CN110138788A - A vulnerability attack cost quantitative evaluation method based on a depth index - Google Patents

A vulnerability attack cost quantitative evaluation method based on a depth index

Info

Publication number: CN110138788A
Application number: CN201910417526.2A
Authority: CN (China)
Prior art keywords: attack, path, cost, node, vulnerability
Legal status: Granted
Other languages: Chinese (zh)
Other versions: CN110138788B (en)
Inventors: 胡昌振, 单纯, 郭守坤, 王可惟, 周炎
Current assignee: Beijing Institute of Technology BIT
Original assignee: Beijing Institute of Technology BIT
Application filed by Beijing Institute of Technology BIT
Priority to CN201910417526.2A (granted as CN110138788B)
Publication of CN110138788A
Application granted
Publication of CN110138788B
Current legal status: Active

Classifications

All three classifications fall under H Electricity; H04 Electric communication technique; H04L Transmission of digital information, e.g. telegraphic communication.

    • H04L41/145 Network analysis or design involving simulating, designing, planning or modelling of a network (under H04L41/00 Arrangements for maintenance, administration or management of data switching networks, e.g. of packet switching networks; H04L41/14 Network analysis or design)
    • H04L63/1433 Vulnerability analysis (under H04L63/00 Network architectures or network communication protocols for network security; H04L63/14 Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic)
    • H04L63/20 Network architectures or network communication protocols for network security for managing network security; network security policies in general

Abstract

The invention belongs to the field of vulnerability attack technology and provides a vulnerability attack cost quantitative evaluation method based on a depth index. The detailed process is as follows: generate a network model and define an attack graph model for the network to be attacked; generate a vulnerability attack graph from the network model and the attack graph model using an attack graph generation algorithm; in the vulnerability attack graph, analyse the attack path from the start node where the attack is launched to the destination node, and, if the attack path is a multi-branch path, account for the influence pe of alternative routes and forced paths on the attack cost of the vulnerable node when obtaining the path depth from the attacker to the vulnerability node, then calculate the attack cost of the vulnerability node; finally, calculate the accumulated attack cost up to the destination node. By combining the index of attack path depth, the invention assesses more accurately the attack cost of vulnerable points located deeper in the attack path, providing a better basis for analysing actual attack processes and attack means.

