CN108123962B - Method for generating BFS algorithm to attack graph by utilizing Spark - Google Patents

Method for generating BFS algorithm to attack graph by utilizing Spark Download PDF

Info

Publication number
CN108123962B
CN108123962B CN201810055240.XA CN201810055240A CN108123962B CN 108123962 B CN108123962 B CN 108123962B CN 201810055240 A CN201810055240 A CN 201810055240A CN 108123962 B CN108123962 B CN 108123962B
Authority
CN
China
Prior art keywords
host
vulnerability
available
authority
reachable
Prior art date
Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
Active
Application number
CN201810055240.XA
Other languages
Chinese (zh)
Other versions
CN108123962A (en
Inventor
胡昌振
吕坤
黄竖骅
曹宁远
Current Assignee (The listed assignees may be inaccurate. Google has not performed a legal analysis and makes no representation or warranty as to the accuracy of the list.)
Beijing Institute of Technology BIT
Original Assignee
Beijing Institute of Technology BIT
Priority date (The priority date is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the date listed.)
Filing date
Publication date
Application filed by Beijing Institute of Technology BIT filed Critical Beijing Institute of Technology BIT
Priority to CN201810055240.XA priority Critical patent/CN108123962B/en
Publication of CN108123962A publication Critical patent/CN108123962A/en
Application granted granted Critical
Publication of CN108123962B publication Critical patent/CN108123962B/en
Active legal-status Critical Current
Anticipated expiration legal-status Critical

Links

Images

Classifications

    • HELECTRICITY
    • H04ELECTRIC COMMUNICATION TECHNIQUE
    • H04LTRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L63/00Network architectures or network communication protocols for network security
    • H04L63/14Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic
    • H04L63/1433Vulnerability analysis
    • HELECTRICITY
    • H04ELECTRIC COMMUNICATION TECHNIQUE
    • H04LTRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L41/00Arrangements for maintenance, administration or management of data switching networks, e.g. of packet switching networks
    • H04L41/14Network analysis or design
    • HELECTRICITY
    • H04ELECTRIC COMMUNICATION TECHNIQUE
    • H04LTRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L63/00Network architectures or network communication protocols for network security
    • H04L63/14Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic
    • H04L63/1441Countermeasures against malicious traffic
    • HELECTRICITY
    • H04ELECTRIC COMMUNICATION TECHNIQUE
    • H04LTRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L63/00Network architectures or network communication protocols for network security
    • H04L63/20Network architectures or network communication protocols for network security for managing network security; network security policies in general

Landscapes

  • Engineering & Computer Science (AREA)
  • Computer Security & Cryptography (AREA)
  • Computer Networks & Wireless Communication (AREA)
  • Signal Processing (AREA)
  • Computer Hardware Design (AREA)
  • Computing Systems (AREA)
  • General Engineering & Computer Science (AREA)
  • Computer And Data Communications (AREA)

Abstract

The invention relates to a method for generating an attack graph by utilizing Spark to realize a BFS algorithm, which belongs to the technical field of information security and comprises the specific operation steps of obtaining a network structure, obtaining bugs existing in each host in a network system, and establishing a host bug information table, updating the authority of the host through a breadth-first search (BFS) algorithm, and drawing the attack graph.

