CN106453217A - Network attack path behavior prediction method based on path revenue calculation - Google Patents

Network attack path behavior prediction method based on path revenue calculation Download PDF

Info

Publication number
CN106453217A
CN106453217A CN201610241075.8A CN201610241075A CN106453217A CN 106453217 A CN106453217 A CN 106453217A CN 201610241075 A CN201610241075 A CN 201610241075A CN 106453217 A CN106453217 A CN 106453217A
Authority
CN
China
Prior art keywords
node
attack
path
resource
resource node
Prior art date
Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
Granted
Application number
CN201610241075.8A
Other languages
Chinese (zh)
Other versions
CN106453217B (en
Inventor
王辉
王哲
刘琨
许辉
贺军义
张长森
闫玺玺
Current Assignee (The listed assignees may be inaccurate. Google has not performed a legal analysis and makes no representation or warranty as to the accuracy of the list.)
Henan University of Technology
Original Assignee
Henan University of Technology
Priority date (The priority date is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the date listed.)
Filing date
Publication date
Application filed by Henan University of Technology filed Critical Henan University of Technology
Priority to CN201610241075.8A priority Critical patent/CN106453217B/en
Publication of CN106453217A publication Critical patent/CN106453217A/en
Application granted granted Critical
Publication of CN106453217B publication Critical patent/CN106453217B/en
Expired - Fee Related legal-status Critical Current
Anticipated expiration legal-status Critical

Links

Classifications

    • HELECTRICITY
    • H04ELECTRIC COMMUNICATION TECHNIQUE
    • H04LTRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L63/00Network architectures or network communication protocols for network security
    • H04L63/14Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic
    • H04L63/1433Vulnerability analysis
    • HELECTRICITY
    • H04ELECTRIC COMMUNICATION TECHNIQUE
    • H04LTRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L63/00Network architectures or network communication protocols for network security
    • H04L63/02Network architectures or network communication protocols for network security for separating internal from external traffic, e.g. firewalls
    • HELECTRICITY
    • H04ELECTRIC COMMUNICATION TECHNIQUE
    • H04LTRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L63/00Network architectures or network communication protocols for network security
    • H04L63/14Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic
    • H04L63/1441Countermeasures against malicious traffic

Landscapes

  • Engineering & Computer Science (AREA)
  • Computer Security & Cryptography (AREA)
  • Computer Hardware Design (AREA)
  • Computing Systems (AREA)
  • General Engineering & Computer Science (AREA)
  • Computer Networks & Wireless Communication (AREA)
  • Signal Processing (AREA)
  • Data Exchanges In Wide-Area Networks (AREA)

Abstract

The invention provides a network attack path behavior prediction method based on path revenue calculation. The method comprises the steps of acquiring a to-be-evaluated network; acquiring all nodes in the to-be-evaluated network; calculating each ratio between revenue and cost of a path between two nodes; eliminating the paths with ratios which are smaller than one between the revenue and the cost from all the nodes, obtaining the paths after redundant path elimination as attack paths; calculating confidences of the nodes contained in the attack paths by means of a likelihood weighting algorithm; and outputting the attack paths and the confidences of the nodes contained in the attack paths. The network attack path behavior prediction method improves path prediction accuracy and can be widely applied in a network safety field.