Description

A vulnerability attack cost quantitative evaluation method based on a depth index
Technical field
The present invention relates to a vulnerability attack cost quantitative evaluation method based on a depth index and belongs to the technical field of vulnerability attacks.
Background art
Gao Ni et al. [1] propose a dynamic risk assessment model based on a Bayesian attack graph. Li et al. [2] consider the elements and conditions that trigger a vulnerability attack graph from a more macroscopic viewpoint and propose a forward-search attack graph generation algorithm based on hypergraph partitioning. Wang L et al. propose a network security measurement method based on handling zero-day vulnerabilities [3]. Jia Wei et al. [8] propose a network vulnerability assessment method based on network centrality. Yang et al. [4] propose a network security situation assessment method based on the multi-step characteristics of network attacks and quantitative security situation criteria; it effectively improves the accuracy with which a network security risk evaluation system identifies attacks and potential risks, but it ignores the correlation analysis between the steps of a multi-step network attack. Because attackers can study vulnerabilities that are still undisclosed, the security challenge posed by zero-day attacks will always remain. Zhang et al. [5] propose key vulnerable points in zero-day vulnerabilities and networks.
In research on the optimal attack path in an attack graph, Dai Wenfang et al. [6], in a study of network security risk assessment technology based on attack graph theory, propose a depth-first path-finding scheme for the maximum-flow attack path and use it to analyse the risk attack graph; it consists of three parts, maximum risk flow calculation, a path search function and an augmenting path sorting function, with a time overhead of O(n^2), where n is the number of nodes in the attack graph. Yan Feng et al. [7] propose the concept of an optimal attack target subgraph and give a generation algorithm for correlated attack paths and a generation algorithm for the target attack subgraph; the time overhead of the attack path generation algorithm is O(K^2 L), where K is the number of function calls executed and L is the attack path length. Jia Wei et al. [8] propose a new method for calculating the cost of attack paths in an attack graph and combine it with the traditional Floyd algorithm for the minimum attack cost path between node pairs; the time overhead of the overall algorithm is O(n^3), where n is the number of nodes in the attack graph.
To obtain the optimal attack path in an attack graph, the vulnerable points or attack paths in the attack graph must be weighted, that is, quantitatively evaluated. The invention proposes a new depth-based quantitative evaluation method, built mainly on the CVSS base score of a vulnerability and on the idea that attacking the same vulnerability costs a different amount at different depths of the attack path. Compared with previous count-based metrics [9] and attack-difficulty-based metrics [10], it has clear advantages. Count-based metrics measure mainly by the length of the attack path and the number of paths required for the attack, without considering the weight of the attacked nodes in the attack graph. Attack-difficulty-based metrics are mainly concerned with measuring attack resistance (the cost paid by different attackers) and with probabilistic security (the likelihood that a vulnerability is exploited by an attacker), but this difficulty index is mainly analysed qualitatively, without a precise quantitative evaluation method; it mostly relies on expert knowledge and is measured largely by traditional knowledge and experience.
Previous techniques for quantitatively evaluating the vulnerable points in a vulnerability attack graph mostly assessed the path length, the path count and the attack difficulty; they simply considered the attack distance of the attack path, without taking into account the weight of the attacked nodes in the attack graph. In a real network system the cost an attacker pays differs entirely from vulnerability to vulnerability, and the main defect of difficulty-based metrics is that they largely rely on expert knowledge, cannot be evaluated quantitatively, and depend too heavily on human factors.
Key assets in a network system are mostly equipped with an optimal architecture and strong security policies, so it is difficult to attack a security centre area (for example, a militarised centre) directly by exploiting a vulnerability, because the preconditions for a direct attack (such as user interaction or the necessary privileges) are hard to collect. The proposed assessment method can effectively calculate the attack cost for deeper attack targets. For exploitable vulnerabilities, an attacker first has to find one in the network that can be used; the method studies the problem that, as the distance between the attacker and the attacked vulnerability grows, the required attack cost rises gradually rather than being a fixed value, that is, the attacker needs more attack cost to complete a deeper attack. For a node at the start of an attack path, i.e. a vulnerability serving as the initial attack condition, the required attack cost is relatively small; for a deeper node on the attack path, the same vulnerability costs more to attack, because more preconditions must be completed before the attack, and the attack cost rises accordingly.