Description

Method for generating BFS algorithm to attack graph by utilizing Spark
Technical Field
The invention relates to a method for generating an attack graph by using a Spark to realize a BFS algorithm, belonging to the technical field of information security.
Background
At present, the network security analysis mainly comprises a rule-based method and a model-based method, and an attack graph is a model-based network security analysis method. The network attack graph is generated because there are some associations between vulnerabilities existing in the network, after a vulnerability is attacked successfully, an attacker can attack the next vulnerability more successfully, and the attack graph can well illustrate the relationship between vulnerabilities.
In order to generate the network attack graph, a large amount of data information of the network is needed, which mainly includes host information and network structure information, and the host information includes software information, vulnerability information, and the like. After the attack graph is generated, observation can be carried out according to the attack graph, and the optimal attack path problem attacked at the highest speed and the optimal protection technology of the network maintained with the minimum work can be visually displayed.
The general problem encountered in generating the attack graph at present is that the system state space is too large, and with the increase of host information, the information required for generating the attack graph grows exponentially, which will cause the storage space required by data to become huge, and the time required for operation also grows exponentially.
The method has the main advantages that ① a network structure is split into a plurality of parts, a plurality of machines jointly generate attack graphs and combine the attack graphs, ② the network structure graph is subjected to depth-first search traversal, a plurality of information node caches are not needed, and space is saved;
the final application of the generated attack graph needs to be fully considered in network modeling and attack graph generation, all attack paths need to be found out when penetration testing is carried out, the complexity or success probability of each atomic attack and the degree of damage brought by the successful utilization of the vulnerability and the like need to be considered when the method is used for risk analysis or the shortest attack path is found, and the cost of each vulnerability patch needs to be calculated when the method is used for guiding vulnerability patch management.
Therefore, the final application of the attack graph determines the model and the generation method to be established to a certain extent. The generation method of the attack graph represents the network model and the information data structure of the vulnerability database. At present, many attack graph generation methods exist, and in order to analyze, compare and evaluate the merits of the methods, an attack graph generation mechanism needs to be analyzed, attributes which can be used for analyzing and comparing the methods are found, the generation methods are classified, existing problems are found, and possible research findings are found.
Disclosure of Invention
The invention aims to solve the problems of low processing speed, incomplete attack graph generation and the like in the existing attack graph generation method, and provides a method for generating an attack graph by using Spark to realize a BFS algorithm.
The purpose of the invention is realized by the following technical scheme.
The invention provides a method for generating an attack graph by using Spark to realize a BFS algorithm, which comprises the following specific operation steps:
step one, acquiring a network structure.
Step 1.1: acquiring software applications of all hosts in a network system, and establishing a corresponding table of the software applications and the hosts.
The software application and host correspondence table comprises: host name and software application name.
Step 1.2: obtaining session links among all hosts in a network system, and establishing a session link table among the hosts. The inter-host session link table includes: a set of source host names and target host names.
Step 1.3: and establishing a host authority table for storing the authority owned by each host in the network system. The host authority table includes: host name and host permissions.
The initial state of the host permission table is null.
And step two, acquiring the vulnerabilities existing in each host in the network system, and establishing a host vulnerability information table. The host vulnerability information table includes: host name, vulnerability ID, pre-condition set and post-condition set.
And step three, updating the host authority through a Breadth First Search (BFS) algorithm.
And updating the host authority through a breadth-first search (BFS) algorithm on the basis of the operations of the first step and the second step. The specific operation is as follows:
step 3.1: more than one host is arranged as an initial host. A host having a session link with an originating host is referred to as a reachable host.
Step 3.2: establishing an available vulnerability information table, wherein the available vulnerability information table comprises: host name, vulnerability ID, pre-condition set and post-condition set.