Description

A kind of Forecasting Methodology of the network attack path behavior based on path income calculation
Technical field
The present invention relates to the Forecasting Methodology of network attack path behavior, particularly relate to a kind of based on path income calculation The Forecasting Methodology of network attack path behavior.
Background technology
The attack that computer network system faces in essence, is owing to computer system itself exists leak, And the threat of outside utilizes these leaks existing or fragility offensive attack, thus cause the generation of attack.In order to answer To the network security problem becoming increasingly conspicuous, except designing as far as possible in addition to security system, also need the fragility of coupling system to net Network is attacked and is effectively predicted and defend.
In recent years, researcher starts application Bayesian network and attack graph in the prediction of attack.Bayesian network Network has the advantages that to process uncertain data, and attack graph can assess system CVSS based on tender spots, automatically identifies possible Tender spots, and then by analyzing tender spots dependence, show all attack paths, finally play integrated estimation system and become safely The effect of gesture.Relative to attack graph, Bayesian network node and directed edge describe attack and the cause and effect of node resource depends on The relation of relying, describes uncertainty relation between node by confidence level, possesses the ability processing uncertainty relation.Thus, how will Bayesian network effectively merges with attack graph, and then Forecast attack path becomes the problem needing to solve accurately.
In a word, in prior art, with increasing of target network node, the attack path of generation exponentially increases, and Along with substantial amounts of path redundancy, and then affect the forecasting accuracy of attack path.
Content of the invention
In view of this, a kind of network attack path row based on path income calculation of offer is provided For Forecasting Methodology, improve path prediction accuracy.
In order to achieve the above object, the technical scheme that the present invention proposes is:
A kind of Forecasting Methodology of the network attack path behavior based on path income calculation, including:Obtain network to be assessed; Obtain all resource nodes in described network to be assessed and attack node;Intermediary resources node is connected with more than one forerunner Attacking node and attacking node with more than one rear-guard, starting resource node is connected with more than one rear-guard and attacks node, mesh Mark resource node is connected with more than one predecessor attack node;Wherein, resource node includes as network attack starting point Starting resource node, save with target as being positioned at start node on the target resource node of network attack impact point, network path Intermediary resources node between point;It according to network attack path, according to sequence of attack, is arranged on before the resource node being hacked And the attack node being directly connected to the resource node being hacked is as predecessor attack node, is arranged on the resource node being hacked The attack node being directly connected to below and with the resource node being hacked is as predecessor attack node;Calculate each described attack to save Ratio between path income between point and resource node and cost;From between above-mentioned all of attack node and resource node Path in remove the path less than 1 for the ratio between income and cost, obtain the path after removing redundant path, as attack Path;Utilize likelihood weighting algorithm, calculate the confidence level of contained attack node and resource node on described attack path;Output institute State the confidence level of contained attack node and resource node on attack path and described attack path.
In sum, the Forecasting Methodology based on the network attack path behavior of path income calculation of the present invention is passed through The calculating of node belief is converted into the calculating of attack cost-income by NVAG model, and by relatively low to some weights Resource node with attack node mark reduce redundant path.Further, the node identification for AND relation node, this Invention is added up mode by weights, ensure not increase redundant path and do not lose may the active path of attack on the premise of, Improve the accuracy of node belief.
Brief description
Fig. 1 is the flow chart of the Forecasting Methodology of the network attack path behavior based on path income calculation of the present invention.
Fig. 2 is network attack path NAP schematic diagram of the present invention.
Fig. 3 is the schematic diagram that the attack graph based on fragility of the present invention generates prototype.
Fig. 4 is NVAG model schematic of the present invention.
Fig. 5 is the generation process schematic of NAP of the present invention.
Fig. 6 is attack graph schematic diagram of the present invention.
Fig. 7 is NAP1 node belief of the present invention contrast schematic diagram.
Fig. 8 is NAP2 node belief of the present invention contrast schematic diagram.
Detailed description of the invention
For making the object, technical solutions and advantages of the present invention clearer, right below in conjunction with the accompanying drawings and the specific embodiments The present invention is described in further detail.
Fig. 1 is the Forecasting Methodology of the network attack path behavior based on path income calculation of the present invention.Such as Fig. 1 institute Showing, the present invention, based on the Forecasting Methodology of the network attack path behavior of path income calculation, comprises the steps:
Step 11, obtains network to be assessed.
Step 12, obtains all resource nodes in described network to be assessed and attack node;Intermediary resources node connects Having more than one predecessor attack node to attack node with more than one rear-guard, starting resource node is connected with more than one Rear-guard attacks node, and target resource node is connected with more than one predecessor attack node;Wherein, resource node includes as net Network is attacked the starting resource node of starting point, has been positioned on the target resource node of network attack impact point, network path Intermediary resources node between beginning node and destination node;It according to network attack path, according to sequence of attack, is arranged on and is hacked Resource node before and the attack node that is directly connected to the resource node being hacked as predecessor attack node, be arranged on by The attack node being directly connected to after the resource node attacked and with the resource node being hacked is as predecessor attack node.
In the present invention, network attack path NAP (Network Attack Path) is that network objectives resource is entered by assailant When row is attacked, first starting resource node is launched a offensive, change its state, then on this basis other resource nodes are entered Row is attacked.It is so repeated, until finally occupying the set of paths of destination node.As in figure 2 it is shown, assailant is from starting resource Node r1Set out, need to be through attacking node a1, intermediary resources node r2, attack node a2Or through attacking node a1, intermediary resources Node r3, expose one's past misdeeds node a2, eventually arrive at target resource node r4.Wherein, by r1、a1、r2、a2、r4The joint forming sequentially Point sequence is a NAP.Same r1、a1、r2、a2、r4This ordered nodes is also a NAP.
