CN110099045B - Network security threat early warning method and device based on qualitative differential gaming and evolutionary gaming - Google Patents
- Publication number
- CN110099045B (CN201910275813.4A)
- Authority
- CN
- China
- Prior art keywords
- attack
- defense
- network security
- network
- game
- Prior art date
- Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
- Active
Classifications
- H—ELECTRICITY
- H04—ELECTRIC COMMUNICATION TECHNIQUE
- H04L—TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
- H04L63/00—Network architectures or network communication protocols for network security
- H04L63/20—Network architectures or network communication protocols for network security for managing network security; network security policies in general
Landscapes
- Engineering & Computer Science (AREA)
- Computer Security & Cryptography (AREA)
- Computer Hardware Design (AREA)
- Computing Systems (AREA)
- General Engineering & Computer Science (AREA)
- Computer Networks & Wireless Communication (AREA)
- Signal Processing (AREA)
- Data Exchanges In Wide-Area Networks (AREA)
- Computer And Data Communications (AREA)
Abstract
The invention belongs to the technical field of network security, and particularly relates to a network security threat early warning method and device based on a qualitative differential game and an evolutionary game. The method comprises the following steps: combining the network system's functions and topological structure to construct a multi-dimensional network security state space; introducing a qualitative differential game, constructing an attack-defense qualitative differential game model, and obtaining the attack-defense barrier from that model; introducing an evolutionary game, constructing an attack-defense evolutionary game model, and obtaining the network security state evolution trajectory from that model; and obtaining the threat degrees of different security states from the multi-dimensional Euclidean distance between the network security state evolution trajectory and the attack-defense barrier. The method addresses the time-discontinuity and complete-rationality problems of threat analysis methods based on traditional game theory, performs network security analysis closer to attack and defense practice, improves the timeliness, objectivity and accuracy of early warning, and has important guiding significance for the development of network security technology.
Description
Technical Field
The invention belongs to the technical field of network security, and particularly relates to a network security threat early warning method and device based on qualitative differential game and evolutionary game.
Background
With the rapid development of network technology and the spread of network services, network systems have become infrastructure that keeps social life running in an orderly and efficient way. At the same time, network security incidents keep emerging. Accurately judging the current network security state, predicting its evolution trend, and issuing timely and accurate security threat warnings are very valuable for strengthening security prevention and control and for improving network defense decision-making. The essence of network security is the confrontation between attack and defense, so comprehensive and accurate security threat early warning analysis has to be built on modeling, deduction and quantitative analysis of the opposing attack and defense behaviors and their mutual influence. Game theory fits the opposed goals, non-cooperative relationship and strategy interdependence of network attack and defense well. Using game theory to analyze network attack and defense behavior, and then to study and propose early warning methods for network security threats, has reference significance and theoretical value, and some results have already been obtained.
On one hand, most existing game-theoretic network security analysis assumes that the players are completely rational. This assumption is hard to satisfy in a real confrontation, where the rationality of both attacker and defender is bounded rather than complete. On the other hand, analysis methods that use a multi-stage dynamic game model can only study attack and defense behavior that is discrete and discontinuous in time; they cannot capture the continuous, real-time and high-frequency character of actual network attack and defense, which greatly weakens the objectivity, practicability and effectiveness of network security threat analysis and early warning.
Disclosure of Invention
Therefore, the invention provides a network security threat early warning method and device based on a qualitative differential game and an evolutionary game, which performs network security analysis closer to actual attack and defense, improves the timeliness, objectivity and accuracy of early warning, and has a strong engineering application prospect.
According to the design scheme provided by the invention, the network security threat early warning method based on the qualitative differential game and the evolutionary game comprises the following:
combining the network system's functions and topological structure to construct a multi-dimensional network security state space;
introducing a qualitative differential game, constructing an attack-defense qualitative differential game model, and obtaining the attack-defense barrier from that model; introducing an evolutionary game, constructing an attack-defense evolutionary game model, and obtaining the network security state evolution trajectory from that model;
and obtaining the threat degrees of different security states from the multi-dimensional Euclidean distance between the network security state evolution trajectory and the attack-defense barrier.
The network security threat propagation process is described with an infectious disease dynamics model: the security state of a network node is either normal or infected, and the propagation and diffusion of the threat is reflected by the change in the density of infected nodes in the network. The network is divided along boundaries into several functional sub-networks according to network function and topological structure, forming a multi-dimensional network security state space, and the infected-node density of each sub-network is analyzed using the threat propagation process.
As above, from the perspective of continuous dynamic confrontation, a qualitative differential game is introduced; an attack-defense qualitative differential game model is constructed and solved, and the attack-defense barrier is used as the measurement reference for evaluating the threat degree of a network security state. The attack-defense qualitative differential game model NSDG is represented by the 8-tuple (N, B, S, t, X, P, f, G), where N represents the participant space, B represents the attack and defense action space, S represents the set of sub-networks divided according to network function and topological structure, t represents the time of the network attack-defense qualitative differential game, X represents the network security state variable at time t, P represents the control strategies of the attacker and defender at time t, f represents the network security state transition function, and G represents the attack target set.
Preferably, when solving the attack-defense qualitative differential game model, the multi-dimensional network security space is divided into a capture area and an avoidance area; the network security state trajectory corresponding to the optimal control strategies of both attacker and defender is solved and taken as the attack-defense barrier of the model, which determines the boundary between the capture area and the avoidance area.
Furthermore, solving the attack-defense qualitative differential game model comprises: constructing a Hamiltonian that represents the rate of change of the network security state; obtaining the optimal control strategies of both attacker and defender according to the bilateral extremum theorem; constructing the attack-defense game target boundary set and obtaining its unit normal vector; obtaining, from the Hamiltonian, the optimal control strategies of both parties, the target boundary set and the unit normal vector, the optimal attack and defense strategies and the set of initial state positions of the attack-defense barrier on the target boundary set; and obtaining, from the optimal attack and defense strategies and that set of initial state positions, the optimal network security trajectory, which is the network attack-defense barrier.
From the perspective of the bounded rationality of the attack and defense participants, evolutionary game theory is introduced; an attack-defense evolutionary game model is constructed and solved to obtain the network security state evolution trajectory. The attack-defense evolutionary game model AEGM is represented by the 8-tuple (N, B, S, t, Y, Q, f, U), where N represents the participant space, B represents the attack and defense action space, S represents the set of sub-networks divided according to network function and topological structure, t represents the attack-defense game time, Y represents the network security state variable at time t, Q represents the strategy selection probabilities of the attacker and defender at time t, f represents the network security state transition function, and U represents the set of game payoff functions.
Preferably, when solving the attack-defense evolutionary game model, the evolutionarily stable equilibrium strategy is obtained using the replicator dynamics learning mechanism, together with a network security state evolution trajectory that quantitatively describes how the network security state changes.
As described above, the set of security states on the evolution trajectory at time t is obtained from the network security state evolution trajectory, and the network security threat degree is expressed as the Euclidean distance between this security state set and the network security states on the attack-defense barrier. If the Euclidean distance is negative, the security threat degree is a low-level controllable state; if it is positive, the security threat degree is a high-level uncontrollable state.
Preferably, the security threat degree is graded according to the obtained Euclidean distance value range by combining historical data and expert experience so as to judge the threat degree of the current network security state.
A network security threat early warning device based on a qualitative differential game and an evolutionary game comprises a space construction module, a model construction module and a threat analysis module, wherein:
the space construction module is used for constructing a multi-dimensional network security state space by combining the network system's functions and topological structure;
the model construction module is used for introducing a qualitative differential game, constructing an attack-defense qualitative differential game model and obtaining the attack-defense barrier from that model; and for introducing an evolutionary game, constructing an attack-defense evolutionary game model, and obtaining the network security state evolution trajectory from that model;
and the threat analysis module is used for obtaining the threat degrees of different security states from the multi-dimensional Euclidean distance between the network security state evolution trajectory and the attack-defense barrier.
The invention has the beneficial effects that:
The method uses a qualitative differential game model to analyze the trend of the security threat, obtains the attack-defense barrier, divides the network security state space into a capture area and an avoidance area on that basis, and establishes a measurement benchmark for the security threat degree. Meanwhile, the attack and defense players in the different sub-networks are assumed to be boundedly rational agents; an evolutionary game is introduced, a network attack-defense evolutionary game model is constructed from the bounded-rationality perspective, and the network security state evolution trajectory is solved. Then, from the multi-dimensional Euclidean distance between the state evolution trajectory and the attack-defense barrier, the threat degrees of different security states are obtained. This yields a threat early warning method with higher objectivity and practicability, addresses the time-discontinuity and complete-rationality problems of threat analysis methods based on traditional game theory, and has important guiding significance for the development of network security technology.
Description of the drawings:
FIG. 1 is a schematic flow chart of a network security threat early warning method in an embodiment;
FIG. 2 is a stochastic state transition diagram of the network attack-defense game in the embodiment;
FIG. 3 is a schematic diagram of dynamic early warning of network security threats in the embodiment;
FIG. 4 is a schematic diagram of the network security threat early warning device in the embodiment.
Detailed description:
In order to make the objects, technical solutions and advantages of the present invention clearer, the present invention is described in further detail below with reference to the accompanying drawings and technical solutions.
Network Security Threat Warning: on the basis of analyzing network security event information, the dynamic change of the current network security threat is studied macroscopically and accurately and its evolution trend is predicted, so that an effective and accurate security threat alarm is raised before the threat causes loss.
Game: under certain environmental conditions and rules, individuals or organizations select and implement strategies from their respective sets of available strategies, simultaneously or in sequence, once or several times, and each obtains a corresponding result.
Nash Equilibrium: in a game, in a strategy combination formed by one strategy of each player, the strategy of any player meets the following conditions: if any is true, then it is called a Nash equilibrium for the game.
Qualitative Differential Game: a theoretical method for describing a continuous control process in a conflict under real-time change. By describing and analyzing the dynamic evolution of the game system, it studies whether a given target outcome can be reached during the continuous confrontation, which makes it well targeted and applicable to network security threat early warning research.
Avoidance Area and Capture Area: in a qualitative differential game, the system state space is divided into two regions, the avoidance area and the capture area. When the evader is in the avoidance area, whatever strategy the pursuer adopts, the evader can always avoid capture by selecting an "appropriate" strategy; conversely, when the evader is in the capture area, whatever escape strategy it takes, the pursuer can always capture it by selecting an "appropriate" strategy. In network defense, the attacker acts as the "pursuer" and the defender as the "evader".
Attack-Defense Barrier: the interface between the avoidance area and the capture area; it is the evolution trajectory of the attack-defense system state when both attacker and defender adopt their optimal strategies.
Evolutionary Game: originating from Darwin's theory of biological evolution, it inherits biology's theoretical explanation of species evolution, starts from the bounded rationality of individuals, takes group behavior as the object of study, and explains the development and evolutionary selection of species as a game process. Through long-term trial and error, imitation and improvement, all players tend toward a stable strategy that may persist in the group for a long time; this stable strategy equilibrium closely resembles the evolutionarily stable strategy of biological evolution and reaches a relatively harmonious game equilibrium state.
Replicator Dynamics: in a group of boundedly rational players, players keep trying, learning and improving their own strategies and gradually adopt strategies that perform better than the average, so the proportion of players adopting each strategy in the group changes.
Network Security State Evolution Trajectory: under the bounded rationality condition, the network attack and defense process is analyzed with evolutionary game theory; the evolution of both parties' strategy selection is studied through the replicator dynamics learning mechanism, and the corresponding network security state is calculated quantitatively, forming an evolution trajectory in the network security state space.
Infectious Disease Model (SEM, Simple Epidemic Model): an important mathematical model that divides a population into two states, susceptible and infected, with the number of individuals in each state changing over time; it is used to quantitatively analyze the transmission process and predict the trend within the epidemic range of an infectious disease.
At present, confrontation in cyberspace is increasingly intense, and research into network security state analysis methods has important practical significance. However, security threat analysis methods based on traditional dynamic games cannot meet practical requirements. Existing network security threat early warning analysis methods have the following defects: (1) Current game-theoretic attack and defense analysis mostly assumes that attacker and defender confront each other only once; even when a dynamic attack-defense game model is used, network attack and defense is treated as a discrete multi-stage process. In a real network attack and defense scenario the process runs in real time over continuous time, so traditional dynamic game analysis cannot meet practical requirements, and the real-time performance and accuracy of the early warning method are greatly reduced. (2) Network security threat analysis methods based on classical game models presuppose completely rational agents; they model, deduce and quantitatively analyze the attack and defense confrontation, and study and evaluate the dynamic change of the network security threat degree by constructing an attack-defense game model. In an actual network confrontation, however, both attacker and defender have only bounded rationality, so the behavior analysis is insufficiently accurate and the objectivity and practicability of the threat early warning result are greatly reduced.
Therefore, in the embodiment of the present invention, referring to FIG. 1, a network security threat early warning method based on a qualitative differential game and an evolutionary game is provided, which comprises the following:
S101, combining the network system's functions and topological structure to construct a multi-dimensional network security state space;
S102, introducing a qualitative differential game, constructing an attack-defense qualitative differential game model, and obtaining the attack-defense barrier from that model; introducing an evolutionary game, constructing an attack-defense evolutionary game model, and obtaining the network security state evolution trajectory from that model;
S103, obtaining the threat degrees of different security states from the multi-dimensional Euclidean distance between the network security state evolution trajectory and the attack-defense barrier.
A stochastic game can be viewed as a state machine: under the combined actions of the players, the game system jumps from one state to another. A network system can likewise be regarded as a state machine whose state changes constantly. The attacker and defender confront each other by selecting their respective strategies, and because the system state change is uncertain, the state jumps are described probabilistically as a random process.
① represents the set of game players. Only the case of two game parties is considered here;
② $S = \{S_1, S_2, \dots, S_k\}$ represents the state set of the attack-defense stochastic game;
③ $A = \{a_1, a_2, \dots, a_m\}$ represents the attacker's set of optional strategies;
④ $D = \{d_1, d_2, \dots, d_n\}$ represents the defender's set of optional strategies;
⑤ $P: S \times A \times D \times S \to [0,1]$ represents the state transition probability function of the attack-defense stochastic game;
⑥ denotes the set of payoffs of the players for state $k$ and strategies $a_i$, $d_j$, where $U_{ij}$ represents a payoff value.
In the network attack-defense game, the relationship between attacker and defender is non-cooperative and antagonistic, so the model is a non-cooperative network attack-defense stochastic game model.
The network security states are taken as the random state set of the game model. The attack-defense state transitions, caused mainly by the attack-defense strategy pair $(a_i, d_j)$, are represented by a directed graph $G = (S, E)$, where S is the node set of the graph and represents the network security states, and E is the edge set of the graph and represents the attack-defense state transitions. As shown in FIG. 2, there are three states in the figure, and there is a transition probability between the states, although the transition probability may be 0.
Theorem 1 (existence of Nash equilibrium). Given a zero-sum attack-defense stochastic game model ADSG, if the game state set S and the attack and defense optional strategy sets A and D are finite sets, then a stable Nash equilibrium exists. (Proof omitted.)
Theorem 2 (existence of the attack-defense game value). Given an attack-defense stochastic game model ADSG, for any $k = 1, \dots, K$, the value $v_k$ of game state $S_k$ must be the unique solution of equation (1):
$v_k = \mathrm{Val}(S_k)$ (1)
where $\mathrm{Val}(S_k)$ represents the value of the matrix game $S_k$, and the elements of matrix $S_k$ are:
By calculating the attack and defense payoff values of both parties, the stable state of the network attack-defense game can finally be obtained and used for network security behavior analysis.
An infectious disease dynamics model describes the dynamics of infection and outbreak of a disease in a population. In network confrontation, a security threat exploits the vulnerabilities of the network system to penetrate, infect and spread from individual network nodes to other nodes in the system. This process resembles the spread and damage of an infectious disease and is likewise a constantly changing dynamic process: on one hand, the security state of the nodes that make up the network system keeps migrating and changing; on the other hand, the number of nodes in each security state changes dynamically. In another embodiment of the invention, the network security threat propagation process is described with an infectious disease dynamics model: the security state of a network node is either normal or infected, and the propagation and diffusion of the threat is reflected by the change in the density of infected nodes in the network. The network is divided along boundaries into several functional sub-networks according to network function and topological structure, forming a multi-dimensional network security state space, and the infected-node density of each sub-network is analyzed using the threat propagation process. Drawing on infectious disease dynamics, the security state of a network node is divided into a normal state N and an infected state I, and $N(t)$ and $I(t)$ denote the number of normal nodes and the number of infected nodes in the network at time t, respectively.
Meanwhile, the network security threat propagation process is described with reference to the infectious disease model SEM. For convenience of analysis, the total number of nodes Q in the network is assumed to remain unchanged; the density of infected nodes at time t is denoted $\rho(t)$ and the density of normal nodes $1 - \rho(t)$, with $\rho(t) = I(t)/Q$. Let $v_a(t)$ and $v_d(t)$ denote, respectively, the infection rate at which normal nodes become infected nodes and the repair rate at which infected nodes are successfully restored to the normal state during the attack-defense confrontation. According to infectious disease model theory, the following is obtained:
where $\theta(t)$ represents the probability that a normal node is connected to an infected node at time t. If the number of network nodes is large and the infected nodes are far apart, the overlap of the infected nodes' ranges of influence can be neglected, and $\theta(t) = 1 - (1 - \rho(t))^{\beta}$, where $\beta$ is the node connectivity.
According to infectious disease dynamics combined with practical knowledge of network attack and defense, the change in infected-node density in the network directly reflects the propagation, diffusion and changing severity of the security threat, and the transition of node security states is determined by the interaction of the attack and defense strategies. Thus, the infection rate $v_a(t)$ is expressed by the attack utility $a(t)$, and the repair rate $v_d(t)$ is expressed by the defense utility $d(t)$. Briefly described with an attack and defense example, suppose an attacker can take three types of attack behaviors of high intensity, medium intensity and low intensity, and use the three types of attack behaviorsRespectively representing average attack strength; similarly, the average defense strength of the defenders is expressed asThe attack and defense utilities at time t can be expressed asAndusing probability vectorsAndand the hybrid strategies of the two attacking and defending parties at the time t can be respectively expressed.
From the above analysis, a network security threat propagation equation can be obtained:
in the embodiment of the invention, the boundary is divided into a plurality of functional sub-networks according to the network function and the topological structure, and the density state of each sub-network infected node is analyzed by using an equation (4), so that the overall security threat situation is characterized and the dynamic change process of the network security threat is predicted.
From the perspective of continuous dynamic countermeasure, a qualitative differential game is introduced, an attack and defense qualitative differential game model is constructed and solved, and the attack and defense boundary grid is used as a measurement standard for evaluating the threat degree of the network security state. The attack and defense qualitative differential game model NSDG is represented by an eight-tuple (N, B, S, t, X, P, f, G), wherein N represents a participant space, B represents an attack and defense action space, S represents a sub-network set divided according to network functions and topological structure, t represents the network attack and defense qualitative differential game moment, X represents a network security state variable at the network attack and defense qualitative differential game moment, P represents a control strategy of the two parties at the network attack and defense qualitative differential game moment, f represents a network security state transition function, and G represents an attack target set. $N = (N_D, N_A)$ is the participant space of the network attack and defense qualitative differential game, where $N_D$ is the defender and $N_A$ is the attacker. $B = (DS, AS)$ is the attack and defense action space, wherein $DS = \{DS_j \mid 1 \le j \le n\}$ and $DS_j$ represents an optional defense policy of the defender. $S = \{S_k \mid k = 1, \dots, K\}$ is the sub-network set into which the network system is divided according to function and topology, where K is the number of sub-networks, $S_k$ denotes the k-th sub-network and $\beta_k$ represents the average connectivity of sub-network $S_k$. $t \in [t_{bin}, t_{end}]$ represents the time of the network attack and defense qualitative differential game.
$X(t) = \{(\rho_1(t), \dots, \rho_k(t), \dots, \rho_K(t)) \mid 0 \le \rho_k(t) \le 1,\ k = 1, \dots, K\}$ represents the network security state variable at time t, which is a K-dimensional state space formed by the infected node densities $\rho_k(t)$ of the respective sub-networks. Since $\rho_k(t)$ is determined by the number of infected nodes in the network, the security states are discretely distributed in the K-dimensional state space. $P = \{P_D(t), P_A(t)\}$ is the control strategy of the attacking and defending parties at time t, and is a control track with time as the variable. Represents the mixed strategy selected by the defender at the moment t, is a hybrid strategy chosen by the attacker at time t, $f = \{f_k \mid k = 1, \dots, K\}$ represents the network security state migration function, which is the function describing how the infected node density $\rho_k(t)$ of each sub-network changes over time, i.e., the cyber-security threat propagation equation, wherein, representing an attack target set and also being a network security risk high-risk area. In network countermeasure, an attacker attempts, through a series of attack actions, to make the network security state migrate into the target set and thereby achieve the attack goal, while the defending party takes defensive measures to prevent this outcome.
Based on game model definition and analysis, considering the difference of the functional topology of each sub-network, defining the boundary function of an attack and defense game target set in the NSDG model as follows:
wherein theta represents the total number of infected nodes when the threshold value of network functional paralysis is reached, $e_k$ is the number of nodes of sub-network $S_k$ with $e_1 + e_2 + \dots + e_K = Q$, and $\rho_k'(t)$ represents the density of infected nodes of sub-network $S_k$ when the paralysis threshold is reached. Because the factors influencing the network function in actual network security problems take various forms and have a certain complexity, for convenient analysis the degree of completeness of the network function is measured by the density of infected nodes.
In the process of solving the attacking and defending qualitative differential game model, in another embodiment of the invention, a multi-dimensional network security space is divided into a capturing area and an avoiding area, a network security state track corresponding to the optimal control strategies of both attacking and defending parties is solved, the network security state track is used as an attacking and defending boundary grid in the network attacking and defending qualitative differential game model, and a boundary between the capturing area and the avoiding area is determined. According to the qualitative differential game theory, the network security multidimensional state space can be divided into a capture area and an avoidance area. If the current network security state X is located in the capture area, the attacker always enables the security state to reach the target set by adopting a proper attack strategy to realize an expected target; if the target is located in the avoidance area, the defense party takes appropriate defense measures to always resist further propagation of the threat and prevent the safety state from migrating to the target set. And the interface of the capture area and the avoidance area is called as an attack and defense interface grid of the attack and defense qualitative differential game.
Definition 4 (attack and defense boundary grid). In the network attack and defense qualitative differential game NSDG, the attack and defense boundary grid is the network security state track $X^*(t)$ corresponding to the optimal control strategies of both attack and defense parties, and is the boundary line that separates the capture area A (attacker-dominant region) from the evasion area D (defender-dominant region).
Solving the network attack and defense qualitative differential game problem is essentially to calculate a network attack and defense boundary grid X (t) and divide a multidimensional state space to determine a capture area A and an avoidance area D. The solution process of the attack and defense qualitative differential game model comprises the following contents: constructing a Hamiltonian for representing the change rate of the network security state; acquiring optimal control strategies of both attacking and defending parties according to a bilateral extreme value theorem; constructing an attack and defense game target boundary set and acquiring a unit normal vector of the attack and defense game target boundary set; acquiring an optimal attack and defense strategy and an attack and defense boundary grid initial state position set on an attack and defense game target boundary set according to a Hamiltonian, optimal control strategies of both attack and defense parties, the attack and defense game target boundary set and a unit normal vector; and acquiring a network security optimal track, namely a network attack and defense boundary grid, according to the optimal attack and defense strategy and the initial state position set of the attack and defense boundary grid on the attack and defense game target boundary set. Through the analysis and the definition of the attack and defense qualitative differential game model and the combination of the qualitative differential game theory, the specific process and the steps for solving the network attack and defense qualitative differential game problem can be designed as follows:
(1) Let the vector $\lambda^T = (\lambda_1, \lambda_2, \dots, \lambda_K)^T \in R^K$, and construct the Hamilton function $H(X, P_D(t), P_A(t), \lambda)$ to represent the rate of change of the network security state:
(2) according to the bilateral extreme value theorem, the optimal control strategy is solvedMake it satisfy
(3) Calculating a system of adjoint equationsFor the Where ρ k (t) is the sub-network SkThe density of infected nodes of (a).
Wherein, c1,c2,···,ck-2In order to assist in the parameters of the device,corresponding set of boundariesUpper rhok(t) is a parameter expression.
(5) According to the specific definition of unit normal vector, the following equation set is calculated to determine the boundary set of the attack and defense game targetUpper unit normal vector
(6) According to the necessary condition of semi-permeable curved surfaceSolving optimal attack and defense strategies on attack and defense game target boundary set GAndand available partial boundary BUP (part of H ═ 0 on the target boundary set) on the target set, namely the initial state position set of the attack and defense boundary grid
(7) By a point on the BUPAnd as an initial point, the optimal network safety track X (t) can be obtained by the backward integral adjoint equation set and the network safety state transition equation set, and the optimal network safety track X (t) is the network attack and defense boundary grid. United (7-9), calculating the following equation set:
when the adjoint equation set is subjected to inverse integration, the initial value is a unit normal vector on the boundary set of the attack and defense game targetAnd when the inverse integration is carried out on the safety state transition equation set, the initial value is the safety state variable on the BUP.
From the perspective of the limited rationality of attack and defense participants, in a further embodiment of the invention, evolutionary game theory is introduced, an attack and defense evolutionary game model is constructed, and a network security state evolution track is obtained by solving it. The attack and defense evolutionary game model AEGM is represented by an eight-tuple (N, B, S, t, Y, Q, f, U), wherein N represents a participant space, B represents an attack and defense action space, S represents a sub-network set divided according to network functions and topological structure, t represents an attack and defense game moment, Y represents a network security state variable at the network attack and defense game moment, Q represents the policy selection probability of the attack and defense parties at the network game moment, f represents the network security state transition function, and U represents a game income function set. $N = (N_D, N_A)$ is the participant space of the qualitative differential game of attack and defense, where $N_D$ is the defender and $N_A$ is the attacker. $B = (DS, AS)$ is the attack and defense action space, wherein $DS = \{DS_j \mid 1 \le j \le n\}$ and $DS_j$ represents an optional policy of the defender; $AS = \{AS_i \mid 1 \le i \le m\}$ and $AS_i$ represents an optional policy of the attacker. $S = \{S_k \mid k = 1, \dots, K\}$ represents the sub-network set into which the network system is divided according to function and topology; K is the number of sub-networks, $S_k$ represents the k-th sub-network and $\beta_k$ represents the average connectivity of sub-network $S_k$. $t \in [t_{bin}, t_{end}]$ indicates the moment of the attack and defense game. $Y(t) = \{(\rho_1(t), \dots, \rho_k(t), \dots, \rho_K(t)) \mid 0 \le \rho_k(t) \le 1,\ k = 1, \dots, K\}$ represents the network security state variable at time t in the attack and defense evolution game; it is defined on the finite discrete K-dimensional state space $V^K$ composed of the sub-network infected node densities $\rho_k$, and is used to describe the evolution track of the security state.
$Q = \{Q_D(t), Q_A(t)\}$ is the strategy selection probability of the attacking and defending parties at time t.Representing the probability of the defender selecting different defense strategies at time t,in the same way, the method for preparing the composite material,it is the probability of the attack strategy selection, $f = \{f_k \mid k = 1, \dots, K\}$ represents the network security state migration function, which is the function describing how the sub-network infected node density $\rho_k(t)$ changes with time. $U = (U_A, U_D)$ is the set of game income functions, where $U_A$ and $U_D$ represent the game income of the attacker and the defender respectively. Expected revenue of different defense strategies of defendersAnd average profitThe calculation method of (2) is as follows.
Wherein, represents the defense income when attack strategy $AS_i$ confronts defense strategy $DS_j$, with $1 \le i \le m$ and $1 \le j \le n$.
Similarly, expected gains of different attack strategies of an attacker can be calculatedAnd average profit
Definition 5 (network security state evolution track). Evolution stable equilibrium strategy for attack and defense partiesAnd the corresponding set of the network security states $Y^*(t)$ is the evolution track of the network security states.
In order to improve the objectivity of network security state analysis and enhance the practical value of a prediction result, an evolution stable equilibrium strategy can be calculated by starting from the practical situation that both attacking and defending parties have limited rationality in the real society and combining a replication dynamic learning mechanism based on an evolution game theoryAnd further solving a security threat propagation equation to obtain an evolution track Y (t) quantitatively describing the network security state change condition. The track is reliable prediction of the network safety state from the point of rationality, and has better objectivity and practical guiding significance.
Based on the network attack and defense reality, from the limited rational condition, it is assumed that attack and defense decision makers of different sub-networks belong to different individuals and do not have complete rational capability. According to the evolutionary game theory, because different decision makers select different strategies, the obtained benefits have differences; through a learning mechanism, decision makers with low profit learn the strategy selection mode of decision makers with high profit, the behavior mode of the decision makers with low profit is improved, the strategy selection probability changes along with the change of the strategy selection mode, and the attack and defense confrontation situation and the network security state are dynamically changed.
Is provided withAndrespectively representing attack and defense strategies ASiAnd DSjThe probability of selection of (a) is,andrespectively corresponding attack and defense strategies ASiAnd DSjThe game income is defined according to the AEGM model, the attack and defense strategy selection probability change is analyzed by adopting a copy dynamic learning mechanism, and then the evolution track of the network security state is deduced, and the specific calculation process can be designed as follows:
First, establish the probability inference $Q = \{Q_D(t), Q_A(t)\}$ on the optional strategy sets of both attacking and defending parties, and initial probabilityAnd
Second, calculate the replication dynamic equation of the attacker;
probability selection by policyAnd policy revenue valueCalculating expected benefits of different attack strategiesAnd average profit
Further obtaining the replication dynamic equation of the attacker as
Third, calculate the replication dynamic equation of the defending party in the same way;
Fourth, calculate the evolution track of the network security state;
based on the evolutionary game theory, the replication dynamic equation and the threat propagation equation of the attacking and defending parties are combined to obtain the following equation set:
Solving this equation set gives the evolution track $Y(t)$ of the network security state. The calculation involves solving differential equations, and numerical solutions meeting the required precision can be obtained by means of MATLAB scientific calculation software and a multi-order Runge-Kutta method.
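The calculation process above (replication dynamic equations of both parties combined with the threat propagation equation, integrated numerically), as an added example that is not part of the patent: a pure-Python fourth-order Runge-Kutta integrator stands in for MATLAB. The propagation equation is not reproduced on this page, so the SIS-style form $d\rho_k/dt = a(t)(1-\rho_k)\theta_k - d(t)\rho_k$, the utilities taken as probability-weighted average strengths, and all payoff, strength and connectivity values are assumptions constructed for illustration.

```python
# Constructed game data (assumptions, not from the patent).
# Rows are attack strategies AS_i, columns are defense strategies DS_j.
ATT_PAYOFF = [[4.0, 1.0], [2.0, 3.0]]   # attacker income for AS_i against DS_j
DEF_PAYOFF = [[1.0, 3.0], [2.5, 1.5]]   # defender income for DS_j against AS_i
ATT_STRENGTH = [0.9, 0.4]               # average attack strength per AS_i
DEF_STRENGTH = [0.8, 0.3]               # average defense strength per DS_j
BETA = [3.0, 2.0]                       # connectivity beta_k of sub-networks S_1, S_2


def derivative(state, m, n, att_strength, def_strength):
    """Right-hand side of the combined system: state = p (m) + q (n) + rho (K)."""
    p, q, rho = state[:m], state[m:m + n], state[m + n:]
    # Expected income of each pure strategy and the population average.
    u_att = [sum(q[j] * ATT_PAYOFF[i][j] for j in range(n)) for i in range(m)]
    u_def = [sum(p[i] * DEF_PAYOFF[i][j] for i in range(m)) for j in range(n)]
    avg_att = sum(p[i] * u_att[i] for i in range(m))
    avg_def = sum(q[j] * u_def[j] for j in range(n))
    # Replication dynamic equations: a strategy grows when it beats the average.
    dp = [p[i] * (u_att[i] - avg_att) for i in range(m)]
    dq = [q[j] * (u_def[j] - avg_def) for j in range(n)]
    # Assumed utilities: infection rate a(t) and repair rate d(t).
    a = sum(p[i] * att_strength[i] for i in range(m))
    d = sum(q[j] * def_strength[j] for j in range(n))
    drho = []
    for k, r in enumerate(rho):
        healthy = max(0.0, 1.0 - r)           # guard against rounding past 1
        theta = 1.0 - healthy ** BETA[k]      # theta = 1 - (1 - rho)^beta
        drho.append(a * healthy * theta - d * r)
    return dp + dq + drho


def rk4_step(state, h, *args):
    """One classical fourth-order Runge-Kutta step of size h."""
    def shifted(k, scale):
        return [s + scale * ki for s, ki in zip(state, k)]
    k1 = derivative(state, *args)
    k2 = derivative(shifted(k1, h / 2), *args)
    k3 = derivative(shifted(k2, h / 2), *args)
    k4 = derivative(shifted(k3, h), *args)
    return [s + h / 6 * (a + 2 * b + 2 * c + d)
            for s, a, b, c, d in zip(state, k1, k2, k3, k4)]


def evolve(p0, q0, rho0, t_end=10.0, h=0.01,
           att_strength=ATT_STRENGTH, def_strength=DEF_STRENGTH):
    """Return the evolution track as a list of (t, [p..., q..., rho...])."""
    m, n = len(p0), len(q0)
    state = list(p0) + list(q0) + list(rho0)
    steps = int(round(t_end / h))
    track = [(0.0, state)]
    for step in range(1, steps + 1):
        state = rk4_step(state, h, m, n, att_strength, def_strength)
        track.append((step * h, state))
    return track


if __name__ == "__main__":
    for t, s in evolve([0.5, 0.5], [0.5, 0.5], [0.10, 0.05])[::250]:
        print(f"t={t:5.2f}  p={s[0]:.3f},{s[1]:.3f}  "
              f"q={s[2]:.3f},{s[3]:.3f}  rho={s[4]:.3f},{s[5]:.3f}")
```

The last K entries of each state are the point $Y(t)$ in the security state space; the strategy probabilities are carried along only because they drive the infection and repair rates.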
A network security state space is constructed according to the infection density of the sub-networks, and the density state of the infected nodes of each sub-network is analyzed by using the security threat propagation equation, so as to depict the influence range and the severity of the security threat in the whole network. On this basis, the attack and defense boundary grid is solved from the qualitative differential game model, which provides a measurement reference for evaluating the threat degree; the evolution track of the network security state is calculated according to evolutionary game theory, which gives a reliable prediction of the actual security state; the two are then combined by introducing the Euclidean distance, which describes the threat degree of the network security state at different moments. For ease of understanding, it is assumed that the network system is divided into sub-networks $S_1$ and $S_2$. The dynamic early warning process of the network security threat is shown in FIG. 3, where the coordinate axis t represents time, and the moments $t_0$, $t_1$, $t_2$, $t_3$ are selected to form a "security threat analysis snapshot" of the network system. $\rho_1$ and $\rho_2$ represent the densities of infected nodes of sub-networks $S_1$ and $S_2$, G is the attack target set, D is the avoidance area, A is the capture area, the red line represents the attack and defense boundary grid, the black dotted line represents the network security state evolution track $Y^*(t)$, and the red solid point represents the security state $y^*(t)$ predicted from the evolution track at time t. By calculating the Euclidean distance between the security state $y^*(t)$ and the attack and defense boundary grid, the threat severity of the security state $y^*(t)$ can be quantitatively evaluated.
Definition 6 (network security threat degree T). If the boundary fence of attack and defense isThe network security status is respectively expressed asAndat time t, the security state on the evolution track $Y^*(t)$ The network security threat degree is $T(y^*(t))$, abbreviated as
Wherein, indicates the Euclidean distance between the security state and the attack and defense boundary grid X. When the security state is in the avoidance area D, the threat degree takes a negative value, indicating that the security threat is small and controllable; when the security state is in the capture area A, the threat degree takes a positive value, indicating that the security threat is severe and difficult to control.
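The threat degree of Definition 6 for the two-sub-network case, as an added example that is not the patent's own algorithm: the attack and defense boundary grid is taken as an already solved polyline in the $(\rho_1, \rho_2)$ plane, and T is the Euclidean distance to it, negative on the avoidance side and positive on the capture side. The polyline, the snapshot states and the convention that the capture area lies to the left of the polyline's direction of travel are assumptions constructed for illustration.

```python
import math

# Constructed boundary grid, ordered so that the capture area A (towards high
# infected-node densities, where the target set G lies) is on its left side.
BARRIER = [(0.0, 0.5), (0.4, 0.3), (0.6, 0.0)]

# Constructed security states y*(t) at snapshot moments t0..t3.
SNAPSHOTS = [(0, (0.05, 0.05)), (1, (0.20, 0.20)),
             (2, (0.35, 0.35)), (3, (0.50, 0.50))]


def _nearest_on_segment(p, a, b):
    """Distance from p to segment a->b, plus the side of p (cross product)."""
    (px, py), (ax, ay), (bx, by) = p, a, b
    dx, dy = bx - ax, by - ay
    seg_len2 = dx * dx + dy * dy
    # Parameter of the orthogonal projection, clamped onto the segment.
    u = 0.0 if seg_len2 == 0 else ((px - ax) * dx + (py - ay) * dy) / seg_len2
    u = max(0.0, min(1.0, u))
    dist = math.hypot(px - (ax + u * dx), py - (ay + u * dy))
    cross = dx * (py - ay) - dy * (px - ax)   # > 0: p is left of a->b
    return dist, cross


def threat_degree(state, barrier):
    """Signed Euclidean distance: < 0 in avoidance area D, > 0 in capture area A."""
    best_dist, best_cross = None, 0.0
    for a, b in zip(barrier, barrier[1:]):
        dist, cross = _nearest_on_segment(state, a, b)
        if best_dist is None or dist < best_dist:
            best_dist, best_cross = dist, cross
    if best_dist == 0.0:
        return 0.0                      # exactly on the boundary grid
    return best_dist if best_cross > 0 else -best_dist


def threat_profile(snapshots, barrier):
    """Threat degree at every snapshot moment: [(t, T), ...]."""
    return [(t, threat_degree(state, barrier)) for t, state in snapshots]


def first_capture_time(snapshots, barrier):
    """Earliest snapshot moment whose state lies in the capture area, else None."""
    for t, degree in threat_profile(snapshots, barrier):
        if degree > 0:
            return t
    return None


if __name__ == "__main__":
    for t, degree in threat_profile(SNAPSHOTS, BARRIER):
        area = "capture" if degree > 0 else "avoidance"
        print(f"t{t}: T = {degree:+.4f} ({area} side)")
    print("first snapshot in capture area:", first_capture_time(SNAPSHOTS, BARRIER))
```

The sign is taken from the nearest segment, so a sharply concave polyline needs a finer discretisation of the boundary grid for the side test to stay reliable near its vertices.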
For ease of analysis, the threat level T is divided into five levels, as shown in table 1, in conjunction with historical data and expert experience.
TABLE 1 threat early warning rankings criteria
Wherein, level-one and level-two early warnings mean that the network security state is in the avoidance area, the security threat is still controllable, and the defending party has a great advantage in the attack and defense countermeasure. A level-three early warning means that the security state is in the vicinity of the attack and defense boundary grid, which indicates that the network attack poses a large threat to the system; the defending party needs to deal with the security event as far as possible, so as to prevent the security state from migrating into the capture area and the security threat from worsening further. Level-four and level-five early warnings mean that the security state is in the capture area, the security threat is severe and its development is difficult to control; at this point the defender needs to adjust the defense strategy according to the actual situation and carry out emergency treatment so as to reduce the loss as much as possible. A level-five early warning shows that the current security state is extremely critical, and the defending party is required to compare defense cost and return and selectively defend the related network assets.
Based on the above, the network security threat dynamic early warning algorithm based on the attack and defense boundary barrier and the evolution track in the invention can be designed as follows:
the model and the method provided by the invention can realize the analysis of the continuous and real-time attack and defense process and the prediction of the dynamic change of the threat from the point of view of the limited rationality, more accord with the actual attack and defense scene, and effectively improve the objectivity and the practicability of the model and the method.
Based on the above method, the present invention further provides a network security threat early warning device based on qualitative differential game and evolutionary game, as shown in fig. 4, including: a space building module 101, a model building module 102, and a threat analysis module 103, wherein,
the space construction module 101 is used for constructing a multi-dimensional network security state space by combining network system functions and a topological structure thereof;
the model construction module 102 is used for introducing a qualitative differential game, constructing an attack and defense qualitative differential game model, and acquiring an attack and defense boundary grid according to the attack and defense qualitative differential game model; introducing an evolutionary game, constructing an attack and defense evolutionary game model, and acquiring a network security state evolution track according to the attack and defense evolutionary game model;
a threat analysis module 103, configured to obtain threat degrees of different security states according to the multi-dimensional space Euclidean distance between the network security state evolution track and the attack and defense boundary grid.
Unless specifically stated otherwise, the relative steps, numerical expressions, and values of the components and steps set forth in these embodiments do not limit the scope of the present invention.
Traditional network security threat analysis methods ignore the fact that the degree and influence of security threats are determined by the combined action of the behaviors of the attacking party and the defending party, and therefore fall short in comprehensiveness and accuracy. Introducing game theory into the research of network security threat early warning methods has reference significance and theoretical value. On the one hand, network security analysis methods based on single-stage or multi-stage dynamic game models have difficulty analyzing an attack and defense process that changes in real time and confronts continuously. Aiming at this problem, the network attack and defense process in continuous time is researched and analyzed, an infectious disease dynamics model is adopted to depict the threat propagation process according to threat early warning requirements, a network attack and defense qualitative differential game model is provided, and an attack and defense boundary grid is constructed to divide a capture area and an avoidance area, the attack and defense boundary grid being used as the measurement standard for threat assessment; on the other hand, network security analysis methods based on the classic game model are built on the premise that the agent is completely rational, which does not accord with actual attack and defense conditions.
Aiming at the problems, the network countermeasure attack and defense behavior is researched and analyzed from the point of limited rationality, a network attack and defense evolution game model is provided according to threat early warning requirements, a game party learning process is described by utilizing a duplicate dynamic learning mechanism, a network security threat state evolution track is calculated, Euclidean distances between the security state evolution track and an attack and defense boundary grid are calculated by taking the attack and defense boundary grid as a measurement reference, security threat early warning levels at different moments and different Euclidean distances are judged, and the early warning method has comprehensiveness, objectivity and practicability. In the establishment of the network attack and defense qualitative differential game model and the network attack and defense evolution game model, the establishment of a network functional topological structure and a network security state space is a preparation step. By analyzing and calculating the threat propagation process under the continuous attack and defense game effect, an attack and defense boundary grid is solved, a capture area and an avoidance area are defined, and a measurement reference is provided for threat early warning; the attack and defense early warning method is characterized in that an evolution mode is selected through the research of countermeasure strategies by an evolutionary game learning mechanism, the threat propagation process under the action of a dynamic attack and defense game is analyzed and calculated, the evolution track of the network security state in a multi-dimensional space is further solved, the distance between the evolution track of the security state and an attack and defense boundary grid is solved by utilizing the Euclidean distance, and therefore threat early warning levels are divided. 
In the data analysis process, the selectable strategy sets of the two attacking and defending parties refer to data in an attacking and defending behavior database of the US MIT, the construction of the attacking and defending strategy sets and the income quantification of the attacking and defending strategy sets are also preparation steps aiming at the network attacking and defending process, and the attacking and defending strategy sets are selected and mainly used for analysis and solution of the later attacking and defending process. Meanwhile, the specific classification of the threat early warning grade is obtained by carrying out statistical analysis according to the combination of historical data and expert experience. In addition, in the embodiment of the invention, a network security threat early warning algorithm based on qualitative differential gaming and evolutionary gaming is designed, threat early warning levels of security states at different moments are determined, a targeted suggestion is provided for network security risk prevention and control according to the early warning levels, and the effectiveness of the model and the algorithm is verified through a simulation experiment. The method provides an effective model method for analyzing and predicting the network security threat state closer to the actual network security problem and realizing objective and comprehensive security threat early warning, and can provide guidance for a network security manager to formulate a targeted security prevention and control scheme.
Based on the foregoing method, an embodiment of the present invention further provides a server, including: one or more processors; a storage device for storing one or more programs which, when executed by the one or more processors, cause the one or more processors to implement the method described above.
Based on the above method, the embodiment of the present invention further provides a computer readable medium, on which a computer program is stored, wherein the program, when executed by a processor, implements the above method.
The device provided by the embodiment of the present invention has the same implementation principle and technical effect as the method embodiments, and for the sake of brief description, reference may be made to the corresponding contents in the method embodiments without reference to the device embodiments.
It is clear to those skilled in the art that, for convenience and brevity of description, the specific working processes of the system and the apparatus described above may refer to the corresponding processes in the foregoing method embodiments, and are not described herein again.
In all examples shown and described herein, any particular value should be construed as merely exemplary, and not as a limitation, and thus other examples of example embodiments may have different values.
It should be noted that: like reference numbers and letters refer to like items in the following figures, and thus, once an item is defined in one figure, it need not be further defined and explained in subsequent figures.
The flowchart and block diagrams in the figures illustrate the architecture, functionality, and operation of possible implementations of systems, methods and computer program products according to various embodiments of the present invention. In this regard, each block in the flowchart or block diagrams may represent a module, segment, or portion of code, which comprises one or more executable instructions for implementing the specified logical function(s). It should also be noted that, in some alternative implementations, the functions noted in the block may occur out of the order noted in the figures. For example, two blocks shown in succession may, in fact, be executed substantially concurrently, or the blocks may sometimes be executed in the reverse order, depending upon the functionality involved. It will also be noted that each block of the block diagrams and/or flowchart illustration, and combinations of blocks in the block diagrams and/or flowchart illustration, can be implemented by special purpose hardware-based systems which perform the specified functions or acts, or combinations of special purpose hardware and computer instructions.
In the several embodiments provided in the present application, it should be understood that the disclosed system, apparatus and method may be implemented in other ways. The above-described embodiments of the apparatus are merely illustrative, and for example, the division of the units is only one logical division, and there may be other divisions when actually implemented, and for example, a plurality of units or components may be combined or integrated into another system, or some features may be omitted, or not executed. In addition, the shown or discussed mutual coupling or direct coupling or communication connection may be an indirect coupling or communication connection of devices or units through some communication interfaces, and may be in an electrical, mechanical or other form.
The units described as separate parts may or may not be physically separate, and parts displayed as units may or may not be physical units, may be located in one place, or may be distributed on a plurality of network units. Some or all of the units can be selected according to actual needs to achieve the purpose of the solution of the embodiment.
In addition, functional units in the embodiments of the present invention may be integrated into one processing unit, or each unit may exist alone physically, or two or more units are integrated into one unit.
The functions, if implemented in the form of software functional units and sold or used as a stand-alone product, may be stored in a non-volatile computer-readable storage medium executable by a processor. Based on such understanding, the technical solution of the present invention may be embodied in the form of a software product, which is stored in a storage medium and includes instructions for causing a computer device (which may be a personal computer, a server, or a network device) to execute all or part of the steps of the method according to the embodiments of the present invention. The aforementioned storage medium includes: a USB flash drive, a removable hard disk, a Read-Only Memory (ROM), a Random Access Memory (RAM), a magnetic disk or an optical disk, and other various media capable of storing program code.
Finally, it should be noted that the above-mentioned embodiments are only specific embodiments of the present invention, used to illustrate its technical solutions and not to limit them, and the protection scope of the present invention is not limited thereto. Although the present invention is described in detail with reference to the foregoing embodiments, those skilled in the art should understand that any person skilled in the art can, within the technical scope of the present disclosure, modify or readily conceive changes to the technical solutions described in the foregoing embodiments, or make equivalent substitutions for some of their technical features; such modifications, changes or substitutions do not depart from the spirit and scope of the embodiments of the present invention, and they should be construed as being included therein. Therefore, the protection scope of the present invention shall be subject to the protection scope of the claims.
Claims (8)
1. A network security threat early warning method based on qualitative differential game and evolutionary game is characterized by comprising the following contents: combining network system functions and a topological structure thereof to construct a multi-dimensional network security state space;
introducing a qualitative differential game, constructing an attack and defense qualitative differential game model, and acquiring an attack and defense boundary grid according to the attack and defense qualitative differential game model; introducing an evolutionary game, constructing an attack and defense evolutionary game model, and acquiring a network security state evolution track according to the attack and defense evolutionary game model;
acquiring threat degrees of different security states according to a multidimensional space Euclidean distance between the network security state evolution track and the attack and defense boundary grid;
from the perspective of bounded rationality of the attack and defense participants, introducing evolutionary game theory, constructing an attack and defense evolutionary game model, and obtaining a network security state evolution track by solving it, wherein the attack and defense evolutionary game model AEGM is represented by an eight-tuple (N, B, S, t, Y, Q, f, U), wherein N represents a participant space, B represents an attack and defense action space, S represents a sub-network set divided according to network functions and topological structure, t represents attack and defense game time, Y represents a network security state variable at the network attack and defense game time, Q represents strategy selection probabilities of both attack and defense parties at the network game time, f represents a network security state transition function, and U represents a game profit function set;
based on the evolutionary game theory, a replication dynamic equation and a threat propagation equation of the attacking party and the defending party are combined to obtain an equation set:
obtaining a network security state evolution track $Y^*(t)$ by solving the equation set; wherein $A(Q_A)$ represents the replication dynamic equation of the aggressor; the selection probability of the attack strategy for the attacker at time $t$; $D(Q_D)$ represents the replication dynamic equation of the defender; the selection probability of the defense strategy for the defender at time $t$; and respectively representing the selection probabilities of the attack and defense strategies $AS_i$ and $DS_j$; and respectively the game outcomes corresponding to the attack and defense strategies $AS_i$ and $DS_j$; represents the expected yield of the attack strategy, and represents the expected yield of the defense strategy; $\beta_k$ represents the average degree of connectivity of subnetwork $S_k$; $p_k$ represents the density of infected nodes in a subnetwork; $a(t)$ represents attack utility; $d(t)$ represents defense utility; $\theta(t)$ represents the probability of connecting normal nodes with the infected nodes at time $t$; $\rho(t)$ represents the density of the infected nodes in the network at time $t$; respectively representing the attack intensity of the attacking party and the defense intensity of the defending party; and $m$ and $n$ respectively represent the total number of selectable strategies of the attacking party and the defending party;
according to the network security state evolution track, acquiring a security state set on the evolution track at the moment t, wherein the network security threat degree is expressed as a Euclidean distance between the security state set and the network security state of the attack and defense boundary grid; if the Euclidean distance is a negative value, the security threat degree is in a low-level controllable state, and if the Euclidean distance is a positive value, the security threat degree is in a high-level uncontrollable state.
2. The network security threat early warning method based on the qualitative differential gaming and the evolutionary gaming according to claim 1, characterized in that an infectious disease dynamics model is used to describe a network security threat propagation process, the network node security state is divided into a normal state and an interference state, and the network security threat propagation diffusion change process is reflected by the density change of the infected nodes in the network; dividing the network boundary into a plurality of functional sub-networks according to the network function and the topological structure to form a multi-dimensional network security state space, and analyzing the density state of the infected nodes of each sub-network by utilizing the network security threat propagation process.
3. The network security threat early warning method based on the qualitative differential gaming and the evolutionary gaming of claim 1, characterized in that, from the perspective of continuous dynamic confrontation, a qualitative differential game is introduced, an attack and defense qualitative differential game model is constructed and the attack and defense boundary grid is solved, the attack and defense boundary grid being taken as the measurement reference for evaluating the threat degree of the network security state, wherein the attack and defense qualitative differential game model NSDG is expressed by an eight-tuple (N, B, S, t, X, P, f, G), wherein N represents a participant space, B represents an attack and defense action space, S represents a sub-network set divided according to network functions and topological structure, t represents the network attack and defense qualitative differential game time, X represents a network security state variable at the network attack and defense qualitative differential game time, P represents a control strategy of both attack and defense parties at the network attack and defense qualitative differential game time, f represents a network security state transition function, and G represents an attack target set.
4. The network security threat early warning method based on the qualitative differential gaming and the evolutionary gaming as claimed in claim 1 or 3, characterized in that in the process of solving the attacking and defending qualitative differential gaming model, the multidimensional network security space is divided into a capturing area and a hiding area, the network security state track corresponding to the optimal control strategy of both attacking and defending parties is solved, and the network security state track is used as an attacking and defending boundary grid in the network attacking and defending qualitative differential gaming model to determine the boundary between the capturing area and the hiding area.
5. The network security threat early warning method based on the qualitative differential gaming and the evolutionary gaming according to claim 4, wherein the solution process of the attack-defense qualitative differential gaming model comprises the following contents: constructing a Hamiltonian for representing the change rate of the network security state; acquiring optimal control strategies of both attacking and defending parties according to a bilateral extreme value theorem; constructing an attack and defense game target boundary set and acquiring a unit normal vector of the attack and defense game target boundary set; acquiring an optimal attack and defense strategy and an attack and defense boundary grid initial state position set on an attack and defense game target boundary set according to a Hamiltonian, optimal control strategies of both attack and defense parties, the attack and defense game target boundary set and a unit normal vector; and acquiring a network security optimal track, namely a network attack and defense boundary grid, according to the optimal attack and defense strategy and the initial state position set of the attack and defense boundary grid on the attack and defense game target boundary set.
6. The network security threat early warning method based on the qualitative differential gaming and the evolutionary gaming as claimed in claim 1, wherein in the solving process of the attack and defense evolutionary game model, an evolutionarily stable equilibrium strategy is obtained by combining a replication dynamic learning mechanism, so as to obtain a network security state evolution track which quantitatively describes how the network security state changes.
7. The network security threat early warning method based on the qualitative differential gaming and the evolutionary gaming as claimed in claim 1, wherein the security threat degree is graded according to the obtained Euclidean distance value range by combining historical data and expert experience to determine the threat degree of the current network security state.
8. A network security threat early warning device based on qualitative differential game and evolutionary game, which is realized based on the method of claim 1, and comprises: a space construction module, a model construction module, and a threat analysis module, wherein,
the space construction module is used for constructing a multi-dimensional network security state space by combining the network system function and the topological structure thereof;
the model construction module is used for introducing a qualitative differential game, constructing an attack and defense qualitative differential game model and acquiring an attack and defense boundary grid according to the attack and defense qualitative differential game model; introducing an evolutionary game, constructing an attack and defense evolutionary game model, and acquiring a network security state evolution track according to the attack and defense evolutionary game model;
and the threat analysis module is used for acquiring the threat degrees of different security states according to the multi-dimensional space Euclidean distance between the network security state evolution track and the attack and defense boundary grid.
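The pipeline of claim 1 (replication dynamics coupled to threat propagation, then a signed distance to the boundary grid) can be sketched as follows; this is an added example, not code from the patent. The equation set is not reproduced on this page, so the sketch assumes standard two-population replicator dynamics and a mean-field SIS-style propagation term, and the payoff matrices, intensities, connectivity values, barrier line and sign convention are all constructed.

```python
import math

# Every number here is constructed for illustration; none comes from the patent.
U_A = [[3.0, 5.0], [1.0, 2.0]]   # attacker payoff for (AS_i, DS_j)
U_D = [[4.0, 1.0], [2.0, 3.0]]   # defender payoff for (AS_i, DS_j)
ATK_INTENSITY = [0.9, 0.4]       # assumed attack intensity of AS_1, AS_2
DEF_INTENSITY = [0.8, 0.3]       # assumed defense intensity of DS_1, DS_2
BETA = [3.0, 6.0]                # beta_k: average connectivity of S_1, S_2
# Assumed barrier: the line rho_1 + rho_2 = 0.8, sampled as points in state space.
BARRIER = [(0.8 * i / 200, 0.8 - 0.8 * i / 200) for i in range(201)]


def derivatives(q, r, rho):
    """Time derivatives of strategy mixes q, r and infected densities rho."""
    u = [sum(rj * U_A[i][j] for j, rj in enumerate(r)) for i in range(len(q))]
    v = [sum(qi * U_D[i][j] for i, qi in enumerate(q)) for j in range(len(r))]
    u_bar = sum(qi * ui for qi, ui in zip(q, u))        # expected attack payoff
    v_bar = sum(rj * vj for rj, vj in zip(r, v))        # expected defense payoff
    dq = [qi * (ui - u_bar) for qi, ui in zip(q, u)]    # attacker replicator equation
    dr = [rj * (vj - v_bar) for rj, vj in zip(r, v)]    # defender replicator equation
    a = sum(qi * s for qi, s in zip(q, ATK_INTENSITY))  # attack utility a(t)
    d = sum(rj * s for rj, s in zip(r, DEF_INTENSITY))  # defense utility d(t)
    theta = sum(b * p for b, p in zip(BETA, rho)) / sum(BETA)  # P(link hits infected)
    drho = [a * b * (1 - p) * theta - d * p for b, p in zip(BETA, rho)]
    return dq, dr, drho


def evolve(q, r, rho, t_end=10.0, dt=0.01):
    """Forward-Euler integration; returns [(t, q, r, rho), ...]."""
    traj = [(0.0, list(q), list(r), list(rho))]
    for step in range(1, int(round(t_end / dt)) + 1):
        dq, dr, drho = derivatives(q, r, rho)
        q = [x + dt * dx for x, dx in zip(q, dq)]
        r = [x + dt * dx for x, dx in zip(r, dr)]
        rho = [min(1.0, max(0.0, x + dt * dx)) for x, dx in zip(rho, drho)]
        traj.append((step * dt, q, r, rho))
    return traj


def distance(p, b):
    return math.sqrt(sum((x - y) ** 2 for x, y in zip(p, b)))


def threat_degree(rho):
    """Signed Euclidean distance from rho to the nearest barrier point.
    Assumed sign: negative below the barrier (controllable), positive above."""
    nearest = min(BARRIER, key=lambda b: distance(rho, b))
    side = 1.0 if sum(rho) > sum(nearest) else -1.0
    return side * distance(rho, nearest)


def first_warning(traj):
    """First time the trajectory lies on the positive side, or None."""
    for t, _, _, rho in traj:
        if threat_degree(rho) > 0:
            return t
    return None


if __name__ == "__main__":
    path = evolve([0.5, 0.5], [0.5, 0.5], [0.05, 0.05])
    print("threat at t=0:", round(threat_degree(path[0][3]), 3))
    print("first warning at t =", first_warning(path))
```

With these constructed payoffs both populations converge to the pair (AS_1, DS_1), and the infected densities settle above the assumed barrier, so the threat degree changes sign along the track.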
Priority Applications (1)
Application Number | Priority Date | Filing Date | Title |
---|---|---|---|
CN201910275813.4A CN110099045B (en) | 2019-04-08 | 2019-04-08 | Network security threat early warning method and device based on qualitative differential gaming and evolutionary gaming |
Publications (2)
Publication Number | Publication Date |
---|---|
CN110099045A CN110099045A (en) | 2019-08-06 |
CN110099045B CN110099045B (en) | 2021-09-10 |
Family
ID=67444457
Country Status (1)
Country | Link |
---|---|
CN (1) | CN110099045B (en) |
Families Citing this family (7)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
CN110909351B (en) * | 2019-11-23 | 2021-11-12 | 中国人民解放军战略支援部队信息工程大学 | Hardware-assisted control structure invariant mining method |
CN112434922B (en) * | 2020-11-13 | 2021-08-24 | 北方工业大学 | Urban power grid system security control method and device based on zero sum game |
CN113435000B (en) * | 2021-04-30 | 2023-10-31 | 北京理工大学 | Boundary grid construction and battle situation judgment method based on geometric isomerism 2-to-1 game problem |
CN114157478B (en) * | 2021-12-01 | 2022-10-18 | 浙江大学 | False data injection attack defense method based on differential game |
CN115348064B (en) * | 2022-07-28 | 2023-09-26 | 南京邮电大学 | Dynamic game-based power distribution network defense strategy design method under network attack |
CN116859745B (en) * | 2023-08-03 | 2024-05-31 | 江南大学 | Design method of jump system model-free game control based on deviation evaluation mechanism |
CN117150738B (en) * | 2023-08-10 | 2024-05-10 | 中国船舶集团有限公司第七〇九研究所 | Action direction pre-judging method under complex scene |
Citations (3)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
CN106656571A (en) * | 2016-11-09 | 2017-05-10 | 天津大学 | Clustering wireless sensor network malicious program propagation model based on evolution game |
CN108696534A (en) * | 2018-06-26 | 2018-10-23 | 中国人民解放军战略支援部队信息工程大学 | Real-time network security threat early warning analysis method and its device |
CN108833401A (en) * | 2018-06-11 | 2018-11-16 | 中国人民解放军战略支援部队信息工程大学 | Network active defensive strategy choosing method and device based on Bayes's evolutionary Game |
Family Cites Families (1)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
US9674267B2 (en) * | 2013-01-29 | 2017-06-06 | Sony Interactive Entertainment America, LLC | Methods and apparatus for hiding latency in network multiplayer games |
Legal Events
Date | Code | Title | Description |
---|---|---|---|
PB01 | Publication | ||
SE01 | Entry into force of request for substantive examination | ||
GR01 | Patent grant | ||