CN106411576A - Method for generating attack graphs based on status transition network attack model - Google Patents

Publication number
CN106411576A
Authority
CN
China
Legal status
Granted
Application number
CN201610812499.5A
Other languages
Chinese (zh)
Other versions
CN106411576B (en)
Inventor
王辉
陈甫旺
刘琨
贺军义
汪志英
Current Assignee
Henan University of Technology
Original Assignee
Henan University of Technology
Current legal status: Expired - Fee Related

Classifications

    • H04L 41/145: Network analysis or design involving simulating, designing, planning or modelling of a network (H Electricity; H04 Electric communication technique; H04L Transmission of digital information, e.g. telegraphic communication; H04L 41/00 Arrangements for maintenance, administration or management of data switching networks, e.g. of packet switching networks; H04L 41/14 Network analysis or design)
    • H04L 63/14: Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic (H Electricity; H04 Electric communication technique; H04L Transmission of digital information, e.g. telegraphic communication; H04L 63/00 Network architectures or network communication protocols for network security)

Abstract

The invention provides a method for generating attack graphs based on a state-transition network attack model. According to the method, a queue structure is used to save the state nodes that can be added to the attack graph; a state node is then taken from the queue, and starting from it, the other state nodes related to it are searched for. If the vulnerability of such another state node can be reached by an attack, and the depth and cost of the vulnerability attack are within acceptable limits, that state node is added to both the queue and the attack graph. The state nodes in the queue are processed in sequence in this way, the loop ends when the queue becomes empty, and the attack graph is generated. When estimating the attack cost, the correlation between the attack complexity value Acx and the discovery risk value Dsk is taken into account, which improves the accuracy of the generated attack graph. In addition, simulation experiments show that the attack graph generated by the embodiment of the invention is more concise than that generated before the improvement disclosed in the invention.

Description

Attack graph generation method based on a state transition network attack model
Technical field
The present invention relates to network attack techniques, and more particularly to an attack graph generation method based on a state transition network attack model.
Background technology
The factors influencing network security are many-sided and multi-angled; the weaknesses present in a network and their vulnerability are one of the important factors affecting its security. An attack launched by an attacker against a weakness in the network is in fact an attack carried out by some means, according to the weakness information and target information in the network, in order to obtain important information or escalate operating privileges. At the same time, the attacker's ability, experience and control over the environment determine the probability that the attack succeeds. Thus an attack against a weakness is usually a complex multi-step process: a complete attack process typically comprises a series of individual attack behaviours that occur in different parts of the network but are interrelated.
Therefore, how to describe these interrelated attack behaviours reasonably has become a major research focus in the field of network security. In recent years network security has largely shifted from traditional passive defence to active defence, and the main method models for active defence are attack description languages, attack trees, attack graphs and attack nets.
Cunningham was the earliest to propose the attack graph model. It regards a network as composed of various components connected physically or logically; a directed edge in the attack graph represents the cost an attack must pay, and the attacker gains benefit by attacking network components to escalate privileges.
Ritchey et al. proposed a model checking method that can automatically generate attack graphs. Although the method can generate attack graphs automatically, because all states are included in the model it easily leads to the state explosion problem and is not suited to large-scale networks.
Dapeng Man's global attack graph generation algorithm based on breadth-first search reduces the scale of the attack graph by setting thresholds. Although the method can reduce the scale of the attack graph, breadth-first search has certain limitations, so the attack graph generated by this method is also not suited to large-scale networks.
The research of earlier experts has achieved considerable results in related fields, but in the attack graph modelling process the constraints chosen differ and the emphasis placed on quantitative indicators differs, so the generated attack graphs also differ. Meanwhile, redundant paths inevitably exist in attack graphs; they not only increase the scale of the attack graph but also affect the objectivity and accuracy with which it reflects the real network. Therefore, eliminating redundant paths and reducing the scale of the attack graph is the inevitable choice for meeting the needs of large-scale networks.
Content of the invention
In view of this, the main object of the present invention is to provide an attack graph generation method that is small in scale, fast, highly intuitive and highly accurate.
To achieve the above object, the technical scheme proposed by the present invention is as follows:
The present invention provides an attack graph generation method based on a state transition network attack model, including:
Step 1, for the network to be attacked by the attacker, establish a network state node queue, add the source node of the network to the network state node queue, and add the source node to the attack graph;
Step 2, while the network state node queue is non-empty, take a network state node out of the network state node queue as the current node, and judge whether the current node is the destination node;
Step 3, when the current node is not the destination node, judge whether the attack depth and attack cost of the current node are within the preset maximum attack depth and maximum attack cost, where the attack cost Cost is:
In the formula: N represents the number of nodes on the whole attack path from the source node to the attacked node j,
pe_jl represents the cost of successfully attacking the attacked node j using the weakness with the highest attack access privilege on node j, 0 < l < u, where u is the total number of weaknesses on the attacked node j,
the correlation coefficient represents the correlation between the attack complexity value and the discovery risk value in the cost,
K (0 < K < 1) represents the dependence coefficient of the attack process on the attacker's experience; its value is determined by expert experience,
Time represents the number of repetitions of similar attacks in the attack process from the source node to the attacked node j,
ξ represents the network compactness coefficient, which reflects the robustness of the network; its value is determined by expert experience;
Step 4, when the attack depth and attack cost of the current node are within the maximum attack depth and maximum attack cost, search for all other state nodes that have a connection relation with the current node;
Step 5, traverse and search all weaknesses on the other state nodes; if the attack on a weakness on another state node is reachable from the current node, generate a new state node, add the new state node to the network state queue, and add the new state nodes that meet the preset conditions to the attack graph;
Step 6, repeat steps 2-5 until the network state node queue is empty, then end the loop and generate the attack graph.
On the basis of the above technical scheme of the attack graph generation method, the correlation coefficient is:
In the formula: P_A is the attack complexity value in the cost,
P_D is the discovery risk value in the cost,
m is the number of probability statistics performed to obtain the attack complexity value and the discovery risk value.
Specifically, in the network state node queue established in step 1, each current node includes the following attributes:
the node ID of the current node,
the node IDs of the other state nodes that have a connection relation with the current node,
the weakness numbers on the other state nodes,
the attacker's access privileges on the current node and the other state nodes,
the connection relations between the current node and the other state nodes,
the open services on the other state nodes,
the attack depth and attack cost of the current node.
In step 2, whether the current node is the destination node is judged according to the node ID of the current node; when the current node is judged to be the destination node, the method ends.
In step 3, when the attack depth of the current node exceeds the maximum attack depth and/or the attack cost of the current node exceeds the maximum attack cost, step 3 ends.
In step 4, all other state nodes having a connection relation with the current node are found according to the network connection relations between the current node and the other state nodes.
In step 5, adding the new state nodes that meet the preset conditions to the attack graph includes:
calculating the attack depth of the new state node, which is the attack depth of the current node plus 1;
judging whether the new state node has already been stored in the network state queue;
if it has not been stored before, adding the new state node to the attack graph;
if it has been stored before, judging whether the attack depth of the new state node equals the attack depth of the previously stored new state node, and if they are equal, adding the new state node to the attack graph.
In step 5, if the attacks from the current node on at least two weaknesses of the other state node are reachable, and the attack consequence of each of these at least two weaknesses is to obtain a control privilege on that other state node, the new state node is generated using the highest control privilege obtainable.
In summary, when calculating the attack cost, the attack graph generation method based on the state transition network attack model of the present invention takes into account not only the attack complexity value Acx and the discovery risk value Dsk but also the correlation between Acx and Dsk, which improves the accuracy of attack graph generation. In addition, simulation experiments show that the attack graph drawn by applying the embodiment of the present invention is more concise than the attack graph before the improvement, and statistics show that the calculated attack cost is closer to what an actual attacker pays. Therefore, the embodiment of the invention provides an attack graph generation method that is small in scale, fast, highly intuitive and highly accurate.
Brief description
Fig. 1 is a network attack model based on state transition (the NST model);
Fig. 2 is a specific example of a vulnerability attack that obtains a new privilege;
Fig. 3 is a schematic diagram of the attack graph generation method based on the state transition network attack model in the embodiment of the present invention.
Specific embodiment
To make the objects, technical solutions and advantages of the present invention clearer, the present invention is described in further detail below with reference to the accompanying drawings and specific embodiments.
Fig. 1 shows a network attack model based on state transition (the NST model). The NST model can be represented as a 2-tuple, NST = (NS, AR), where NS is the set of network states composing the model and AR is the set of attack behaviour rules.
The network state set NS is represented as the following triple: NS = (Hd, Nl, Crol).
Hd is a host in the network, i.e. Hd = (hostid, os, sers, v). hostid is the unique identifier distinguishing hosts in the network and can be represented by an IP address; os is the version information of the operating system running on the host; sers represents the open services of the host and can be represented by port numbers; v represents the list of weaknesses on the host, which includes weaknesses of the operating system, vulnerabilities of software installed on the host and other misconfiguration information.
Nl is the network connection relation, i.e. Nl = (src, dst, conn_pro). src represents the source host; dst represents the destination host; conn_pro represents the protocol or port used to connect the hosts. If no connection relation exists between the two, conn_pro = null; when the two are the same host, conn_pro = localhost.
Crol is the control privilege the attacker has over the host. In this NST model the control privilege is divided into three levels, from high to low: the system administrator root; the ordinary system user user; and the remote network visitor access.
The attack behaviour rule AR is represented as the following 2-tuple: AR = (VA, Cost), where VA = (AP, t, AS) and Cost = (Acx, Dsk).
AP represents the precondition set that must be satisfied to carry out a vulnerability attack using a weakness, i.e. AP = (src_access, conn_pro, dst_sers, dst_v). src_access represents the minimum access privilege the attacker must have on the attack source host; conn_pro represents the connection relation that must hold between the source host and the destination host, ensuring that the attack is reachable; dst_sers represents the open service on the destination host that is available to the attacker, ensuring the availability of the service the vulnerability attack relies on; dst_v represents the corresponding weakness on the destination host. The logical relation among the objects of the precondition set is: the vulnerability attack VA can occur if and only if all objects exist and meet the requirements.
In the NST model, a weakness refers to a security technical defect in the computer hardware and software of a computer system, or a policy defect in its management. An element v_i of the weakness set refers to a weakness item in the operating system, a vulnerability of software installed on the host or other misconfiguration information; such a weakness item can be exploited by an attacker and threatens the security of the network system.
AS represents the consequence set resulting from the attack behaviour, i.e. AS = (rslt_access, rslt_conn, rslt_vs). rslt_access represents the access privilege the attacker obtains on the currently attacked host after a successful attack; rslt_conn represents the change in the network connection relations after a successful attack; rslt_vs represents the weaknesses added after a successful attack. The logical relation among the objects of the consequence set of a vulnerability attack is: after the vulnerability attack VA occurs, the consequence set may be obtaining a new privilege, adding a new connection relation or obtaining a new weakness, and the consequence of an attack, once it occurs, may be one or more of these.
t represents the state transition, i.e. the single change of network state after the vulnerability attack; it may be the process of obtaining a new privilege, the process of adding a new connection relation or the process of obtaining a new weakness.
Fig. 2 is a specific example of a vulnerability attack that obtains a new privilege: the attacker starts from the controlled host H1 and, using a vulnerability (CVE-2016-1194) in the IIS Web service on host H2, obtains Root privilege on host H2. This vulnerability attack must satisfy 4 preconditions: (1) the attacker's privilege on the source host H1 is at least User (i.e. U_H1); (2) host H1 can access the Http service of host H2 (i.e. Http_H1_H2); (3) the IIS Web service on host H2 is running (i.e. Web_H2); (4) the IIS Web service on host H2 has the vulnerability numbered CVE-2016-1194 (i.e. V1194). Only when all 4 conditions are met can the attacker possibly launch a successful attack on host H2 from host H1 (i.e. V1194_H1_H2); the attack result is that the attacker may obtain Root privilege on host H2 (i.e. R_H2).
The cost paid by the attacker to successfully attack the attacked host is denoted Cost and can be represented as a 2-tuple, i.e. Cost = (Acx, Dsk).
Acx represents the attack complexity value. Here the probability statistic of the difficulty of successfully exploiting a weakness is taken as the quantitative indicator reflecting attack success; this probability statistic is called the attack complexity value and is denoted Acx. According to survey statistics, researchers have found through the analysis of a large number of security incidents that a mapping relation exists between the discovery and exploitation cycle of a weakness and its attack complexity value Acx, and through this mapping the differences in the attack complexity value Acx among weaknesses can be expressed. Table 1 is the quantization table for the vulnerability attack complexity value Acx.
Table 1 weakness Acx quantifies table
Dsk represents the discovery risk value. Here the probability statistic that the behaviour is discovered while a vulnerability attack is carried out is taken as the quantitative indicator reflecting attack failure; this probability statistic is called the discovery risk value and is denoted Dsk. The Common Vulnerability Scoring System (CVSS), a general vulnerability scoring framework proposed by the US National Infrastructure Advisory Council (NIAC), aims to provide an open framework; here the quantized values of CI/II/AI are used to assess the size of the Dsk value.
Table 2 CVSS Elementary Measures group index value table
In the CVSS vulnerability scoring framework, the base metric group contains six metrics: access vector AV, authentication AU, attack complexity Acx, confidentiality impact CI, integrity impact II and availability impact AI. As can be seen from Table 2, the lower the requirement a weakness places on the attacker's access position (access vector), the lower its authentication requirement and the lower the attack complexity required, the larger the corresponding metric value; and the smaller the CI/II/AI impact, the smaller the discovery risk value Dsk. Therefore the quantized values of CI/II/AI are used here to assess the size of the Dsk value.
According to the above NST model, this paper presents an attack graph generation method based on the state transition network attack model (NST model). It introduces the correlation coefficient to quantitatively analyse the relation between the attack complexity value and the discovery risk value in the attack cost (Cost), and optimises the calculation of the attack cost accordingly. Finally, the attack graph is generated based on the recalculated attack cost.
As shown in Fig. 3, according to the above principle, the present invention proposes an attack graph generation method based on the state transition network attack model. The generation method is summarised as follows: the attack graph is generated mainly by means of the INAG algorithm. In the INAG algorithm, a queue structure is used to save the state nodes that have been added to the attack graph; a state node is then taken out of the queue, and starting from it, the other state nodes that have a connection relation with it are searched for. If the vulnerability attack on such another state node is reachable, and the depth and cost of the vulnerability attack are both within the acceptable range, that other state node is added to the queue and to the attack graph; otherwise it is discarded. The state nodes in the queue are taken out one by one in this loop; when the queue is empty the loop ends and the generation of the attack graph is complete.
Specifically, methods described includes:
Step 1, for the network to be attacked by the attacker, establish a network state node queue, add the source node of the network to the network state node queue, and add the source node to the attack graph;
In the network state node queue, the following attributes are established for each current node:
(1) the node ID (hostid) of the current node;
(2) the node IDs (dst) of the other state nodes that have a connection relation with the current node;
(3) the weakness numbers (dst_v) on the other state nodes;
(4) the attacker's access privileges (Crol) on the current node and the other state nodes;
(5) the connection relations (conn_pro) between the current node and the other state nodes;
(6) the open services (sers) on the other state nodes;
(7) the attack depth (deg) and attack cost (cost) of the current node.
After the network state node queue is established, the source node is first added to the queue and the above seven attributes are established for it. The source node is also added to the attack graph at the same time.
Step 2, while the network state node queue is non-empty, take a network state node out of the network state node queue as the current node, and judge whether the current node is the destination node;
In this step, whether the current node is the destination node is judged according to its node ID; when the current node is judged to be the destination node, the method ends, otherwise the following steps continue. The node ID of the current node is the unique identifier that distinguishes each state node.
At the start, the network state node queue contains only the source node, so the queue is non-empty; the source node is taken out as the current node, and from the node ID (hostid) in the attributes established for the current node in step 1 it is judged that this source node is not the destination node, so the following steps continue.
Thereafter, for the other state nodes added to the network state node queue, whether each is the destination node is likewise judged according to its node ID (hostid). If it is the destination node, the attack on the destination node has been completed and the attack graph generation method ends. Otherwise, the following steps continue.
Step 3, when the current node is not the destination node, judge whether the attack depth and attack cost of the current node are within the preset maximum attack depth and maximum attack cost;
The attack depth of the source node is 0. All vulnerability attacks start from the source node. If a vulnerability attack is an attack from the source node on another state node that has a connection relation with the source node, the attack depth of that other state node is the attack depth of the source node plus 1; if the vulnerability attack is an attack from that other state node on a secondary other state node that has a connection relation with it, the attack depth of the secondary other state node is the attack depth of that other state node plus 1. The attack depth of the current node is calculated by analogy.
The attack cost is the sum of the costs of each attack from the source node to the current node. In the embodiment of the present invention the method of calculating the attack cost differs from the traditional one: it takes into account the correlation between the attack complexity value Acx and the discovery risk value Dsk, and the attack cost calculated in this way is one of the main constraints on the loop of steps 2-5 (when the attack cost Cost of the current node exceeds the maximum attack cost, step 3 ends and steps 4 and 5 below are not executed), which ensures that the loop of steps 2-5 terminates normally. As to its effect, simulation experiments show that the attack graph drawn by applying the embodiment of the present invention is more concise than the attack graph before the improvement, and statistics show that the calculated attack cost is closer to what an actual attacker pays.
In the present embodiment, the attack cost Cost is:
In the formula: N represents the number of nodes on the whole attack path from the source node to the attacked node j;
pe_jl represents the cost of successfully attacking the attacked node j using the weakness with the highest attack access privilege on node j, 0 < l < u, where u is the total number of weaknesses on the attacked node j;
the correlation coefficient represents the correlation between the attack complexity value and the discovery risk value in the cost;
K (0 < K < 1) represents the dependence coefficient of the attack process on the attacker's experience; its value is determined by expert experience;
Time represents the number of repetitions of similar attacks in the attack process from the source node to the attacked node j;
ξ represents the network compactness coefficient, which reflects the robustness of the network; its value is determined by expert experience.
If an attack path contains repeated attacks on the same weakness, then for an intelligent attacking agent the cost of a subsequent repeated attack is certainly less than that of the first attack; therefore the cost of a vulnerability attack that repeats a weakness within the attack process is also related to the dependence coefficient on the attacker's experience. Hence the above formula takes the attacker's experience dependence coefficient into account.
In the above formula, the correlation coefficient is:
In the formula: P_A is the attack complexity value in the cost;
P_D is the discovery risk value in the cost;
m is the number of probability statistics performed to obtain the attack complexity value and the discovery risk value. Because the attack complexity and the discovery risk value of a weakness are not objective realities but probability statistics obtained using the principles of probability statistics, many trials are needed to obtain these two attributes of a weakness; each trial yields a set of values, and finally the principles of probability statistics are used to obtain an approximation. m represents the number of times probability statistics are carried out.
Table 3 Comparison of the absolute value of the correlation coefficient and the correlation strength
The present invention introduces the concept of the correlation coefficient so that the relation between the attack complexity value Acx and the discovery risk value Dsk can be analysed quantitatively, and the attack cost is then recalculated according to the above Cost formula. From the formula for the correlation coefficient it can be seen that the concept is based on the Pearson product-moment correlation coefficient and quantitatively analyses the relation between Acx and Dsk.
According to the definition of Pearson's correlation coefficient, the larger the absolute value of the coefficient, i.e. the closer it is to 1 or -1, the stronger the correlation; conversely, the closer it is to 0, the weaker the correlation.
In step 3, when the attack depth of the current node exceeds the maximum attack depth Max_Depth and/or the attack cost of the current node exceeds the maximum attack cost Max_Cost, step 3 ends and steps 4 and 5 below are not executed; when the attack depth of the current node is within the maximum attack depth Max_Depth and the attack cost is within the maximum attack cost Max_Cost, step 4 is executed. The maximum attack depth Max_Depth and the maximum attack cost Max_Cost can be set in advance.
Step 4, the attack depth when described present node and attack spend in described maximum attack depth and maximum attack When in the range of cost, search all other state nodes having annexation with described present node;
In this step, according to the network connection relation between described present node and other state nodes described, search All other state nodes having annexation with described present node.It is current in described network connection relation, as step 1 Annexation (conn_pro) in the attribute that node is set up.
Step 5: traverse and search all weaknesses on the other state nodes; if an attack from the current node on a weakness of another state node is reachable, generate a new state node, add the new state node to the network state queue, and add those new state nodes that satisfy a preset condition to the attack graph;
In this step, weaknesses can be looked up by the weakness number (dst_v) set in step 1; the weakness number (dst_v) is the unique identifier that distinguishes one weakness from another.
After all weaknesses have been found, it is judged in a loop, one node at a time, whether a weakness attack from the current node on each of the other state nodes is reachable. The specific judgement steps are as follows:
Step 51: judge in a loop, in turn, whether each weakness on the other state nodes (at least one weakness on each of the other state nodes) is in the rule base of the attack behaviour rules AR described above. If it is not in the rule base, the weakness is added to a weakness list (this method discards such a weakness, but it remains available for other subsequent analysis), and step 5 ends, i.e. the current loop iteration ends;
Step 52: if the weakness is in the rule base, judge whether it satisfies the precondition set that must be met to carry out a weakness attack, i.e. AP = (src_access, conn_pro, dst_sers, dst_v); if the set is not satisfied, the current loop iteration ends.
First, there is at least one weakness on each of the other state nodes, i.e. dst_v is satisfied;
Second, judge whether the service corresponding to this weakness (dst_sers) is open; if it is open, continue with the next operation, otherwise end the current loop iteration;
Third, if the corresponding service is open, judge whether the current node holds the least privilege (src_access) required to obtain this service; if so, continue with the next operation, otherwise end the current loop iteration;
Finally, if the least privilege is held, judge whether the connection relation exists. In step 5 the other state nodes were found through the network connection relation between the current node and the other state nodes, so a connection relation exists between the two nodes, i.e. conn_pro is satisfied.
It should be noted that the four judgements in step 52 have no fixed order; the order above is given merely for convenience of programming.
In step 5, if after the above judgements the attack from the current node on a weakness of another state node is reachable, a new state node is generated according to the attack behaviour rules described earlier; on this new state node new privileges may be obtained, new connection relations may be added, or new weaknesses may be obtained. The new state node is added to the network state queue. If the attack is unreachable, no new state node is generated (so, after several loops, the network state node queue established in step 1 may become empty).
New state nodes that satisfy the preset condition can be added to the attack graph, specifically:
Step 53: calculate the attack depth of the new state node; the attack depth of the new state node is the attack depth of the current node plus 1, i.e. Nas.depth = N_cunt.depth + 1, where Nas is the new node and N_cunt is the current node. The attack depth of the new state node is calculated in the same way as the attack depth of the current node described in step 3, which is not repeated here;
Step 54: judge whether the new state node has already been stored in the network state queue;
Step 55: if it has not been stored before, add the new state node to the attack graph;
Step 56: if it has been stored before, judge whether the attack depth of the new state node equals the attack depth of the previously stored copy of the new state node; if they are equal, add the new state node to the attack graph.
When a new state node is added to the attack graph, an edge with the current node as its start point and the new state node as its end point is generated at the same time and added to the attack graph.
It should also be noted that in step 5, if attacks from the current node on at least two weaknesses of the same other state node are reachable, and the consequence of attacking each of these at least two weaknesses is obtaining control authority over that other state node, the new state node is stored with the highest control authority obtainable.
Step 6: execute steps 2-5 in a loop until the network state node queue is empty, then end the loop and generate the attack graph.
After step 6 has been executed, the attack graph is complete and is finally output.
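The loop of steps 1-6 (queue of state nodes, the Max_Depth/Max_Cost check of step 3, the precondition set AP of step 52, the depth bookkeeping of steps 53-56 and the highest-authority rule) as a worked example. This is added illustrative code, not the patent's implementation: the hosts, weakness numbers, rule base AR, costs and the user/root privilege ordering are constructed assumptions.

```python
from collections import deque

# Constructed example network (not the patent's data). Each host carries the
# step 1 attributes: open services (dst_sers), weakness numbers mapped to the
# service they sit on (dst_v), and connection relations to other hosts (conn_pro).
HOSTS = {
    "web":  {"services": {"http"}, "weak": {}, "links": ["app", "mail"]},
    "app":  {"services": {"rpc"}, "weak": {"v2": "rpc", "v5": "ftp"}, "links": ["db"]},
    "mail": {"services": {"smtp"}, "weak": {"v4": "smtp"}, "links": ["db"]},
    "db":   {"services": {"sql"}, "weak": {"v3": "sql", "v6": "sql", "v9": "sql"}, "links": []},
}
# Hypothetical attack behaviour rule base AR: weakness -> (privilege needed on the
# source node, privilege gained on the target node, attack cost of the step).
AR = {"v2": ("user", "user", 1.5), "v3": ("user", "root", 3.0), "v4": ("user", "user", 6.0),
      "v5": ("user", "root", 1.0), "v6": ("root", "root", 0.5)}
RANK = {"none": 0, "user": 1, "root": 2}          # ordering of access rights (assumed)

def generate_attack_graph(source, target, max_depth, max_cost):
    """Steps 1-6: breadth-first expansion of (host, privilege) state nodes bounded by
    Max_Depth and Max_Cost. Returns (edges, weaknesses discarded in step 51)."""
    start = (source, "user")                       # attacker holds user rights on the source
    depth, cost = {start: 0}, {start: 0.0}         # step 1: queue seeded with the source node
    queue, edges, discarded = deque([start]), [], set()
    while queue:                                   # step 6: loop until the queue is empty
        cur = queue.popleft()                      # step 2: take out the current node
        host, priv = cur
        if host == target:                         # destination node: this path is complete
            continue
        if depth[cur] > max_depth or cost[cur] > max_cost:   # step 3: bounds check
            continue
        for nxt in HOSTS[host]["links"]:           # step 4: linked nodes, so conn_pro holds
            reachable = []
            for v, svc in HOSTS[nxt]["weak"].items():        # step 5: every weakness on nxt
                if v not in AR:                              # step 51: not in the rule base
                    discarded.add(v)
                    continue
                need, gain, c = AR[v]                        # step 52: precondition set AP
                if svc not in HOSTS[nxt]["services"]:        #   dst_sers: service must be open
                    continue
                if RANK[priv] < RANK[need]:                  #   src_access: least privilege
                    continue
                reachable.append((v, gain, c))
            if not reachable:                                # attack unreachable: no new node
                continue
            # several weaknesses yield control: store the highest authority obtainable
            v, gain, c = max(reachable, key=lambda r: (RANK[r[1]], -r[2]))
            new, d = (nxt, gain), depth[cur] + 1             # step 53: Nas.depth = N_cunt.depth + 1
            if new not in depth:                             # steps 54-55: not stored before
                depth[new], cost[new] = d, cost[cur] + c
                queue.append(new)
                edges.append((cur, new, v))
            elif depth[new] == d:                            # step 56: same depth, add edge only
                edges.append((cur, new, v))
    return edges, sorted(discarded)
```

With Max_Cost = 8 the mail branch is expanded and the db node receives a second edge under step 56; with Max_Cost = 5 the mail node is created but not expanded, which is the step 3 cut-off.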
When calculating the attack cost, the attack graph generation method based on the state transition network attack model of the present invention not only takes into account the attack complexity value Acx and the discovered-risk value Dsk, but also considers the correlation between Acx and Dsk, which improves the accuracy of attack graph generation. In addition, simulation experiments show that the attack graph drawn by applying the embodiment of the present invention is more concise than the attack graph before the improvement, and statistics show that the calculated attack cost is closer to the cost actually paid by attackers. The embodiment of the present invention therefore provides an attack graph generation method of small scale, high speed, strong intuitiveness and high accuracy.
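The correlation coefficient of claim 2 between the attack complexity value P_A and the discovered-risk value P_D, computed as an added example (not the patent's code) on constructed samples with M = 5; the sample values are assumptions.

```python
from math import sqrt

# Constructed samples (not the patent's data): M = 5 observations of the attack
# complexity value P_A and the discovered-risk value P_D for the same attack steps.
P_A = [0.2, 0.4, 0.5, 0.7, 0.9]
P_D = [0.9, 0.7, 0.6, 0.3, 0.1]

def correlation(pa, pd):
    """rho of claim 2: (sum PA*PD - sum PA * sum PD / M) divided by
    sqrt((sum PA^2 - (sum PA)^2 / M) * (sum PD^2 - (sum PD)^2 / M))."""
    m = len(pa)
    if m != len(pd) or m < 2:
        raise ValueError("need the same number (M >= 2) of P_A and P_D observations")
    s_a, s_d = sum(pa), sum(pd)
    num = sum(a * d for a, d in zip(pa, pd)) - s_a * s_d / m
    var_a = sum(a * a for a in pa) - s_a ** 2 / m
    var_d = sum(d * d for d in pd) - s_d ** 2 / m
    if var_a == 0 or var_d == 0:                    # a constant series leaves rho undefined
        raise ValueError("P_A or P_D is constant; rho is undefined")
    return num / sqrt(var_a * var_d)
```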
In summary, the above are only preferred embodiments of the present invention and are not intended to limit the protection scope of the present invention. Any modification, equivalent substitution, improvement, etc. made within the spirit and principles of the present invention shall be included within the protection scope of the present invention.

Claims (8)

1. An attack graph generation method based on a state transition network attack model, characterised in that it includes:
Step 1: for the network to be attacked by the attacker, establish a network state node queue, add the source node of the network to the network state node queue, and add the source node to the attack graph;
Step 2: when the network state node queue is non-empty, take one network state node out of the network state node queue as the current node, and judge whether the current node is the destination node;
Step 3: when the current node is not the destination node, judge whether the attack depth and attack cost of the current node are within the preset maximum attack depth and maximum attack cost, the attack cost Cost being:
where: N represents the number of nodes on the whole attack path from the source node to the attacked node j,
represents the cost when the attacked node j is successfully attacked using the weakness on the attacked node j that yields the maximum access rights, 0 < 1 < u, u being the total number of weaknesses on the attacked node j,
represents the correlation coefficient between the attack complexity value and the discovered-risk value within the cost,
K (0 < K < 1) represents the coefficient of dependence of the attack process on the attacker's experience, its value being determined by expert knowledge,
Time represents the number of repetitions of similar attacks in the attack process from the source node to the attacked node j,
ξ represents the network compactness coefficient, which reflects the robustness of the network and whose value is determined by expert knowledge;
Step 4: when the attack depth and attack cost of the current node are within the maximum attack depth and the maximum attack cost, search for all other state nodes that have a connection relation with the current node;
Step 5: traverse and search all weaknesses on the other state nodes; if an attack from the current node on a weakness of another state node is reachable, generate a new state node, add the new state node to the network state queue, and add those new state nodes that satisfy a preset condition to the attack graph;
Step 6: execute steps 2-5 in a loop until the network state node queue is empty, then end the loop and generate the attack graph.
2. The attack graph generation method based on a state transition network attack model according to claim 1, characterised in that the correlation coefficient ρ is:
$$\rho = \frac{\sum P_A P_D - \dfrac{\sum P_A \sum P_D}{M}}{\sqrt{\left(\sum (P_A)^2 - \dfrac{(\sum P_A)^2}{M}\right)\left(\sum (P_D)^2 - \dfrac{(\sum P_D)^2}{M}\right)}}$$
where: P_A is the attack complexity value within the cost,
P_D is the discovered-risk value within the cost,
M is the number of probability-statistics observations used to obtain the attack complexity value and the discovered-risk value.
3. The attack graph generation method based on a state transition network attack model according to claim 1 or 2, characterised in that in the network state node queue each current node includes the following attributes:
the node ID of the current node,
the node IDs of the other state nodes that have a connection relation with the current node,
the weakness numbers on the other state nodes,
the attacker's access rights to the current node and to the other state nodes,
the connection relation between the current node and the other state nodes,
the open services on the other state nodes,
the attack depth and attack cost of the current node.
4. The attack graph generation method based on a state transition network attack model according to claim 3, characterised in that in step 2, whether the current node is the destination node is judged according to the node ID of the current node, and when the current node is judged to be the destination node, the method ends.
5. The attack graph generation method based on a state transition network attack model according to claim 1 or 2, characterised in that in step 3, when the attack depth of the current node exceeds the maximum attack depth and/or the attack cost of the current node exceeds the maximum attack cost, step 3 ends.
6. The attack graph generation method based on a state transition network attack model according to claim 1 or 2, characterised in that in step 4, all other state nodes having a connection relation with the current node are found according to the network connection relation between the current node and the other state nodes.
7. The attack graph generation method based on a state transition network attack model according to claim 1 or 2, characterised in that in step 5, adding the new state nodes that satisfy the preset condition to the attack graph includes:
calculating the attack depth of the new state node, the attack depth of the new state node being the attack depth of the current node plus 1;
judging whether the new state node has already been stored in the network state queue;
if it has not been stored before, adding the new state node to the attack graph;
if it has been stored before, judging whether the attack depth of the new state node equals the attack depth of the previously stored copy of the new state node, and if they are equal, adding the new state node to the attack graph.
8. The attack graph generation method based on a state transition network attack model according to claim 7, characterised in that
in step 5, if attacks from the current node on at least two weaknesses of the same other state node are reachable, and the consequence of attacking each of these at least two weaknesses is obtaining control authority over that other state node, the new state node is generated with the highest control authority obtainable.
Application CN201610812499.5A, priority date 2016-08-30, filing date 2016-08-30: Attack graph generation method based on state transition network attack model; granted as CN106411576B; status: Expired - Fee Related.

Publications (2)

CN106411576A, published 2017-02-15
CN106411576B, published 2019-10-22

Legal Events

C06 / PB01: Publication
C10 / SE01: Entry into substantive examination (entry into force of request for substantive examination)
GR01: Patent grant (granted publication date: 20191022)
CF01: Termination of patent right due to non-payment of annual fee (termination date: 20200830)