CN110138778A - A kind of network attack risk control method and system based on game theory - Google Patents

Info

Publication number
CN110138778A
CN110138778A
Authority
CN
China
Prior art keywords
node
attack
loophole
host
income
Prior art date
Legal status
Granted
Application number
CN201910403448.0A
Other languages
Chinese (zh)
Other versions
CN110138778B (en)
Inventor
刘延华
邱彦彬
吴克栋
Current Assignee
Fuzhou University
Original Assignee
Fuzhou University
Application filed by Fuzhou University
Priority to CN201910403448.0A
Publication of CN110138778A
Application granted
Publication of CN110138778B
Legal status: Active

Classifications

    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L63/00 Network architectures or network communication protocols for network security
    • H04L63/14 Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic
    • H04L63/1433 Vulnerability analysis
    • H04L63/20 Network architectures or network communication protocols for network security for managing network security; network security policies in general

Landscapes

  • Engineering & Computer Science (AREA)
  • Computer Security & Cryptography (AREA)
  • Computer Hardware Design (AREA)
  • Computing Systems (AREA)
  • General Engineering & Computer Science (AREA)
  • Computer Networks & Wireless Communication (AREA)
  • Signal Processing (AREA)
  • Computer And Data Communications (AREA)
  • Data Exchanges In Wide-Area Networks (AREA)

Abstract

The present invention relates to a network attack risk control method and system based on game theory. Following the ideas and models of game theory, for each vulnerability on each host, the attack income and the defence income are calculated from the attack information and the topological correlation information between hosts; a game-theoretic minimum-risk algorithm is then used to obtain the key defence nodes that control the propagation of security risk, and an optimum defence strategy is proposed for each key node in its environment. This helps the security manager to quickly contain the spread of network attack risk, so that critical assets are better protected and losses are reduced.

Description

A kind of network attack risk control method and system based on game theory
Technical field
The present invention relates to the technical field of network security, in particular to a network attack risk control method and system based on game theory.
Background technique
Since "hackers", computer viruses, information spies and the like use network attacks as their main starting point, the security risks they generate pose an increasingly severe threat to network security. Security has become a necessary means for network applications, and the prevention of network attacks is particularly important in order to protect the safety and integrity of the data transmitted over the network. For the security risk scenarios of a large information network, which involve processing many kinds of information such as attack information, vulnerability information and the topological environment, introducing intelligent computation makes it possible to select the nodes that pose the greatest threat, defend them preferentially, and obtain defence policies.
However, most risk control methods are currently used in the fields of finance and engineering; they are not applied to security risk control in cyberspace or network security, and security risk control proposed specifically for attacks is rarer still, which leads to the degradation and loss of critical assets.
Summary of the invention
In view of this, the purpose of the present invention is to propose a network attack risk control method and system based on game theory, which can effectively analyse and perceive network attack risk and its diffusion paths, find the optimal defence nodes, and provide an effective set of safe disposal strategies, thereby providing important technical support for network attack risk control.
The present invention is realised by the following scheme: a network attack risk control method based on game theory, specifically comprising the following steps:
Step S1: quantise the asset information and the CVE standard information;
Step S2: according to the network topology information and the vulnerability information, take each vulnerability as a point, and generate an edge from the relationship between the exploitation condition of each vulnerability and the effect condition after the vulnerability is attacked, to produce the vulnerability graph of potential attack diffusion paths;
Step S3: according to the generated vulnerability graph, take the host IP relationships as points and the association relationships between vulnerabilities as edges, to generate the attack risk diffusion graph of the host IP layer;
Step S4: according to the generated host attack risk diffusion graph, the asset information and the standard CVE vulnerability information, calculate the attack income of each host node and the defence income of each host node respectively;
Step S5: according to the attacked information of each node, the attack income of the node and the defence income of the node, calculate the game defence income of each node;
Step S6: sort the nodes by their game defence income and, under the minimum-cost condition, take the top N as the top N optimum defence nodes, i.e. the N most critical defence nodes in the current network;
Step S7: calculate the optimum defence strategy for a selected optimum defence node, as the optimum defence strategy of that defence node in the current environment.
Further, step S1 specifically comprises the following steps:
Step S11: quantise all asset information of each IP node, where cp_i is the confidentiality information belonging to the i-th node, up_i is the availability belonging to the i-th node, itp_i is the integrity belonging to the i-th node, and sf_i is the asset importance belonging to the i-th node;
Step S12: quantise the standard information of each CVE vulnerability, where cv_j denotes the CVSS score of the j-th vulnerability, acp_j the attack complexity of the j-th vulnerability, cf_j the impact of the j-th CVE vulnerability on host confidentiality, it_j its impact on host integrity, ub_j its impact on host availability, acd_j the network environment required to attack the j-th vulnerability, ir_j whether the j-th vulnerability can be repaired while the host is running, and rt_j the reboot time needed to repair the j-th vulnerability.
Further, in step S11, the quantisation standard of each parameter is as follows:
Asset importance level: its value has one digit after the decimal point, with a maximum of 1 and a minimum of 0; usually 0.7-1 is a specially critical asset, 0.4-0.69 is a secondary critical asset, and 0-3.9 is a general critical asset;
Asset confidentiality level: its value has one digit after the decimal point, with a maximum of 1 and a minimum of 0; usually 0.7-1 is an especially secret asset, 0.4-0.69 is a secondary secret asset, and 0-3.9 is a general secret asset;
Asset integrity level: its value has one digit after the decimal point, with a maximum of 1 and a minimum of 0; usually 0.7-1 is an asset with high integrity requirements, 0.4-0.69 an asset with secondary integrity requirements, and 0-3.9 an asset with general integrity requirements;
Asset availability level: its value has one digit after the decimal point, with a maximum of 1 and a minimum of 0; usually 0.7-1 is an asset with high availability requirements, 0.4-0.69 an asset with secondary availability requirements, and 0-3.9 an asset with general availability requirements.
Further, in step S12, the quantisation standard of each parameter is as follows:
CVSS score of the vulnerability: its value has one digit after the decimal point, with a final score of at most 10 and at least 0; a vulnerability scoring 7-10 is generally considered serious, a score between 4 and 6.9 is a medium-level vulnerability, and 0-3.9 is a low-level vulnerability;
Attack complexity of the vulnerability: represented by three values, where 1 means the attack complexity is low, 2 medium, and 3 high;
Impact of the vulnerability on host confidentiality: three values, where 1 means no impact on the confidentiality of the system, 2 some impact on system confidentiality, and 3 complete impact on confidentiality;
Impact on host integrity: three values, where 1 means no impact on the integrity of the system, 2 some impact on system integrity, and 3 complete impact on integrity;
Impact of the vulnerability on host availability: three values, where 1 means no impact on the availability of the system, 2 some impact on system availability, and 3 complete impact on availability;
Network environment required to attack the vulnerability: two values, where 1 means only network connectivity is needed and nothing else, and 2 means physical access or a local account is required;
Whether the vulnerability can be repaired while running: two values, where 0 means it cannot be repaired while the host is running, and 1 means it can;
Reboot time for repairing the vulnerability: a number in seconds, indicating how long the required restart takes.
Further, step S3 specifically comprises the following steps:
Step S31: merge the vulnerabilities that belong to the same IP in the vulnerability graph, keeping the CVE number information of the vulnerabilities under that IP in the order in which they are connected;
Step S32: for host nodes connected through vulnerabilities between two different IPs, associate them with each other to obtain the link layer of host-layer IPs, i.e. the host attack risk diffusion graph.
Further, in step S4, calculating the attack income of each host node specifically comprises the following steps:
Step S4A1: according to the asset information of this host IP node and all vulnerability information on this node, calculate the attack effect income, denoted ae';
Step S4A2: according to the asset information of this host IP node and all vulnerability information on this node, calculate the attack response cost, denoted ap';
Step S4A3: calculate the attack income ae_k of host IP = k as the attack effect income minus the attack response cost, i.e. ae_k = ae' - ap'.
Preferably, given all the data normalised in step S1, the attack effect income in step S4A1 is calculated as follows:
ae' = (cp_i + up_i + itp_i) * sf_i
Preferably, given all the data normalised in step S1, the attack response cost in step S4A2 is calculated as follows:
In this formula, the variable ua is the number of nodes among the predecessor nodes of this host IP node that have not been attacked, pc is the number of all predecessor nodes of the host IP node, and n is the number of vulnerabilities on this host IP.
Further, in step S4, calculating the defence income of each host node specifically comprises the following steps:
Step S4B1: according to the asset information of this host IP node and all vulnerability information on this node, calculate the defence effect income, denoted de';
Step S4B2: according to the asset information of this host IP node and all vulnerability information on this node, calculate the defence response cost, denoted dp';
Step S4B3: calculate the defence income de_k of host IP = k as the defence effect income minus the defence response cost, i.e. de_k = de' - dp'.
Preferably, given all the data normalised in step S1, the defence effect income in step S4B1 is calculated as follows:
In this formula, the variable n is the number of vulnerabilities on this host IP.
Preferably, given all the data normalised in step S1, the defence response cost in step S4B2 is calculated as follows:
In this formula, the variable dp_time' is the defence response time cost and dp_negative' is the negative cost of defence; they are calculated specifically as follows:
In this formula, the variable n is the number of CVE vulnerabilities the node has, ua is the number of nodes among the predecessor nodes of this host IP node that have not been attacked, and sf is the asset importance level of the node.
Further, step S5 specifically comprises the following steps:
Step S51: traverse all nodes in the attack risk diffusion graph to obtain all nodes that have not been attacked;
Step S52: traverse all the non-attacked nodes obtained and, from each node as a starting point, perform a breadth-first traversal to obtain the set of nodes subsequent to it; the node set obtained from node i as the starting point is denoted ptn_i;
Step S53: according to the attacked information, the node attack income, the node defence income and the ptn_i obtained in step S52, calculate the game defence income of each non-attacked node, denoted gt_i.
Further, in step S53, the game defence income gt_i of each non-attacked node is calculated as follows:
Wherein,
In this formula, the variable n is the number of nodes in ptn_i, m is the number of all predecessor nodes of the node being calculated, and w_j is the connection weight between each predecessor node and the node being calculated.
Further, step S7 specifically comprises the following steps:
Step S71: for the selected optimum defence node, judge whether the number of this node's CVE vulnerabilities that can be repaired while running is greater than the total number of CVE vulnerabilities on this node; if so, notify the security manager that online vulnerability repair can be carried out, otherwise go to step S72;
Step S72: for the selected optimum defence node, judge whether it is itself a critical asset; if so, go to step S73; if not, judge whether the critical assets among the node's neighbouring nodes still have remaining communication connections; if so, shut down this IP and remind the security manager to carry out offline vulnerability repair; if not, raise the highest alarm and contact the security emergency personnel to deal with it rapidly;
Step S73: judge whether the attacked nodes on the periphery carry critical asset information; if not, cut off the connections between all peripheral attacked nodes and this node and send a notice; if there is critical asset information, notify the administrator for further processing.
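As an added worked example (not code from the patent), the quantised records of steps S11 and S12, the vulnerability-graph to host-graph merge of steps S31 and S32, the ae' formula of step S4A1, the breadth-first traversal of step S52 and the decision steps S71 to S73 are run on a constructed three-host network. The S71 comparison and the "remaining communication connection" test are read as stated in the code comments, and the ap', de', dp' and gt_i formulas, which the page does not give, are left out.

```python
from collections import deque
from dataclasses import dataclass

@dataclass
class Asset:
    """Step S11: quantised asset information of one IP node, every value in [0, 1]."""
    cp: float   # confidentiality
    up: float   # availability
    itp: float  # integrity
    sf: float   # asset importance

@dataclass
class Cve:
    """Step S12: quantised standard information of one CVE vulnerability on one host."""
    cve_id: str
    ip: str     # host IP the vulnerability belongs to
    cv: float   # CVSS score, 0-10
    acp: int    # attack complexity: 1 low, 2 medium, 3 high
    cf: int     # impact on host confidentiality: 1 none, 2 partial, 3 complete
    it: int     # impact on host integrity, same scale
    ub: int     # impact on host availability, same scale
    acd: int    # required environment: 1 network only, 2 physical access or local account
    ir: int     # 1 = repairable while the host keeps running, 0 = not
    rt: int     # reboot time of the repair, in seconds

def importance_level(sf):
    """S11 asset importance bands: 0.7-1 specially critical, 0.4-0.69 secondary, else general."""
    return "special" if sf >= 0.7 else "secondary" if sf >= 0.4 else "general"

def attack_effect_income(a):
    """Step S4A1: ae' = (cp_i + up_i + itp_i) * sf_i, the only income formula the page gives."""
    return (a.cp + a.up + a.itp) * a.sf

def host_graph(cves, vuln_edges):
    """Steps S31/S32: merge same-IP vulnerabilities into one host node and keep an edge between
    two hosts whenever a vulnerability on the first enables a vulnerability on the second."""
    ip_of = {c.cve_id: c.ip for c in cves}
    graph = {c.ip: set() for c in cves}
    for src, dst in vuln_edges:
        if ip_of[src] != ip_of[dst]:
            graph[ip_of[src]].add(ip_of[dst])
    return graph

def successor_sets(graph, attacked):
    """Steps S51/S52: breadth-first traversal from every non-attacked node gives its ptn_i."""
    ptn = {}
    for start in graph:
        if start in attacked:
            continue
        seen, queue = set(), deque([start])
        while queue:
            for nxt in graph[queue.popleft()]:
                if nxt not in seen and nxt != start:
                    seen.add(nxt)
                    queue.append(nxt)
        ptn[start] = seen
    return ptn

def defence_strategy(ip, cves, assets, graph, attacked):
    """Step S7 decision procedure for one selected optimum defence node."""
    mine = [c for c in cves if c.ip == ip]
    # S71: the page compares the number of online-repairable CVEs with the total; read here
    # as "every CVE on the node can be repaired while it keeps running" (assumption).
    if mine and all(c.ir == 1 for c in mine):
        return "S71: online repair possible, notify the security manager"
    neighbours = graph[ip] | {n for n in graph if ip in graph[n]}
    if importance_level(assets[ip].sf) == "special":
        # S73: the node is itself a critical asset; inspect the attacked nodes around it.
        attacked_around = sorted(n for n in neighbours if n in attacked)
        if any(importance_level(assets[n].sf) == "special" for n in attacked_around):
            return "S73: critical asset among attacked neighbours, notify the administrator"
        return "S73: cut connections from %s to %s and send notice" % (attacked_around, ip)
    # S72: not a critical asset; any host-graph edge to a critical neighbour is taken as a
    # remaining communication connection (assumption).
    if any(importance_level(assets[n].sf) == "special" for n in neighbours):
        return "S72: shut down %s and remind the security manager to repair offline" % ip
    return "S72: highest alarm, contact the security emergency personnel"

# Constructed sample network: an already attacked web host, an application host, a database host.
ASSETS = {"10.0.0.1": Asset(0.8, 0.6, 0.6, 0.5),
          "10.0.0.2": Asset(0.9, 0.9, 0.9, 0.8),
          "10.0.0.3": Asset(1.0, 0.8, 1.0, 0.9)}
CVES = [Cve("CVE-A1", "10.0.0.1", 7.5, 1, 2, 2, 2, 1, 1, 0),
        Cve("CVE-A2", "10.0.0.1", 9.8, 2, 3, 3, 3, 1, 0, 120),
        Cve("CVE-B1", "10.0.0.2", 8.1, 2, 3, 3, 2, 1, 0, 300),
        Cve("CVE-C1", "10.0.0.3", 6.5, 3, 3, 2, 1, 2, 1, 0)]
VULN_EDGES = [("CVE-A1", "CVE-A2"), ("CVE-A2", "CVE-B1"), ("CVE-B1", "CVE-C1")]
ATTACKED = {"10.0.0.1"}

def run_example():
    graph = host_graph(CVES, VULN_EDGES)
    return {"graph": graph,
            "ptn": successor_sets(graph, ATTACKED),
            "ae": {ip: attack_effect_income(a) for ip, a in ASSETS.items()},
            "strategy": {ip: defence_strategy(ip, CVES, ASSETS, graph, ATTACKED) for ip in graph}}

if __name__ == "__main__":
    for key, value in run_example().items():
        print(key, value)
```

The CVE identifiers and addresses are placeholders, not real vulnerabilities.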
The present invention also provides a system based on the above network attack risk control method based on game theory, comprising a memory and a processor, where the method instructions of step S1 to step S9 are stored in the memory and the processor executes the method instructions stored in the memory at runtime.
Preferably, the system of the invention may further comprise the following functional modules: a network and vulnerability information acquisition module, an information pre-processing module, a potential path diffusion module, a host IP layer vulnerability association and host attack risk diffusion graph generation module, a single-node attack/defence income calculation module, an optimum defence node selection module, and an optimum defence strategy reminding module.
The network and vulnerability information acquisition module extracts the network topology information, the attacked status information of the network hosts, the network asset information and the standard CVE vulnerability information of every host from the network concerned. The information pre-processing module extracts the key information from the network asset information and vulnerability information in the data, such as asset importance, asset confidentiality and asset integrity in the asset information, and the CVSS score, attack complexity and impact on host confidentiality in the vulnerability information, converting the values high, medium and low into 1, 2 and 3 respectively. The potential path diffusion module generates the vulnerability graph of all possible attack paths of the vulnerabilities according to the preconditions of the vulnerability information, the income of successful exploitation and the network topology information. The host IP layer vulnerability association and attack path graph generation module fuses the vulnerability graph of the potential path diffusion module with the host IPs as the key, taking host IPs as nodes and potential attack paths as edges, to generate the host IP graph. The single-node attack/defence income calculation module calculates the attack income and the defence income of each host IP node according to the asset information and the CVE vulnerability information. The optimum defence node selection module selects the host IP nodes of optimum defence in the current network based on the game-theoretic minimum-cost information, according to the attacked status, attack income and defence income of each node's descendant nodes, to obtain the top N defence nodes with minimum cost and highest income. The optimum defence strategy reminding module proposes an optimised protection strategy for a selected optimised protection node.
The present invention is based on the ideas and models of game theory: for each vulnerability on each host, the attack income and the defence income are calculated from the attack information and the topological correlation information between hosts, a game-theoretic minimum-risk algorithm is used to obtain the key defence nodes that control the propagation of security risk, and an optimum defence strategy is proposed for each key node in its environment, so as to help the security manager quickly contain the spread of network attack risk, protect critical assets better and reduce losses.
Compared with the prior art, the invention has the following beneficial effects: it uses game theory and minimum-risk thinking to construct a network attack security risk control method based on vulnerability information. When network attack risk occurs, the system and method of the invention can reasonably, effectively and quickly find the optimum defence nodes and strategies against the security attack, providing a reference for the security officer.
Detailed description of the invention
Fig. 1 is a schematic diagram of the principle of the embodiment of the present invention.
Fig. 2 is a schematic flow chart of the method of the embodiment of the present invention.
Specific embodiment
The present invention will be further described below with reference to the accompanying drawings and embodiments.
It should be noted that the following detailed description is exemplary and is intended to provide further explanation of the application. Unless otherwise indicated, all technical and scientific terms used herein have the same meaning as commonly understood by a person of ordinary skill in the technical field to which the application belongs.
It should be noted that the terminology used herein is only for describing specific embodiments and is not intended to limit the exemplary embodiments of the application. As used herein, unless the context clearly indicates otherwise, the singular is also intended to include the plural; furthermore, it should be understood that when the terms "comprising" and/or "including" are used in this specification, they indicate the presence of the stated features, steps, operations, devices, components and/or combinations thereof.
As shown in Figure 1 and Figure 2, a kind of network attack risk control method based on game theory is present embodiments provided, Specifically includes the following steps:
Step S1: numeralization assets information and CVE standard information;
Step S2: according to network topological information and vulnerability information, using each loophole as point, with the utilization condition of each loophole Relationship with the effect condition after attack loophole is to generate side, generates the loophole figure of potential attack diffusion path;
Step S3: raw using relationship associated between loophole as side using host ip relationship as point according to the loophole figure of generation At the risk of attacks scatter diagram of host ip layer;
Step S4: it according to the host machine attack risk diffusion figure, assets information and standard CVE vulnerability information of generation, counts respectively Calculate the attack income of each host node, the defence income of each host node;
Step S5: according to node under fire information, the defence income of the attack income of node and node, each node is calculated Game defend income;
Step S6: income is defendd according to the game of node, N node sequencing, obtains before carrying out the case where according to minimum cost Preceding N optimum defense node, the preceding N of most critical defends node as in current network;
Step S7: its optimum defense strategy is calculated according to a certain optimum defense node of selection, as the defence node Current environment under optimum defense strategy.
In the present embodiment, step S1 specifically includes the following steps:
Step S11: all assets informations for each IP node that quantizes, wherein cpiFor the secret letter for belonging to i-th of node It ceases, wherein upiFor the availability for belonging to i-th of node, wherein itpiFor the integrality for belonging to i-th of node, wherein sfiTo belong to In the assets importance of i-th of node;
Step S12: quantize each CVE loophole standard information, wherein cvjIndicate the CVSS scoring of j-th of loophole, wherein acpjIndicate the attack complexity of j-th of loophole, wherein cfjIndicate that j-th of CVE loophole influences host confidentiality, wherein itj Indicate that j-th of CVE loophole influences host integrity, wherein ubjIndicate that j-th of loophole influences host availability, wherein acdj Network environment needed for indicating the attack of j-th of loophole, wherein irjIndicate j-th of loophole whether can in operating status reparation, Middle rtjIndicate the reboot time of j-th of loophole of reparation.
In the present embodiment, in step S11, the standard on dataization of each parameter is as follows:
Assets importance rate: its numberical range is one behind decimal point, and assets importance peak is 1, minimum 0;Usual 0.7-1 is special critical asset, and 0.4-0.69 is time critical asset, and 0-3.9 is general critical asset;
Assets confidentiality level: its numberical range is one behind decimal point, and assets confidentiality peak is 1, minimum 0;Usual 0.7-1 is especially secret assets, and 0.4-0.69 is time secret assets, and 0-3.9 is general secret assets;
Assets integrity levels: its numberical range is one behind decimal point, and assets confidentiality peak is 1, minimum 0;Usual 0.7-1 is the high assets of integrity demands, and 0.4-0.69 is the assets of time integrity demands, and 0-3.9 is general complete Property require assets;
Asset availability grade: its numberical range is one behind decimal point, and asset availability peak is 1, minimum 0.Usual 0.7-1 is the high assets of availability requirement, and 0.4-0.69 is the assets of time availability requirement, and 0-3.9 is to be generally available Property require assets.
In the present embodiment, in step S12, the standard on dataization of each parameter is as follows:
The CVSS of loophole scores: its numberical range is one behind decimal point, and the final score of loophole is up to 10, minimum It is 0;The loophole of score 7-10 is typically considered to than more serious, score between 4-6.9 be in level vulnerability, 0-3.9's is then Rudimentary loophole;
The attack complexity of loophole: being divided into three kinds of numerical value indicates, 1 indicates that attack complexity is low, and 2 indicate in attack complexity Deng 3 expression attack complexities difficulties;
Loophole influences host confidentiality: there are three types of numerical value to indicate, 1 indicates on the confidentiality of system without influence, 2 expressions pair System confidentiality has some effects, and 3 indicate completely to influence confidentiality;
Influence on host integrity: there are three types of numerical value to indicate, 1 indicates to indicate to system the integrality of system without influence, 2 Integrality has some effects, and 3 indicate completely to influence integrality;
Loophole influences host availability: there are three types of numerical value to indicate, 1 indicates on the availability of system without influence, 2 expressions pair System availability has some effects, and 3 indicate completely to influence availability;
Loophole attacks required network environment: there are two kind numerical value to indicate, 1 expression is just not necessarily to only network interconnection other Unwanted mode, 2 indicate to need physical access permission or local account;
Whether loophole can be in operating status reparation: there are two data to indicate, 0 indicates to repair under operation, and 1 Indicating can be with;
The reboot time of patching bugs: using the second as meter digital, illustrate the time size for restarting needs.
In the present embodiment, step S3 specifically includes the following steps:
Step S31: merging integration for the loophole of IP identical in loophole figure, and retains with the data loophole CVE number under IP Information, with the sequence of the successive order of connection;
Step S32: by the leaky associated host node between two difference IP, association obtains host layer from each other The linking layer of IP obtains host machine attack risk diffusion figure.
In the present embodiment, in step S4, calculate the attack income of each host node specifically includes the following steps:
Step S4A1: for each assets information according to this host ip node and the leaky letter of institute in this node Breath calculates attack effect income, is denoted as ae';
Step SS4A2: according to all vulnerability informations in the assets information of this host ip node and this node, attack is calculated Response cost is denoted as ap';
Step S4A3: calculating main frame IP=k attack income aekTo attack effect income subtraction attack response cost, i.e., aek=ae'-ap'.
Preferably, in the present embodiment, it is right after the normalised all data of given step S1 in step S4A1 Attack effect income does following calculating:
Ae'=(cpi+upi+itpi)*sfi
Preferably, in the present embodiment, it is right after the normalised all data of given step S1 in step S4A2 Attack effect income does following calculating:
In formula, the number of nodes that variable ua is not attacked in the predecessor node of host ip node thus, variable pc is host The number of nodes of all predecessor nodes of IP node, the loophole quantity that variable n has in host ip thus.
In the present embodiment, in step S4, calculate the defence income of each host node specifically includes the following steps:
Step S4B1: according to all vulnerability informations in the assets information of this host ip node and this node, defence is calculated Effect income, is denoted as de';
Step S4B2: according to all vulnerability informations in the assets information of this host ip node and this node, defence is calculated Response cost is denoted as dp';
Step S4B3: calculating main frame IP=k defence income dekDefence response cost is subtracted for defence effect income, i.e., dek=de'-dp'.
Preferably, in the present embodiment, it is right after the normalised all data of given step S1 in step S4B1 Defence effect income does following calculating:
In formula, loophole quantity that variable n has in host ip thus.
Preferably, in the present embodiment, it is right after the normalised all data of given step S1 in step S4B2 Defence response cost does following calculating:
In formula, variable dptime' it is defence response time cost, variable dpnegative' it is the negative cost of defence, it is specific to count It calculates as follows:
In formula, the CVE loophole quantity of variable n node thus having, variable ua is thus in the predecessor node of host ip node The number of nodes that do not attacked, the assets important level of variable sf node thus.
In the present embodiment, step S5 specifically includes the following steps:
Step S51: all nodes in traversal risk of attacks scatter diagram obtain all not by attack node;
Step S52: traversal is obtained all not by attack node, is that starting point progress breadth traversal obtains using each node The node collection subsequent to its, wherein being denoted as ptn using the node collection that i-node is obtained as starting pointi
Step S53: the ptn obtained according under fire information, node attack income, node defence income and step S52i, It calculates and income is not each defendd by the game of attack node, be denoted as gti
In the present embodiment, in step S53, income gt is not each defendd by the game of attack nodeiIt calculates as follows:
Wherein,
In formula, the number of nodes that variable n is, variable m is ptniAll predecessor nodes of calculate node are counted, wjTo calculate section All predecessor nodes of point and the connection weight of calculate node.
In the present embodiment, step S7 specifically includes the following steps:
Step S71: for selected optimum defense node, judge that all of this node can be in the CVE of run mode reparation Whether the number of vulnerability information is greater than the sum of this node CVE vulnerability information, if so, notifying safety manager that can carry out Online loophole reparation, otherwise enters step S72;
Step S72: for selected optimum defense node, judging whether itself is critical asset, if so, entering step Rapid S73;If it is not, then judging whether the critical asset in node week mid-side node has remaining communication connection, if so, then closing this IP simultaneously reminds safety manager to carry out offline loophole reparation;If nothing, provides highest alarm and need to contact safety emergency people Member makes rapidly relevant treatment;
Step S73: judging whether periphery is had critical asset information in attack node, if without then cutting off all weeks Side by the connection of attack node and this node, and send notice, if there is critical asset information then notify administrator do into The processing of one step.
The present embodiment also provides a system for the game-theory-based network attack risk control method described above, comprising a memory and a processor, where the memory stores method instructions for steps S1 to S9 and the processor executes the method instructions stored in the memory at run time.
Preferably, the system of the present embodiment may also comprise the following functional modules: a network and vulnerability information acquisition module, an information pre-processing module, a potential path diffusion module, a host-IP-layer vulnerability association and host attack risk diffusion graph generation module, a single-node attack/defence income calculation module, an optimum defence node selection module, and an optimum defence strategy prompting module.
The network and vulnerability information acquisition module extracts from the monitored network the network topology information, the attack status of each host, the network asset information and the standard CVE vulnerability information of every host. The information pre-processing module extracts the key fields of the asset information and vulnerability information from the collected data, such as asset importance, asset confidentiality and asset integrity for assets, and the CVSS score, attack complexity and impact on host confidentiality for vulnerabilities, and converts the qualitative values high, medium and low to 1, 2 and 3 respectively. The potential path diffusion module generates, from the preconditions of each vulnerability, the gain on successful exploitation and the network topology information, a vulnerability graph of all possible attack paths. The host-IP-layer vulnerability association and attack path graph generation module fuses the vulnerability graph produced by the potential path diffusion module with the host IPs as the key, using host IPs as nodes and potential attack paths as edges, to generate the host IP graph. The single-node attack/defence income calculation module calculates the attack income and the defence income of each host IP node from the asset information and the CVE vulnerability information. The optimum defence node selection module selects the host IP nodes that are optimal to defend in the current network: based on the game-theoretic minimum-cost criterion, it uses the attack status, attack income and defence income of each node's successor nodes to obtain the top N defence nodes with the highest yield at minimum cost. The optimum defence strategy prompting module proposes the optimum protection strategy for a selected optimum protection node.
The present embodiment is based on game-theoretic ideas and models. For every vulnerability on every host it calculates attack income and defence income from the vulnerability information, the attack information and the topological association between hosts, then applies a game-theoretic minimum-risk algorithm to identify the critical defence nodes that control the propagation of security risk, and proposes an optimum defence strategy for those key nodes in their environment. This helps the security administrator quickly contain the propagation of network attack risk, better protect critical assets and reduce losses.
Those skilled in the art will understand that the embodiments of the present application may be provided as a method, a system or a computer program product. Accordingly, the present application may take the form of an entirely hardware embodiment, an entirely software embodiment, or an embodiment combining software and hardware aspects. Moreover, the present application may take the form of a computer program product implemented on one or more computer-usable storage media (including but not limited to disk storage, CD-ROM and optical storage) containing computer-usable program code.
The present application is described with reference to flowcharts and/or block diagrams of the method, device (system) and computer program product according to the embodiments of the present application. It should be understood that each flow and/or block in the flowcharts and/or block diagrams, and any combination of flows and/or blocks in the flowcharts and/or block diagrams, can be implemented by computer program instructions. These computer program instructions may be provided to the processor of a general-purpose computer, a special-purpose computer, an embedded processor or another programmable data processing device to produce a machine, such that the instructions executed by the processor of the computer or other programmable data processing device produce means for implementing the functions specified in one or more flows of the flowcharts and/or one or more blocks of the block diagrams.
These computer program instructions may also be stored in a computer-readable memory capable of directing a computer or other programmable data processing device to operate in a particular manner, such that the instructions stored in the computer-readable memory produce an article of manufacture including instruction means that implement the functions specified in one or more flows of the flowcharts and/or one or more blocks of the block diagrams.
These computer program instructions may also be loaded onto a computer or other programmable data processing device, such that a series of operational steps are performed on the computer or other programmable device to produce computer-implemented processing, so that the instructions executed on the computer or other programmable device provide steps for implementing the functions specified in one or more flows of the flowcharts and/or one or more blocks of the block diagrams.
The above is only a preferred embodiment of the present invention and does not limit the invention to other forms; any person skilled in the art may use the technical content disclosed above to change or modify it into an equivalent embodiment of equivalent variation. However, any simple modification, equivalent variation or remodelling made to the above embodiment according to the technical essence of the present invention, without departing from the technical solution of the present invention, still falls within the protection scope of the technical solution of the present invention.

Claims (11)

1. A game-theory-based network attack risk control method, characterised by comprising the following steps:
Step S1: quantify the asset information and the standard CVE information;
Step S2: according to the network topology information and the vulnerability information, taking each vulnerability as a node and generating an edge from the relationship between the exploitation condition of one vulnerability and the post-exploitation effect condition of another, generate the vulnerability graph of potential attack diffusion paths;
Step S3: according to the generated vulnerability graph, taking host IPs as nodes and the association relationships between vulnerabilities as edges, generate the host-IP-layer attack risk diffusion graph;
Step S4: according to the generated host attack risk diffusion graph, the asset information and the standard CVE vulnerability information, calculate separately the attack income and the defence income of each host node;
Step S5: according to the attack status information of each node, the attack income of the node and the defence income of the node, calculate the game defence income of each node;
Step S6: according to the game defence income of the nodes, sort the nodes under the minimum-cost criterion to obtain the top N optimum defence nodes, which are the N most critical defence nodes in the current network;
Step S7: for a selected optimum defence node, calculate its optimum defence strategy, i.e. the optimum defence strategy for that defence node in the current environment.
2. The game-theory-based network attack risk control method according to claim 1, characterised in that step S1 specifically comprises the following steps:
Step S11: quantify all asset information of each IP node, where cp_i is the confidentiality of the i-th node, up_i is the availability of the i-th node, itp_i is the integrity of the i-th node, and sf_i is the asset importance of the i-th node;
Step S12: quantify the standard information of each CVE vulnerability, where cv_j denotes the CVSS score of the j-th vulnerability, acp_j denotes the attack complexity of the j-th vulnerability, cf_j denotes the impact of the j-th CVE vulnerability on host confidentiality, it_j denotes the impact of the j-th CVE vulnerability on host integrity, ub_j denotes the impact of the j-th vulnerability on host availability, acd_j denotes the network environment required to attack the j-th vulnerability, ir_j denotes whether the j-th vulnerability can be repaired in the running state, and rt_j denotes the reboot time for repairing the j-th vulnerability.
3. The game-theory-based network attack risk control method according to claim 1, characterised in that in step S11 the quantification standard of each parameter is as follows:
Asset importance level: a value with one decimal place; the maximum asset importance is 1 and the minimum is 0;
Asset confidentiality level: a value with one decimal place; the maximum asset confidentiality is 1 and the minimum is 0;
Asset integrity level: a value with one decimal place; the maximum asset integrity is 1 and the minimum is 0;
Asset availability level: a value with one decimal place; the maximum asset availability is 1 and the minimum is 0.
4. The game-theory-based network attack risk control method according to claim 1, characterised in that in step S12 the quantification standard of each parameter is as follows:
CVSS score of the vulnerability: a value with one decimal place; the final score of the vulnerability is at most 10 and at least 0;
Attack complexity of the vulnerability: represented by three values, 1 indicating low attack complexity, 2 medium attack complexity, and 3 high attack complexity;
Impact of the vulnerability on host confidentiality: represented by three values, 1 indicating no impact on the confidentiality of the system, 2 some impact on the confidentiality of the system, and 3 complete impact on confidentiality;
Impact on host integrity: represented by three values, 1 indicating no impact on the integrity of the system, 2 some impact on the integrity of the system, and 3 complete impact on integrity;
Impact of the vulnerability on host availability: represented by three values, 1 indicating no impact on the availability of the system, 2 some impact on the availability of the system, and 3 complete impact on availability;
Network environment required to attack the vulnerability: represented by two values, 1 indicating that only network connectivity is required and no other additional condition, and 2 indicating that physical access or a local account is required;
Whether the vulnerability can be repaired in the running state: represented by two values, 0 indicating that it cannot be repaired in the running state and 1 indicating that it can;
Reboot time for repairing the vulnerability: a number in seconds giving the duration of the reboot required.
5. The game-theory-based network attack risk control method according to claim 1, characterised in that step S3 specifically comprises the following steps:
Step S31: merge the vulnerabilities with the same IP in the vulnerability graph into one node, retaining the CVE numbers of the vulnerabilities under that IP in the order in which they are connected;
Step S32: associate with one another the host nodes of two different IPs that are linked by vulnerabilities, obtaining the connection layer of the host-layer IPs, i.e. the host attack risk diffusion graph.
6. The game-theory-based network attack risk control method according to claim 1, characterised in that in step S4 the calculation of the attack income of each host node specifically comprises the following steps:
Step S4A1: from the asset information of this host IP node and all vulnerability information on this node, calculate the attack effect income, denoted ae';
Step S4A2: from the asset information of this host IP node and all vulnerability information on this node, calculate the attack response cost, denoted ap';
Step S4A3: calculate the attack income ae_k of the host with IP = k as the attack effect income minus the attack response cost, i.e. ae_k = ae' - ap'.
7. The game-theory-based network attack risk control method according to claim 1, characterised in that in step S4 the calculation of the defence income of each host node specifically comprises the following steps:
Step S4B1: from the asset information of this host IP node and all vulnerability information on this node, calculate the defence effect income, denoted de';
Step S4B2: from the asset information of this host IP node and all vulnerability information on this node, calculate the defence response cost, denoted dp';
Step S4B3: calculate the defence income de_k of the host with IP = k as the defence effect income minus the defence response cost, i.e. de_k = de' - dp'.
8. The game-theory-based network attack risk control method according to claim 1, characterised in that step S5 specifically comprises the following steps:
Step S51: traverse all nodes in the attack risk diffusion graph to obtain all nodes that have not been attacked;
Step S52: for every node found by the traversal to be not yet attacked, take that node as the starting point and perform a breadth-first traversal to obtain the set of its successor nodes; the set obtained with node i as the starting point is denoted ptn_i;
Step S53: from the attack status information, the node attack income, the node defence income and the ptn_i obtained in step S52, calculate the game defence income of each node that has not been attacked, denoted gt_i.
9. The game-theory-based network attack risk control method according to claim 7, characterised in that in step S53 the game defence income gt_i of each node that has not been attacked is calculated as follows:
where
In the formula, variable n is the number of nodes in ptn_i, variable m is the number of all predecessor nodes of the node being calculated, and w_j is the connection weight between the j-th predecessor node and the node being calculated.
10. The game-theory-based network attack risk control method according to claim 1, characterised in that step S7 specifically comprises the following steps:
Step S71: for the selected optimum defence node, judge whether the number of CVE vulnerabilities on this node that can be repaired in the running state is greater than the total number of CVE vulnerabilities on this node; if so, notify the security administrator that online vulnerability repair can be carried out, otherwise go to step S72;
Step S72: for the selected optimum defence node, judge whether the node itself is a critical asset; if so, go to step S73; if not, judge whether the critical assets among the node's neighbouring nodes still have remaining communication connections; if so, close this IP and remind the security administrator to carry out offline vulnerability repair; if not, raise the highest-level alarm and contact security emergency personnel to take the relevant measures immediately;
Step S73: judge whether the attacked nodes on the periphery hold critical asset information; if not, cut off all connections between the attacked peripheral nodes and this node and send a notice; if there is critical asset information, notify the administrator to carry out further handling.
11. A system based on the game-theory-based network attack risk control method according to any one of claims 1 to 9, characterised by comprising a memory and a processor, where the memory stores method instructions for steps S1 to S9 and the processor executes the method instructions stored in the memory at run time.
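The following is an added worked example, not the patent's own code, showing how steps S3, S4 and S51 to S52 of the method (embodiment and claims 1, 5 to 8 above) can be realised in Python: a vulnerability graph is collapsed onto host IPs, the incomes ae_k = ae' - ap' and de_k = de' - dp' are computed per host, and for every node that has not been attacked the successor set ptn_i is obtained by breadth-first traversal, together with the predecessor count m and the connection weights w_j that the claims name as inputs to gt_i. The data model, the sample network, the edge weights and the summing of weights when several vulnerability pairs link the same two hosts are assumptions of the example; the formula combining these quantities into gt_i is not written out here, so the example stops at its inputs.

```python
# Added example (not the patent's code): host-IP attack-risk diffusion graph
# (step S3), per-host attack/defence income (step S4) and the BFS successor
# sets plus predecessor weights that step S5 consumes. The data model, weights
# and sample network below are assumptions made for illustration.
from collections import deque

# --- constructed sample input (assumed) ----------------------------------
# Vulnerability graph: node = CVE instance on a host; edge (A, B, w) means
# exploiting A satisfies a precondition of B, with assumed connection weight w.
VULN_HOST = {
    "CVE-A": "10.0.0.1", "CVE-B": "10.0.0.1",
    "CVE-C": "10.0.0.2", "CVE-D": "10.0.0.3", "CVE-E": "10.0.0.4",
}
VULN_EDGES = [("CVE-A", "CVE-B", 1.0), ("CVE-B", "CVE-C", 0.8),
              ("CVE-A", "CVE-D", 0.5), ("CVE-C", "CVE-E", 0.7),
              ("CVE-D", "CVE-E", 0.6)]
# Per-host attack status and the four income components ae', ap', de', dp'.
HOSTS = {
    "10.0.0.1": {"attacked": True,  "ae": 8.0, "ap": 2.0, "de": 6.0, "dp": 3.0},
    "10.0.0.2": {"attacked": False, "ae": 5.0, "ap": 1.0, "de": 7.0, "dp": 2.0},
    "10.0.0.3": {"attacked": False, "ae": 4.0, "ap": 1.5, "de": 5.0, "dp": 1.0},
    "10.0.0.4": {"attacked": False, "ae": 9.0, "ap": 3.0, "de": 9.0, "dp": 4.0},
}

def host_graph(vuln_host, vuln_edges):
    """Step S3 (S31/S32): collapse the vulnerability graph onto host IPs.
    Vulnerabilities on the same IP merge into one node (the A->B edge inside
    10.0.0.1 disappears); an edge between vulnerabilities on two different IPs
    becomes a weighted host edge, weights summed if several pairs link the
    same two hosts (assumed rule). Returns (successors, predecessors)."""
    edges = {}
    for src, dst, w in vuln_edges:
        hs, hd = vuln_host[src], vuln_host[dst]
        if hs != hd:
            edges[(hs, hd)] = edges.get((hs, hd), 0.0) + w
    succ, pred = {}, {}
    for (hs, hd), w in edges.items():
        succ.setdefault(hs, []).append(hd)
        pred.setdefault(hd, []).append((hs, w))
    return succ, pred

def attack_income(h):
    """Step S4A3: ae_k = ae' - ap'."""
    return h["ae"] - h["ap"]

def defence_income(h):
    """Step S4B3: de_k = de' - dp'."""
    return h["de"] - h["dp"]

def successor_set(start, succ):
    """Step S52: breadth-first traversal from `start`; returns ptn_i.
    The `seen` set makes it terminate on cyclic host graphs as well."""
    seen, queue = set(), deque([start])
    while queue:
        u = queue.popleft()
        for v in succ.get(u, ()):
            if v != start and v not in seen:
                seen.add(v)
                queue.append(v)
    return seen

def game_inputs(hosts, vuln_host, vuln_edges):
    """Steps S51-S53, inputs only: for every host not yet attacked collect
    ptn_i, n = |ptn_i|, m = number of predecessors with their weights w_j,
    which predecessors are already attacked, and the host's own incomes.
    The weighting formula for gt_i is not given here, so it is not applied."""
    succ, pred = host_graph(vuln_host, vuln_edges)
    out = {}
    for ip, h in hosts.items():
        if h["attacked"]:
            continue                      # step S51 keeps unattacked nodes only
        ptn = successor_set(ip, succ)
        preds = pred.get(ip, [])
        out[ip] = {
            "ptn": ptn, "n": len(ptn),
            "m": len(preds), "w": [w for _, w in preds],
            "attacked_preds": [p for p, _ in preds if hosts[p]["attacked"]],
            "ae": attack_income(h), "de": defence_income(h),
        }
    return out

if __name__ == "__main__":
    for ip, row in sorted(game_inputs(HOSTS, VULN_HOST, VULN_EDGES).items()):
        print(ip, row)
```

In the sample network 10.0.0.1 is the only attacked host; 10.0.0.2 and 10.0.0.3 each have it as their single predecessor, and 10.0.0.4 has two unattacked predecessors and no successors, so its ptn_i is empty while its m is 2.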
CN201910403448.0A 2019-05-15 2019-05-15 Game theory-based network attack risk control method and system Active CN110138778B (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN201910403448.0A CN110138778B (en) 2019-05-15 2019-05-15 Game theory-based network attack risk control method and system

Publications (2)

Publication Number Publication Date
CN110138778A true CN110138778A (en) 2019-08-16
CN110138778B CN110138778B (en) 2020-05-08

Family

ID=67574292

Country Status (1)

Country Link
CN (1) CN110138778B (en)

Citations (5)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN101420442A (en) * 2008-12-11 2009-04-29 北京航空航天大学 Network security risk evaluation system based on game theory
CN101808020A (en) * 2010-04-19 2010-08-18 吉林大学 Intrusion response decision-making method based on incomplete information dynamic game
CN101820413A (en) * 2010-01-08 2010-09-01 中国科学院软件研究所 Method for selecting optimized protection strategy for network security
CN101834858A (en) * 2010-04-16 2010-09-15 北京工业大学 Trust and replacement-based privacy information protection method in data sharing
CN108512837A (en) * 2018-03-16 2018-09-07 西安电子科技大学 A kind of method and system of the networks security situation assessment based on attacking and defending evolutionary Game

Non-Patent Citations (2)

* Cited by examiner, † Cited by third party
Title
Yezekael Hayel et al.: "Attack-Aware Cyber Insurance for Risk Sharing in Computer Networks", Springer *
Jiang Wei et al.: "Research on defence strategy selection based on an attack-defence stochastic game model", Journal of Computer Research and Development *

Cited By (3)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN111162945A (en) * 2019-12-30 2020-05-15 中国移动通信集团江苏有限公司 Method, device, equipment and storage medium for determining alarm association relationship
CN111162945B (en) * 2019-12-30 2022-08-12 中国移动通信集团江苏有限公司 Method, device, equipment and storage medium for determining alarm association relationship
CN112163753A (en) * 2020-09-22 2021-01-01 杭州安恒信息技术股份有限公司 Asset risk assessment method, device, computer equipment and storage medium

Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination
GR01 Patent grant