CN110138788A - A quantitative evaluation method for vulnerability attack cost based on a depth index - Google Patents
- Publication number: CN110138788A
- Application number: CN201910417526.2A
- Authority: CN (China)
- Prior art keywords: attack, path, cost, node, vulnerability
- Legal status: Granted
Classifications
- H—ELECTRICITY > H04—ELECTRIC COMMUNICATION TECHNIQUE > H04L—TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION > H04L41/00—Arrangements for maintenance, administration or management of data switching networks, e.g. of packet switching networks > H04L41/14—Network analysis or design > H04L41/145—Network analysis or design involving simulating, designing, planning or modelling of a network
- H—ELECTRICITY > H04—ELECTRIC COMMUNICATION TECHNIQUE > H04L—TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION > H04L63/00—Network architectures or network communication protocols for network security > H04L63/14—Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic > H04L63/1433—Vulnerability analysis
- H—ELECTRICITY > H04—ELECTRIC COMMUNICATION TECHNIQUE > H04L—TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION > H04L63/00—Network architectures or network communication protocols for network security > H04L63/20—Network architectures or network communication protocols for network security for managing network security; network security policies in general
Abstract
The invention belongs to the field of vulnerability attack technology and provides a quantitative evaluation method for vulnerability attack cost based on a depth index. The procedure is as follows: generate a network model for the network under attack and define an attack graph model; from the network model and the attack graph model, generate the vulnerability attack graph with an attack graph generation algorithm; in the vulnerability attack graph, analyse the attack paths from the start node where the attack is launched to the target node and, when an attack path is a multi-branch path, account for the influence pe that alternative paths and forced paths have on a vulnerability node's attack cost when obtaining the path depth from the attacker to that node, then compute the attack cost of the vulnerability node; finally compute the accumulated attack cost up to the target node. By combining the attack path depth index, the invention assesses the attack cost of deeper vulnerability points on an attack path more accurately and provides a better basis for analysing actual attack processes and attack means.
Description
Technical field
The present invention relates to a quantitative evaluation method for vulnerability attack cost based on a depth index, and belongs to the technical field of vulnerability attacks.
Background technique
Based on Bayesian attack graphs, Gao Ni et al. [1] propose a dynamic risk assessment model. Li et al. [2] consider the elements and conditions that trigger a vulnerability attack graph from a more macroscopic viewpoint and propose a forward-search attack graph generation algorithm based on hypergraph partitioning. Wang L et al. [3] propose a network security metric that handles zero-day vulnerabilities. Jia Wei et al. [8] propose a network vulnerability assessment method based on network centrality. Yang et al. [4] propose a network security situation assessment method based on the multi-step characteristics of network attacks and a quantitative security-posture standard; it improves the accuracy with which a network security risk assessment system identifies attacks and potential risks, but it ignores the correlation analysis between the steps of a multi-step network attack. Because attackers can study vulnerabilities that are still undisclosed, the security challenge of zero-day attacks will always remain. Zhang et al. [5] address zero-day vulnerabilities and the key vulnerability points in a network.
In research on optimal attack paths in attack graphs, Dai Wenfang et al. [6], in their work on network security risk assessment based on attack graph theory, propose a depth-first path-finding scheme for the maximum-flow attack path and use it to analyse risk attack graphs; it consists of three parts, maximum-risk-flow computation, a path-search function and an augmenting-path ranking function, and has time complexity O(n^2), where n is the number of nodes in the attack graph. Yan Feng et al. [7] propose the concept of an optimal attack target subgraph and give a generation algorithm for correlated attack paths and for the target attack subgraph; the attack path generation algorithm has time complexity O(K^2 L), where K is the number of function invocations and L is the attack path length. Jia Wei et al. [8] propose a new way of computing the cost of attack paths in an attack graph and combine it with the classical Floyd algorithm for the minimum-attack-cost path between node pairs; the overall algorithm has time complexity O(n^3), where n is the number of nodes in the attack graph.
To obtain the optimal attack path in an attack graph, the vulnerability points or attack paths in the graph must be weighted, that is, evaluated quantitatively. The invention proposes a new depth-based quantitative evaluation method built on two ideas: the CVSS base score of a vulnerability, and the observation that the same vulnerability costs a different amount to attack at different depths of the attack path. Compared with earlier count-based metrics [9] and attack-difficulty-based metrics [10] it has clear advantages. Count-based metrics measure only the length of the attack path and the number of paths an attack needs, and do not account for the weight of the attacked node in the attack graph. Attack-difficulty-based metrics are mainly concerned with measuring attack resistance (the cost paid by different attackers) and probabilistic security (the likelihood that a vulnerability is exploited by an attacker), but this difficulty index is still mostly qualitative, with no precise quantitative evaluation method; it depends mainly on expert knowledge and is measured against traditional experience.
Earlier techniques for quantitatively evaluating the vulnerability points in a vulnerability attack graph mostly assessed an attack path by its length, its node count or its attack difficulty. Using attack distance alone targets only the length of the attack path and ignores the weight of the attacked nodes, whereas in a real network system the cost an attacker pays differs completely from one vulnerability to another. The main shortcoming of difficulty-based metrics is that they too rest mostly on expert knowledge, cannot be evaluated with real precision, and rely too heavily on human judgement.
The key assets of a network system are mostly protected by a well-designed architecture and strong security policies, so directly attacking the core security area (for example a militarised zone) through a vulnerability makes it hard to gather the preconditions a direct attack needs (for example user interaction or the required privilege). The proposed evaluation method can effectively compute the attack cost when the attack target lies deep in the network. For an exploitable vulnerability, the attacker must first locate it in the network; the problem studied in the method is that the required attack cost rises steadily with the distance between the attacker and the vulnerability rather than staying fixed, that is, the attacker needs more attack cost to complete a deeper attack. For the node at the start of an attack path, whose vulnerability only needs the initial attack conditions, the required attack cost is relatively small; for a deeper node on the path, the same vulnerability costs more to attack, because more preconditions must be completed before it can be exploited, and the attack cost rises accordingly.
Summary of the invention
In view of this, the present invention provides a quantitative evaluation method for vulnerability attack cost based on a depth index. The method quantitatively evaluates the attack cost of the vulnerability nodes on the attack paths of a vulnerability attack graph and obtains the optimal attack path.
The technical scheme of the invention is as follows:
A quantitative evaluation method for vulnerability attack cost based on a depth index, with the following procedure:
Generate a network model for the network under attack and define an attack graph model;
From the network model and the attack graph model, generate the vulnerability attack graph with an attack graph generation algorithm;
In the vulnerability attack graph, analyse the attack paths from the start node where the attack is launched to the target node. When an attack path is a multi-branch path, the path depth pe from the attacker to a vulnerability node is obtained while taking into account the influence that alternative paths and forced paths have on that node's attack cost; the attack cost of the vulnerability node is then De = de * pe, where de is the pure attack difficulty excluding the effect of the depth at which the vulnerability point sits. Finally the accumulated attack cost up to the target node is computed.
Further, an alternative path is defined as follows: if a vulnerability node can be attacked by traversing any one of several paths in the attack graph, then one of those paths necessarily has the minimum attack cost; this minimum-cost path together with the other attack paths are called the alternative paths of that vulnerability point, and the paths stand in a disjunction (OR) relation.
Further, a forced path is defined as follows: if a vulnerability point can only be attacked after all of several attack paths in the attack graph have been traversed, then one of those paths necessarily has the highest attack cost; this highest-cost path together with the other attack paths are called the forced paths of that vulnerability point, and the paths stand in a conjunction (AND) relation.
Further, when the vulnerability node is the separation point of alternative paths, the path depth pe from the attacker to the vulnerability node is computed as follows:
where $p_{min}$ denotes the distance from the start node to the separation node along the attack path, $D_{p\_min}$ denotes the attack cost of the minimum-cost attack path among all alternative paths reaching the separation node, n denotes the number of alternative paths reaching the separation node, and $D_{p_i}$ denotes the attack cost of each alternative path.
Further, when the vulnerability node is the junction point of forced paths, the path depth pe from the attacker to the vulnerability node is computed as follows:
where $p_{max}$ denotes the distance from the start node to the junction node along the attack path, $D_{p\_max}$ denotes the attack cost of the maximum-cost attack path among all forced paths reaching the junction node, $D_{p_i}$ denotes the attack cost of each forced path, and n denotes the number of forced paths reaching the junction node.
Further, de is the normalised score that the CVSS common vulnerability scoring system assigns to each vulnerability point, where BS is the base score of the vulnerability in the CVSS assessment system;
the attack cost evaluation formula for a vulnerability node on alternative paths in a disjunction relation is as follows:
the attack cost evaluation formula for a vulnerability node on forced paths in a conjunction relation is as follows:
Further, the accumulated cost formula for a vulnerability point where alternative paths in a disjunction relation converge is as follows:
The accumulated cost formula for a vulnerability point where forced paths in a conjunction relation converge is as follows:
For an attack path containing alternative paths in a disjunction relation, the attack cost of the path is
$D_{p_n} = D_{p_{n-1}} + D_{e_n}$, where $D_{e_n}$ is $D_{ep\_dis}$;
For an attack path containing forced paths in a conjunction relation, the attack cost of the path is
$D_{p_n} = D_{p_{n-1}} + D_{e_n}$, where $D_{e_n}$ is $D_{ep\_con}$.
Further, if the path is a simple unbranched path, the attack cost of the attack path is the sum of the attack costs of all vulnerability nodes attacked from the point where the attacker launches the attack up to the target node, $D_{p_n} = \sum_{i=1}^{n} D_{e_i}$, where $D_{e_i}$ is the attack cost required for each vulnerability node on the path;
where BS is the base score of the vulnerability in the CVSS assessment system, and pe is computed iteratively from the number of vulnerabilities attacked along the path.
Beneficial effect
When evaluating the attack cost of vulnerability points in an attack graph, this quantitative vulnerability evaluation method matches real attack scenarios: combined with the attack path depth index, it assesses the attack cost of deeper vulnerability points on an attack path more accurately and provides a better basis for analysing actual attack processes and attack means.
Brief description of the drawings
Fig. 1 is an example topology of a small network system;
Fig. 2 is a schematic comparison of two cases, (a) the case A > B and (b) the case A < B;
Fig. 3 is a line chart of the results of the shortest-path-based evaluation method;
Fig. 4 is a line chart of the results of the attack-probability-based evaluation method;
Fig. 5 is a line chart of the results of the attack-resistance-based evaluation method;
Fig. 6 is a line chart of the results of the depth-index-based evaluation method of this embodiment;
Fig. 7 is a line chart comparing the rate of change of the results of the attack-resistance-based evaluation method;
Fig. 8 is a line chart comparing the rate of change of the results of the depth-index-based evaluation method of this embodiment.
Detailed description
To make the objectives, technical scheme and advantages of the embodiments of the invention clearer, the technical scheme of the embodiments is described clearly and completely below with reference to the drawings.
The invention first describes the network model used, giving the topology of the network model and its textual definition. Next, for the generation of the attack graph from the network model, an attack graph model is defined and an attack graph generation algorithm based on matching relations is proposed; the algorithm has the favourable time complexity O(m*n), where m is the number of attack instances in As of the attack graph model and n is the number of attacked vulnerability nodes generated. The innovative part of the invention is then presented: the vulnerability node information in the attack graph is evaluated quantitatively with the depth-index method, split into the measurement of vulnerability node attack cost on simple unbranched attack paths and on complex multi-branch attack paths. For the latter problem, the disjunction and conjunction relations between attack paths are introduced, together with the concepts of the separation point of alternative paths and the junction point of forced paths; two different formulas are given for attack paths of the two relation types, and the calculation method is explained in detail with an example.
Generation of the network model
Network structures differ from one environment to another and are mostly complex and diverse. To make the subsequent quantitative evaluation of the vulnerability attack nodes on the attack paths of the graph more accurate, the model the invention builds for a network system covers the key information of that system, mainly: host information, the communication information between hosts, the vulnerability information present in the system, and the attack information. The modelled description of this network information supplies the input parameters for generating the vulnerability attack graph; in other words, the network element modelling is the foundation of the subsequent vulnerability attack graph generation and, even more, of the attack path cost evaluation in the attack graph.
Fig. 1 shows a small network system with three different hosts and a firewall. Different services and software run on the hosts; host H2 runs the HTTP service, the Apache service and the MySQL database service, and the MySQL database is the key asset of the whole network system. An attacker wants to break into the network from the external Internet and tries to obtain root privilege on Host2 in order to operate freely on the MySQL database. The connection relations in the network system are listed in the table below, where the connection access policy is controlled mainly by the firewall (Firewall).
The attacker resides on the attack surface and intends to intrude into the small network from the external network. The service running on host H0 is the IIS Web service; under the firewall's access restriction policy, H, H1 and H2 can reach H0 through the IIS Web service. The service running on host H2 is the SSH service; likewise, under the firewall's access restriction policy, H0 and H1 can reach H2 through SSH, while for the attack surface H the port is not open, so H cannot reach H2 directly. Host H2 also runs the MySQL DB service; H0 and H2 can reach host H1 through the HTTP/Apache service, and for the attack surface H the port is not open, so H cannot reach H1 directly. H0, H1 and H2 can reach the attack host H through any open port, but this access is of no help to the attacker.
The network model in the invention comprises: 1. the sets of hosts H, services S and privileges P; 2. a host H may run one or more services or software packages and possesses several user privileges and one administrator privilege; 3. the connection relations between hosts, denoted Conn, which include both the hierarchical relations between hosts and the semantic connection relations between them.
Generation of the attack graph model
The vulnerability attack graph model in the invention is described by the five-tuple G = (V, E, As, N, Vs). V is the set of all vulnerability nodes in the vulnerability attack graph, initially empty; E is the set of directed edges of the constructed directed attack graph, containing the connections between all vulnerability nodes, also initially empty; N = (H, C) is the network model, where H is the set of hosts, the services running on the hosts and the potentially exploitable vulnerabilities in those services, represented by the triple {hid, svc, vid}: hid is the host number, that is, its identifier, svc is the service or software installed or running on the host, and vid is the identifier of the vulnerability present in the corresponding service; C is the connection relation between hosts in the network, including the hierarchical relations and the semantic connection relations between hosts. As is the set of attack behaviours; each attack a ∈ As is described by the six-tuple a = (id, h, v, pro, post, cost), where id is the identifier of the attack, h is the attacking host that launches it, v is the vulnerability attribute node, pro is the precondition of attack a, post is the result of attack a, and cost is the attack cost spent on attacking vulnerability node v; because the attack cost is what the evaluation computes, the cost of each attack is initialised to 0. Vs is the set of vulnerabilities in the network system, namely the vulnerabilities an attacker can exploit in that system.
Generation of the vulnerability attack graph
The relevant vulnerability attack graph is generated from the small network system model and the attack graph model. The prerequisite for generating the graph is to obtain the relevant vulnerabilities present in the network system that an attacker can exploit and store them in Vs. The invention uses conventional scanning tools to scan the hosts of the network system for vulnerability points; such tools can usually scan the whole network system quickly and automatically for security vulnerabilities, open ports and similar information. Common scanners of this kind include Nessus, AWVS, ISS and Nmap. Next the connection relations between the hosts that carry vulnerabilities are obtained, the attack patterns are instantiated, and all attack instances that may exist in the network system are generated and stored in As.
Table 1 below lists the vulnerabilities present in the services running on the hosts of the network system: the host name, the service running on the host, the vulnerability in that service, its type and name, and the CVSS base score of each vulnerability.
Table 1 Services and vulnerabilities of the network system hosts
From the vulnerabilities and vulnerability types of the services running on the hosts, combined with the connection relations between the hosts, As can be instantiated as follows:
{<a1, h0, n1, User_0, CVE-2010-2370, Root_0, 0>;
<a2, h0, n2, Root_0, CVE-2018-17153, Root_1, 0>;
<a3, h0, n3, Root_0, CVE-2008-3234, User_2, 0>;
<a4, h1, n4, Root_1, CVE-2006-3368, User_2, 0>;
<a5, h2, n5, User_2, CVE-2007-5616, Root_2, 0>}
The main steps of the algorithm are: matching the attack instances in As against the vulnerability point attribute nodes, and generating the attack nodes and edges of the attack graph.
The time complexity of the algorithm is O(m*n), where m is the number of attack instances in As and n is the number of attacked vulnerability nodes generated: each newly generated vulnerability node causes the GenerateGraph() function to be called once more, n times in total, so the overall time complexity of the attack graph generation algorithm is O(m*n), determined by the number of attack instances in As and the number of newly generated vulnerability nodes, which is more efficient than traditional attack graph generation algorithms.
Evaluation of attack cost in the attack graph
(1) Simple unbranched paths
First, for the measurement of a single attacked node on an attack path by the attack depth index, this embodiment defines its attack cost as De. De depends mainly on two factors: de, the pure attack difficulty excluding the effect of the depth at which the vulnerability point sits, and pe, the path depth from the attacker to the vulnerability node on this attack path. de is the pure attack difficulty of the vulnerability assessed with the CVSS standard scoring system; pe is computed iteratively from the number e of vulnerabilities attacked along the path, counting the e-th vulnerability node itself, that is, the number of vulnerabilities the attacker attacks from launching the attack up to and including the vulnerability point e on the whole attack path. The attacker is assumed to be located outside the internal network. The attack cost De of a vulnerability node on the attack path is bounded by the values of de and pe and grows as they grow, so we set De = de * pe, so that De is positively correlated with both de and pe. de is a normalised score assigned to each vulnerability by the CVSS common vulnerability scoring system, where BS is the base score of the vulnerability in the CVSS assessment system. The CVSS score corresponds to vulnerability e: a higher CVSS score means the vulnerability is more dangerous, more likely to be used in an attack and easier to attack, which is taken into account when computing De. The attack cost of the whole attack path is computed by iterative accumulation, $D_{p_n} = \sum_{i=1}^{n} D_{e_i}$, where $D_{p_n}$ is the sum of the attack costs of all vulnerabilities attacked on the path from the attacker launching the attack up to the target node, and $D_{e_i}$ is the attack cost required for each vulnerability node on the path.
(2) Complex multi-branch paths
In an attack graph a vulnerability node may be reachable in turn along different attack paths. As the state graph grows, the more substitute attack paths can reach a vulnerability node, the lower the security of that target node becomes. Conversely, if a vulnerability node can only be attacked after several forced paths have been attacked, the more such paths there are, the higher the security of the vulnerability node. The security of the vulnerability node is also bounded by its distance from the attacker. The invention therefore adds the influence of alternative paths and forced paths on the vulnerability node's attack cost into the computation of pe, that is, the depth index is used to compute the size of the attack cost of attacking that state node.
Alternative paths: if a vulnerability node can be attacked by traversing any one of several paths in the attack graph, then one of those paths necessarily has the minimum attack cost; this minimum-cost path together with the other attack paths are called the alternative paths of that vulnerability point, and the paths stand in a disjunction relation.
Forced paths: if a vulnerability point can only be attacked after all of several attack paths in the attack graph have been traversed, then one of those paths necessarily has the highest attack cost; this highest-cost path together with the other attack paths are called the forced paths of that vulnerability point, and the paths stand in a conjunction relation.
The following formula computes the value of pe when the state node is the separation point of alternative paths:
Computing the pe value of an attacked vulnerability node on alternative paths in this disjunction relation relies on the results computed before the node. In the formula, $p_{min}$ is the distance from the start node to the separation node along the attack path, and $D_{p\_min}$ is the attack cost of the minimum-cost attack path among all alternative paths reaching the separation node. $Ave_{min}$ in the formula is determined by the following formula:
where $D_{p_i}$ is the attack cost of each alternative path and $\sum D_{p_i}$ is the sum of the attack costs of all substitute attack paths. $D_{p\_min}/Ave_{min}$ divides the attack cost of the cheapest alternative path by the mean attack cost of the other alternative paths, to determine how strongly the other substitute attack paths influence the minimum-cost path. If the mean of the other substitute paths is close to the minimum-cost path, the ratio is close to 1, which shows that several low-cost attack paths reach the separation node, that the security of the vulnerability point is correspondingly lower, and that the cost of attacking it falls. Conversely, the smaller the ratio, the more the mean of the other substitute paths differs from the minimum-cost path, the higher the security of the vulnerability point, and the higher the cost of attacking it. The remaining term in the formula is a transformation of $D_{p\_min}/Ave_{min}$ and expresses the probability that the minimum-cost attack path is chosen over the other paths.
The following formula computes the value of pe when the state node is the junction point of forced paths:
Computing the pe value of an attacked vulnerability node on forced paths in this conjunction relation likewise relies on the results computed before the node. In the formula, $p_{max}$ is the distance from the start node to the junction node along the attack path; because of the conjunction relation, the attack depth of the next node is computed from $(p_{max}+1)$. $D_{p\_max}$ is the attack cost of the maximum-cost attack path among all forced paths reaching the junction node. $Ave_{max}$ in the formula is computed as follows:
where $D_{p_i}$, for the different i, is the attack cost of the different forced paths, and $\sum D_{p_i}$ is the sum of the attack costs of all forced attack paths. $D_{p\_max}/Ave_{max}$ divides the attack cost of the most expensive forced path by the mean attack cost of the other forced paths, to determine how strongly the other forced attack paths influence the maximum-cost path. If the mean of the other forced paths is close to the maximum-cost path, the ratio is close to 1, which shows that the attack costs of the other forced paths reaching the junction node are close to the maximum attack cost, that the security of the vulnerability point is correspondingly higher, and that the cost of attacking it rises; conversely, the smaller the ratio, the less the other forced attack paths influence the maximum-cost path, and the easier the vulnerability point is to attack. The remaining term in the formula is a transformation of $D_{p\_max}/Ave_{max}$ and expresses the probability of attacking along the hardest attack path relative to the other paths.
The attack cost evaluation formula for a vulnerability node on alternative paths in a disjunction relation is therefore as follows:
The attack cost evaluation formula for a vulnerability node on forced paths in a conjunction relation is therefore as follows:
The accumulated cost formula for a vulnerability point where alternative paths in a disjunction relation converge is as follows:
The accumulated cost formula for a vulnerability point where forced paths in a conjunction relation converge is as follows:
Therefore, when computing the attack cost of an attack path, the cost is accumulated along the path. For an attack path containing alternative paths in a disjunction relation, the attack cost of the path is $D_{p_n} = D_{p_{n-1}} + D_{e_n}$ with $D_{e_n} = D_{ep\_dis}$; for an attack path containing forced paths in a conjunction relation, the attack cost of the path is $D_{p_n} = D_{p_{n-1}} + D_{e_n}$ with $D_{e_n} = D_{ep\_con}$.
The embodiment of the present invention is applied in network model based on the fragility node evaluation method of depth index, in generation
In fragility attack graph, the attack cost value that each tender spots has in attack graph different location is obtained, is that node is attached
There is the attack graph of weight, to lay a good foundation subsequently with respect to the research for finding optimal attack path.
Example
First, to show that the attack cost differs when the same vulnerability sits at different attack depths in an attack path, the embodiment, without loss of generality, uses a simple comparison experiment on a path without branches. The number of vulnerabilities on the path is set to n; the CVSS scores of (n-1) of them are set to A and the score of the remaining one to B. Only the cases A > B and A < B are discussed here, since for A = B the position of B has no effect on the depth-index-based attack cost calculation.
The following figures show, for four different evaluation methods at the same path length (path length 5), the attack cost evaluated when the vulnerability is placed at different depths. Comparative experiments are run for the two relative sizes of the base scores of vulnerabilities A and B, namely A > B (A = 5; B = 2) and A < B (A = 5; B = 8). The results are shown in Figure 2:
The ordinate of the line chart is the attack cost obtained with the different evaluation methods; the abscissa is the depth position of vulnerability B in the attack path (for ease of observation, an attack path of length 5 is shown). It can be clearly seen from the line chart that the depth-index-based quantitative evaluation method for vulnerable points on an attack path proposed in this embodiment solves the practical problem that the same vulnerability located at different attack depths has a different attack cost, and provides a good reference for vulnerability protection in network systems.
Secondly, the embodiment varies the path length of the attack path and obtains the results produced by each evaluation method for the different path lengths; the experimental data are shown in the following table:
In the data calculation the index and calculation method of each evaluation method are applied respectively; Figures 3 to 6 show the results of the four evaluation methods as line charts, as follows:
From the four evaluation methods it can be seen that: for the shortest-path-based method, the attack cost depends only on the path length, with which it is positively correlated, and the influence of the vulnerability itself on the attack cost is not considered. For the attack-probability-based method, as the path length increases the probability of attacking the target node becomes smaller and smaller, i.e. the target is harder to attack, but this method relies excessively on expert knowledge. For the attack-resistance-based method, the attack resistance increases with the path length of the attack path, which agrees with reality, but compared with the depth-index-based attack cost evaluation method it does not incorporate the depth index of the attacked node. Comparing the slopes of the broken lines in the two figures shows that, for the attack-resistance-based method, a change in attack depth has a less pronounced effect on the attack cost than in the depth-index-based method. From the actual attack process it is known that for a short path an increase in path length has a small effect on the attack cost, whereas for a long path an increase in path length has a large effect; in the line chart this appears as a small slope in the front part of the broken line and a slope that grows comparatively as the path length increases. The depth-index-based evaluation method therefore reflects well how the actual attack cost is influenced by path depth, whereas the attack-resistance-based method cannot adequately reflect the degree to which the attack cost in an actual attack process is influenced by node depth. This can be confirmed by detailed analysis of Figures 7 and 8 of the experiment.
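The cumulative cost rule Dp_n = Dp_(n-1) + De_n with De = de*pe, the Dp_min/Ave_min and Dp_max/Ave_max ratios at split and join points, and the A/B depth experiment described above, worked through in Python. This is an added example, not code from the patent: the page gives the structure of the calculation but not the closed forms of de, pe or the probability transformation of the ratios, so `de_from_cvss` (base score divided by 10) and `depth_factor` (linear growth with depth) are assumptions, as is defining Ave_min by analogy with the page's Ave_max. The path costs passed to the ratio functions are constructed sample values.

```python
"""Depth-indexed attack cost on an attack path (added example, see lead-in).

ASSUMPTIONS (the page does not give these closed forms):
  - de_from_cvss: de = CVSS base score / 10
  - depth_factor: pe = 1 + alpha * depth (cost grows with depth)
  - Ave_min is defined like the page's Ave_max: mean cost of the *other* paths
"""


def de_from_cvss(base_score: float) -> float:
    """Pure attack difficulty de of one vulnerability, normalised from its
    CVSS base score BS. ASSUMED normalisation: BS / 10."""
    if not 0.0 <= base_score <= 10.0:
        raise ValueError("CVSS base score must lie in [0, 10]")
    return base_score / 10.0


def depth_factor(depth: int, alpha: float = 0.25) -> float:
    """Depth influence pe for a node at attack depth `depth` (1 = first hop).
    ASSUMED form: linear in depth, so deeper nodes cost more to reach."""
    if depth < 1:
        raise ValueError("attack depth starts at 1")
    return 1.0 + alpha * depth


def path_cost(base_scores) -> float:
    """Cumulative cost of a branch-free path: Dp_n = Dp_(n-1) + De_n,
    with De_n = de_n * pe_n for the n-th vulnerability on the path."""
    total = 0.0
    for depth, bs in enumerate(base_scores, start=1):
        total += de_from_cvss(bs) * depth_factor(depth)
    return total


def _mean_of_other_paths(costs, chosen: float) -> float:
    """Ave = (sum(Dp_i) - chosen) / (n - 1): mean cost of the paths other
    than the chosen one, as the page defines Ave_max."""
    if len(costs) < 2:
        raise ValueError("a split or join point needs at least two paths")
    ave = (sum(costs) - chosen) / (len(costs) - 1)
    if ave <= 0:
        raise ValueError("other paths must have positive attack cost")
    return ave


def alternative_ratio(costs) -> float:
    """Split point of alternative (disjunctive, OR) paths: Dp_min / Ave_min.
    Small values mean the cheapest path is far cheaper than the rest."""
    d_min = min(costs)
    return d_min / _mean_of_other_paths(costs, d_min)


def forced_ratio(costs) -> float:
    """Join point of forced (conjunctive, AND) paths: Dp_max / Ave_max.
    Values near 1 mean the other forced paths cost about as much as the
    most expensive one, i.e. the join point is comparatively well protected."""
    d_max = max(costs)
    return d_max / _mean_of_other_paths(costs, d_max)


def depth_experiment(a: float, b: float, n: int = 5):
    """Path of n vulnerabilities: n-1 with base score A and one with base
    score B. Returns the depth-indexed path cost for each position 1..n of B."""
    results = []
    for pos in range(1, n + 1):
        scores = [b if depth == pos else a for depth in range(1, n + 1)]
        results.append(path_cost(scores))
    return results


def shortest_path_cost(n: int) -> float:
    """Length-only baseline: the same value wherever B sits on the path."""
    return float(n)


if __name__ == "__main__":
    # Constructed inputs: A = 5, B = 2 (the page's A > B case), path length 5.
    for pos, cost in enumerate(depth_experiment(5, 2), start=1):
        print(f"B at depth {pos}: depth-indexed cost {cost:.3f}, "
              f"length-only cost {shortest_path_cost(5):.1f}")
    # Constructed sample costs of three paths meeting at one node.
    sample = [3.0, 4.0, 5.0]
    print(f"split-point ratio Dp_min/Ave_min = {alternative_ratio(sample):.3f}")
    print(f"join-point ratio  Dp_max/Ave_max = {forced_ratio(sample):.3f}")
```

With the assumed depth factor, moving vulnerability B deeper changes the path cost while the length-only baseline stays at 5 for every position, which is the effect the embodiment's Figure 2 is meant to show; with A = B every position yields the same cost, matching the page's statement that the position of B is then irrelevant.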
In conclusion, the above are merely preferred embodiments of the present invention and are not intended to limit the scope of the present invention. Any modification, equivalent replacement, improvement and the like made within the spirit and principles of the present invention shall be included within the protection scope of the present invention.
Claims (8)
1. A depth-index-based vulnerability attack cost quantitative evaluation method, characterized in that the detailed process is as follows:
generating a network model for the network to be attacked and defining an attack graph model;
generating a vulnerability attack graph from the network model and the attack graph model in combination with an attack graph generation algorithm;
in the vulnerability attack graph, analyzing the attack paths from the start node at which the attack is launched to the destination node; if an attack path is a multi-branch path, then when obtaining the path depth between the attacker and a vulnerability node, the influence pe that alternative paths and forced paths have on the attack cost of the vulnerability node is considered, and the attack cost of the vulnerability node is calculated as De = de*pe, where de denotes the pure attack difficulty excluding the effect of the depth at which the vulnerability is located; finally, the cumulative attack cost to the destination node is calculated.
2. The depth-index-based vulnerability attack cost quantitative evaluation method according to claim 1, characterized in that the alternative paths are as follows: if the purpose of attacking a certain vulnerability node in the attack graph can be reached via any one of multiple paths, then among these paths there certainly exists a path of minimum attack cost; this minimum-cost attack path together with the other attack paths is called the alternative paths for attacking that vulnerable point, and these attack paths are in a disjunctive relationship.
3. The depth-index-based vulnerability attack cost quantitative evaluation method according to claim 1 or 2, characterized in that the forced paths are as follows: if the purpose of attacking a certain vulnerability in the attack graph can only be reached by passing through all of multiple attack paths, then among these paths there certainly exists a path of highest attack cost; this highest-cost attack path together with the other attack paths is called the forced paths for attacking that vulnerable point, and these attack paths are in a conjunctive relationship.
4. The depth-index-based vulnerability attack cost quantitative evaluation method according to claim 2, characterized in that when the vulnerability node is the split point of alternative paths, the path depth pe between the attacker and the vulnerability node is as follows:
wherein p_min denotes the distance of the attacker along the attack path from the start node to the split node, Dp_min denotes, among all alternative paths, the cost of the minimum-cost attack path that can reach the split node, n denotes the number of all alternative paths reaching the split node, and Dp_i denotes the attack cost of the different alternative paths.
5. The depth-index-based vulnerability attack cost quantitative evaluation method according to claim 3 or 4, characterized in that when the vulnerability node is the join point of forced paths, the path depth pe between the attacker and the vulnerability node is as follows:
wherein p_max denotes the distance of the attacker along the attack path from the start node to the join point, Dp_max denotes, among all forced paths, the cost of the maximum-cost attack path that can reach the join point, Dp_i denotes the attack cost of the different forced paths, and n denotes the number of all forced paths reaching the join point.
6. The depth-index-based vulnerability attack cost quantitative evaluation method according to claim 5, characterized in that de is obtained by normalizing the score of each vulnerable point with the CVSS common vulnerability scoring system, where BS is the base score of the vulnerability in the CVSS vulnerability assessment system;
the attack cost evaluation formula for a vulnerability node on an alternative path in a disjunctive relationship is as follows:
the attack cost evaluation formula for a vulnerability node on a forced path in a conjunctive relationship is as follows:
7. The depth-index-based vulnerability attack cost quantitative evaluation method according to claim 6, characterized in that the cumulative cost formula for a vulnerable point at which alternative paths in a disjunctive relationship converge is as follows:
the cumulative cost formula for a vulnerable point at which forced paths in a conjunctive relationship converge is as follows:
for an attack path containing alternative paths in a disjunctive relationship, the attack cost of the attack path is:
Dp_n = Dp_(n-1) + De_n, where De_n is Dep_dis;
for an attack path containing forced paths in a conjunctive relationship, the attack cost of the attack path is:
Dp_n = Dp_(n-1) + De_n, where De_n is Dep_con.
8. The depth-index-based vulnerability attack cost quantitative evaluation method according to claim 1, characterized in that if there is no branch path in the path, the attack cost of the attack path is the sum of the attack costs of all vulnerability nodes attacked from the moment the attacker launches the attack until the target node is attacked, where De_i is the attack cost required for each vulnerability node on the path;
wherein BS is the base score of the vulnerability in the CVSS vulnerability assessment system, and pe is calculated iteratively from the number of vulnerabilities attacked on the path.
Priority Applications (1)
Application Number | Priority Date | Filing Date | Title |
---|---|---|---|
CN201910417526.2A CN110138788B (en) | 2019-05-20 | 2019-05-20 | Vulnerability attack cost quantitative evaluation method based on depth index |
Applications Claiming Priority (1)
Application Number | Priority Date | Filing Date | Title |
---|---|---|---|
CN201910417526.2A CN110138788B (en) | 2019-05-20 | 2019-05-20 | Vulnerability attack cost quantitative evaluation method based on depth index |
Publications (2)
Publication Number | Publication Date |
---|---|
CN110138788A true CN110138788A (en) | 2019-08-16 |
CN110138788B CN110138788B (en) | 2020-07-10 |
Family
ID=67571443
Family Applications (1)
Application Number | Title | Priority Date | Filing Date |
---|---|---|---|
CN201910417526.2A Active CN110138788B (en) | 2019-05-20 | 2019-05-20 | Vulnerability attack cost quantitative evaluation method based on depth index |
Country Status (1)
Country | Link |
---|---|
CN (1) | CN110138788B (en) |
Cited By (9)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
CN110889117A (en) * | 2019-11-28 | 2020-03-17 | 支付宝(杭州)信息技术有限公司 | Method and device for defending model attack |
CN110930005A (en) * | 2019-11-14 | 2020-03-27 | 华东师范大学 | Automatic driving expected function safety hazard assessment method based on zero-day loophole |
CN111262878A (en) * | 2020-02-12 | 2020-06-09 | 华北电力大学 | Vulnerability analysis method for safety-level digital instrument control system of nuclear power plant |
US20210012012A1 (en) * | 2019-07-12 | 2021-01-14 | Palo Alto Research Center Incorporated | System and method for constructing a graph-based model for optimizing the security posture of a composed internet of things system |
CN113179241A (en) * | 2021-03-01 | 2021-07-27 | 西安理工大学 | Multi-step attack characterization method based on time sequence correlation analysis |
CN113836679A (en) * | 2021-10-14 | 2021-12-24 | 国网湖南省电力有限公司 | Method and device for identifying fragile line combination in N-K attack mode |
CN114048487A (en) * | 2021-11-29 | 2022-02-15 | 北京永信至诚科技股份有限公司 | Attack process evaluation method and device for network target range, storage medium and equipment |
CN114428962A (en) * | 2022-01-28 | 2022-05-03 | 北京灰度科技有限公司 | Vulnerability risk priority processing method and device |
US11930046B2 (en) | 2021-06-17 | 2024-03-12 | Xerox Corporation | System and method for determining vulnerability metrics for graph-based configuration security |
Citations (4)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
CN102447695A (en) * | 2011-11-14 | 2012-05-09 | 中国科学院软件研究所 | Method for identifying key attack path in service system |
US9292695B1 (en) * | 2013-04-10 | 2016-03-22 | Gabriel Bassett | System and method for cyber security analysis and human behavior prediction |
CN106850607A (en) * | 2017-01-20 | 2017-06-13 | 北京理工大学 | The quantitative estimation method of the network safety situation based on attack graph |
CN108683654A (en) * | 2018-05-08 | 2018-10-19 | 北京理工大学 | Network vulnerability evaluation method based on zero-day attack graph |
2019
- 2019-05-20 CN CN201910417526.2A patent/CN110138788B/en active Active
Non-Patent Citations (1)
Title |
---|
HUAN WANG et al.: "A Vulnerability Assessment Method in Industrial Internet of Things Based on Attack Graph and Maximum Flow", 《SPECIAL SECTION ON CONVERGENCE OF SENSOR NETWORKS, CLOUD COMPUTING AND BIG DATA IN INDUSTRIAL INTERNET OF THING》 * |
Cited By (11)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
US20210012012A1 (en) * | 2019-07-12 | 2021-01-14 | Palo Alto Research Center Incorporated | System and method for constructing a graph-based model for optimizing the security posture of a composed internet of things system |
CN110930005A (en) * | 2019-11-14 | 2020-03-27 | 华东师范大学 | Automatic driving expected function safety hazard assessment method based on zero-day loophole |
CN110889117A (en) * | 2019-11-28 | 2020-03-17 | 支付宝(杭州)信息技术有限公司 | Method and device for defending model attack |
CN111262878A (en) * | 2020-02-12 | 2020-06-09 | 华北电力大学 | Vulnerability analysis method for safety-level digital instrument control system of nuclear power plant |
CN113179241A (en) * | 2021-03-01 | 2021-07-27 | 西安理工大学 | Multi-step attack characterization method based on time sequence correlation analysis |
CN113179241B (en) * | 2021-03-01 | 2022-06-17 | 西安理工大学 | Multi-step attack characterization method based on time sequence correlation analysis |
US11930046B2 (en) | 2021-06-17 | 2024-03-12 | Xerox Corporation | System and method for determining vulnerability metrics for graph-based configuration security |
CN113836679A (en) * | 2021-10-14 | 2021-12-24 | 国网湖南省电力有限公司 | Method and device for identifying fragile line combination in N-K attack mode |
CN113836679B (en) * | 2021-10-14 | 2024-02-23 | 国网湖南省电力有限公司 | Method and device for identifying vulnerable line combination in N-K attack mode |
CN114048487A (en) * | 2021-11-29 | 2022-02-15 | 北京永信至诚科技股份有限公司 | Attack process evaluation method and device for network target range, storage medium and equipment |
CN114428962A (en) * | 2022-01-28 | 2022-05-03 | 北京灰度科技有限公司 | Vulnerability risk priority processing method and device |
Also Published As
Publication number | Publication date |
---|---|
CN110138788B (en) | 2020-07-10 |
Similar Documents
Publication | Publication Date | Title |
---|---|---|
CN110138788A (en) | Vulnerability attack cost quantitative evaluation method based on depth index | |
CN112738015B (en) | Multi-step attack detection method based on interpretable convolutional neural network CNN and graph detection | |
Hoque et al. | An implementation of intrusion detection system using genetic algorithm | |
Roschke et al. | A new alert correlation algorithm based on attack graph | |
Gogoi et al. | MLH-IDS: a multi-level hybrid intrusion detection method | |
US9787640B1 (en) | Using hypergraphs to determine suspicious user activities | |
CN103368976B (en) | Network security evaluation device based on attack graph adjacent matrix | |
CN110380896A (en) | Network security situation awareness model and method based on attack graph | |
CN105871882A (en) | Network-security-risk analysis method based on network node vulnerability and attack information | |
CN111586046B (en) | Network traffic analysis method and system combining threat intelligence and machine learning | |
Hu et al. | Security metric methods for network multistep attacks using AMC and big data correlation analysis | |
CN104394177A (en) | Calculating method of attack target accessibility based on global attack graph | |
CN110472419A (en) | Network security risk evaluation method based on loss effect | |
CN114422224A (en) | Attack tracing-oriented threat information intelligent analysis method and system | |
Wang et al. | Noise-resistant statistical traffic classification | |
CN103001972A (en) | Identification method and identification device and firewall for DDOS (distributed denial of service) attack | |
Abraham et al. | Approximate string matching algorithm for phishing detection | |
Mathew et al. | Situation awareness of multistage cyber attacks by semantic event fusion | |
CN108683654A (en) | Network vulnerability evaluation method based on zero-day attack graph | |
CN103501302A (en) | Method and system for automatically extracting worm features | |
Liu et al. | Creating integrated evidence graphs for network forensics | |
CN108494791A (en) | A kind of DDOS attack detection method and device based on Netflow daily record datas | |
Ahmed et al. | A framework for phishing attack identification using rough set and formal concept analysis | |
Meng et al. | Adaptive character frequency-based exclusive signature matching scheme in distributed intrusion detection environment | |
Ionită et al. | Biologically inspired risk assessment in cyber security using neural networks |
Legal Events
Date | Code | Title | Description |
---|---|---|---|
PB01 | Publication | ||
SE01 | Entry into force of request for substantive examination | ||
GR01 | Patent grant | ||