Summary of the invention
In view of this, the present invention provides a vulnerability attack cost quantitative evaluation method based on a depth index. The method quantitatively evaluates the attack cost of the vulnerability nodes on attack paths in a vulnerability attack graph and obtains the optimal attack path.
The technical scheme of the invention is realised as follows:
A vulnerability attack cost quantitative evaluation method based on a depth index, whose detailed process is as follows:
Generate a network model and define an attack graph model for the network to be attacked;
From the network model and the attack graph model, generate a vulnerability attack graph using an attack graph generation algorithm;
In the vulnerability attack graph, analyse the attack path from the start node where the attack is launched to the destination node. If the attack path is a multi-branch path, then when obtaining the path depth from the attacker to the vulnerability node, take into account the influence pe of alternative routes and forced paths on the attack cost of the vulnerable node, and calculate the attack cost of the vulnerability node as De = de*pe, where de denotes the pure attack difficulty excluding the effect of the depth at which the vulnerable point is located. Finally, calculate the accumulated attack cost up to the destination node.
Further, the alternative routes of the invention are defined as follows: if any one of multiple paths in the attack graph can achieve the purpose of attacking a certain vulnerability node, then a minimum attack cost path certainly exists among those paths; this minimum attack cost path and the other attack paths are together called the alternative routes for attacking that vulnerable point, and the relationship between these attack paths is a disjunction.
Further, the forced paths of the invention are defined as follows: if the purpose of attacking a certain vulnerable point can only be achieved by passing through all of several attack paths in the attack graph, then a highest attack cost path certainly exists among those paths; this highest attack cost path and the other attack paths are together called the forced paths for attacking that vulnerable point, and the relationship between these attack paths is a conjunction.
Further, when the vulnerable node is the separation point of alternative routes, the path depth pe from the attacker to the vulnerability node is as follows:
Where $p_{\min}$ denotes the distance value of the attacker along the attack path from the start node to the separation node, $D_{p_{\min}}$ denotes, among all alternative routes, the attack path value of the minimum attack cost that can reach the separation node, n denotes the number of all alternative routes that reach the separation node, and $D_{p_i}$ denotes the attack cost of the different alternative routes.
Further, when the vulnerable node is the connection point of forced paths, the path depth pe from the attacker to the vulnerability node is as follows:
Where $p_{\max}$ denotes the distance value of the attacker along the attack path from the start node to the connection point, $D_{p_{\max}}$ denotes, among all forced paths, the attack path value of the maximum attack cost that can reach the connection point, $D_{p_i}$ denotes the attack cost of the different forced paths, and n denotes the number of all forced paths that reach the connection point.
Further, the de of the invention is the score of each vulnerable point normalised under the CVSS common vulnerability scoring system, where BS is the base score of the vulnerability in the CVSS vulnerability assessment system;
For a vulnerability node on alternative routes in a disjunction relationship, the attack cost evaluation formula is as follows:
For a vulnerability node on forced paths in a conjunction relationship, the attack cost evaluation formula is as follows:
Further, the accumulated cost calculation formula of the invention for a vulnerable point where alternative routes in a disjunction relationship converge is as follows:
The accumulated cost calculation formula for a vulnerable point where forced paths in a conjunction relationship converge is as follows:
For an attack path containing alternative routes in a disjunction relationship, the attack cost of the attack path is:
$D_{p_n} = D_{p_{n-1}} + D_{e_n}$, where $D_{e_n}$ is $D_{ep\_dis}$
For an attack path containing forced paths in a conjunction relationship, the attack cost of the attack path is:
$D_{p_n} = D_{p_{n-1}} + D_{e_n}$, where $D_{e_n}$ is $D_{ep\_con}$
Further, if the path is a simple path without branches, the attack cost of the attack path is the sum of the attack costs of all vulnerability nodes attacked from the attacker's launching of the attack up to the target node, where $D_{e_i}$ is the attack cost required for each vulnerability node on the path;
Where BS is the base score of the vulnerability in the CVSS vulnerability assessment system, and pe is calculated iteratively from the number of vulnerabilities attacked along the path.
Beneficial effects
When assessing the attack cost of vulnerable points in an attack graph, this vulnerability quantitative evaluation method matches real attack scenarios; by combining the index of attack path depth it can more accurately assess the attack cost of vulnerable points located deeper in the attack path, providing a better basis for analysing actual attack processes and attack means.
Description of the drawings