The initial state of the available vulnerability information table is null.
Step 3.3: judging whether the vulnerability existing in the reachable host is a usable vulnerability or not according to the authority owned by the starting host and the precondition of the vulnerability existing in the reachable host, specifically: when the precondition of a certain bug in the reachable host is satisfied by the authority owned by the initial host, the bug is regarded as an available bug, and the available bug is added into an available bug information table; meanwhile, the post-condition of the available loopholes is used as the newly added authority of the reachable host, and the newly added authority is added into the host authority table.
To increase the running speed, the operation of step 3.3 may also be: using the distributed functionality of the Spark computation engine to: distributing a plurality of pieces of initial host information to different Spark clusters respectively, judging whether the vulnerability existing in the reachable host is an available vulnerability or not according to the authority owned by the initial host and the precondition of the vulnerability existing in the reachable host on each Spark cluster, and specifically: when the precondition of a certain vulnerability in the reachable host is all satisfied by the authority owned by the starting host, the vulnerability is regarded as an available vulnerability, and the information of the available vulnerability is returned to the Spark host. Adding the available vulnerabilities into an available vulnerability information table on a Spark host; meanwhile, the post-condition of the available vulnerability is used as the authority of the reachable host, and the authority of the reachable host is added into the host authority table.
Step 3.4: and traversing the reachable hosts, taking the current reachable hosts as initial hosts, and repeating the operations from the step 3.3 to the step 3.4 until all reachable hosts have no available bugs, and ending the operation.
And step four, drawing an attack graph.
And drawing an attack graph on the basis of the operation of the step three. The method specifically comprises the following steps:
all vulnerability IDs, pre-condition sets and post-condition sets in the available vulnerability information table are used as nodes of the attack graph; and drawing a directed edge from the precondition set of the available vulnerability to the vulnerability ID, and drawing an attack graph from the vulnerability ID of the available vulnerability to the directed edge of the postcondition set.
And obtaining the network attack graph with the known network and the reachable authority through the operation of the steps.
Advantageous effects
Compared with the prior art, the method for generating the attack graph by utilizing the Spark to realize the BFS algorithm has the following advantages that:
① the invention adopts a Breadth First Search (BFS) algorithm to reduce the time needed to traverse the nodes;
② each BFS node performs distributed computation, reducing the size of data to be transferred for distribution, resulting in a reduction in the time complexity of the algorithm.
③ the invention uses Spark engine multi-cluster to process distributed operation to improve several times speed;
④ the method of the invention does not need to split the network structure, and the generated attack path is more comprehensive and has no omission.
Drawings
FIG. 1 is a diagram of a network system architecture in accordance with an embodiment of the present invention;
fig. 2 is a schematic diagram illustrating an operation flow of a method for generating an attack graph by using Spark to implement a BFS algorithm according to an embodiment of the present invention;
fig. 3 is a network attack diagram according to an embodiment of the present invention.
Detailed Description
According to the technical scheme, the invention is described in detail by combining the drawings and the implementation examples.
In this embodiment, the network system structure is shown in fig. 1, and includes 8 hosts H1-H8. H1 can access H2 and H6, H2 can access H3 and H4, H4 and H5 can access each other, H5 and H6 can access each other, H5 and H7 can access each other, and H5 and H8 can access each other; h6 and H7 can be mutually accessed, H6 and H8 can be mutually accessed, and H7 and H8 can be mutually accessed.
The method for generating the attack graph by using the BFS algorithm by using Spark provided by the invention has the operation flow as shown in FIG. 2, and comprises the following specific operation steps:
step one, acquiring a network structure.
Step 1.1: acquiring software applications of all hosts in a network system, and establishing a corresponding table of the software applications and the hosts, as shown in table 1.
TABLE 1 software application to host mapping table
Host name Software name
H1 Win10 Microsoft Office
H2 IE. Fast thunder
H3 Win7、IE6.0
H4 MS Outlook change
H5 IE6.0
H6 Apache HTTP Server
H7 Win7、MS IIS6.0
H8 Win10、MySQL
Step 1.2: session links between hosts in a network system are obtained, and an inter-host session link table is established, as shown in table 2.
Table 2 inter-host session link table
H1 H2 H3 H4 H5 H6 H7 H8
H1 0 1 1 0 0 1 0 0
H2 0 0 1 1 0 0 0 0
H3 0 0 1 0 0 0 0 0
H4 0 0 0 1 1 0 0 0
H5 0 0 0 0 1 1 1 1
H6 0 0 0 0 1 1 1 1
H7 0 0 0 0 1 1 1 1