Step 13, calculates the ratio between the path income between each described attack node and resource node and cost; Remove the road less than 1 for the ratio between income and cost from the path between above-mentioned all of attack node and resource node Footpath, obtains the path after removing redundant path, as attack path.
Step 14, utilizes likelihood weighting algorithm, calculates putting of contained attack node and resource node on described attack path Reliability.
Step 15, exports the confidence of contained attack node and resource node on described attack path and described attack path Degree.
In the present invention, step 11 obtains the mode of assessment network as it is shown on figure 3, first, utilize network scanner to mesh Mark computer and network of relation are scanned, and the data obtaining related node fragility add system mode queue to;Secondly, System extracts any bar status information automatically in the middle of state queue, and this information is carried out information pair by network knowledge security vault module Ratio:If this information verifies as dangerous, then analyzing this information, and then determining tender spots feature, record is in tender spots list storehouse In CVSS.The present invention combines tender spots scanning tools, accelerates the unsafe factor in the middle of discovery main frame and network, improves system true Determine speed and the degree of accuracy of non-safety information.Tender spots feature in tender spots list storehouse in CVSS is carried out by intrusion feature database Extract and sum up, obtain the attack signature of non-safety information, determine its harmfulness.Finally, attack graph maker is special according to attacking Levy storehouse and generate attack graph, and export attack graph by visualization tool.
Step 13 includes:
Step 131, generates network vulnerability attack graph NVAG according to all attack nodes of described network with resource node.
Step 132, from described network vulnerability attack graph NVAG (NVAG, network vulnerability attack Graph), in, the path attacking status indicator without false is traveled through out, as attack path.
In the present invention, NVAG=(R, A, E, Val (ri), P, C) for having having of one or more AND-OR node composition To acyclic figure.Wherein, R={ri| i=0,1,2,3 ... N} is each resource node set, r0Represent starting resource node, rgRepresent Target resource node;Resource node riValue is 1 or 0, especially, ri=1 expression assailant successfully occupies this resource node, ri=0 represents unsuccessful this resource node that occupies of assailant, 1≤g≤N, and sets r0=1, g, N are integer.A={aj|j =1,2,3 ... N}, for attacking the set of node, is the AND-OR node set of a nonempty finite, node variable ajValue is True or false.E={e | e ∈ (R × A) ∪ (A × R) } represent all attack nodes and resource node in network attack map Directed edge between connection.e1=<aj, ri>∈ A × R represents ajFor for occupying resource riOccur attack, when Directed edge<aj, ri>The jth of upper generation time attacks weights ΦjWhen >=1, then directed edge;Otherwise,.e2=<riaj>∈ R × A is then contrary, represents that assailant occupies resource node riAfter again carry out attack row For aj.WhereinFor resource node assets value set, and riBy following four The key element tolerance being associated:Enterprise's secret (CS) leakage, personal information (PI) leakage, coverage (RI) and the wealth relating to Produce loss (PD).Assets value computing formula is as follows:
Here, w1, w2, w3, w4It is riThe measurement factor that resource node is associated weights shared in assets value.LCS, LPI, LRI, LPDFor reciprocity element level degree.P={p | p ∈ C1∪C2, C1For meeting attack ajSelect the bar occurring Part probability distribution, C2For attack ajSuccessful conditional probability distribution:Work as riOccupied sometimes could meet attack ajSend out Carded sliver part, now ajCan select to occur or do not attack, therefore p=(aj=ture | riOccupied) ∈ [0,1], p ∈ C1:If ajSelect attack, go to occupy ri+kResource node, occupying result is success or failure, therefore p=(ajSuccess | ajOccur Attack) ∈ [0,1], 1≤k≤N, i+k≤N and k is integer, p ∈ C2.AND relation represents all of child nodes Kid(n)Simultaneously Meet directive property condition and just can reach father node Father(n).The all of child nodes of OR relational representation meets any one refer to Tropism condition can reach father node.In conjunction with actual present invention definition, when the income of assailant's offensive attack is less than attack cost When, assailant then attacks substantially without to this target.Thus, network manager can judge to attack on this basis The attack path that the person of hitting may select, and then take effective safeguard procedures, reduce the successful probability of attack.
Step 132 includes:
Step 1321, according to the node topology order Ψ in described network vulnerability attack graph NVAG, crisp to described network Each in weak sexual assault figure NVAG is attacked node and is traveled through with resource node.
Step 1322, it is judged that attack the directed edge between node and resource node in described network vulnerability attack graph NVAG Direction.
Step 1323, if attacking node to resource node<aj, ri>Directed edge, then judge described oriented Ratio Φ between the path income on limit and costj;Wherein, i is the identification number of described resource node, and j is described attack node Identification number, ajIt is j-th attack node, riIt is i-th resource node, attack and pass through directed edge between node and resource nodeConnect, and i, j are natural number.
Step 1324, if Φj>=1, thenOtherwise, then.
Step 1325, is identified according to the attack state to described attack node for the judged result.
Step 1326, finds out and does not contains the path that false attacks status indicator, as attack path.
Wherein, the ratio between the income in described path and cost calculates according to below equation:Φj≈Gainj/Costmax; Wherein, identification number be j attack financial value Gain when node carries out network attackj=valiλjαj;Costj maxFor maximum Attack cost value;1≤j≤N, N are the total quantitys attacking node in network;valiIt is network attack ajTo riAssets value;λj It is network attack ajTo riThe control authority of obtained networking component corresponding grade weights after success;αjRefer to this attack The Land use systems of middle fragility affects coefficient to assailant's income.
Described resource node riCorresponding assets value is:vali=w1Lcs+w2LPI+w3LRI+w4LPD;Wherein, valiResource Node riThe key element tolerance that corresponding assets value is associated by following four:Enterprise secret CS reveals, personal information PI is revealed, Coverage RI and property loss PD relating to;w1, w2, w3, w4It is resource node riThe measurement factor being associated is in assets Weights shared in value;LCS, LPI, LRI, LPDFor reciprocity element level degree.
Step 132 also includes:
Step 1327, to e1The directed edge that there is AND relation in set judges, calculates more than two oriented respectively Ratio Φ between limit income and costj, it is then added, obtain ratio and ∑ Φj.Wherein, e1=<aj, ri>}∈A×R Represent and resource node riThe all attack nodes connecting are to resource node riThe attack collection of all attacks composition initiated Close;A={aj| j=1,2,3 ..., N} is for attacking the set of node;R={ri| i=0,1,2,3 ..., M} is resource node set, M is the number of resource node, and M is integer.
Step 1328, if ratio and ∑ Φj>=2, then described directed edge is labeled as true;It is otherwise labeled as false.
The directed edge being labeled as false is stored attack node set G abandoned by step 1329xIn.
Step 13210, according to attack node set G abandonedx, remove redundant path.
Step 14 includes:
Step 141, extracts n sample from the attack node and resource node of described attack path;Wherein, resource node Sample number be pRResource node R that is individual, that obtain with extractionkThe rear-guard connecting attacks node AmSample number have pAIndividual, and pR≥ pA、pR+pA<n;K, m are natural number, and k<i、m<j.
Step 142, when the attack node that sampling obtains or resource node all identify with false, then this sampling obtains The extraction weight attacking node or resource node be 0;The resource node obtaining when sampling without false mark and is initial During resource node, then the extraction weight of the resource node that this sampling obtains is 1.
Step 143, in sampling process, if sampling order is followed successively by the rear-guard that resource node is connected with resource node Attack node, then attacking of the described attack path before sampling searches the resource joint obtaining with sampling node and resource node Point RkThe all predecessor attack node A connectingm-1, and obtain the resource node R that extraction obtainskExtraction weightThe resource node R obtaining with extractionkThe rear-guard connecting attacks node AmExtraction weight ΔA=P (Am |Rk);Wherein, P (Rk|Am-1) at predecessor node Am-1In the presence of by network attack obtain extraction obtain resource joint Point RkProbability, P (Am|Rk) for extracting the resource node R obtainingkIn the presence of extraction obtain this rear-guard node AmGeneral Rate;T is natural number, and t is the resource node R obtaining with samplingkThe all predecessor attack node A connectingm-1Number;
In sampling process, if sampling order is followed successively by predecessor attack node, the resource node being connected with resource node, Then attacking of the described attack path before sampling searches the predecessor attack node A obtaining with sampling node and resource nodem-1 The all resource node R connectingk-1, and obtain the predecessor attack node A that sampling obtainsm-1Extraction weightThe predecessor attack node A obtaining with extractionm-1The resource node R connectingkExtraction weight ΔR'= P(Rk|Am-1);Wherein, P (Am-1|Rk-1) at the predecessor attack node A obtaining with samplingm-1The all resource node R connectingk-1 In the presence of extract the predecessor attack node A obtainingm-1Probability, P (Rk|Am-1) save for the predecessor attack obtaining in extraction Point Am-1In the presence of obtain the resource node R that obtains of extraction by network attackkProbability;V is natural number, and v for The predecessor attack node A that sampling obtainsm-1The all resource node R connectingk-1Number.
Step 144, if sampling order is followed successively by the rear-guard attack node that resource node is connected with resource node, then obtains Confidence level P (A | R) the ≈ Δ of contained attack node on the described attack path obtainingAR, resource node confidence level P (R | A)=ΔRA;If sampling order is followed successively by predecessor attack node, the resource node being connected with resource node, then acquire Described attack path on confidence level P ' (A | R) the ≈ Δ of contained attack nodeA′/ΔR', the confidence level P ' of resource node (R | A) =ΔR′/ΔA′.
Embodiment
In the present embodiment, NVAG model is as shown in Figure 4.Assailant is with r0As start node, with r5As destination node, Reaching destination node from start node has 3 paths.In order to clearly show that adjacent each resource node or attack relationships between nodes, this Invention uses oriented partial ordering relation collection incompatible expression attack path, i.e. NAPi=<r0, a1>,<a1, r1>,<r1, a2>...,<an, rn>, symbolization ∧ represents the AND relation between node.So, the present embodiment has three attack paths:
NAP1=<r0, a1∧a2>,<a1∧a2, r1>,<r1, a4>,<a4, r3>,<r3, a7>,<a7, r5>}.
NAP2=<r0, a3>,<r0, a1∧a2>,<a3, r2>,<r2∧<a1∧a2, r1>, a6>,<a6, r4>,<r4, a7>,< a7, r5>}.
NAP3=<r0, a3><a3, r2>,<r2, a5>,<a5, r3>,<r3, a7>,<a7, r5>}.
Attack is once to utilize process to node fragility, fragility utilize rule Rule=(Pre-resource, Vul, Post-resource).When attacking premise resource Pre-resource and meeting, can be according to fragility Vul of this node Initiate a step in a network to attack, and after assailant successfully initiates this time to attack, it is possible to obtain corresponding attack result, obtain Resource Post-resource after attack.
Pre-resource is to be obtained by the Land use systems of node fragility, utilizes the resource obtaining to combine node crisp Weak property carries out attack next time, and then obtains final goal resource.And common fragility Land use systems includes:Change control parameter MCPa, change measurement parameter MMPa, the distorting MCPr, intercept critical data information SPa, dereference server and hunt of control program Take control authority or password GPr etc..
In actual application, can forbid that undelegated people arbitrarily changes net by the rights management of different stage as shown in table 1 Network control assembly configuration, parameter and duty, it is ensured that the safety of equipment and control target.
Table 1 control authority rank and corresponding description
Attack result Post-resource=(Authority, Gain), represents the networking component control that assailant obtains Permission Levels and assailant successfully utilize the income that fragility obtains.
For the network attack of an attack path jth time, i.e. ajTo ri, its income is:Gainj=valiλjαj;Wherein, 1≤j≤N, valiIt is network attack ajTo riThe corresponding assets value of resource node;λjIt is successfully to carry out after jth time attacks, institute Obtain the control authority corresponding grade weights of networking component;αjRefer to the Land use systems of fragility in this attack to attack Person's income affect coefficient.
Gain that single successfully utilize fragility obtained is given belowjComputational methods:
First, all parameters are given with the form of grade, and carry out initial quantization.Wherein, assets value is associated Factor, grade classification is as shown in table 2.Weights can be arranged quantify to follow following partial ordering relation:PC > MCP > RE > LCC > W > R > N.The quantization that fragility Land use systems affects factor alpha should follow following partial ordering relation:MCPr > MCPa > MMPa > SPa > GPr.
Secondly, judgment matrix method is used to determine that each consequence factor corresponding to resource node is shared in assets value Weight w, selects domain expert m people, the ratio construction m's individual 4 × 4 according to the importance degree between the factor of consequence two-by-two that expert is given Judgment matrix s two-by-two(e):,