Fig. 1 is an example topology of a small network system;
Fig. 2 is a schematic comparison of two situations: (a) is the situation A>B and (b) the situation A<B;
Fig. 3 is the line chart of the assessment results of the assessment method based on the shortest path;
Fig. 4 is the line chart of the assessment results of the assessment method based on attack probability;
Fig. 5 is the line chart of the assessment results of the assessment method based on attack resistance;
Fig. 6 is the line chart of the assessment results of the assessment method of this embodiment based on the depth index;
Fig. 7 is a comparison line chart of the rate of change of the results calculated by the assessment method based on attack resistance;
Fig. 8 is a comparison line chart of the rate of change of the results calculated by the assessment method of this embodiment based on the depth index.
Specific embodiments
To make the objectives, technical scheme and advantages of the embodiments of the invention clearer, the technical scheme in the embodiments of the invention is described clearly and completely below in conjunction with the drawings of the embodiments.
The invention first describes the network model used and gives the topology of the network model and its formal definition. Second, in the process of generating the attack graph from the network model, the attack graph model is defined and an attack graph generation algorithm based on matching relationships is proposed; the algorithm has a high time efficiency of O(m*n), where m and n are respectively the number of attack instances in As in the attack graph model and the number of generated attacked vulnerability nodes. The innovative part of the invention is then presented: the vulnerability node information in the attack graph is quantitatively evaluated with a method based on a depth index, divided into measuring the attack cost of vulnerability nodes on a simple attack path without branches and measuring it on a complex multi-branch attack path. For the problem of measuring vulnerability node attack cost on a complex multi-branch attack path, the disjunction and conjunction relationships between attack paths are introduced, the concepts of the separation point of alternative routes and the connection point of forced paths are proposed, two different formulas are given for attack paths of the different relationship types, and the calculation method is described in detail with an example.
Generation of the network model
Network structures differ widely between network environments. To make the subsequent quantitative assessment of vulnerability attack nodes on attack paths more accurate, the invention, when building the model of a network system, covers the key information in that network system, mainly: host information, communication information between hosts, vulnerability information present in the system and attack information. The description obtained by modelling this network information provides the input parameters for vulnerability attack graph generation; that is, the network element modelling and representation part is the basis for subsequent vulnerability attack graph generation and, even more, for attack path cost evaluation in the attack graph.
As shown in Figure 1, a small network system has three different hosts and a firewall. In this small network topology, different services and software run on the hosts; host H2 runs an HTTP service, an Apache service and a MySQL database service, and the MySQL database is the key asset of the whole network system. An attacker wants to intrude into the network system from the external Internet and tries to obtain root privileges on Host2 in order to operate freely on the MySQL database. The connection relationships in the network system are shown in the table below, where connection access policy control is mainly restricted by the firewall.
On the attack plane there is an attacker who intends to intrude into the small network system from the external network. The service running on host H0 is an IIS Web service; under the firewall's access restriction policy, H, H1 and H2 can access H0 through the IIS Web service. The service running on host H2 is an SSH service; likewise, under the firewall's access restriction policy, H0 and H1 can access H2 through the SSH service, and for the attack plane H, access from H to H2 can be realised through unopened ports. The services running on host H2 are an SSH service and a MySQL DB service; likewise, H0 and H2 can access host H1 through the HTTP/Apache service, and for the attack plane H, access from H to H1 can be realised through unopened ports. For the attacking host H, H0, H1 and H2 can access the attack plane H through any open port, but for the attacker this access does not help the attack.
The network model in the invention includes: 1. the sets of hosts H, services S and privileges P; 2. a host H can run one or more services or software and possesses several user privileges and one administrator privilege; 3. the connection relationships between hosts, denoted Conn, which include both the hierarchical relationships between hosts and the semantic connection relationships between hosts.
Generation of the attack graph model
