CN107835153B - Vulnerability situation data fusion method - Google Patents

Vulnerability situation data fusion method

Info

Publication number: CN107835153B
Application number: CN201710909464.8A
Authority: CN (China)
Other languages: Chinese (zh)
Other versions: CN107835153A
Legal status: Active
Inventors: 陶晓玲, 刘丽燕, 亢蕊楠, 王勇, 刘洋, 周理胜
Current assignee: Guilin University of Electronic Technology
Original assignee: Guilin University of Electronic Technology

Classifications (CPC)

    • H04L63/1433 Vulnerability analysis (under H04L63/14, network security for detecting or protecting against malicious traffic)
    • H04L41/145 Network analysis or design involving simulating, designing, planning or modelling of a network
    • H04L63/1416 Event detection, e.g. attack signature detection (under H04L63/1408, monitoring network traffic)
    • H04L63/1425 Traffic logging, e.g. anomaly detection (under H04L63/1408, monitoring network traffic)


Abstract

The invention discloses a vulnerability situation data fusion method. By constructing a vulnerability data ontology, the concepts of vulnerabilities and the relations between those concepts are clearly defined, and the inconsistency between heterogeneous data acquired by different acquisition tools is effectively eliminated. Because different scanning tools differ in the vulnerability evidence they provide, and the trust placed in that evidence differs, the vulnerability situation data scanned by different tools are fused with a weighting-based D-S evidence theory method in which the relative weight used in the fusion represents the trust degree of each detection tool, so that the fusion result reflects the real situation; better results are obtained when multiple pieces of evidence conflict.

Description

Vulnerability situation data fusion method
Technical Field
The invention relates to the technical field of network security, in particular to a vulnerability situation data fusion method.
Background
With the rapid development of internet technology, networks have gradually become an indispensable part of people's lives, and network threats are increasingly serious. Various security devices are used to detect attack events in a network, but most of them work independently, so network security managers cannot timely and accurately perceive the state of the whole network. Network security situation awareness technology emerged in this context.
Network security situation awareness means that massive, multi-source, heterogeneous security data are fused to form specific situation information, the corresponding conditions are judged through integrated analysis, and future development trends are predicted. Vulnerability data refers to vulnerability information present in hardware device implementation, software security configuration strategy and protocol design; an attacker can use it to achieve illegal intrusion and damage, so vulnerability data is one of the main data sources for network security situation awareness. However, on the one hand vulnerability data is multi-source and heterogeneous, and on the other hand different security devices have different detection capabilities, with corresponding problems of missed reports and false reports. Therefore, an efficient and extensible vulnerability data fusion method is urgently needed to better serve situation assessment and situation prediction in network security situation awareness.
Disclosure of Invention
The invention provides a vulnerability situation data fusion method based on an ontology and a weighted D-S evidence theory, so that situation assessment and situation prediction in network security situation awareness can be better served.
To solve the above problems, the invention is realized by the following technical scheme:
A vulnerability situation data fusion method comprises the following steps:
step 1, classifying and describing network vulnerability information resources with an ontology, establishing a hierarchical relationship of the resource description, and normalising the network vulnerability information resources detected by different tools into a unified representation to obtain a network vulnerability ontology;
step 2, according to the different detection capabilities of the various detection tools, assigning a relative weight to each detection tool and giving a first decision threshold and a second decision threshold;
step 3, according to the network vulnerability ontology obtained in step 1, performing basic probability assignment for each detection tool using each specific CVE number in the related attributes of the vulnerability and the severity of the vulnerability, to obtain each detection tool's basic probabilities for each specific CVE number, namely the basic probability that the vulnerability exists, the basic probability that the vulnerability does not exist and the basic probability that the vulnerability is unknown;
step 4, according to the relative weights given in step 2, weighting the 3 basic probabilities of each detection tool obtained in step 3 for each specific CVE number, to obtain each detection tool's weighted probabilities for each specific CVE number, namely the weighted probability of vulnerability existence, the weighted probability of vulnerability nonexistence and the weighted probability of vulnerability unknown;
step 5, fusing the 3 weighted probabilities of the detection tools obtained in step 4 for each specific CVE number with a pairwise cross fusion calculation according to the synthesis rule of D-S evidence theory, so that the vulnerability information of all detection tools is fused for each specific CVE number and a fusion probability is obtained for each specific CVE number, namely the fusion probability of vulnerability existence, the fusion probability of vulnerability nonexistence and the fusion probability of vulnerability unknown;
step 6, constructing a filtering rule and applying it to the 3 fusion probabilities for each specific CVE number obtained in step 5; the filtering rule is satisfied when, simultaneously, the fusion probability that the vulnerability exists is greater than the first decision threshold, the fusion probability that the vulnerability is unknown is less than the second decision threshold, and the fusion probability that the vulnerability exists is greater than the fusion probability that it does not exist; if the filtering rule is satisfied, the vulnerability exists; if it is not satisfied, the vulnerability does not exist.
The substeps of step 1 above are as follows:
step 1-1, designing the network vulnerability ontology structure as a multilayer structure;
step 1-2, starting a corresponding Map function for each network node, where each Map function takes the key-value pair <network identifier, network IP address> as input;
step 1-3, the Map function operates on the network node according to its IP address, collects the related information of the node, calls a network vulnerability collection tool to capture the network vulnerability information, and passes the collected network vulnerability information to the Combiner as an intermediate result;
step 1-4, the Combiner takes <network identifier, network vulnerability information> as the key-value pair and sends the collected network vulnerability information to a Reduce function;
step 1-5, generating the network vulnerability ontology through the Reduce function of MapReduce.
In step 1-1, the first layer of the designed multilayer network vulnerability ontology records the vulnerability information; the next layer below the vulnerability information records the vulnerability-related attribute information, the vulnerability carrier information, the method used to detect the vulnerability, the vulnerability detection result, the solution for each vulnerability and the tool used to scan for the vulnerability; the next layer below the vulnerability-related attributes records the severity of the vulnerability, the name of the vulnerability, the Common Vulnerability Scoring System score, the summary of the vulnerability and the number of the existing vulnerability; the vulnerability carrier information records software, operating system, protocol, host and port.
The substeps of step 1-5 above are as follows:
step 1-5-1, creating a new network vulnerability ontology model in the Reduce function;
step 1-5-2, the Reduce function parses the network vulnerability information resources passed in from the intermediate result with <network identifier, network vulnerability information> as key-value pairs, extracts the resources that need ontology description and maps them to the corresponding positions in the network vulnerability ontology structure designed in step 1-1;
step 1-5-3, the Reduce function establishes the basic concepts of the network vulnerability ontology according to the structure designed in step 1-1, namely vulnerability situation data information, the related attribute information of the vulnerability situation data, the carrier information of the vulnerability situation data, the method used to detect the vulnerability situation data, the detection result of the vulnerability situation data, the solution for each vulnerability situation data, the tool used to scan for the vulnerability situation data, the severity of the vulnerability situation data, the name of the vulnerability situation data, the common vulnerability scoring system, the summary of the vulnerability situation data, the numbers of the existing vulnerability situation data, software, operating system, protocol, host and port;
step 1-5-4, the Reduce function populates the basic concepts of the network vulnerability ontology from the network vulnerability information resources extracted in step 1-5-2, adding for each basic concept the vulnerability situation data instances and the relationships between each instance and the basic concept, where each vulnerability situation data instance corresponds to one specific vulnerability situation data item;
step 1-5-5, the Reduce function stores the constructed ontology model in the Hadoop distributed file system as a Web Ontology Language (OWL) file.
In step 5, when the 3 weighted probabilities of each detection tool for each specific CVE number obtained in step 4 are fused pairwise with the synthesis rule of D-S evidence theory, a sequentially nested fusion is adopted across the detection tools, chained from front to back; namely:
first, the 3 weighted probabilities of the second detection tool and the 3 weighted probabilities of the first detection tool are cross-fused pairwise to obtain the 3 probabilities of the first fusion;
then the 3 weighted probabilities of the third detection tool and the 3 probabilities of the first fusion are cross-fused pairwise to obtain the 3 probabilities of the second fusion;
then the 3 weighted probabilities of the fourth detection tool and the 3 probabilities of the second fusion are cross-fused pairwise to obtain the 3 probabilities of the third fusion;
by analogy, the 3 weighted probabilities of the ith detection tool and the 3 probabilities of the (i-2)th fusion are cross-fused pairwise to obtain the 3 probabilities of the (i-1)th fusion;
finally, the 3 weighted probabilities of the Nth detection tool and the 3 probabilities of the (N-2)th fusion are cross-fused pairwise to obtain the 3 probabilities of the (N-1)th fusion, which are the final fusion probabilities required, namely the fusion probability of vulnerability existence, the fusion probability of vulnerability nonexistence and the fusion probability of vulnerability unknown;
where i = 3, 4, …, N and N is the number of detection tools.
In step 5, during the first pairwise cross fusion, the formulas for obtaining the 3 probabilities of the first fusion from the 3 weighted probabilities of the second detection tool and the 3 weighted probabilities of the first detection tool are:
[three formula images not reproduced]
where K1 above is the first conflict information:
[formula image not reproduced]
In step 5, during each subsequent pairwise cross fusion after the first, the formulas for obtaining the 3 probabilities of the (i-1)th fusion from the 3 weighted probabilities of the ith detection tool and the 3 probabilities of the (i-2)th fusion are:
[three formula images not reproduced]
where K(i-1) above is the (i-1)th conflict information:
[formula image not reproduced]
Because the pairwise cross fusion probability formulas contain the term
[formula image not reproduced]
when the conflict information K between the two pieces of evidence equals 1 in the first pairwise cross fusion, the two sets of probabilities cannot be combined with the synthesis rule of D-S evidence theory; in that case the 3 weighted probabilities of the second detection tool are discarded and the subsequent fusion continues. Likewise, when K equals 1 in a subsequent pairwise cross fusion, the two sets of probabilities cannot be combined with the D-S synthesis rule, and the 3 weighted probabilities of the ith detection tool are discarded before the fusion continues.
Compared with the prior art, the vulnerability situation data fusion method has the following advantages:
1. by constructing the vulnerability data ontology, the concepts of the vulnerability and the relationships among them are clearly defined, and the inconsistency among heterogeneous data acquired by different acquisition tools is effectively eliminated;
2. the differences between scanning tools in the vulnerability evidence they provide, and in the trust placed in that evidence, are taken into account: the vulnerability situation data scanned by different tools are fused with a weighting-based D-S evidence theory method in which the relative weight represents the trust degree of each detection tool, so that the fusion result reflects the real situation;
3. better results are obtained when multiple pieces of evidence conflict.
Drawings
FIG. 1 is a general flow diagram of an embodiment of the vulnerability situation data fusion method;
FIG. 2 is a schematic diagram of a network vulnerability ontology construction;
FIG. 3 is a block diagram of a network vulnerability ontology;
FIG. 4 is a histogram of a single detection tool versus a weighted D-S evidence theory fusion effect;
FIG. 5 is a histogram comparing the effects of the fusion method of the D-S evidence theory and the weighted D-S evidence theory.
Detailed Description
In order to make the objects, technical solutions and advantages of the present invention more apparent, the present invention is further described in detail below with reference to the accompanying drawings in conjunction with specific examples.
The experimental data used in this embodiment of the vulnerability situation data fusion method were mainly obtained by scanning the network equipment, operating systems, databases, application services and so on of an attack environment set up in a laboratory with the detection tools OpenVAS and Nessus. The data produced by the detection tools include Scan Information, Host Information, Result Summary and Result Details.
To verify the effectiveness of the method, the vulnerability information resources scanned by OpenVAS and Nessus are normalised with the ontology into a uniformly expressed data set that serves as the example for the vulnerability situation fusion method. From the scan result, the probability that each vulnerability exists is given as P; in this example the probability that the vulnerability does not exist is set to 0 and the probability that the vulnerability is unknown is set to 1-P. The probability P of vulnerability existence in OpenVAS is about 0.7. For items that appear only in Nessus, the basic probability assignment of the corresponding OpenVAS item is constructed as nonexistence, with the basic probability of nonexistence 0.7 and the basic probability of unknown 0.3.
The general structural block diagram of the vulnerability situation data fusion method is shown in FIG. 1: the vulnerability information resources collected by the various detection tools are normalised into a uniform ontology representation, fusion analysis is performed on that basis with a weighted D-S evidence theory, and the results of the detection tools are integrated through structured probability assignment and weighted fusion, so that the fused result reflects the real conditions better. Specifically, the method comprises the following steps:
Step S1, classifying and describing the network vulnerability information resources with the ontology, establishing a hierarchical relationship of the resource description, and normalising the network vulnerability information resources detected by different tools into a unified representation. See FIG. 2.
S1-1, in this embodiment the network vulnerability ontology structure is designed as a multilayer structure, and the first layer records the vulnerability information (Vulnerability). The next layer below the vulnerability information records the vulnerability-related attribute information (VulProperty), the vulnerability carrier information (VulVector), the method used to detect the vulnerability (Method), the vulnerability detection result (Result), the solution for each vulnerability (Solution) and the tool used to scan for the vulnerability (Tool). The next layer below the vulnerability-related attributes (VulProperty) comprises the severity of the vulnerability (Severity), the name of the vulnerability (Name), the Common Vulnerability Scoring System score (CVSS), the summary of the vulnerability (Summary) and the number of the existing vulnerability (CVE); the vulnerability carrier information (VulVector) records software/operating system (Software/OS), protocol (Protocol), host (Host) and port (Port), as shown in FIG. 3.
S1-2, for each network node (N1 to Nn in FIG. 2) a corresponding Map function is started, each Map function taking the key-value pair <network identifier, network IP address> (<N1,IP1> to <Nn,IPn> in FIG. 2) as input;
S1-3, the Map function operates on the network node according to its IP address, collects the related information of the node, calls a network vulnerability collection tool to capture the vulnerability information, and passes the collected vulnerability information to the Combiner as an intermediate result;
S1-4, the Combiner takes <network identifier, network vulnerability information> as the key-value pair (<N1,I1> to <Nn,In> in FIG. 2) and sends the collected vulnerability information of each network to a Reduce function (Reduce 1 to Reduce m in FIG. 2);
S1-5, the network vulnerability ontology (ontologies O1 to Om in FIG. 2) is generated through the Reduce function of MapReduce.
S1-5-1, a new network vulnerability ontology model is created in the Reduce function;
S1-5-2, the Reduce function parses the network vulnerability information resources passed in from the intermediate result with <network identifier, network vulnerability information> as key-value pairs, extracts the resources that need ontology description and maps them to the corresponding positions in the network vulnerability ontology structure designed in step S1-1;
S1-5-3, the Reduce function establishes the basic concepts of the network vulnerability ontology according to the structure designed in step S1-1, namely the vulnerability data information (Vulnerability), the related attribute information of the vulnerability (VulProperty), the carrier information of the vulnerability (VulVector), the method used to detect the vulnerability (Method), the detection result of the vulnerability (Result), the solution for each vulnerability (Solution), the tool used to scan for the vulnerability (Tool), the vulnerability severity (Severity), the name of the vulnerability (Name), the Common Vulnerability Scoring System score (CVSS), the summary of the vulnerability (Summary), the number of the existing vulnerability (CVE), software and operating system (Software/OS), protocol (Protocol), host (Host) and port (Port);
S1-5-4, the Reduce function populates the basic concepts of the network vulnerability ontology from the network vulnerability information resources extracted in step S1-5-2, adding for each basic concept the vulnerability instances and the relationships between each network vulnerability instance and the basic concept, where each vulnerability instance corresponds to one specific vulnerability;
S1-5-5, the Reduce function stores the constructed ontology model in the Hadoop distributed file system as a Web Ontology Language (OWL) file.
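Steps 1-2 to 1-5 above (and S1-2 to S1-5 of the embodiment), as an added Python example that is not part of the patent: it runs the Map, Combine and Reduce stages in plain Python instead of Hadoop and maps two tools' heterogeneous records onto the fixed ontology layers (Vulnerability, VulProperty, VulVector, Tool, Method, Result, Solution), keyed by CVE. The two record layouts ("ToolA", "ToolB") and all values are constructed for the example and are not the real OpenVAS or Nessus export formats; the OWL serialisation step is omitted.

```python
"""Map/Combine/Reduce construction of a unified network-vulnerability ontology.

Added example; the scanner layouts below are constructed and do not reflect any
real tool's export format. Ontology layers follow the page: Vulnerability ->
VulProperty{CVE, Severity, Name, CVSS, Summary}, VulVector{Software/OS,
Protocol, Host, Port}, Tool, Method, Result, Solution.
"""
from collections import defaultdict

# Constructed raw output of two tools with deliberately different field names,
# keyed by the <network identifier, network IP address> pair each Map receives.
RAW_SCANS = {
    ("N1", "192.168.15.1"): [
        {"tool": "ToolA", "cve": "CVE-0000-0001", "risk": "HIGH", "score": "7.5",
         "name": "Example service flaw", "svc": "tcp/80", "os": "ExampleOS"},
    ],
    ("N2", "192.168.15.2"): [
        {"tool": "ToolB", "cve_id": "CVE-0000-0001", "severity": "high",
         "cvss_base": 7.5, "plugin": "Example service flaw",
         "proto": "tcp", "port": 80, "os_name": "ExampleOS"},
        {"tool": "ToolB", "cve_id": "CVE-0000-0002", "severity": "medium",
         "cvss_base": 5.0, "plugin": "Another flaw",
         "proto": "udp", "port": 161, "os_name": "ExampleOS"},
    ],
}


def normalise(record, host):
    """Map one tool-specific record onto the ontology's fixed concept layers."""
    if "cve" in record:                       # ToolA layout (constructed)
        proto, port = record["svc"].split("/")
        prop = {"CVE": record["cve"], "Severity": record["risk"].capitalize(),
                "Name": record["name"], "CVSS": float(record["score"]), "Summary": ""}
        vec = {"Software/OS": record["os"], "Protocol": proto,
               "Host": host, "Port": int(port)}
    else:                                     # ToolB layout (constructed)
        prop = {"CVE": record["cve_id"], "Severity": record["severity"].capitalize(),
                "Name": record["plugin"], "CVSS": float(record["cvss_base"]), "Summary": ""}
        vec = {"Software/OS": record["os_name"], "Protocol": record["proto"],
               "Host": host, "Port": int(record["port"])}
    return {"VulProperty": prop, "VulVector": vec, "Tool": record["tool"],
            "Method": "scan", "Result": "detected", "Solution": ""}


def map_node(node_id, ip, records):
    """Steps 1-2/1-3: one Map per <network identifier, IP>; emits <node, vuln info>."""
    return [(node_id, normalise(r, ip)) for r in records]


def combine(pairs):
    """Step 1-4: the Combiner groups the mapped <node, vuln info> pairs by node."""
    grouped = defaultdict(list)
    for node_id, info in pairs:
        grouped[node_id].append(info)
    return grouped


def reduce_ontology(grouped):
    """Step 1-5: Reduce creates one concept per CVE and attaches its instances."""
    ontology = {}
    for node_id, infos in grouped.items():
        for info in infos:
            cve = info["VulProperty"]["CVE"]
            concept = ontology.setdefault(
                cve, {"VulProperty": info["VulProperty"], "instances": []})
            concept["instances"].append({"node": node_id, "VulVector": info["VulVector"],
                                         "Tool": info["Tool"], "Result": info["Result"]})
    return ontology


def build_ontology(raw_scans=RAW_SCANS):
    """Run the three stages end to end over the constructed scans."""
    pairs = []
    for (node_id, ip), records in raw_scans.items():
        pairs.extend(map_node(node_id, ip, records))
    return reduce_ontology(combine(pairs))


def tools_reporting(ontology, cve):
    """Detection tools that reported a CVE; this is the per-tool evidence step 3 starts from."""
    return sorted({inst["Tool"] for inst in ontology.get(cve, {"instances": []})["instances"]})


if __name__ == "__main__":
    onto = build_ontology()
    for cve, concept in onto.items():
        print(cve, concept["VulProperty"]["Severity"], tools_reporting(onto, cve))
```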
Step S2, according to the different detection capabilities of the various detection tools, assigning relative weights to the detection tools and giving specific values for the first decision threshold and the second decision threshold.
According to the different detection capabilities of the two detection tools Nessus and OpenVAS, their relative weights are given as 0.7 for Nessus and 0.3 for OpenVAS, and the specific values of the decision thresholds are given as first threshold = 0.5 and second threshold = 0.1.
Step S3, since vulnerability data refers to vulnerability information present in hardware device implementation, software security configuration strategy and protocol design, the vulnerabilities are expressed by their CVE entries, each specific CVE entry representing one vulnerability situation data instance of step 1. According to the network vulnerability ontology obtained in step 1, basic probability assignment is performed for each detection tool according to each specific CVE (Common Vulnerabilities and Exposures) number in the related attributes of the vulnerability and the severity of the vulnerability, obtaining for each detection tool and each specific CVE number the basic probability that the vulnerability exists, the basic probability that it does not exist and the basic probability that it is unknown.
According to the network vulnerability ontology obtained in step S1, basic probability assignment is performed for the two detection tools Nessus and OpenVAS according to each specific CVE number and the severity of the vulnerability in the vulnerability's related attributes, obtaining for Nessus and OpenVAS the basic probability of existence, the basic probability of nonexistence and the basic probability of unknown for each specific CVE number; Table 1 shows the case of entries that exist only in Nessus.
TABLE 1 (image not reproduced)
Step S4, according to the relative weights of the detection tools given in step 2, weighting the basic probability of existence, the basic probability of nonexistence and the basic probability of unknown of each detection tool for each specific CVE number obtained in step 3, to obtain the weighted probability of existence, the weighted probability of nonexistence and the weighted probability of unknown of each detection tool for each specific CVE number.
According to the relative weights of 0.7 for Nessus and 0.3 for OpenVAS given in step S2, the basic probabilities of existence, nonexistence and unknown of Nessus and OpenVAS obtained in step S3 for each specific CVE number are weighted to obtain the weighted probabilities of existence, nonexistence and unknown of Nessus and OpenVAS for each specific CVE number, as shown in Table 2;
TABLE 2 (image not reproduced)
Step S5, fusing the weighted probability of existence, the weighted probability of nonexistence and the weighted probability of unknown of Nessus and OpenVAS obtained in step S4 for each specific CVE number with a pairwise fusion calculation according to the synthesis rule of D-S evidence theory, so that the vulnerability information of all detection tools is fused for each specific CVE number and the fusion probability of existence, the fusion probability of nonexistence and the fusion probability of unknown are obtained for each specific CVE number, as shown in Table 3;
TABLE 3 (image not reproduced)
S5-1, K is defined as the conflict information between two pieces of evidence; for a vulnerability with a specific CVE number, the vulnerability information collected by each detection tool is one piece of evidence, and K is the weighted probability of existence of the first detection tool multiplied by the weighted probability of nonexistence of the second detection tool, plus the weighted probability of nonexistence of the first detection tool multiplied by the weighted probability of existence of the second detection tool. The smaller K is, the smaller the conflict between the two pieces of evidence; the larger K is, the larger the conflict; when K equals 1 the two pieces of evidence contradict each other completely and the D-S synthesis rule cannot be used.
In the present embodiment, with K defined as the conflict information between two pieces of evidence, K = 0.9 × 0.3 + 0.1 × 0 = 0.27.
S5-2. [formula images not reproduced]
In the present embodiment: [value images not reproduced]
S5-3. [formula images not reproduced]
In the present embodiment: [value images not reproduced]
S5-4. [formula images not reproduced]
In this embodiment, the fusion probability of the unknown vulnerability is 1 - 0.863 - 0.136 = 0.001.
Step S6, constructing a filtering rule and applying it to the fusion probability of existence, the fusion probability of nonexistence and the fusion probability of unknown of each specific CVE number obtained in step 5; if the filtering rule is satisfied the vulnerability exists, and if it is not satisfied the vulnerability does not exist.
The filtering rule is constructed as follows: (1) the fusion probability that the vulnerability exists is greater than the value of the first decision threshold; (2) the fusion probability that the vulnerability is unknown is less than the value of the second decision threshold; (3) the fusion probability that the vulnerability exists is greater than the fusion probability that it does not exist. Using the fusion probabilities of existence, nonexistence and unknown of each specific CVE number obtained in step 5 and the decision thresholds given in step 2, if the three conditions of the filtering rule are satisfied at the same time the vulnerability is judged to exist, otherwise it is judged not to exist.
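Steps 3 to 6 of the method, with the worked numbers of the embodiment (S5-1 to S6), as an added Python example that is not part of the patent: it implements the Dempster combination rule over the frame {exists, absent} with "unknown" as the whole frame, the front-to-back nested fusion over N tools with the K = 1 discard rule from the description, and the step-6 filter. The weighting step uses classical Shafer discounting (mass a tool's weight does not retain moves to "unknown"); the page does not spell out its weighting formula, so that choice and the basic-probability values used in the main block are assumptions of this example.

```python
"""Weighted D-S fusion of per-tool vulnerability evidence (added example).

Masses are dicts over the propositions "exists", "absent" and "unknown"
(the whole frame). The weighting scheme (Shafer discounting) is an assumption;
the page only states that weights express trust in each detection tool.
"""
from typing import Dict, List, Optional

Mass = Dict[str, float]


def basic_probability(p: float, reported: bool) -> Mass:
    """Step 3 as the embodiment describes it: a tool that reports the CVE gives
    exists=P, absent=0, unknown=1-P; a tool that scanned but did not report it
    is modelled as absent=P, unknown=1-P (the page uses 0.7 / 0.3 for OpenVAS)."""
    if reported:
        return {"exists": p, "absent": 0.0, "unknown": 1.0 - p}
    return {"exists": 0.0, "absent": p, "unknown": 1.0 - p}


def weight_mass(m: Mass, w: float) -> Mass:
    """Step 4 (assumed discounting): scale the committed masses by the tool
    weight w and hand the discounted share to 'unknown' so the masses sum to 1."""
    return {"exists": w * m["exists"], "absent": w * m["absent"],
            "unknown": 1.0 - w * (m["exists"] + m["absent"])}


def conflict(m1: Mass, m2: Mass) -> float:
    """K of step S5-1: mass the two tools place on contradictory propositions."""
    return m1["exists"] * m2["absent"] + m1["absent"] * m2["exists"]


def combine_pair(m1: Mass, m2: Mass) -> Optional[Mass]:
    """One pairwise cross fusion under Dempster's rule. Returns None when K == 1
    (total conflict), which the page handles by discarding the second evidence."""
    k = conflict(m1, m2)
    if abs(1.0 - k) < 1e-12:
        return None
    norm = 1.0 - k
    return {
        "exists": (m1["exists"] * m2["exists"] + m1["exists"] * m2["unknown"]
                   + m1["unknown"] * m2["exists"]) / norm,
        "absent": (m1["absent"] * m2["absent"] + m1["absent"] * m2["unknown"]
                   + m1["unknown"] * m2["absent"]) / norm,
        "unknown": m1["unknown"] * m2["unknown"] / norm,
    }


def fuse_tools(masses: List[Mass]) -> Mass:
    """Step 5: nest the pairwise fusions front to back over all N tools, skipping
    any tool whose evidence totally conflicts (K == 1) with the running result."""
    fused = masses[0]
    for m in masses[1:]:
        nxt = combine_pair(fused, m)
        if nxt is not None:
            fused = nxt
    return fused


def vulnerability_exists(fused: Mass, theta1: float, theta2: float) -> bool:
    """Step 6 filter: all three conditions must hold at once."""
    return (fused["exists"] > theta1 and fused["unknown"] < theta2
            and fused["exists"] > fused["absent"])


if __name__ == "__main__":
    # Embodiment values: Nessus weight 0.7, OpenVAS 0.3, thresholds 0.5 and 0.1.
    # The two weighted masses below are the page's own numbers from step S5-1.
    nessus_w = {"exists": 0.9, "absent": 0.1, "unknown": 0.0}
    openvas_w = {"exists": 0.0, "absent": 0.3, "unknown": 0.7}
    print("K =", round(conflict(nessus_w, openvas_w), 3))        # K = 0.27
    fused = fuse_tools([nessus_w, openvas_w])
    print({k: round(v, 3) for k, v in fused.items()})             # exists 0.863
    print("vulnerability exists:", vulnerability_exists(fused, 0.5, 0.1))

    # Same pipeline from basic probabilities (constructed P values) through the
    # assumed discounting, for an entry reported only by the first tool.
    masses = [weight_mass(basic_probability(0.9, reported=True), 0.7),
              weight_mass(basic_probability(0.7, reported=False), 0.3)]
    fused2 = fuse_tools(masses)
    print({k: round(v, 3) for k, v in fused2.items()},
          vulnerability_exists(fused2, 0.5, 0.1))
```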
In the above steps, vulnerability situation data are taken as the object: on the basis of a layered, semantic and unified ontology description, fusion analysis is performed on the vulnerability data scanned by the different detection tools, and their results are synthesised through structured probability assignment and weighted fusion according to the actual situation of each tool, improving the accuracy and comprehensiveness of the situation index data.
To verify the effectiveness of the method, the relative weights of Nessus and OpenVAS are given by an expert system as 0.7 and 0.3, considering the characteristics and the differences in detection performance of each tool. The basic probability assignment constructed for OpenVAS and the fused probabilities, computed for entries given only in Nessus, are shown in Table 3; if unweighted D-S evidence theory fusion is used instead (that is, the evidence weights of the tools are equal), the fusion results obtained are shown in Table 4:
TABLE 4 [table image not reproduced]
With the first decision threshold taken as 0.5 and the second decision threshold taken as [value not reproduced], when a vulnerability entry is given only in Nessus, weighted D-S evidence theory fusion judges, according to the filtering rule, that the vulnerability exists when the severity is Critical, High or Medium; with plain D-S evidence theory fusion, the vulnerability is judged to exist only when the severity is Critical or High, and the vulnerability entries given in the other cases are judged not to be vulnerabilities. Compared with the result of weighted D-S evidence theory fusion, unweighted D-S evidence theory fusion identifies only part of the vulnerabilities. Because the weighted D-S evidence theory fusion method fully considers the validity of each detection tool's evidence, a detection tool with a high weight plays a larger role in the synthesis process and a detection tool with a low weight plays a smaller role, which reduces the influence of low-weight detection tools on the overall fusion process.
The test was carried out on 5 hosts in a purpose-built experimental environment, where the hosts 192.168.15.1, 192.168.15.2 and 192.168.15.4 run open-source operating systems built specifically for testing system vulnerabilities and therefore contain more vulnerabilities. The results fused using the weighted D-S evidence theory, and the results of OpenVAS and Nessus used separately, are shown in fig. 4. In fig. 4 the abscissa is the IP address of the host and the ordinate is the number of network vulnerability instances, drawn as bars. In fig. 4 the vertically striped bar represents the Nessus result, the horizontally striped bar represents the OpenVAS result, and the obliquely striped bar represents the weighted D-S evidence theory fusion result. It can be seen from fig. 4 that the weighted D-S evidence theory fusion method synthesizes the results of the different detection tools and is more comprehensive than the result obtained by either OpenVAS or Nessus alone.
The test was likewise carried out on the same 5 hosts of the experimental environment described above, where the hosts 192.168.15.1, 192.168.15.2 and 192.168.15.4 run open-source operating systems built specifically for testing system vulnerabilities and therefore contain more vulnerabilities. The results after fusion using the weighted D-S evidence theory and after fusion using the plain D-S evidence theory are shown in fig. 5. In fig. 5 the abscissa is the IP address of the host and the ordinate is the number of network vulnerability instances, drawn as bars. In fig. 5 the horizontally striped bar represents the D-S evidence theory fusion result and the obliquely striped bar represents the weighted D-S evidence theory fusion result. It can be seen from fig. 5 that the weighted D-S evidence theory fusion method finds more vulnerabilities than the plain D-S evidence theory fusion method.
The experiments show that the vulnerability situation data fusion method provided by the invention integrates the results of all detection tools from the actual conditions of all detection tools, and improves the accuracy and comprehensiveness of situation index data.
It should be noted that, although the above-mentioned embodiments of the present invention are illustrative, the present invention is not limited thereto, and thus the present invention is not limited to the above-mentioned embodiments. Other embodiments, which can be made by those skilled in the art in light of the teachings of the present invention, are considered to be within the scope of the present invention without departing from its principles.

Claims (9)

1. A vulnerability posture data fusion method is characterized by comprising the following steps:
step 1, classifying and describing network vulnerability information resources by adopting an ontology, establishing a hierarchical relationship of resource description, and planning the network vulnerability information resources detected by different tools into a unified expression to obtain a network vulnerability ontology;
step 2, according to the different detection capabilities of the various detection tools, giving the relative weight of each detection tool and giving a first decision threshold and a second decision threshold;
Step 3, according to the network vulnerability ontology obtained in the step 1, carrying out basic probability distribution on each detection tool by utilizing each specific CVE number in the relevant attributes of the vulnerability and the severity of the vulnerability to obtain the basic probability of each detection tool for each specific CVE number, wherein the basic probability comprises the basic probability of the vulnerability existence, the basic probability of the vulnerability nonexistence and the basic probability of the vulnerability unknown;
step 4, according to the relative weights of the detection tools given in the step 2, weighting 3 basic probabilities of the detection tools obtained in the step 3 for each specific CVE number respectively to obtain the weighted probability of each detection tool for each specific CVE number, wherein the weighted probability comprises the weighted probability of vulnerability existence, the weighted probability of vulnerability nonexistence and the weighted probability of vulnerability unknown;
step 5, fusing the 3 kinds of weighted probabilities of the detection tools obtained in the step 4 aiming at each specific CVE number by using a pairwise cross fusion calculation method according to a synthetic rule of a D-S evidence theory, fusing vulnerability information of all the detection tools aiming at each specific CVE number, and obtaining a fusion probability aiming at each specific CVE number, wherein the fusion probability comprises a fusion probability of vulnerability existence, a fusion probability of vulnerability nonexistence and a fusion probability of vulnerability unknown;
step 6, constructing a filtering rule, and filtering the 3 kinds of fusion probabilities for each specific CVE number obtained in step 5 with the filtering rule; the filtering rule is satisfied when, at the same time, the fusion probability that the vulnerability exists is greater than the first decision threshold, the fusion probability that the vulnerability is unknown is less than the second decision threshold, and the fusion probability that the vulnerability exists is greater than the fusion probability that the vulnerability does not exist, in which case the vulnerability exists; if the filtering rule is not satisfied, the vulnerability does not exist.
2. The vulnerability posture data fusion method of claim 1, wherein the substeps of step 1 are as follows:
step 1-1, designing the network vulnerability ontology structure as a multilayer structure;
step 1-2, starting a corresponding Map function for each network node, wherein each Map function takes the key-value pair <network identifier, network IP address> as input;
step 1-3, the Map function operates on the network node according to the network IP address, collects the related information of the network node, calls a network vulnerability collection tool to capture the network vulnerability information, and passes the collected network vulnerability information to the Combiner as an intermediate result;
step 1-4, the Combiner takes <network identifier, network vulnerability information> as the key-value pair and sends the collected network vulnerability information to the Reduce function;
step 1-5, generating the network vulnerability ontology through the Reduce function of MapReduce.
3. The vulnerability posture data fusion method according to claim 2, wherein in step 1-1, vulnerability information is recorded in the first layer of the designed multilayer network vulnerability ontology; the next layer below the vulnerability information records vulnerability-related attribute information, vulnerability carrier information, the mode adopted for detecting the vulnerability, the vulnerability detection result, the solution methods for different vulnerabilities and the tool used to scan for the vulnerability; the next layer below the vulnerability-related attributes records the severity of the vulnerability, the name of the vulnerability, the Common Vulnerability Scoring System score, the summary of the vulnerability and the existing vulnerability number; the vulnerability carrier information records software, operating system, protocol, host and port.
4. The vulnerability posture data fusion method of claim 2, wherein the substeps of step 1-5 are as follows:
step 1-5-1, creating a new network vulnerability ontology model in the Reduce function;
step 1-5-2, the Reduce function analysing the network vulnerability information resources passed from the intermediate result as <network identifier, network vulnerability information> key-value pairs, and extracting the resources that need ontology description, corresponding to their positions in the network vulnerability ontology structure designed in step 1-1;
step 1-5-3, the Reduce function establishing the basic concepts of the network vulnerability ontology according to the network vulnerability ontology structure designed in step 1-1, wherein the basic concepts comprise vulnerability situation data information, related attribute information of the vulnerability situation data, carrier information of the vulnerability situation data, the mode adopted for detecting the vulnerability situation data, the detection result of the vulnerability situation data, the solution methods for different vulnerability situation data, the tool used to scan for the vulnerability situation data, the severity of the vulnerability situation data, the name of the vulnerability situation data, the Common Vulnerability Scoring System score of the vulnerability situation data, the summary of the vulnerability situation data, the numbers of existing vulnerability situation data, software, operating system, protocol, host and port;
step 1-5-4, the Reduce function creating the network vulnerability ontology basic concepts from the network vulnerability information resources extracted in step 1-5-2, and adding, for each network vulnerability ontology basic concept, a vulnerability situation data instance and the relationship between the network vulnerability situation data instance and the network vulnerability ontology basic concept, wherein each vulnerability situation data instance corresponds to one specific item of vulnerability situation data;
step 1-5-5, the Reduce function storing the constructed ontology model in the Hadoop distributed file system as a Web Ontology Language (OWL) file.
5. The vulnerability posture data fusion method according to claim 1, wherein in step 5, when the 3 weighted probabilities of each detection tool obtained in step 4 for each specific CVE number are fused by the pairwise cross fusion calculation method according to the synthesis rule of D-S evidence theory, a fusion method is adopted in which the pairwise fusions are nested in sequence from front to back; that is:
Firstly, performing pairwise cross fusion on the 3 weighted probabilities of the second detection tool and the 3 weighted probabilities of the first detection tool to obtain 3 first-fusion probabilities;
then the 3 weighted probabilities of the third detection tool and the 3 probabilities of the first fusion are subjected to pairwise cross fusion to obtain 3 probabilities of the second fusion,
then, the 3 weighted probabilities of the fourth detection tool and the 3 probabilities of the second fusion are subjected to pairwise cross fusion to obtain 3 probabilities of the third fusion,
by analogy, the 3 weighted probabilities of the ith detection tool and the 3 probabilities of the (i-2) th fusion are subjected to pairwise crossing fusion to obtain the 3 probabilities of the (i-1) th fusion,
finally, performing pairwise fusion on the 3 weighted probabilities of the Nth detection tool and the 3 probabilities of the (N-2) th fusion to obtain 3 probabilities of the (N-1) th fusion, wherein the 3 probabilities of the (N-1) th fusion are finally required fusion probabilities, namely the fusion probability of the existence of the vulnerability, the fusion probability of the nonexistence of the vulnerability and the fusion probability of the unknown vulnerability;
the above i is 3,4, …, N, where N is the number of the detection tools.
6. The vulnerability posture data fusion method of claim 5, wherein in step 5, in the first pairwise cross fusion, the calculation formula of 3 probabilities of the first fusion obtained by pairwise cross fusion of the 3 weighted probabilities of the second detection tool and the 3 weighted probabilities of the first detection tool is:
[formula images not reproduced]
K1 above is the first conflict information.
7. The method as claimed in claim 6, wherein the first conflict information K1 generated in the first pairwise cross fusion is:
[formula image not reproduced]
8. The vulnerability posture data fusion method of claim 5, wherein in step 5, in each pairwise cross fusion after the first, the formulas for the 3 probabilities of the (i-1)th fusion obtained by pairwise cross fusion of the 3 weighted probabilities of the ith detection tool with the 3 probabilities of the (i-2)th fusion are:
[formula images not reproduced]
K(i-1) above is the (i-1)th conflict information.
9. The method as claimed in claim 8, wherein the (i-1)th conflict information K(i-1) generated in each pairwise cross fusion after the first is:
[formula image not reproduced]
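The weighted fusion of claims 5 to 9 and the filtering rule of step 6, as an added Python example that is not the patent's own code: the weighting step is assumed to be Shafer discounting (this page does not state how the 3 weighted probabilities are normalised), the basic probabilities of the two tools and the second threshold 0.4 are constructed, and the weights 0.7/0.3 and first threshold 0.5 are the description's values.

```python
"""Weighted D-S evidence fusion of scanner verdicts for one CVE.

Added example, not the patent's own code. Per CVE the frame of discernment
is {exists, absent}; each tool's basic probability assignment is a mass
triple (exists, absent, unknown) summing to 1. The weighting step (step 4)
is ASSUMED to be Shafer discounting: exists/absent masses are multiplied by
the tool weight and the removed mass is moved to 'unknown'.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Mass:
    exists: float   # m({vulnerability exists})
    absent: float   # m({vulnerability does not exist})
    unknown: float  # m(whole frame), i.e. "unknown"


def weight_mass(m: Mass, w: float) -> Mass:
    """Step 4: discount a tool's evidence by its relative weight (assumption)."""
    e, a = w * m.exists, w * m.absent
    return Mass(e, a, 1.0 - e - a)


def ds_combine(m1: Mass, m2: Mass) -> Mass:
    """One pairwise cross fusion by Dempster's rule (claims 6 to 9).

    k is the conflict: mass the two sources put on contradictory singletons.
    """
    k = m1.exists * m2.absent + m1.absent * m2.exists
    if k >= 1.0:
        raise ValueError("total conflict: the two sources cannot be combined")
    norm = 1.0 - k
    exists = (m1.exists * m2.exists + m1.exists * m2.unknown
              + m1.unknown * m2.exists) / norm
    absent = (m1.absent * m2.absent + m1.absent * m2.unknown
              + m1.unknown * m2.absent) / norm
    unknown = m1.unknown * m2.unknown / norm
    return Mass(exists, absent, unknown)


def fuse_tools(masses, weights) -> Mass:
    """Step 5: weight every tool, then chain the pairwise fusion front to back."""
    weighted = [weight_mass(m, w) for m, w in zip(masses, weights)]
    fused = weighted[0]
    for m in weighted[1:]:          # (i-2)th result fused with tool i
        fused = ds_combine(fused, m)
    return fused


def vulnerability_exists(fused: Mass, t1: float, t2: float) -> bool:
    """Step 6 filtering rule: all three conditions must hold at the same time."""
    return (fused.exists > t1 and fused.unknown < t2
            and fused.exists > fused.absent)


# Constructed sample: Nessus reports the CVE as Critical, OpenVAS does not
# report it at all. Weights 0.7 / 0.3 and the first threshold 0.5 are the
# description's values; the second threshold 0.4 is constructed.
NESSUS = Mass(0.90, 0.05, 0.05)
OPENVAS = Mass(0.00, 0.60, 0.40)
WEIGHTS = (0.7, 0.3)
T1, T2 = 0.5, 0.4

if __name__ == "__main__":
    fused = fuse_tools([NESSUS, OPENVAS], WEIGHTS)
    print(f"exists={fused.exists:.3f} absent={fused.absent:.3f} "
          f"unknown={fused.unknown:.3f}")
    print("vulnerability exists:", vulnerability_exists(fused, T1, T2))
```

Running it on the constructed sample gives exists 0.583, absent 0.107, unknown 0.310, so the CVE passes the rule with the second threshold at 0.4 but fails it at 0.3, which is the role the unknown-mass threshold plays in the filter.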
CN201710909464.8A 2017-09-29 2017-09-29 Vulnerability situation data fusion method Active CN107835153B (en)
Publications (2)

Publication Number Publication Date
CN107835153A CN107835153A (en) 2018-03-23
CN107835153B true CN107835153B (en) 2020-07-28

Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination
GR01 Patent grant
EE01 Entry into force of recordation of patent licensing contract

Application publication date: 20180323

Assignee: Guangxi Jun'an Network Security Technology Co.,Ltd.

Assignor: GUILIN University OF ELECTRONIC TECHNOLOGY

Contract record no.: X2022450000459

Denomination of invention: A Method of Vulnerability Situation Data Fusion

Granted publication date: 20200728

License type: Common License

Record date: 20221228