Wherein, m=10~30;E=1,2 ..., m;seElement formulaRepresent the consequence attribute w that expert e providespRelatively In consequence attribute wqSignificance level.According to the individual judgment matrix { s two-by-two of the m obtaining(1), s(2)..., s(m)After }, geometry is used to put down Equal method carries out comprehensively obtaining synthetical matrix S, and the element of S isP, q=1,2,3,4.
Finally, characteristic value Sw=γ is solvedmaxMain characteristic vector w is normalized, so that it may obtain consequence attribute weight coefficient by w Vector w '=(w1, w2, w3, w4)T.Thus obtain w1, w2, w3, w4.
Tender spots is attacked cost and is mainly determined by three factors:Attack degree of difficulty D, hidden degree H of fragility and attack Hit the time T successfully spending.The attack cost of single tender spots can be expressed as Costj1D+β2H+β3T, wherein β1,, β2, β3 For the relative weight of corresponding factor, specifically can choose according to actual conditions.The present invention sets maximum attack cost Costj max, with Select the path of high yield, and bigger probability determines redundant path;Meanwhile, the attack degree of depth can be limited, decrease insignificant Attack path.
Before network attack is implemented, can the attack against each other income-cost of beat time point of assailant is estimated analyzing, and uses following formula to sentence The feasibility of this sub-attack path disconnected:
Wherein, feasibility Φ is attacked in pathjIt is the ratio that assailant attacks income and intrusion scene.Only work as Φj>=1, i.e. When assailant can obtain income more than or equal to the cost oneself paid, assailant just can carry out attack at this paths, Final acquisition target of attack.
The present invention shows the generation process of NAP described in the inventive method as a example by Fig. 5.Attack graph according to Fig. 5, this Attack node each in attack graph, resource node are traveled through by invention by node topology order Ψ:First, it is determined that the side of directed edge To being whether to attack node to resource node<aj, ri>Directed edge, if then carrying out the judgement of weights, as weights Φj>=1, then;Otherwise,, and be identified this resource node for false.If, then this attack a is meanedjAbandon.
For attack graph as shown in Figure 4, traditional Bayesian inference likelihood weighting algorithm is used to calculate the confidence of node Degree, result of calculation is shown in Table 3;Here, effective sample number 5000 is tested;C represents C1=0.5 and C2=0.8, d represent C1=0.8 And C2=0.5;P (r0)~P (r5) represents starting resource node r0, intermediary resources node r1~r4, target resource node respectively The confidence level of r5;P ' (a1)~P ' (a7) represents the confidence level attacking node a1~a7 respectively.
Table 3 tradition Bayesian inference result
P(r0) P‘(a1) P’(a2) P’(a3) P(r1) P(r2) P’(a4) P’(a5) P’(a6) P(r3) P(r4) P’(a7) P(r5)
c 1 0.47 0.45 0.49 0.14 0.41 0.07 0.21 0.03 0.24 0.02 0.15 0.13
d 1 0.75 0.77 0.79 0.16 0.39 0.14 0.31 0.05 0.23 0.03 0.21 0.11
As a example by weighting parameter given in the attack graph shown in Fig. 6, use each resource that the method for the invention obtains Node, the confidence level of attack node are shown in Table 4;Here, testing effective sample number is 5000.
Each node belief that table 4 the inventive method obtains
P(r0) P‘(a1) P’(a2) P’(a3) P(r1) P(r2) P’(a4) P’(a5) P’(a6) P(r3) P(r4) P’(a7) P(r5)
c 1 0.43 0.47 0.45 0.13 0.36 0.05 0.18 0 0.19 0 0.11 0.09
d 1 0.74 0.76 0.77 0.15 0.39 0.12 0.21 0 0.17 0 0.14 0.06
The contrast of data in table can be obtained each resource node, the confidence level attacking node that two kinds of methods acquire Situation of change.For the change of observed data more intuitively, with path NAP1And NAP2As a example by, draw out node belief and become Changing in figure difference Fig. 7, Fig. 8 as shown in Figure 7, Figure 8, abscissa all represents each resource node and attacks node, and ordinate all represents Each resource node, the attack corresponding confidence level of node, Ta represents node belief change when traditional algorithm condition is c, and Tb is then Representing the change of node belief when traditional algorithm condition is d, it is different c, d two kinds that Ia with Ib then illustrates the inventive method Under the conditions of node belief change.
By Fig. 7 and 8 it can be seen that the node belief that algorithms of different obtains is different:The inventive method has confidence Degree is the node of 0, and in conventional method, confidence level is not the node of 0.Use the target resource node that the inventive method obtains Confidence level substantially low than the confidence level of target resource node using conventional method to obtain.This is owing to conventional method does not considers To path redundancy problem and income-Cost Problems, all paths can be selected to carry out attacking for it so that the confidence of target resource node Spend higher;And the inventive method solves path redundancy problem and income-Cost Problems simultaneously, assailant can select to oneself Beneficial or the superseded attack path nonsensical to oneself so that the confidence level of target nature node is relatively low.
The present invention also has an improvement, in conjunction with in the table 4 that the weighting parameter given in the attack graph shown in Fig. 6 obtains Data, it can be observed that, the node belief of a2 is not 0, here it is another of the present invention improves, AND node is designated The premise of false is no longer only to calculate the weights on a limit, and is by two even more polygon weights and adds up, and then judges Whether carry out " abandoning attacking ".
The invention have the advantages that:(1) prediction of attack and defence is always network safety filed research Focus, attack graph combines node fragility as the effective Forecasting Methodology of one, the present invention, by definition NVAG model, enter And the calculating of node belief is converted into the calculating of attack cost-income, by entering the node that some weights are relatively low Line identifier, further reduces redundant path.Incorporate the reasoning algorithm of Bayesian network on this basis, utilize prior probability meter Calculate posterior probability, further increase the accuracy of node belief.
(2), in improved likelihood weighting algorithm, for the node identification problem of AND relation node, the present invention proposes power The cumulative mode of value solves, and i.e. will not increase redundant path, and will not let slip the active path that assailant may select.Real Test result show the present invention work can more effective Forecast attack path and calculate node belief, and then reduce insincere Path redundancy, provide good preventative strategies for network security management.It is to say, not only effectively reduce redundant path, It also avoid attacking ignoring of leak of AND relation node, and then effectively increase the accuracy of path prediction.
In sum, these are only presently preferred embodiments of the present invention, be not intended to limit protection scope of the present invention. All within the spirit and principles in the present invention, any modification, equivalent substitution and improvement etc. made, should be included in the present invention's Within protection domain.

