card(·) denotes the number of elements in a set.
The importance weight of the secondary index $C_i$ for the decision attribute D,
Figure BDA0001003268200000068
is calculated according to the following formula:
Figure BDA0001003268200000069
where the quadruple $S = (U, A, V, f)$ is a knowledge representation system, in which the set $A = C \cup D$,
Figure BDA00010032682000000610
$V = \bigcup_{\tau \in A} V_\tau$, where $V_\tau$ is the value range of the element $\tau$ and $\tau$ belongs to the set A; $f: U \times A \to V$ is an information function that gives the information value of each object in the object set U under each element of the set A;
let $\beta \in D$ and $\alpha \in C$, and call $W \in U/\beta$ a decision subset; for the classification $U/\alpha$, define $S_\alpha(W)$ as the supporting subset of W for the attribute $\alpha$, with $S_\alpha(W) = \bigcup_{V \in U/\alpha,\, V \subseteq W} V$; thus, for the classification $U/C_i$ of the condition attribute set, the supporting subset of the decision attribute D is
Figure BDA0001003268200000071
According to the definition of the support subset $S_\alpha(W)$, the tuples in $S_\alpha(W)$ may take several different values on the condition attribute set, but each of those values corresponds to the same decision value; for any tuple in the decision table, as long as its value on X is the same as a value taken in $S_W(X)$, it has the same decision value as the tuples in $S_W(X)$, and in fact such tuples are all contained in $S_W(X)$.
The importance weight $\theta_t$ of the decision attribute D to the condition attribute set C is calculated according to the following formula:
Figure BDA0001003268200000072
Further, the condition attribute set C includes 5 secondary indexes: network blocking, authority control, information falsification, network monitoring and information stealing; network blocking comprises 3 three-level indexes: channel resource preemption, network connection preemption and storage space preemption; authority control comprises 3 three-level indexes: password attack, Trojan horse attack and buffer overflow attack; information falsification comprises 2 three-level indexes: IP address spoofing and false message spoofing; network monitoring comprises 2 three-level indexes: software-based monitoring and hardware-based monitoring; information stealing comprises 3 three-level indexes: network scanning, architecture detection and system service information collection.
A second embodiment of the present invention provides a method for evaluating a network attack scenario based on a multi-level evaluation index, as shown in fig. 1, including the following steps:
step S201: constructing a comprehensive evaluation decision table;
the comprehensive evaluation decision table comprises: a plurality of network attack schemes, network attack techniques used by the plurality of network attack schemes, and attack effects of the plurality of network attack schemes;
an object set U is formed from the network attack schemes, wherein the object set U comprises L objects $U_b$, $b = 1, 2, …, L$, and each object corresponds to a network attack scheme; a condition attribute set C is formed from the network attack methods used by the network attack schemes in the object set U, wherein the condition attribute set C comprises N secondary indexes $C_i$, $i = 1, 2, …, N$, and each secondary index $C_i$ comprises M three-level indexes $C_{ij}$, $j = 1, 2, …, M$; the attack effect of a network attack scheme is set as the decision attribute D; according to experiment or fact, each object $U_b$ is given a corresponding decision value under each three-level index $C_{ij}$ and under the decision attribute D;
specifically, as shown in Fig. 2, the condition attribute set C includes 5 secondary indexes: network blocking, authority control, information falsification, network monitoring and information stealing; network blocking comprises 3 three-level indexes: channel resource preemption, network connection preemption and storage space preemption; authority control comprises 3 three-level indexes: password attack, Trojan horse attack and buffer overflow attack; information falsification comprises 2 three-level indexes: IP address spoofing and false message spoofing; network monitoring comprises 2 three-level indexes: software-based monitoring and hardware-based monitoring; information stealing comprises 3 three-level indexes: network scanning, architecture detection and system service information collection.
Step S202: preprocessing a preset initial decision value in the comprehensive evaluation decision table, and discretizing continuous data into three discrete decision values of 0, 1 and 2;
commonly used discretization methods include the equal-frequency division algorithm, the
Figure BDA0001003268200000082
Scaler algorithm, a discretization algorithm combining Boolean logic and rough set theory, the Nguyen greedy algorithm, an improved greedy algorithm and the like; the comprehensive evaluation decision table after discretization preprocessing is shown in Table 1:
TABLE 1
Figure BDA0001003268200000081
Figure BDA0001003268200000091
Table 1 includes 10 different objects $U_b$, $b = 1, 2, …, 10$, and 13 three-level indexes: channel resource preemption X1, network connection preemption X2 and storage space preemption X3 belong to the secondary index network blocking; password attack X4, Trojan horse attack X5 and buffer overflow attack X6 belong to the secondary index authority control; IP address spoofing X7 and false message spoofing X8 belong to the secondary index information falsification; software-based monitoring X9 and hardware-based monitoring X10 belong to the secondary index network monitoring; network scanning X11, system structure detection X12 and system service information collection X13 belong to the secondary index information stealing;
for any three-level index $C_{ij}$, any secondary index $C_i$ and the decision attribute D, the discrete decision values of the objects $U_b$ are classified, and the objects $U_b$ with the same discrete decision value form an equivalence class; after classification, each three-level index $C_{ij}$ has g equivalence classes
Figure BDA0001003268200000092
$f = 1, 2, …, g$; each equivalence class
Figure BDA0001003268200000093
contains $k_f$ objects;
Figure BDA0001003268200000094
the decision attribute D has q equivalence classes $D_t$, $t = 1, 2, …, q$; each equivalence class $D_t$ contains $p_t$ objects;
Figure BDA0001003268200000095
for example, the three-level index channel resource preemption X1 has three equivalence classes: an equivalence class with a discrete decision value of 0, an equivalence class with a discrete decision value of 1, and an equivalence class with a discrete decision value of 2; the equivalence class with the discrete decision value of 0 comprises two objects, U5 and U8; the equivalence class with the discrete decision value of 1 comprises four objects, U1, U3, U7 and U9; the equivalence class with the discrete decision value of 2 comprises four objects, U2, U4, U6 and U10.
Step S203: the attack effect value TC of each object $U_b$ is calculated according to the following formula (1):
Figure BDA0001003268200000096
where $X_{ij}$ is the decision value of object $U_b$ under the three-level index $C_{ij}$;
$\omega_{ij}$ is the importance weight of the three-level index $C_{ij}$ for the decision attribute D;
Figure BDA0001003268200000097
is the importance weight of the secondary index $C_i$ for the decision attribute D;
$Y_t$ is the decision value of object $U_b$ under the decision attribute D;
$\theta_t$ is the importance weight of the decision attribute D to the condition attribute set C.
Specifically, the importance weight $\omega_{ij}$ of the three-level index $C_{ij}$ for the decision attribute D, with $\omega_{ij} \in [0,1]$, is calculated according to the following formula (2):
Figure BDA0001003268200000101
where $sig(C_{ij}, D) = H(D|L_{i0}) - H(D|L_i)$;
$L_i$ is the set of three-level indexes corresponding to the secondary index $C_i$;
$L_{i0}$ is the set of three-level indexes that remains after the three-level index $C_{ij}$ is removed from the set $L_i$;
$sig(C_{ij}, D)$ is the change in conditional entropy before and after the three-level index $C_{ij}$ is removed from the set $L_i$;
$H(D|L_i)$ and $H(D|L_{i0})$ are calculated according to the following formulas:
Figure BDA0001003268200000102
Figure BDA0001003268200000103
where
Figure BDA0001003268200000104
Figure BDA0001003268200000105
Figure BDA0001003268200000106
is the joint probability that event $D_t$ and event
Figure BDA0001003268200000107
occur together;
and card(·) denotes the number of elements in a set.
The importance weight of the secondary index $C_i$ for the decision attribute D,
Figure BDA0001003268200000108
is calculated according to the following formula (3):
Figure BDA0001003268200000109
where the quadruple $S = (U, A, V, f)$ is a knowledge representation system, in which the set $A = C \cup D$,
Figure BDA00010032682000001010
$V = \bigcup_{\tau \in A} V_\tau$, where $V_\tau$ is the value range of the element $\tau$ and $\tau$ belongs to the set A; $f: U \times A \to V$ is an information function that gives the information value of each object in the object set U under each element of the set A;
let $\beta \in D$ and $\alpha \in C$, and call $W \in U/\beta$ a decision subset; for the classification $U/\alpha$, define $S_\alpha(W)$ as the supporting subset of W for the attribute $\alpha$, with $S_\alpha(W) = \bigcup_{V \in U/\alpha,\, V \subseteq W} V$; thus, for the classification $U/C_i$ of the condition attribute set, the supporting subset of the decision attribute D is
Figure BDA0001003268200000111
The importance weight $\theta_t$ of the decision attribute D to the condition attribute set C is calculated according to the following formula (4):
Figure BDA0001003268200000112
Further, according to formula (2) and formula (3) above, the importance weights of the three-level indexes and the importance weights of the secondary indexes for the decision attribute are calculated first.
For example, the secondary index authority control comprises three three-level indexes: password attack X4, Trojan horse attack X5 and buffer overflow attack X6;
the importance weight of the three-level index password attack X4 is calculated as follows:
the equivalence classes of the secondary index authority control are: {U1, U4}, {U2, U10}, {U3}, {U5, U8}, {U6, U9} and {U7}; after the three-level index password attack X4 is deleted from the secondary index authority control, the equivalence classes of the secondary index authority control are: {U1, U4}, {U2, U10}, {U3}, {U5, U8}, {U6, U9} and {U7}; the equivalence classes of the decision attribute D are: {U1, U2, U4, U5, U7, U10}, {U3, U6} and {U8, U9};
according to the formula
Figure BDA0001003268200000113
The following calculations were performed:
Figure BDA0001003268200000114
Figure BDA0001003268200000115
Figure BDA0001003268200000121
then the relative importance weight of the three-level index password attack X4 is $H(D|C_{20}) - H(D|C_2) = 0$, which indicates that the presence of the three-level index password attack X4 does not affect the ability of the secondary index authority control to explain the rules;
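The X4 calculation above, reproduced as an added example (not code from the patent): it takes the three partitions listed in the text and evaluates $sig(C_{ij}, D) = H(D|L_{i0}) - H(D|L_i)$. The conditional-entropy form used here (Shannon form, base-2 logarithm, probabilities taken from card()) is an assumption, because the patent's formula images are not reproduced on this page; the function names and the four-object contrast table are constructed for illustration.

```python
from math import log2


def classes_from_table(table, attrs):
    """Equivalence classes: objects that agree on every attribute in attrs."""
    groups = {}
    for obj, row in table.items():
        groups.setdefault(tuple(row[a] for a in attrs), set()).add(obj)
    return list(groups.values())


def conditional_entropy(cond_classes, dec_classes):
    """H(D|L) = -sum_f sum_t p(D_t, X_f) * log2 p(D_t | X_f).

    p(D_t, X_f) = card(D_t & X_f) / card(U), p(D_t | X_f) = card(D_t & X_f) / card(X_f).
    Assumed form (standard conditional entropy); the base only scales the result.
    """
    universe = set().union(*cond_classes)
    if universe != set().union(*dec_classes):
        raise ValueError("condition and decision partitions cover different objects")
    if sum(len(c) for c in cond_classes) != len(universe):
        raise ValueError("condition classes overlap, so they are not a partition")
    n = len(universe)
    h = 0.0
    for x in cond_classes:
        for d in dec_classes:
            joint = len(x & d)
            if joint:  # empty intersections contribute nothing (0 * log 0 := 0)
                h -= (joint / n) * log2(joint / len(x))
    return h


def significance(classes_without, classes_with, dec_classes):
    """sig(C_ij, D) = H(D|L_i0) - H(D|L_i): entropy change when C_ij is removed."""
    return (conditional_entropy(classes_without, dec_classes)
            - conditional_entropy(classes_with, dec_classes))


def U(*ids):
    """Helper to write the page's object names U1..U10 compactly."""
    return {f"U{i}" for i in ids}


# Partitions exactly as listed in the text for the secondary index authority control.
AUTH_WITH_X4 = [U(1, 4), U(2, 10), U(3), U(5, 8), U(6, 9), U(7)]
AUTH_WITHOUT_X4 = [U(1, 4), U(2, 10), U(3), U(5, 8), U(6, 9), U(7)]
DECISION = [U(1, 2, 4, 5, 7, 10), U(3, 6), U(8, 9)]

# Constructed contrast table (not from the patent): attribute "b" is needed
# to separate O1 from O2, so removing it raises the conditional entropy.
TOY_TABLE = {
    "O1": {"a": 0, "b": 0, "d": 0},
    "O2": {"a": 0, "b": 1, "d": 1},
    "O3": {"a": 1, "b": 0, "d": 1},
    "O4": {"a": 1, "b": 1, "d": 1},
}


def page_significance_x4():
    """Significance of password attack X4, from the partitions in the text."""
    return significance(AUTH_WITHOUT_X4, AUTH_WITH_X4, DECISION)


def constructed_significance_b():
    """Significance of attribute "b" in the constructed table."""
    with_b = classes_from_table(TOY_TABLE, ["a", "b"])
    without_b = classes_from_table(TOY_TABLE, ["a"])
    decision = classes_from_table(TOY_TABLE, ["d"])
    return significance(without_b, with_b, decision)


if __name__ == "__main__":
    print("H(D|C2)    =", round(conditional_entropy(AUTH_WITH_X4, DECISION), 4))
    print("sig(X4, D) =", round(page_significance_x4(), 4))
    print("sig(b, d)  =", round(constructed_significance_b(), 4))
```

Only the mixed classes {U5, U8} and {U6, U9} contribute to the entropy; because deleting X4 leaves the partition unchanged, the difference is zero, matching the result stated in the text.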
the importance weight of the secondary index authority control for the decision attribute D is calculated as follows:
the support subset of the secondary index authority control for the decision attribute D is:
Figure BDA0001003268200000122
the importance weight of the secondary index authority control for the decision attribute D is:
Figure BDA0001003268200000123
in the same way, the relative importance weights of the other three-level indexes and the importance weights of the secondary indexes for the decision attribute can be calculated; the results are shown in Table 2:
TABLE 2
Figure BDA0001003268200000124
The attack effect value TC of each object $U_b$ is calculated according to formula (1), Table 1 and Table 2; the results are shown in Table 3:
TABLE 3
Object Attack effect value TC
U1 6.1478
U2 5.6895
U3 2.7898
U4 6.9086
U5 6.6352
U6 4.6054
U7 6.2247
U8 2.0239
U9 1.1893
U10 6.7698
For example, the attack effect value TC of object $U_4$ is calculated as follows:
TC=(2×0.094×0.7+2×0.668×0.7+2×0.238×0.7)+(1×0×0.6+2×0.713×0.6+0×0.287×0.6)+(2×0.691×0.8+0×0.309×0.8)+(2×0.237×0.3+2×0.763×0.3)+(1×0.421×0.6+2×0.000×0.6+2×0.579×0.6)+2=6.9086
Step S204: the attack effect values TC of the objects $U_b$ are arranged in descending order, with the following result:
network attack scheme 4 (6.9086) > network attack scheme 10 (6.7698) > network attack scheme 5 (6.6352) > network attack scheme 7 (6.2247) > network attack scheme 1 (6.1478) > network attack scheme 2 (5.6895) > network attack scheme 6 (4.6054) > network attack scheme 3 (2.7898) > network attack scheme 8 (2.0239) > network attack scheme 9 (1.1893);
it can be seen that the attack effect of network attack scheme 4 is the best, and the attack effect of network attack scheme 9 is the worst.
Compared with the conventional multi-factor comprehensive evaluation method, the evaluation method provided by the embodiment of the invention does not depend on the prior experience knowledge, is completely driven by data, and obtains the attack effect evaluation of each network attack scheme through calculation.
While the invention has been described in connection with specific embodiments thereof, it is to be understood that it is intended by the appended drawings and description that the invention may be embodied in other specific forms without departing from the spirit or scope of the invention.

Claims (4)

1. A network attack scheme evaluation method based on multi-level evaluation indexes is characterized by comprising the following steps:
setting an object set U consisting of network attack schemes; forming a condition attribute set C from the network attack methods used by the network attack schemes in the object set U; setting the attack effect of a network attack scheme as the decision attribute D;
the object set U comprises L objects $U_b$, $b = 1, 2, …, L$; each object corresponds to a network attack scheme;
the condition attribute set C includes N secondary indexes $C_i$, $i = 1, 2, …, N$; each secondary index $C_i$ includes M three-level indexes $C_{ij}$, $j = 1, 2, …, M$;
each object $U_b$ has a corresponding decision value under each three-level index $C_{ij}$ and under the decision attribute D; for any three-level index $C_{ij}$ or the decision attribute D, the decision values of the objects $U_b$ are classified, and the objects $U_b$ with the same decision value form an equivalence class; after classification, each three-level index $C_{ij}$ has g equivalence classes
Figure FDA0003045580660000011
$f = 1, 2, …, g$; each equivalence class
Figure FDA0003045580660000012
contains $k_f$ objects;
Figure FDA0003045580660000013
the decision attribute D has q equivalence classes $D_t$, $t = 1, 2, …, q$; each equivalence class $D_t$ contains $p_t$ objects;
Figure FDA0003045580660000014
the attack effect value TC of each object $U_b$ is calculated according to the following formula; the higher the attack effect value TC, the better the attack effect of the object $U_b$:
Figure FDA0003045580660000015
where $X_{ij}$ is the decision value of object $U_b$ under the three-level index $C_{ij}$;
$\omega_{ij}$ is the importance weight of the three-level index $C_{ij}$ for the decision attribute D;
Figure FDA0003045580660000016
is the importance weight of the secondary index $C_i$ for the decision attribute D;
$Y_t$ is the decision value of object $U_b$ under the decision attribute D;
$\theta_t$ is the importance weight of the decision attribute D to the condition attribute set C;
the importance weight $\omega_{ij}$ of the three-level index $C_{ij}$ for the decision attribute D, with $\omega_{ij} \in [0,1]$, is calculated according to the following formula:
Figure FDA0003045580660000021
where $sig(C_{ij}, D) = H(D|L_{i0}) - H(D|L_i)$;
$L_i$ is the set of three-level indexes corresponding to the secondary index $C_i$;
$L_{i0}$ is the set of three-level indexes that remains after the three-level index $C_{ij}$ is removed from the set $L_i$;
$sig(C_{ij}, D)$ is the change in conditional entropy before and after the three-level index $C_{ij}$ is removed from the set $L_i$;
$H(D|L_i)$ and $H(D|L_{i0})$ are calculated according to the following formulas:
Figure FDA0003045580660000022
Figure FDA0003045580660000023
wherein
Figure FDA0003045580660000024
Figure FDA0003045580660000025
Figure FDA0003045580660000026
is the joint probability that the event $D_t$ and the event
Figure FDA0003045580660000027
occur together;
where $\mathrm{card}(\cdot)$ denotes the number of elements in a set.
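The attribute-significance step of claim 1, as an added example that is not part of the patent text. Because the claim's formula images are not reproduced on this page, it assumes the standard Shannon conditional entropy over equivalence classes and a sum-to-one normalization of $\mathrm{sig}$ into $\omega_{ij}$; the decision table and the names `partition`, `cond_entropy`, `significance` and `weights` are constructed for illustration.

```python
from collections import Counter, defaultdict
from math import log2

# Constructed decision table: 8 objects, three-level indexes C11..C13 of one
# secondary index, and decision attribute D (all values already discretized).
TABLE = {
    "U1": {"C11": 0, "C12": 0, "C13": 0, "D": 0},
    "U2": {"C11": 0, "C12": 0, "C13": 1, "D": 0},
    "U3": {"C11": 0, "C12": 1, "C13": 0, "D": 0},
    "U4": {"C11": 0, "C12": 1, "C13": 1, "D": 0},
    "U5": {"C11": 1, "C12": 0, "C13": 0, "D": 1},
    "U6": {"C11": 1, "C12": 0, "C13": 1, "D": 2},
    "U7": {"C11": 1, "C12": 1, "C13": 0, "D": 1},
    "U8": {"C11": 1, "C12": 1, "C13": 1, "D": 2},
}
ATTRS = ["C11", "C12", "C13"]

def partition(rows, attrs):
    """Equivalence classes of U: objects with equal values on every attr."""
    classes = defaultdict(list)
    for obj, vals in rows.items():
        classes[tuple(vals[a] for a in attrs)].append(obj)
    return list(classes.values())

def cond_entropy(rows, attrs, decision="D"):
    """H(D|attrs) = -sum p(D_t, X_f) * log2 p(D_t | X_f); assumed Shannon form."""
    n = len(rows)
    h = 0.0
    for block in partition(rows, attrs):
        for count in Counter(rows[o][decision] for o in block).values():
            # p(D_t, X_f) = card(D_t ∩ X_f) / card(U)
            h -= (count / n) * log2(count / len(block))
    return h

def significance(rows, attrs, target, decision="D"):
    """sig(C_ij, D) = H(D | L_i0) - H(D | L_i), with L_i0 = L_i minus C_ij."""
    rest = [a for a in attrs if a != target]
    return cond_entropy(rows, rest, decision) - cond_entropy(rows, attrs, decision)

def weights(rows, attrs, decision="D"):
    """Normalize sig into [0, 1]; sum-to-one scaling is an assumption here."""
    sig = {a: significance(rows, attrs, a, decision) for a in attrs}
    total = sum(sig.values())
    if total == 0:  # no index changes the entropy: fall back to equal weights
        return {a: 1 / len(attrs) for a in attrs}
    return {a: s / total for a, s in sig.items()}

if __name__ == "__main__":
    print({a: round(w, 3) for a, w in weights(TABLE, ATTRS).items()})
```

In this table C12 never changes the conditional entropy, so it receives weight 0, while C11 carries twice the weight of C13.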
2. The method for evaluating a network attack scheme according to claim 1, wherein the importance weight of the secondary index $C_i$ for the decision attribute $D$
Figure FDA0003045580660000028
is calculated according to the following formula:
Figure FDA0003045580660000029
wherein the quadruple $S = (U, A, V, f)$ is a knowledge representation system, in which the set $A = C \cup D$,
Figure FDA00030455806600000210
$V = \bigcup_{\tau \in A} V_\tau$, where $V_\tau$ is the value range of the element $\tau$ and the element $\tau$ belongs to the set $A$; $f: U \times A \to V$ is an information function giving the information value of each object in the object set $U$ under each element of the set $A$;
let $\beta \in D$ and $\alpha \in C$, and call $W \in U/\beta$ a decision subset; for the classification $U/\alpha$, define $S_\alpha(W)$ as the supporting subset of $W$ with respect to the attribute $\alpha$, with $S_\alpha(W) = \bigcup_{V \in U/\alpha,\ V \in W} V$; thus, the supporting subset of the condition-attribute classification $U/C_i$ with respect to the decision attribute $D$ is
Figure FDA0003045580660000031
3. The method according to claim 2, wherein the importance weight $\theta_t$ of the decision attribute $D$ for the condition attribute set $C$ is calculated according to the following formula:
Figure FDA0003045580660000032
4. The method for evaluating a network attack scheme based on multi-level evaluation indexes according to any one of claims 1 to 3, wherein the condition attribute set C comprises 5 secondary indexes, which are respectively: network blocking, authority control, information counterfeiting, network monitoring and information stealing; the network blocking comprises 3 three-level indexes, which are respectively: channel resource, network connection and storage space are forced; the authority control comprises 3 three-level indexes, which are respectively: password attack, Trojan horse attack and buffer overflow attack; the information counterfeiting comprises 2 three-level indexes, which are respectively: IP address spoofing and false message spoofing; the network monitoring comprises 2 three-level indexes, which are respectively: software-based snooping and hardware-based snooping; the information stealing comprises 3 three-level indexes, which are respectively: network scanning, architecture detection and system service information collection.
CN201610367994.XA 2016-05-30 2016-05-30 Network attack scheme evaluation method based on multi-level evaluation indexes Active CN106066964B (en)

Publications (2)

Publication Number Publication Date
CN106066964A (en) 2016-11-02
CN106066964B (en) 2021-08-17

Family

ID=57420878

Country Status (1)

Country Link
CN (1) CN106066964B (en)

Legal Events

Date Code Title Description
C06 Publication
PB01 Publication
SE01 Entry into force of request for substantive examination
GR01 Patent grant