CN109120646B - Network optimal defense system construction method based on Monte Carlo graph search algorithm - Google Patents

Network optimal defense system construction method based on Monte Carlo graph search algorithm Download PDF

Info

Publication number
CN109120646B
Authority
CN
China
Prior art keywords
host
priority
network system
attacked
vulnerability
Prior art date
Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
Active
Application number
CN201811259465.3A
Other languages
Chinese (zh)
Other versions
CN109120646A (en)
Inventor
胡昌振
吕坤
张正原
Current Assignee (The listed assignees may be inaccurate. Google has not performed a legal analysis and makes no representation or warranty as to the accuracy of the list.)
Beijing Institute of Technology BIT
Original Assignee
Beijing Institute of Technology BIT
Priority date (The priority date is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the date listed.) 2018-07-18
Filing date 2018-10-26
Publication date 2021-02-02
Application filed by Beijing Institute of Technology BIT
Publication of CN109120646A
Application granted
Publication of CN109120646B
Legal status: Active
Anticipated expiration

Classifications

    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L63/00 Network architectures or network communication protocols for network security
    • H04L63/14 Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic
    • H04L63/1433 Vulnerability analysis
    • H04L63/1441 Countermeasures against malicious traffic

Landscapes

  • Engineering & Computer Science (AREA)
  • Computer Security & Cryptography (AREA)
  • Computer Hardware Design (AREA)
  • Computing Systems (AREA)
  • General Engineering & Computer Science (AREA)
  • Computer Networks & Wireless Communication (AREA)
  • Signal Processing (AREA)
  • Data Exchanges In Wide-Area Networks (AREA)
  • Information Retrieval, Db Structures And Fs Structures Therefor (AREA)
  • Computer And Data Communications (AREA)

Abstract

The invention relates to a network optimal defense system construction method based on a Monte Carlo graph search algorithm, and belongs to the technical field of information security. The specific operation steps are as follows: step one, initialization; step two, constructing a network system defense system through a Monte Carlo graph search algorithm. Compared with the prior art, the optimal defense system construction method based on the Monte Carlo graph search algorithm provided by the invention has the following advantages: first, the method is suitable for a plurality of attackers and one defender; second, the optimal defense system is constructed quickly; third, the construction of the optimal defense system is not influenced by the network structure.

Description

Network optimal defense system construction method based on Monte Carlo graph search algorithm
Technical Field
The invention relates to a network optimal defense system construction method based on a Monte Carlo graph search algorithm, and belongs to the technical field of information security.
Background
In network defense, a defender often faces attacks from multiple attackers around the world. It is therefore crucial to establish an optimal defense system for the network in which the defender is located. The optimal defense system is the defense system constructed to defend effectively against an attacker's attacks. At present, the optimal defense system is mainly constructed by dynamically adjusting the defense strategy in response to repeated attacks by an attacker, and finally building the defense system from the result.
Currently, the most popular methods are the ant colony optimization algorithm and the blocking attack graph algorithm. The ant colony optimization algorithm has the advantage that, being an improvement of a heuristic algorithm, it inherits the advantages of heuristic algorithms, namely that it can obtain more ideal genetic offspring; its problem is that the original paper does not explicitly give a calculation method for the key parameters in its formula. The blocking attack graph algorithm has the advantage that it establishes a two-layer game model and takes the Nash equilibrium result as the criterion for ending the game; its problems are that its scope of application is small, since it only suits the game between one attacker and one defender, and that its construction time is greatly influenced by the network structure.
The existing algorithm employed in the present invention is the Monte Carlo algorithm. The Monte Carlo algorithm gradually builds an asymmetric search tree by randomly playing out a game. The method can be divided into four steps: selection, expansion, simulation and back propagation. Applying the Monte Carlo algorithm to the construction of the optimal defense system allows the defense system to be built in better combination with the vulnerability risk degree, and reduces the space complexity of the algorithm.
Disclosure of Invention
The invention aims to overcome the defects of existing network defense system construction methods and provides a network optimal defense system construction method based on a Monte Carlo graph search algorithm.
The purpose of the invention is achieved by the following technical scheme.
The invention discloses a network optimal attack path planning method based on a Monte Carlo graph search algorithm, which comprises the following specific operation steps:
Step one: acquire network system state information.
Step 1.1: acquire the network structure. Acquire the software applications of all hosts in the network system and establish a correspondence table between software applications and hosts.
The software application to host correspondence table comprises: software application name and host name.
Step 1.2: acquire the session links among all hosts in the network system and establish an inter-host session link table. The inter-host session link table comprises: source host name and target host name.
Step 1.3: acquire the vulnerabilities present on each host in the network system, establish a host vulnerability state table, and set a priority for each host according to the host vulnerability state table. The host vulnerability state table comprises: host name, vulnerability ID and vulnerability category.
Step two: construct the network system defense system through the Monte Carlo graph search algorithm. This specifically comprises the following steps:
Step 2.1: establish an optimal attack path sequence, denoted by the symbol L, whose initial value is null.
Step 2.2: establish a host weight vector table. The host weight vector table comprises the initial values set for the priority of each host in the network system, the number of vulnerabilities on each host, the attacked times of each host and the attack success times of each host.
The initial value of the priority of each host in the network system is the sum of the CVSS score values of all vulnerabilities on that host; the number of vulnerabilities on each host is obtained through a vulnerability retrieval tool; the initial values of the attacked times and attack success times of each host are both 0. The CVSS score value of a vulnerability is obtained by querying the Common Vulnerability Scoring System.
Step 2.3: selection. According to the priority of each host, find the path with the highest sum of host priorities by a depth-first strategy, take it as the optimal attack path, and store it in the optimal attack path sequence L.
Step 2.4: simulation. The attacker launches one attack on each host on the attack path of step 2.3; after the attack, the attacked times and attack success times of all nodes on the attack path are recorded.
Step 2.5: and is propagated in the reverse direction. For the node corresponding to the host attacked in step 2.4, adjusting its priority using equation (1); for the node corresponding to the host that was not attacked in step 2.4, its priority is adjusted using equation (2).
pua=ppre+δ (1)
Wherein p isuaIndicating the adjusted priority of the attacked host; p is a radical ofpreIndicating the priority of the attacked host before adjustment; δ is a parameter, and is calculated by formula (3).
psafe=ppr-δ (2)
Wherein p issafeIndicating the adjusted priority of the host which is not attacked; p is a radical ofprIndicating the priority of the host which is not attacked before adjustment; δ is the maximum value p of the priority of the host in the current network systemmaxWith minimum priority pminThe difference between the difference of the two phases,can be calculated by the formula (3).
δ=ξ(pmax-pmin) (3)
Wherein p ismaxThe maximum value of the host priority in the current network system; p is a radical ofminThe minimum value of the host priority in the current network system; xi is an adjusting parameter, and xi belongs to [0.1,10 ]]。
Step 2.6: the operations of step 2.3 to step 2.6 are repeated until no feasible attack path exists in the network system. At this time, the construction of the defense system is completed, and the operation is finished.
And completing the construction of the optimal defense system of the network system through the operation of the steps.
Compared with the prior art, the network optimal defense system construction method based on the Monte Carlo graph search algorithm provided by the invention has the following advantages:
the method is suitable for a plurality of attackers and a defender;
secondly, the construction speed of the optimal defense system is high;
and the construction of the optimal defense system is not influenced by the network structure.
Drawings
FIG. 1 is a flowchart illustrating the operation of a method for constructing a network defense system based on a Monte Carlo graph search algorithm according to an embodiment of the present invention;
fig. 2 is a network topology diagram in an embodiment of the present invention.
Detailed Description
The invention is described in detail below with reference to the drawings and the embodiment.
The optimal defense system of a network system is obtained using the method for constructing an optimal defense system based on the Monte Carlo graph search algorithm; the operation flow is shown in FIG. 1, and the specific operation steps are as follows:
The invention discloses an optimal attack path planning method based on a Monte Carlo graph search algorithm, which comprises the following specific operation steps:
Step one: acquire network system state information.
Step 1.1: acquire the network structure; the network topology is shown in FIG. 2. Acquire the software applications of all hosts in the network system and establish the correspondence table between software applications and hosts, as shown in Table 1. The software application to host correspondence table comprises: software application name and host name.
Table 1 Software application to host correspondence table
Software application name    Host name
IIS 7.0                      H2, H3
BIND 9                       H1, H2, H5
Sendmail 8.13                H3, H4, H5, H7
MySQL 5.7                    H1, H3, H5, H6, H7
Serv-U 10.5                  H3, H4, H6, H7
IE 6.0                       H3, H4
Step 1.2: session links between hosts in a network system are obtained, and an inter-host session link table is established, as shown in table 2. The inter-host session link table includes: a source hostname and a target hostname.
Table 2 inter-host session link table
Figure BDA0001843562220000041
Wherein, 1 represents that two hosts are directly communicated, and 0 represents that two hosts are not directly communicated.
Step 1.3: the method comprises the steps of obtaining bugs existing in each host in a network system, establishing a host bug state table as shown in table 3, and setting priority for each host according to the host bug state table. The host vulnerability status table includes: host name, vulnerability ID, and vulnerability category.
TABLE 3 host vulnerability State Table
Figure BDA0001843562220000042
Figure BDA0001843562220000051
Step two: construct the network system defense system through the Monte Carlo graph search algorithm. This specifically comprises the following steps:
Step 2.1: establish an optimal attack path sequence, denoted by the symbol L, whose initial value is null.
Step 2.2: establish a host weight vector table. The host weight vector table comprises the initial values set for the priority of each host in the network system, the number of vulnerabilities on each host, the attacked times of each host and the attack success times of each host. The initial host weight vector table is shown in Table 4.
Table 4 Initial host weight vector table
                             H1     H2     H3     H4     H5     H6     H7
Priority                     9.4    15.0   11.4   17.2   10.2   18.4   20.1
Number of vulnerabilities    2      2      4      2      2      3      4
Attacked times               0      0      0      0      0      0      0
Attack success times         0      0      0      0      0      0      0
The initial value of the priority of each host in the network system is the sum of the CVSS score values of all vulnerabilities on that host; the number of vulnerabilities on each host is obtained through a vulnerability retrieval tool; the initial values of the attacked times and attack success times of each host are both 0. The CVSS score value of a vulnerability is obtained by querying the Common Vulnerability Scoring System.
Step 2.3: selection. According to the priority of each host, find the path with the highest sum of host priorities by a depth-first strategy, take it as the optimal attack path, and store it in the optimal attack path sequence L. The optimal attack path currently obtained is H1→H2→H5→H3→H6→H7, with an overall priority of 102.3.
Step 2.4: simulation. The attacker launches one attack on each host on the attack path of step 2.3; after the attack, the attacked times and attack success times of all nodes on the attack path are recorded. The hosts currently attacked are H1, H2, H5, H3, H6 and H7, so the attacked times and attack success times of these hosts are each increased by 1.
Step 2.5: and is propagated in the reverse direction. For the node corresponding to the host attacked in step 2.4, adjusting its priority using equation (1); for the node corresponding to the host that was not attacked in step 2.4, its priority is adjusted using equation (2).
pua=ppre+δ (1)
Wherein p isuaIndicating the adjusted priority of the attacked host; p is a radical ofpreIndicating the priority of the attacked host before adjustment; δ is a parameter, and is calculated by formula (3).
psafe=ppr-δ (2)
Wherein p issafeIndicating the adjusted priority of the host which is not attacked; p is a radical ofprIndicating the priority of the host which is not attacked before adjustment; δ is the maximum value p of the priority of the host in the current network systemmaxWith minimum priority pminThe difference can be calculated by the formula (3).
δ=ξ(pmax-pmin) (3)
Wherein p ismaxThe maximum value of the host priority in the current network system; p is a radical ofminThe minimum value of the host priority in the current network system; xi is an adjustment parameter, and in the embodiment, xi is 1.
Currently, the host under attack is H1、H2、H3、H5、H6、H7The table of the adjusted host right vector is shown in table 5.
Table 5 adjusted host rights vector table
H1 H2 H3 H4 H5 H6 H7
Priority level 12.74 18.34 14.74 13.86 14.14 21.74 23.44
Number of holes 2 2 4 2 2 3 4
Number of attacks 1 1 1 0 1 1 1
Number of successful attacks 1 1 1 0 1 1 1
Step 2.6: repeating the operations from the step 2.3 to the step 2.6 until no feasible attack path exists in the network system; and at the moment, the construction of the network system defense system is finished, and the operation is finished.
In this embodiment, the defense strategy implemented is shown in table 6.
TABLE 6 defensive policies Table
Optimal attack path Host computer adopting defensive measures Repaired vulnerability
H1→H2→H5→H3→H6→H7 H6 CVE-2007-6388
H1→H2→H5→H3→H6→H7 H6 CVE-2006-3747
H1→H2→H5→H3→H6→H7 H6 CVE-2007-6304
H1→H2→H5→H3→H6→H7 H2 CVE-2017-3221
H1→H2→H5→H3→H6→H7 H2 CVE-2015-5533
H1→H3→H5→H7 H3 CVE-2008-3234
H1→H3→H5→H7 H3 CVE-2016-8355
H1→H3→H5→H7 H3 CVE-2015-5533
H1→H3→H5→H7 H3 CVE-2014-2023
And completing the construction of the optimal defense system of the network system through the operation of the steps.
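The following Python script is an added worked example for this page, written to show the step two loop (selection, simulation, back propagation, repeat) both in its general form and on the embodiment's data; it is not code from the patent or its inventors. It takes the priorities and vulnerability counts of Table 4 as input. Because Table 2 survives only as an image, the directed session links are constructed here (chosen so that the embodiment's first path H1→H2→H5→H3→H6→H7 is feasible); the vulnerability IDs are placeholders rather than the CVEs of Table 6; and the defender's move between rounds (repair one vulnerability on the highest-priority host of the current path) is an assumption, since the page shows only the resulting Table 6. ξ = 1 as in the embodiment.

```python
"""Worked simulation of the priority-driven attack-path search and
back-propagation loop described in step two (steps 2.1 to 2.6).
Added illustration for this page, not code from the patent or its inventors."""
from dataclasses import dataclass
from typing import Dict, List, Tuple

XI = 1.0  # adjustment parameter xi of formula (3); the embodiment uses xi = 1


@dataclass
class Host:
    """One row of the host weight vector table of step 2.2."""
    priority: float          # initial value: sum of the CVSS scores of its vulnerabilities
    vulns: List[str]         # vulnerability IDs still present on the host
    attacked: int = 0        # attacked times
    attack_success: int = 0  # attack success times


def sample_hosts() -> Dict[str, Host]:
    """Constructed sample: priorities and vulnerability counts follow Table 4 of the
    embodiment; the vulnerability IDs are placeholders, not the patent's CVE list."""
    table4 = {"H1": (9.4, 2), "H2": (15.0, 2), "H3": (11.4, 4), "H4": (17.2, 2),
              "H5": (10.2, 2), "H6": (18.4, 3), "H7": (20.1, 4)}
    return {h: Host(p, [f"{h}-V{i}" for i in range(1, n + 1)])
            for h, (p, n) in table4.items()}


# Constructed directed session links (Table 2 is only an image in the original);
# chosen so that the embodiment's first path H1->H2->H5->H3->H6->H7 is feasible.
SAMPLE_LINKS: Dict[str, List[str]] = {
    "H1": ["H2", "H3"], "H2": ["H5"], "H3": ["H5", "H6"], "H4": ["H7"],
    "H5": ["H3", "H6", "H7"], "H6": ["H7"], "H7": [],
}


def best_attack_path(hosts: Dict[str, Host], links: Dict[str, List[str]],
                     entry: str) -> Tuple[List[str], float]:
    """Step 2.3 (selection): depth-first search for the simple path from `entry`
    with the highest sum of host priorities. A host whose vulnerabilities have all
    been repaired cannot be compromised, so the search never enters it."""
    if entry not in hosts or not hosts[entry].vulns:
        return [], 0.0
    best: Tuple[List[str], float] = ([entry], hosts[entry].priority)

    def dfs(node: str, path: List[str], total: float) -> None:
        nonlocal best
        if total > best[1]:
            best = (list(path), total)
        for nxt in links.get(node, []):
            if nxt not in path and hosts[nxt].vulns:
                path.append(nxt)
                dfs(nxt, path, total + hosts[nxt].priority)
                path.pop()

    dfs(entry, [entry], hosts[entry].priority)
    return best


def simulate_attack(hosts: Dict[str, Host], path: List[str]) -> None:
    """Step 2.4: one attack on every host of the path; the embodiment counts
    each attack as successful, so both counters advance together."""
    for name in path:
        hosts[name].attacked += 1
        hosts[name].attack_success += 1


def back_propagate(hosts: Dict[str, Host], path: List[str], xi: float = XI) -> float:
    """Step 2.5: delta from formula (3), then formula (1) for attacked hosts
    and formula (2) for the hosts that were not attacked. Returns delta."""
    p_max = max(h.priority for h in hosts.values())
    p_min = min(h.priority for h in hosts.values())
    delta = xi * (p_max - p_min)
    on_path = set(path)
    for name, h in hosts.items():
        h.priority += delta if name in on_path else -delta
    return delta


def apply_defense(hosts: Dict[str, Host], path: List[str]) -> Tuple[str, str]:
    """Defender's move between rounds (assumption; the page only shows the result
    in Table 6): repair one vulnerability on the highest-priority host of the path."""
    target = max(path, key=lambda n: hosts[n].priority)
    return target, hosts[target].vulns.pop(0)


def build_defense(hosts: Dict[str, Host], links: Dict[str, List[str]], entry: str,
                  xi: float = XI) -> List[Tuple[List[str], str, str]]:
    """Step 2.6: repeat selection, simulation, back propagation and repair until no
    feasible attack path remains; returns one (path, host, vulnerability) row per round."""
    policy: List[Tuple[List[str], str, str]] = []
    while True:
        path, _total = best_attack_path(hosts, links, entry)
        if not path:
            return policy
        simulate_attack(hosts, path)
        back_propagate(hosts, path, xi)
        target, vuln = apply_defense(hosts, path)
        policy.append((path, target, vuln))


if __name__ == "__main__":
    for path, target, vuln in build_defense(sample_hosts(), SAMPLE_LINKS, "H1"):
        print(" -> ".join(path), "| repair", vuln, "on", target)
```

Running the script prints one row per round in the shape of Table 6. Two things the page does not state outright become visible: because δ is recomputed from the current spread every round and attacked hosts gain δ while every other host loses it, the spread grows each round, so with ξ = 1 the priorities of hosts off the path turn negative within a few rounds; a deployment would clamp priorities at zero or keep ξ small so the drift stays slow. And the loop terminates only because each round repairs a vulnerability and a host with none left drops out of the search; the selection step alone would keep returning the same path.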

Claims (1)

1. The network optimal attack path planning method based on the Monte Carlo graph search algorithm is characterized by comprising the following specific operation steps:
step one, acquiring network system state information;
step 1.1: acquiring the network structure; acquiring the software applications of all hosts in the network system, and establishing a correspondence table between software applications and hosts;
the software application to host correspondence table comprises: software application name and host name;
step 1.2: acquiring the session links among hosts in the network system, and establishing an inter-host session link table; the inter-host session link table comprises: source host name and target host name;
step 1.3: acquiring the vulnerabilities present on each host in the network system, establishing a host vulnerability state table, and setting a priority for each host according to the host vulnerability state table; the host vulnerability state table comprises: host name, vulnerability ID and vulnerability category;
step two, constructing the network system defense system through the Monte Carlo graph search algorithm; specifically comprising the following steps:
step 2.1: establishing an optimal attack path sequence, denoted by the symbol L, whose initial value is null;
step 2.2: establishing a host weight vector table; the host weight vector table comprises the set initial value of the priority of each host in the network system, the initial value of the number of vulnerabilities on each host, the initial value of the attacked times of each host and the initial value of the attack success times of each host;
the initial value of the priority of each host in the network system is the sum of the CVSS score values of all vulnerabilities on that host; the number of vulnerabilities on each host is obtained through a vulnerability retrieval tool; the initial values of the attacked times and attack success times of each host are both 0; the CVSS score value of a vulnerability is obtained by querying the Common Vulnerability Scoring System;
step 2.3: selection; according to the priority of each host, finding the path with the highest sum of host priorities through the Monte Carlo graph search algorithm, taking it as the optimal attack path, and storing it in the optimal attack path sequence L;
step 2.4: simulation; the attacker launches one attack on each host on the optimal attack path of step 2.3, and after the attack the attacked times and attack success times of all nodes on the attack path are recorded;
step 2.5: back propagation; for the node corresponding to each host attacked in step 2.4, adjusting its priority using formula (1); for the node corresponding to each host not attacked in step 2.4, adjusting its priority using formula (2);
$p_{ua} = p_{pre} + \delta$ (1)
where $p_{ua}$ is the adjusted priority of an attacked host; $p_{pre}$ is the priority of that attacked host before adjustment; $\delta$ is a parameter calculated by formula (3);
$p_{safe} = p_{pr} - \delta$ (2)
where $p_{safe}$ is the adjusted priority of a host that was not attacked; $p_{pr}$ is the priority of that host before adjustment; $\delta$ is derived from the difference between the maximum host priority $p_{max}$ and the minimum host priority $p_{min}$ in the current network system, and is calculated by formula (3);
$\delta = \xi\,(p_{max} - p_{min})$ (3)
where $p_{max}$ is the maximum host priority in the current network system; $p_{min}$ is the minimum host priority in the current network system; $\xi$ is an adjustment parameter with $\xi \in [0.1, 10]$;
step 2.6: repeating the operations of step 2.3 to step 2.6 until no feasible attack path exists in the network system; at this point the construction of the network system defense system is complete and the operation ends.
CN201811259465.3A, priority date 2018-07-18, filing date 2018-10-26: Network optimal defense system construction method based on Monte Carlo graph search algorithm, Active, CN109120646B (en)

Applications Claiming Priority (2)

Application Number Priority Date Filing Date Title
CN2018107925904 2018-07-18
CN201810792590 2018-07-18

Publications (2)

Publication Number Publication Date
CN109120646A CN109120646A (en) 2019-01-01
CN109120646B true CN109120646B (en) 2021-02-02

Family

ID=64855637

Family Applications (1)

Application Number Title Priority Date Filing Date
CN201811259465.3A Active CN109120646B (en) 2018-07-18 2018-10-26 Network optimal defense system construction method based on Monte Carlo graph search algorithm

Country Status (1)

Country Link
CN (1) CN109120646B (en)

Families Citing this family (1)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN109873826B (en) * 2019-02-28 2022-05-27 中国人民解放军战略支援部队信息工程大学 Penetration path planning method and system based on dynamic feedback

Citations (2)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN103152345A (en) * 2013-03-07 2013-06-12 南京理工大学常熟研究院有限公司 Network safety optimum attacking and defending decision method for attacking and defending game
CN107147670A (en) * 2017-06-16 2017-09-08 福建中信网安信息科技有限公司 APT defence methods based on game system

Family Cites Families (3)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN107196955A (en) * 2017-06-15 2017-09-22 北京理工大学 The network system active defense method analyzed based on vulnerability correlation
CN107948137A (en) * 2017-11-01 2018-04-20 北京理工大学 A kind of optimal attack paths planning method based on improved Q study
CN108111535A (en) * 2018-01-12 2018-06-01 北京理工大学 A kind of optimal attack path planing method based on improved Monte carlo algorithm

Patent Citations (2)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN103152345A (en) * 2013-03-07 2013-06-12 南京理工大学常熟研究院有限公司 Network safety optimum attacking and defending decision method for attacking and defending game
CN107147670A (en) * 2017-06-16 2017-09-08 福建中信网安信息科技有限公司 APT defence methods based on game system

Also Published As

Publication number Publication date
CN109120646A (en) 2019-01-01


Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination
CB03 Change of inventor or designer information
Inventor after: Hu Changzhen; Lv Kun; Zhang Zhengyuan
Inventor before: Hu Changzhen; Lv Kun; Zhang Zhengyuan
GR01 Patent grant