CN106411576B - Attack drawing generating method based on state transition network network challenge model - Google Patents

Info

Publication number
CN106411576B (application CN201610812499.5A)
Authority
CN
China
Prior art keywords
attack
node
state
network
depth
Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
Expired - Fee Related
Application number
CN201610812499.5A
Other languages
Chinese (zh)
Other versions
CN106411576A (en)
Inventor
王辉
陈甫旺
刘琨
贺军义
汪志英
Current Assignee (The listed assignees may be inaccurate. Google has not performed a legal analysis and makes no representation or warranty as to the accuracy of the list.)
Henan University of Technology
Original Assignee
Henan University of Technology
Priority date (The priority date is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the date listed.)
Filing date
Publication date
Application filed by Henan University of Technology
Priority to CN201610812499.5A
Publication of CN106411576A
Application granted
Publication of CN106411576B
Legal status: Expired - Fee Related (current)
Anticipated expiration

Classifications

    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L 41/00 Arrangements for maintenance, administration or management of data switching networks, e.g. of packet switching networks
    • H04L 41/14 Network analysis or design
    • H04L 41/145 Network analysis or design involving simulating, designing, planning or modelling of a network
    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L 63/00 Network architectures or network communication protocols for network security
    • H04L 63/14 Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic

Landscapes

  • Engineering & Computer Science (AREA)
  • Computer Security & Cryptography (AREA)
  • Computer Networks & Wireless Communication (AREA)
  • Signal Processing (AREA)
  • Computer Hardware Design (AREA)
  • Computing Systems (AREA)
  • General Engineering & Computer Science (AREA)
  • Computer And Data Communications (AREA)

Abstract

The present invention provides an attack graph generation method based on a state-transition network attack model. The state nodes that may be added to the attack graph are held in a queue. A state node is taken from the queue, and starting from it the other state nodes that have a connection relationship with it are searched; if the vulnerability attack on such another state node is reachable, and the attack depth and attack cost are within the acceptable range, that state node is added to the queue and to the attack graph. The state nodes in the queue are processed in turn in this way; when the queue is empty the loop ends and the attack graph is complete. When computing the attack cost, the correlation between the attack complexity value Acx and the found risk value Dsk is taken into account, which improves the accuracy of attack graph generation. In addition, simulation experiments show that the attack graph obtained with the embodiment of the present invention is more concise than the attack graph before the improvement.

Description

Attack graph generation method based on a state-transition network attack model
Technical field
The present invention relates to network attack techniques, and in particular to an attack graph generation method based on a state-transition network attack model.
Background technique
The factors influencing network security are many-sided and multi-angled; the weaknesses present in a network and its fragility are one of the important factors affecting its security. In an attack on a weakness in the network, the attacker uses the weakness information and target information in the network and attacks by certain means to obtain important information or to elevate operating privileges. At the same time, the attacker's ability, experience and control over the environment determine the probability that the attack succeeds. An attack on weaknesses is therefore usually a complex multi-step process: one complete attack generally comprises a series of individual attacks, which occur in different parts of the network but are interrelated.
Therefore, how to reasonably describe these interrelated attacks has become a major research topic in the field of network security. In recent years network security has largely shifted from traditional passive defence to active defence; the main models and methods for active defence are attack description languages, attack trees, attack graphs and attack nets.
Cunningham first proposed the attack graph model, holding that a network is composed of various components connected physically or logically; a directed edge in the attack graph represents the cost the attack must pay, and the attacker gains privileges by attacking network components.
Ritchey et al. proposed a model checker method that can automatically generate attack graphs. Although this method generates attack graphs automatically, the model includes all states, which easily leads to the state explosion problem, so it is not suited to large-scale networks.
Dapeng Man's global attack graph generation algorithm based on breadth-first search reduces the scale of the attack graph by setting a threshold. Although this method can reduce attack graph scale, breadth-first search has certain limitations, so the attack graphs generated by this method are also not applicable to large-scale networks.
The research of these predecessors has achieved considerable results in the field, but in attack graph modelling the chosen constraints differ and the emphasis on quantitative indicators differs, so the generated attack graphs also differ. Meanwhile, redundant paths inevitably exist in attack graphs, which not only increases the scale of the attack graph but also affects the objectivity and accuracy with which it reflects the real network. Eliminating redundant paths and reducing attack graph scale is therefore the inevitable choice for meeting the demands of large-scale networks.
Summary of the invention
In view of this, the main object of the present invention is to provide an attack graph generation method that is small in scale, fast, intuitive and highly accurate.
To achieve the above object, the technical solution proposed by the present invention is as follows:
The present invention provides an attack graph generation method based on a state-transition network attack model, comprising:
Step 1: establish a network state node queue for the network to be attacked, add the source node of the network to the network state node queue, and add the source node to the attack graph;
Step 2: while the network state node queue is non-empty, take a network state node from the network state node queue as the current node and judge whether the current node is the destination node;
Step 3: when the current node is not the destination node, judge whether the attack depth and attack cost of the current node are within the preset maximum attack depth and maximum attack cost; the attack cost Cost is as follows:
In the formula: n denotes the number of nodes on the entire attack path from the source node to the attacked node j;
p_ejl denotes the cost of successfully attacking the attacked node j by exploiting weakness l on node j with the maximum access privilege, 0 < l < u, where u is the total number of weaknesses on the attacked node j;
the correlation coefficient term denotes the correlation between the attack complexity value and the found risk value in the cost;
K (0 < K < 1) denotes the dependence coefficient of the attack process on the attacker's experience; its value is determined by expert experience;
Time denotes the number of repetitions of similar attacks in the attack process from the source node to the attacked node j;
ξ denotes the compactness coefficient of the network, which reflects the robustness of the network; its value is determined by expert experience;
Step 4: when the attack depth and attack cost of the current node are within the maximum attack depth and maximum attack cost, search all other state nodes that have a connection relationship with the current node;
Step 5: traverse all weaknesses on the other state nodes; if the attack on a weakness from the current node to the other state node is reachable, generate a new state node, add the new state node to the network state queue, and add the new state node to the attack graph if it satisfies a preset condition;
Step 6: repeat steps 2 to 5 in a loop; when the network state node queue is empty the loop ends and the attack graph is generated.
In the above attack graph generation method, the correlation coefficient is as follows:
In the formula: P_A is the attack complexity value in the cost,
P_D is the found risk value in the cost,
M is the number of probability statistics used to obtain the attack complexity value and the found risk value.
Specifically, each current node in the network state node queue established in step 1 has the following attributes:
the node ID of the current node,
the node IDs of the other state nodes that have a connection relationship with the current node,
the weakness numbers on those other state nodes,
the attacker's access privilege on the current node and on the other state nodes,
the connection relationship between the current node and the other state nodes,
the services open on the other state nodes,
the attack depth and attack cost of the current node.
In step 2, whether the current node is the destination node is judged according to the node ID of the current node; when the current node is judged to be the destination node, the method ends.
In step 3, when the attack depth of the current node exceeds the maximum attack depth and/or the attack cost of the current node exceeds the maximum attack cost, step 3 ends.
In step 4, all other state nodes that have a connection relationship with the current node are found according to the network connection relationship between the current node and the other state nodes.
In step 5, adding a new state node that satisfies the preset condition to the attack graph comprises:
calculating the attack depth of the new state node, which is the attack depth of the current node plus 1;
judging whether the new state node has been stored in the network state queue before;
if it has not been stored before, adding the new state node to the attack graph;
if it has been stored before, judging whether the attack depth of the previously stored new state node equals the attack depth of the new state node, and if so adding the new state node to the attack graph.
In step 5, if the attacks on at least two weaknesses from the current node to one of the other state nodes are reachable, and the consequence of attacking those weaknesses is obtaining control privilege on that other state node, the new state node is generated with the highest control privilege that can be obtained.
In summary, the attack graph generation method of the present invention based on a state-transition network attack model takes into account, when calculating the attack cost, not only the attack complexity value Acx and the found risk value Dsk but also the correlation between Acx and Dsk, which improves the accuracy of attack graph generation. In addition, simulation experiments show that the attack graph obtained with the embodiment of the present invention is more concise than the attack graph before the improvement, and statistics show that the calculated attack cost is closer to what a real attacker pays. The embodiment of the present invention therefore provides an attack graph generation method that is small in scale, fast, intuitive and highly accurate.
Detailed description of the invention
Fig. 1 is a network attack model based on state transition (NST model);
Fig. 2 is a specific example of a vulnerability attack that obtains a new privilege;
Fig. 3 is a schematic diagram of the attack graph generation method based on a state-transition network attack model in the embodiment of the present invention.
Specific embodiment
To make the object, technical solution and advantages of the present invention clearer, the present invention is described in further detail below with reference to the accompanying drawings and specific embodiments.
Fig. 1 shows a network attack model based on state transition (NST model). The NST model can be represented by a two-tuple, NST = (NS, AR), where NS is the set of network states that make up the model and AR is the set of attack rules.
The network state set NS is represented by the triple NS = (Hd, Nl, Crol).
Hd is a host in the network, Hd = (hostid, os, sers, v). hostid is the unique identifier that distinguishes hosts in the network and can be represented by an IP address; os is the version information of the operating system running on the host; sers denotes the services open on the host and can be represented by port numbers; v denotes the list of weaknesses on the host, including weaknesses of the operating system, of software installed on the host, and other misconfiguration information.
Nl is the network connection relationship, Nl = (src, dst, conn_pro). src denotes the source host; dst denotes the destination host; conn_pro denotes the protocol or port used for the connection between the hosts. If no connection relationship exists between the two, conn_pro = null; when the two are the same host, conn_pro = localhost.
Crol is the control privilege the attacker holds over a host. In the NST model, control privileges are divided into three levels in descending order: system administrator root; ordinary system user user; remote network visitor access.
An attack rule AR is represented by the two-tuple AR = (VA, Cost), with VA = (A_P, t, A_S) and Cost = (Acx, Dsk).
A_P denotes the set of preconditions that must be satisfied to carry out a vulnerability attack using a weakness, A_P = (src_access, conn_pro, dst_sers, dst_v). src_access denotes the minimum access privilege the attacker must have on the attack source host; conn_pro denotes the connection relationship that must hold between the source host and the destination host, guaranteeing the reachability of the attack; dst_sers denotes the open service on the destination host that the attacker can reach, guaranteeing the availability of the service the vulnerability attack relies on; dst_v denotes the corresponding weakness on the destination host. The logical relationship among the objects of the precondition set is conjunctive: only when all objects exist and meet the requirements can the vulnerability attack VA occur.
In the NST model, a weakness refers to a security defect existing in the computer hardware or software of a computer system, or a policy defect in its management. An element v_i of the weakness set refers to a weakness item in the operating system, in software installed on the host, or other misconfiguration information; such a weakness item can be exploited by an attacker and threatens the security of the network system.
A_S denotes the set of consequences caused by the attack, A_S = (rslt_access, rslt_conn, rslt_vs). rslt_access denotes the access privilege the attacker obtains on the attacked host after a successful attack; rslt_conn denotes the change in network connection relationships after a successful attack; rslt_vs denotes the weaknesses added after a successful attack. The logical relationship among the objects of the consequence set is: after the vulnerability attack VA occurs, the consequence may be obtaining a new privilege, adding a new connection relationship, or obtaining a new weakness. One attack may cause one or more of these consequences.
t denotes the state transition, that is, the single change of the network state after the vulnerability attack; it may be the process of obtaining a new privilege, the process of adding a new connection relationship, or the process of obtaining a new weakness.
Fig. 2 is a specific example of a vulnerability attack that obtains a new privilege. Starting from a host H1 that it controls, the attacker exploits a vulnerability (CVE2016-1194) in the IIS Web service on host H2 and obtains Root privilege on host H2. The vulnerability attack must satisfy four preconditions: (1) the attacker's privilege on the source host H1 is at least User (U_H1); (2) host H1 can access the Http service of host H2 (Http_H1_H2); (3) the IIS Web service on host H2 is running (Web_H2); (4) the IIS Web service on host H2 has a vulnerability numbered CVE 2016-1194 (V1194). Only when all four conditions are met can the attacker successfully launch the attack on host H2 from host H1 (V1194_H1_H2); the result of the attack is that the attacker may obtain Root privilege on host H2 (R_H2).
The cost the attacker spends to successfully attack the attacked host is denoted Cost and can be represented by the two-tuple Cost = (Acx, Dsk).
Acx denotes the attack complexity value: here, the probability-statistics value of the difficulty of successfully exploiting a weakness, used as a quantitative indicator reflecting attack success. This probability-statistics value is called the attack complexity value and is denoted Acx. According to survey statistics, researchers analysing a large number of security incidents found that a mapping relationship exists between the period in which a weakness is discovered and exploited and the attack complexity value Acx; through this mapping the differences between weaknesses in the attack complexity value Acx can be expressed. Table 1 is the quantization table of the vulnerability attack complexity value Acx.
Table 1: weakness Acx quantization table
Dsk denotes the found risk value: here, the probability-statistics value that the behaviour of a vulnerability attack is detected, used as a quantitative indicator reflecting attack failure. This probability-statistics value is called the found risk value and is denoted Dsk. Following the Common Vulnerability Scoring System (CVSS), the open general vulnerability scoring framework proposed by the United States National Infrastructure Advisory Council (NIAC), the Dsk value is assessed here with the quantized values of CI/II/AI.
Table 2: CVSS base metric group indicator value table
In the CVSS framework, the base metric group comprises six indicators: access vector AV, authentication AU, attack complexity Acx, confidentiality impact CI, integrity impact II and availability impact AI. As can be seen from Table 2, the lower the requirement a weakness places on the access vector, on attacker authentication and on attack complexity, the larger the corresponding metric value, the smaller the CI/II/AI impact, and therefore the smaller the found risk value Dsk. The quantized values of CI/II/AI are therefore used here to assess the Dsk value.
Based on the NST model above, this paper proposes an attack graph generation method based on the state-transition network attack model (NST model) that introduces a correlation coefficient to quantitatively analyse the relationship between the attack complexity value and the found risk value in the attack cost (Cost), and uses it to optimise the calculation of the attack cost. Finally, the attack graph is generated based on the recalculated attack cost.
As shown in Fig. 3, according to the above principle the invention proposes an attack graph generation method based on the state-transition network attack model. The generation method is summarised as follows: the attack graph is generated mainly by means of the INAG algorithm. In the INAG algorithm, the state nodes that may be added to the attack graph are held in a queue. A state node is taken from the queue, and starting from it the other state nodes that have a connection relationship with it are searched; if the vulnerability attack on such another state node is reachable, and the attack depth and attack cost are within the acceptable range, that state node is added to the queue and to the attack graph, otherwise it is discarded. The state nodes in the queue are processed in turn in this way; when the queue is empty the loop ends and the generation of the attack graph is complete.
Specifically, the method comprises:
Step 1: establish a network state node queue for the network to be attacked, add the source node of the network to the network state node queue, and add the source node to the attack graph;
In the network state node queue, the following attributes are established for each current node:
(1) the node ID of the current node (hostid);
(2) the node IDs of the other state nodes that have a connection relationship with the current node (dst);
(3) the weakness numbers on those other state nodes (dst_v);
(4) the attacker's access privilege on the current node and on the other state nodes (Crol);
(5) the connection relationship between the current node and the other state nodes (conn_pro);
(6) the services open on the other state nodes (sers);
(7) the attack depth (deg) and attack cost (cost) of the current node.
After the network state node queue is established, the source node is first added to the queue and the seven attributes above are established for it. The source node is also added to the attack graph at the same time.
Step 2: while the network state node queue is non-empty, take a network state node from the network state node queue as the current node and judge whether the current node is the destination node;
In this step, whether the current node is the destination node is judged according to its node ID; when the current node is judged to be the destination node, the method ends, otherwise the following steps continue. The node ID of the current node is the unique identifier that distinguishes each state node.
At the start, the network state node queue contains only the source node, so the queue is non-empty; the source node is taken out as the current node, it is judged from the node ID (hostid) in the attributes established for it in step 1 that the source node is not the destination node, and the following steps continue.
Later, for the other state nodes added to the network state node queue, whether each is the destination node is likewise judged by its node ID (hostid). If it is the destination node, the attack on the destination node has been completed and the attack graph generation method ends. Otherwise the following steps continue.
Step 3: when the current node is not the destination node, judge whether the attack depth and attack cost of the current node are within the preset maximum attack depth and maximum attack cost;
The attack depth of the source node is 0. All vulnerability attacks start from the source node. If a vulnerability attack is an attack from the source node to another state node that has a connection relationship with the source node, the attack depth of that other state node is the attack depth of the source node plus 1; if a vulnerability attack is an attack from one other state node to a further state node that has a connection relationship with it, the attack depth of the further state node is the attack depth of that other state node plus 1. The attack depth of the current node is calculated in the same way.
The attack cost is the sum of the costs of each attack from the source node to the current node. In the embodiment of the present invention, the calculation method of the attack cost differs from the traditional one: it takes into account the correlation between the attack complexity value Acx and the found risk value Dsk. The Cost value so calculated is a main constraint of the loop of steps 2 to 5 in the method (when the attack cost of the current node exceeds the maximum attack cost, step 3 ends and steps 4 and 5 below are not executed), which guarantees that the loop of steps 2 to 5 terminates normally. As to its effect, simulation experiments show that the attack graph obtained with the embodiment of the present invention is more concise than the attack graph before the improvement, and statistics show that the calculated attack cost is closer to what a real attacker pays.
In the present embodiment, the attack cost Cost is as follows:
In the formula: n denotes the number of nodes on the entire attack path from the source node to the attacked node j;
p_ejl denotes the cost of successfully attacking the attacked node j by exploiting weakness l on node j with the maximum access privilege, 0 < l < u, where u is the total number of weaknesses on the attacked node j;
the correlation coefficient term denotes the correlation between the attack complexity value and the found risk value in the cost;
K (0 < K < 1) denotes the dependence coefficient of the attack process on the attacker's experience; its value is determined by expert experience;
Time denotes the number of repetitions of similar attacks in the attack process from the source node to the attacked node j;
ξ denotes the compactness coefficient of the network, which reflects the robustness of the network; its value is determined by expert experience.
If on one attack path an attack on the same weakness occurs a second or further time, then for an intelligent attacking agent the cost of a subsequent repeated attack is certainly lower than that of the first attack; the cost of a repeated vulnerability attack in the attack process is therefore also related to the attacker's experience dependence coefficient. The above formula therefore takes the attacker's experience dependence coefficient into account.
In the above formula, the correlation coefficient is as follows:
In the formula: P_A is the attack complexity value in the cost;
P_D is the found risk value in the cost;
M is the number of probability statistics used to obtain the attack complexity value and the found risk value. Because the attack complexity and found risk value of a weakness are not objective facts but probability-statistics values obtained by statistical principles, many tests are needed to obtain these two attributes of a weakness; each test yields a set of values, and finally an approximation is obtained by probability statistics. M denotes the number of probability statistics carried out.
Table 3: correlation strength comparison table for the absolute value of the correlation coefficient
The present invention introduces the correlation coefficient in order to quantitatively analyse the relationship between the attack complexity value Acx and the found risk value Dsk, so that the attack cost can be recalculated according to the Cost formula above. From the calculation formula of the coefficient it can be seen that the concept is based on the Pearson product-moment correlation coefficient and carries out a quantitative analysis of the relationship between Acx and Dsk.
According to the definition of the Pearson correlation coefficient, the larger its absolute value, i.e. the closer the coefficient is to 1 or -1, the stronger the correlation; conversely, the closer it is to 0, the weaker the correlation.
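The page describes the coefficient as a Pearson product-moment correlation between Acx and Dsk estimated from M probability-statistics samples of one weakness, but does not reproduce the formula or the Table 3 thresholds. The following Python is an added example, not the patent's code: it computes the Pearson coefficient for a constructed set of M = 5 paired Acx/Dsk samples. The sample values and the function name are assumptions of this example; the block reports only the coefficient and its absolute value, since the strength bands of Table 3 are not on the page.

```python
# Added example (not from the patent): Pearson product-moment correlation
# between the attack complexity value Acx and the found risk value Dsk,
# estimated from M constructed paired samples of one weakness.
from math import sqrt


def pearson(xs, ys):
    """Pearson product-moment correlation coefficient of two equal-length samples."""
    if len(xs) != len(ys) or len(xs) < 2:
        raise ValueError("need at least two paired observations")
    m = len(xs)                                   # M: number of probability statistics
    mean_x = sum(xs) / m
    mean_y = sum(ys) / m
    cov = sum((x - mean_x) * (y - mean_y) for x, y in zip(xs, ys))
    var_x = sum((x - mean_x) ** 2 for x in xs)
    var_y = sum((y - mean_y) ** 2 for y in ys)
    if var_x == 0 or var_y == 0:
        raise ValueError("a constant sample has no defined correlation")
    return cov / sqrt(var_x * var_y)


# Constructed samples (M = 5 repeated trials) of one weakness; the values are
# illustrative and are not statistics taken from the patent.
ACX_SAMPLES = [0.2, 0.4, 0.5, 0.7, 0.9]   # P_A per trial
DSK_SAMPLES = [0.9, 0.6, 0.6, 0.4, 0.3]   # P_D per trial


def acx_dsk_correlation():
    """Return (coefficient, |coefficient|) for the constructed samples."""
    r = pearson(ACX_SAMPLES, DSK_SAMPLES)
    return r, abs(r)


if __name__ == "__main__":
    r, strength = acx_dsk_correlation()
    print(f"correlation coefficient = {r:.4f}, |coefficient| = {strength:.4f}")
```

For these constructed samples the coefficient is close to -1: the more complex a trial's attack was, the lower its found risk value, a strong negative correlation in the sense of the definition above.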
In the step 3, when the attack depth of the present node is beyond the maximum attack depth Max_Depth's Range, and/or when the attack of the present node spends and spends the range of Max_Cost beyond the maximum attack, the step Rapid 3 terminate, and no longer execute step 4 below and 5;When the attack depth of the present node attacks depth Max_ in maximum Within the scope of Depth and when attack is spent within the scope of maximum attack cost Max_Cost, step 4 is continued to execute.Maximum attack It is preset that depth Max_Depth and maximum attack spend Max_Cost can be.
Step 4 spends in the maximum attack depth and maximum attack when the attack depth of the present node and attack When spending in range, all other state nodes for having connection relationship with the present node are searched;
In this step, it according to the network connection relation between the present node and other described state nodes, searches All other state nodes for having connection relationship with the present node.The network connection relation is current as in step 1 The connection relationship (conn_pro) in attribute that node is established.
Step 5, traversal search all weakness on other described state nodes, if from the present node to it is described other The attack of weakness on state node is reachable, then generates new state node, and the new state node is added to the net Network state queue, and the new state node for meeting preset condition is added in the attack graph;
In this step, (dst_v) Lai Jinhang weakness can be numbered by the weakness set in step 1 to search, weakness Number (dst_v) is to distinguish the unique identifier of weakness.
After finding all weakness, circuits sequentially and judge on from the present node to other described state nodes Whether vulnerability attack is reachable, and specific judgment step is as follows:
Step 51 circuits sequentially each weakness (other each described state nodes judged on other described state nodes At least one upper weakness) whether in front in the rule base of the attack rule AR, if not in rule base Weakness list (weakness is given up for this method, remains to make other subsequent analysis) is added in the weakness, then end step 5, that is, tie Shu Benci circulation;
If step 52, weakness in the rule base, judge whether the weakness meets progress vulnerability attack and must expire The precondition set of foot, i.e. AP=(src_access, conn_pro, dst_sers, dst_v), is unsatisfactory for, terminates this Circulation.
First, each of the other state nodes has at least one weakness, i.e. dst_v is satisfied;
Second, judge whether the service corresponding to the weakness (dst_sers) is open; if it is open, continue to the next operation, otherwise end this loop iteration;
Third, if the corresponding service is open, judge whether the current node has the least privilege (src_access) required to obtain the service; if so, continue to the next operation, otherwise end this loop iteration;
Finally, if the least privilege is held, judge whether the connection relationship exists. In step 5 the other state nodes were found through the network connection relation between the current node and the other state nodes, so a connection relationship exists between the two nodes, i.e. conn_pro is satisfied.
It should be noted that the four judgments in step 52 have no particular order; the order above is merely for convenience of programming.
In step 5, if after the above judgments the attack on a weakness on the other state nodes is reachable from the current node, a new state node is generated according to the attack rule described earlier; the new state node may represent the acquisition of a new permission, the addition of a new connection relationship, or the acquisition of a new weakness. The new state node is added to the network state queue. If the attack is unreachable, no new state node is generated (in this way, after repeated loops, the network state node queue established in step 1 may become empty).
A new state node that meets the preset condition is added to the attack graph, specifically:
Step 53: calculate the attack depth of the new state node; the attack depth of the new state node is the attack depth of the current node plus 1, i.e. Nas.depth=N_cunt.depth+1, where Nas is the new node and N_cunt is the current node. The attack depth calculation method of the new state node is the same as that of the current node described in step 3 and is not repeated here;
Step 54: judge whether the new state node was previously stored in the network state queue;
Step 55: if it was not stored before, add the new state node to the attack graph;
Step 56: if it was stored before, judge whether the attack depth of the new state node is equal to the attack depth of the previously stored new state node; if they are equal, add the new state node to the attack graph.
When a new state node is added to the attack graph, an edge with the current node as its starting point and the new state node as its end point is generated at the same time and added to the attack graph.
It should be noted here that in step 5, if attacks on at least two weaknesses on one of the other state nodes are reachable from the current node, and the vulnerability attack consequence of the at least two weaknesses is obtaining control authority over that other state node, the new state node is stored with the highest control authority that can be obtained.
Step 6: execute steps 2-5 in a loop, end the loop when the network state node queue is empty, and generate the attack graph.
After step 6 is executed, the attack graph is fully generated and is finally output.
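The generation loop of steps 1 to 6, written out as an added Python example that is not part of the patent. It assumes a constructed four-host network, a per-weakness cost table standing in for the Cost formula (which is not reproduced on this page), and a state node modelled as (host, control authority); steps 51 and 52 are read as skipping the failing weakness and moving on to the next one, and only states not seen before are enqueued.

```python
from collections import deque
# Constructed sample network (added example; not data from the patent).
CONN = {"src": {"web", "app"}, "web": {"db"}, "app": {"db"}, "db": set()}  # conn_pro
SERVICES = {"web": {"http"}, "app": {"http"}, "db": {"mysql"}}  # dst_sers (open)
# Weaknesses per host: (dst_v id, service, privilege needed on the
# attacking node, control authority gained on the target).
WEAKNESS = {
    "web": [("v1", "http", "none", "user"), ("v2", "http", "none", "root"),
            ("v9", "http", "none", "root")],          # v9 has no attack rule
    "app": [("v5", "http", "none", "user")],
    "db":  [("v3", "mysql", "user", "root"), ("v4", "ssh", "none", "root")],
}
RULE_BASE = {"v1", "v2", "v3", "v4", "v5"}              # attack rules AR
# Assumed per-weakness cost standing in for the page's Cost formula.
COST = {"v1": 2.0, "v2": 5.0, "v3": 3.0, "v4": 4.0, "v5": 1.0}
PRIV = {"none": 0, "user": 1, "root": 2}


def generate_attack_graph(source, target, max_depth, max_cost):
    """State node = (host, control authority); queue entries add depth and cost."""
    start = (source, "root")                     # attacker controls the source
    queue = deque([(start, 0, 0.0)])             # step 1
    stored = {start: 0}                          # state -> depth when first stored
    nodes, edges, skipped = {start}, set(), []   # skipped = weakness list (step 51)
    while queue:                                 # step 6: loop until queue is empty
        cur, depth, cost = queue.popleft()       # step 2
        host, priv = cur
        if host == target:                       # claim 3: stop at the destination
            return {"nodes": nodes, "edges": edges, "skipped": skipped, "reached": True}
        if depth > max_depth or cost > max_cost: # step 3: outside Max_Depth/Max_Cost
            continue
        for nb in CONN[host]:                    # step 4: hosts with a connection
            best = None                          # (gained authority, weakness id)
            for wid, service, need, gain in WEAKNESS.get(nb, []):
                if wid not in RULE_BASE:         # step 51: no attack rule
                    skipped.append(wid)
                    continue
                # step 52: dst_sers open and src_access sufficient (conn_pro holds)
                if service not in SERVICES.get(nb, set()) or PRIV[priv] < PRIV[need]:
                    continue
                if best is None or PRIV[gain] > PRIV[best[0]]:
                    best = (gain, wid)           # keep the highest control authority
            if best is None:
                continue
            new = (nb, best[0])
            ndepth, ncost = depth + 1, cost + COST[best[1]]   # step 53
            if new not in stored:                # steps 54-55: first time seen
                stored[new] = ndepth
                nodes.add(new)
                edges.add((cur, new))
                queue.append((new, ndepth, ncost))
            elif stored[new] == ndepth:          # step 56: same depth, add edge only
                edges.add((cur, new))
    return {"nodes": nodes, "edges": edges, "skipped": skipped, "reached": False}
```

With the sample data the web host yields a single root-level state (v2 outranks v1), the db state is reached at depth 2 through both web and app, so the second path contributes only an edge, and lowering max_cost or max_depth prunes the search before the destination is popped.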
When calculating the attack cost, the attack graph generation method based on the state transition network attack model of the present invention not only considers the attack complexity value Acx and the discovery risk value Dsk, but also considers the correlation between Acx and Dsk, which improves the accuracy of attack graph generation. In addition, simulation experiments show that the attack graph obtained with the embodiment of the present invention is more concise than the attack graph before the improvement, and statistics show that the calculated attack cost is closer to the cost actually paid by attackers. Therefore, the embodiment of the present invention provides an attack graph generation method of small scale, high speed, strong intuitiveness and high accuracy.
In summary, the above are merely preferred embodiments of the present invention and are not intended to limit the scope of the present invention. Any modification, equivalent replacement, improvement and the like made within the spirit and principles of the present invention shall be included within the protection scope of the present invention.

Claims (7)

1. An attack graph generation method based on a state transition network attack model, characterized by comprising:
Step 1: establish a network state node queue for the network the attacker is to attack, add the source node of the network to the network state node queue, and add the source node to the attack graph;
Step 2: when the network state node queue is non-empty, take one network state node out of the network state node queue as the current node and judge whether the current node is the destination node;
Step 3: when the current node is not the destination node, judge whether the attack depth and attack cost of the current node are within the preset maximum attack depth and maximum attack cost ranges, where the attack cost Cost is:
where: n denotes the number of nodes on the entire attack path from the source node to the attacked node j,
p_{ejl} denotes the cost of successfully attacking weakness l on attacked node j using the maximum attack access authority on attacked node j, 0 < l < u, where u is the total number of weaknesses on attacked node j,
the correlation coefficient denotes the correlation between the attack complexity value and the discovery risk value in the cost,
K (0 < K < 1) denotes the dependence coefficient of the attack process on the attacker's experience; its value is determined by expert experience,
Time denotes the number of repetitions of similar attacks in the attack process from the source node to the attacked node j,
ξ denotes the network compactness coefficient, which reflects the robustness of the network; its value is determined by expert experience;
The correlation coefficient is:
where: P_A is the attack complexity value in the cost,
P_D is the discovery risk value in the cost,
M is the number of probability statistics used to obtain the attack complexity value and the discovery risk value;
Step 4: when the attack depth and attack cost of the current node are within the maximum attack depth and maximum attack cost ranges, search all other state nodes that have a connection relationship with the current node;
Step 5: traverse and search all weaknesses on the other state nodes; if the attack on a weakness on the other state nodes is reachable from the current node, generate a new state node, add the new state node to the network state queue, and add the new state nodes that meet a preset condition to the attack graph;
Step 6: execute steps 2-5 in a loop, end the loop when the network state node queue is empty, and generate the attack graph.
2. The attack graph generation method based on a state transition network attack model according to claim 1, characterized in that, in the network state node queue, each current node includes the following attributes:
the node ID of the current node,
the node IDs of the other state nodes that have a connection relationship with the current node,
the weakness numbers on the other state nodes,
the attacker's access authority on the current node and the other state nodes,
the connection relationship between the current node and the other state nodes,
the open services on the other state nodes,
the attack depth and attack cost of the current node.
3. The attack graph generation method based on a state transition network attack model according to claim 2, characterized in that, in step 2, whether the current node is the destination node is judged according to the node ID of the current node, and when the current node is judged to be the destination node, the method terminates.
4. The attack graph generation method based on a state transition network attack model according to claim 1, characterized in that, in step 3, when the attack depth of the current node exceeds the maximum attack depth range and/or the attack cost of the current node exceeds the maximum attack cost range, step 3 ends.
5. The attack graph generation method based on a state transition network attack model according to claim 1, characterized in that, in step 4, all other state nodes having a connection relationship with the current node are searched according to the network connection relation between the current node and the other state nodes.
6. The attack graph generation method based on a state transition network attack model according to claim 1, characterized in that, in step 5, adding the new state node that meets the preset condition to the attack graph comprises:
calculating the attack depth of the new state node, the attack depth of the new state node being the attack depth of the current node plus 1;
judging whether the new state node was previously stored in the network state queue;
if it was not stored before, adding the new state node to the attack graph;
if it was stored before, judging whether the attack depth of the new state node is equal to the attack depth of the previously stored new state node, and if they are equal, adding the new state node to the attack graph.
7. The attack graph generation method based on a state transition network attack model according to claim 6, characterized in that, in step 5, if attacks on at least two weaknesses on one of the other state nodes are reachable from the current node, and the vulnerability attack consequence of the at least two weaknesses is obtaining control authority over that other state node, the new state node is generated with the highest control authority that can be obtained.
CN201610812499.5A 2016-08-30 2016-08-30 Attack drawing generating method based on state transition network network challenge model Expired - Fee Related CN106411576B (en)

Publications (2)

Publication Number Publication Date
CN106411576A CN106411576A (en) 2017-02-15
CN106411576B true CN106411576B (en) 2019-10-22

Family

ID=57999047

Family Applications (1)

Application Number Title Priority Date Filing Date
CN201610812499.5A Expired - Fee Related CN106411576B (en) 2016-08-30 2016-08-30 Attack drawing generating method based on state transition network network challenge model

Country Status (1)

Country Link
CN (1) CN106411576B (en)


Legal Events

Date Code Title Description
C06 Publication
PB01 Publication
C10 Entry into substantive examination
SE01 Entry into force of request for substantive examination
GR01 Patent grant
CF01 Termination of patent right due to non-payment of annual fee

Granted publication date: 20191022

Termination date: 20200830