H8 0 0 0 0 1 1 1 1
Step 1.3: and establishing a host authority table for storing the authority owned by each host in the network system. The host authority table includes: host name and host permissions.
The initial state of the host permission table is null.
And step two, acquiring the vulnerabilities existing in each host in the network system, and establishing a host vulnerability information table as shown in table 3.
TABLE 3 host vulnerability information Table
Figure BDA0001553562530000051
Figure BDA0001553562530000061
And step three, updating the host authority through a Breadth First Search (BFS) algorithm.
And updating the host authority through a breadth-first search (BFS) algorithm on the basis of the operations of the first step and the second step. The specific operation is as follows:
step 3.1: set host H1 as the initiating host. A host having a session link with an originating host is referred to as a reachable host. The rights of the origin host H1 are obtained and added to the host rights table.
Step 3.2: establishing an available vulnerability information table, wherein the available vulnerability information table comprises: host name, vulnerability ID, pre-condition set and post-condition set.
The initial state of the available vulnerability information table is null.
Step 3.3: using the distributed functionality of the Spark computation engine to: and distributing a plurality of pieces of initial host information to different Spark clusters respectively on each Spark cluster. And judging whether the vulnerability existing in the reachable host is an available vulnerability or not according to the authority owned by the starting host and the precondition of the vulnerability existing in the reachable host. And when the precondition of a certain vulnerability in the reachable host is all satisfied by the authority owned by the starting host, the vulnerability is regarded as an available vulnerability, and the information of the available vulnerability is returned to the Spark host. Adding the available vulnerabilities into an available vulnerability information table on a Spark host; meanwhile, the post-condition of the available loopholes is used as the newly added authority of the reachable host, and the newly added authority is added into the host authority table.
For example: the authority of the host H1 is File Access, and the reachable hosts of the host H1 are H2 and H6. The precondition of the loopholes CVE-2017 and 3004 in H2 is File Access, so that the authority of the starting host meets the precondition of the loopholes CVE-2017 and 3004 in H2, the loopholes CVE-2017 and 3004 are regarded as available loopholes, and the information of the available loopholes CVE-2017 and 3004 is returned to the Spark host. Adding the available vulnerabilities CVE-2017 and 3004 into an available vulnerability information table on a Spark host; meanwhile, the post condition File/MemoryAccess which can utilize the vulnerabilities CVE-2017-3004 is taken as the authority which can reach the host H2, and the new limit is added into the host authority table.
The precondition of the loophole CVE-2003-0352 in H6 is File Access, so that the permission of the starting host meets the precondition of the loophole CVE-2003-0352 in H6, the loophole CVE-2003-0352 is regarded as an available loophole, and the information of the available loophole CVE-2003-0352 is returned to the Spark host. Adding the available vulnerabilities CVE-2003-0352 into an available vulnerability information table on a Spark host; meanwhile, the post condition Root Right of the available vulnerability CVE-2003-0352 is used as the authority of the accessible host H6, and the new limit is added into the host authority table.
Step 3.4: and traversing the reachable hosts, taking the current reachable hosts as initial hosts, and repeating the operations from the step 3.3 to the step 3.4 until all reachable hosts have no available bugs, and ending the operation.
For example: when step 3.4 is executed for the 1 st time, the reachable hosts H2 and H6 are traversed, the current reachable hosts H2 and H6 are used as starting hosts, and then the operations from step 3.3 to step 3.4 are repeated until all reachable hosts have no available vulnerabilities, and the operation is ended.
Obtaining a host permission table through the operation of the third step, as shown in table 4; an available vulnerability information table is obtained, as shown in table 5.
Table 4 host authority table
Host name Authority
H1 File Access
H2 File Access
H2 Memory Access
H3 Authorization
H4 User Right
H5 Root Right
H6 Root Right
H7 File Access
H8 File Access
TABLE 5 available vulnerability information Table
Figure BDA0001553562530000071
Figure BDA0001553562530000081
And step four, drawing an attack graph.
And drawing an attack graph on the basis of the operation of the step three. The method specifically comprises the following steps:
all vulnerability IDs, pre-condition sets and post-condition sets in the available vulnerability information table are used as nodes of the attack graph; and drawing a directed edge from the precondition set of the available vulnerability to the vulnerability ID, and drawing an attack graph from the vulnerability ID of the available vulnerability to the directed edge of the postcondition set.
Through the operations of the above steps, the network attack graph shown in fig. 3 is obtained.