Claims (8)

1. the Forecasting Methodology based on the network attack path behavior of path income calculation, it is characterised in that include:
Obtain network to be assessed;
Obtain all resource nodes in described network to be assessed and attack node;Intermediary resources node is connected with more than one Predecessor attack node attacks node with more than one rear-guard, and starting resource node is connected with more than one rear-guard and attacks joint Point, target resource node is connected with more than one predecessor attack node;Wherein, resource node includes initiateing as network attack It the starting resource node of point, on the target resource node of network attack impact point, network path, is positioned at start node and mesh Intermediary resources node between mark node;It according to network attack path, according to sequence of attack, is arranged on the resource node being hacked The attack node above and with the resource node being hacked being directly connected to, as predecessor attack node, is arranged on the resource being hacked The attack node being directly connected to after node and with the resource node being hacked is as predecessor attack node;
Calculate the ratio between the path income between each described attack node and resource node and cost;From above-mentioned all of Attack and the path between node and resource node is removed the path less than 1 for the ratio between income and cost, obtain removing superfluous Path behind remaining path, as attack path;
Utilize likelihood weighting algorithm, calculate the confidence level of contained attack node and resource node on described attack path;
Export the confidence level of contained attack node and resource node on described attack path and described attack path.
2. method according to claim 1, it is characterised in that described calculating each described attack node and resource node it Between path income and cost between ratio;Remove from the path between above-mentioned all of attack node and resource node and receive The path less than 1 for the ratio between benefit and cost, obtains the path after removing redundant path, as the step bag of attack path Include:
Generate network vulnerability attack graph NVAG according to all attack nodes of described network with resource node;
From described network vulnerability attack graph NVAG, travel through out and do not contain the path attacking status indicator false, as attack Path.
3. method according to claim 2, it is characterised in that described from described network vulnerability attack graph NVAG, time Going through out and not containing the path attacking status indicator false, the step as attack path includes:
According to the node topology order Ψ in described network vulnerability attack graph NVAG, to described network vulnerability attack graph NVAG In each attack node travel through with resource node;
Judge described network vulnerability attack graph NVAG is attacked the direction of each directed edge between node and resource node;
If attacking node to resource node<aj, ri>Directed edgeThen judge the path income of described directed edge And the ratio Φ between costj;Wherein, i is the identification number of described resource node, and j is the identification number of described attack node, ajFor Attack node, r j-thiIt is i-th resource node, attack and pass through directed edge between node and resource nodeEven Connect, and i, j are natural number;
If Φj>=1, thenOtherwise, then
It is identified according to the attack state to described attack node for the judged result;
Find out and do not contain the path that false attacks status indicator, as attack path.
4. method according to claim 3, it is characterised in that the path of described directed edge is benefited and the ratio between cost For:Φj=Gainj/Costj max;Wherein, GainjCarry out financial value during network attack for the attack node that identification number is j; Costj maxFor maximum attack cost value.
5. method according to claim 4, it is characterised in that Gainj=valiλjαjWherein, 1≤j≤N, N are in network Attack the total quantity of node;valiIt is network attack ajTo riAssets value;λjIt is network attack ajTo riObtained after success The control authority corresponding grade weights of networking component;αjRefer to that assailant is received by the Land use systems of fragility in this attack Beneficial affects coefficient.
6. method according to claim 5, it is characterised in that described resource node riCorresponding assets value is:vali= w1Lcs+w2LPI+w3LRI+w4LPD;Wherein, resource node riCorresponding assets value valiThe key element degree being associated by following four Amount:Enterprise's secret CS leakage, the leakage of personal information PI, coverage RI and property loss PD relating to;w1, w2, w3, w4 It is resource node riThe measurement factor being associated weights shared in assets value;LCS, LPI, LRI, LPDFor reciprocity key element etc. Stage.
7. method according to claim 2, it is characterised in that from described network vulnerability attack graph NVAG, travel through out Not containing false and attacking the path of status indicator, the step as screening attack path also includes:
Gather e to attacking1The middle directed edge that there is AND relation judges, calculates directed edge income and the generation of more than two respectively Ratio Φ between valencyj, it is then added, obtain ratio and ∑ Φj
If ratio and ∑ Φj>=2, then described directed edge is labeled as true;It is otherwise labeled as false;
The directed edge being labeled as false is stored attack node set G abandonedxIn;
According to attack node set G abandonedx, remove redundant path;
Wherein, e1=<aj, ri>∈ A × R represents and resource node riThe all attack nodes connecting are to resource node riInitiate All attacks composition attack set;A={aj| j=1,2,3 ..., N} is for attacking the set of node;R={ri| i= 0,1,2,3 ..., M} is resource node set, and M is the number of resource node, and M is integer.
8. method according to claim 7, it is characterised in that described utilize likelihood weighting algorithm, calculates described attack road On footpath, contained attack node includes with the step of the confidence level of resource node:
N sample is extracted from the attack node and resource node of described attack path;Wherein, the sample number of resource node is pR Resource node R that is individual, that obtain with extractionkThe rear-guard connecting attacks node AmSample number have pAIndividual, and pR≥pA、pR+pA< n; K, m are natural number, and k < i, m < j;
When the attack node that obtains of sampling or resource node all identify with false, then the attack node that this sampling obtains or The extraction weight of resource node is 0;When the resource node that sampling obtains identifies without false and is starting resource node, The extraction weight of the resource node that then this sampling obtains is 1;
In sampling process, if sampling order is followed successively by the rear-guard attack node that resource node is connected with resource node, then from The resource node R obtaining with sampling is searched in attacking of described attack path before sampling in node and resource nodekThe institute connecting There is predecessor attack node Am-1, and obtain the resource node R that extraction obtainskExtraction weightWith take out Obtain the resource node R arrivingkThe rear-guard connecting attacks node AmExtraction weight ΔA=P (Am|Rk);Wherein, P (Rk|Am-1) be At predecessor node Am-1In the presence of obtain the resource node R that obtains of extraction by network attackkProbability, P (Am|Rk) be The resource node R that extraction obtainskIn the presence of extraction obtain this rear-guard node AmProbability;T is natural number, and t is and takes out The resource node R that sample obtainskThe all predecessor attack node A connectingm-1Number;
In sampling process, if sampling order is followed successively by predecessor attack node, the resource node being connected with resource node, then from The predecessor attack node A obtaining with sampling is searched in attacking of described attack path before sampling in node and resource nodem-1Connect All resource node Rk-1, and obtain the predecessor attack node A that sampling obtainsm-1Extraction weightThe predecessor attack node A obtaining with extractionm-1The resource node R connectingkExtraction weight ΔR’ =P (Rk|Am-1);Wherein, P (Am-1|Rk-1) at the predecessor attack node A obtaining with samplingm-1The all resource nodes connecting Rk-1In the presence of extract the predecessor attack node A obtainingm-1Probability, P (Rk|Am-1) attack for the forerunner obtaining in extraction Beat time point Am-1In the presence of obtain the resource node R that obtains of extraction by network attackkProbability;V is natural number, and v For the predecessor attack node A obtaining with samplingm-1The all resource node R connectingk-1Number;
If sampling order is followed successively by the rear-guard attack node that resource node is connected with resource node, then acquire is described Confidence level P (A | R) the ≈ Δ of contained attack node on attack pathAR, confidence level P (R | the A)=Δ of resource nodeRA; If sampling order is followed successively by predecessor attack node, the resource node being connected with resource node, the then described attack acquiring Confidence level P ' (A | R) the ≈ Δ of contained attack node on pathA′/ΔR', the confidence level P ' of resource node (R | A)=ΔR′/ ΔA′.
CN201610241075.8A 2016-04-13 2016-04-13 A kind of prediction technique of the network attack path behavior based on path income calculation Expired - Fee Related CN106453217B (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN201610241075.8A CN106453217B (en) 2016-04-13 2016-04-13 A kind of prediction technique of the network attack path behavior based on path income calculation

