CN109120646B - Network optimal defense system construction method based on Monte Carlo graph search algorithm - Google Patents
- Publication number: CN109120646B (application CN201811259465.3A)
- Authority: CN (China)
- Prior art keywords: host, priority, network system, attacked, vulnerability
- Legal status: Active (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
Classifications
- H—ELECTRICITY
- H04—ELECTRIC COMMUNICATION TECHNIQUE
- H04L—TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
- H04L63/00—Network architectures or network communication protocols for network security
- H04L63/14—Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic
- H04L63/1433—Vulnerability analysis
- H—ELECTRICITY
- H04—ELECTRIC COMMUNICATION TECHNIQUE
- H04L—TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
- H04L63/00—Network architectures or network communication protocols for network security
- H04L63/14—Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic
- H04L63/1441—Countermeasures against malicious traffic
Landscapes
- Engineering & Computer Science (AREA)
- Computer Security & Cryptography (AREA)
- Computer Hardware Design (AREA)
- Computing Systems (AREA)
- General Engineering & Computer Science (AREA)
- Computer Networks & Wireless Communication (AREA)
- Signal Processing (AREA)
- Data Exchanges In Wide-Area Networks (AREA)
- Information Retrieval, Db Structures And Fs Structures Therefor (AREA)
- Computer And Data Communications (AREA)
Abstract
The invention relates to a network optimal defense system construction method based on a Monte Carlo graph search algorithm and belongs to the technical field of information security. The specific operation steps are: step one, initialization; step two, constructing the network system defense system through the Monte Carlo graph search algorithm. Compared with the prior art, the optimal defense system construction method based on the Monte Carlo graph search algorithm provided by the invention has the following advantages: first, the method is suitable for a plurality of attackers and a single defender; second, the construction speed of the optimal defense system is high; third, the construction of the optimal defense system is not influenced by the network structure.
Description
Technical Field
The invention relates to a network optimal defense system construction method based on a Monte Carlo graph search algorithm, and belongs to the technical field of information security.
Background
In network defense, defenders often face attacks from multiple attackers around the world. It is therefore crucial to establish an optimal defense system based on the network in which the defender is located. An optimal defense system is a defense system constructed to defend effectively against an attacker's attacks. At present, the optimal defense system is mainly constructed by dynamically adjusting the defense strategy in response to multiple attacks by an attacker and finally building the defense system.
Currently, the most popular methods are the ant colony optimization algorithm and the blocking attack graph algorithm. The ant colony optimization algorithm has the advantage that, being an improvement of a heuristic algorithm, it inherits the advantages of heuristic algorithms, namely it can obtain more ideal genetic offspring; its problem is that the original paper does not explicitly give a method for calculating the key parameters in its formula. The blocking attack graph algorithm has the advantage of establishing a two-layer game model and taking the Nash equilibrium result as the criterion for ending the game; its problems are that its application range is small, since it is only suitable for the game between one attacker and one defender, and that its construction time is greatly influenced by the network structure.
The existing algorithm employed in the present invention is the Monte Carlo algorithm, which gradually builds an asymmetric search tree by randomly playing out a game. It can be divided into four steps: selection, expansion, simulation and back propagation. Applying the Monte Carlo algorithm to the construction of the optimal defense system allows the vulnerability risk degree to be combined into the construction more effectively and reduces the space complexity of the algorithm.
Disclosure of Invention
The invention aims to overcome the defects of the existing network defense system construction method and provides a network optimal defense system construction method based on a Monte Carlo graph search algorithm.
The purpose of the invention is realized by the following technical scheme.
The invention discloses a network optimal attack path planning method based on a Monte Carlo graph search algorithm, which comprises the following specific operation steps:
Step one: acquire network system state information.
Step 1.1: Obtain the network structure. Acquire the software applications of all hosts in the network system and establish a software-application-to-host correspondence table.
The software application and host correspondence table comprises: software application name and host name.
Step 1.2: Obtain the session links among all hosts in the network system and establish an inter-host session link table. The inter-host session link table includes: source host name and target host name.
Step 1.3: Obtain the vulnerabilities existing on each host in the network system, establish a host vulnerability state table, and set a priority for each host according to that table. The host vulnerability state table includes: host name, vulnerability ID and vulnerability category.
Step two: construct the network system defense system through the Monte Carlo graph search algorithm. This comprises the following steps:
Step 2.1: Establish the optimal attack path sequence, denoted by the symbol L, whose initial value is null.
Step 2.2: Establish the host weight vector table. It comprises the initial values of the priority of each host in the network system, the number of vulnerabilities on each host, the number of times each host has been attacked, and the number of times attacks on each host have succeeded.
The initial value of each host's priority is the sum of the CVSS scores of all vulnerabilities on that host; the number of vulnerabilities on each host is obtained through a vulnerability retrieval tool; the initial values of the attacked count and the attack-success count of each host are both 0. The CVSS score of a vulnerability is obtained by querying the Common Vulnerability Scoring System.
Step 2.3: Selection. According to the priority of each host, find the path with the highest sum of host priorities as the optimal attack path using a depth-first strategy, and store it in the optimal attack path sequence L.
Step 2.4: Simulation. The attacker launches one attack against each host on the attack path from step 2.3; after the attack is finished, the attacked count and the attack-success count of every node on the attack path are recorded.
Step 2.5: Back propagation. For the node corresponding to each host attacked in step 2.4, adjust its priority using equation (1); for the node corresponding to each host not attacked in step 2.4, adjust its priority using equation (2).
$p_{ua} = p_{pre} + \delta$ (1)
where $p_{ua}$ is the adjusted priority of the attacked host; $p_{pre}$ is the priority of the attacked host before adjustment; $\delta$ is a parameter calculated by formula (3).
$p_{safe} = p_{pr} - \delta$ (2)
where $p_{safe}$ is the adjusted priority of the host that was not attacked; $p_{pr}$ is the priority of that host before adjustment; $\delta$ is determined by the difference between the maximum host priority $p_{max}$ and the minimum host priority $p_{min}$ in the current network system, and is calculated by formula (3).
$\delta = \xi\,(p_{max} - p_{min})$ (3)
where $p_{max}$ is the maximum host priority in the current network system; $p_{min}$ is the minimum host priority in the current network system; $\xi$ is an adjustment parameter with $\xi \in [0.1, 10]$.
Step 2.6: the operations of step 2.3 to step 2.6 are repeated until no feasible attack path exists in the network system. At this time, the construction of the defense system is completed, and the operation is finished.
And completing the construction of the optimal defense system of the network system through the operation of the steps.
Compared with the prior art, the network optimal defense system construction method based on the Monte Carlo graph search algorithm provided by the invention has the following advantages:
the method is suitable for a plurality of attackers and a defender;
secondly, the construction speed of the optimal defense system is high;
and the construction of the optimal defense system is not influenced by the network structure.
Drawings
FIG. 1 is a flowchart illustrating the operation of a method for constructing a network defense system based on a Monte Carlo graph search algorithm according to an embodiment of the present invention;
fig. 2 is a network topology diagram in an embodiment of the present invention.
Detailed Description
The invention is described in detail below with reference to the drawings and the embodiment.
The optimal defense system of the network system is obtained using the method for constructing an optimal defense system based on the Monte Carlo graph search algorithm; the operation flow is shown in FIG. 1, and the specific operation steps are as follows:
The invention discloses an optimal attack path planning method based on a Monte Carlo graph search algorithm, which comprises the following specific operation steps:
Step one: acquire network system state information.
Step 1.1: Obtain the network structure; the network topology is shown in FIG. 2. Acquire the software applications of all hosts in the network system and establish a software-application-to-host correspondence table, as shown in Table 1. The software application and host correspondence table comprises: software application name and host name.
TABLE 1 Software application to host mapping table
Software application name | Host name |
---|---|
IIS7.0 | H2, H3 |
BIND 9 | H1, H2, H5 |
Sendmail 8.13 | H3, H4, H5, H7 |
MySQL 5.7 | H1, H3, H5, H6, H7 |
Serv-U 10.5 | H3, H4, H6, H7 |
IE6.0 | H3, H4 |
Step 1.2: session links between hosts in a network system are obtained, and an inter-host session link table is established, as shown in table 2. The inter-host session link table includes: a source hostname and a target hostname.
Table 2 inter-host session link table
Wherein, 1 represents that two hosts are directly communicated, and 0 represents that two hosts are not directly communicated.
Step 1.3: the method comprises the steps of obtaining bugs existing in each host in a network system, establishing a host bug state table as shown in table 3, and setting priority for each host according to the host bug state table. The host vulnerability status table includes: host name, vulnerability ID, and vulnerability category.
TABLE 3 host vulnerability State Table
Step two: construct the network system defense system through the Monte Carlo graph search algorithm. This comprises the following steps:
Step 2.1: Establish the optimal attack path sequence, denoted by the symbol L, whose initial value is null.
Step 2.2: Establish the host weight vector table. It comprises the initial values of the priority of each host in the network system, the number of vulnerabilities on each host, the number of times each host has been attacked, and the number of times attacks on each host have succeeded. The initial host weight vector table is shown in Table 4.
Table 4 Initial host weight vector table
Host | H1 | H2 | H3 | H4 | H5 | H6 | H7 |
---|---|---|---|---|---|---|---|
Priority | 9.4 | 15.0 | 11.4 | 17.2 | 10.2 | 18.4 | 20.1 |
Number of vulnerabilities | 2 | 2 | 4 | 2 | 2 | 3 | 4 |
Number of attacks | 0 | 0 | 0 | 0 | 0 | 0 | 0 |
Number of successful attacks | 0 | 0 | 0 | 0 | 0 | 0 | 0 |
The initial value of each host's priority is the sum of the CVSS scores of all vulnerabilities on that host; the number of vulnerabilities on each host is obtained through a vulnerability retrieval tool; the initial values of the attacked count and the attack-success count of each host are both 0. The CVSS score of a vulnerability is obtained by querying the Common Vulnerability Scoring System.
Step 2.3: Selection. According to the priority of each host, find the path with the highest sum of host priorities as the optimal attack path using a depth-first strategy, and store it in the optimal attack path sequence L. The optimal attack path currently obtained is H1→H2→H5→H3→H6→H7, with an overall priority of 102.3.
Step 2.4: Simulation. The attacker launches one attack against each host on the attack path from step 2.3; after the attack is finished, the attacked count and the attack-success count of every node on the attack path are recorded. The hosts currently under attack are H1, H2, H5, H3, H6 and H7, so the attacked count and the attack-success count of each of these hosts are increased by 1.
Step 2.5: Back propagation. For the node corresponding to each host attacked in step 2.4, adjust its priority using equation (1); for the node corresponding to each host not attacked in step 2.4, adjust its priority using equation (2).
$p_{ua} = p_{pre} + \delta$ (1)
where $p_{ua}$ is the adjusted priority of the attacked host; $p_{pre}$ is the priority of the attacked host before adjustment; $\delta$ is a parameter calculated by formula (3).
$p_{safe} = p_{pr} - \delta$ (2)
where $p_{safe}$ is the adjusted priority of the host that was not attacked; $p_{pr}$ is the priority of that host before adjustment; $\delta$ is determined by the difference between the maximum host priority $p_{max}$ and the minimum host priority $p_{min}$ in the current network system, and is calculated by formula (3).
$\delta = \xi\,(p_{max} - p_{min})$ (3)
where $p_{max}$ is the maximum host priority in the current network system; $p_{min}$ is the minimum host priority in the current network system; $\xi$ is an adjustment parameter, and in this embodiment $\xi = 1$.
The hosts currently under attack are H1, H2, H3, H5, H6 and H7; the adjusted host weight vector table is shown in Table 5.
Table 5 Adjusted host weight vector table
Host | H1 | H2 | H3 | H4 | H5 | H6 | H7 |
---|---|---|---|---|---|---|---|
Priority | 12.74 | 18.34 | 14.74 | 13.86 | 14.14 | 21.74 | 23.44 |
Number of vulnerabilities | 2 | 2 | 4 | 2 | 2 | 3 | 4 |
Number of attacks | 1 | 1 | 1 | 0 | 1 | 1 | 1 |
Number of successful attacks | 1 | 1 | 1 | 0 | 1 | 1 | 1 |
Step 2.6: Repeat steps 2.3 to 2.6 until no feasible attack path exists in the network system. At this point the construction of the network system defense system is complete and the operation ends.
In this embodiment, the defense strategy implemented is shown in Table 6.
TABLE 6 Defense policy table
Optimal attack path | Host adopting defensive measures | Repaired vulnerability |
---|---|---|
H1→H2→H5→H3→H6→H7 | H6 | CVE-2007-6388 |
H1→H2→H5→H3→H6→H7 | H6 | CVE-2006-3747 |
H1→H2→H5→H3→H6→H7 | H6 | CVE-2007-6304 |
H1→H2→H5→H3→H6→H7 | H2 | CVE-2017-3221 |
H1→H2→H5→H3→H6→H7 | H2 | CVE-2015-5533 |
H1→H3→H5→H7 | H3 | CVE-2008-3234 |
H1→H3→H5→H7 | H3 | CVE-2016-8355 |
H1→H3→H5→H7 | H3 | CVE-2015-5533 |
H1→H3→H5→H7 | H3 | CVE-2014-2023 |
The optimal defense system of the network system is constructed through the above steps.
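The procedure of steps 2.1 to 2.6 (the Description above and this embodiment describe the same loop) as a runnable Python example added here; it is not code from the patent. It performs selection by depth-first search over the session links, simulation, and back propagation with equations (1) to (3), starting from the Table 4 initial values with ξ = 1. The session links (Table 2's body is absent from the page) and the defender's hardening rule (repair the highest-priority host on the selected path, which is what makes "no feasible attack path" reachable) are assumptions, and the adjusted priorities are computed from the equations as written rather than transcribed from Table 5.

```python
from dataclasses import dataclass

XI = 1.0  # adjustment parameter xi; the embodiment uses xi = 1 (patent range [0.1, 10])


@dataclass
class HostState:
    priority: float  # initial value: sum of the CVSS scores of the host's vulnerabilities
    vulns: int       # number of unpatched vulnerabilities
    attacked: int = 0
    succeeded: int = 0


def initial_hosts():
    """Initial host weight vector, transcribed from Table 4 of the patent."""
    return {
        "H1": HostState(9.4, 2), "H2": HostState(15.0, 2), "H3": HostState(11.4, 4),
        "H4": HostState(17.2, 2), "H5": HostState(10.2, 2), "H6": HostState(18.4, 3),
        "H7": HostState(20.1, 4),
    }


# Directed session links (constructed: Table 2's body is absent from the page),
# chosen so that the embodiment's first path H1->H2->H5->H3->H6->H7 is feasible.
LINKS = {
    "H1": ["H2", "H3"], "H2": ["H5"], "H3": ["H6"], "H4": ["H7"],
    "H5": ["H3", "H7"], "H6": ["H7"], "H7": [],
}


def select_path(hosts, links, entry):
    """Step 2.3 (selection): depth-first search for the simple path from the entry host
    with the highest priority sum. Hosts with no unpatched vulnerabilities are not
    traversable (assumption used to model an infeasible attack path)."""
    best = ([], float("-inf"))
    if hosts[entry].vulns == 0:
        return [], 0.0

    def dfs(path, total):
        nonlocal best
        if total > best[1]:
            best = (list(path), total)
        for nxt in links.get(path[-1], []):
            if nxt not in path and hosts[nxt].vulns > 0:
                path.append(nxt)
                dfs(path, total + hosts[nxt].priority)
                path.pop()

    dfs([entry], hosts[entry].priority)
    return best


def simulate(hosts, path):
    """Step 2.4: one attack on every host of the path; the embodiment counts each as successful."""
    for h in path:
        hosts[h].attacked += 1
        hosts[h].succeeded += 1


def backpropagate(hosts, path, xi=XI):
    """Step 2.5: apply equations (1)-(3); returns delta."""
    prios = [s.priority for s in hosts.values()]
    delta = xi * (max(prios) - min(prios))               # (3) delta = xi * (p_max - p_min)
    for name, s in hosts.items():
        s.priority += delta if name in path else -delta  # (1) attacked host / (2) other host
    return delta


def harden(hosts, path):
    """Defender move (assumption; the patent does not state how the host to repair is
    chosen): repair every vulnerability on the highest-priority host of the path."""
    target = max(path, key=lambda h: hosts[h].priority)
    hosts[target].vulns = 0
    return target


def build_defense(hosts, links, entry="H1"):
    """Step 2.6: repeat until no attack path of two or more hosts remains; returns [(path, repaired host)]."""
    order = []
    while True:
        path, _ = select_path(hosts, links, entry)
        if len(path) < 2:
            return order
        simulate(hosts, path)
        backpropagate(hosts, path)
        order.append((tuple(path), harden(hosts, path)))
```

Because equations (1) and (2) push attacked and unattacked hosts apart by the full range each round, priorities grow quickly and can go negative; the ordering, not the absolute value, drives the next selection.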
Claims (1)
1. A network optimal attack path planning method based on the Monte Carlo graph search algorithm, characterized by comprising the following specific operation steps:
step one: acquire network system state information;
step 1.1: obtain the network structure; acquire the software applications of all hosts in the network system and establish a software-application-to-host correspondence table;
the software application and host correspondence table comprises: software application name and host name;
step 1.2: obtain the session links among the hosts in the network system and establish an inter-host session link table; the inter-host session link table includes: source host name and target host name;
step 1.3: obtain the vulnerabilities existing on each host in the network system, establish a host vulnerability state table, and set a priority for each host according to that table; the host vulnerability state table includes: host name, vulnerability ID and vulnerability category;
step two: construct the network system defense system through the Monte Carlo graph search algorithm; this comprises the following steps:
step 2.1: establish the optimal attack path sequence, denoted by the symbol L, whose initial value is null;
step 2.2: establish the host weight vector table; it comprises the initial value of the priority of each host in the network system, the initial value of the number of vulnerabilities on each host, the initial value of the attacked count of each host and the initial value of the attack-success count of each host;
the initial value of each host's priority is the sum of the CVSS scores of all vulnerabilities on that host; the number of vulnerabilities on each host is obtained through a vulnerability retrieval tool; the initial values of the attacked count and the attack-success count of each host are both 0; the CVSS score of a vulnerability is obtained by querying the Common Vulnerability Scoring System;
step 2.3: selection; according to the priority of each host, find the path with the highest sum of host priorities as the optimal attack path through the Monte Carlo graph search algorithm, and store it in the optimal attack path sequence L;
step 2.4: simulation; an attacker launches one attack against each host on the optimal attack path from step 2.3, and after the attack is finished, the attacked count and the attack-success count of every node on the attack path are recorded;
step 2.5: back propagation; for the node corresponding to each host attacked in step 2.4, adjust its priority using equation (1); for the node corresponding to each host not attacked in step 2.4, adjust its priority using formula (2);
$p_{ua} = p_{pre} + \delta$ (1)
where $p_{ua}$ is the adjusted priority of the attacked host; $p_{pre}$ is the priority of the attacked host before adjustment; $\delta$ is a parameter calculated by formula (3);
$p_{safe} = p_{pr} - \delta$ (2)
where $p_{safe}$ is the adjusted priority of the host that was not attacked; $p_{pr}$ is the priority of that host before adjustment; $\delta$ is determined by the difference between the maximum host priority $p_{max}$ and the minimum host priority $p_{min}$ in the current network system, and is calculated by formula (3);
$\delta = \xi\,(p_{max} - p_{min})$ (3)
where $p_{max}$ is the maximum host priority in the current network system; $p_{min}$ is the minimum host priority in the current network system; $\xi$ is an adjustment parameter with $\xi \in [0.1, 10]$;
step 2.6: repeat steps 2.3 to 2.6 until no feasible attack path exists in the network system; at this point the construction of the network system defense system is complete and the operation ends.
Applications Claiming Priority (2)
Application Number | Priority Date | Filing Date | Title |
---|---|---|---|
CN2018107925904 | 2018-07-18 | ||
CN201810792590 | 2018-07-18 |
Publications (2)
Publication Number | Publication Date |
---|---|
CN109120646A CN109120646A (en) | 2019-01-01 |
CN109120646B true CN109120646B (en) | 2021-02-02 |
Family ID: 64855637
Family Applications (1)
Application Number | Title | Priority Date | Filing Date |
---|---|---|---|
CN201811259465.3A Active CN109120646B (en) | 2018-07-18 | 2018-10-26 | Network optimal defense system construction method based on Monte Carlo graph search algorithm |
Country Status (1)
Country | Link |
---|---|
CN (1) | CN109120646B (en) |
Families Citing this family (1)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
CN109873826B (en) * | 2019-02-28 | 2022-05-27 | 中国人民解放军战略支援部队信息工程大学 | Penetration path planning method and system based on dynamic feedback |
Citations (2)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
CN103152345A (en) * | 2013-03-07 | 2013-06-12 | 南京理工大学常熟研究院有限公司 | Network safety optimum attacking and defending decision method for attacking and defending game |
CN107147670A (en) * | 2017-06-16 | 2017-09-08 | 福建中信网安信息科技有限公司 | APT defence methods based on game system |
Family Cites Families (3)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
CN107196955A (en) * | 2017-06-15 | 2017-09-22 | 北京理工大学 | The network system active defense method analyzed based on vulnerability correlation |
CN107948137A (en) * | 2017-11-01 | 2018-04-20 | 北京理工大学 | A kind of optimal attack paths planning method based on improved Q study |
CN108111535A (en) * | 2018-01-12 | 2018-06-01 | 北京理工大学 | A kind of optimal attack path planing method based on improved Monte carlo algorithm |
Legal Events
Date | Code | Title | Description |
---|---|---|---|
| PB01 | Publication | |
| SE01 | Entry into force of request for substantive examination | |
| CB03 | Change of inventor or designer information | Inventor after: Hu Changzhen; Lv Kun; Zhang Zhengyuan. Inventor before: Hu Changzhen; Lv Kun; Zhang Zhengyuan |
| GR01 | Patent grant | |