Claims (1)

1. A method for generating an attack graph by using Spark to realize a breadth-first search BFS algorithm is characterized in that: the specific operation steps are as follows:
step one, acquiring a network structure;
step 1.1: acquiring software applications of all hosts in a network system, and establishing a corresponding table of the software applications and the hosts;
the software application and host correspondence table comprises: host name and software application name;
step 1.2: acquiring session links among hosts in a network system, and establishing a session link table among the hosts; the inter-host session link table includes: a source host name and target host name set;
step 1.3: establishing a host authority table for storing the authority owned by each host in the network system; the host authority table includes: host name and host authority;
the initial state of the host permission table is null;
step two, acquiring vulnerabilities existing in each host in the network system, and establishing a host vulnerability information table; the host vulnerability information table includes: host name, vulnerability ID, pre-condition set and post-condition set;
step three, updating the host authority through a breadth-first search BFS algorithm;
updating the host authority through a breadth-first search BFS algorithm on the basis of the operations in the first step and the second step; the specific operation is as follows:
step 3.1: setting more than one host as an initial host; a host having a session link with an initiating host is called a reachable host;
step 3.2: establishing an available vulnerability information table, wherein the available vulnerability information table comprises: host name, vulnerability ID, pre-condition set and post-condition set;
the initial state of the available vulnerability information table is null;
step 3.3: judging whether the vulnerability existing in the reachable host is a usable vulnerability or not according to the authority owned by the starting host and the precondition of the vulnerability existing in the reachable host, specifically: using the distributed functionality of the Spark computation engine to: distributing a plurality of pieces of initial host information to different Spark hosts respectively, and judging whether the vulnerability existing in the reachable host is an available vulnerability or not on each Spark host according to the authority owned by the initial host and the precondition of the vulnerability existing in the reachable host; when the precondition of a certain bug in the reachable host is all satisfied by the authority owned by the starting host, the bug is regarded as an available bug, and the information of the available bug is returned to the Spark host; adding the available vulnerabilities into an available vulnerability information table on a Spark host; meanwhile, the post-condition of the available vulnerability is used as the authority of the reachable host, and the authority of the reachable host is added into the host authority table;
step 3.4: traversing the reachable hosts, taking the current reachable hosts as initial hosts, and then repeating the operations from the step 3.3 to the step 3.4 until all reachable hosts do not find new available vulnerabilities, and ending the operation in the step three;
step four, drawing an attack graph; the method specifically comprises the following steps:
all vulnerability IDs, pre-condition sets and post-condition sets in the available vulnerability information table are used as nodes of the attack graph; drawing a leading condition set of the available vulnerabilities to a directed edge of a vulnerability ID, and drawing a vulnerability ID of the available vulnerabilities to a directed edge of a trailing condition set to finish drawing an attack graph;
and obtaining the network attack graph of the known network through the operations of the first step to the fourth step.
CN201810055240.XA 2018-01-19 2018-01-19 Method for generating BFS algorithm to attack graph by utilizing Spark Active CN108123962B (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN201810055240.XA CN108123962B (en) 2018-01-19 2018-01-19 Method for generating BFS algorithm to attack graph by utilizing Spark

Applications Claiming Priority (1)

Application Number Priority Date Filing Date Title
CN201810055240.XA CN108123962B (en) 2018-01-19 2018-01-19 Method for generating BFS algorithm to attack graph by utilizing Spark

Publications (2)

Publication Number Publication Date
CN108123962A CN108123962A (en) 2018-06-05
CN108123962B true CN108123962B (en) 2020-07-10

Family

ID=62234042

Family Applications (1)