Applications Claiming Priority (1)

Application Number Priority Date Filing Date Title
CN201610241075.8A CN106453217B (en) 2016-04-13 2016-04-13 A kind of prediction technique of the network attack path behavior based on path income calculation

Publications (2)

Publication Number Publication Date
CN106453217A true CN106453217A (en) 2017-02-22
CN106453217B CN106453217B (en) 2019-10-25

Family

ID=58183484

Family Applications (1)

Application Number Title Priority Date Filing Date
CN201610241075.8A Expired - Fee Related CN106453217B (en) 2016-04-13 2016-04-13 A kind of prediction technique of the network attack path behavior based on path income calculation

Country Status (1)

Country Link
CN (1) CN106453217B (en)

Cited By (16)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN107194069A (en) * 2017-05-23 2017-09-22 浙江工业大学 Link prediction method based on Bayesian estimation and great node benefit
CN107528850A (en) * 2017-09-05 2017-12-29 西北大学 A kind of optimal prevention policies analysis system and method based on improvement ant group algorithm
CN107767258A (en) * 2017-09-29 2018-03-06 新华三大数据技术有限公司 Risk of Communication determines method and device
CN108429728A (en) * 2017-09-05 2018-08-21 河南理工大学 A kind of attack path prediction technique based on time gain compensation
CN108629474A (en) * 2017-03-24 2018-10-09 北京航天计量测试技术研究所 Flow safety evaluation method based on attack graph model
CN108965035A (en) * 2018-09-13 2018-12-07 南京信息工程大学 A kind of attack path prediction technique based on attack gain
CN110472419A (en) * 2019-07-18 2019-11-19 北京理工大学 A kind of network security risk evaluation method based on loss effect
CN110557393A (en) * 2019-09-05 2019-12-10 腾讯科技(深圳)有限公司 network risk assessment method and device, electronic equipment and storage medium
CN110868376A (en) * 2018-11-29 2020-03-06 北京安天网络安全技术有限公司 Method and device for determining vulnerable asset sequence in network environment
CN110868377A (en) * 2018-12-05 2020-03-06 北京安天网络安全技术有限公司 Method and device for generating network attack graph and electronic equipment
CN111222159A (en) * 2019-12-30 2020-06-02 中国电子科技集团公司第三十研究所 Cloud platform data leakage path identification method based on graph computing technology
CN111818055A (en) * 2020-07-09 2020-10-23 西安电子科技大学 Network attack path analysis method based on dynamic feedback
CN112235283A (en) * 2020-10-10 2021-01-15 南方电网科学研究院有限责任公司 Vulnerability description attack graph-based network attack evaluation method for power engineering control system
CN112804208A (en) * 2020-12-30 2021-05-14 北京理工大学 Network attack path prediction method based on attacker characteristic index
CN114362990A (en) * 2021-11-12 2022-04-15 安天科技集团股份有限公司 Attack path determination method and device, electronic equipment and readable storage medium
CN114710367A (en) * 2022-06-01 2022-07-05 武汉极意网络科技有限公司 Method and device for determining barrier cost of network flow and electronic equipment

Citations (4)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN104301318A (en) * 2014-10-15 2015-01-21 北京国信灵通网络科技有限公司 Network reconnection method and device used for instant messaging application
CN104348652A (en) * 2013-08-06 2015-02-11 南京理工大学常熟研究院有限公司 Method and device for evaluating system security based on correlation analysis
CN104539601A (en) * 2014-12-19 2015-04-22 北京航空航天大学 Reliability analysis method and system for dynamic network attack process
CN104750929A (en) * 2015-03-30 2015-07-01 华南理工大学 Rail transit service efficiency invulnerability measurement method combining network point right

Patent Citations (4)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN104348652A (en) * 2013-08-06 2015-02-11 南京理工大学常熟研究院有限公司 Method and device for evaluating system security based on correlation analysis
CN104301318A (en) * 2014-10-15 2015-01-21 北京国信灵通网络科技有限公司 Network reconnection method and device used for instant messaging application
CN104539601A (en) * 2014-12-19 2015-04-22 北京航空航天大学 Reliability analysis method and system for dynamic network attack process
CN104750929A (en) * 2015-03-30 2015-07-01 华南理工大学 Rail transit service efficiency invulnerability measurement method combining network point right

Non-Patent Citations (1)

* Cited by examiner, † Cited by third party
Title
王辉等: "基于贝叶斯推理的攻击路径预测研究", 《计算机应用研究》 *

