CN108965035B - Attack path prediction method based on attack gain - Google Patents


Publication number
CN108965035B
Authority
CN
China
Prior art keywords
attack
node
gain
resource
path
Prior art date
Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
Active
Application number
CN201811113102.9A
Other languages
Chinese (zh)
Other versions
CN108965035A (en
Inventor
王坤福
王辉
茹鑫鑫
Current Assignee (The listed assignees may be inaccurate. Google has not performed a legal analysis and makes no representation or warranty as to the accuracy of the list.)
Nanjing University of Information Science and Technology
Henan University of Technology
Original Assignee
Nanjing University of Information Science and Technology
Henan University of Technology
Application filed by Nanjing University of Information Science and Technology, Henan University of Technology

Classifications

    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L63/00 Network architectures or network communication protocols for network security
    • H04L63/14 Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic
    • H04L63/1408 Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic by monitoring network traffic
    • H04L63/1416 Event detection, e.g. attack signature detection
    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L41/00 Arrangements for maintenance, administration or management of data switching networks, e.g. of packet switching networks
    • H04L41/14 Network analysis or design
    • H04L41/147 Network analysis or design for predicting network behaviour

Abstract

The invention provides an attack path prediction method based on attack gain, which comprises the following steps: a Bayesian attack graph is obtained by adopting a vulnerability scanning tool and is used as a network to be evaluated; acquiring all resource nodes and all attack nodes in a network to be evaluated; traversing the whole network to be evaluated, and acquiring all possible attack paths from the initial resource node to the target resource node; for each resource node on each possible attack path, acquiring attack gain and attack time of each attack node directly connected with the resource node to the resource node, and correspondingly generating an initial attack gain matrix, an attack time matrix and a probability attack gain matrix; according to the probability attack gain matrix, eliminating redundant attack paths in the possible attack paths to obtain attack gain paths; and traversing the attack gain paths, and determining the optimal gain path in the attack gain paths according to the principle that the path probability attack gain rate is maximum. The invention has the characteristics of high accuracy and the like, and can be widely applied to the field of network security.

Description

Attack path prediction method based on attack gain
Technical Field
The invention relates to a prediction technology, in particular to an attack path prediction method based on attack gain.
Background
As is well known, the research on the network attack path prediction method has been a hot problem in the scientific research field, and various prediction methods have been developed for this purpose. In recent years, researchers have applied attack graphs to network attack behavior prediction, which makes predictive evaluations based on vulnerabilities. At present, the attack path prediction method generally determines possible attack paths according to factors such as attack complexity, operation cost and the like, and does not consider subjective factors of attackers, so that the prediction accuracy is still low.
Therefore, in the prior art, the network attack path prediction method has the problem of poor prediction accuracy.
Disclosure of Invention
In view of the above, the main objective of the present invention is to provide an attack path prediction method based on attack gain with high prediction accuracy.
In order to achieve the purpose, the technical scheme provided by the invention is as follows:
An attack path prediction method based on attack gain comprises the following steps:
Step 1, a Bayesian attack graph is obtained by adopting a vulnerability scanning tool and is used as a network to be evaluated.
Step 2, acquiring all resource nodes $R = \{r_j \mid j = 1, 2, \ldots, M\}$ and all attack nodes $A = \{a_i \mid i = 1, 2, \ldots, N\}$ in the network to be evaluated; the resource nodes comprise an initial resource node serving as the starting point of the network attack, a target resource node serving as the target of the network attack, and intermediate resource nodes located between the initial node and the target node on a network path; each attack node is connected with more than one precursor resource node and more than one successor resource node, the initial resource node is followed by more than one attack node, and the target resource node is preceded by more than one attack node; according to the attack sequence, a resource node located before an attack node and directly connected with it is a precursor resource node, and a resource node located after an attack node and directly connected with it is a successor resource node; an attack node located before an attacked resource node and directly connected with it is a precursor attack node, and an attack node located after an attacked resource node and directly connected with it is a successor attack node; $M$ represents the total number of resource nodes, $N$ represents the total number of attack nodes, and $M$, $N$, $i$ and $j$ are all natural numbers.
Step 3, traversing the whole network to be evaluated, and acquiring all possible attack paths from the initial resource node to the target resource node.
Step 4, for each resource node on each possible attack path, acquiring the attack gain and attack time of each attack node directly connected with the resource node to the resource node, and correspondingly generating an initial attack gain matrix and an attack time matrix of each possible attack path, and further generating a probability attack gain matrix of each possible attack path; wherein the attack gain is the difference between the attack income and the attack cost.
Step 5, eliminating redundant attack paths in the possible attack paths according to the probability attack gain matrix to obtain attack gain paths.
Step 6, traversing the attack gain paths obtained in step 5, and determining the optimal gain path among the attack gain paths according to the principle that the path probability attack gain rate is maximum.
In summary, after the attack path prediction method based on the attack gain obtains the network to be evaluated, all possible attack paths from the initial resource node to the target resource node are obtained from the subjective angle of the attacker according to the relationship between various resource nodes and the attack nodes in the network to be evaluated. In all possible attack paths, a part of the possible attack paths contain an AND relationship, wherein the AND relationship means that more than two precursor attack nodes are connected with one resource node, and the more than two precursor attack nodes are in an AND relationship; the other part of the possible attack paths do not contain the AND relation, that is, the resource node on each possible attack path only has one precursor attack node. And for each resource node on each possible attack path, acquiring the time spent by each resource node being attacked successfully and the probability attack gain obtained after the attack is successful, and eliminating redundant paths in all possible attack paths according to the size of the probability attack gain to obtain an attack gain path. In the attack gain path, according to the path probability attack gain rate of each attack gain path, the attack gain path most likely selected by an attacker, namely the optimal attack gain path, is finally predicted and determined. According to the optimal prediction, precautionary measures can be taken in advance more accurately, and the network security is ensured.
Drawings
Fig. 1 is a general flowchart of an attack path prediction method based on attack gain according to the present invention.
Detailed Description
In order to make the objects, technical solutions and advantages of the present invention more apparent, the present invention will be described in further detail with reference to the accompanying drawings and specific embodiments.
Fig. 1 is a general flowchart of an attack path prediction method based on attack gain according to the present invention. As shown in fig. 1, the attack path prediction method based on attack gain according to the present invention includes the following steps:
Step 1, a Bayesian attack graph is obtained by adopting a vulnerability scanning tool and is used as a network to be evaluated.
Step 2, acquiring all resource nodes $R = \{r_j \mid j = 1, 2, \ldots, M\}$ and all attack nodes $A = \{a_i \mid i = 1, 2, \ldots, N\}$ in the network to be evaluated; the resource nodes comprise an initial resource node serving as the starting point of the network attack, a target resource node serving as the target of the network attack, and intermediate resource nodes located between the initial node and the target node on a network path; each attack node is connected with more than one precursor resource node and more than one successor resource node, the initial resource node is followed by more than one attack node, and the target resource node is preceded by more than one attack node; according to the attack sequence, a resource node located before an attack node and directly connected with it is a precursor resource node, and a resource node located after an attack node and directly connected with it is a successor resource node; an attack node located before an attacked resource node and directly connected with it is a precursor attack node, and an attack node located after an attacked resource node and directly connected with it is a successor attack node; $M$ represents the total number of resource nodes, $N$ represents the total number of attack nodes, and $M$, $N$, $i$ and $j$ are all natural numbers.
Step 3, traversing the whole network to be evaluated, and acquiring all possible attack paths from the initial resource node to the target resource node.
Step 4, for each resource node on each possible attack path, acquiring the attack gain and attack time of each attack node directly connected with the resource node to the resource node, and correspondingly generating an initial attack gain matrix and an attack time matrix of each possible attack path, and further generating a probability attack gain matrix of each possible attack path; wherein the attack gain is the difference between the attack income and the attack cost.
Step 5, eliminating redundant attack paths in the possible attack paths according to the probability attack gain matrix to obtain attack gain paths.
Step 6, traversing the attack gain paths obtained in step 5, and determining the optimal gain path among the attack gain paths according to the principle that the path probability attack gain rate is maximum.
In summary, after the attack path prediction method based on the attack gain obtains the network to be evaluated, all possible attack paths from the initial resource node to the target resource node are obtained from the subjective angle of an attacker according to the relationship between various resource nodes and the attack nodes in the network to be evaluated. In all possible attack paths, a part of the possible attack paths contain an AND relationship, wherein the AND relationship means that more than two precursor attack nodes are connected with one resource node, and the more than two precursor attack nodes are in an AND relationship; the other part of the possible attack paths do not contain the AND relation, that is, the resource node on each possible attack path only has one precursor attack node. And for each resource node on each possible attack path, acquiring the time spent by each resource node being attacked successfully and the probability attack gain obtained after the attack is successful, and eliminating redundant paths in all possible attack paths according to the size of the probability attack gain to obtain an attack gain path. In the attack gain path, according to the path probability attack gain rate of each attack gain path, the attack gain path most likely selected by an attacker, namely the optimal attack gain path, is finally predicted and determined. According to the optimal prediction, precautionary measures can be taken in advance more accurately, and the network security is ensured.
In the method of the present invention, the initial attack gain matrix is:
Figure GSB0000191666390000051
where the attack gain $q_{ij}$ represents the attack gain of attack node $a_i$ on resource node $r_j$, and $q_{ij} = \mathrm{gain}(a_i, r_j) - \mathrm{cost}(a_i, r_j)$; when $q_{ij} \le 0$, attack node $a_i$ has no attack behavior on resource node $r_j$ or obtains no attack gain; the $i$-th row of the attack gain matrix corresponds to attack node $a_i$, and the $j$-th column of the attack gain matrix corresponds to resource node $r_j$; $\mathrm{gain}(a_i, r_j)$ represents the attack income of attack node $a_i$ on resource node $r_j$, and $\mathrm{cost}(a_i, r_j)$ represents the attack cost of attack node $a_i$ on resource node $r_j$.
In the method of the present invention, the attack time matrix is:
Figure GSB0000191666390000052
where $t_{ij}$ represents the attack time for attack node $a_i$ to successfully occupy resource node $r_j$; when $t_{ij} \le 0$, the attack by attack node $a_i$ on resource node $r_j$ does not exist; the $i$-th row of the attack time matrix corresponds to attack node $a_i$, and the $j$-th column of the attack time matrix corresponds to resource node $r_j$.
In the method of the present invention, the attack income is $\mathrm{gain}(a_i, r_j) = w_j \beta_{ij} u_j$, where $w_j$ represents the resource value of resource node $r_j$, $\beta_{ij}$ represents the weight of the control permission level obtained by attack node $a_i$ after resource node $r_j$ is successfully attacked, and $u_j$ represents the attack profit impact coefficient of resource node $r_j$. Here, the control permission level is prior art, and the weight of the control permission level may be determined according to actual needs, which is not described further here.
In the method of the invention, the attack cost is $\mathrm{cost}(a_i, r_j) = \alpha_{ij1} H_{ij} + \alpha_{ij2} S_{ij}$, where $H_{ij}$ represents the attack complexity of attack node $a_i$ on resource node $r_j$, $S_{ij}$ represents the attack risk of attack node $a_i$ on resource node $r_j$, $\alpha_{ij1}$ represents the complexity weight, $\alpha_{ij2}$ represents the risk weight, and $\alpha_{ij1} + \alpha_{ij2} = 1$. The specific values of $\alpha_{ij1}$ and $\alpha_{ij2}$ can be determined according to actual requirements.
Here, the attack complexity quantization scale is shown in table 1 below. The quantitative criteria for risk of attack are shown in table 2.
TABLE 1 Attack complexity quantification standard
Figure GSB0000191666390000061
TABLE 2 quantification of risk of attack
Figure GSB0000191666390000062
In the method of the present invention, the probability attack gain matrix is:
Figure GSB0000191666390000063
where the probability attack gain $w_{ij} = \psi(a_i, r_j) \times q_{ij}$; when $w_{ij} \le 0$, attack node $a_i$ has no attack behavior on resource node $r_j$ or obtains no attack gain; the $i$-th row of the probability attack gain matrix corresponds to attack node $a_i$, and the $j$-th column of the probability attack gain matrix corresponds to resource node $r_j$; $\psi(a_i, r_j)$ represents the attack probability of attack node $a_i$ on resource node $r_j$.
In the method of the present invention, the attack probability $\psi(a_i, r_j) = P_1(a_i, r_j) \times P_2(a_i, r_j)$ represents the probability that resource node $r_j$ is attacked by attack node $a_i$; where $P_1(a_i, r_j)$ represents the probability that attack node $a_i$ launches an attack on resource node $r_j$ after the precursor resource nodes of attack node $a_i$ have been occupied, and $P_1(a_i, r_j) = P(\gamma(a_i, r_j) \mid \Omega(R_{j-1}))$; $P_2(a_i, r_j)$ represents the probability that attack node $a_i$ successfully occupies resource node $r_j$, and $P_2(a_i, r_j) = P(\Omega(r_j) \mid \gamma(a_i, r_j))$; $\gamma(a_i, r_j)$ represents the attack behavior initiated by attack node $a_i$ against resource node $r_j$; $\Omega(R_{j-1})$ represents the behavior of the precursor resource nodes of attack node $a_i$ being successfully occupied, and $\Omega(r_j)$ represents the behavior of attack node $a_i$ successfully occupying resource node $r_j$; $R_{j-1}$ represents the set of precursor resource nodes of attack node $a_i$, with $R_{j-1} = \{r_{j-1,1}, r_{j-1,2}, \ldots, r_{j-1,g}\}$, where $g$ is a natural number; $P(\cdot \mid \cdot)$ represents conditional probability.
In the method of the invention, for the precursor resource node set $R_{j-1} = \{r_{j-1,1}, r_{j-1,2}, \ldots, r_{j-1,g}\}$ of attack node $a_i$: when $g = 1$, attack node $a_i$ has only one precursor resource node, and $\Omega(R_{j-1}) = \Omega(r_{j-1,1})$; when $g > 1$, attack node $a_i$ is directly preceded by more than one precursor resource node in an AND relationship, and $\Omega(R_{j-1}) = \Omega(r_{j-1,1}) \times \Omega(r_{j-1,2}) \times \cdots \times \Omega(r_{j-1,g})$.
In the method of the present invention, step 5 specifically comprises:
Step 51, numbering all the possible attack paths from the starting resource node to the target resource node obtained in step 3.
Step 52, in ascending order of the possible attack path sequence numbers, judging whether each possible attack path is redundant:
according to the probability attack gain matrix corresponding to the current possible attack path, if one and only one probability attack gain element in each column of the probability attack gain matrix is greater than 0, no AND relationship exists on the current possible attack path, and the current possible attack path is not redundant;
according to the probability attack gain matrix corresponding to the current possible attack path, if a column contains more than one probability attack gain element not equal to 0, then for each column with more than two probability attack gain elements not equal to 0, the corresponding resource node on the current possible attack path has more than two precursor attack nodes in an AND relationship, and the probability attack gain of that resource node is the sum of the probability attack gain elements in the column: when the sum of the probability attack gain elements in each such column is greater than 0, the current possible attack path is not redundant; otherwise, the current possible attack path is redundant;
according to the probability attack gain matrix corresponding to the current possible attack path, if there is a column in which every probability attack gain element is less than or equal to 0, the current possible attack path is redundant.
Step 53, deleting the redundant attack paths to obtain the attack gain paths.
In the invention, the attack gain of a resource node is the difference between the attack income and the attack cost. From the attacker's perspective, if an attack yields no benefit, the attacker will not carry out the attack. Therefore, the probability attack gain of the current resource node is determined from the attack gain of the currently attacked resource node and the probability that the precursor resource nodes on the same possible attack path have been successfully attacked, and the probability attack gain matrix of the whole possible attack path is determined in this way. For each possible attack path, if the probability attack gain of some resource node on the path is less than or equal to 0, then attacking that resource node generates no income and may even lose the cost invested; the attacker therefore will not attack that resource node, that is, the attacker will not select this possible attack path, and the possible attack path is redundant.
In the invention, if an attacker does not attack the resource node, the state value of the attack node is false. If the attacker attacks the resource node, the state value of the attacking node is "true".
In the method of the present invention, the method for obtaining the optimal gain path specifically includes:
Step 61, calculating the probability attack gain rate of each attack gain path for all attack gain paths obtained in step 53
Figure GSB0000191666390000091
Wherein PathW represents the probabilistic attack gain of the attack gain path, PathT represents the time it takes for the attack gain path to be attacked successfully.
Step 62, finding the maximum value of the probability attack gain rate among the probability attack gain rates of all attack gain paths.
Step 63, taking the attack gain path corresponding to the maximum value of the probability attack gain rate as the optimal attack path.
In step 61, the probabilistic attack gain rate of the attack gain path is calculated
Figure GSB0000191666390000092
The method specifically comprises the following steps:
if there is no AND relationship in the attack gain path, then
Figure GSB0000191666390000093
Figure GSB0000191666390000094
where
Figure GSB0000191666390000095
representing the sum of all elements in the kth column of the probability attack gain matrix;
Figure GSB0000191666390000096
representing the sum of all attack time elements in the kth column in the attack time matrix; x and k are both natural numbers;
if an AND relationship exists in the attack gain path, then
Figure GSB0000191666390000097
Figure GSB0000191666390000098
where
Figure GSB0000191666390000099
represents the sum of the attack time elements, in the attack time matrix, of the columns corresponding to resource nodes on the attack gain path that have only one precursor attack node;
Figure GSB00001916663900000910
represents the sum of the attack times of attacking the resource nodes $r_d$ that have more than two precursor attack nodes on the attack gain path,
Figure GSB00001916663900000911
represents the maximum synchronous attack time when resource node $r_d$, which has more than two precursor attack nodes, is attacked,
Figure GSB00001916663900000912
represents the asynchronous attack time when resource node $r_d$, which has more than two precursor attack nodes, is attacked; $s$, $d$, $E$, $F$ are all natural numbers, and $E + F = M$.
In summary, the above description is only a preferred embodiment of the present invention, and is not intended to limit the scope of the present invention. Any modification, equivalent replacement, or improvement made within the spirit and principle of the present invention should be included in the protection scope of the present invention.
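As an added illustration (not code from the patent), the sketch below runs steps 4 to 6 on a small constructed graph so a defender can see which path the method ranks first and should therefore be hardened first. The figures holding the rate formula are not reproduced on this page, so the rate PathW / PathT and the use of the slowest precursor's time for an AND column are assumptions, as are all names and numeric values.

```python
from dataclasses import dataclass

ALPHA_H, ALPHA_S = 0.5, 0.5   # alpha_ij1 + alpha_ij2 = 1 (constructed weights)

@dataclass(frozen=True)
class Edge:
    """Attack node a_i acting on resource node r_j; every value is constructed."""
    a: int            # attack node index i (matrix row)
    r: int            # resource node index j (matrix column)
    value: float      # w_j: resource value
    beta: float       # beta_ij: weight of the control permission level obtained
    u: float          # u_j: attack profit impact coefficient
    H: float          # H_ij: attack complexity
    S: float          # S_ij: attack risk
    p_launch: float   # P1(a_i, r_j)
    p_succeed: float  # P2(a_i, r_j)
    t: float          # t_ij: attack time

def attack_gain(e):
    """q_ij = gain(a_i, r_j) - cost(a_i, r_j)."""
    return e.value * e.beta * e.u - (ALPHA_H * e.H + ALPHA_S * e.S)

def prob_gain(e):
    """w_ij = psi(a_i, r_j) * q_ij, with psi = P1 * P2."""
    return e.p_launch * e.p_succeed * attack_gain(e)

def build_matrices(path):
    """Step 4: probability attack gain matrix W and attack time matrix T.
    Assumption: columns cover only resource nodes attacked on this path,
    because the start node has no precursor attack node."""
    rows = sorted({e.a for e in path})
    cols = sorted({e.r for e in path})
    W = [[0.0] * len(cols) for _ in rows]
    T = [[0.0] * len(cols) for _ in rows]
    for e in path:
        i, j = rows.index(e.a), cols.index(e.r)
        W[i][j], T[i][j] = prob_gain(e), e.t
    return W, T

def column(M, j):
    return [row[j] for row in M]

def is_redundant(W):
    """Step 52: a column with several non-zero entries is an AND node whose
    gain is the column sum; a single-precursor column's gain is its one entry.
    Any column whose gain is <= 0 makes the whole path redundant."""
    return any(sum(column(W, j)) <= 0 for j in range(len(W[0])))

def gain_rate(W, T):
    """Step 61 under the stated assumptions: PathW / PathT."""
    path_w = sum(sum(row) for row in W)
    path_t = 0.0
    for j in range(len(T[0])):
        times = [t for t in column(T, j) if t > 0]   # t_ij <= 0: no such attack
        if not times:
            raise ValueError("column %d has no attack time" % j)
        # One precursor: its own time. AND column: slowest precursor
        # (assumption: precursors attack synchronously).
        path_t += max(times)
    return path_w / path_t

def predict(paths):
    """Steps 5 and 6: drop redundant paths, then pick the maximum gain rate."""
    rates, redundant = {}, []
    for name, path in paths.items():
        W, T = build_matrices(path)
        if is_redundant(W):
            redundant.append(name)
        else:
            rates[name] = gain_rate(W, T)
    best = max(rates, key=rates.get) if rates else None
    return best, rates, redundant

# Constructed graph: r0 is the start node, r3 the target.
A0_R1 = Edge(0, 1, 10, 0.5, 1.0, 2, 2, 0.8, 0.5, 2)   # w = 1.2
A1_R3 = Edge(1, 3, 20, 1.0, 1.0, 6, 4, 0.5, 0.5, 4)   # w = 3.75
A2_R2 = Edge(2, 2, 8, 0.5, 1.0, 2, 2, 0.5, 0.5, 1)    # w = 0.5
A3_R3 = Edge(3, 3, 20, 0.2, 1.0, 6, 4, 0.5, 0.5, 3)   # w = -0.25, cost > income
A4_R3 = Edge(4, 3, 20, 0.5, 1.0, 4, 4, 0.5, 0.5, 9)   # w = 1.5
PATHS = {
    "direct":   [A0_R1, A1_R3],                  # no AND relationship
    "via_r2":   [A2_R2, A3_R3],                  # negative gain on r3
    "and_join": [A0_R1, A2_R2, A1_R3, A4_R3],    # a1 AND a4 both precede r3
}

if __name__ == "__main__":
    best, rates, redundant = predict(PATHS)
    print("redundant:", redundant)
    for name, rate in sorted(rates.items(), key=lambda kv: -kv[1]):
        print("%-9s rate=%.4f" % (name, rate))
    print("harden first:", best)
```

Changing `A4_R3.t` from 9 to 5 makes `and_join` outrank `direct`, which shows how sensitive the ranking is to the attack time estimates.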

Claims (8)

1. An attack path prediction method based on attack gain is characterized by comprising the following steps:
step 1, a Bayesian attack graph is obtained by adopting a vulnerability scanning tool and is used as a network to be evaluated;
step 2, acquiring all resource nodes $R = \{r_j \mid j = 1, 2, \ldots, M\}$ and all attack nodes $A = \{a_i \mid i = 1, 2, \ldots, N\}$ in the network to be evaluated; the resource nodes comprise an initial resource node serving as the starting point of the network attack, a target resource node serving as the target of the network attack, and intermediate resource nodes located between the initial node and the target node on a network path; each attack node is connected with more than one precursor resource node and more than one successor resource node, the initial resource node is followed by more than one attack node, and the target resource node is preceded by more than one attack node; according to the attack sequence, a resource node located before an attack node and directly connected with it is a precursor resource node, and a resource node located after an attack node and directly connected with it is a successor resource node; an attack node located before an attacked resource node and directly connected with it is a precursor attack node, and an attack node located after an attacked resource node and directly connected with it is a successor attack node; $M$ represents the total number of resource nodes, $N$ represents the total number of attack nodes, and $M$, $N$, $i$ and $j$ are all natural numbers;
step 3, traversing the whole network to be evaluated, and acquiring all possible attack paths from the initial resource node to the target resource node;
step 4, for each resource node on each possible attack path, acquiring attack gain and attack time of each attack node directly connected with the resource node to the resource node, and correspondingly generating an initial attack gain matrix and an attack time matrix of each possible attack path, and further generating a probability attack gain matrix of each possible attack path; wherein the attack gain is the difference between the attack income and the attack cost;
step 5, eliminating redundant attack paths in the possible attack paths according to the probability attack gain matrix to obtain attack gain paths;
and step 6, traversing the attack gain paths obtained in step 5, and determining the optimal gain path among the attack gain paths according to the principle that the path probability attack gain rate is maximum.
2. The attack gain-based attack path prediction method according to claim 1,
the initial attack gain matrix
Figure FSB0000191666380000021
wherein the attack gain $q_{ij}$ represents the attack gain of attack node $a_i$ on resource node $r_j$, and $q_{ij} = \mathrm{gain}(a_i, r_j) - \mathrm{cost}(a_i, r_j)$; when $q_{ij} \le 0$, attack node $a_i$ has no attack behavior on resource node $r_j$ or obtains no attack gain; the $i$-th row of the attack gain matrix corresponds to attack node $a_i$, and the $j$-th column of the attack gain matrix corresponds to resource node $r_j$; $\mathrm{gain}(a_i, r_j)$ represents the attack income of attack node $a_i$ on resource node $r_j$, and $\mathrm{cost}(a_i, r_j)$ represents the attack cost of attack node $a_i$ on resource node $r_j$;
the attack time matrix
Figure FSB0000191666380000022
wherein $t_{ij}$ represents the attack time for attack node $a_i$ to successfully occupy resource node $r_j$; when $t_{ij} \le 0$, the attack by attack node $a_i$ on resource node $r_j$ does not exist; the $i$-th row of the attack time matrix corresponds to attack node $a_i$, and the $j$-th column of the attack time matrix corresponds to resource node $r_j$; wherein,
the attack income $\mathrm{gain}(a_i, r_j) = w_j \beta_{ij} u_j$, where $w_j$ represents the resource value of resource node $r_j$, $\beta_{ij}$ represents the weight of the control permission level obtained by attack node $a_i$ after resource node $r_j$ is successfully attacked, and $u_j$ represents the attack profit impact coefficient of resource node $r_j$;
the attack cost $\mathrm{cost}(a_i, r_j) = \alpha_{ij1} H_{ij} + \alpha_{ij2} S_{ij}$, where $H_{ij}$ represents the attack complexity of attack node $a_i$ on resource node $r_j$, $S_{ij}$ represents the attack risk of attack node $a_i$ on resource node $r_j$, $\alpha_{ij1}$ represents the complexity weight, $\alpha_{ij2}$ represents the risk weight, and $\alpha_{ij1} + \alpha_{ij2} = 1$.
3. The attack path prediction method based on attack gain according to claim 2, wherein the probabilistic attack gain matrix is:
Figure FSB0000191666380000031
wherein the probability attack gain $w_{ij} = \psi(a_i, r_j) \times q_{ij}$; when $w_{ij} \le 0$, attack node $a_i$ has no attack behavior on resource node $r_j$ or obtains no attack gain; the $i$-th row of the probability attack gain matrix corresponds to attack node $a_i$, and the $j$-th column of the probability attack gain matrix corresponds to resource node $r_j$; $\psi(a_i, r_j)$ represents the attack probability of attack node $a_i$ on resource node $r_j$.
4. The attack gain-based attack path prediction method according to claim 3, wherein the attack probability $\psi(a_i, r_j) = P_1(a_i, r_j) \times P_2(a_i, r_j)$ represents the probability that resource node $r_j$ is attacked by attack node $a_i$; wherein $P_1(a_i, r_j)$ represents the probability that attack node $a_i$ launches an attack on resource node $r_j$ after the precursor resource nodes of attack node $a_i$ have been occupied, and $P_1(a_i, r_j) = P(\gamma(a_i, r_j) \mid \Omega(R_{j-1}))$; $P_2(a_i, r_j)$ represents the probability that attack node $a_i$ successfully occupies resource node $r_j$, and $P_2(a_i, r_j) = P(\Omega(r_j) \mid \gamma(a_i, r_j))$; $\gamma(a_i, r_j)$ represents the attack behavior initiated by attack node $a_i$ against resource node $r_j$; $\Omega(R_{j-1})$ represents the behavior of the precursor resource nodes of attack node $a_i$ being successfully occupied, and $\Omega(r_j)$ represents the behavior of attack node $a_i$ successfully occupying resource node $r_j$; $R_{j-1}$ represents the set of precursor resource nodes of attack node $a_i$, with $R_{j-1} = \{r_{j-1,1}, r_{j-1,2}, \ldots, r_{j-1,g}\}$, where $g$ is a natural number; $P(\cdot \mid \cdot)$ represents conditional probability.
5. The attack gain-based attack path prediction method according to claim 4, wherein, for the precursor resource node set $R_{j-1} = \{r_{j-1,1}, r_{j-1,2}, \ldots, r_{j-1,g}\}$ of attack node $a_i$: when $g = 1$, attack node $a_i$ has only one precursor resource node, and $\Omega(R_{j-1}) = \Omega(r_{j-1,1})$; when $g > 1$, attack node $a_i$ is directly preceded by more than one precursor resource node in an AND relationship, and $\Omega(R_{j-1}) = \Omega(r_{j-1,1}) \times \Omega(r_{j-1,2}) \times \cdots \times \Omega(r_{j-1,g})$.
6. The attack path prediction method based on attack gain according to claim 3, 4 or 5, wherein the step 5 specifically comprises:
step 51, numbering all possible attack paths from the starting resource node to the target resource node obtained in the step 3;
step 52, according to the sequence of the possible attack path sequence numbers from small to large, judging whether each possible attack path is redundant:
according to the probability attack gain matrix corresponding to the current possible attack path, if one and only one probability attack gain element in each column of the matrix is greater than 0, no AND relation exists on the current possible attack path, and the current possible attack path is not redundant;
according to the probability attack gain matrix corresponding to the current possible attack path, if more than one probability attack gain element not equal to 0 exists in each column, then for the columns with more than two probability attack gain elements not equal to 0, the corresponding resource nodes on the current possible attack path have more than two predecessor attack nodes in an AND relationship, and the probability attack gain of each such resource node is the sum of the probability attack gain elements in its column: when the sum of the probability attack gain elements in each column is greater than 0, the current possible attack path is not redundant; otherwise, the current possible attack path is redundant;
according to the probability attack gain matrix corresponding to the current possible attack path, if the matrix has a column in which every probability attack gain element is less than or equal to 0, the current possible attack path is redundant;
and step 53, deleting the redundant attack paths to obtain the attack gain paths.
7. The attack path prediction method based on attack gain according to claim 6, wherein the optimal gain path obtaining method specifically includes:
step 61, calculating the probability attack gain rate of each attack gain path for all attack gain paths obtained in step 53
Figure FSB0000191666380000041
wherein PathW represents the probabilistic attack gain of the attack gain path, and PathT represents the time taken to attack the attack gain path successfully;
step 62, finding out the maximum value of the probability attack gain rate from the probability attack gain rates of all attack gain paths;
and step 63, taking the attack gain path corresponding to the maximum value of the probability attack gain rate as an optimal attack path.
8. The attack gain-based attack path prediction method according to claim 7, wherein in step 61, the probability attack gain rate of the attack gain path is calculated
Figure FSB0000191666380000051
specifically comprises:
if there is no AND relationship in the attack gain path, then
Figure FSB0000191666380000052
Figure FSB0000191666380000053
wherein
Figure FSB0000191666380000054
representing the sum of all elements in the kth column of the probability attack gain matrix;
Figure FSB0000191666380000055
representing the sum of all attack time elements in the kth column in the attack time matrix; x and k are both natural numbers;
if an AND relationship exists in the attack gain path, then
Figure FSB0000191666380000056
Figure FSB0000191666380000057
wherein
Figure FSB0000191666380000058
representing the sum of the attack time elements, in the attack time matrix, of the columns corresponding to the resource nodes with only one predecessor attack node on the attack gain path;
Figure FSB0000191666380000059
representing the sum of the attack times of the resource nodes $r_d$ with more than two predecessor attack nodes on the attack gain path,
Figure FSB00001916663800000510
representing the maximum synchronous attack time when a resource node $r_d$ having more than two predecessor attack nodes is attacked,
Figure FSB00001916663800000511
representing the asynchronous attack time when a resource node $r_d$ having more than two predecessor attack nodes is attacked; s, d, E and F are all natural numbers, and E + F = M.
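The redundancy test of claim 6 (steps 51 to 53), worked through as an added example that is not part of the patent text. It assumes that rows of the probability attack gain matrix are attack nodes and columns are resource nodes, and it reads any column with two or more non-zero entries as an AND column, which is one reading of the claim wording; the function names and sample matrices are constructed for illustration.

```python
from typing import Dict, List, Tuple

# Assumed layout: rows = attack nodes, columns = resource nodes on the path.
Matrix = List[List[float]]

def column_gains(m: Matrix) -> List[Tuple[float, bool]]:
    """For each resource node (column) return (probability attack gain, is_and).

    A column with two or more non-zero entries is treated as a resource node
    whose predecessor attack nodes are in an AND relation; its gain is the
    column sum. Otherwise the gain is the single non-zero entry (or 0).
    """
    gains = []
    for col in zip(*m):
        nonzero = [v for v in col if v != 0]
        gains.append((sum(nonzero), len(nonzero) >= 2))
    return gains

def is_redundant(m: Matrix) -> bool:
    """Step 52: redundant as soon as one resource node yields a gain <= 0."""
    return any(gain <= 0 for gain, _ in column_gains(m))

def attack_gain_paths(paths: Dict[int, Matrix]) -> Dict[int, Matrix]:
    """Steps 52-53: check paths in ascending number order, drop redundant ones."""
    return {n: paths[n] for n in sorted(paths) if not is_redundant(paths[n])}

# Constructed sample matrices, keyed by the path number assigned in step 51.
PATHS: Dict[int, Matrix] = {
    1: [[0.6, 0.0, 0.0], [0.0, 0.3, 0.0], [0.0, 0.0, 0.9]],  # no AND, all > 0
    2: [[0.6, 0.0], [0.0, 0.5], [0.0, -0.2]],  # AND column, sum 0.3 > 0
    3: [[0.6, 0.0], [0.0, 0.1], [0.0, -0.4]],  # AND column, sum -0.3
    4: [[0.6, 0.0], [0.0, -0.2]],              # column with no positive entry
}

if __name__ == "__main__":
    for n, m in sorted(PATHS.items()):
        print(n, "redundant" if is_redundant(m) else "kept", column_gains(m))
```

Paths 1 and 2 survive as attack gain paths; paths 3 and 4 are deleted because one of their resource nodes yields a non-positive probability attack gain.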
CN201811113102.9A 2018-09-13 2018-09-13 Attack path prediction method based on attack gain Active CN108965035B (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN201811113102.9A CN108965035B (en) 2018-09-13 2018-09-13 Attack path prediction method based on attack gain

Publications (2)

Publication Number Publication Date
CN108965035A CN108965035A (en) 2018-12-07
CN108965035B true CN108965035B (en) 2021-06-29

Family

ID=64471740

Country Status (1)

Country Link
CN (1) CN108965035B (en)

Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination
GR01 Patent grant