CN109040027B - Active prediction method of network vulnerability node based on gray model - Google Patents
- Publication number: CN109040027B
- Application number: CN201810763946.1A (CN201810763946A)
- Authority: CN (China)
- Prior art keywords: formula, host, situation, network, network system
- Legal status: Active
Classifications
- H—ELECTRICITY; H04—ELECTRIC COMMUNICATION TECHNIQUE; H04L—TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
- H04L63/00—Network architectures or network communication protocols for network security
- H04L63/14—Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic
- H04L63/1408—Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic by monitoring network traffic
- H04L63/1416—Event detection, e.g. attack signature detection
- H04L63/1425—Traffic logging, e.g. anomaly detection
- H04L63/1433—Vulnerability analysis
- H04L41/00—Arrangements for maintenance, administration or management of data switching networks, e.g. of packet switching networks
- H04L41/14—Network analysis or design
- H04L41/142—Network analysis or design using statistical or mathematical methods
- H04L41/145—Network analysis or design involving simulating, designing, planning or modelling of a network
- H04L41/147—Network analysis or design for predicting network behaviour
Landscapes
- Engineering & Computer Science (AREA)
- Computer Security & Cryptography (AREA)
- Computer Hardware Design (AREA)
- Computing Systems (AREA)
- General Engineering & Computer Science (AREA)
- Computer Networks & Wireless Communication (AREA)
- Signal Processing (AREA)
- Management, Administration, Business Operations System, And Electronic Commerce (AREA)
- Computer And Data Communications (AREA)
Abstract
The invention relates to a method for actively predicting network vulnerability nodes based on a grey model, in the technical field of information security. The method acquires real-time host information, topology information, vulnerability information and other features of the network, uses grey relational analysis to determine the weight of each node in the network system and to unify the observation data into a single calculation, inputs the computed state information into a grey prediction model whose grey coefficients are determined by the least squares method, and finally performs relational analysis between the situation increment of the network nodes not yet reached and the prediction-model curve, taking the node whose situation increment is closest as the next predicted network vulnerability node.
Description
Technical Field
The invention relates to a method for actively predicting network vulnerability nodes based on a grey model, and belongs to the technical field of information security.
Background
With the rapid development of computer networks, security vulnerabilities and hidden dangers in network information systems emerge endlessly, the types and number of network attacks multiply, and basic networks and information systems face severe security threats. Traditional information security has been limited by technology and has therefore mostly adopted a passive defense model. With the emergence of technologies such as big data analysis, SDN and security information collection, however, information system security monitoring has become increasingly accurate in analyzing the security situation and in issuing early warnings of security events, and passive defense is gradually giving way to active defense. In this context, research on active defense is attracting growing interest.
The invention uses a CVE (Common Vulnerabilities and Exposures) compatible database. CVE is a dictionary that assigns a common name to each widely recognized or publicly exposed information security vulnerability, helping users share data across independent vulnerability databases and vulnerability assessment tools; this makes CVE a "key" for security information sharing. Given the CVE name of a vulnerability, the corresponding information can be found quickly in any other CVE-compatible database.
Disclosure of Invention
The invention combines network security situation awareness with a grey model and aims to provide a method for actively predicting network vulnerability nodes based on the grey model. Real-time features such as host information, topology information and vulnerability information are acquired from the network; grey relational analysis is used to determine the weight of each node in the network system and to unify the observation data into a single calculation; the computed state information is input into a grey prediction model whose grey coefficients are determined by the least squares method; and finally relational analysis is performed between the situation increment of the network nodes not yet reached and the prediction-model curve, taking the node whose situation increment is closest as the next predicted network vulnerability node.
The purpose of the invention is achieved by the following technical scheme, which comprises the following specific operations.
The invention provides a method for actively predicting network vulnerability nodes based on a grey model, comprising the following steps:
Step one: acquire the network security situation feature items and calculate the network state. Specifically:
Step 1.1: determine the security situation feature items of the network system. The network security situation is described in three dimensions, from top to bottom: the operational situation dimension, the vulnerability situation dimension and the anomaly situation dimension. The feature items describing the operational situation dimension are CPU utilization, memory utilization and disk read rate. The feature items describing the vulnerability situation dimension are vulnerability type, vulnerability score, event type and degree of identity authentication. The feature items describing the anomaly situation dimension are number of attack sources, attack time, attack frequency and device online state. The security situation feature items of the network system therefore comprise 11 items: CPU utilization, memory utilization, disk read rate, vulnerability type, vulnerability score, event type, degree of identity authentication, number of attack sources, attack time, attack frequency and device online state.
Step 1.2: periodically acquire the observation data of the security situation feature items of each single host in the network system at different times as the object of study. Compute the mean of the observation data of each feature item over all hosts at each time, and use grey relational analysis to determine the weight with which each feature item is expressed under the global action of the whole network system, i.e. the influence weight of each network security feature item on the expression of the global network state. The specific steps are:
step 1.2.1: and calculating the average value of the observation data of each security situation characteristic item of all the hosts in the network system at each moment to obtain an observation matrix A, as shown in a formula (1).
Wherein t represents the tth time, and t is 1,2,3 …; f. oft(1),ft(2),…,ft(11) Respectively represent the observed data mean values corresponding to the 11 security situation feature items at the t-th moment.
Step 1.2.2: carrying out dimensionless processing on the observation matrix A by a formula (2) to obtain the dimensionless processed observation matrix A1As shown in equation (3).
Wherein i is 1,2, …, 11.
Step 1.2.3: setting a dimensionless processed observation matrix A1The first column vector of (1) is an observation vector and the other column vectors are comparison vectors. And (4) calculating the correlation coefficient of each subentry in each comparison vector through formula (4), and forming a correlation coefficient matrix M, as shown in formula (5).
Wherein j is 2,3, …, 11.
Step 1.2.4: and (4) obtaining the association degree between any two network security situation characteristic items through a formula (6).
Wherein k is 1,2, …, 11; gamma ray(f(i),f(k))Representing the relevance of the network security situation characteristic items f (i) and f (k); gamma ray(f(i),f(1))The value of (c) is calculated by formula (7); gamma ray(f(k),f(1))The value of (c) is calculated by the formula (8).
Wherein T is the total number of the taken time points.
Step 1.2.5: and (4) obtaining a correlation matrix M 'among the network security situation characteristic items according to the result of the step 1.2.4, wherein the correlation matrix M' is shown as a formula (9).
The relevance matrix M 'is a nonnegative symmetric matrix, and has a maximum module eigenvalue according to the property of the nonnegative symmetric matrix, and is represented by a symbol lambda, so that lambda C is equal to M' C, wherein lambda is a nonnegative value, and C is an eigenvector1,ω2,…,ω11]T,ωiAnd the influence weight of the ith network security feature item on the global state of the network is shown, wherein i is 1,2, … and 11.
Through the operation of the step, the influence weight of each network security feature item on the network global state is obtained.
Step 1.3: and (3) acquiring observation data of all network security feature items of all the hosts in the network system at different time points, acquiring the single host situation shown by each host at each time point according to the influence weight of each network security feature item on the network global state obtained in the step 1.2, and acquiring the importance ratio between the hosts in the network system by using a gray correlation analysis method.
Step 1.3.1: the host situation calculation matrix B is formed by host situation values of each host in the network system at different time points, as shown in formula (10).
Wherein h represents the h-th host, and h is 1,2,3 …; st(1),st(2),…,st(h) The host situation values respectively representing the 1 st, 2 nd, … th and h th hosts in the network system at the t-th time are calculated by the formula (11).
Wherein s ist(h) Indicating the host situation value of the h-th host at the t-th time; f. ofth(i) And the observed value of the ith network security situation characteristic item f (i) at the ith host at the moment t is represented.
Step 1.3.2: carrying out dimensionless processing on the single host situation matrix B as shown in formula (12) to obtain a dimensionless processed single host situation calculation matrix B1As shown in equation (13).
Step 1.3.3: setting single host situation matrix calculation B after dimensionless processing1The first column vector of (1) is an observation vector and the other column vectors are comparison vectors. By the formula (1)4) And calculating the correlation coefficient of each sub-item in each comparison vector, and forming a correlation coefficient matrix H, as shown in formula (15).
Wherein m is 1,2,3, ….
Step 1.3.4: the correlation between any two hosts is obtained by the formula (16).
Wherein q is 1,2,3, …; gamma ray(h(m),h(q))Representing the relevance of the network hosts h (m) and h (q); gamma ray(h(m),h(1))The value of (c) is calculated by formula (7); gamma ray(h(q),h(1))The value of (c) is calculated by the formula (8).
Step 1.3.5: according to the result of step 1.3.4, the correlation matrix H' between the network hosts is obtained as shown in formula (19).
Because the inter-host correlation matrix H ' is a non-negative symmetric matrix, according to the property of the non-negative symmetric matrix, the maximum mode eigenvalue exists in the correlation matrix M ', and is represented by the symbol λ ', so that λ ' C ' is H ' C '; wherein λ 'is a non-negative value, and C' is a feature vector. Extracting characteristic value and characteristic vector of relevance matrix H' by matlabThe eigenvalues and eigenvectors of the correlation matrix H ' are obtained by calculation, and the eigenvector corresponding to the maximum modulus eigenvalue λ ' is denoted by symbol E, E ∈ C ', E ═ E1,e2,…,eh]T,ehIndicating the importance of the h-th host in the network, h is 1,2,3, ….
Through the operation of the step, the importance weight of each network host in the network global is obtained.
Step 1.4: obtaining the overall situation history data of the network system at different moments through a formula (20) according to the influence weight of each network security feature item on the global state of the network obtained in the step 1.2 and the importance weight of each host in the network system obtained in the step 1.3, wherein the overall situation history data is represented by a symbol S, and S is (S is)1,S2,…,St)。
St=∑heh×st(h) (20)
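Worked example of steps 1.2 to 1.4 in Python, added here; it is not code from the patent. Because formulas (2) to (9) and (11) to (19) are not reproduced on this page, the standard Deng grey relational analysis (min-max dimensionless processing, resolution coefficient 0.5) is assumed in their place, the single-host situation $s_t(h)$ of formula (11) is assumed to be the $\omega$-weighted sum of the host's dimensionless feature values, and the principal eigenvector of the symmetric relational matrix is found by power iteration rather than with matlab. The 6-host, 6-time-point, 11-feature observation data is constructed.

```python
"""Grey relational weighting of situation features and hosts, steps 1.2 to 1.4.

Added worked example; this is not code from the patent.  Formulas (2)-(9) and
(11)-(19) are not reproduced on the page, so the standard Deng grey relational
analysis (min-max dimensionless processing, resolution coefficient rho = 0.5)
is ASSUMED in their place, the single-host situation s_t(h) of formula (11) is
ASSUMED to be the omega-weighted sum of that host's dimensionless feature
values, and the principal eigenvector of the symmetric relational matrix is
found by power iteration instead of matlab.  All observation data is
constructed.
"""
import random
from typing import Dict, List, Sequence

Matrix = List[List[float]]
RHO = 0.5  # assumed grey resolution coefficient


def normalise_columns(a: Matrix) -> Matrix:
    """Dimensionless processing: scale every column of a to [0, 1]."""
    cols = list(zip(*a))
    lo = [min(c) for c in cols]
    hi = [max(c) for c in cols]
    return [[0.0 if hi[j] == lo[j] else (v - lo[j]) / (hi[j] - lo[j])
             for j, v in enumerate(row)] for row in a]


def relational_degree(ref: Sequence[float], cmp: Sequence[float], rho: float = RHO) -> float:
    """Deng grey relational degree of comparison sequence cmp with respect to ref."""
    diffs = [abs(r - c) for r, c in zip(ref, cmp)]
    dmin, dmax = min(diffs), max(diffs)
    if dmax == 0.0:            # identical sequences: perfect relation
        return 1.0
    coeffs = [(dmin + rho * dmax) / (d + rho * dmax) for d in diffs]
    return sum(coeffs) / len(coeffs)


def relational_matrix(a: Matrix) -> Matrix:
    """Relational degree between every pair of columns of a (time runs down the
    rows), symmetrised so the result is a nonnegative symmetric matrix like M'/H'."""
    cols = list(zip(*normalise_columns(a)))
    n = len(cols)
    g = [[relational_degree(cols[i], cols[k]) for k in range(n)] for i in range(n)]
    return [[(g[i][k] + g[k][i]) / 2.0 for k in range(n)] for i in range(n)]


def principal_weights(m: Matrix, iters: int = 500) -> List[float]:
    """Eigenvector of the largest-modulus eigenvalue (power iteration on a
    positive matrix converges to its Perron vector), scaled to sum to 1."""
    n = len(m)
    v = [1.0 / n] * n
    for _ in range(iters):
        w = [sum(m[i][k] * v[k] for k in range(n)) for i in range(n)]
        total = sum(w)
        v = [x / total for x in w]
    return v


def overall_situation(obs: List[Matrix]) -> Dict[str, List[float]]:
    """obs[h][t][i] is feature i of host h at time t.  Returns the feature
    weights omega (step 1.2), host weights e (step 1.3) and S_t, formula (20)."""
    n_hosts, n_times, n_feat = len(obs), len(obs[0]), len(obs[0][0])
    # Step 1.2.1: observation matrix A, mean over hosts for each (time, feature)
    a = [[sum(obs[h][t][i] for h in range(n_hosts)) / n_hosts for i in range(n_feat)]
         for t in range(n_times)]
    omega = principal_weights(relational_matrix(a))                # step 1.2.5
    # Step 1.3.1: host situation matrix B[t][h] = s_t(h) (assumed weighted sum)
    pooled = normalise_columns([row for host in obs for row in host])
    b = [[sum(w * f for w, f in zip(omega, pooled[h * n_times + t])) for h in range(n_hosts)]
         for t in range(n_times)]
    e = principal_weights(relational_matrix(b))                    # step 1.3.5
    s = [sum(e[h] * b[t][h] for h in range(n_hosts)) for t in range(n_times)]  # (20)
    return {"omega": omega, "e": e, "S": s}


def constructed_observations(n_hosts: int = 6, n_times: int = 6,
                             n_features: int = 11, seed: int = 1) -> List[Matrix]:
    """Constructed sample data (not from the patent): one row of 11 feature
    readings per host per time point, with a per-host noise level."""
    rng = random.Random(seed)
    obs = []
    for h in range(n_hosts):
        base = [rng.uniform(0.0, 100.0) for _ in range(n_features)]
        obs.append([[max(0.0, v + rng.gauss(0.0, 5.0 + h)) for v in base]
                    for _ in range(n_times)])
    return obs


if __name__ == "__main__":
    result = overall_situation(constructed_observations())
    print("omega:", [round(w, 3) for w in result["omega"]])
    print("e:    ", [round(w, 3) for w in result["e"]])
    print("S_t:  ", [round(v, 3) for v in result["S"]])
```

Because every Deng coefficient is strictly positive, the relational matrix is a positive symmetric matrix, so its largest-modulus eigenvalue is simple and the power iteration converges to a strictly positive weight vector; this is what the page's appeal to the properties of a nonnegative symmetric matrix relies on. Note that the raw feature items mix scales (utilization percentages, CVSS-like scores, counts of attack sources), which is why the dimensionless step must run before any relational coefficient is computed.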
Step two: establish a grey prediction model of the network system based on its overall situation history data, and predict the situation of the network system at the next time. Specifically:
Step 2.1: let $X^{(0)}$ denote the initial sequence of the grey model, $X^{(0)} = (x^{(0)}(1), x^{(0)}(2), \dots, x^{(0)}(t))$, where $x^{(0)}(1), x^{(0)}(2), \dots, x^{(0)}(t)$ are the overall network situation values at times $1, 2, \dots, t$. The overall situation history data $S$ obtained in step one is taken as the initial sequence $X^{(0)}$: $x^{(0)}(1) = S_1, x^{(0)}(2) = S_2, \dots, x^{(0)}(t) = S_t$.
Step 2.2: compute the first-order accumulated generating sequence of $X^{(0)}$ by formula (21), denoted $X^{(1)} = \{x^{(1)}(1), x^{(1)}(2), \dots, x^{(1)}(t)\}$, where $x^{(1)}(1), x^{(1)}(2), \dots, x^{(1)}(t)$ are the sums of the overall network situation from time 1 to time 1, from time 1 to time 2, ..., and from time 1 to time $t$.
$x^{(1)}(t) = \sum_{k=1}^{t} x^{(0)}(k)$ (21)
The purpose of computing the first-order accumulated generating sequence is to weaken the randomness and the correlation of the original data items and to model the overall trend from a global perspective, which facilitates forming a trend model and understanding and predicting situation changes.
Step 2.3: the first-order accumulated generating sequence $X^{(1)}$ accumulates the irregular history data into an increasing sequence with an exponential growth law. The process of computing it is analogous to the grey differential equation of a first-order model, so the first-order differential equation shown in formula (22) is established for $X^{(1)}$.
where $a$ and $b$ are the parameters of the system to be determined, and both are real-valued.
Formula (22) is integrated as in formula (23) and discretized.
where $t' = 1, 2, \dots, t-1$.
From formula (21), the relation shown in formula (24) is obtained.
$x^{(1)}(t'+1) - x^{(1)}(t') = x^{(0)}(t'+1)$ (24)
From formulas (23) and (24) the general form of the grey prediction model is obtained, as shown in formula (25).
Solving the integral term in formula (25) gives formula (26).
Let $z^{(1)}(t'+1)$ denote the solution of the integral term of formula (25), giving formula (27).
Substituting formula (27) into formula (25) yields formula (28).
$x^{(0)}(t'+1) = -a z^{(1)}(t'+1) + b$ (28)
Substituting the terms of the first-order accumulated generating sequence $X^{(1)}$ and of the initial sequence $X^{(0)}$ into formula (28) and rearranging gives the expression shown in formula (29).
Step 2.4: and (3) confirming the values of the parameters a and b in the formula (29) by using a least square method, and establishing a prediction model of the network security situation. The method specifically comprises the following steps:
step 2.4.1: setting 3 alternative parameter vectors, respectively using symbolsYtAnd G represents a group represented by,Ytand the value of G is shown in equation (30).
Step 2.4.2: substituting equation (30) into equation (29) yields equation (31).
Step 2.4.3: and solving the formula (31) by a least square method to obtain the parameter estimation of the gray prediction model.
Step 2.5: and predicting the security situation of the network system at the next moment by using a grey prediction model, namely predicting the security situation prediction value of the network system. The method specifically comprises the following steps:
step 2.5.1: by symbolsAnd the predicted value of the grey prediction model for the first-order accumulation generation sequence at the t-th moment is shown.
When t >1, the parameter estimates of the gray prediction model obtained in step 2.4.3 are substituted into equation (22) and the gray differential equation is solved to obtain equation (33).
The predicted values of the gray prediction model at time t for the first-order accumulation generation sequence, which is formed by equations (32) and (33), are shown in equation set (34).
For the set of equations (34) according to the formula (24)Andthe difference is calculated to obtain an equation set (35).
Wherein the content of the first and second substances,representing the initial sequence X of the grey prediction model at time t(0)The predicted value of (2).
Through the operation of step 2.5, a gray prediction model as shown in equation (35) is obtained.
Step 2.6: the accuracy of the gray prediction model is checked. The method specifically comprises the following steps:
To evaluate the accuracy of the gray prediction model, the prediction sequence is aligned using equation (36)With the initial sequence X(0)The comparison is carried out to obtain the accuracy of the prediction model, which is represented by the symbol rel.
If rel >0.9, the prediction result of the gray prediction model is considered to be credible.
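Worked example of step two in Python, added here; it is not code from the patent. It carries the derivation above through to a forecast: accumulation by formula (21), the background value $z^{(1)}(t'+1)$, the least squares estimate of $a$ and $b$ from formula (28), the time-response solution of the differential equation, inverse accumulation by formula (24), and the credibility check of step 2.6. Two things the page does not reproduce are assumed: the integral term of formula (27) is taken as the usual mean $z^{(1)}(t'+1) = (x^{(1)}(t') + x^{(1)}(t'+1))/2$, and rel of formula (36) is taken as 1 minus the mean relative error of the fitted sequence. The situation history `S_HISTORY` is constructed.

```python
"""GM(1,1) grey prediction of the overall network situation, step two.

Added worked example; this is not code from the patent.  It follows the
derivation on the page: first-order accumulation (21), the background value
z(1)(t'+1), the least-squares estimate of a and b from formula (28), the
time-response solution of the differential equation, inverse accumulation by
formula (24), and the accuracy check of step 2.6.  Two points are ASSUMED
because the page does not reproduce them: the integral term of (27) is taken
as the mean z(1)(t'+1) = (x(1)(t') + x(1)(t'+1)) / 2, and rel of (36) is
taken as 1 minus the mean relative error of the fitted sequence.  The
situation sequence S_HISTORY is constructed.
"""
import math
from typing import List, Sequence, Tuple


def ago(x0: Sequence[float]) -> List[float]:
    """First-order accumulated generating operation, formula (21)."""
    out: List[float] = []
    acc = 0.0
    for v in x0:
        acc += v
        out.append(acc)
    return out


def fit_gm11(x0: Sequence[float]) -> Tuple[float, float]:
    """Least-squares estimate of (a, b) in x0(t'+1) = -a z1(t'+1) + b, formula (28).

    The 2x2 normal equations for design rows (-z, 1) are solved in closed form."""
    if len(x0) < 4:
        raise ValueError("GM(1,1) needs at least 4 observations")
    x1 = ago(x0)
    z = [(x1[k] + x1[k + 1]) / 2.0 for k in range(len(x1) - 1)]  # assumed form of (27)
    y = list(x0[1:])                                               # Y_t
    n = len(z)
    p, q, r = sum(v * v for v in z), -sum(z), float(n)             # entries of G^T G
    u, w = -sum(v * t for v, t in zip(z, y)), sum(y)               # entries of G^T Y
    det = p * r - q * q
    if abs(det) < 1e-15:
        raise ValueError("degenerate sequence: parameters not identifiable")
    a = (u * r - q * w) / det
    b = (p * w - q * u) / det
    return a, b


def predict_gm11(x0: Sequence[float], steps: int = 1) -> Tuple[List[float], List[float]]:
    """Fitted values for the observed points plus `steps` future points.

    Returns (x1_hat, x0_hat): the predicted accumulation sequence, equation set
    (34), and its first differences, equation set (35)."""
    a, b = fit_gm11(x0)
    n = len(x0) + steps
    if abs(a) < 1e-9:   # no trend: the differential equation degenerates to linear growth
        x1_hat = [x0[0] + b * k for k in range(n)]
    else:               # time response: x1_hat(k+1) = (x0(1) - b/a) e^{-a k} + b/a
        x1_hat = [(x0[0] - b / a) * math.exp(-a * k) + b / a for k in range(n)]
    x0_hat = [x1_hat[0]] + [x1_hat[k] - x1_hat[k - 1] for k in range(1, n)]
    return x1_hat, x0_hat


def accuracy(x0: Sequence[float], x0_hat: Sequence[float]) -> float:
    """rel: 1 minus the mean relative error over the observed points (assumed (36))."""
    errs = [abs(o - p) / abs(o) for o, p in zip(x0, x0_hat) if o != 0.0]
    return 1.0 - sum(errs) / len(errs) if errs else 0.0


def forecast_next(s: Sequence[float], threshold: float = 0.9) -> Tuple[float, float, bool]:
    """Predict S_{t+1}; the value is only trusted when rel > threshold (step 2.6)."""
    _, x0_hat = predict_gm11(s, steps=1)
    rel = accuracy(s, x0_hat)
    return x0_hat[-1], rel, rel > threshold


# Constructed overall situation history S_1..S_6 (not from the patent).
S_HISTORY = [0.50, 0.53, 0.57, 0.61, 0.65, 0.70]

if __name__ == "__main__":
    nxt, rel, ok = forecast_next(S_HISTORY)
    print(f"S_7 predicted = {nxt:.4f}, rel = {rel:.4f}, credible = {ok}")
```

A caveat a practitioner should keep in mind: GM(1,1) fits a single exponential trend, so it tracks a smoothly rising situation well but cannot represent a sudden spike such as the onset of an attack. The rel > 0.9 gate of step 2.6 is the only guard against acting on a forecast from a sequence the model does not fit, and with only a handful of points (six in the embodiment) the estimate of $a$ and $b$ has little data behind it.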
Step three: determine the vulnerability node in the network system.
The grey prediction model obtained in step two is used to predict the situation of the network system, giving predicted situation values at the different time points. The vulnerability nodes of the network system are analyzed in real time from the predicted situation values, finally yielding the vulnerability nodes of the network system. The specific steps are:
Step 3.1: obtain the set of hosts attacked at time $t$ (the current time) and the set of hosts that may be attacked at time $t+1$ (the next time) but have not been attacked yet. Specifically:
Step 3.1.1: let $O$ denote the set of all hosts in the network system, $O = (o_1, o_2, \dots, o_h)$, where $o_h$ is the $h$-th host.
Step 3.1.2: from the topology of the network system and the network routing table, obtain the reachability relation between hosts and build an inter-host reachability table. Each entry of the table consists of a source host and a destination host.
Step 3.1.3: let $D$ denote the set of hosts attacked at time $t$, $D = (d_1, d_2, \dots, d_y)$, $1 \le y \le h$, where $d_y$ is the $y$-th attacked host.
Step 3.1.4: let $P$ denote the set of hosts that may be attacked at time $t+1$ but have not yet been attacked, $P = (p_1, p_2, \dots, p_z)$, $z = 1, 2, \dots, z'$, $z' \le h - y$.
Step 3.1.5: from the network system logs, obtain the request access rate of each host relative to the whole network system, denoted $P(h)$. Then, by formula (37), compute the conditional probability that host $p_z$ is attacked at time $t+1$ given that host $d_y$ has been attacked, denoted $P(p_z \mid d_y)$.
where $P(d_y \mid p_z)$ is the conditional probability that $d_y$ is attacked given that $p_z$ is attacked; $P(p_z)$ is the prior probability that $p_z$ is attacked; $P(d_y \mid \neg p_z)$ is the conditional probability that $d_y$ is attacked given that $p_z$ is not attacked; and $P(\neg p_z)$ is the prior probability that $p_z$ is not attacked.
Step 3.2: obtain by formula (38) the increment of the network system situation at time $t+1$ over time $t$ caused by host $p_z$, denoted $\Delta$.
$\Delta = S_{t+1} - S_t$ (38)
where $S_{t+1}$ is the network security situation at time $t+1$ and $S_t$ is the network security situation at time $t$.
Step 3.3: perform relational analysis between the predicted increment and the host situation of each host $p_z$ to obtain the vulnerability ranking of $p_z$. Specifically:
Step 3.3.1: obtain the security situation matrix of the hosts that may be attacked at time $t+1$, denoted $SP$, as shown in formula (39).
where $s_t(1), s_t(2), \dots, s_t(z)$ denote the situation values of hosts $1, 2, \dots, z$.
Step 3.3.2: compute the relational degree between formula (38) and formula (39).
Taking $\Delta$ obtained by formula (38) as the reference sequence and each entry $s_t(z)$ of $SP$ from formula (39) as a comparison sequence, the relational degree of the comparison sequences $SP$ with respect to the reference sequence $\Delta$ is obtained by formula (40).
where $r(z)$ denotes the relational degree of host $p_z$ with $\Delta$.
Let $R = [r_1, r_2, \dots, r_z]^T$ denote the relational degrees with $\Delta$ of the hosts $p_z$ not marked as attacked. $R$ indicates the likelihood that each host not marked as attacked at time $t+1$ causes the network situation change $\Delta$: the magnitude of $r_z$ indicates how strongly that host is likely to cause the situation change, and a larger $r_z$ means a higher probability that the host causes $\Delta$. The host with the largest $r_z$ is taken as the node most vulnerable at time $t+1$, which realizes the mapping from the prediction of the overall network situation in continuous time to the vulnerable host node in discrete space.
Step 3.4: compute the conditional probability of each host in the set $P$ by formula (37); the ranking by conditional probability is denoted $U$, as shown in formula (41).
$U = (u_1, u_2, \dots, u_z)$ (41)
The ranking of formula (41) is compared with the vulnerability node prediction result $R = [r_1, r_2, \dots, r_z]^T$ for the set $P$; the number of rank positions in which the two orderings agree is denoted $l$.
The accuracy of the mapping method, denoted $ul$, is verified by formula (42).
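Worked example of steps 3.1 and 3.4 in Python, added here; it is not code from the patent. Formula (37) is not reproduced on this page, but the four terms listed under it are exactly those of Bayes' theorem, so $P(p_z \mid d_y)$ is assumed to be $P(d_y \mid p_z)P(p_z) / (P(d_y \mid p_z)P(p_z) + P(d_y \mid \neg p_z)P(\neg p_z))$. Further assumptions: reachability is the direct edge set of the topology, the prior $P(p_z)$ is the host's request access rate from the logs, a candidate with several attacked neighbours keeps its largest conditional probability, and the accuracy of formula (42) is $ul = l / |P|$. The grey relational vector $R$ of step 3.3 is supplied as constructed input rather than recomputed. Host names, edges and probabilities are all constructed and are not those of Table 1.

```python
"""Candidate vulnerable hosts, Bayesian attack probability and ranking check,
steps 3.1 and 3.4.

Added worked example; this is not code from the patent.  Formula (37) is not
reproduced on the page, but the four terms listed under it are those of Bayes'
theorem, so P(p_z | d_y) is ASSUMED to be
P(d_y|p_z) P(p_z) / (P(d_y|p_z) P(p_z) + P(d_y|not p_z) P(not p_z)).
Further ASSUMPTIONS: reachability is the direct edge set of the topology, the
prior P(p_z) is the host's request access rate from the logs, a candidate with
several attacked neighbours keeps its largest conditional probability, and the
accuracy of formula (42) is ul = l / |P|.  The grey relational vector R of
step 3.3 is supplied as constructed input rather than recomputed.  Host names,
edges and probabilities are all constructed.
"""
from typing import Dict, List, Sequence, Set, Tuple

Edge = Tuple[str, str]          # (source host, destination host) reachability entry
Pair = Tuple[str, str]          # (attacked host d_y, candidate host p_z)


def candidate_set(hosts: Sequence[str], reach: Sequence[Edge], attacked: Set[str]) -> List[str]:
    """P: hosts reachable from an attacked host d_y but not yet attacked (step 3.1.4)."""
    reachable = {dst for src, dst in reach if src in attacked}
    return [h for h in hosts if h in reachable and h not in attacked]


def posterior(prior: float, lik: float, lik_not: float) -> float:
    """P(p_z | d_y) by Bayes' theorem (assumed form of formula (37))."""
    num = lik * prior
    den = num + lik_not * (1.0 - prior)
    return 0.0 if den == 0.0 else num / den


def rank_by_probability(candidates: Sequence[str], attacked: Set[str],
                        prior: Dict[str, float], lik: Dict[Pair, float],
                        lik_not: Dict[Pair, float]) -> List[Tuple[str, float]]:
    """U: candidates ordered by conditional probability of being attacked next (41)."""
    scored = [(pz, max(posterior(prior[pz], lik.get((dy, pz), 0.0), lik_not.get((dy, pz), 0.0))
                       for dy in attacked)) for pz in candidates]
    return sorted(scored, key=lambda item: item[1], reverse=True)


def ranking_agreement(u: Sequence[str], r: Dict[str, float]) -> Tuple[int, float]:
    """l: rank positions where the GRA ordering by r_z matches U; ul = l / |P|."""
    by_r = sorted(r, key=lambda host: r[host], reverse=True)
    l = sum(1 for a, b in zip(u, by_r) if a == b)
    return l, (l / len(u) if u else 0.0)


# Constructed topology: proxy at the boundary, two web servers, two database
# servers, one backup node (names are illustrative, not those of Table 1).
HOSTS = ["proxy", "web1", "web2", "db1", "db2", "bak"]
REACH: List[Edge] = [("proxy", "web1"), ("proxy", "web2"), ("web1", "db1"),
                     ("web2", "db2"), ("db1", "bak"), ("db2", "bak")]
ATTACKED: Set[str] = {"proxy"}                       # D at time t
PRIOR = {"web1": 0.30, "web2": 0.20, "db1": 0.10, "db2": 0.10, "bak": 0.05}
LIK = {("proxy", "web1"): 0.90, ("proxy", "web2"): 0.80}      # P(d_y | p_z)
LIK_NOT = {("proxy", "web1"): 0.40, ("proxy", "web2"): 0.30}  # P(d_y | not p_z)
R_GRA = {"web1": 0.81, "web2": 0.64}                 # constructed step-3.3 output


def demo() -> Dict[str, object]:
    """Run steps 3.1 and 3.4 on the constructed data."""
    p_set = candidate_set(HOSTS, REACH, ATTACKED)
    u = rank_by_probability(p_set, ATTACKED, PRIOR, LIK, LIK_NOT)
    l, ul = ranking_agreement([host for host, _ in u], R_GRA)
    return {"P": p_set, "U": u, "l": l, "ul": ul}


if __name__ == "__main__":
    out = demo()
    print("P =", out["P"])
    print("U =", [(h, round(p, 3)) for h, p in out["U"]])
    print(f"l = {out['l']}, ul = {out['ul']:.2f}")
```

Restricting $P$ to hosts reachable from $D$ is what keeps the candidate set small; on the constructed topology only the two web servers behind the compromised proxy qualify, and the database servers only enter $P$ once a web server is marked attacked. One caveat for anyone deploying this: the prior is derived from request access rates in the logs, and an attacker who already controls a host can generate traffic and so shift the priors of the hosts they intend to reach next, which argues for cross-checking $U$ against the situation-based ranking $R$ rather than relying on either alone.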
Advantageous effects
Compared with the prior art, the method for actively predicting network vulnerability nodes based on a grey model can predict network vulnerability nodes more accurately.
Drawings
FIG. 1 is a diagram of a network system architecture in accordance with an embodiment of the present invention;
FIG. 2 is a diagram of eigenvalues and eigenvectors of matrix B in an embodiment of the present invention;
FIG. 3 is a diagram of the results of a network security situation gray model determined using the least squares method in an embodiment of the present invention;
FIG. 4 is a block diagram of an overall system of network security situation impact characteristic indicators in accordance with an embodiment of the present invention;
fig. 5 is a diagram of eigenvalues and eigenvectors for matrix B in an embodiment of the present invention.
Detailed Description
The following embodiment is described in detail with reference to the above technical solution.
In this embodiment the network system has 6 hosts, with the network structure shown in FIG. 1. FIG. 1 depicts the topology of a simulated network system environment consisting of two parts: the main network and the backup nodes. The part joined by solid lines is the device reachability network from the external network to the internal network of the system. The environment places a proxy server at the system boundary to isolate the internal network from the external network; the proxy server is the first barrier controlling external access. Behind it, two web servers and database servers respectively provide simple web requests and the data supporting them. The part in the dashed box is the hot backup node of the corresponding device, and the dashed connections indicate that it serves as the hot backup node of that device for security policy transfer. Each host node in the figure is described in Table 1.
Table 1 network system node description table
The method of the invention is used to predict the vulnerability nodes in this network; the specific implementation steps are as follows:
Step one: acquire the network security situation feature items and calculate the network state. Specifically:
Step 1.1: determine the security situation feature items of the network system. The network security situation is described in three dimensions, from top to bottom: the operational situation dimension, the vulnerability situation dimension and the anomaly situation dimension. The feature items describing the operational situation dimension are CPU utilization, memory utilization and disk read rate. The feature items describing the vulnerability situation dimension are vulnerability type, vulnerability score, event type and degree of identity authentication. The feature items describing the anomaly situation dimension are number of attack sources, attack time, attack frequency and device online state. The security situation feature items of the network system therefore comprise 11 items: CPU utilization, memory utilization, disk read rate, vulnerability type, vulnerability score, event type, degree of identity authentication, number of attack sources, attack time, attack frequency and device online state.
Step 1.2: periodically acquire the observation data of the security situation feature items of each single host in the network system at different times as the object of study. Compute the mean of the observation data of each feature item over all hosts at each time, and use grey relational analysis to determine the weight with which each feature item is expressed under the global action of the whole network system, i.e. the influence weight of each network security feature item on the expression of the global network state. The specific steps are:
Step 1.2.1: compute the mean of the observation data of each security situation feature item over all hosts in the network system at each time to obtain the observation matrix $A$, as shown in formula (43).
Step 1.2.2: carrying out dimensionless processing on the observation matrix A by a formula (2) to obtain the dimensionless processed observation matrix A1As shown in equation (3).
Wherein i is 1,2, …, 11; t is 6.
Step 1.2.3: setting a dimensionless processed observation matrix A1The first column vector of (1) is an observation vector and the other column vectors are comparison vectors. And (4) calculating the correlation coefficient of each subentry in each comparison vector through formula (4), and forming a correlation coefficient matrix M, as shown in formula (5).
Wherein j is 2,3, …, 11.
Step 1.2.4: and (4) obtaining the association degree between any two network security situation characteristic items through a formula (6).
Wherein k is 1,2, …, 11; gamma ray(f(i),f(k))Representing the relevance of the network security situation characteristic items f (i) and f (k); gamma ray(f(i),f(1))The value of (c) is calculated by formula (7); gamma ray(f(k),f(1))The value of (c) is calculated by the formula (8).
Wherein T is the total number of the taken time points.
Step 1.2.5: and (4) obtaining a correlation matrix M 'among the network security situation characteristic items according to the result of the step 1.2.4, wherein the correlation matrix M' is shown as a formula (9).
The relevance matrix M 'is a nonnegative symmetric matrix, and has a maximum module eigenvalue according to the property of the nonnegative symmetric matrix, and is represented by a symbol lambda, so that lambda C is equal to M' C, wherein lambda is a nonnegative value, and C is an eigenvector1,ω2,…,ω11]T,ωiAnd the influence weight of the ith network security feature item on the global state of the network is shown, wherein i is 1,2, … and 11.
Through the operation of the step, the influence weight of each network security feature item on the network global state is obtained.
Step 1.3: acquire the observation data of all network security feature items of all hosts in the network system at different time points, obtain the single-host situation shown by each host at each time point according to the influence weight of each network security feature item on the global state of the network obtained in step 1.2, and obtain the importance ratio between the hosts in the network system by the grey correlation analysis method.
Step 1.3.1: the host situation calculation matrix B is formed by the host situation values of each host in the network system at different time points, as shown in formula (44).
The eigenvalues and eigenvectors of matrix B are shown in fig. 2.
Step 1.3.2: carry out dimensionless processing on the single-host situation matrix B as shown in formula (12) to obtain the dimensionless single-host situation calculation matrix $B_1$, as shown in formula (13).
Step 1.3.3: take the first column vector of the dimensionless single-host situation calculation matrix $B_1$ as the observation vector and the other column vectors as comparison vectors. Calculate the correlation coefficient of each entry of each comparison vector by formula (14) and form the correlation coefficient matrix H, as shown in formula (15).
where m = 1, 2, 3, ….
Step 1.3.4: the association degree between any two hosts is obtained through formula (16).
where q = 1, 2, 3, …; $\gamma_{(h(m),h(q))}$ represents the relevance of the network hosts h(m) and h(q); the value of $\gamma_{(h(m),h(1))}$ is calculated by formula (7); the value of $\gamma_{(h(q),h(1))}$ is calculated by formula (8).
Step 1.3.5: according to the result of step 1.3.4, the correlation matrix H' between the network hosts is obtained, as shown in formula (19).
The correlation matrix H' between the hosts is a nonnegative symmetric matrix and, by the property of nonnegative symmetric matrices, has a maximum-modulus eigenvalue, denoted by the symbol λ', such that λ'C' = H'C', where λ' is a nonnegative value and C' is an eigenvector. The eigenvalues and eigenvectors of the correlation matrix H' are extracted with matlab, and the eigenvector corresponding to the maximum-modulus eigenvalue λ' is denoted by the symbol E, E ∈ C', $E = [e_1, e_2, …, e_h]^T$, where $e_h$ indicates the importance of the h-th host in the network, h = 1, 2, 3, …, 6.
Through this step, the importance weight of each network host in the network as a whole is obtained.
Step 1.4: obtain the overall situation history data of the network system at different moments through formula (20), according to the influence weight of each network security feature item on the global state of the network obtained in step 1.2 and the importance weight of each host in the network system obtained in step 1.3; the overall situation history data are denoted by the symbol S, $S = (S_1, S_2, …, S_t)$.
$S_t = \sum_h e_h \times s_t(h)$   (20)
Step two: establish a grey prediction model of the network system based on the overall situation history data of the network system, and predict the situation of the network system at the next moment. The method specifically comprises the following steps:
Step 2.1: the symbol $X^{(0)}$ denotes the initial sequence of the grey model, $X^{(0)} = (x^{(0)}(1), x^{(0)}(2), …, x^{(0)}(t))$, where $x^{(0)}(1), x^{(0)}(2), …, x^{(0)}(t)$ represent the overall network situation values at time 1, time 2, …, time t respectively. The overall situation history data S of the network system obtained in step one are taken as the initial sequence $X^{(0)}$: $x^{(0)}(1) = S_1, x^{(0)}(2) = S_2, …, x^{(0)}(t) = S_t$.
Step 2.2: calculate the first-order accumulation generation sequence of the initial sequence $X^{(0)}$ by formula (21); it is denoted by the symbol $X^{(1)}$, $X^{(1)} = \{x^{(1)}(1), x^{(1)}(2), …, x^{(1)}(t)\}$, where $x^{(1)}(1), x^{(1)}(2), …, x^{(1)}(t)$ represent the sum of the overall network situation from the 1st time to the 1st time, from the 1st time to the 2nd time, …, and from the 1st time to the t-th time respectively.
$x^{(1)}(t) = \sum_{k=1}^{t} x^{(0)}(k)$   (21)
The purpose of calculating the first-order accumulation generation sequence is to weaken the randomness and relevance of the original data items and to model the overall trend from the global perspective, which facilitates forming a trend model and understanding and predicting situation changes.
Step 2.3: the first-order accumulation generation sequence $X^{(1)}$ is obtained by accumulating an irregular historical data sequence, which turns it into a rising sequence with an exponential growth law. The process of calculating the first-order accumulation generation sequence is similar in form to the grey differential equation of the first-order model. Therefore, a first-order differential equation is established for the first-order accumulation generation sequence $X^{(1)}$, as shown in formula (22).
where a and b are parameters to be determined by the system, and the value ranges of a and b are the real numbers.
Formula (22) is integrated by formula (23) and discretized.
where t' = 1, 2, …, t−1.
From formula (21), the relationship shown in formula (24) can be obtained.
$x^{(1)}(t'+1) - x^{(1)}(t') = x^{(0)}(t'+1)$   (24)
The general formula of the grey prediction model is obtained from formulas (23) and (24), as shown in formula (25).
The integral term in formula (25) is solved to obtain formula (26).
The solution of the integral term of formula (25) is denoted by the symbol $z^{(1)}(t'+1)$, giving formula (27).
Substituting formula (27) into formula (25) yields formula (28).
$x^{(0)}(t'+1) = -a z^{(1)}(t'+1) + b$   (28)
The terms of the first-order accumulation generation sequence $X^{(1)}$ and of the initial sequence $X^{(0)}$ are brought into formula (28) and, after rearranging terms, give expression (29).
In this embodiment, the expression shown in formula (45) is obtained.
Step 2.4: determine the values of the parameters a and b in formula (29) by the least squares method, and establish the prediction model of the network security situation. The method specifically comprises the following steps:
Step 2.4.1: set three alternative parameter vectors, denoted respectively by the symbols $Y_t$, G and a third symbol; their values are shown in formula (30).
Step 2.4.2: substituting formula (30) into formula (29) yields formula (31).
Step 2.4.3: solve formula (31) by the least squares method to obtain the parameter estimates of the grey prediction model. The result of determining the grey model of the network security situation by the least squares method is shown in fig. 3.
Step 2.5: predict the security situation of the network system at the next moment by the grey prediction model, i.e. obtain the predicted value of the security situation of the network system. The method specifically comprises the following steps:
Step 2.5.1: the predicted value of the grey prediction model for the first-order accumulation generation sequence at the t-th moment is denoted by a dedicated symbol.
When t > 1, the parameter estimates of the grey prediction model obtained in step 2.4.3 are substituted into formula (22), and the grey differential equation is solved to obtain formula (33).
The predicted values of the grey prediction model for the first-order accumulation generation sequence at time t, formed by formulas (32) and (33), are shown in equation set (34).
According to formula (24), the differences between consecutive terms of equation set (34) are calculated to obtain equation set (35).
where the quantity so obtained represents the predicted value at time t of the initial sequence $X^{(0)}$ of the grey prediction model.
Through the operation of step 2.5, the grey prediction model shown in equation set (35) is obtained.
Step 2.6: check the accuracy of the grey prediction model. The method specifically comprises the following steps:
To evaluate the accuracy of the grey prediction model, the prediction sequence is compared with the initial sequence $X^{(0)}$ using formula (36) to obtain the accuracy of the prediction model, denoted by the symbol rel.
If rel > 0.9, the prediction result of the grey prediction model is considered credible.
Step three: determine the vulnerable node in the network system.
The situation of the network system is predicted by the grey prediction model obtained in step two to obtain the predicted values of the situation of the network system at different time points. The vulnerable nodes in the network system are analysed in real time according to the predicted situation value of the network system, and finally the vulnerable nodes of the network system are obtained. The method comprises the following specific steps:
Step 3.1: obtain the set of hosts attacked at the t-th moment (the current moment) and the set of hosts that may be attacked at the (t+1)-th moment (the next moment) but have not been attacked. The method specifically comprises the following steps:
Step 3.1.1: the symbol O denotes the set of all hosts in the network system, $O = (o_1, o_2, …, o_h)$; $o_h$ is the h-th host in the network system.
Step 3.1.2: acquire the reachability relation between the hosts in the network system according to the topological structure of the network system and the network routing table, and establish an inter-host reachability information table. The inter-host reachability information table includes a source host and a destination host.
Step 3.1.3: the symbol D denotes the set of attacked hosts in the network system at time t, $D = (d_1, d_2, …, d_y)$, $1 \le y \le h$; $d_y$ is the y-th attacked host in the network system.
Step 3.1.4: the symbol P denotes the set of hosts that may be attacked but have not yet been attacked in the network system at time t+1, $P = (p_1, p_2, …, p_z)$, $z = 1, 2, …, z'$, $z' \le h - y$.
Step 3.1.5: acquire the request access rate of each host relative to the whole network system according to the network system log, denoted by the symbol P(h). Then, according to formula (37), calculate the conditional probability that host $p_z$ is attacked at the (t+1)-th moment given that host $d_y$ has been attacked, denoted by the symbol $P(p_z|d_y)$.
where $P(d_y|p_z)$ represents the conditional probability that host $d_y$ is attacked given that host $p_z$ is attacked; $P(p_z)$ represents the prior probability that host $p_z$ is attacked; $P(d_y|\sim p_z)$ represents the conditional probability that host $d_y$ is attacked given that host $p_z$ is not attacked; $P(\sim p_z)$ represents the prior probability that host $p_z$ is not attacked.
Step 3.2: obtain the increase of the network system situation at time t+1 relative to time t caused by host $p_z$ according to formula (38), denoted by the symbol Δ.
$\Delta = S_{t+1} - S_t$   (38)
where $S_{t+1}$ represents the network security situation at the (t+1)-th moment and $S_t$ represents the network security situation at time t.
Step 3.3: perform correlation analysis between the predicted increment and the host situation of host $p_z$ to obtain the relevance of $p_z$. The method comprises the following steps:
Step 3.3.1: obtain the security situation matrix of the hosts that may be attacked at the (t+1)-th moment, denoted by the symbol SP, as shown in formula (39).
where $s_t(1), s_t(2), …, s_t(z)$ denote the situation values of the 1st, 2nd, …, z-th host respectively.
Step 3.3.2: calculate the relevance between formula (38) and formula (39).
Taking Δ obtained by formula (38) as the reference sequence and the term $s_t(z)$ of SP obtained by formula (39) as the comparison sequence, the correlation degree of the comparison sequence SP with respect to the reference sequence Δ is obtained according to formula (40).
where r(z) represents the relevance of host $p_z$ to Δ.
The symbol $R = [r_1, r_2, …, r_z]^T$ denotes the relevance to Δ of the hosts $p_z$ not marked as attacked. The obtained R indicates the possibility that each host not marked as attacked at time t+1 causes the change Δ of the network situation; the magnitude of $r_z$ indicates how strongly the host is likely to cause the situation change Δ, and a larger $r_z$ indicates a greater probability that the host causes Δ. The host corresponding to the largest $r_z$ is taken as the most vulnerable node at the (t+1)-th moment, thereby realizing the prediction from the overall, continuous-time-based network situation to the discrete, space-based vulnerable host node.
Step 3.3: calculate the conditional probability for the hosts in the set P according to formula (37); the conditional probability ranking result is denoted by the symbol U, as shown in formula (41).
$U = (u_1, u_2, …, u_z)$   (41)
The ranking result of formula (41) is compared with the vulnerability node prediction result $R = [r_1, r_2, …, r_z]^T$ of the set P; the symbol l denotes the number of ranking positions that are consistent with the conditional probability order.
The accuracy of the mapping method is verified according to formula (42), denoted by the symbol ul.
Through the operations of the above steps, the present embodiment is completed.
Step one: generate a network model and obtain the filtering and service list of the network model. The method specifically comprises the following steps:
Step 1.1: define the security situation features of the known network system. The simulated network structure of the network system is shown in fig. 1.
Fig. 1 depicts the topology of the simulated network system environment, which consists mainly of two parts: the network main body and the backup nodes. The part connected by solid lines is the device reachability network formed from the external network to the internal network of the network system. The environment sets a proxy server as the system boundary to isolate the internal network from the external network; the proxy server is the first barrier controlling external access. Two web servers and database servers are then provided to serve simple web requests and their data support respectively. The dotted-frame part of the figure is the hot backup node of the corresponding device, and the dotted connection indicates that it serves as the hot backup node of the corresponding device for security policy transfer. The description of each host node in the figure is given in table 1.
Table 1 network system node description table
A three-dimensional vector S = <W, V, R> is defined, where W represents the operation dimension index when the network operates and describes the condition of system operation within a certain time; V represents the vulnerability dimension index of the network and describes the vulnerability condition of the system as scanned by the scanning tool; R represents the abnormal dimension index of the network and describes the abnormal behaviours of various network attacks and misoperations in the network within a certain time. A block diagram of the overall system of network security situation impact characteristic indicators is shown in fig. 4.
Step 1.2: the observation matrix A of the feature mean values of the network system is obtained, as shown in expression (3.1).
The correlation degree of the features with respect to feature 1, obtained by processing matrix A, is shown in expression (3.2):
$\omega_f = [1\ \ 0.451\ \ 0.516\ \ 0.445\ \ 0.759\ \ 0.446\ \ 0.446\ \ 0.748\ \ 0.746\ \ 0.631\ \ 0.685]^T$   (3.2)
First the reference system is converted from system security feature 1 to the system as a whole; the eigenvalues and eigenvectors extracted for each index are then shown in fig. 2.
Therefore, the relevance of the system security features under the global scope is:
$\omega_f = [0.245\ \ 0.288\ \ 0.311\ \ 0.304\ \ 0.307\ \ 0.304\ \ 0.304\ \ 0.309\ \ 0.309\ \ 0.315\ \ 0.314]^T$
Step 1.3: similarly, the single-host situation matrix B formed by the single-host situations of the system hosts at different observation times is obtained, as shown in expression (3.3):
Fig. 5 shows the eigenvalues and eigenvectors extracted from matrix B. Selecting the eigenvector corresponding to the maximum eigenvalue gives the vector $\omega_k$, as shown in expression (3.4).
$\omega_k = [0.346\ \ 0.424\ \ 0.390\ \ 0.425\ \ 0.428\ \ 0.430]^T$   (3.4)
Step 1.4: according to the weights between the network security features determined in step 1.2 and the weights between the host nodes of the network system determined in step 1.3, the data fusion of the observed values of the sub-situation features scattered over each dimension at several moments is completed.
Summing the historical observation data and results of the network system obtained by the above calculation gives the historical data of the network at the observation times as $S_j = (0.1541, 0.1902, 0.2119, 0.2227, 0.204, 0.2334)$.
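To show how steps 1.2 to 1.4 of the method (and the embodiment's steps 1.2 to 1.4 just above) fit together, the following is an added example written for this page; it is not the patent's own program. Formulas (2), (4) to (8) and (11) are not reproduced on the page, so the example stands in for them with mean normalisation, Deng's grey relational coefficient with resolution coefficient 0.5, the pairwise relational degree as the entry of the symmetric matrix, and a weighted sum for the host situation; power iteration replaces the matlab eigenvector extraction. The observation data (three hosts, four of the eleven feature items, four time points) are constructed for the example.

```python
"""Grey relational weights and situation fusion (steps 1.2-1.4), pure Python."""
import math

# Constructed observations: OBS[host][t] = [cpu %, memory %, disk read MB/s, attack sources]
# (a 4-item subset of the patent's 11 feature items; the numbers are made up).
OBS = {
    "h1": [[35, 60, 12, 2], [38, 62, 14, 3], [44, 65, 15, 5], [51, 70, 18, 8]],
    "h2": [[20, 40, 8, 0], [22, 41, 9, 1], [25, 45, 9, 1], [27, 47, 10, 2]],
    "h3": [[55, 75, 20, 4], [58, 78, 22, 6], [63, 80, 25, 9], [70, 85, 27, 13]],
}
RHO = 0.5  # resolution coefficient of Deng's grey relational coefficient (assumption)


def columns(matrix):
    return [list(col) for col in zip(*matrix)]


def normalise(matrix):
    # Dimensionless processing (formula (2) is not on the page): each column is divided
    # by its mean so that columns of different units become comparable.
    means = [sum(col) / len(col) for col in columns(matrix)]
    return [[v / m for v, m in zip(row, means)] for row in matrix]


def relational_degree(reference, comparisons, rho=RHO):
    # Deng's grey relational degree of each comparison sequence with respect to the
    # reference sequence (stand-in for formulas (4)/(5) and (14)/(15)).
    diffs = [[abs(r - c) for r, c in zip(reference, seq)] for seq in comparisons]
    dmin = min(min(d) for d in diffs)
    dmax = max(max(d) for d in diffs)
    if dmax == 0.0:                      # identical sequences: perfectly related
        return [1.0] * len(comparisons)
    coeffs = [[(dmin + rho * dmax) / (d + rho * dmax) for d in row] for row in diffs]
    return [sum(row) / len(row) for row in coeffs]


def relational_matrix(matrix):
    # Symmetric non-negative matrix of pairwise relational degrees between columns.
    # Formula (6), which the page derives from the degrees against column 1, is not
    # shown, so the pairwise degree is used directly (diagonal 1, symmetric by construction).
    cols = columns(normalise(matrix))
    n = len(cols)
    return [[1.0 if i == k else relational_degree(cols[i], [cols[k]])[0]
             for k in range(n)] for i in range(n)]


def dominant_eigenvector(m, iters=1000, tol=1e-12):
    # Power iteration replaces the matlab eig() the page uses. For a non-negative
    # symmetric matrix the largest-modulus eigenvalue is real with a non-negative
    # eigenvector (Perron-Frobenius); the vector is returned with unit 2-norm.
    n = len(m)
    v = [1.0 / math.sqrt(n)] * n
    lam = 0.0
    for _ in range(iters):
        w = [sum(m[i][k] * v[k] for k in range(n)) for i in range(n)]
        lam = math.sqrt(sum(x * x for x in w))
        w = [x / lam for x in w]
        done = max(abs(a - b) for a, b in zip(w, v)) < tol
        v = w
        if done:
            break
    return lam, v


def feature_weights(obs):
    # Step 1.2: observation matrix A[t][i] = mean over hosts, then the weight vector W.
    hosts = list(obs)
    T, nf = len(obs[hosts[0]]), len(obs[hosts[0]][0])
    A = [[sum(obs[h][t][i] for h in hosts) / len(hosts) for i in range(nf)] for t in range(T)]
    return dominant_eigenvector(relational_matrix(A))[1]


def host_situations(obs, w):
    # Step 1.3.1: B[t][h] = s_t(h); formula (11) is taken to be the weighted sum
    # sum_i w_i * f_th(i) (assumption).
    hosts = list(obs)
    T = len(obs[hosts[0]])
    return [[sum(wi * f for wi, f in zip(w, obs[h][t])) for h in hosts] for t in range(T)]


def overall_situation(obs):
    # Step 1.4, formula (20): S_t = sum_h e_h * s_t(h), with E the host weight vector.
    w = feature_weights(obs)
    B = host_situations(obs, w)
    e = dominant_eigenvector(relational_matrix(B))[1]
    S = [sum(eh * s for eh, s in zip(e, row)) for row in B]
    return w, e, S


if __name__ == "__main__":
    w, e, S = overall_situation(OBS)
    print("feature weights W:", [round(x, 3) for x in w])
    print("host weights E:", [round(x, 3) for x in e])
    print("overall situation S_t:", [round(x, 3) for x in S])
```

The weight vectors come out with unit 2-norm, as the page's $\omega_f$ and $\omega_k$ vectors do; the overall situation $S_t$ is the fused scalar series that step two then models.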
Step two: establish the grey prediction model of the system based on the historical situation values of the network system, and obtain the situation trend of the system at the next, unknown moment.
Step 2.1: define the initial sequence $X^{(0)}$ of the grey model by inputting the historical calculation results of step one in time order, giving $X^{(0)} = (0.1541, 0.1902, 0.2119, 0.2227, 0.204, 0.2334)$, where n is the number of historical observations.
Step 2.2: accumulate the initial sequence $X^{(0)} = (0.1541, 0.1902, 0.2119, 0.2227, 0.204, 0.2334)$ term by term to form the generating sequence $X^{(1)} = (0.1541, 0.3443, 0.5562, 0.7789, 0.9829, 1.2163)$.
Step 2.3: establish the first-order grey differential equation for the generating sequence $X^{(1)}$,
$x^{(0)}(k+1) = -a z^{(1)}(k+1) + b$, k = 1, 2, …, n−1,
and substitute the values of the initial sequence $X^{(0)} = (0.1541, 0.1902, 0.2119, 0.2227, 0.204, 0.2334)$ and of $z^{(1)} = (0.24920, 0.45025, 0.66755, 0.88090, -1.0996)$ obtained from the generating sequence into the grey differential equation; the resulting system of grey differential equations is expressed as the matrix equation shown in expression (3.15).
Step 2.4: determine the parameters of the model by the least squares method and establish the prediction model of the network security situation. The result of determining the grey model of the network security situation by the least squares method is shown in fig. 3.
With the parameters so obtained, the predicted value of the accumulated situation at the 7th moment is obtained.
Restoring to the original data gives the predicted value:
Step 2.5: grey prediction accuracy check: after the fitting parameters are determined by the least squares method, the results, including those for the historical period, can be calculated by the grey prediction model of the network security situation. The prediction sequence given by the prediction model is obtained:
To evaluate the fitting accuracy of the prediction model, the predicted sequence must be compared with the original sequence $X^{(0)}$. The Euclidean formula is used to compare the original sequence with the predicted sequence, i.e. the squared differences of their corresponding entries:
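Step two of the method (steps 2.1 to 2.6) and the embodiment's steps 2.1 to 2.5 above describe a GM(1,1) grey model. The following is an added example, not the patent's own code, that runs the whole pipeline on the six-value history the embodiment lists. The page does not show formulas (27), (33) and (36); the example assumes the standard GM(1,1) background value (mean of adjacent accumulated terms), the standard time-response function, and, for rel, one minus the mean relative error of the fitted history. Each assumption is labelled in the code.

```python
"""GM(1,1) grey prediction of the overall network situation (steps 2.1-2.6), pure Python."""
import math

# Overall situation history S_j listed in the page's embodiment (step 1.4): six observation times.
X0 = [0.1541, 0.1902, 0.2119, 0.2227, 0.204, 0.2334]


def ago(x0):
    # First-order accumulated generating operation, formula (21): x1(t) = sum of x0(1..t).
    # It turns the irregular series into a monotone one that a first-order model can fit.
    out, acc = [], 0.0
    for v in x0:
        acc += v
        out.append(acc)
    return out


def background_values(x1):
    # z1(t'+1) = (x1(t') + x1(t'+1)) / 2, the mean of neighbouring accumulated terms.
    # Formula (27) is not shown on the page; this standard GM(1,1) choice reproduces
    # the z1 values the embodiment lists (0.24920, 0.45025, 0.66755, 0.88090, ...).
    return [(x1[k] + x1[k + 1]) / 2 for k in range(len(x1) - 1)]


def fit_gm11(x0):
    # Least-squares estimate of a, b in x0(t'+1) = -a z1(t'+1) + b (formula (28)):
    # ordinary linear regression of y = x0(2..n) on z1, slope -a and intercept b.
    z = background_values(ago(x0))
    y = x0[1:]
    n = len(z)
    sz, sy = sum(z), sum(y)
    szz = sum(v * v for v in z)
    szy = sum(v * w for v, w in zip(z, y))
    slope = (n * szy - sz * sy) / (n * szz - sz * sz)
    b = (sy - slope * sz) / n
    return -slope, b


def forecast(x0, a, b, steps=1):
    # Time response of the grey differential equation (formula (33), assumed standard form):
    #   x1hat(k+1) = (x0(1) - b/a) * exp(-a k) + b/a,  k = 0, 1, ...
    # followed by inverse accumulation x0hat(k+1) = x1hat(k+1) - x1hat(k) (formula (35)).
    n = len(x0)
    x1hat = [(x0[0] - b / a) * math.exp(-a * k) + b / a for k in range(n + steps)]
    x0hat = [x1hat[0]] + [x1hat[k] - x1hat[k - 1] for k in range(1, n + steps)]
    return x0hat


def accuracy(x0, x0hat):
    # Formula (36) is not on the page. Assumption used here: rel = 1 - mean relative
    # error between fitted and observed history; the page's rule "rel > 0.9 means
    # credible" is then applied to this figure.
    rel_errors = [abs(p - o) / abs(o) for o, p in zip(x0, x0hat)]
    return 1.0 - sum(rel_errors) / len(rel_errors)


def predict_next(x0=X0):
    # Full pipeline: fit a and b, refit the history, check rel, forecast S_{t+1}.
    a, b = fit_gm11(x0)
    x0hat = forecast(x0, a, b, steps=1)
    rel = accuracy(x0, x0hat[: len(x0)])
    return {"a": a, "b": b, "fitted": x0hat[: len(x0)],
            "next": x0hat[len(x0)], "rel": rel, "credible": rel > 0.9}


if __name__ == "__main__":
    r = predict_next()
    print(f"a={r['a']:.4f} b={r['b']:.4f} rel={r['rel']:.3f} credible={r['credible']}")
    print("next overall situation S_7 ~", round(r["next"], 4))
```

A negative a means the accumulated series grows, so the forecast for the 7th moment lies slightly above the last observed value; a model whose rel falls below 0.9 should not be used for the spatial mapping of step three.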
Step three, space mapping of the network space vulnerability nodes: mapping rules predicted by the time-based prediction model to the spatial network device nodes are implemented.
Step 3.1: and acquiring the reachability extension condition of the network equipment. Definition Pm=(p1,p2,…,pb) In a simulation environment, it is assumed that the currently simulated attack request has marked all services before the DB server, corresponding to the network topology, pmCorresponding host, host p1(10.1.112.124) and host p1(10.1.112.125) and corresponding backup node [ p ]3(10.1.112.126) and p4(10.1.112.127)]None of the nodes are accessed and may serve as the content to be accessed next. At this time, the hosts P4Is shown in table 2.
Table 2 observation table for security feature of node system accessing host
Step 3.2: and comparing the situation, and performing calculation analysis on situation changes generated by all reachable equipment nodes in the next period and the predicted situation values one by using correlation analysis to obtain the correlation analysis result of the predicted nodes and the current network situation, which is shown in table 3.
TABLE 3 correlation analysis table of prediction node and current network situation
Through situation calculation
Are respectively obtained
Ri=(r1,r2,r3,r4)=(0.6854,0.6617,0.5226,0.5773)
The result reflects the incidence relation between the network security situation which is represented by the host node and corresponds to the network security situation change at the next moment and the whole network security situation change. As can be seen from the results, p1、p2、p3、p4The correlation degrees of the corresponding host and the network security situation change under the predicted network environment are respectively as follows: ri(0.6854,0.6617,0.5226, 0.5773). According to the association rule, p1(10.1.112.124) the host has a high degree of influence on the network security situation, so that the node is predicted as a network device to be accessed next.
The verification of the result can be judged by the prior probability value deduced by the Bayesian network as shown in Table 4.
TABLE 4 attack request Bayesian network inference probability
The conditional probability of the table is calculated through a Bayesian network according to the predecessor probability of the unexpanded node. The results are consistent with the predictions. The Bayesian conditional probability calculation sequence (p1> p2> p4> p3) of the method is consistent with the predicted vulnerability node possibility ranking (r1> r2> r4> r3), so the effectiveness r of the method is 100%.
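Step three of the method (steps 3.1 to 3.3) and the embodiment's steps 3.1 and 3.2 above are illustrated by the following added example; it is not the patent's own program. It builds the candidate set P from a reachability table and the attacked set D, evaluates formula (37) as the page describes it (Bayes' rule over the complementary event), ranks the candidates to obtain U, and counts how many ranking positions agree with the relevance ranking R. The reachability table, the attacked set and the Bayesian inputs are constructed; the R values are those the page reports in Table 3; formula (42) is not on the page, so ul is taken as l divided by the number of candidates.

```python
"""Step three: candidate hosts, Bayesian attack probability (formula (37)) and ranking check."""

# Constructed inter-host reachability table (step 3.1.2): (source host, destination host).
# p1..p4 play the role of the page's hosts 10.1.112.124-127 (DB server and backup nodes).
REACH = [("proxy", "web1"), ("proxy", "web2"),
         ("web1", "p1"), ("web1", "p2"), ("web2", "p3"), ("web2", "p4")]
ATTACKED = {"proxy", "web1", "web2"}     # D: hosts already marked as attacked at time t

# Constructed Bayesian inputs per candidate host p_z, in the order the page names them:
#   P(d_y | p_z):  probability d_y is attacked given p_z is attacked
#   P(p_z):        prior probability that p_z is attacked
#   P(d_y | ~p_z): probability d_y is attacked given p_z is not attacked
BAYES_INPUTS = {"p1": (0.9, 0.3, 0.20), "p2": (0.8, 0.3, 0.30),
                "p3": (0.6, 0.2, 0.40), "p4": (0.7, 0.2, 0.35)}

# Relevance of each candidate to the situation increment, as the page reports in Table 3.
R_FROM_PAGE = {"p1": 0.6854, "p2": 0.6617, "p3": 0.5226, "p4": 0.5773}


def candidate_set(reach, attacked):
    # P (steps 3.1.3-3.1.4): hosts reachable from an attacked host but not attacked themselves.
    return sorted({dst for src, dst in reach if src in attacked and dst not in attacked})


def attack_probability(p_d_given_p, p_p, p_d_given_not_p):
    # Formula (37) as the page describes it: Bayes' rule with the complementary event,
    #   P(p_z|d_y) = P(d_y|p_z)P(p_z) / (P(d_y|p_z)P(p_z) + P(d_y|~p_z)P(~p_z)).
    if not 0.0 <= p_p <= 1.0:
        raise ValueError("prior must be a probability")
    num = p_d_given_p * p_p
    den = num + p_d_given_not_p * (1.0 - p_p)
    return num / den if den else 0.0


def conditional_ranking(candidates, inputs):
    # U (formula (41)): candidates ordered by descending P(p_z|d_y).
    probs = {h: attack_probability(*inputs[h]) for h in candidates}
    return sorted(candidates, key=lambda h: probs[h], reverse=True), probs


def relevance_ranking(candidates, r):
    # Vulnerable-node prediction: descending r_z; the first entry is the predicted node.
    return sorted(candidates, key=lambda h: r[h], reverse=True)


def ranking_consistency(u_order, r_order):
    # l = number of ranking positions where the two orders agree; ul = l / |P|.
    # Formula (42) is not on the page; the ratio is an assumption that gives the
    # page's "100%" when the two orders coincide.
    l = sum(1 for a, b in zip(u_order, r_order) if a == b)
    return l, l / len(u_order)


def run(reach=REACH, attacked=ATTACKED, inputs=BAYES_INPUTS, r=R_FROM_PAGE):
    candidates = candidate_set(reach, attacked)
    u_order, probs = conditional_ranking(candidates, inputs)
    r_order = relevance_ranking(candidates, r)
    l, ul = ranking_consistency(u_order, r_order)
    return {"P": candidates, "U": u_order, "probs": probs,
            "predicted_node": r_order[0], "l": l, "ul": ul}


if __name__ == "__main__":
    res = run()
    print("candidate set P:", res["P"])
    print("Bayesian order U:", res["U"], {h: round(p, 3) for h, p in res["probs"].items()})
    print("predicted vulnerable node:", res["predicted_node"], "l =", res["l"], "ul =", res["ul"])
```

With the constructed inputs the Bayesian order is p1 > p2 > p4 > p3, which matches the relevance order of the page's R values, so l = 4 and ul = 1.0; changing any prior or likelihood shows how quickly the two rankings can diverge, which is exactly what the check in formula (42) is meant to expose.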
Claims (1)
1. The active prediction method of the network vulnerability node based on the gray model is characterized in that: the specific operation steps are as follows:
firstly, acquiring a network security situation characteristic item and calculating a network state; the method specifically comprises the following steps:
step 1.1: determining a security situation characteristic item of a network system; the network security situation is described by dividing the network security situation into three dimensions from top to bottom, wherein the three dimensions are as follows: operating situation dimension, vulnerability situation dimension and abnormal situation dimension; the safety situation characteristic items used for describing the operation situation dimension comprise: CPU utilization rate, memory utilization rate and disk reading rate; the security posture feature items used to describe the vulnerability posture dimension include: vulnerability type, vulnerability score, event type and identity authentication degree; the safety situation characteristic items used for describing the abnormal situation dimension comprise: attack source number, attack time, attack frequency and equipment online state; therefore, the security posture feature items of the network system include 11 items, which are respectively: CPU utilization rate, memory utilization rate, disk reading rate, vulnerability type, vulnerability score, event type, identity authentication degree, attack source number, attack time, attack frequency and equipment online state;
step 1.2: periodically acquiring observation data of security situation characteristic items of a single host in a network system at different moments as a research object; calculating the mean value of observation data of each security situation characteristic item of all hosts in the network system at each moment, and determining the expression value weight of each security situation characteristic item under the global action of the whole network system by using a grey correlation analysis method so as to determine the influence weight of the network security characteristic item on the network global state expression; the method comprises the following specific steps:
step 1.2.1: calculating the mean value of the observation data of each security situation characteristic item of all hosts in the network system at each moment to obtain an observation matrix A, wherein the observation matrix A is shown in formula (1);
wherein t represents the t-th time, t = 1, 2, 3, …; $f_t(1), f_t(2), …, f_t(11)$ respectively represent the observed data mean values corresponding to the 11 security situation characteristic items at the t-th moment;
step 1.2.2: carrying out dimensionless processing on the observation matrix A by formula (2) to obtain the dimensionless observation matrix $A_1$, as shown in formula (3);
wherein i = 1, 2, …, 11;
step 1.2.3: setting the first column vector of the dimensionless observation matrix $A_1$ as the observation vector and the other column vectors as comparison vectors; calculating the correlation coefficient of each entry in each comparison vector through formula (4), and forming the correlation coefficient matrix M as shown in formula (5);
wherein j = 2, 3, …, 11;
step 1.2.4: obtaining the association degree between any two network security situation characteristic items through formula (6);
wherein k = 1, 2, …, 11; $\gamma_{(f(i),f(k))}$ represents the relevance of the network security situation characteristic items f(i) and f(k); the value of $\gamma_{(f(i),f(1))}$ is calculated by formula (7); the value of $\gamma_{(f(k),f(1))}$ is calculated by formula (8);
wherein T is the total number of time points taken;
step 1.2.5: obtaining the correlation matrix M' among all network security situation characteristic items according to the result of step 1.2.4, wherein the correlation matrix M' is shown in formula (9);
the relevance matrix M' is a nonnegative symmetric matrix and, by the property of nonnegative symmetric matrices, has a maximum-modulus eigenvalue, denoted by the symbol λ, such that λC = M'C, wherein λ is a nonnegative value and C is an eigenvector; the eigenvalues and eigenvectors of the relevance matrix M' are obtained with the eigenvalue and eigenvector extraction tool of matlab for nonnegative symmetric matrices, and the eigenvector corresponding to the maximum-modulus eigenvalue λ is denoted by the symbol W, W ∈ C, $W = [\omega_1, \omega_2, …, \omega_{11}]^T$, wherein $\omega_i$ represents the influence weight of the i-th network security feature item on the global state of the network, i = 1, 2, …, 11;
through the operation of this step, the influence weight of each network security feature item on the global state of the network is obtained;
step 1.3: acquiring observation data of all network security feature items of all hosts in the network system at different time points, acquiring the single-host situation shown by each host at each time point according to the influence weight of each network security feature item on the global state of the network obtained in step 1.2, and acquiring the importance proportions among the hosts in the network system by the grey correlation analysis method;
step 1.3.1: the host situation calculation matrix B is formed by the host situation values of all hosts in the network system at different time points, as shown in formula (10);
wherein h represents the h-th host, h = 1, 2, 3, …; $s_t(1), s_t(2), …, s_t(h)$ respectively represent the host situation values of the 1st, 2nd, …, h-th hosts in the network system at the t-th moment, obtained by calculation with formula (11);
wherein $s_t(h)$ represents the host situation value of the h-th host at the t-th moment; $f_{th}(i)$ represents the observed value of the i-th network security situation characteristic item f(i) at moment t on the h-th host;
step 1.3.2: carrying out dimensionless processing on the single-host situation matrix B as shown in formula (12) to obtain the dimensionless single-host situation calculation matrix $B_1$, as shown in formula (13);
step 1.3.3: setting the first column vector of the dimensionless single-host situation calculation matrix $B_1$ as the observation vector and the other column vectors as comparison vectors; calculating the correlation coefficient of each entry in each comparison vector through formula (14), and forming the correlation coefficient matrix H as shown in formula (15);
wherein m = 1, 2, 3, …;
step 1.3.4: obtaining the association degree between any two hosts through formula (16);
wherein q = 1, 2, 3, …; $\gamma_{(h(m),h(q))}$ represents the relevance of the network hosts h(m) and h(q); the value of $\gamma_{(h(m),h(1))}$ is calculated by formula (17); the value of $\gamma_{(h(q),h(1))}$ is calculated by formula (18);
step 1.3.5: obtaining the correlation matrix H' among the network hosts according to the result of step 1.3.4, wherein the correlation matrix H' is shown in formula (19);
the correlation matrix H' between the hosts is a nonnegative symmetric matrix and, by the property of nonnegative symmetric matrices, has a maximum-modulus eigenvalue, denoted by the symbol λ', such that λ'C' = H'C', wherein λ' is a nonnegative value and C' is an eigenvector; the eigenvalues and eigenvectors of the correlation matrix H' are extracted with matlab, and the eigenvector corresponding to the maximum-modulus eigenvalue λ' is denoted by the symbol E, E ∈ C', $E = [e_1, e_2, …, e_h]^T$, wherein $e_h$ represents the importance of the h-th host in the network, h = 1, 2, 3, …;
through the operation of this step, the importance weight of each network host in the overall network situation is obtained;
step 1.4: obtaining, through formula (20), the history data of the overall situation of the system from the influence weight of each network security feature item on the global state of the network obtained in step 1.2 and the importance weight of each host in the network system obtained in step 1.3; the history data are represented by the symbol S, $S = (S_1, S_2, …, S_t)$;
$S_t = \sum_h e_h \times s_t(h)$   (20)
Establishing a grey prediction model of the network system based on the overall situation historical data of the network system, wherein the grey prediction model is used for predicting the situation of the network system at the next moment; the method specifically comprises the following steps:
step 2.1: denote the initial sequence of the grey model by X^(0), X^(0) = (x^(0)(1), x^(0)(2), …, x^(0)(t)), where x^(0)(1), x^(0)(2), …, x^(0)(t) represent the overall situation values of the network at the 1st, 2nd, …, t-th moments respectively; take the overall situation historical data S of the network system obtained in step one as the initial sequence X^(0): x^(0)(1) = S_1, x^(0)(2) = S_2, …, x^(0)(t) = S_t;
step 2.2: compute the first-order accumulation of the initial sequence X^(0) by formula (21) and denote it by X^(1); X^(1) = {x^(1)(1), x^(1)(2), …, x^(1)(t)}, where x^(1)(1), x^(1)(2), …, x^(1)(t) represent the sum of the overall network situation from the 1st moment to the 1st moment, from the 1st to the 2nd moment, …, and from the 1st to the t-th moment respectively;
x^(1)(t) = Σ_{i=1}^{t} x^(0)(i)   (21)
Computing the first-order accumulated generating sequence weakens the randomness and correlation of the original data items and models the overall trend from a global perspective, so that a trend model can be formed to understand and predict situation changes;
step 2.3: because the first-order accumulated generating sequence X^(1) is obtained by accumulating an irregular historical data sequence, it becomes a rising sequence with an exponential growth law; the process of computing the first-order accumulated generating sequence has a form similar to the grey differential equation of a first-order model; therefore a first-order differential equation, shown as formula (22), is established for the first-order accumulated generating sequence X^(1);
where a and b are parameters to be determined by the system, both of them real-valued;
formula (22) is integrated via formula (23) and discretized;
where t′ = 1, 2, …, t−1;
the relationship shown in formula (24) follows from formula (21);
x^(1)(t′+1) − x^(1)(t′) = x^(0)(t′+1)   (24)
the general formula of the grey prediction model, shown as formula (25), is obtained from formulas (23) and (24);
solving the integral term in formula (25) gives formula (26);
denote the solution of the integral term of formula (25) by z^(1)(t′+1), which gives formula (27);
substituting formula (27) into formula (25) gives formula (28);
x^(0)(t′+1) = −a z^(1)(t′+1) + b   (28)
substituting the terms of the first-order accumulated generating sequence X^(1) and the initial sequence X^(0) into formula (28) and rearranging the terms gives expression (29);
step 2.4: determine the values of the parameters a and b in formula (29) by the least squares method and establish the prediction model of the network security situation; specifically:
step 2.4.1: set three auxiliary parameter vectors (among them the ones denoted by the symbols Y_t and G); their values are given in formula (30);
step 2.4.2: substitute formula (30) into formula (29) to obtain formula (31);
step 2.4.3: solve formula (31) by the least squares method to obtain the parameter estimates of the grey prediction model;
step 2.5: predict the security situation of the network system at the next moment with the grey prediction model, i.e. obtain the predicted value of the network system security situation; specifically:
step 2.5.1: a symbol is assigned to the predicted value of the first-order accumulated generating sequence of the grey prediction model at the t-th moment;
when t > 1, substitute the parameter estimates of the grey prediction model obtained in step 2.4.3 into formula (22) and solve the grey differential equation to obtain formula (33);
the predicted values of the first-order accumulated generating sequence at moment t, given by formulas (32) and (33), form the equation set (34);
differencing the equations of set (34) according to formula (24) yields equation set (35);
where the resulting symbol denotes the predicted value of the initial sequence X^(0) of the grey prediction model at moment t;
the grey prediction model shown in formula (35) is obtained through the operations of step 2.5;
step 2.6: check the precision of the grey prediction model; specifically:
to evaluate the accuracy of the grey prediction model, the predicted sequence is compared with the initial sequence X^(0) using formula (36), giving the accuracy of the prediction model, denoted rel;
if rel > 0.9, the prediction result of the grey prediction model is considered credible;
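Steps 2.1 to 2.6 together are the classical GM(1,1) procedure. The following is an added example, not code from the patent, that runs the whole chain on a constructed situation history: accumulation (formula (21)), a background sequence for z^(1), the least-squares estimate of a and b, the time response, the inverse accumulation of formula (24), and the rel > 0.9 credibility check. Because formulas (30) to (36) are not reproduced on this page, the trapezoidal background value, the normal-equation set-up and the accuracy measure rel (1 minus the mean absolute relative error) are textbook choices and are assumptions here; the example also handles the a ≈ 0 case, where the exponential time response divides by a and the model degenerates to a linear trend.

```python
"""GM(1,1) grey prediction of the overall network situation (step two,
steps 2.1-2.6). Added example in the standard GM(1,1) formulation; the
situation history below is constructed. The background value z, the
least-squares set-up and the accuracy measure `rel` are textbook choices
standing in for formulas (30)-(36), which are not reproduced on the page."""
import math
from typing import List, Tuple


def ago(x0: List[float]) -> List[float]:
    """Formula (21): first-order accumulated generating sequence X(1)."""
    out, acc = [], 0.0
    for v in x0:
        acc += v
        out.append(acc)
    return out


def background(x1: List[float]) -> List[float]:
    """Assumed mean generating sequence z(1)(k) = (x(1)(k) + x(1)(k-1)) / 2,
    the usual closed form of the integral term behind formula (27)."""
    return [0.5 * (x1[k] + x1[k - 1]) for k in range(1, len(x1))]


def fit_gm11(x0: List[float]) -> Tuple[float, float]:
    """Least-squares estimate (step 2.4) of a and b in x(0)(k) = -a z(1)(k) + b,
    solved from the 2x2 normal equations without a matrix library."""
    if len(x0) < 4:
        raise ValueError("GM(1,1) needs at least four observations")
    z = background(ago(x0))
    y = x0[1:]
    n = len(z)
    szz = sum(v * v for v in z)
    sz = sum(z)
    szy = sum(v * w for v, w in zip(z, y))
    sy = sum(y)
    # Normal equations: [[szz, -sz], [-sz, n]] [a, b]^T = [-szy, sy]^T
    det = szz * n - sz * sz
    if abs(det) < 1e-12:
        raise ValueError("degenerate background sequence; cannot fit")
    a = (-szy * n + sz * sy) / det
    b = (szz * sy - sz * szy) / det
    return a, b


def predict(x0: List[float], a: float, b: float, steps: int = 1) -> List[float]:
    """Step 2.5: time response of the accumulated sequence followed by the
    inverse accumulation of formula (24). Returns the fitted values for
    moments 1..t plus `steps` forecasts."""
    total = len(x0) + steps
    if abs(a) < 1e-12:
        # Edge case: a == 0 means dx(1)/dt = b, so X(1) grows linearly and
        # every restored value equals b (the exponential form divides by a).
        x1_hat = [x0[0] + b * k for k in range(total)]
    else:
        c = x0[0] - b / a
        x1_hat = [c * math.exp(-a * k) + b / a for k in range(total)]
    return [x0[0]] + [x1_hat[k] - x1_hat[k - 1] for k in range(1, total)]


def accuracy(x0: List[float], x0_hat: List[float]) -> float:
    """Assumed accuracy measure rel = 1 - mean(|x0 - x0_hat| / |x0|) over the
    fitted range; stands in for the page's formula (36)."""
    errs = [abs(o - p) / abs(o) for o, p in zip(x0, x0_hat) if o != 0]
    return 1.0 - sum(errs) / len(errs)


def credible(rel: float) -> bool:
    """Step 2.6 threshold: the forecast is trusted only when rel > 0.9."""
    return rel > 0.9


def forecast_next(x0: List[float]) -> Tuple[float, float, bool]:
    """Fit, forecast the next moment and report (forecast, rel, credible)."""
    a, b = fit_gm11(x0)
    x0_hat = predict(x0, a, b, steps=1)
    rel = accuracy(x0, x0_hat[: len(x0)])
    return x0_hat[-1], rel, credible(rel)


# Constructed overall situation history S = (S_1, ..., S_t).
S_HISTORY = [0.42, 0.45, 0.49, 0.52, 0.57, 0.61]

if __name__ == "__main__":
    nxt, rel, ok = forecast_next(S_HISTORY)
    print(f"S_{len(S_HISTORY) + 1} forecast = {nxt:.4f}, "
          f"rel = {rel:.4f}, credible = {ok}")
```

A useful property check: for an exactly geometric history x^(0)(k) = 2·1.1^(k−1) the pairs (z^(1)(k), x^(0)(k)) lie on one straight line, so the least squares fit returns a = −2/21 and b = 40/21 exactly, and the one-step forecast lands within a fraction of a percent of the true continuation; a constant history gives a = 0 and exercises the degenerate branch.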
step three: determining vulnerability nodes in the network system;
predict the situation of the network system with the grey prediction model obtained in step two to obtain the predicted situation values of the network system at different time points; analyze the vulnerability nodes in the network system in real time from the predicted situation values to finally obtain the vulnerability nodes of the network system; specifically:
step 3.1: obtain the set of hosts attacked at moment t, i.e. the current moment, and the set of hosts that may be attacked at moment t+1 but have not yet been attacked; specifically:
step 3.1.1: the symbol O denotes the set of all hosts in the network system, O = (o_1, o_2, …, o_h); o_h is the h-th host in the network system;
step 3.1.2: obtain the reachability relations among all hosts in the network system from the topology of the network system and the network routing table, and build an inter-host reachability table; the inter-host reachability table contains the source host and the destination host;
step 3.1.3: the symbol D denotes the set of hosts in the network system attacked at moment t; d_y is the y-th attacked host in the network system;
step 3.1.4: the symbol P denotes the set of hosts in the network system that may be attacked but have not yet been attacked at moment t+1;
step 3.1.5: from the network system logs, obtain the request access rate of each host relative to the whole network system, denoted P(h); then, according to formula (37), compute the conditional probability that host p_z is attacked given that host d_y is attacked at moment t+1, denoted P(p_z | d_y);
where P(d_y | p_z) is the conditional probability that host d_y is attacked given that host p_z is attacked; P(p_z) is the prior probability that host p_z is attacked; P(d_y | ¬p_z) is the conditional probability that host d_y is attacked given that host p_z is not attacked; P(¬p_z) is the prior probability that host p_z is not attacked;
step 3.2: according to formula (38), obtain the increment of the network system situation at moment t+1 over moment t caused by host p_z, denoted Δ;
Δ = S_{t+1} − S_t   (38)
where S_{t+1} is the network security situation at moment t+1 and S_t is the network security situation at moment t;
step 3.3: perform correlation analysis between the predicted increment Δ and the situation of each host p_z to obtain the correlation degree of p_z; specifically:
step 3.3.1: obtain the security situation matrix of the hosts that may be attacked at moment t+1, denoted SP, as shown in formula (39);
where s_t(1), s_t(2), …, s_t(z) are the situation values of host 1, host 2, …, host z respectively;
step 3.3.2: compute the degree of association between formula (38) and formula (39);
take Δ from formula (38) as the reference sequence and the terms s_t(z) of SP from formula (39) as the comparison sequences; obtain the correlation degree of the comparison sequences SP to the reference sequence Δ according to formula (40);
where r(z) represents the degree of association between the situation of host p_z and Δ;
R = [r_1, r_2, …, r_z]^T denotes the set of association degrees between Δ and the situations of the hosts p_z not marked as attacked; the obtained R = [r_1, r_2, …, r_z]^T indicates how likely each host not marked as attacked at moment t+1 is to have caused the network situation change Δ; the magnitude of r_z indicates the strength of the possibility that host p_z caused the situation change Δ, a larger r_z meaning a greater likelihood; the host with the largest r_z is taken as the most vulnerable node at moment t+1, which realizes the prediction from the overall, continuous-time network situation to discrete, space-based vulnerable host nodes;
step 3.3: compute the conditional probability of each host in the set P according to formula (37); the ordering of the conditional probabilities is denoted U, as shown in formula (41);
U = (u_1, u_2, …, u_z)   (41)
the ranking result of formula (41) is compared with the vulnerability node prediction result R = [r_1, r_2, …, r_z]^T of the set P, and the number of positions in which the association-degree ranking agrees with the conditional probability ordering is denoted l;
the accuracy of the vulnerability node confirmation result is verified according to formula (42) and denoted ul;
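Step three combines two independent rankings of the candidate set P: the grey relational degrees R (steps 3.2 and 3.3) and the Bayesian conditional probabilities U (steps 3.1.5 and 3.3), with l counting where they agree. The following is an added example with constructed data, not code from the patent. Since formulas (37), (40) and (42) are not reproduced on this page, it assumes Bayes' rule over the four terms the text names for (37), Deng's grey relational grade for (40), a short window of increments so that Δ and each host's situation form sequences rather than single numbers, and ul = l / |P| for (42); these are assumptions, as marked in the code.

```python
"""Step three: rank the hosts that may be attacked at moment t+1 by the grey
relational degree between the predicted situation increment Δ and each host's
situation, then cross-check the ranking against Bayesian attack probabilities.
Added example with constructed data; the Bayes expansion used for formula (37),
Deng's grey relational grade used for formula (40), the window of increments
that turns Δ into a sequence, and ul = l / |P| for formula (42) are assumptions."""
from typing import Dict, List, Sequence


def p_attacked_given_attacked(p_d_given_p: float, p_p: float,
                              p_d_given_not_p: float) -> float:
    """P(p_z | d_y) from the four terms listed in the text, P(d_y|p_z), P(p_z),
    P(d_y|~p_z) and P(~p_z) = 1 - P(p_z), combined by Bayes' rule (assumed
    form of formula (37))."""
    for v in (p_d_given_p, p_p, p_d_given_not_p):
        if not 0.0 <= v <= 1.0:
            raise ValueError("probabilities must lie in [0, 1]")
    num = p_d_given_p * p_p
    den = num + p_d_given_not_p * (1.0 - p_p)
    if den == 0.0:
        raise ValueError("P(d_y) is zero; the conditional is undefined")
    return num / den


def grey_relational_grades(reference: Sequence[float],
                           comparisons: Sequence[Sequence[float]],
                           rho: float = 0.5) -> List[float]:
    """Deng's grey relational grade r(z) of each comparison sequence to the
    reference sequence Δ (assumed form of formula (40))."""
    diffs = [[abs(r - c) for r, c in zip(reference, comp)] for comp in comparisons]
    flat = [d for row in diffs for d in row]
    d_min, d_max = min(flat), max(flat)
    if d_max == 0.0:
        return [1.0] * len(comparisons)  # every host tracks Δ exactly
    return [sum((d_min + rho * d_max) / (d + rho * d_max) for d in row) / len(row)
            for row in diffs]


def rank_order(values: Sequence[float]) -> List[int]:
    """Indices sorted by descending value (ties keep input order)."""
    return sorted(range(len(values)), key=lambda i: -values[i])


def count_consistent(r: Sequence[float], u: Sequence[float]) -> int:
    """l: number of rank positions where the R ordering and the U ordering
    name the same host."""
    return sum(1 for i, j in zip(rank_order(r), rank_order(u)) if i == j)


def analyse(hosts: Dict[str, dict], delta_seq: Sequence[float]) -> dict:
    """Full step-three pass over the candidate set P."""
    names = list(hosts)
    r = grey_relational_grades(delta_seq, [hosts[n]["situation"] for n in names])
    u = [p_attacked_given_attacked(**hosts[n]["bayes"]) for n in names]
    l = count_consistent(r, u)
    return {
        "R": dict(zip(names, r)),
        "U": dict(zip(names, u)),
        "most_vulnerable": names[rank_order(r)[0]],
        "l": l,
        "ul": l / len(names),  # assumed form of formula (42)
    }


# Constructed data: Δ over the last three steps, and for each candidate host
# its situation increments over the same steps plus the Bayes inputs.
DELTA_SEQ = [0.10, 0.20, 0.30]
HOSTS = {
    "p1": {"situation": [0.10, 0.20, 0.30],
           "bayes": {"p_d_given_p": 0.9, "p_p": 0.5, "p_d_given_not_p": 0.1}},
    "p2": {"situation": [0.30, 0.20, 0.10],
           "bayes": {"p_d_given_p": 0.6, "p_p": 0.5, "p_d_given_not_p": 0.4}},
    "p3": {"situation": [0.05, 0.15, 0.25],
           "bayes": {"p_d_given_p": 0.5, "p_p": 0.2, "p_d_given_not_p": 0.5}},
}

if __name__ == "__main__":
    print(analyse(HOSTS, DELTA_SEQ))
```

On the constructed data p1 moves exactly with Δ and gets relational degree 1, p3 runs parallel to Δ (degree 2/3) and p2 moves against it (degree 5/9), so R names p1 as the most vulnerable node; the Bayesian ordering U agrees only on the top position, giving l = 1 and ul = 1/3, which is the kind of disagreement the formula (42) check is meant to surface.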
Priority Applications (1)
Application Number | Priority Date | Filing Date | Title |
---|---|---|---|
CN201810763946.1A CN109040027B (en) | 2018-07-12 | 2018-07-12 | Active prediction method of network vulnerability node based on gray model |
Applications Claiming Priority (1)
Application Number | Priority Date | Filing Date | Title |
---|---|---|---|
CN201810763946.1A CN109040027B (en) | 2018-07-12 | 2018-07-12 | Active prediction method of network vulnerability node based on gray model |
Publications (2)
Publication Number | Publication Date |
---|---|
CN109040027A CN109040027A (en) | 2018-12-18 |
CN109040027B true CN109040027B (en) | 2020-08-18 |
Family
ID=64641906
Family Applications (1)
Application Number | Title | Priority Date | Filing Date |
---|---|---|---|
CN201810763946.1A Active CN109040027B (en) | 2018-07-12 | 2018-07-12 | Active prediction method of network vulnerability node based on gray model |
Country Status (1)
Country | Link |
---|---|
CN (1) | CN109040027B (en) |
Families Citing this family (7)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
EP3966699A4 (en) * | 2019-05-10 | 2023-01-11 | Cybeta, LLC | System and method for cyber security threat assessment |
CN111080074B (en) * | 2019-11-21 | 2022-07-12 | 西安交通大学 | System service security situation element obtaining method based on network multi-feature association |
CN111045845B (en) * | 2019-11-29 | 2021-09-17 | 苏州浪潮智能科技有限公司 | Data returning method, device, equipment and computer readable storage medium |
CN111510332A (en) * | 2020-04-14 | 2020-08-07 | 杭州练链科技有限公司 | Network security state prediction system |
CN112637207A (en) * | 2020-12-23 | 2021-04-09 | 中国信息安全测评中心 | Network security situation prediction method and device |
CN113139586B (en) * | 2021-03-31 | 2022-09-23 | 同济大学 | Model training method, device abnormality diagnosis method, electronic device, and medium |
CN114565196B (en) * | 2022-04-28 | 2022-07-29 | 北京零点远景网络科技有限公司 | Multi-event trend prejudging method, device, equipment and medium based on government affair hotline |
Family Cites Families (6)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
TW200933517A (en) * | 2008-01-22 | 2009-08-01 | Univ Nat Pingtung Sci & Tech | Calculating method of systematic risk |
CN102340485B (en) * | 2010-07-19 | 2015-01-21 | 中国科学院计算技术研究所 | Network security situation awareness system and method based on information correlation |
CN104219091A (en) * | 2014-08-27 | 2014-12-17 | 中国科学院计算技术研究所 | System and method for network operation fault detection |
CN105809578A (en) * | 2016-05-30 | 2016-07-27 | 北京师范大学 | Regional water environment risk evaluating and region dividing method |
CN106411896B (en) * | 2016-09-30 | 2019-04-23 | 重庆邮电大学 | Network security situation prediction method based on APDE-RBF neural network |
CN106789214B (en) * | 2016-12-12 | 2019-10-11 | 广东工业大学 | A kind of network situation awareness method and device based on just remaining double string algorithms |
- 2018-07-12 CN CN201810763946.1A patent/CN109040027B/en active Active
Also Published As
Publication number | Publication date |
---|---|
CN109040027A (en) | 2018-12-18 |
Legal Events
Date | Code | Title | Description |
---|---|---|---|
PB01 | Publication | ||
SE01 | Entry into force of request for substantive examination | ||
GR01 | Patent grant | ||