CN109040027A - The active predicting method of network vulnerability node based on gray model - Google Patents


Info

Publication number: CN109040027A (application CN201810763946.1A; granted version CN109040027B)
Authority: CN (China)
Legal status: Granted (status as listed by Google Patents, not a legal conclusion)
Other languages: Chinese (zh)
Inventors: 胡昌振, 吕坤, 高程昕
Assignee (original and current): Beijing Institute of Technology (BIT)
Prior art keywords: formula, host, situation, network, network system

Classifications (CPC, section H ELECTRICITY, class H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION)

    • H04L63/1416 Network security, detecting or protecting against malicious traffic by monitoring network traffic: event detection, e.g. attack signature detection
    • H04L63/1425 Network security, detecting or protecting against malicious traffic by monitoring network traffic: traffic logging, e.g. anomaly detection
    • H04L63/1433 Network security, detecting or protecting against malicious traffic: vulnerability analysis
    • H04L41/142 Maintenance, administration or management of data switching networks: network analysis or design using statistical or mathematical methods
    • H04L41/145 Network analysis or design involving simulating, designing, planning or modelling of a network
    • H04L41/147 Network analysis or design for predicting network behaviour


Abstract

The present invention relates to an active prediction method for network vulnerability nodes based on a grey model and belongs to the field of information security technology. Real-time host information, topology information, vulnerability information and similar features are collected from the network; grey relational analysis determines the weight of each item within the network system and a unified calculation is performed on the observation data; the resulting situation values are fed into a grey prediction model whose coefficients are determined by least squares, yielding the prediction model. Finally, the situation increments of the reachable, not-yet-attacked network nodes are compared with the prediction model curve by relational analysis, and the node whose situation increment is closest is predicted as the next network vulnerability node.

Description

Active prediction method of network vulnerability node based on gray model
Technical Field
The invention relates to an active prediction method of a network vulnerability node based on a gray model, and belongs to the technical field of information security.
Background
With the rapid development of computer networks, security vulnerabilities and hidden risks in network information systems keep appearing, the types and number of network attacks multiply, and basic networks and information systems face severe security threats. Traditional information security was constrained by the available technology and therefore relied mostly on passive defence. With the arrival of big data analysis, SDN, security information collection and similar technologies, security monitoring has become more accurate at analysing the security situation and at giving early warning of security events, and passive defence is gradually giving way to active defence. Against this background, research on active defence is attracting increasing interest.
The invention uses a CVE-compatible (Common Vulnerabilities and Exposures) database. CVE is a dictionary that assigns a common name to publicly known information security vulnerabilities and exposures, and it helps users share data across otherwise separate vulnerability databases and vulnerability assessment tools; this makes CVE a "key" for sharing security information. Given the CVE name of a vulnerability, the corresponding information can be found quickly in any other CVE-compatible database.
Disclosure of Invention
The invention combines network security situation awareness with a grey model. It provides an active prediction method for network vulnerability nodes based on the grey model: real-time host information, topology information, vulnerability information and similar features are acquired from the network; the weight of each item within the network system is determined by grey relational analysis and a unified calculation of the observation data is completed; the calculated state information is input to the grey prediction model, whose grey coefficients are determined by least squares to realise the prediction model; finally, relational analysis is performed between the situation increments of the reachable, not-yet-attacked network nodes and the prediction model curve, and the node whose situation increment is closest is taken as the next predicted network vulnerability node.
The purpose of the invention is achieved by the following technical scheme. The active prediction method of a network vulnerability node based on a grey model comprises the following specific operation steps:
step one, acquiring a network security situation characteristic item and calculating a network state. The method specifically comprises the following steps:
Step 1.1: determine the security situation feature items of the network system. The network security situation is described in three dimensions, from top to bottom: the operation situation dimension, the vulnerability situation dimension and the abnormal situation dimension. The feature items describing the operation situation dimension are CPU utilisation, memory utilisation and disk read rate; those describing the vulnerability situation dimension are vulnerability type, vulnerability score, event type and identity authentication degree; those describing the abnormal situation dimension are number of attack sources, attack time, attack frequency and device online state. The network system therefore has 11 security situation feature items: CPU utilisation, memory utilisation, disk read rate, vulnerability type, vulnerability score, event type, identity authentication degree, number of attack sources, attack time, attack frequency and device online state.
Step 1.2: periodically acquire, as the object of study, the observation data of the security situation feature items of each single host in the network system at different moments. Calculate the mean of the observation data of each security situation feature item over all hosts at each moment, and determine by grey relational analysis the weight with which each feature item expresses the global state of the whole network system, i.e. the influence weight of each network security feature item on the expression of the global network state. The specific steps are:
Step 1.2.1: calculate the mean of the observation data of each security situation feature item over all hosts in the network system at each moment to obtain the observation matrix $A$, as shown in formula (1).
where $t$ denotes the $t$-th moment, $t = 1, 2, 3, \ldots$; $f_t(1), f_t(2), \ldots, f_t(11)$ are the mean observed values of the 11 security situation feature items at the $t$-th moment.
Step 1.2.2: apply dimensionless processing to the observation matrix $A$ by formula (2) to obtain the dimensionless observation matrix $A_1$, as shown in formula (3).
where $i = 1, 2, \ldots, 11$.
Step 1.2.3: take the first column vector of the dimensionless observation matrix $A_1$ as the observation (reference) vector and the other column vectors as comparison vectors. Calculate the correlation coefficient of each entry of each comparison vector by formula (4) and form the correlation coefficient matrix $M$, as shown in formula (5).
where $j = 2, 3, \ldots, 11$.
Step 1.2.4: obtain the relational degree between any two network security situation feature items by formula (6).
where $k = 1, 2, \ldots, 11$; $\gamma(f(i), f(k))$ denotes the relational degree of the feature items $f(i)$ and $f(k)$; $\gamma(f(i), f(1))$ is calculated by formula (7) and $\gamma(f(k), f(1))$ by formula (8).
where $T$ is the total number of time points taken.
Step 1.2.5: from the result of step 1.2.4, obtain the relational matrix $M'$ among the network security situation feature items, as shown in formula (9).
Because the relational matrix $M'$ is a non-negative symmetric matrix, it has a largest-modulus eigenvalue, denoted $\lambda$, such that $\lambda C = M' C$, where $\lambda$ is non-negative and $C$ is an eigenvector. The eigenvalues and eigenvectors of $M'$ are obtained with MATLAB's eigenvalue and eigenvector routine for non-negative symmetric matrices. The eigenvector corresponding to the largest-modulus eigenvalue $\lambda$ is denoted $W$, $W \in C$, $W = [\omega_1, \omega_2, \ldots, \omega_{11}]^T$, where $\omega_i$ is the influence weight of the $i$-th network security feature item on the global state of the network, $i = 1, 2, \ldots, 11$.
Through the operation of the step, the influence weight of each network security feature item on the network global state is obtained.
Step 1.3: acquire the observation data of all network security feature items of all hosts in the network system at different time points, obtain the single-host situation shown by each host at each time point from the influence weights obtained in step 1.2, and obtain the relative importance of the hosts in the network system by grey relational analysis.
Step 1.3.1: the host situation matrix $B$ is formed from the host situation values of every host in the network system at the different time points, as shown in formula (10).
where $h$ denotes the $h$-th host, $h = 1, 2, 3, \ldots$; $s_t(1), s_t(2), \ldots, s_t(h)$ are the host situation values of the 1st, 2nd, ..., $h$-th hosts at the $t$-th moment, each calculated by formula (11).
where $s_t(h)$ is the host situation value of the $h$-th host at the $t$-th moment, and $f_{th}(i)$ is the observed value of the $i$-th network security situation feature item $f(i)$ of the $h$-th host at moment $t$.
Step 1.3.2: apply dimensionless processing to the single-host situation matrix $B$ as shown in formula (12) to obtain the dimensionless single-host situation matrix $B_1$, as shown in formula (13).
Step 1.3.3: take the first column vector of the dimensionless matrix $B_1$ as the observation (reference) vector and the other column vectors as comparison vectors. Calculate the correlation coefficient of each entry of each comparison vector by formula (14) and form the correlation coefficient matrix $H$, as shown in formula (15).
where $m = 1, 2, 3, \ldots$.
Step 1.3.4: obtain the relational degree between any two hosts by formula (16).
where $q = 1, 2, 3, \ldots$; $\gamma(h(m), h(q))$ denotes the relational degree of the network hosts $h(m)$ and $h(q)$; $\gamma(h(m), h(1))$ is calculated by formula (7) and $\gamma(h(q), h(1))$ by formula (8).
Step 1.3.5: from the result of step 1.3.4, obtain the relational matrix $H'$ among the network hosts, as shown in formula (19).
Because the inter-host relational matrix $H'$ is a non-negative symmetric matrix, it has a largest-modulus eigenvalue, denoted $\lambda'$, such that $\lambda' C' = H' C'$, where $\lambda'$ is non-negative and $C'$ is an eigenvector. The eigenvalues and eigenvectors of $H'$ are extracted with MATLAB. The eigenvector corresponding to the largest-modulus eigenvalue $\lambda'$ is denoted $E$, $E \in C'$, $E = [e_1, e_2, \ldots, e_h]^T$, where $e_h$ is the importance of the $h$-th host in the network, $h = 1, 2, 3, \ldots$.
Through the operation of the step, the importance weight of each network host in the network global is obtained.
Step 1.4: from the influence weight of each network security feature item on the global network state obtained in step 1.2 and the importance weight of each host obtained in step 1.3, obtain the overall situation history of the network system at the different moments by formula (20); the history is denoted $S = (S_1, S_2, \ldots, S_t)$.
$S_t = \sum_h e_h \times s_t(h)$ (20)
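Steps 1.2 to 1.4 carried through in code, as an added example that is not part of the patent: grey relational analysis on the per-moment feature means gives the feature weights ω, the same analysis on the host situation matrix B gives the host weights e, and formula (20) combines them into the global situation S_t. The page only numbers formulas (2), (4), (6) to (9) and (11) without reproducing them, so the example assumes min-max scaling for the dimensionless processing, Deng's grey relational coefficient with resolution ρ = 0.5, averaging of the two directional degrees to obtain the symmetric matrix the text relies on, a weighted sum for formula (11), and power iteration in place of the MATLAB eigenvector routine. The observations are seeded pseudo-random numbers, not measurements.

```python
import random

# The 11 feature items of step 1.1, in the order the text lists them.
FEATURES = ["cpu_util", "mem_util", "disk_read_rate", "vuln_type", "vuln_score",
            "event_type", "auth_degree", "attack_sources", "attack_time",
            "attack_freq", "device_online"]
RHO = 0.5   # resolution coefficient of Deng's grey relational coefficient (assumption)

def constructed_observations(n_hosts=6, n_times=6, seed=7):
    """Constructed data, not measurements: obs[h][t] is the 11-item feature vector
    of host h at moment t, drawn with a seeded generator at rough unit scales."""
    rng = random.Random(seed)
    scale = [100, 100, 500, 5, 10, 5, 3, 20, 24, 50, 1]
    return [[[rng.random() * s for s in scale] for _ in range(n_times)]
            for _ in range(n_hosts)]

def dimensionless(matrix):
    """Column-wise min-max scaling into [0, 1]; assumed form of the page's formula (2)."""
    scaled = []
    for col in zip(*matrix):
        lo, hi = min(col), max(col)
        scaled.append([(v - lo) / (hi - lo) if hi > lo else 0.0 for v in col])
    return [list(row) for row in zip(*scaled)]

def relational_degrees(ref, comparisons, rho=RHO):
    """Deng grey relational degree of each comparison sequence against ref; the
    min and max absolute differences are taken over all comparisons at once."""
    diffs = [[abs(a - b) for a, b in zip(ref, c)] for c in comparisons]
    flat = [d for row in diffs for d in row]
    dmin, dmax = min(flat), max(flat)
    if dmax == 0:                       # every comparison is identical to ref
        return [1.0 for _ in comparisons]
    return [sum((dmin + rho * dmax) / (d + rho * dmax) for d in row) / len(row)
            for row in diffs]

def relational_matrix(matrix):
    """Relational matrix among the columns of matrix (the page's M' and H').
    Deng's degree is directional, so the two directions are averaged to obtain
    the non-negative symmetric matrix the text relies on (assumption)."""
    cols = [list(c) for c in zip(*dimensionless(matrix))]
    n = len(cols)
    raw = [[1.0] * n for _ in range(n)]         # diagonal stays 1: full self-relation
    for i in range(n):
        others = [k for k in range(n) if k != i]
        for k, g in zip(others, relational_degrees(cols[i], [cols[k] for k in others])):
            raw[i][k] = g
    return [[(raw[i][k] + raw[k][i]) / 2 for k in range(n)] for i in range(n)]

def principal_weights(sym, iters=500):
    """Eigenvector of the largest-modulus eigenvalue of a non-negative symmetric
    matrix by power iteration (stands in for the MATLAB routine the text names),
    normalised to sum to 1 so that its entries serve directly as weights."""
    n = len(sym)
    v = [1.0 / n] * n
    for _ in range(iters):
        w = [sum(sym[i][k] * v[k] for k in range(n)) for i in range(n)]
        total = sum(w)
        v = [x / total for x in w]
    return v

def feature_weights(obs):
    """Step 1.2: matrix A of per-moment means over all hosts, then omega from M'."""
    n_hosts, n_times = len(obs), len(obs[0])
    A = [[sum(obs[h][t][i] for h in range(n_hosts)) / n_hosts for i in range(len(FEATURES))]
         for t in range(n_times)]
    return principal_weights(relational_matrix(A))

def host_situations(obs, omega):
    """Step 1.3.1: s_t(h) as the omega-weighted sum of the host's scaled feature values
    (formula (11) is not reproduced on the page; a weighted sum is assumed).
    Returns the matrix B indexed as B[t][h]."""
    n_hosts, n_times = len(obs), len(obs[0])
    rows = dimensionless([obs[h][t] for h in range(n_hosts) for t in range(n_times)])
    return [[sum(w * f for w, f in zip(omega, rows[h * n_times + t])) for h in range(n_hosts)]
            for t in range(n_times)]

def global_situation(obs):
    """Steps 1.2 to 1.4 end to end; returns (omega, e, S)."""
    omega = feature_weights(obs)
    B = host_situations(obs, omega)
    e = principal_weights(relational_matrix(B))        # host importance, step 1.3
    S = [sum(e[h] * B[t][h] for h in range(len(e))) for t in range(len(B))]   # formula (20)
    return omega, e, S

if __name__ == "__main__":
    omega, e, S = global_situation(constructed_observations())
    for name, w in zip(FEATURES, omega):
        print(f"{name:15s} {w:.4f}")
    print("host weights e:", [round(x, 4) for x in e])
    print("global S_t:    ", [round(x, 4) for x in S])
```

The weights come out strictly positive because the relational matrix has positive entries, so its Perron vector is positive; the power iteration converges to that vector whatever the starting guess. Feeding raw, unscaled feature values into the weighted sum of step 1.3.1 would let the disk read rate dominate the other ten items, which is why the scaling is applied before the weights.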
And step two, establishing a grey prediction model of the network system based on the overall situation historical data of the network system, and predicting the situation of the network system at the next moment. The method specifically comprises the following steps:
Step 2.1: denote the initial sequence of the grey model by $X^{(0)} = (x^{(0)}(1), x^{(0)}(2), \ldots, x^{(0)}(t))$, where $x^{(0)}(1), x^{(0)}(2), \ldots, x^{(0)}(t)$ are the overall network situation values at the 1st, 2nd, ..., $t$-th moments. The overall situation history $S$ obtained in step one is taken as the initial sequence: $x^{(0)}(1) = S_1, x^{(0)}(2) = S_2, \ldots, x^{(0)}(t) = S_t$.
Step 2.2: calculate the first-order accumulated generating sequence of the initial sequence $X^{(0)}$ by formula (21), denoted $X^{(1)} = \{x^{(1)}(1), x^{(1)}(2), \ldots, x^{(1)}(t)\}$, where $x^{(1)}(1), x^{(1)}(2), \ldots, x^{(1)}(t)$ are the sums of the overall network situation from the 1st moment to the 1st, to the 2nd, ..., to the $t$-th moment.
$x^{(1)}(t) = \sum_{k=1}^{t} x^{(0)}(k)$ (21)
The purpose of the first-order accumulated generating sequence is to weaken the randomness and correlation of the original data items and to model the overall trend from a global perspective, which makes it easier to form a trend model and to understand and predict situation changes.
Step 2.3: the first-order accumulation turns the irregular historical data sequence into a monotonically increasing sequence that follows an approximately exponential growth law, and the accumulation process resembles the grey differential equation of a first-order model. A first-order differential equation is therefore established for the accumulated sequence $X^{(1)}$, as shown in formula (22).
where $a$ and $b$ are the parameters to be determined for the system, both real-valued.
Formula (22) is integrated to give formula (23) and discretised.
where $t' = 1, 2, \ldots$.
From formula (21) the relation in formula (24) follows.
$x^{(1)}(t'+1) - x^{(1)}(t') = x^{(0)}(t'+1)$ (24)
The general form of the grey prediction model follows from formulas (23) and (24), as shown in formula (25).
Solving the integral term in formula (25) gives formula (26).
The solution of the integral term of formula (25) is denoted $z^{(1)}(t'+1)$, giving formula (27).
Substituting formula (27) into formula (25) yields formula (28).
$x^{(0)}(t'+1) = -a z^{(1)}(t'+1) + b$ (28)
Substituting the terms of the accumulated sequence $X^{(1)}$ and of the initial sequence $X^{(0)}$ into formula (28) and rearranging gives formula (29).
Step 2.4: determine the values of the parameters $a$ and $b$ in formula (29) by least squares and establish the prediction model of the network security situation. The specific steps are:
Step 2.4.1: set up three parameter vectors, denoted $Y_t$, $G$ and a third symbol, with values as shown in formula (30).
Step 2.4.2: substituting formula (30) into formula (29) gives formula (31).
Step 2.4.3: solve formula (31) by least squares to obtain the parameter estimates of the grey prediction model.
Step 2.5: use the grey prediction model to predict the security situation of the network system at the next moment, i.e. the predicted value of the network security situation. The specific steps are:
Step 2.5.1: denote by $\hat{x}^{(1)}(t)$ the grey model's predicted value of the first-order accumulated generating sequence at the $t$-th moment.
When $t = 1$, $\hat{x}^{(1)}(1)$ is given by formula (32).
When $t > 1$, the parameter estimates obtained in step 2.4.3 are substituted into formula (22) and the grey differential equation is solved to give formula (33).
Formulas (32) and (33) together give the predicted value $\hat{x}^{(1)}(t)$ of the accumulated sequence at moment $t$, as shown in equation set (34).
Taking the difference $\hat{x}^{(1)}(t) - \hat{x}^{(1)}(t-1)$ in equation set (34) according to formula (24) gives equation set (35).
where $\hat{x}^{(0)}(t)$ is the grey model's predicted value of the initial sequence $X^{(0)}$ at moment $t$.
Through step 2.5 the grey prediction model shown in equation set (35) is obtained.
Step 2.6: check the accuracy of the grey prediction model. The specific steps are:
Obtain the predicted sequence of the initial sequence $X^{(0)}$ from equation set (35), denoted $\hat{X}^{(0)}$.
To evaluate the accuracy of the grey prediction model, compare the predicted sequence $\hat{X}^{(0)}$ with the initial sequence $X^{(0)}$ by formula (36) to obtain the accuracy of the prediction model, denoted rel.
If rel is greater than 0.9, the prediction of the grey model is considered credible.
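Step two as an added worked example, not the patent's own code: a GM(1,1) model fitted by least squares on a constructed situation history, the next-moment prediction, and the credibility check. Formulas (27), (33) and (36) are not reproduced on the page, so the example assumes the usual trapezoidal background value $z^{(1)}(t'+1) = (x^{(1)}(t') + x^{(1)}(t'+1))/2$, the standard time-response solution of the whitening equation, and rel as 1 minus the mean relative error of the fitted values. It also handles the degenerate case of a flat history, where the least-squares estimate gives $a = 0$ and the exponential form is undefined.

```python
import math

def accumulate(x0):
    """Formula (21): first-order accumulated generating sequence X^(1)."""
    out, acc = [], 0.0
    for v in x0:
        acc += v
        out.append(acc)
    return out

def fit_gm11(x0):
    """Least-squares estimate of (a, b) in x0(t'+1) = -a z1(t'+1) + b (formula (28)).
    The background value z1(t'+1) = (x1(t') + x1(t'+1)) / 2 is assumed, since the
    page does not reproduce formula (27). The 2x2 normal equations are solved in
    closed form; the design matrix G has rows [-z1(t'+1), 1]."""
    x1 = accumulate(x0)
    z = [(x1[k] + x1[k + 1]) / 2 for k in range(len(x0) - 1)]
    y = x0[1:]
    n = len(z)
    s_zz, s_z, s_y = sum(v * v for v in z), sum(z), sum(y)
    s_zy = sum(-v * w for v, w in zip(z, y))
    det = s_zz * n - s_z * s_z                     # det(G^T G)
    a = (n * s_zy + s_z * s_y) / det
    b = (s_z * s_zy + s_zz * s_y) / det
    return a, b

def predict_gm11(a, b, x0, horizon=1):
    """Formulas (32) to (35): x1_hat(1) = x0(1); for t > 1 the time response of the
    whitening equation (standard GM(1,1) solution, assumed because formula (33) is
    not reproduced) is x1_hat(t) = (x0(1) - b/a) exp(-a (t-1)) + b/a, and
    x0_hat(t) = x1_hat(t) - x1_hat(t-1). A flat series yields a = 0, where the
    exponential form is undefined and the equation integrates to a straight line."""
    n = len(x0) + horizon
    if abs(a) < 1e-12:
        x1_hat = [x0[0] + b * k for k in range(n)]
    else:
        x1_hat = [(x0[0] - b / a) * math.exp(-a * k) + b / a for k in range(n)]
    return [x1_hat[0]] + [x1_hat[k] - x1_hat[k - 1] for k in range(1, n)]

def accuracy(x0, x0_hat):
    """Step 2.6: rel taken as 1 minus the mean relative error of the fitted values
    (formula (36) is not reproduced on the page; this form is assumed)."""
    errs = [abs(p - o) / abs(o) for o, p in zip(x0, x0_hat) if o != 0]
    return 1.0 - sum(errs) / len(errs)

def predict_next(S):
    """Fit on the history S, predict S_{t+1} and apply the rel > 0.9 credibility test."""
    a, b = fit_gm11(S)
    x0_hat = predict_gm11(a, b, S, horizon=1)
    rel = accuracy(S, x0_hat[:len(S)])
    return x0_hat[-1], rel, rel > 0.9

if __name__ == "__main__":
    # Constructed situation history S_1..S_6, not data from the patent.
    history = [0.42, 0.47, 0.51, 0.58, 0.63, 0.71]
    a, b = fit_gm11(history)
    nxt, rel, credible = predict_next(history)
    print(f"a = {a:.4f}, b = {b:.4f}")
    print(f"predicted S_7 = {nxt:.4f}, rel = {rel:.4f}, credible = {credible}")
```

A geometric history such as 1, 2, 4, 8, 16 is fitted exactly by the discrete equation (28) with a = -2/3 and b = 2/3, yet the continuous time response does not reproduce it exactly, which is the well-known bias of GM(1,1) and the reason the rel check of step 2.6 is needed before the model is trusted.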
Step three: determine the vulnerability node in the network system.
Use the grey prediction model obtained in step two to predict the situation of the network system and obtain the predicted situation values at the different time points. Analyse the vulnerable nodes in the network system in real time from the predicted situation values to finally obtain the vulnerability nodes. The specific steps are:
Step 3.1: obtain the set of hosts attacked at the $t$-th moment (the current moment) and the set of hosts that may be attacked at the $(t+1)$-th moment (the next moment) but have not been attacked yet. The specific steps are:
Step 3.1.1: denote by $O$ the set of all hosts in the network system, $O = (o_1, o_2, \ldots, o_h)$, where $o_h$ is the $h$-th host.
Step 3.1.2: obtain the reachability relation among all hosts from the topology of the network system and the network routing table, and build the inter-host reachability table. Each entry of the table holds a source host and a destination host.
Step 3.1.3: denote by $D$ the set of hosts attacked at moment $t$, $D = (d_1, d_2, \ldots, d_y)$, $1 \le y \le h$, where $d_y$ is the $y$-th attacked host.
Step 3.1.4: denote by $P$ the set of hosts that may be attacked at moment $t+1$ but have not been attacked yet, $P = (p_1, p_2, \ldots, p_z)$, $z = 1, 2, \ldots, z'$, $z' \le h - y$.
Step 3.1.5: obtain from the network system log the request access rate of each host relative to the whole network system, denoted $P(h)$. Then calculate by formula (37) the conditional probability that host $p_z$ is attacked at moment $t+1$ given that host $d_y$ is attacked, denoted $P(p_z \mid d_y)$.
where $P(d_y \mid p_z)$ is the conditional probability that host $d_y$ is attacked given that host $p_z$ is attacked; $P(p_z)$ is the prior probability that host $p_z$ is attacked; $P(d_y \mid \neg p_z)$ is the conditional probability that host $d_y$ is attacked given that host $p_z$ is not attacked; and $P(\neg p_z)$ is the prior probability that host $p_z$ is not attacked.
Step 3.2: obtain by formula (38) the increase in the network system situation at moment $t+1$ relative to moment $t$ attributable to host $p_z$, denoted $\Delta$.
$\Delta = S_{t+1} - S_t$ (38)
where $S_{t+1}$ is the network security situation at moment $t+1$ and $S_t$ the network security situation at moment $t$.
Step 3.3: perform relational analysis between the predicted increment and the host situation of each host $p_z$ to obtain, from the set $P$, the node most likely to be attacked at the next moment. The specific steps are:
Step 3.3.1: obtain the security situation matrix of the hosts that may be attacked at moment $t+1$, denoted SP, as shown in formula (39).
where $s_t(1), s_t(2), \ldots, s_t(z)$ are the situation values of the 1st, 2nd, ..., $z$-th host.
Step 3.3.2: calculate the relational degree between formula (38) and formula (39).
Take $\Delta$ obtained by formula (38) as the reference sequence and each term $s_t(z)$ of SP obtained by formula (39) as a comparison sequence. Obtain the relational degree of the comparison sequence with respect to the reference sequence $\Delta$ by formula (40).
where $r(z)$ is the relational degree of host $p_z$ to $\Delta$.
Denote by $R = [r_1, r_2, \ldots, r_z]^T$ the relational degrees to $\Delta$ of the hosts $p_z$ not marked as attacked. $R$ indicates how likely each host not marked as attacked at moment $t+1$ is to cause the network situation change $\Delta$: $r_z$ measures the strength of that possibility, and a larger $r_z$ means a greater probability that the host causes $\Delta$. The host with the largest $r_z$ is taken as the most vulnerable node at moment $t+1$. In this way the overall, continuous, time-based network situation is resolved into a space-based prediction of the vulnerable host node.
Step 3.4: calculate the conditional probability of formula (37) for the hosts in the set $P$ and rank them; the conditional probability ranking is denoted $U$, as shown in formula (41).
$U = (u_1, u_2, \ldots, u_z)$ (41)
Compare the ranking of formula (41) with the vulnerability node prediction $R = [r_1, r_2, \ldots, r_z]^T$ of the set $P$, and denote by $l$ the number of rank positions that agree with the conditional probability order.
The accuracy of the method, denoted $ul$, is verified by formula (42).
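Step three as an added worked example on a constructed six-host network (not the patent's code or its Table 1): the candidate set $P$ from the reachability table, the conditional attack probability of step 3.1.5, the increment $\Delta$ of formula (38), the grey relational ranking $R$ of step 3.3, and the consistency count $l$ of formulas (41) and (42). Formulas (37), (40) and (42) are not reproduced on the page; the example assumes that formula (37) combines the four named terms by Bayes' rule, that each candidate is scored by the largest $P(p_z \mid d_y)$ over the attacked hosts that can reach it, that $\Delta$ is the series of situation increments over the observation window with the last increment using the grey model's prediction, that the relational degree is Deng's with $\rho = 0.5$ after min-max scaling, and that $ul = l / z$. All hosts, reachability entries, request counts, likelihoods and situation series are constructed.

```python
RHO = 0.5   # resolution coefficient of the grey relational coefficient (assumption)

# Constructed reachability table of step 3.1.2: source host -> reachable destinations.
REACHABLE = {"proxy": {"web1", "web2"}, "web1": {"db1", "db2"},
             "web2": {"db2"}, "db1": {"db2"}, "db2": {"db1"}}
ATTACKED = {"proxy", "web1"}                       # set D at moment t (constructed)
# Constructed request counts from the system log; the request access rate P(h)
# is used as the prior P(p_z) of the host being attacked (assumption).
REQUESTS = {"proxy": 900, "web1": 400, "web2": 300, "db1": 250, "db2": 150}
# Constructed likelihoods keyed by (d_y, p_z): (P(d_y | p_z), P(d_y | not p_z)).
LIKELIHOOD = {("proxy", "web2"): (0.6, 0.2), ("web1", "db1"): (0.7, 0.1),
              ("web1", "db2"): (0.4, 0.3)}
# Constructed global situation history S_1..S_5 plus the grey model's predicted S_6,
# and the situation series s_t(z) of the candidate hosts over the same five moments.
S_WITH_PREDICTION = [0.42, 0.47, 0.51, 0.58, 0.63, 0.71]
SITUATIONS = {"web2": [0.30, 0.33, 0.31, 0.36, 0.34],
              "db1":  [0.35, 0.34, 0.37, 0.35, 0.38],
              "db2":  [0.20, 0.20, 0.21, 0.20, 0.22]}

def candidate_hosts(reachable, attacked):
    """Step 3.1.4: hosts reachable from an attacked host and not attacked themselves."""
    reach = set().union(*(reachable.get(d, set()) for d in attacked))
    return sorted(reach - attacked)

def conditional_attack_probability(p, d, requests, likelihood):
    """Step 3.1.5: P(p | d) from the four terms the text names, combined by Bayes'
    rule (formula (37) is not reproduced; Bayes' rule is assumed). A pair without a
    constructed likelihood gets (0.5, 0.5), i.e. the posterior equals the prior."""
    prior = requests[p] / sum(requests.values())             # P(p_z)
    l_hit, l_miss = likelihood.get((d, p), (0.5, 0.5))       # P(d_y|p_z), P(d_y|~p_z)
    return l_hit * prior / (l_hit * prior + l_miss * (1 - prior))

def conditional_ranking(candidates, attacked, reachable, requests, likelihood):
    """Ranking U of formula (41): each candidate scored by the largest P(p_z | d_y)
    over the attacked hosts that can reach it (taking the maximum is an assumption)."""
    score = {}
    for p in candidates:
        attackers = [d for d in attacked if p in reachable.get(d, set())]
        score[p] = max(conditional_attack_probability(p, d, requests, likelihood)
                       for d in attackers)
    return sorted(candidates, key=lambda p: -score[p]), score

def scale(seq):
    """Min-max scaling into [0, 1] before comparison (dimensionless processing, assumed)."""
    lo, hi = min(seq), max(seq)
    return [(v - lo) / (hi - lo) if hi > lo else 0.0 for v in seq]

def relational_ranking(s_with_prediction, situations, rho=RHO):
    """Step 3.3: the increments Delta = S_{t+1} - S_t (formula (38)) form the reference
    sequence; each candidate's situation series from matrix SP is a comparison sequence;
    r(z) is Deng's grey relational degree. Returns the ranking R and the degrees."""
    delta = scale([b - a for a, b in zip(s_with_prediction, s_with_prediction[1:])])
    diffs = {z: [abs(a - b) for a, b in zip(delta, scale(s))] for z, s in situations.items()}
    flat = [d for row in diffs.values() for d in row]
    dmin, dmax = min(flat), max(flat)
    r = {z: sum((dmin + rho * dmax) / (d + rho * dmax) for d in row) / len(row)
         for z, row in diffs.items()}
    return sorted(r, key=lambda z: -r[z]), r

def consistent_ranks(u_order, r_order):
    """Formula (42) as read here: l = number of positions where U and R agree,
    ul = l / z (the page gives only the symbols, so the ratio is an assumption)."""
    l = sum(1 for a, b in zip(u_order, r_order) if a == b)
    return l, l / len(u_order)

def predict_vulnerable_node():
    """Whole of step three on the constructed data; returns
    (predicted node, U order, R order, l, ul)."""
    cands = candidate_hosts(REACHABLE, ATTACKED)
    u_order, _ = conditional_ranking(cands, ATTACKED, REACHABLE, REQUESTS, LIKELIHOOD)
    r_order, _ = relational_ranking(S_WITH_PREDICTION, {z: SITUATIONS[z] for z in cands})
    l, ul = consistent_ranks(u_order, r_order)
    return r_order[0], u_order, r_order, l, ul

if __name__ == "__main__":
    node, u_order, r_order, l, ul = predict_vulnerable_node()
    print("predicted vulnerable node at t+1:", node)
    print("U (conditional probability order):", u_order)
    print("R (grey relational order):        ", r_order)
    print(f"consistent ranks l = {l}, ul = {ul:.3f}")
```

On this data the two rankings agree on the top host (db1, whose situation series moves in step with the network increments and which also has the highest posterior via web1) but swap the remaining two, so $l = 1$ of $z = 3$ positions agree. The min-max scaling before the relational degree matters: Deng's degree is built on absolute differences, so without it a host with a large but flat situation value would be rated far from $\Delta$ regardless of how its trend matches.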
Advantageous effects
Compared with the prior art, the active prediction method of the network vulnerability node based on the gray model has the advantage that the network vulnerability node can be more accurately predicted.
Drawings
FIG. 1 is a diagram of a network system architecture in accordance with an embodiment of the present invention;
FIG. 2 is a diagram of eigenvalues and eigenvectors of matrix B in an embodiment of the present invention;
FIG. 3 is a diagram illustrating the results of a network security situation gray model determined using least squares in an embodiment of the present invention;
FIG. 4 is a block diagram of an overall system of network security situation impact characteristic indicators in accordance with an embodiment of the present invention;
fig. 5 is a diagram of eigenvalues and eigenvectors for matrix B in an embodiment of the present invention.
Detailed Description
The following embodiments are described in detail with reference to the above technical solutions.
In this embodiment the network system has 6 hosts, with the structure shown in FIG. 1. FIG. 1 shows the topology of a simulated network environment made up of two parts: the network body and the backup nodes. The part connected by solid lines is the device reachability network from the external network to the internal network of the system. A proxy server serves as the system boundary that isolates the internal and external networks and is the first barrier controlling external access. Two web servers and two database servers then provide simple web requests and their data support. The part in the dotted frame holds the hot backup node of each device, and a dotted connection indicates that a node is the hot backup of the corresponding device, used for security policy transfer. Each host node in the figure is described in Table 1.
Table 1 network system node description table
The method provided by the invention is used for predicting the vulnerability node in the network, and the specific implementation steps are as follows:
Step one: acquire the network security situation feature items and calculate the network state. The specific steps are:
Step 1.1: determine the security situation feature items of the network system, as in step 1.1 above: the operation situation dimension (CPU utilisation, memory utilisation, disk read rate), the vulnerability situation dimension (vulnerability type, vulnerability score, event type, identity authentication degree) and the abnormal situation dimension (number of attack sources, attack time, attack frequency, device online state), 11 items in total.
Step 1.2: periodically acquire the observation data of the security situation feature items of each single host at different moments, calculate the mean of each feature item over all hosts at each moment, and determine by grey relational analysis the influence weight of each network security feature item on the expression of the global network state. The specific steps are:
Step 1.2.1: calculate the mean of the observation data of each security situation feature item over all hosts in the network system at each moment to obtain the observation matrix $A$, as shown in formula (43).
Step 1.2.2: apply dimensionless processing to the observation matrix $A$ by formula (2) to obtain the dimensionless observation matrix $A_1$, as shown in formula (3).
where $i = 1, 2, \ldots, 11$ and $T = 6$.
Step 1.2.3: setting a dimensionless processed observation matrix A1First ofThe column vector is an observation vector and the other column vectors are comparison vectors. And (4) calculating the correlation coefficient of each subentry in each comparison vector through formula (4), and forming a correlation coefficient matrix M, as shown in formula (5).
Wherein j is 2,3.
Step 1.2.4: and (4) obtaining the association degree between any two network security situation characteristic items through a formula (6).
Wherein k is 1, 2.., 11; gamma ray(f(i),f(k))Representing the relevance of the network security situation characteristic items f (i) and f (k); gamma ray(f(i),f(1))The value of (c) is calculated by formula (7); gamma ray(f(k),f(1))The value of (c) is calculated by the formula (8).
Wherein T is the total number of the taken time points.
Step 1.2.5: and (4) obtaining a correlation matrix M 'among the characteristic items of the network security situation according to the result of the step 1.2.4, wherein the correlation matrix M' is shown as a formula (9).
Because the relevance matrix M ' is a non-negative symmetric matrix, according to the property of the non-negative symmetric matrix, the relevance matrix M ' has the maximum module characteristic value and is represented by a symbol lambda, so that lambda C is equal to M ' C; wherein λ is a non-negative value, and C is a feature vector. Obtaining the eigenvalue and the eigenvector of the correlation matrix M' by using an extraction tool of the eigenvalue and the eigenvector of the nonnegative symmetric matrix of matlab, representing the eigenvector corresponding to the maximum modulus eigenvalue lambda by using a symbol W, wherein W belongs to C, and W is [ omega ]12,...,ω11]T,ωiAnd the influence weight of the ith network security feature item on the global state of the network is represented, wherein i is 1, 2.
Through the operation of the step, the influence weight of each network security feature item on the network global state is obtained.
Step 1.3: and (3) acquiring observation data of all network security feature items of all the hosts in the network system at different time points, acquiring the single host situation shown by each host at each time point according to the influence weight of each network security feature item on the network global state obtained in the step 1.2, and acquiring the importance ratio between the hosts in the network system by using a grey correlation analysis method.
Step 1.3.1: the host situation calculation matrix B is formed by host situation values of each host in the network system at different time points, as shown in formula (44).
The eigenvalues and eigenvectors for matrix B are shown in fig. 2, respectively.
Step 1.3.2: Apply dimensionless processing to the single-host situation matrix B as shown in formula (12) to obtain the dimensionless single-host situation calculation matrix $B_1$, as shown in formula (13).
Step 1.3.3: Take the first column vector of the dimensionless single-host situation calculation matrix $B_1$ as the observation vector and the other column vectors as comparison vectors. Calculate the correlation coefficient of each entry of each comparison vector by equation (14) and assemble the correlation coefficient matrix H, as shown in equation (15).
where $m = 1, 2, 3, \ldots$
Step 1.3.4: Obtain the correlation between any two hosts through formula (16).
where $q = 1, 2, 3, \ldots$; $\gamma_{(h(m),h(q))}$ denotes the relevance of the network hosts $h(m)$ and $h(q)$; the value of $\gamma_{(h(m),h(1))}$ is calculated by formula (7) and the value of $\gamma_{(h(q),h(1))}$ by formula (8).
Step 1.3.5: From the result of step 1.3.4, obtain the correlation matrix H' between the network hosts, as shown in formula (19).
Because the inter-host correlation matrix H' is a non-negative symmetric matrix, it has, by the properties of such matrices, a largest-modulus eigenvalue, denoted λ', such that $\lambda' C' = H' C'$, where λ' is non-negative and C' is an eigenvector. The eigenvalues and eigenvectors of H' are extracted and calculated with matlab; the eigenvector corresponding to the largest-modulus eigenvalue λ' is denoted E, with $E \in C'$ and $E = [e_1, e_2, \ldots, e_h]^T$, where $e_h$ represents the importance of the h-th host in the network, $h = 1, 2, 3, \ldots$
Through the operation of the step, the importance weight of each network host in the network global is obtained.
Step 1.4: From the influence weight of each network security feature item on the network global state obtained in step 1.2 and the importance weight of each host obtained in step 1.3, obtain the overall situation history data of the network system at different moments through formula (20); it is denoted S, with $S = (S_1, S_2, \ldots, S_t)$.
$S_t = \sum_h e_h \times s_t(h)$ (20)
Step two: establish a grey prediction model of the network system based on its overall situation history data and predict the situation of the network system at the next moment. The specific steps are as follows:
Step 2.1: The initial sequence of the grey model is denoted $X^{(0)}$, $X^{(0)} = (x^{(0)}(1), x^{(0)}(2), \ldots, x^{(0)}(t))$, where $x^{(0)}(1), x^{(0)}(2), \ldots, x^{(0)}(t)$ represent the overall situation values of the network at the 1st, 2nd, ..., t-th moment. The overall situation history data S obtained in step one is taken as the initial sequence $X^{(0)}$: $x^{(0)}(1) = S_1$, $x^{(0)}(2) = S_2$, ..., $x^{(0)}(t) = S_t$.
Step 2.2: Calculate by equation (21) the first-order accumulated generating sequence of the initial sequence $X^{(0)}$, denoted $X^{(1)} = \{x^{(1)}(1), x^{(1)}(2), \ldots, x^{(1)}(t)\}$, where $x^{(1)}(1), x^{(1)}(2), \ldots, x^{(1)}(t)$ represent the sums of the overall network situation from the 1st moment to the 1st moment, from the 1st moment to the 2nd moment, ..., from the 1st moment to the t-th moment.
$x^{(1)}(t) = \sum_{\tau=1}^{t} x^{(0)}(\tau)$ (21)
The purpose of calculating the first-order accumulation generation sequence is to weaken the randomness and relevance of the original data items, model the overall trend from the global perspective, and facilitate the formation of a trend model, understanding and predicting situation changes.
Step 2.3: The first-order accumulated generating sequence $X^{(1)}$ turns an irregular historical data sequence, by accumulation, into an increasing sequence with an exponential growth law. The process of calculating the first-order accumulated generating sequence is similar in form to the grey differential equation of a first-order model, so a first-order differential equation is established for $X^{(1)}$, as shown in equation (22).
where a and b are parameters to be determined for the system, both taking real values.
Formula (22) is integrated and discretized according to formula (23).
where $t' = 1, 2, \ldots$
From the formula (21), the relationship shown in the formula (24) can be obtained.
$x^{(1)}(t'+1) - x^{(1)}(t') = x^{(0)}(t'+1)$ (24)
The general formula of the gray prediction model is obtained from formula (23) to formula (24), as shown in formula (25).
The integral term in equation (25) is solved to obtain equation (26).
The solution of the integral term of equation (25) is denoted by the symbol $z^{(1)}(t'+1)$, giving equation (27).
Substituting equation (27) into equation (25) yields equation (28).
$x^{(0)}(t'+1) = -a\,z^{(1)}(t'+1) + b$ (28)
Substituting the terms of the first-order accumulated generating sequence $X^{(1)}$ and of the initial sequence $X^{(0)}$ into formula (28) and rearranging gives expression (29).
In this embodiment, an expression shown in formula (45) is obtained.
Step 2.4: and (3) confirming the values of the parameters a and b in the formula (29) by using a least square method, and establishing a prediction model of the network security situation. The method specifically comprises the following steps:
step 2.4.1: setting 3 alternative parameter vectors, respectively using symbolsYtAnd G represents a group represented by,Ytand G takes the value as shown in equation (30).
Step 2.4.2: substituting equation (30) into equation (29) yields equation (31).
Step 2.4.3: Solve formula (31) by the least squares method to obtain the parameter estimates of the grey prediction model. The result of determining the grey model of the network security situation by least squares is shown in fig. 3.
Step 2.5: Predict the security situation of the network system at the next moment with the grey prediction model, i.e. obtain the predicted value of the network system security situation. The specific steps are as follows:
Step 2.5.1: A symbol is introduced for the predicted value of the first-order accumulated generating sequence at the t-th moment given by the grey prediction model.
When $t = 1$, the result is shown in equation (32).
When $t > 1$, the parameter estimates obtained in step 2.4.3 are substituted into equation (22) and the grey differential equation is solved to obtain equation (33).
Equations (32) and (33) together give the predicted value of the first-order accumulated generating sequence at time t, as shown in equation set (34).
Taking the difference of successive terms of equation set (34) according to formula (24) yields equation set (35).
where the predicted value denotes the prediction of the initial sequence $X^{(0)}$ at time t by the grey prediction model.
Through the operation of step 2.5, a gray prediction model as shown in equation (35) is obtained.
Step 2.6: the accuracy of the gray prediction model is checked. The method specifically comprises the following steps:
The prediction sequence of the initial sequence $X^{(0)}$ is obtained from equation set (35).
To evaluate the accuracy of the grey prediction model, the prediction sequence is compared with the initial sequence $X^{(0)}$ using equation (36), giving the accuracy of the prediction model, denoted rel.
If rel is greater than 0.9, the prediction result of the gray prediction model is considered to be credible.
Step three: determine the vulnerability nodes in the network system.
Predict the situation of the network system with the grey prediction model obtained in step two to obtain predicted situation values of the network system at different time points. Analyse the vulnerability nodes in the network system in real time according to these predicted values to finally obtain the vulnerability nodes of the network system. The specific steps are as follows:
Step 3.1: Obtain the set of hosts attacked at the t-th moment (the current moment) and the set of hosts that may be attacked at the (t+1)-th moment (the next moment) but have not yet been attacked. The specific steps are as follows:
Step 3.1.1: The symbol O denotes the set of all hosts in the network system, $O = (o_1, o_2, \ldots, o_h)$; $o_h$ is the h-th host in the network system.
Step 3.1.2: Obtain the reachability relation among all hosts of the network system from its topology and routing table, and establish an inter-host reachability table. Each entry of the table has a source host and a destination host.
Step 3.1.3: The symbol D denotes the set of hosts attacked in the network system at time t, $D = (d_1, d_2, \ldots, d_y)$, $1 \le y \le h$; $d_y$ is the y-th attacked host of the network system.
Step 3.1.4: The symbol P denotes the set of hosts that may be attacked but have not yet been attacked in the network system at time t+1, $P = (p_1, p_2, \ldots, p_z)$, $z = 1, 2, \ldots, z'$, $z' \le h - y$.
Step 3.1.5: Obtain from the network system logs the request access rate of each host relative to the whole network system, denoted $P(h)$. Then calculate by formula (37) the conditional probability that host $p_z$ is attacked at the (t+1)-th moment given that host $d_y$ has been attacked, denoted $P(p_z \mid d_y)$.
where $P(d_y \mid p_z)$ denotes the conditional probability that host $d_y$ is attacked given that host $p_z$ is attacked; $P(p_z)$ denotes the prior probability that host $p_z$ is attacked; $P(d_y \mid \neg p_z)$ denotes the conditional probability that host $d_y$ is attacked given that host $p_z$ is not attacked; $P(\neg p_z)$ denotes the prior probability that host $p_z$ is not attacked.
Step 3.2: The increment of the network system situation at time t+1 relative to time t caused by host $p_z$ is obtained from formula (38) and denoted Δ.
$\Delta = S_{t+1} - S_t$ (38)
where $S_{t+1}$ denotes the network security situation at the (t+1)-th moment and $S_t$ the network security situation at the t-th moment.
Step 3.3: Perform correlation analysis between the predicted increment and the host situation of each host $p_z$ to obtain, from the set P, the node most likely to be attacked at the next moment. The specific steps are as follows:
Step 3.3.1: Obtain the security situation matrix of the hosts that may be attacked at the (t+1)-th moment, denoted SP, as shown in formula (39).
where $s_t(1), s_t(2), \ldots, s_t(z)$ denote the situation values of host 1, host 2, ..., host z respectively.
Step 3.3.2: Calculate the relevance between formula (38) and formula (39).
Δ from formula (38) is taken as the reference sequence and each term $s_t(z)$ of SP from formula (39) as a comparison sequence. The correlation degree of the comparison sequences SP with respect to the reference sequence Δ is obtained by formula (40).
where $r(z)$ denotes the correlation degree of host $p_z$ with Δ.
The symbol $R = [r_1, r_2, \ldots, r_z]^T$ denotes the correlation of the hosts $p_z$ not marked as attacked with Δ. The obtained $R = [r_1, r_2, \ldots, r_z]^T$ indicates the probability that a host not marked as attacked at time t+1 causes the network situation change Δ: the magnitude of $r_z$ indicates how strongly that host is likely to cause the situation change Δ, and a larger $r_z$ means a greater probability that the host causes Δ. The host corresponding to the largest $r_z$ is taken as the most vulnerable node at the (t+1)-th moment, so that the space-based prediction of the vulnerable host node is separated out from the overall, continuous, time-based network situation.
Step 3.3: Calculate the conditional probability for the hosts in the set P according to equation (37); the ranking of the conditional probabilities is denoted U, as shown in equation (41).
$U = (u_1, u_2, \ldots, u_z)$ (41)
The ranking result of equation (41) is compared with the vulnerability node prediction result $R = [r_1, r_2, \ldots, r_z]^T$ of the set P; the symbol l denotes the number of rank positions consistent with the conditional probability order.
The accuracy of the mapping method is verified according to equation (42) and denoted ul.
Through the operations of the above steps, the present embodiment is completed.
Step one: generate the network model and obtain its filtering and service list. The specific steps are as follows:
step 1.1: security posture features of the known network system are defined. The simulated network structure of the network system is shown in fig. 1.
Fig. 1 depicts the topology of the simulated network system environment, which consists of two main parts: the network body and the backup nodes. The part connected by solid lines is the device reachability network formed from the external network to the internal network of the system. The environment places a proxy server at the system boundary to isolate the internal network from the external network; the proxy server is the first barrier controlling external access. Behind it, two web servers and database servers provide simple web requests and the data supporting them. The part inside the dotted frame holds the hot backup nodes of the corresponding devices, and the dotted connections indicate that these nodes serve as hot backups of the corresponding devices for security policy transfer. Each host node in the figure is described in table 1.
Table 1 network system node description table
Define the three-dimensional vector $S = \langle W, V, R \rangle$, where W is the operation dimension index of the running network, describing the state of system operation within a certain time; V is the vulnerability dimension index of the network, describing the vulnerability state of the system as scanned by a scanning tool; and R is the abnormal dimension index of the network, describing abnormal behaviours such as network attacks and misoperations occurring in the network within a certain time. A general architecture diagram of the characteristic indices influencing the network security situation is shown in fig. 4.
Step 1.2: the observation matrix A for obtaining the characteristic mean value of the network system is shown as an expression (3.1).
The correlation degrees of the features with respect to feature 1, obtained by processing matrix A, are shown in expression (3.2):
$\omega_f = [1\ 0.451\ 0.516\ 0.445\ 0.759\ 0.446\ 0.446\ 0.748\ 0.746\ 0.631\ 0.685]^T$ (3.2)
Starting from (3.2), the reference is first converted from system security feature 1 to the system global, and then the eigenvalues and eigenvectors of the indices are extracted as shown in fig. 2.
Therefore the relevance of the system security features in the global scope is:
$\omega_f = [0.245\ 0.288\ 0.311\ 0.304\ 0.307\ 0.304\ 0.304\ 0.309\ 0.309\ 0.315\ 0.314]^T$
step 1.3: similarly, a single host situation matrix B formed by the single host situation of the system host at a single time at different observation times is obtained as shown in an expression (3.3):
the eigenvalues and eigenvectors for matrix B are shown in figure 5, respectively.
Fig. 5 shows the result of the eigenvalues and eigenvectors extracted from the matrix B. Selecting the eigenvector corresponding to the maximum eigenvalue to obtain the vector omegakAs shown in expression (3.4).
ωk=[0.346 0.424 0.390 0.425 0.428 0.430]T(3.4)
Step 1.4: and according to the weight between the network security features determined in the step 1.2 and the weight between the host nodes of the network system determined in the step 1.3, finishing data fusion of the observation values of the sub-situation features scattered in each dimension at a plurality of moments.
From the historical observation data of the network system and the results calculated above, the historical network data at the observation times is $S_j = (0.1541, 0.1902, 0.2119, 0.2227, 0.204, 0.2334)$.
And step two, establishing a grey prediction model of the system based on the historical situation value of the network system, and finishing obtaining the situation trend of the system at the next unknown moment.
Step 2.1: initial sequence X for defining a gray model(0)Inputting the historical calculation results of the step one according to a time sequence to obtain X(0)(0.1541,0.1902,0.2119,0.2227,0.204,0.2334), where n is the number of observations in history.
Step 2.2: for the initial sequence X(0)Accumulating item by item (0.1541,0.1902,0.2119,0.2227,0.204 and 0.2334) to form a generating sequence X(1)=(0.1541,0.3443,0.5562,0.7789,0.9829,1.2163)。
Step 2.3: for generating sequence X(1)A first-order gray differential equation is established,
x(0)(k+1)=-az(1)(k+1)+b,k=1,2,...,n-1
and corresponding the value X of the initial sequence(0)(0.1541,0.1902,0.2119,0.2227,0.204,0.2334) and z of the generation sequence processing(1)The gray differential equation is substituted with (0.24920,0.45025,0.66755,0.88090, -1.0996), and a gray differential equation system is obtained and expressed as a matrix equation as shown in expression (3.15).
Step 2.4: and confirming parameters in the model by using a least square method, and establishing a prediction model of the network security situation. The result of determining the gray model of the network security situation by using the least square method is shown in fig. 3.
Solving the model gives the result, from which the predicted accumulated situation value at the 7th moment is obtained.
Restoring to the original data gives the predicted value,
and the predicted sequence is found.
Step 2.5: Grey prediction accuracy check. After the fitting parameters are confirmed by least squares, the results covering the historical period can be calculated with the grey prediction model of the network security situation, giving the prediction sequence produced by the model:
To evaluate the fitting accuracy of the prediction model, the predicted sequence must be compared with the original sequence. The original sequence and the predicted sequence are compared with the Euclidean formula, i.e. using the squared differences of corresponding terms:
the accuracy of the model was found to be 94.6%.
Step three, space mapping of the network space vulnerability nodes: mapping rules predicted by the time-based prediction model to the spatial network device nodes are implemented.
Step 3.1: and acquiring the reachability extension condition of the network equipment. Definition Pm=(p1,p2,...,pb) In a simulation environment, it is assumed that the currently simulated attack request has marked all services before the DB server, corresponding to the network topology, pmCorresponding host, host p1(10.1.112.124) and host p1(10.1.112.125) and corresponding backup node [ p ]3(10.1.112.126) and p4(10.1.112.127)]None of the nodes are accessed and may serve as the content to be accessed next. At this time, the hosts P4Is shown in table 2.
Table 2 observation table for security feature of node system accessing host
Step 3.2: and comparing the situation, and performing calculation analysis on situation changes and predicted situation values generated by all reachable equipment nodes in the next period one by using correlation analysis to obtain the correlation analysis result of the predicted nodes and the current network situation, which is shown in table 3.
TABLE 3 correlation analysis table of prediction node and current network situation
Through situation calculation the correlation degrees are obtained respectively: $R_i = (r_1, r_2, r_3, r_4) = (0.6854, 0.6617, 0.5226, 0.5773)$.
The result reflects the association between the network security situation represented by each host node and the change of the overall network security situation at the next moment. As seen from the results, the correlation degrees of the hosts corresponding to $p_1$, $p_2$, $p_3$, $p_4$ with the network security situation change in the predicted network environment are $R_i = (0.6854, 0.6617, 0.5226, 0.5773)$ respectively. According to the association rule, host $p_1$ (10.1.112.124) has the highest influence on the network security situation, so this node is predicted as the network device to be accessed next.
The verification of the result can be judged by the prior probability value deduced by the Bayesian network as shown in Table 4.
TABLE 4 attack request Bayesian network inference probability
The conditional probabilities in the table are calculated through the Bayesian network from the prior probabilities of the unexpanded nodes. The results are consistent with the prediction: the Bayesian conditional probability order ($p_1 > p_2 > p_4 > p_3$) agrees with the predicted vulnerability node probability ranking ($r_1 > r_2 > r_4 > r_3$), so the effectiveness r of the method is 100%.
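The grey correlation machinery shared by steps 1.2 and 1.3 (feature and host weights from the largest-modulus eigenvector of a correlation matrix) and by step 3.3 and the embodiment's step three (ranking the candidate hosts by their correlation with Δ), as an added example that is not the patent's own code. Formulas (2), (4) to (8) and (40) are not reproduced on the page, so the Deng grey relational coefficient with ρ = 0.5, mean normalisation for the dimensionless step, power iteration for the eigenvector and the position-match reading of equation (42) are all assumptions; the observation matrix and the per-host increments are constructed, while S is the page's own history.

```python
"""Grey relational analysis for steps 1.2, 1.3 and 3.3 (added example, not the patent's code).

Formulas (2), (4)-(8) and (40) are not reproduced on the page, so this uses the standard
Deng grey relational coefficient with rho = 0.5, mean-normalisation for the dimensionless
step, and power iteration for the Perron (largest-modulus) eigenvector; all are assumptions.
"""
from typing import List

RHO = 0.5  # distinguishing coefficient (assumption: Deng's usual value)

# Constructed 6 x 11 observation matrix A: rows = observation times, columns = the 11
# feature items in the order of step 1.1 (values invented for the example).
OBSERVATIONS_A: List[List[float]] = [
    [35.0, 52.0, 12.5, 2, 5.3, 1, 0.8, 3, 120, 4, 1],
    [41.0, 55.0, 14.0, 2, 5.3, 2, 0.8, 5, 150, 6, 1],
    [48.0, 60.0, 15.5, 3, 6.1, 2, 0.7, 7, 200, 9, 1],
    [52.0, 63.0, 16.0, 3, 6.1, 3, 0.7, 8, 210, 11, 1],
    [46.0, 61.0, 15.0, 3, 6.1, 2, 0.7, 6, 180, 8, 1],
    [55.0, 66.0, 17.5, 4, 7.2, 3, 0.6, 9, 240, 13, 1],
]
# Overall posture history S quoted from step 1.4 of the embodiment, and its increments (eq. 38).
S_HISTORY = [0.1541, 0.1902, 0.2119, 0.2227, 0.204, 0.2334]
DELTA = [round(b - a, 4) for a, b in zip(S_HISTORY, S_HISTORY[1:])]
# Constructed per-host posture increments over the same five intervals (values invented).
HOST_CHANGES = [
    [0.0355, 0.0225, 0.0101, -0.0180, 0.0300],
    [0.0300, 0.0150, 0.0180, -0.0100, 0.0220],
    [0.0050, 0.0040, 0.0045, 0.0030, 0.0060],
    [0.0200, 0.0300, -0.0050, 0.0100, 0.0100],
]


def mean_normalise(columns):
    """Dimensionless processing: divide every column by its mean (assumed form of eq. 2)."""
    out = []
    for col in columns:
        mean = sum(col) / len(col)
        out.append([v / mean if mean else 0.0 for v in col])
    return out


def _deviations(reference, comparison):
    return [abs(r - c) for r, c in zip(reference, comparison)]


def _degrees(reference, comparisons, dmin, dmax, rho=RHO):
    """Mean Deng coefficient of each comparison sequence against the reference sequence."""
    if dmax == 0.0:  # every sequence coincides with the reference: perfect relation
        return [1.0 for _ in comparisons]
    result = []
    for comp in comparisons:
        coeffs = [(dmin + rho * dmax) / (d + rho * dmax) for d in _deviations(reference, comp)]
        result.append(sum(coeffs) / len(coeffs))
    return result


def relational_degrees(reference, comparisons, rho=RHO):
    """Relational degree of every comparison sequence w.r.t. one reference (step 3.3, eq. 40)."""
    devs = [d for comp in comparisons for d in _deviations(reference, comp)]
    return _degrees(reference, comparisons, min(devs), max(devs), rho)


def relational_matrix(columns, rho=RHO):
    """Pairwise degrees (M' in step 1.2.5, H' in 1.3.5); global dmin/dmax keep it symmetric."""
    n = len(columns)
    devs = [d for i in range(n) for k in range(n) if i != k
            for d in _deviations(columns[i], columns[k])]
    dmin, dmax = min(devs), max(devs)
    matrix = []
    for i in range(n):
        row = _degrees(columns[i], columns, dmin, dmax, rho)
        row[i] = 1.0  # a sequence is perfectly related to itself
        matrix.append(row)
    return matrix


def perron_vector(matrix, iterations=5000, tol=1e-13):
    """Largest-modulus eigenvalue lambda and eigenvector (scaled to sum 1) by power iteration."""
    n = len(matrix)
    w = [1.0 / n] * n
    lam = 0.0
    for _ in range(iterations):
        mw = [sum(matrix[i][k] * w[k] for k in range(n)) for i in range(n)]
        new_lam = sum(mw)  # sum(w) == 1, so this converges to lambda
        new_w = [v / new_lam for v in mw]
        converged = max(abs(a - b) for a, b in zip(new_w, w)) < tol
        w, lam = new_w, new_lam
        if converged:
            break
    return lam, w


def feature_weights(observations, rho=RHO):
    """Steps 1.2.2-1.2.5: lambda and weights omega_i of the feature items from matrix A."""
    columns = [list(col) for col in zip(*observations)]  # one sequence per feature item
    return perron_vector(relational_matrix(mean_normalise(columns), rho))


def rank_hosts(delta, host_changes, rho=RHO):
    """Step 3.3: hosts ordered by relational degree r(z) to the increment series Delta."""
    degrees = relational_degrees(delta, host_changes, rho)
    order = sorted(range(len(degrees)), key=lambda z: degrees[z], reverse=True)
    return order, degrees


def ranking_agreement(order_a, order_b):
    """Share of rank positions on which two orderings agree (assumed reading of eq. 42)."""
    return sum(1 for a, b in zip(order_a, order_b) if a == b) / len(order_a)
```

`feature_weights(OBSERVATIONS_A)` returns λ and the 11 weights $\omega_i$, and `rank_hosts(DELTA, HOST_CHANGES)` returns the host order together with the degrees $r_z$; feeding the host situation matrix B into `relational_matrix` and `perron_vector` gives the host weights of step 1.3 in the same way.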

Claims (1)

1. The active prediction method of the network vulnerability node based on the gray model is characterized in that: the specific operation steps are as follows:
firstly, acquiring a network security situation characteristic item and calculating a network state; the method specifically comprises the following steps:
step 1.1: determining a security situation characteristic item of a network system; the network security situation is described by dividing the network security situation into three dimensions from top to bottom, wherein the three dimensions are as follows: operating situation dimension, vulnerability situation dimension and abnormal situation dimension; wherein, the safety situation characteristic item describing the operation situation dimension comprises: CPU utilization rate, memory utilization rate and disk reading rate; the security posture feature items used to describe the vulnerability posture dimension include: vulnerability type, vulnerability score, event type and identity authentication degree; the safety situation characteristic items used for describing the abnormal situation dimension comprise: attack source number, attack time, attack frequency and equipment online state; therefore, the security posture feature items of the network system include 11 items, which are respectively: CPU utilization rate, memory utilization rate, disk reading rate, vulnerability type, vulnerability score, event type, identity authentication degree, attack source number, attack time, attack frequency and equipment online state;
step 1.2: periodically acquiring observation data of security situation characteristic items of a single host in a network system at different moments as a research object; calculating the mean value of observation data of each security situation characteristic item of all hosts in the network system at each moment, and determining the expression value weight of each security situation characteristic item under the global action of the whole network system by using a grey correlation analysis method so as to determine the influence weight of the network security characteristic item on the network global state expression; the method comprises the following specific steps:
step 1.2.1: calculating the mean value of the observation data of each safety situation characteristic item of all the hosts in the network system at each moment to obtain an observation matrix A, wherein the observation matrix A is shown in a formula (1);
wherein t represents the t-th moment, t = 1, 2, 3, ...; $f_t(1), f_t(2), \ldots, f_t(11)$ respectively represent the mean observed values of the 11 security situation feature items at the t-th moment;
step 1.2.2: carrying out dimensionless processing on the observation matrix A by formula (2) to obtain the dimensionless observation matrix $A_1$, as shown in formula (3);
wherein $i = 1, 2, \ldots, 11$;
step 1.2.3: setting the first column vector of the dimensionless observation matrix $A_1$ as the observation vector and the other column vectors as comparison vectors; calculating the correlation coefficient of each entry in each comparison vector through formula (4) and forming the correlation coefficient matrix M, as shown in formula (5);
wherein $j = 2, 3, \ldots, 11$;
step 1.2.4: obtaining the association degree between any two network security situation characteristic items through a formula (6);
wherein $k = 1, 2, \ldots, 11$; $\gamma_{(f(i),f(k))}$ represents the relevance of the network security situation feature items $f(i)$ and $f(k)$; the value of $\gamma_{(f(i),f(1))}$ is calculated by formula (7); the value of $\gamma_{(f(k),f(1))}$ is calculated by formula (8);
wherein T is the total number of the taken time points;
step 1.2.5: obtaining a correlation matrix M 'among all network security situation characteristic items according to the result of the step 1.2.4, wherein the correlation matrix M' is shown as a formula (9);
because the correlation matrix M' is a non-negative symmetric matrix, it has, by the properties of such matrices, a largest-modulus eigenvalue, denoted λ, such that $\lambda C = M'C$; wherein λ is non-negative and C is an eigenvector; obtaining the eigenvalues and eigenvectors of the correlation matrix M' with the matlab eigenvalue and eigenvector extraction tool for non-negative symmetric matrices, and denoting the eigenvector corresponding to the largest-modulus eigenvalue λ by W, with $W \in C$ and $W = [\omega_1, \omega_2, \ldots, \omega_{11}]^T$, $\omega_i$ representing the influence weight of the i-th network security feature item on the global state of the network, $i = 1, 2, \ldots, 11$;
Through the operation of the step, the influence weight of each network security feature item on the network global state is obtained;
step 1.3: acquiring observation data of all network security feature items of all hosts in the network system at different time points, acquiring a single host situation shown by each host at each time point according to the influence weight of each network security feature item on the global state of the network obtained in the step 1.2, and acquiring importance proportions among the hosts in the network system by using a gray correlation analysis method;
step 1.3.1: the host situation calculation matrix B is formed by host situation values of all hosts in the network system at different time points, as shown in a formula (10);
wherein h represents the h-th host, h = 1, 2, 3, ...; $s_t(1), s_t(2), \ldots, s_t(h)$ respectively represent the host situation values of the 1st, 2nd, ..., h-th host in the network system at the t-th moment, calculated through formula (11);
wherein $s_t(h)$ represents the host situation value of the h-th host at the t-th moment; $f_{th}(i)$ represents the observed value of the i-th network security situation feature item $f(i)$ of the h-th host at the t-th moment;
step 1.3.2: carrying out dimensionless processing on the single-host situation matrix B as shown in formula (12) to obtain the dimensionless single-host situation calculation matrix $B_1$, as shown in formula (13);
step 1.3.3: setting the first column vector of the dimensionless single-host situation calculation matrix $B_1$ as the observation vector and the other column vectors as comparison vectors; calculating the correlation coefficient of each entry in each comparison vector through formula (14) and forming the correlation coefficient matrix H, as shown in formula (15);
wherein $m = 1, 2, 3, \ldots$;
step 1.3.4: obtaining the association degree between any two hosts through a formula (16);
wherein $q = 1, 2, 3, \ldots$; $\gamma_{(h(m),h(q))}$ represents the relevance of the network hosts $h(m)$ and $h(q)$; the value of $\gamma_{(h(m),h(1))}$ is calculated by formula (7); the value of $\gamma_{(h(q),h(1))}$ is calculated by formula (8);
step 1.3.5: obtaining a correlation matrix H 'among the network hosts according to the result of the step 1.3.4, wherein the correlation matrix H' is shown in a formula (19);
because the inter-host correlation matrix H' is a non-negative symmetric matrix, it has, by the properties of such matrices, a largest-modulus eigenvalue, denoted λ', such that $\lambda' C' = H' C'$; wherein λ' is non-negative and C' is an eigenvector; extracting and calculating the eigenvalues and eigenvectors of the correlation matrix H' with matlab, and denoting the eigenvector corresponding to the largest-modulus eigenvalue λ' by E, with $E \in C'$ and $E = [e_1, e_2, \ldots, e_h]^T$, $e_h$ representing the importance of the h-th host in the network, $h = 1, 2, 3, \ldots$;
through the operation of the step, the importance weight of each network host in the network overall situation is obtained;
step 1.4: obtaining the overall situation history data of the network system at different moments through a formula (20) according to the influence weight of each network security feature item on the global state of the network obtained in the step 1.2 and the importance weight of each host in the network system obtained in the step 1.3, wherein the overall situation history data is represented by a symbol S, and S is (S is)1,S2,...,St);
St=∑heh×st(h) (20)
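As an added example for steps 1.3.5 and 1.4 (not the patent's code): power iteration stands in for the MATLAB eigenvector call, the inter-host relevance matrix H' is a constructed non-negative symmetric matrix (the grey relational coefficients of formulas (14) to (18) that produce it are not on the page), and scaling E to sum to 1 is an assumption, since the page fixes no scale.

```python
# Added example for steps 1.3.5 and 1.4 (not the patent's code). H' is a constructed
# non-negative symmetric inter-host relevance matrix; power iteration replaces the
# MATLAB eigenvector call; scaling E to sum to 1 is an assumption (the page fixes no scale).

def check_non_negative_symmetric(matrix, tol=1e-12):
    """Step 1.3.5 relies on H' being non-negative and symmetric; reject anything else."""
    n = len(matrix)
    for i in range(n):
        if len(matrix[i]) != n:
            raise ValueError("H' must be square")
        for j in range(n):
            if matrix[i][j] < 0 or abs(matrix[i][j] - matrix[j][i]) > tol:
                raise ValueError("H' must be non-negative and symmetric")

def dominant_eigenvector(matrix, iterations=1000, tol=1e-12):
    """Power iteration: returns (lambda', E) for the maximum-modulus eigenvalue of H'.
    E is the importance-weight vector [e_1, ..., e_h]^T, scaled to sum to 1."""
    check_non_negative_symmetric(matrix)
    n = len(matrix)
    vec = [1.0 / n] * n                      # positive start vector
    lam = 0.0
    for _ in range(iterations):
        image = [sum(matrix[i][j] * vec[j] for j in range(n)) for i in range(n)]
        # Rayleigh quotient estimates lambda' from the current vector
        lam = sum(v * w for v, w in zip(vec, image)) / sum(v * v for v in vec)
        total = sum(image)
        if total == 0.0:
            raise ValueError("H' maps the start vector to zero; no positive eigenvector")
        new = [w / total for w in image]
        converged = max(abs(a - b) for a, b in zip(new, vec)) < tol
        vec = new
        if converged:
            break
    return lam, vec

def overall_situation(weights, host_situations):
    """Formula (20): S_t = sum over h of e_h * s_t(h)."""
    if len(weights) != len(host_situations):
        raise ValueError("one weight per host is required")
    return sum(e * s for e, s in zip(weights, host_situations))

def situation_history(h_prime, host_situation_rows):
    """Step 1.4: the history S = (S_1, ..., S_t), one row of s_t(h) values per moment."""
    _, weights = dominant_eigenvector(h_prime)
    return [overall_situation(weights, row) for row in host_situation_rows]

# Constructed H' for four hosts (diagonal 1: a host is fully related to itself)
H_PRIME = [[1.0, 0.8, 0.3, 0.2],
           [0.8, 1.0, 0.5, 0.3],
           [0.3, 0.5, 1.0, 0.6],
           [0.2, 0.3, 0.6, 1.0]]
# Constructed s_t(h) for the same four hosts at three consecutive moments
HOST_SITUATIONS = [[3.2, 4.1, 2.7, 1.9],
                   [3.5, 4.4, 2.9, 2.0],
                   [3.9, 4.6, 3.1, 2.2]]

if __name__ == "__main__":
    lam, weights = dominant_eigenvector(H_PRIME)
    print("lambda' =", round(lam, 4), "E =", [round(e, 4) for e in weights])
    print("S =", [round(s, 4) for s in situation_history(H_PRIME, HOST_SITUATIONS)])
```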
step two: establish a grey prediction model of the network system based on the overall situation historical data of the network system, the grey prediction model being used to predict the situation of the network system at the next moment; the method specifically comprises the following steps:
step 2.1: denote the initial sequence of the grey model by the symbol $X^{(0)}$, $X^{(0)} = (x^{(0)}(1), x^{(0)}(2), \ldots, x^{(0)}(t))$; wherein $x^{(0)}(1), x^{(0)}(2), \ldots, x^{(0)}(t)$ denote the network overall situation values at the 1st, 2nd, ..., t-th moments respectively; take the overall situation historical data S of the network system obtained in step one as the initial sequence $X^{(0)}$, i.e. $x^{(0)}(1) = S_1, x^{(0)}(2) = S_2, \ldots, x^{(0)}(t) = S_t$;
step 2.2: compute the first-order accumulated generating sequence of the initial sequence $X^{(0)}$ by formula (21), denoted by the symbol $X^{(1)}$; $X^{(1)} = \{x^{(1)}(1), x^{(1)}(2), \ldots, x^{(1)}(t)\}$, wherein $x^{(1)}(1), x^{(1)}(2), \ldots, x^{(1)}(t)$ denote the sums of the network overall situation from the 1st moment to the 1st moment, from the 1st moment to the 2nd moment, ..., and from the 1st moment to the t-th moment respectively;
$$x^{(1)}(t) = \sum_{i=1}^{t} x^{(0)}(i) \qquad (21)$$
computing the first-order accumulated generating sequence weakens the randomness and correlation of the original data items and models the overall trend from a global perspective, so as to form a trend model with which situation changes can be understood and predicted;
step 2.3: the first-order accumulated generating sequence $X^{(1)}$ turns the irregular historical data sequence, through accumulation, into a rising sequence that follows an exponential growth law, and the process of computing the first-order accumulated generating sequence resembles the form of the grey differential equation of a first-order model; therefore a first-order differential equation is established for the first-order accumulated generating sequence $X^{(1)}$, as shown in formula (22);
wherein a and b are the parameters of the system to be determined, and a and b take real values;
integrate formula (22) through formula (23) and perform discretization;
wherein $t' = 1, 2, \ldots, t-1$;
the relationship shown in formula (24) can be obtained from formula (21);
$$x^{(1)}(t'+1) - x^{(1)}(t') = x^{(0)}(t'+1) \qquad (24)$$
from formula (23) and formula (24), obtain the general formula of the grey prediction model, as shown in formula (25);
solve the integral term in formula (25) to obtain formula (26);
denote the solution of the integral term of formula (25) by the symbol $z^{(1)}(t'+1)$ to obtain formula (27);
substitute formula (27) into formula (25) to obtain formula (28);
$$x^{(0)}(t'+1) = -a\, z^{(1)}(t'+1) + b \qquad (28)$$
bring the terms of the first-order accumulated generating sequence $X^{(1)}$ and the initial sequence $X^{(0)}$ into formula (28) and rearrange the terms to obtain expression (29);
step 2.4: determine the values of the parameters a and b in formula (29) by the least squares method and establish the prediction model of the network security situation; the method specifically comprises the following steps:
step 2.4.1: set three alternative parameter vectors, the latter two denoted by the symbols $Y_t$ and G; the values of the three vectors are shown in formula (30);
step 2.4.2: substitute formula (30) into formula (29) to obtain formula (31);
step 2.4.3: solve formula (31) by the least squares method to obtain the parameter estimates of the grey prediction model;
step 2.5: predict the security situation of the network system at the next moment with the grey prediction model, i.e. obtain the predicted value of the security situation of the network system; the method specifically comprises the following steps:
step 2.5.1: introduce a symbol for the predicted value of the first-order accumulated generating sequence of the grey prediction model at the t-th moment;
when t = 1, its result is shown in formula (32);
when t > 1, substitute the parameter estimates of the grey prediction model obtained in step 2.4.3 into formula (22) and solve the grey differential equation to obtain formula (33);
the predicted values of the first-order accumulated generating sequence at the t-th moment given by the grey prediction model, formed from formula (32) and formula (33), are shown as the equation set (34);
take the difference of successive terms of the equation set (34) according to formula (24) to obtain the equation set (35);
wherein the resulting term denotes the predicted value at the t-th moment of the initial sequence $X^{(0)}$ of the grey prediction model;
the grey prediction model shown in formula (35) is obtained through the operations of step 2.5;
step 2.6: test the precision of the grey prediction model; the method specifically comprises the following steps:
obtain the prediction sequence of the initial sequence $X^{(0)}$ according to the equation set (35);
to evaluate the accuracy of the grey prediction model, compare the prediction sequence with the initial sequence $X^{(0)}$ using formula (36) to obtain the accuracy of the prediction model, denoted by the symbol rel;
if rel is greater than 0.9, the prediction result of the grey prediction model is considered credible;
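As an added example for steps 2.1 to 2.6 (not the patent's code), a GM(1,1) grey model fitted to a constructed overall-situation series; where the page omits the formula the code assumes the standard choices: $z^{(1)}(t'+1)$ is the mean of $x^{(1)}(t')$ and $x^{(1)}(t'+1)$, the least squares normal equations are solved directly, and rel is 1 minus the mean relative error of the fitted part.

```python
# Added example for steps 2.1-2.6 (not the patent's code): a GM(1,1) grey model fitted to
# a constructed overall-situation series S_1..S_t. Assumed where the page omits the
# formula: z(1)(t'+1) is the mean of x(1)(t') and x(1)(t'+1); the normal equations of
# the least squares fit are solved directly; rel is 1 minus the mean relative error.
import math

def ago(x0):
    """Step 2.2, formula (21): first-order accumulated generating sequence x(1)."""
    x1, total = [], 0.0
    for value in x0:
        total += value
        x1.append(total)
    return x1

def fit_gm11(x0):
    """Steps 2.3-2.4: least squares estimate of a, b in x(0)(t'+1) = -a z(1)(t'+1) + b."""
    if len(x0) < 4:
        raise ValueError("GM(1,1) needs at least four observations")
    x1 = ago(x0)
    z = [(x1[k - 1] + x1[k]) / 2.0 for k in range(1, len(x0))]   # background values
    y = x0[1:]                                                  # Y_t
    # rows of G are (-z, 1); form G^T G and G^T Y and solve the 2x2 system by Cramer's rule
    s11, s12, s22 = sum(v * v for v in z), -sum(z), float(len(z))
    g1, g2 = -sum(v * w for v, w in zip(z, y)), sum(y)
    det = s11 * s22 - s12 * s12
    a = (g1 * s22 - g2 * s12) / det
    b = (s11 * g2 - s12 * g1) / det
    return a, b

def predict(x0, a, b, steps):
    """Step 2.5: solution of the grey differential equation (formula 33), then
    formula (24) restores the x(0) predictions; returns the fitted + forecast values."""
    n = len(x0) + steps
    x1_hat = [float(x0[0])]                      # formula (32): x(1)_hat(1) = x(0)(1)
    for k in range(1, n):
        if abs(a) < 1e-12:                       # flat series: dx(1)/dt = b exactly
            x1_hat.append(x0[0] + b * k)
        else:
            x1_hat.append((x0[0] - b / a) * math.exp(-a * k) + b / a)
    return [x1_hat[0]] + [x1_hat[k] - x1_hat[k - 1] for k in range(1, n)]

def accuracy(x0, x0_hat):
    """Step 2.6 (assumed form of rel): 1 - mean relative error on the fitted part."""
    errors = [abs(p - o) / abs(o) for o, p in zip(x0, x0_hat)]
    return 1.0 - sum(errors) / len(errors)

def gm11_forecast(x0, steps=1):
    """Returns (forecast values for the next `steps` moments, rel, credible flag)."""
    a, b = fit_gm11(x0)
    x0_hat = predict(x0, a, b, steps)
    rel = accuracy(x0, x0_hat)
    return x0_hat[len(x0):], rel, rel > 0.9

SITUATION = [2.87, 3.28, 3.34, 3.39, 3.68]   # constructed S_1..S_5

if __name__ == "__main__":
    forecast, rel, credible = gm11_forecast(SITUATION, steps=2)
    print("forecast:", [round(v, 4) for v in forecast], "rel:", round(rel, 4), credible)
```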
step three: determine the vulnerability nodes in the network system;
predict the situation of the network system with the grey prediction model obtained in step two to obtain the predicted values of the network system situation at different time points; analyze the vulnerability nodes in the network system in real time according to the predicted situation values, finally obtaining the vulnerability nodes of the network system; the method comprises the following specific steps:
step 3.1: obtain, at the t-th moment, i.e. the current moment, the set of hosts that have been attacked, and the set of hosts that may be attacked at the (t+1)-th moment but have not yet been attacked; the method specifically comprises the following steps:
step 3.1.1: the symbol O denotes the set of all hosts in the network system, $O = (o_1, o_2, \ldots, o_h)$; $o_h$ is the h-th host in the network system;
step 3.1.2: obtain the reachability relations among all hosts in the network system from the topology of the network system and the network routing table, and build an inter-host reachability information table; the inter-host reachability information table comprises a source host and a destination host;
step 3.1.3: the symbol D denotes the set of attacked hosts in the network system at the t-th moment, where $D = (d_1, d_2, \ldots, d_y)$, $1 \le y \le h$, and $d_y$ is the y-th attacked host of the network system;
step 3.1.4: the symbol P denotes the set of hosts that may be attacked but have not yet been attacked in the network system at the (t+1)-th moment, where $P = (p_1, p_2, \ldots, p_z)$, $z = 1, 2, \ldots, z'$, $z' \le h - y$;
step 3.1.5: from the network system log, obtain the request access rate of each host relative to the whole network system, denoted by the symbol P(h); then, by formula (37), compute the conditional probability that host $p_z$ is attacked at the (t+1)-th moment given that host $d_y$ has been attacked, denoted by the symbol $P(p_z \mid d_y)$;
wherein $P(d_y \mid p_z)$ denotes the conditional probability that host $d_y$ is attacked given that host $p_z$ is attacked; $P(p_z)$ denotes the prior probability that host $p_z$ is attacked; $P(d_y \mid \sim p_z)$ denotes the conditional probability that host $d_y$ is attacked given that host $p_z$ is not attacked; $P(\sim p_z)$ denotes the prior probability that host $p_z$ is not attacked;
step 3.2: obtain, by formula (38), the increment of the network system situation at the (t+1)-th moment relative to the t-th moment caused by host $p_z$, denoted by the symbol $\Delta$;
$$\Delta = S_{t+1} - S_t \qquad (38)$$
wherein $S_{t+1}$ denotes the network security situation at the (t+1)-th moment; $S_t$ denotes the network security situation at the t-th moment;
step 3.3: perform a correlation analysis between the predicted increment and the host situation of host $p_z$ to obtain the node in the set P that is most likely to be attacked at the next moment; the method specifically comprises the following steps:
step 3.3.1: obtain the security situation matrix of the hosts that may be attacked at the (t+1)-th moment, denoted by the symbol SP, as shown in formula (39);
wherein $s_t(1), s_t(2), \ldots, s_t(z)$ denote the situation values of the 1st host, the 2nd host, ..., and the z-th host;
step 3.3.2: calculate the association degree between formula (38) and formula (39);
take $\Delta$ obtained by formula (38) as the reference sequence and the terms $s_t(z)$ of SP obtained by formula (39) as the comparison sequences; obtain the correlation degree of the comparison sequence SP with respect to the reference sequence $\Delta$ according to formula (40);
wherein r(z) denotes the degree of association between the situation of host $p_z$ and $\Delta$;
the symbol $R = [r_1, r_2, \ldots, r_z]^T$ denotes the set of association degrees between the situations of the hosts $p_z$ not marked as attacked and $\Delta$; the obtained $R = [r_1, r_2, \ldots, r_z]^T$ indicates the possibility that a host not marked as attacked at the (t+1)-th moment causes the change $\Delta$ of the network situation; the magnitude of $r_z$ indicates how strongly that host is likely to cause the situation change $\Delta$, and a larger $r_z$ indicates a greater likelihood that the host causes $\Delta$; the host corresponding to the largest $r_z$ is taken as the most vulnerable node at the (t+1)-th moment, which realizes the prediction from the overall, continuous, time-based network situation to the discrete, space-based vulnerable host node;
step 3.3: calculate the conditional probability for the hosts in the set P according to formula (37), and denote the conditional probability ranking result by the symbol U, as shown in formula (41);
$$U = (u_1, u_2, \ldots, u_z) \qquad (41)$$
compare the ranking result of formula (41) with the vulnerability node prediction result $R = [r_1, r_2, \ldots, r_z]^T$ for the set P, and denote by the symbol l the number of positions at which the association degree ranking agrees with the conditional probability ranking;
the accuracy of the mapping method, expressed as $u_l$, can be verified according to formula (42);
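As an added example for step three (not the patent's code), the mapping from the predicted situation increment to the host most likely to be attacked next, with the ranking check of formula (41). Assumptions, since the page does not reproduce the formulas: formula (37) is Bayes' rule over the four terms named after it, formula (40) is Deng's grey relational grade with resolution coefficient rho = 0.5, the reference sequence is the series of predicted increments over several consecutive moments, and all host data are constructed.

```python
# Added example for step three (not the patent's code): map the predicted situation
# increment to the most likely next victim host. Assumptions: formula (37) is Bayes'
# rule over the four terms the page names; formula (40) is Deng's grey relational grade
# with rho = 0.5; the reference sequence is the predicted increments over consecutive
# moments; every data value below is constructed.

def attack_conditional_probability(p_dy_given_pz, p_pz, p_dy_given_not_pz):
    """P(p_z | d_y): probability that p_z is hit next, given d_y is already attacked."""
    evidence = p_dy_given_pz * p_pz + p_dy_given_not_pz * (1.0 - p_pz)
    if evidence == 0.0:
        raise ValueError("d_y cannot be attacked under these parameters")
    return p_dy_given_pz * p_pz / evidence

def grey_relational_grade(reference, comparison, rho=0.5):
    """Deng's grey relational grade r(z) of a host situation series against the increments."""
    if len(reference) != len(comparison):
        raise ValueError("reference and comparison sequences must have equal length")
    diffs = [abs(r - c) for r, c in zip(reference, comparison)]
    d_min, d_max = min(diffs), max(diffs)
    if d_max == 0.0:                      # identical sequences: perfect association
        return 1.0
    coeffs = [(d_min + rho * d_max) / (d + rho * d_max) for d in diffs]
    return sum(coeffs) / len(coeffs)

def rank_hosts(scores):
    """Host names ordered from highest to lowest score (ties broken by name)."""
    return [name for name, _ in sorted(scores.items(), key=lambda kv: (-kv[1], kv[0]))]

def predict_vulnerable_node(delta_series, host_series, host_priors):
    """Returns the grey relational grades R, the rankings by R and by conditional
    probability U, the number l of rank positions on which they agree, and the victim."""
    r_scores = {h: grey_relational_grade(delta_series, s) for h, s in host_series.items()}
    u_scores = {h: attack_conditional_probability(*host_priors[h]) for h in host_series}
    ranking_r, ranking_u = rank_hosts(r_scores), rank_hosts(u_scores)
    agreement = sum(1 for a, b in zip(ranking_r, ranking_u) if a == b)
    return {"R": r_scores, "ranking_R": ranking_r, "ranking_U": ranking_u,
            "l": agreement, "vulnerable_node": ranking_r[0]}

# Constructed data: predicted increments Delta over four consecutive moments, the
# situation series of three not-yet-attacked hosts p1..p3 over the same moments, and
# per host the triple (P(d_y|p_z), P(p_z), P(d_y|~p_z)) derived from access rates P(h).
DELTA = [0.4, 0.8, 1.1, 1.5]
HOSTS = {"p1": [0.2, 0.3, 0.25, 0.35],
         "p2": [0.5, 0.9, 1.2, 1.6],
         "p3": [0.1, 0.1, 0.15, 0.1]}
PRIORS = {"p1": (0.6, 0.2, 0.3), "p2": (0.9, 0.5, 0.2), "p3": (0.5, 0.3, 0.4)}

if __name__ == "__main__":
    print(predict_vulnerable_node(DELTA, HOSTS, PRIORS))
```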
CN201810763946.1A 2018-07-12 2018-07-12 Active prediction method of network vulnerability node based on gray model Active CN109040027B (en)

Publications (2)

Publication Number Publication Date
CN109040027A true CN109040027A (en) 2018-12-18
CN109040027B CN109040027B (en) 2020-08-18