Cited By (26)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN108629474A (en) * 2017-03-24 2018-10-09 北京航天计量测试技术研究所 Flow safety evaluation method based on attack graph model
CN108629474B (en) * 2017-03-24 2021-11-12 北京航天计量测试技术研究所 Process safety assessment method based on attack graph model
CN107194069A (en) * 2017-05-23 2017-09-22 浙江工业大学 Link prediction method based on Bayesian estimation and great node benefit
CN108429728B (en) * 2017-09-05 2020-11-06 河南理工大学 Attack path prediction method based on time gain compensation
CN107528850A (en) * 2017-09-05 2017-12-29 西北大学 A kind of optimal prevention policies analysis system and method based on improvement ant group algorithm
CN108429728A (en) * 2017-09-05 2018-08-21 河南理工大学 A kind of attack path prediction technique based on time gain compensation
CN107767258A (en) * 2017-09-29 2018-03-06 新华三大数据技术有限公司 Risk of Communication determines method and device
CN107767258B (en) * 2017-09-29 2021-07-02 新华三大数据技术有限公司 Risk propagation determination method and device
CN108965035A (en) * 2018-09-13 2018-12-07 南京信息工程大学 A kind of attack path prediction technique based on attack gain
CN108965035B (en) * 2018-09-13 2021-06-29 南京信息工程大学 Attack path prediction method based on attack gain
CN110868376A (en) * 2018-11-29 2020-03-06 北京安天网络安全技术有限公司 Method and device for determining vulnerable asset sequence in network environment
CN110868377A (en) * 2018-12-05 2020-03-06 北京安天网络安全技术有限公司 Method and device for generating network attack graph and electronic equipment
CN110472419A (en) * 2019-07-18 2019-11-19 北京理工大学 A kind of network security risk evaluation method based on loss effect
CN110472419B (en) * 2019-07-18 2021-04-16 北京理工大学 Network security risk assessment method based on loss effect
CN110557393A (en) * 2019-09-05 2019-12-10 腾讯科技(深圳)有限公司 network risk assessment method and device, electronic equipment and storage medium
CN111222159B (en) * 2019-12-30 2022-07-05 中国电子科技集团公司第三十研究所 Cloud platform data leakage path identification method based on graph computing technology
CN111222159A (en) * 2019-12-30 2020-06-02 中国电子科技集团公司第三十研究所 Cloud platform data leakage path identification method based on graph computing technology
CN111818055A (en) * 2020-07-09 2020-10-23 西安电子科技大学 Network attack path analysis method based on dynamic feedback
CN112235283A (en) * 2020-10-10 2021-01-15 南方电网科学研究院有限责任公司 Vulnerability description attack graph-based network attack evaluation method for power engineering control system
CN112235283B (en) * 2020-10-10 2022-11-11 南方电网科学研究院有限责任公司 Vulnerability description attack graph-based network attack evaluation method for power engineering control system
CN112804208B (en) * 2020-12-30 2021-10-22 北京理工大学 Network attack path prediction method based on attacker characteristic index
CN112804208A (en) * 2020-12-30 2021-05-14 北京理工大学 Network attack path prediction method based on attacker characteristic index
CN114362990A (en) * 2021-11-12 2022-04-15 安天科技集团股份有限公司 Attack path determination method and device, electronic equipment and readable storage medium
CN114362990B (en) * 2021-11-12 2023-08-29 安天科技集团股份有限公司 Attack path determining method and device, electronic equipment and readable storage medium
CN114710367A (en) * 2022-06-01 2022-07-05 武汉极意网络科技有限公司 Method and device for determining barrier cost of network flow and electronic equipment
CN114710367B (en) * 2022-06-01 2022-08-02 武汉极意网络科技有限公司 Method and device for determining barrier cost of network flow and electronic equipment

Also Published As

Publication number Publication date
CN106453217B (en) 2019-10-25

Similar Documents

Publication Publication Date Title
CN106453217A (en) Network attack path behavior prediction method based on path revenue calculation
CN112348204B (en) Safe sharing method for marine Internet of things data under edge computing framework based on federal learning and block chain technology
Wang et al. Improving robustness to model inversion attacks via mutual information regularization
CN111835707B (en) Malicious program identification method based on improved support vector machine
CN112785157B (en) Risk identification system updating method and device and risk identification method and device
Fan et al. Jointly attacking graph neural network and its explanations
US11977626B2 (en) Securing machine learning models against adversarial samples through backdoor misclassification
CN109714364A (en) A kind of network security defence method based on Bayes&#39;s improved model
Khayyambashi et al. An approach for detecting profile cloning in online social networks
CN110472419A (en) A kind of network security risk evaluation method based on loss effect
CN114491541B (en) Automatic arrangement method of safe operation script based on knowledge graph path analysis
CN107231345A (en) Networks congestion control methods of risk assessment based on AHP
Laptiev et al. Dynamic model of cyber defense diagnostics of information systems with the use of fuzzy technologies
CN111881439B (en) Recognition model design method based on antagonism regularization
CN114417427A (en) Deep learning-oriented data sensitivity attribute desensitization system and method
Li et al. Network security situation assessment method based on Markov game model
Om Kumar et al. Intrusion detection model for IoT using recurrent kernel convolutional neural network
CN115883261A (en) ATT and CK-based APT attack modeling method for power system
Choi et al. PIHA: Detection method using perceptual image hashing against query-based adversarial attacks
Dondo A vulnerability prioritization system using a fuzzy risk analysis approach
CN111125747B (en) Commodity browsing privacy protection method and system for commercial website user
Chen et al. Unsupervised anomaly detection & diagnosis: A stein variational gradient descent approach
Alvar et al. Membership privacy protection for image translation models via adversarial knowledge distillation
Hu et al. VeriDIP: Verifying Ownership of Deep Neural Networks through Privacy Leakage Fingerprints
CN113378985A (en) Countermeasure sample detection method and device based on layer-by-layer correlation propagation

Legal Events

Date Code Title Description
C06 Publication
PB01 Publication
C10 Entry into substantive examination
SE01 Entry into force of request for substantive examination
GR01 Patent grant
GR01 Patent grant
CF01 Termination of patent right due to non-payment of annual fee

Granted publication date: 20191025

Termination date: 20200413

CF01 Termination of patent right due to non-payment of annual fee
DD01 Delivery of document by public notice

Addressee: Yang Xiaobang

Document name: Notice of termination of patent right

DD01 Delivery of document by public notice