Application Number Title Priority Date Filing Date
CN201810055240.XA Active CN108123962B (en) 2018-01-19 2018-01-19 Method for generating BFS algorithm to attack graph by utilizing Spark

Country Status (1)

Country Link
CN (1) CN108123962B (en)

Families Citing this family (5)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US11729222B2 (en) * 2019-07-12 2023-08-15 Palo Alto Research Center Incorporated System and method for extracting configuration-related information for reasoning about the security and functionality of a composed internet of things system
CN110572409B (en) * 2019-09-16 2021-10-12 国家计算机网络与信息安全管理中心 Industrial Internet security risk prediction method, device, equipment and storage medium
CN112804231B (en) * 2021-01-13 2021-09-24 广州大学 Distributed construction method, system and medium for attack graph of large-scale network
US11765195B2 (en) 2021-02-16 2023-09-19 Icf International Distributed network-level probabilistic attack graph generation
US11930046B2 (en) 2021-06-17 2024-03-12 Xerox Corporation System and method for determining vulnerability metrics for graph-based configuration security

Family Cites Families (2)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN107347069A (en) * 2017-07-10 2017-11-14 北京理工大学 A kind of optimal attack paths planning method based on Kohonen neutral nets
CN107317756A (en) * 2017-07-10 2017-11-03 北京理工大学 A kind of optimal attack paths planning method learnt based on Q

Non-Patent Citations (1)

* Cited by examiner, † Cited by third party
Title
基于攻击期望的双模攻击图生成算法;赵毅寰等;《航空兵器》;20111231;全文 *

Also Published As

Publication number Publication date
CN108123962A (en) 2018-06-05

Similar Documents

Publication Publication Date Title
CN108123962B (en) Method for generating BFS algorithm to attack graph by utilizing Spark
US11487772B2 (en) Multi-party data joint query method, device, server and storage medium
CN107193731B (en) Fuzzy test coverage improvement method using control variation
US10313370B2 (en) Generating malware signatures based on developer fingerprints in debug information
US20220210202A1 (en) Advanced cybersecurity threat mitigation using software supply chain analysis
De Carli et al. Botnet protocol inference in the presence of encrypted traffic
Zuo et al. Pavfuzz: State-sensitive fuzz testing of protocols in autonomous vehicles
CN108733528B (en) Constraint-based system fault injection method
Xuewei et al. An approach of discovering causal knowledge for alert correlating based on data mining
CN111193640B (en) Stateful data plane fault detection method using policy decomposition and symbolic execution
CN112422513A (en) Anomaly detection and attack initiator analysis system based on network traffic message
Zhao et al. An invocation chain test and evaluation method for fog computing
Hu et al. A systematic review of network protocol fuzzing techniques
Zhang et al. B-cache: A behavior-level caching framework for the programmable data plane
Xue et al. Applied research on data mining algorithm in network intrusion detection
Sun et al. Maskfuzzer: A maskgan-based industrial control protocol fuzz testing framework
CN117938469A (en) Industrial control protocol-oriented high-efficiency gray box fuzzy test method and system
Wang et al. Web anomaly detection based on frequent closed episode rules
Han et al. Heterogeneous Data-Aware Federated Learning for Intrusion Detection Systems via Meta-sampling in Artificial Intelligence of Things
Miao et al. Deep learning in fuzzing: A literature survey
CN110995747A (en) Distributed storage security analysis method
Xu et al. FIoTFuzzer: Response-based black-box fuzzing for IoT devices
Li et al. A dynamic taint tracking optimized fuzz testing method based on multi-modal sensor data fusion
CN115391787A (en) AFL seed optimization method and system based on generation countermeasure network
Aditham et al. A novel control-flow based intrusion detection technique for big data systems

Legal Events

Date Code Title Description
PB01 Publication
PB01 Publication
SE01 Entry into force of request for substantive examination
SE01 Entry into force of request for substantive examination
GR01 Patent grant
GR01 Patent grant