CN110099045B - Network security threat early warning method and device based on qualitative differential gaming and evolutionary gaming - Google Patents

Publication number
CN110099045B
Authority
CN
China
Prior art keywords
attack
defense
network security
network
game
Prior art date
Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
Active
Application number
CN201910275813.4A
Other languages
Chinese (zh)
Other versions
CN110099045A (en
Inventor
张恒巍
王晋东
张玉臣
程相然
王娜
刘小虎
汪永伟
蒋侣
Current Assignee (The listed assignees may be inaccurate. Google has not performed a legal analysis and makes no representation or warranty as to the accuracy of the list.)
Information Engineering University of PLA Strategic Support Force
Original Assignee
Information Engineering University of PLA Strategic Support Force

Classifications

    • H: ELECTRICITY
    • H04: ELECTRIC COMMUNICATION TECHNIQUE
    • H04L: TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L63/00: Network architectures or network communication protocols for network security
    • H04L63/20: Network architectures or network communication protocols for network security for managing network security; network security policies in general

Landscapes

  • Engineering & Computer Science (AREA)
  • Computer Security & Cryptography (AREA)
  • Computer Hardware Design (AREA)
  • Computing Systems (AREA)
  • General Engineering & Computer Science (AREA)
  • Computer Networks & Wireless Communication (AREA)
  • Signal Processing (AREA)
  • Data Exchanges In Wide-Area Networks (AREA)
  • Computer And Data Communications (AREA)

Abstract

The invention belongs to the technical field of network security and relates in particular to a network security threat early warning method and device based on a qualitative differential game and an evolutionary game. The method comprises the following steps: constructing a multi-dimensional network security state space from the network system's functions and topology; introducing a qualitative differential game, constructing an attack-defense qualitative differential game model, and obtaining the attack-defense barrier from that model; introducing an evolutionary game, constructing an attack-defense evolutionary game model, and obtaining the network security state evolution trajectory from that model; and obtaining the threat degree of different security states from the multi-dimensional Euclidean distance between the network security state evolution trajectory and the attack-defense barrier. The method addresses the time-discontinuity and complete-rationality problems of threat analysis methods based on traditional game theory, performs network security analysis closer to actual attack and defense, improves the timeliness, objectivity and accuracy of early warning, and has important guiding significance for the development of network security technology.

Description

Network security threat early warning method and device based on qualitative differential gaming and evolutionary gaming
Technical Field
The invention belongs to the technical field of network security, and particularly relates to a network security threat early warning method and device based on qualitative differential game and evolutionary game.
Background
With the rapid development of network technology and the spread of service functions, network systems have become the infrastructure that keeps social life running in an orderly and efficient way. At the same time, network security incidents keep emerging. Accurately judging the current network security state, predicting how it will evolve, and issuing timely and accurate security threat warnings is therefore of great value for strengthening security prevention and control and for improving network defense decision-making. The essence of network security is the confrontation between attack and defense, so comprehensive and accurate threat early warning analysis must rest on modeling, deduction and quantitative analysis of the opposing attack and defense behaviors and their mutual influence. Game theory fits well with the opposed goals, non-cooperative relationship and strategy interdependence of network attack and defense. Using game theory to analyze network attack and defense behavior, and then developing early warning methods for network security threats on that basis, has reference significance and theoretical value, and some results have already been obtained.
On the one hand, most existing game-theoretic network security research assumes that the players are completely rational. This assumption is hard to satisfy in actual confrontation, where the rationality of both attacker and defender is bounded rather than complete. On the other hand, analysis methods that use a multi-stage dynamic game model can only study attack and defense behavior that is discrete and discontinuous in time, and cannot capture the continuous, real-time and high-frequency character of actual network attack and defense. Both limitations greatly weaken the objectivity, practicability and effectiveness of network security threat analysis and early warning methods.
Disclosure of Invention
Therefore, the invention provides a network security threat early warning method and device based on a qualitative differential game and an evolutionary game, which perform network security analysis closer to actual attack and defense, improve the timeliness, objectivity and accuracy of early warning, and have strong prospects for engineering application.
According to the design scheme provided by the invention, the network security threat early warning method based on the qualitative differential game and the evolutionary game comprises the following:
constructing a multi-dimensional network security state space from the network system's functions and topology;
introducing a qualitative differential game, constructing an attack-defense qualitative differential game model, and obtaining the attack-defense barrier from that model; introducing an evolutionary game, constructing an attack-defense evolutionary game model, and obtaining the network security state evolution trajectory from that model;
and obtaining the threat degree of different security states from the multi-dimensional Euclidean distance between the network security state evolution trajectory and the attack-defense barrier.
In the above, the network security threat propagation process is described with an infectious disease dynamics model: the security state of a network node is divided into a normal state and an infected state, and the change in density of infected nodes in the network reflects how the network security threat propagates and spreads. The network is divided by boundary into several functional sub-networks according to network function and topology, forming a multi-dimensional network security state space, and the infected node density of each sub-network is analyzed using the threat propagation process.
In the above, from the perspective of continuous dynamic confrontation, a qualitative differential game is introduced, an attack-defense qualitative differential game model is constructed and solved, and the resulting attack-defense barrier is used as the reference for measuring the threat degree of the network security state. The attack-defense qualitative differential game model NSDG is represented by an eight-tuple (N, B, S, t, X, P, f, G), where N represents the participant space, B the attack and defense action space, S the set of sub-networks divided according to network function and topology, t the time of the network attack-defense qualitative differential game, X the network security state variable at that time, P the control strategies of the attacker and defender at that time, f the network security state transition function, and G the attack target set.
Preferably, when solving the attack-defense qualitative differential game model, the multi-dimensional network security space is divided into a capture area and an avoidance area. The network security state trajectory corresponding to the optimal control strategies of the attacker and defender is solved for and taken as the attack-defense barrier of the model, which determines the boundary between the capture area and the avoidance area.
Furthermore, solving the attack-defense qualitative differential game model comprises: constructing a Hamiltonian that represents the rate of change of the network security state; obtaining the optimal control strategies of the attacker and defender according to the bilateral extremum theorem; constructing the boundary of the attack-defense game target set and obtaining its unit normal vector; obtaining the optimal attack and defense strategies and the set of initial state positions of the attack-defense barrier on the target set boundary from the Hamiltonian, the optimal control strategies, the target set boundary and the unit normal vector; and obtaining the optimal network security trajectory, namely the network attack-defense barrier, from the optimal attack and defense strategies and the set of initial state positions of the barrier on the target set boundary.
In the above, from the perspective of the bounded rationality of the attack and defense participants, evolutionary game theory is introduced, an attack-defense evolutionary game model is constructed, and the network security state evolution trajectory is obtained by solving it. The attack-defense evolutionary game model AEGM is represented by an eight-tuple (N, B, S, t, Y, Q, f, U), where N represents the participant space, B the attack and defense action space, S the set of sub-networks divided according to network function and topology, t the attack-defense game time, Y the network security state variable at that time, Q the strategy selection probabilities of the attacker and defender at that time, f the network security state transition function, and U the set of game payoff functions.
Preferably, when solving the attack-defense evolutionary game model, an evolutionarily stable equilibrium strategy is obtained using the replicator dynamics learning mechanism, and the network security state evolution trajectory, which quantitatively describes how the network security state changes, is obtained.
In the above, the set of security states on the evolution trajectory at time t is obtained from the network security state evolution trajectory, and the network security threat degree is expressed as the Euclidean distance between this security state set and the network security state on the attack-defense barrier. If the Euclidean distance is negative, the security threat degree is set to a low-level controllable state; if the Euclidean distance is positive, the security threat degree is in a high-level uncontrollable state.
Preferably, the security threat degree is graded according to the range of the obtained Euclidean distance values, combining historical data and expert experience, so as to judge the threat degree of the current network security state.
A network security threat early warning device based on a qualitative differential game and an evolutionary game comprises a space construction module, a model construction module and a threat analysis module, wherein:
the space construction module is used for constructing a multi-dimensional network security state space from the network system's functions and topology;
the model construction module is used for introducing a qualitative differential game, constructing an attack-defense qualitative differential game model and obtaining the attack-defense barrier from that model; and for introducing an evolutionary game, constructing an attack-defense evolutionary game model, and obtaining the network security state evolution trajectory from that model;
and the threat analysis module is used for obtaining the threat degree of different security states from the multi-dimensional Euclidean distance between the network security state evolution trajectory and the attack-defense barrier.
The invention has the following beneficial effects:
The method uses a qualitative differential game model to analyze the trend of the security threat and obtains the attack-defense barrier, which divides the network security state space into a capture area and an avoidance area and establishes a reference for measuring the security threat degree. At the same time, the attack and defense players in the different sub-networks are assumed to have bounded rationality; an evolutionary game is introduced, a network attack-defense evolutionary game model is constructed from this bounded-rationality perspective, and the network security state evolution trajectory is solved for. The threat degree of different security states is then obtained from the multi-dimensional Euclidean distance between the state evolution trajectory and the attack-defense barrier. This yields a more objective and practical threat early warning method, addresses the time-discontinuity and complete-rationality problems of threat analysis methods based on traditional game theory, and has important guiding significance for the development of network security technology.
Description of the drawings:
FIG. 1 is a schematic flow chart of a network security threat early warning method in an embodiment;
FIG. 2 is a random conversion diagram of the network attack and defense game state in the embodiment;
FIG. 3 illustrates an embodiment of a dynamic pre-warning of cyber-security threats;
FIG. 4 is a schematic diagram of an embodiment of a network security threat early warning apparatus.
The specific implementation mode is as follows:
in order to make the objects, technical solutions and advantages of the present invention clearer and more obvious, the present invention is further described in detail below with reference to the accompanying drawings and technical solutions.
Network Security Threat Warning: on the basis of analyzing network security event information, the dynamic change of the current network security threat is studied macroscopically and accurately and its evolution trend is predicted, so that an effective and accurate security threat alarm is raised before the threat causes loss.
Game (Games): under certain environmental conditions and certain rules, individuals or organizations select and carry out strategies from their respective sets of available strategies, simultaneously or in sequence, once or many times, and finally obtain their corresponding results.
Nash Equilibrium: in the game, in a certain strategy combination formed by one strategy of each game party, the strategy of any game party meets the following conditions: if any is true, then it is called a Nash equilibrium for the game.
Qualitative Differential Games: a theoretical method for describing the continuous control process in conflict and confrontation as time changes in real time. By describing and analyzing the dynamic evolution of the game system, it studies whether a given target outcome can be reached during continuous confrontation, which makes it well targeted and applicable to research on network security threat early warning.
Avoidance and Capture Areas (Evade Area and Capture Area): in a qualitative differential game, the system state space is divided into two regions, the avoidance area and the capture area. When the evader is in the avoidance area, whatever strategy the pursuer adopts, the evader can always escape capture by selecting an "appropriate" strategy; conversely, when the evader is in the capture area, whatever escape strategy it adopts, the pursuer can always capture it by selecting an "appropriate" strategy. In network defense, the attacker acts as the "pursuer" and the defender acts as the "evader".
Attack-Defense Barrier: the interface between the avoidance area and the capture area; it is the evolution trajectory of the attack-defense system state when both attacker and defender adopt their optimal strategies.
Evolutionary Games: originating from Darwin's theory of biological evolution, evolutionary game theory inherits biology's theoretical account of species evolution. It starts from the bounded rationality of individuals, takes group behavior as its object of study, and explains the evolutionary game process of biological behavior when accounting for the development and evolutionary selection of species. Through long-term trial and error, imitation and improvement, all players tend toward a stable strategy that may persist in the group for a long time; this stable-strategy equilibrium closely resembles the evolutionarily stable strategy of biological evolution and reaches a relatively harmonious game equilibrium.
Replicator Dynamics: in a group of boundedly rational players, through continual trial and error, learning and improvement of their own strategies, players gradually adopt strategies that perform better than the average, so that the proportion of players in the group adopting each strategy changes.
Network Security State Evolution Trajectory: under bounded rationality, evolutionary game theory is used to analyze the network attack and defense process; the evolution of the strategy choices of the attacker and defender is studied through the replicator dynamics learning mechanism, and the corresponding network security state is calculated quantitatively, forming an evolution trajectory in the network security state space.
Infectious Disease Model (SEM, Simple Epidemic Model): an important mathematical model for quantitatively analyzing the transmission process and predicting its trend. Within the range of an epidemic, the population is divided into two states, susceptible and infected, and the number of individuals in each state changes over time.
At present, confrontation in cyberspace is increasingly intense, and research into methods for analyzing the network security state has important practical significance. However, security threat analysis methods based on the traditional dynamic game cannot meet practical requirements. Existing network security threat early warning analysis methods have the following defects. (1) Current game-theoretic attack and defense analysis mostly assumes that the attacker and defender confront each other only once; even when a dynamic attack-defense game model is used, network attack and defense is treated as a discrete multi-stage process. In a real attack and defense scenario the process runs in real time over continuous time, so traditional dynamic game analysis cannot meet practical requirements, and the real-time performance and accuracy of the early warning method are greatly reduced. (2) Threat analysis methods based on the classical game model assume that the agents are completely rational; on that premise they model, deduce and quantitatively analyze the attack and defense confrontation, and study and evaluate how the network security threat degree changes by constructing an attack-defense game model. In an actual network confrontation, however, both attacker and defender have only bounded rationality, so the behavior analysis is insufficiently accurate and the objectivity and practicability of the early warning result are greatly reduced.
Therefore, in an embodiment of the present invention, referring to FIG. 1, a network security threat early warning method based on a qualitative differential game and an evolutionary game is provided, which comprises the following:
S101, constructing a multi-dimensional network security state space from the network system's functions and topology;
S102, introducing a qualitative differential game, constructing an attack-defense qualitative differential game model, and obtaining the attack-defense barrier from that model; introducing an evolutionary game, constructing an attack-defense evolutionary game model, and obtaining the network security state evolution trajectory from that model;
S103, obtaining the threat degree of different security states from the multi-dimensional Euclidean distance between the network security state evolution trajectory and the attack-defense barrier.
A stochastic game can be viewed as a state machine in which the game system jumps from one state to another under the combined actions of the players. A network system can likewise be regarded as a state machine whose system state changes constantly: the attacker and defender confront each other by selecting their respective strategies, and because the change of system state is uncertain, the random process of state jumps is described probabilistically.
Definition 1. The Attack-Defense Stochastic Game model (ADSG) can be expressed as a seven-tuple $ADSG = (N, S, A, D, P, U_a, U_d)$, where
① $N$ represents the set of players taking part in the game. Only the case of two players is considered here;
② $S=\{S_1,S_2,\ldots,S_k\}$ represents the state set of the attack-defense stochastic game;
③ $A=\{a_1,a_2,\ldots,a_m\}$ represents the attacker's set of optional strategies;
④ $D=\{d_1,d_2,\ldots,d_n\}$ represents the defender's set of optional strategies;
⑤ $P: S\times A\times D\times S \to [0,1]$ represents the state transition probability function of the attack-defense stochastic game;
Figure BDA0002019952160000061
denotes the set of payoffs of the players in state $k$ under the strategy pair $(a_i,d_j)$, where $U_{ij}$ represents a payoff value.
In the network attack-defense game, the relationship between attacker and defender is non-cooperative and adversarial, so the model is a non-cooperative network attack-defense stochastic game model.
The network security states are taken as the random state set of the game model. The attack-defense state transitions, caused mainly by the attack-defense strategy pair $(a_i,d_j)$, are represented by a directed graph $G=(S,E)$, where $S$ is the node set of the graph and represents the network security states, and $E$ is the edge set of the graph and represents the attack-defense state transitions. As shown in FIG. 2, there are three states in the figure, and there is a transition probability between each pair of states, although that probability may be 0.
Theorem 1 (existence of Nash equilibrium). Given a zero-sum attack-defense stochastic game model ADSG, if the game state set $S$ and the attack and defense optional strategy sets $A$ and $D$ are finite sets, then a stable Nash equilibrium exists. (Proof omitted.)
Theorem 2 (existence of the attack-defense game value). Given an attack-defense stochastic game model ADSG, for any $k = 1, \ldots, K$ the value $v_k$ of game state $S_k$ must be the unique solution of equation (1):
$v_k = \mathrm{Val}(S_k)$ (1)
where $\mathrm{Val}(S_k)$ represents the value of the matrix game $S_k$, and the elements of the matrix $S_k$ are:
Figure BDA0002019952160000071
By calculating the attack and defense payoff values of the two parties, the stable state of the network attack-defense game can finally be obtained and used for network security behavior analysis.
The infectious disease dynamics model describes the dynamic process by which a disease infects and breaks out in a population. In network confrontation, a security threat exploits vulnerabilities of the network system to penetrate, infect and spread from individual network nodes to other nodes in the system. This process resembles the spread and damage of an infectious disease, and it too is a constantly changing dynamic process. On the one hand, the security state of the nodes that make up the network system keeps migrating and changing; on the other hand, the number of nodes in each security state changes dynamically. In another embodiment of the invention, the network security threat propagation process is described with an infectious disease dynamics model: the security state of a network node is divided into a normal state and an infected state, and the change in density of infected nodes in the network reflects how the network security threat propagates and spreads. The network is divided by boundary into several functional sub-networks according to network function and topology, forming a multi-dimensional network security state space, and the infected node density of each sub-network is analyzed using the threat propagation process. Following the theory of infectious disease dynamics, the security state of a network node is divided into a normal state N and an infected state I, and $N(t)$ and $I(t)$ denote the number of normal nodes and the number of infected nodes in the network at time $t$, respectively.
The network security threat propagation process is described with reference to the infectious disease model SEM. For convenience of analysis, the total number of nodes $Q$ in the network is assumed to remain unchanged; the density of infected nodes in the network at time $t$ is denoted $\rho(t)$ and the density of normal nodes is $1-\rho(t)$, with $\rho(t)=I(t)/Q$. Let $v_a(t)$ and $v_d(t)$ denote, respectively, the infection rate at which normal nodes are converted into infected nodes and the repair rate at which infected nodes are successfully restored to the normal state during attack and defense. According to the infectious disease model theory, the following is obtained:
Figure BDA0002019952160000081
where $\theta(t)$ represents the probability that a normal node is connected to an infected node at time $t$. If the number of network nodes is large and the infected nodes are far from each other, the overlap between the influence ranges of the infected nodes can be neglected, and $\theta(t)=1-(1-\rho(t))^{\beta}$, where $\beta$ is the node connectivity.
According to the theory of infectious disease dynamics, combined with practical knowledge of network attack and defense, the change in infected node density in the network directly reflects the propagation and spread of the security threat and the change in its severity, and the transition of a node's security state is determined by the interaction of the attack and defense strategies. Thus the infection rate $v_a(t)$ is expressed by the attack utility $a(t)$, and the repair rate $v_d(t)$ is expressed by the defense utility $d(t)$. As a brief attack and defense example, suppose the attacker can take three types of attack behavior, of high, medium and low intensity, and let
Figure BDA0002019952160000082
respectively represent the average attack strengths; similarly, the average defense strengths of the defender are expressed as
Figure BDA0002019952160000083
The attack and defense utilities at time t can be expressed as
Figure BDA0002019952160000084
and
Figure BDA0002019952160000085
Using the probability vectors
Figure BDA0002019952160000086
and
Figure BDA0002019952160000087
the mixed strategies of the attacker and the defender at time $t$ can be expressed respectively.
From the above analysis, a network security threat propagation equation can be obtained:
Figure BDA0002019952160000088
In an embodiment of the invention, the network is divided by boundary into several functional sub-networks according to network function and topology, and the infected node density of each sub-network is analyzed using equation (4), so as to characterize the overall security threat situation and predict how the network security threat changes over time.
From the perspective of continuous dynamic countermeasure, a qualitative differential game is introduced, and an attack and defense qualitative differential game model is constructed and solved; the attack and defense boundary grid is used as the measurement standard for evaluating the threat degree of the network security state. The attack and defense qualitative differential game model NSDG is represented by an eight-tuple $(N, B, S, t, X, P, f, G)$, where N represents the participant space, B represents the attack and defense action space, S represents the set of sub-networks divided according to network functions and topological structure, t represents the moment of the network attack and defense qualitative differential game, X represents the network security state variable at that moment, P represents the control strategies of the two parties at that moment, f represents the network security state transition function, and G represents the attack target set. $N = (N_D, N_A)$ is the participant space of the network attack and defense qualitative differential game, where $N_D$ is the defender and $N_A$ is the attacker. $B = (DS, AS)$ is the attack and defense action space, where $DS = \{DS_j \mid 1 \le j \le n\}$ and $DS_j$ represents an optional defense strategy of the defender. $S = \{S_k \mid k = 1, \dots, K\}$ is the set of sub-networks into which the network system is divided according to function and topology, where K is the number of sub-networks, $S_k$ denotes the k-th sub-network and $\beta_k$ represents the average connectivity of sub-network $S_k$. $t \in [t_{bin}, t_{end}]$ represents the time of the network attack and defense qualitative differential game.
$X(t) = \{(\rho_1(t), \cdots, \rho_k(t), \cdots, \rho_K(t)) \mid 0 \le \rho_k(t) \le 1, k = 1, \dots, K\}$ represents the network security state variable at time t, which lies in the K-dimensional state space formed by the infected-node densities $\rho_k(t)$ of the sub-networks. Because $\rho_k(t)$ is determined by the number of infected nodes in the network, the security states are discretely distributed in the K-dimensional state space. $P = \{P_D(t), P_A(t)\}$ is the control strategy of the attacker and defender at time t, a control trajectory with time as its variable.
Figure BDA0002019952160000091
Represents the mixed strategy selected by the defender at the moment t,
Figure BDA0002019952160000092
Figure BDA0002019952160000093
is a hybrid strategy chosen by the attacker at time t,
Figure BDA0002019952160000094
$f = \{f_k \mid k = 1, \dots, K\}$ represents the network security state transition function, i.e. the function describing how the infected-node density $\rho_k(t)$ of each sub-network changes over time (the network security threat propagation equation), where
Figure BDA0002019952160000095
Figure BDA0002019952160000096
representing an attack target set and also being a network security risk high-risk area. In network countermeasure, an attacker tries to make a series of attack actions to make the network security state migrate to the target set, so as to achieve the attack target, and a defending party takes defensive measures to avoid the occurrence of the result.
Based on game model definition and analysis, considering the difference of the functional topology of each sub-network, defining the boundary function of an attack and defense game target set in the NSDG model as follows:
Figure BDA0002019952160000097
where $\theta$ represents the total number of infected nodes when the threshold of network functional paralysis is reached, $e_k$ is the number of nodes in sub-network $S_k$ with $e_1 + e_2 + \cdots + e_K = Q$, and $\rho_k'(t)$ represents the infected-node density of sub-network $S_k$ when the paralysis threshold is reached. Because the factors influencing network function in actual network security problems take many forms and are complex, the degree of completeness of the network function is measured by the density of infected nodes for convenience of analysis.
In the process of solving the attacking and defending qualitative differential game model, in another embodiment of the invention, a multi-dimensional network security space is divided into a capturing area and an avoiding area, a network security state track corresponding to the optimal control strategies of both attacking and defending parties is solved, the network security state track is used as an attacking and defending boundary grid in the network attacking and defending qualitative differential game model, and a boundary between the capturing area and the avoiding area is determined. According to the qualitative differential game theory, the network security multidimensional state space can be divided into a capture area and an avoidance area. If the current network security state X is located in the capture area, the attacker always enables the security state to reach the target set by adopting a proper attack strategy to realize an expected target; if the target is located in the avoidance area, the defense party takes appropriate defense measures to always resist further propagation of the threat and prevent the safety state from migrating to the target set. And the interface of the capture area and the avoidance area is called as an attack and defense interface grid of the attack and defense qualitative differential game.
Definition 4 (attack and defense boundary grid). In the network attack and defense qualitative differential game NSDG, the attack and defense boundary grid is the network security state trajectory $X^*(t)$ that corresponds to the optimal control strategies of the attacker and defender
Figure BDA0002019952160000101
It is the boundary line that separates the capture area A (attacker-dominant region) from the avoidance area D (defender-dominant region).
Solving the network attack and defense qualitative differential game problem essentially means calculating the network attack and defense boundary grid $X^*(t)$ and dividing the multidimensional state space to determine the capture area A and the avoidance area D. The solution process of the attack and defense qualitative differential game model comprises the following: constructing a Hamiltonian that represents the rate of change of the network security state; obtaining the optimal control strategies of the attacker and defender according to the bilateral extremum theorem; constructing the attack and defense game target boundary set and obtaining its unit normal vector; obtaining the optimal attack and defense strategies on the target boundary set and the set of initial state positions of the attack and defense boundary grid from the Hamiltonian, the optimal control strategies, the target boundary set and the unit normal vector; and obtaining the optimal network security trajectory, namely the network attack and defense boundary grid, from the optimal attack and defense strategies on the target boundary set and the set of initial state positions of the boundary grid. Based on the analysis and definition of the attack and defense qualitative differential game model, combined with qualitative differential game theory, the specific steps for solving the network attack and defense qualitative differential game problem can be designed as follows:
(1) Let the vector $\lambda^T = (\lambda_1, \lambda_2, \cdots, \lambda_K)^T \in R^K$ and construct the Hamiltonian $H(X, P_D(t), P_A(t), \lambda)$, which represents the rate of change of the network security state:
Figure BDA0002019952160000102
(2) According to the bilateral extremum theorem, solve for the optimal control strategy
Figure BDA0002019952160000111
such that it satisfies
Figure BDA0002019952160000112
where $X^*(t)$ denotes the optimal trajectory determined by the optimal control strategy
Figure BDA0002019952160000113
(3) Calculating a system of adjoint equations
Figure BDA0002019952160000114
For the
Figure BDA0002019952160000115
Figure BDA0002019952160000116
where $\rho_k(t)$ is the infected-node density of sub-network $S_k$.
(4) Constructing attack and defense game target boundary set
Figure BDA0002019952160000117
Figure BDA0002019952160000118
where $c_1, c_2, \cdots, c_{k-2}$ are auxiliary parameters, and
Figure BDA0002019952160000119
is the parametric expression of $\rho_k(t)$ on the corresponding boundary set
Figure BDA00020199521600001110
(5) According to the definition of the unit normal vector, solve the following system of equations to determine, on the attack and defense game target boundary set
Figure BDA00020199521600001111
the unit normal vector
Figure BDA00020199521600001112
Figure BDA00020199521600001113
(6) According to the necessary condition for a semi-permeable surface
Figure BDA00020199521600001114
solve for the optimal attack and defense strategies on the attack and defense game target boundary set G
Figure BDA00020199521600001115
and
Figure BDA00020199521600001116
and for the boundary of the usable part (BUP) of the target set, i.e. the part of the target boundary set on which $H = 0$, which is the set of initial state positions of the attack and defense boundary grid
Figure BDA00020199521600001117
(7) Taking a point on the BUP
Figure BDA00020199521600001118
as the initial point, the optimal network security trajectory $X^*(t)$ is obtained by integrating the adjoint equation system and the network security state transition equation system backward in time; this trajectory is the network attack and defense boundary grid. Combining (7-9), solve the following system of equations:
Figure BDA0002019952160000121
When the adjoint equation system is integrated backward, the initial value is the unit normal vector on the attack and defense game target boundary set
Figure BDA0002019952160000129
When the security state transition equation system is integrated backward, the initial value is the security state variable on the BUP.
From the perspective of the limited rationality of the attack and defense participants, in a further embodiment of the invention, evolutionary game theory is introduced, an attack and defense evolutionary game model is constructed, and the network security state evolution trajectory is obtained by solving it. The attack and defense evolutionary game model AEGM is represented by an eight-tuple $(N, B, S, t, Y, Q, f, U)$, where N represents the participant space, B represents the attack and defense action space, S represents the set of sub-networks divided according to network functions and topological structure, t represents the moment of the attack and defense game, Y represents the network security state variable at that moment, Q represents the strategy selection probabilities of the attacker and defender at that moment, f represents the network security state transition function, and U represents the set of game profit functions. $N = (N_D, N_A)$ is the participant space of the qualitative differential game of attack and defense, where $N_D$ is the defender and $N_A$ is the attacker. $B = (DS, AS)$ is the attack and defense action space, where $DS = \{DS_j \mid 1 \le j \le n\}$ and $DS_j$ represents an optional strategy of the defender, and $AS = \{AS_i \mid 1 \le i \le m\}$ and $AS_i$ represents an optional strategy of the attacker. $S = \{S_k \mid k = 1, \dots, K\}$ represents the set of sub-networks into which the network system is divided according to function and topology; K is the number of sub-networks, $S_k$ represents the k-th sub-network, and $\beta_k$ represents the average connectivity of sub-network $S_k$. $t \in [t_{bin}, t_{end}]$ indicates the moment of the attack and defense game. $Y(t) = \{(\rho_1(t), \cdots, \rho_k(t), \cdots, \rho_K(t)) \mid 0 \le \rho_k(t) \le 1, k = 1, \dots, K\}$ represents the network security state variable at time t in the attack and defense evolutionary game; it is defined on the finite discrete K-dimensional state space $V^K$ formed by the infected-node densities $\rho_k$ of the sub-networks and is used to describe the evolution trajectory of the security state.
$Q = \{Q_D(t), Q_A(t)\}$ is the strategy selection probability of the attacker and defender at time t.
Figure BDA0002019952160000122
Representing the probability of the defender selecting different defense strategies at time t,
Figure BDA0002019952160000123
Similarly,
Figure BDA0002019952160000124
is the selection probability of the attack strategies,
Figure BDA0002019952160000125
$f = \{f_k \mid k = 1, \dots, K\}$ represents the network security state transition function, i.e. the function describing how the infected-node density $\rho_k(t)$ of each sub-network changes over time,
Figure BDA0002019952160000126
$U = (U_A, U_D)$ is the set of game profit functions, where $U_A$ and $U_D$ represent the game profits of the attacker and the defender respectively. The expected profits of the defender's different defense strategies
Figure BDA0002019952160000127
and the average profit
Figure BDA0002019952160000128
are calculated as follows.
Figure BDA0002019952160000131
Figure BDA0002019952160000132
where
Figure BDA0002019952160000133
represents the defender's profit when attack strategy $AS_i$ confronts defense strategy $DS_j$, with $1 \le i \le m$ and $1 \le j \le n$.
Similarly, expected gains of different attack strategies of an attacker can be calculated
Figure BDA0002019952160000134
And average profit
Figure BDA0002019952160000135
Figure BDA0002019952160000136
Definition 5 (network security state evolution trajectory). For the evolutionarily stable equilibrium strategies of the attacker and defender
Figure BDA0002019952160000137
the corresponding set of network security states $Y^*(t)$ is the evolution trajectory of the network security state.
In order to improve the objectivity of network security state analysis and enhance the practical value of the prediction result, the evolutionarily stable equilibrium strategy can be calculated by starting from the practical situation that both the attacker and the defender have limited rationality in reality and applying the replicator dynamics learning mechanism of evolutionary game theory
Figure BDA0002019952160000138
The security threat propagation equation is then solved to obtain the evolution trajectory $Y^*(t)$, which quantitatively describes how the network security state changes. This trajectory is a reliable prediction of the network security state from the perspective of limited rationality, and has better objectivity and practical guiding significance.
Based on the network attack and defense reality, from the limited rational condition, it is assumed that attack and defense decision makers of different sub-networks belong to different individuals and do not have complete rational capability. According to the evolutionary game theory, because different decision makers select different strategies, the obtained benefits have differences; through a learning mechanism, decision makers with low profit learn the strategy selection mode of decision makers with high profit, the behavior mode of the decision makers with low profit is improved, the strategy selection probability changes along with the change of the strategy selection mode, and the attack and defense confrontation situation and the network security state are dynamically changed.
Let
Figure BDA0002019952160000139
and
Figure BDA00020199521600001310
denote the selection probabilities of attack strategy $AS_i$ and defense strategy $DS_j$ respectively, and let
Figure BDA00020199521600001311
and
Figure BDA00020199521600001312
denote the corresponding game profits of $AS_i$ and $DS_j$. Following the definition of the AEGM model, the replicator dynamics learning mechanism is used to analyze how the attack and defense strategy selection probabilities change, from which the evolution trajectory of the network security state is derived. The specific calculation process can be designed as follows:
First, establish the probabilistic inference $Q = \{Q_D(t), Q_A(t)\}$ on the optional strategy sets of the attacker and defender, together with the initial probabilities
Figure BDA00020199521600001313
and
Figure BDA00020199521600001314
Second, calculate the replicator dynamic equation of the attacker.
From the strategy selection probabilities
Figure BDA0002019952160000141
and the strategy profit values
Figure BDA0002019952160000142
calculate the expected profits of the different attack strategies
Figure BDA0002019952160000143
and the average profit
Figure BDA0002019952160000144
Figure BDA0002019952160000145
The replicator dynamic equation of the attacker is then obtained as
Figure BDA0002019952160000146
Third, calculate the replicator dynamic equation of the defender in the same way:
Figure BDA0002019952160000147
Fourth, calculate the evolution trajectory of the network security state.
Based on evolutionary game theory, the replicator dynamic equations of the attacker and defender are combined with the threat propagation equation to obtain the following system of equations:
for the
Figure BDA0002019952160000148
Figure BDA0002019952160000149
Solving this system of equations yields the evolution trajectory $Y^*(t)$ of the network security state. The calculation involves solving differential equations; a numerical solution meeting the required precision can be obtained with the MATLAB scientific computing software and a multi-order Runge-Kutta method.
A network security state space is constructed from the infection densities of the sub-networks, and the infected-node density state of each sub-network is analyzed with the security threat propagation equation, so as to depict the range and severity of the security threat across the whole network. On this basis, the attack and defense boundary grid is solved from the qualitative differential game model, providing a measurement reference for evaluating the threat degree; the evolution trajectory of the network security state is calculated according to evolutionary game theory, giving a reliable prediction of the actual security state; and the two are combined by introducing the Euclidean distance to describe the threat degree of the network security state at different moments. For ease of understanding, assume that the network system is divided into sub-networks $S_1$ and $S_2$. The dynamic early warning process of the network security threat is shown in FIG. 3, in which the coordinate axis t represents time and the moments $t_0$, $t_1$, $t_2$, $t_3$ are selected to form "security threat analysis snapshots" of the network system. Here $\rho_1$ and $\rho_2$ represent the infected-node densities of sub-networks $S_1$ and $S_2$, G is the attack target set, D is the avoidance area, A is the capture area, the red line represents the attack and defense boundary grid, the black dotted line represents the network security state evolution trajectory $Y^*(t)$, and the red solid point represents the security state $y^*(t)$ predicted from the evolution trajectory at time t. By calculating the Euclidean distance between the security state $y^*(t)$ and the attack and defense boundary grid, the threat severity of $y^*(t)$ can be evaluated quantitatively.
Definition 6 (network security threat degree T). Let the attack and defense boundary grid be
Figure BDA0002019952160000151
and let the network security states be expressed respectively as
Figure BDA0002019952160000152
and
Figure BDA0002019952160000153
At time t, for the security state on the evolution trajectory $Y^*(t)$
Figure BDA0002019952160000154
the network security threat degree is $T(y^*(t))$, abbreviated as
Figure BDA0002019952160000155
Figure BDA0002019952160000156
where
Figure BDA0002019952160000157
denotes the Euclidean distance between the security state
Figure BDA0002019952160000158
and the attack and defense boundary grid X. When the security state is in the avoidance area D,
Figure BDA0002019952160000159
takes a negative value, indicating that the security threat is small and controllable; when it is in the capture area A,
Figure BDA00020199521600001510
takes a positive value, indicating that the security threat is severe and difficult to control.
For ease of analysis, the threat level T is divided into five levels, as shown in table 1, in conjunction with historical data and expert experience.
TABLE 1 threat early warning rankings criteria
Figure BDA00020199521600001511
Wherein, the first to second-stage early warning represents that the network security state is in the avoidance area, the security threat is still in a controllable state, and the defense party has great advantages in attack and defense countermeasures. The three-level early warning means that the security state is in the vicinity of the attack and defense boundary fence, which indicates that network attack poses a large threat to the system, and the defense party needs to deal with the security event as much as possible, so that the security state is prevented from being transferred to the capture area, and the security threat is further worsened. The four-to-five-level early warning means that the security state is in the capture area, the security threat degree is severe and the development is difficult to control, and at the moment, a defender needs to adjust a defense strategy according to the actual situation and carry out emergency treatment so as to reduce the loss as much as possible. The five-stage early warning shows that the current safety state is in extremely critical degree, and a defense party is required to compare defense cost and return and selectively defend related network assets.
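The four calculation steps and the signed threat degree T of Definition 6, worked through for two sub-networks as an added example (not code from the patent): both replicator equations are integrated together with a propagation equation by the classical fourth-order Runge-Kutta method, and each predicted state is scored by its signed Euclidean distance to a barrier. The payoff matrices, the SIS-style propagation term standing in for equation (4), the barrier polyline, the level boundaries and all function names are constructed assumptions.

```python
import math

# All inputs below are constructed for illustration (assumptions, not patent data).
A_PAY = [[6.0, 4.0], [3.0, 2.0]]   # attacker profit for AS_i (row) vs DS_j (column)
D_PAY = [[1.0, 4.0], [3.0, 5.0]]   # defender profit for AS_i (row) vs DS_j (column)
INFECT = [0.9, 0.4]    # assumed infection rate contributed by AS_1, AS_2
RECOVER = [0.3, 0.7]   # assumed recovery rate contributed by DS_1, DS_2
BETA = [2.0, 1.0]      # assumed average connectivity beta_k of S_1, S_2
# Constructed barrier polyline in the (rho_1, rho_2) plane, oriented so that the
# capture area A (towards the target set) lies on its left.
BARRIER = [(0.0, 0.5), (0.4, 0.3), (0.7, 0.0)]
# Placeholder level boundaries on T; the patent's Table 1 values are not used.
LEVEL_BOUNDS = [-0.30, -0.10, 0.10, 0.30]


def deriv(s):
    """Right-hand side for s = [qA_1..qA_m, qD_1..qD_n, rho_1..rho_K]."""
    m, n = len(A_PAY), len(A_PAY[0])
    qa, qd, rho = s[:m], s[m:m + n], s[m + n:]
    # Expected profit of each pure strategy against the opponent's current mix.
    ua = [sum(qd[j] * A_PAY[i][j] for j in range(n)) for i in range(m)]
    ud = [sum(qa[i] * D_PAY[i][j] for i in range(m)) for j in range(n)]
    ua_bar = sum(q * u for q, u in zip(qa, ua))   # attacker average profit
    ud_bar = sum(q * u for q, u in zip(qd, ud))   # defender average profit
    # Replicator dynamics: a strategy gains share when it beats the average.
    dqa = [q * (u - ua_bar) for q, u in zip(qa, ua)]
    dqd = [q * (u - ud_bar) for q, u in zip(qd, ud)]
    # Assumed SIS-style stand-in for the threat propagation equation.
    eta = sum(q * r for q, r in zip(qa, INFECT))
    gamma = sum(q * r for q, r in zip(qd, RECOVER))
    drho = [eta * b * r * (1.0 - r) - gamma * r for b, r in zip(BETA, rho)]
    return dqa + dqd + drho


def rk4_step(s, h):
    """One classical fourth-order Runge-Kutta step of size h."""
    k1 = deriv(s)
    k2 = deriv([x + h / 2 * k for x, k in zip(s, k1)])
    k3 = deriv([x + h / 2 * k for x, k in zip(s, k2)])
    k4 = deriv([x + h * k for x, k in zip(s, k3)])
    return [x + h / 6 * (a + 2 * b + 2 * c + d)
            for x, a, b, c, d in zip(s, k1, k2, k3, k4)]


def evolve(s0, t_end, h=0.01):
    """Return the list of states from t = 0 to t_end in steps of h."""
    traj = [list(s0)]
    for _ in range(round(t_end / h)):
        traj.append(rk4_step(traj[-1], h))
    return traj


def threat_degree(y, barrier=BARRIER):
    """Signed Euclidean distance from the 2-D state y to the barrier polyline.

    Negative in the avoidance area D, positive in the capture area A.
    """
    best = None
    for (x1, y1), (x2, y2) in zip(barrier, barrier[1:]):
        dx, dy = x2 - x1, y2 - y1
        # Parameter of the closest point on this segment, clamped to its ends.
        u = ((y[0] - x1) * dx + (y[1] - y1) * dy) / (dx * dx + dy * dy)
        u = min(1.0, max(0.0, u))
        dist = math.hypot(y[0] - (x1 + u * dx), y[1] - (y1 + u * dy))
        side = dx * (y[1] - y1) - dy * (y[0] - x1)   # > 0 means left of segment
        if best is None or dist < best[0]:
            best = (dist, side)
    return best[0] if best[1] > 0 else -best[0]


def warning_level(t_val):
    """Map T to levels 1-5: 1-2 avoidance area, 3 near barrier, 4-5 capture area."""
    return 1 + sum(t_val > b for b in LEVEL_BOUNDS)


def snapshots(s0, t_end, every=5.0, h=0.01):
    """(time, T, level) at regular intervals along the evolution trajectory."""
    out = []
    stride = round(every / h)
    for i, s in enumerate(evolve(s0, t_end, h)):
        if i % stride == 0:
            t_val = threat_degree(s[-len(BETA):])
            out.append((i * h, t_val, warning_level(t_val)))
    return out


if __name__ == "__main__":
    start = [0.5, 0.5, 0.5, 0.5, 0.05, 0.05]   # constructed initial state
    for t, T, level in snapshots(start, 30.0):
        print(f"t={t:5.1f}  T={T:+.3f}  level={level}")
```

With these constructed inputs the predicted state starts well inside the avoidance area and ends just on the capture side of the barrier, so the sign of T flips along the trajectory.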
Based on the above, the network security threat dynamic early warning algorithm based on the attack and defense boundary barrier and the evolution track in the invention can be designed as follows:
Figure BDA0002019952160000161
Figure BDA0002019952160000171
The model and the method provided by the invention can analyze the continuous, real-time attack and defense process and predict the dynamic change of the threat from the perspective of limited rationality, which better matches actual attack and defense scenarios and effectively improves the objectivity and practicability of the model and method.
Based on the above method, the present invention further provides a network security threat early warning device based on qualitative differential game and evolutionary game, as shown in fig. 4, including: a space building module 101, a model building module 102, and a threat analysis module 103, wherein,
the space construction module 101 is used for constructing a multi-dimensional network security state space by combining network system functions and a topological structure thereof;
the model construction module 102 is used for introducing a qualitative differential game, constructing an attack and defense qualitative differential game model, and acquiring an attack and defense boundary gate according to the attack and defense qualitative differential game model; introducing an evolutionary game, constructing an attack and defense evolutionary game model, and acquiring a network security state evolution track according to the attack and defense evolutionary game model;
a threat analysis module 103, configured to obtain threat degrees of different security states according to the multi-dimensional space Euclidean distance between the network security state evolution trajectory and the attack and defense boundary barrier.
Unless specifically stated otherwise, the relative steps, numerical expressions, and values of the components and steps set forth in these embodiments do not limit the scope of the present invention.
Traditional network security threat analysis methods ignore the fact that the degree and influence of a security threat are determined jointly by the behavior of the attacker and the defender, and therefore fall short in comprehensiveness and accuracy. Introducing game theory into research on network security threat early warning therefore has reference significance and theoretical value. On the one hand, network security analysis methods based on single-stage or multi-stage dynamic game models have difficulty analyzing an attack and defense process that changes in real time and involves continuous confrontation. To address this problem, the network attack and defense process in continuous time is studied and analyzed: to meet the threat early warning requirement, an infectious disease dynamics model is adopted to depict the threat propagation process, a network attack and defense qualitative differential game model is proposed, and an attack and defense boundary grid is constructed to divide the capture area from the avoidance area and to serve as the measurement standard for threat assessment. On the other hand, network security analysis methods based on classic game models assume that the agents are completely rational, which does not match actual attack and defense conditions.
To address this problem, network attack and defense behavior is studied and analyzed from the perspective of limited rationality: to meet the threat early warning requirement, a network attack and defense evolutionary game model is proposed, the learning process of the game players is described with the replicator dynamics learning mechanism, and the evolution trajectory of the network security threat state is calculated. Taking the attack and defense boundary grid as the measurement reference, the Euclidean distance between the security state evolution trajectory and the boundary grid is calculated, and the security threat early warning level is judged for different moments and different Euclidean distances, so that the early warning method is comprehensive, objective and practical. In establishing the network attack and defense qualitative differential game model and the network attack and defense evolutionary game model, constructing the network functional topology and the network security state space is a preparatory step. By analyzing and calculating the threat propagation process under the continuous attack and defense game, the attack and defense boundary grid is solved and the capture area and avoidance area are delimited, which provides the measurement reference for threat early warning. Through the evolutionary game learning mechanism, the way in which the choice of confrontation strategies evolves is studied, the threat propagation process under the dynamic attack and defense game is analyzed and calculated, and the evolution trajectory of the network security state in the multi-dimensional space is then solved; the distance between the security state evolution trajectory and the attack and defense boundary grid is obtained as a Euclidean distance, from which the threat early warning levels are divided.
In the data analysis process, the selectable strategy sets of the two attacking and defending parties refer to data in an attacking and defending behavior database of the US MIT, the construction of the attacking and defending strategy sets and the income quantification of the attacking and defending strategy sets are also preparation steps aiming at the network attacking and defending process, and the attacking and defending strategy sets are selected and mainly used for analysis and solution of the later attacking and defending process. Meanwhile, the specific classification of the threat early warning grade is obtained by carrying out statistical analysis according to the combination of historical data and expert experience. In addition, in the embodiment of the invention, a network security threat early warning algorithm based on qualitative differential gaming and evolutionary gaming is designed, threat early warning levels of security states at different moments are determined, a targeted suggestion is provided for network security risk prevention and control according to the early warning levels, and the effectiveness of the model and the algorithm is verified through a simulation experiment. The method provides an effective model method for analyzing and predicting the network security threat state closer to the actual network security problem and realizing objective and comprehensive security threat early warning, and can provide guidance for a network security manager to formulate a targeted security prevention and control scheme.
Based on the foregoing method, an embodiment of the present invention further provides a server, including: one or more processors; a storage device for storing one or more programs which, when executed by the one or more processors, cause the one or more processors to implement the method described above.
Based on the above method, the embodiment of the present invention further provides a computer readable medium, on which a computer program is stored, wherein the program, when executed by a processor, implements the above method.
The device provided by the embodiment of the present invention has the same implementation principle and technical effect as the method embodiments; for brevity, where the device embodiments do not mention a point, reference may be made to the corresponding contents of the method embodiments.
It is clear to those skilled in the art that, for convenience and brevity of description, the specific working processes of the system and the apparatus described above may refer to the corresponding processes in the foregoing method embodiments, and are not described herein again.
In all examples shown and described herein, any particular value should be construed as merely exemplary, and not as a limitation, and thus other examples of example embodiments may have different values.
It should be noted that: like reference numbers and letters refer to like items in the following figures, and thus, once an item is defined in one figure, it need not be further defined and explained in subsequent figures.
The flowchart and block diagrams in the figures illustrate the architecture, functionality, and operation of possible implementations of systems, methods and computer program products according to various embodiments of the present invention. In this regard, each block in the flowchart or block diagrams may represent a module, segment, or portion of code, which comprises one or more executable instructions for implementing the specified logical function(s). It should also be noted that, in some alternative implementations, the functions noted in the block may occur out of the order noted in the figures. For example, two blocks shown in succession may, in fact, be executed substantially concurrently, or the blocks may sometimes be executed in the reverse order, depending upon the functionality involved. It will also be noted that each block of the block diagrams and/or flowchart illustration, and combinations of blocks in the block diagrams and/or flowchart illustration, can be implemented by special purpose hardware-based systems which perform the specified functions or acts, or combinations of special purpose hardware and computer instructions.
In the several embodiments provided in the present application, it should be understood that the disclosed system, apparatus and method may be implemented in other ways. The above-described embodiments of the apparatus are merely illustrative, and for example, the division of the units is only one logical division, and there may be other divisions when actually implemented, and for example, a plurality of units or components may be combined or integrated into another system, or some features may be omitted, or not executed. In addition, the shown or discussed mutual coupling or direct coupling or communication connection may be an indirect coupling or communication connection of devices or units through some communication interfaces, and may be in an electrical, mechanical or other form.
The units described as separate parts may or may not be physically separate, and parts displayed as units may or may not be physical units, may be located in one place, or may be distributed on a plurality of network units. Some or all of the units can be selected according to actual needs to achieve the purpose of the solution of the embodiment.
In addition, functional units in the embodiments of the present invention may be integrated into one processing unit, or each unit may exist alone physically, or two or more units are integrated into one unit.
The functions, if implemented in the form of software functional units and sold or used as a stand-alone product, may be stored in a non-volatile computer-readable storage medium executable by a processor. Based on such understanding, the technical solution of the present invention may be embodied in the form of a software product, which is stored in a storage medium and includes instructions for causing a computer device (which may be a personal computer, a server, or a network device) to execute all or part of the steps of the method according to the embodiments of the present invention. And the aforementioned storage medium includes: a U-disk, a removable hard disk, a Read-Only Memory (ROM), a Random Access Memory (RAM), a magnetic disk or an optical disk, and other various media capable of storing program codes.
Finally, it should be noted that: the above-mentioned embodiments are only specific embodiments of the present invention, which are used for illustrating the technical solutions of the present invention and not for limiting the same, and the protection scope of the present invention is not limited thereto, although the present invention is described in detail with reference to the foregoing embodiments, those skilled in the art should understand that: any person skilled in the art can modify or easily conceive the technical solutions described in the foregoing embodiments or equivalent substitutes for some technical features within the technical scope of the present disclosure; such modifications, changes or substitutions do not depart from the spirit and scope of the embodiments of the present invention, and they should be construed as being included therein. Therefore, the protection scope of the present invention shall be subject to the protection scope of the claims.

Claims (8)

1. A network security threat early warning method based on qualitative differential game and evolutionary game is characterized by comprising the following contents: combining network system functions and a topological structure thereof to construct a multi-dimensional network security state space;
introducing a qualitative differential game, constructing an attack and defense qualitative differential game model, and acquiring an attack and defense boundary gate according to the attack and defense qualitative differential game model; introducing an evolutionary game, constructing an attack and defense evolutionary game model, and acquiring a network security state evolution track according to the attack and defense evolutionary game model;
acquiring threat degrees of different security states according to a multidimensional space Euclidean distance between a network security state evolution track and an attack and defense boundary gate;
from the perspective of the limited rationality of the attack and defense participants, introducing evolutionary game theory, constructing an attack and defense evolutionary game model, and obtaining a network security state evolution track by solving it, wherein the attack and defense evolutionary game model AEGM is represented by an eight-tuple (N, B, S, t, Y, Q, f, U), wherein N represents a participant space, B represents an attack and defense action space, S represents a sub-network set divided according to network functions and a topological structure, t represents attack and defense game time, Y represents a network security state variable at the network attack and defense game time, Q represents the strategy selection probabilities of both the attack and defense parties at the network game time, f represents a network security state transition function, and U represents a set of game payoff functions;
based on the evolutionary game theory, a replication dynamic equation and a threat propagation equation of the attacking party and the defending party are combined to obtain an equation set:
Figure FDA0003117811450000011
obtaining a network security state evolution track $Y^*(t)$ by solving the equation set; wherein $A(Q_A)$ represents the replication dynamic equation of the attacker,
Figure FDA0003117811450000012
is the probability that the attacker selects an attack strategy at time t, $D(Q_D)$ represents the replication dynamic equation of the defender,
Figure FDA0003117811450000013
is the probability that the defender selects a defense strategy at time t,
Figure FDA0003117811450000014
and
Figure FDA0003117811450000015
respectively represent the selection probabilities of the attack and defense strategies $AS_i$ and $DS_j$,
Figure FDA0003117811450000016
and
Figure FDA0003117811450000017
respectively represent the game payoffs corresponding to the attack and defense strategies $AS_i$ and $DS_j$,
Figure FDA0003117811450000018
represents the expected payoff of the attack strategy,
Figure FDA0003117811450000019
represents the expected payoff of the defense strategy, $\beta_k$ represents the average degree of connectivity of the sub-network $S_k$, $p_k$ represents the density of infected nodes in the sub-network, $a(t)$ represents the attack utility, $d(t)$ represents the defense utility, $\theta(t)$ represents the probability of connecting normal nodes with the infected nodes at time t, and $\rho(t)$ represents the density of the infected nodes in the network at time t;
Figure FDA0003117811450000021
respectively representing attack intensity of an attacking party and defense intensity of a defending party, and m and n respectively representing the total number of the selectable strategies of the attacking party and the defending party;
according to the network security state evolution track, acquiring a security state set on the evolution track at the moment t, wherein the network security threat degree is expressed as a Euclidean distance between the security state set and the attack and defense fence network security state; if the Euclidean distance is a negative value, the security threat degree is set to be in a low-level controllable state, and if the Euclidean distance is a positive value, the security threat degree is in a high-level uncontrollable state.
2. The network security threat early warning method based on the qualitative differential gaming and the evolutionary gaming according to claim 1, characterized in that an infectious disease dynamics model is used to describe a network security threat propagation process, the network node security state is divided into a normal state and an interference state, and the network security threat propagation diffusion change process is reflected by the density change of the infected nodes in the network; dividing the network boundary into a plurality of functional sub-networks according to the network function and the topological structure to form a multi-dimensional network security state space, and analyzing the density state of the infected nodes of each sub-network by utilizing the network security threat propagation process.
3. The network security threat early warning method based on the qualitative differential gaming and the evolutionary gaming of claim 1, characterized in that, from the perspective of continuous dynamic confrontation, a qualitative differential game is introduced, an attack and defense qualitative differential game model is constructed and an attack and defense boundary grid is solved, and the attack and defense boundary grid is taken as the measurement reference for evaluating the threat degree of the network security state, wherein the attack and defense qualitative differential game model NSDG is expressed by an eight-tuple (N, B, S, t, X, P, f, G), wherein N represents a participant space, B represents an attack and defense action space, S represents a sub-network set divided according to network functions and topological structures, t represents the network attack and defense qualitative differential game time, X represents a network security state variable at the network attack and defense qualitative differential game time, P represents the control strategies of both the attack and defense parties at the network attack and defense qualitative differential game time, f represents a network security state transition function, and G represents an attack target set.
4. The network security threat early warning method based on the qualitative differential gaming and the evolutionary gaming as claimed in claim 1 or 3, characterized in that in the process of solving the attacking and defending qualitative differential gaming model, the multidimensional network security space is divided into a capturing area and a hiding area, the network security state track corresponding to the optimal control strategy of both attacking and defending parties is solved, and the network security state track is used as an attacking and defending boundary grid in the network attacking and defending qualitative differential gaming model to determine the boundary between the capturing area and the hiding area.
5. The network security threat early warning method based on the qualitative differential gaming and the evolutionary gaming according to claim 4, wherein the solution process of the attack-defense qualitative differential gaming model comprises the following contents: constructing a Hamiltonian for representing the change rate of the network security state; acquiring optimal control strategies of both attacking and defending parties according to a bilateral extreme value theorem; constructing an attack and defense game target boundary set and acquiring a unit normal vector of the attack and defense game target boundary set; acquiring an optimal attack and defense strategy and an attack and defense boundary grid initial state position set on an attack and defense game target boundary set according to a Hamiltonian, optimal control strategies of both attack and defense parties, the attack and defense game target boundary set and a unit normal vector; and acquiring a network security optimal track, namely a network attack and defense boundary grid, according to the optimal attack and defense strategy and the initial state position set of the attack and defense boundary grid on the attack and defense game target boundary set.
6. The network security threat early warning method based on the qualitative differential gaming and the evolutionary gaming as claimed in claim 1, wherein in the solving process of the attack and defense evolutionary game model, an evolutionarily stable equilibrium strategy is obtained by combining a replicated dynamic learning mechanism, so as to obtain a network security state evolution track which quantitatively describes how the network security state changes.
7. The network security threat early warning method based on the qualitative differential gaming and the evolutionary gaming as claimed in claim 1, wherein the security threat degree is graded according to the obtained Euclidean distance value range by combining historical data and expert experience to determine the threat degree of the current network security state.
8. A network security threat early warning device based on qualitative differential game and evolutionary game, which is realized based on the method of claim 1, and comprises: a space building module, a model building module, and a threat analysis module, wherein,
the space construction module is used for constructing a multi-dimensional network security state space by combining the network system function and the topological structure thereof;
the model construction module is used for introducing a qualitative differential game, constructing an attack and defense qualitative differential game model and acquiring an attack and defense boundary grid according to the attack and defense qualitative differential game model; introducing an evolutionary game, constructing an attack and defense evolutionary game model, and acquiring a network security state evolution track according to the attack and defense evolutionary game model;
and the threat analysis module is used for acquiring the threat degrees of different security states according to the multi-dimensional space Euclidean distance between the network security state evolution track and the attack and defense boundary gate.
Priority Applications (1)

Application Number Priority Date Filing Date Title
CN201910275813.4A CN110099045B (en) 2019-04-08 2019-04-08 Network security threat early warning method and device based on qualitative differential gaming and evolutionary gaming

Publications (2)

Publication Number Publication Date
CN110099045A (en) 2019-08-06
CN110099045B (en) 2021-09-10

Family

ID=67444457

Country Status (1)

Country Link
CN (1) CN110099045B (en)

Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination
GR01 Patent grant