The vulnerability attack graph model in the invention is described as a five-tuple G = (V, E, As, N, Vs). In the vulnerability attack graph model, V denotes the set of all vulnerability nodes in the vulnerability attack graph, with initial value the empty set; E denotes the set of directed edges in the constructed directed attack graph, containing the connections between all vulnerability nodes, with initial value also the empty set; N denotes the network model, N = (H, C), where H denotes the set of hosts, the services running on the hosts in the network system and the potentially exploitable vulnerabilities in those services, which can be represented by the triple {hid, svc, vid}, where hid is the number of the host, i.e. its identifier, svc is the service run by the host or the software installed on it, and vid is the identifier of the vulnerability present in the corresponding service; C denotes the connection relationships between hosts in the network, including the hierarchical relationships and the semantic connection relationships between hosts. As denotes attack behaviours: each attack a ∈ As can be described by a six-tuple a = (id, h, v, pro, post, cost), where id is the identifier of the attack, h the attacking host that launches the attack, v the vulnerability attribute node, pro the precondition of attack a, post the result of attack a, and cost the attack cost required to attack vulnerability node v; since attack cost evaluation is performed separately, the attack cost of an attack is set to 0. Vs denotes the set of vulnerabilities in the network system, mainly those that can be exploited by an attacker to attack the network system.
Generation of the vulnerability attack graph
The relevant vulnerability attack graph is generated from the small network system model and the attack graph model. The prerequisite for generating the vulnerability attack graph is to obtain the relevant vulnerabilities present in the network system that can be exploited by an attacker and store them in Vs. The invention uses conventional scanning tools to scan the hosts in the network system for vulnerable points; such tools can usually scan the whole network system quickly and automatically for security vulnerabilities, open ports and similar information. Common scanning tools of this kind include Nessus, AWVS, ISS and Nmap. Next, the connection relationships between the hosts in the network system that contain vulnerabilities are obtained, the attack patterns are instantiated, all attack instances that may exist in the network system are generated, and they are saved in As.
Table 1 below lists the vulnerabilities present in the services run by the network system hosts, including the names of the hosts in the network, the names of the services run on the hosts, the vulnerabilities present in the services, the vulnerability types and vulnerability names, and the CVSS base scores of these vulnerabilities.
Table 1: Services and vulnerabilities present on the network system hosts
From the vulnerabilities and vulnerability types present in the services run on the network system hosts, combined with the connection relationships between the hosts, As can be instantiated as follows: {<a1, h0, n1, User_0, CVE-2010-2370, Root_0, 0>; <a2, h0, n2, Root_0, CVE-2018-17153, Root_1, 0>; <a3, h0, n3, Root_0, CVE-2008-3234, User_2, 0>; <a4, h1, n4, Root_1, CVE-2006-3368, User_2, 0>; <a5, h2, n5, User_2, CVE-2007-5616, Root_2, 0>}. The main steps of the algorithm are: matching the attack instances in As against the vulnerable point attribute nodes, and generating the attack nodes and edges of the attack graph.
The time complexity of the algorithm is O(m*n), where m is the number of attack instances in As and n is the number of generated attacked vulnerability nodes; each newly generated vulnerability node leads the algorithm to call the GenerateGraph() function, n times in total, so the overall time complexity of the attack graph generation algorithm is O(m*n), depending on the number of attack instances in As and the number of newly generated vulnerability nodes, which is more efficient than traditional attack graph generation algorithms.
Evaluation of attack cost in the attack graph
(1) Simple path without branches
First, for the measurement of a single attacked node in an attack path based on the attack depth index, this embodiment defines its attack cost as De. De depends mainly on two factors: first, the pure attack difficulty de excluding the effect of the depth at which the vulnerable point is located, and second, the path depth pe from the attacker to the vulnerability node in this attack path. de uses the pure attack difficulty of the vulnerability assessed under the CVSS standard vulnerability scoring system; pe is calculated iteratively from the number e of vulnerabilities attacked along the path, counting the e-th vulnerability node itself, i.e. the number of all vulnerabilities attacked in the whole attack path from the attacker's launching of the attack up to the vulnerable point e to be attacked. The attacker is assumed to be located outside the internal network environment. The attack cost De of a vulnerability node in the attack path is governed by the values of de and pe and grows as they grow, so De = de*pe is set here, giving De a positive correlation with de and pe. de is the score of each vulnerable point normalised under the CVSS common vulnerability scoring system, where BS is the base score of the vulnerability in the CVSS vulnerability assessment system. The CVSS score corresponds to vulnerability e: a higher CVSS score means the vulnerability is more dangerous, the likelihood of it being exploited for an attack is greater and the attack difficulty is lower, which is reflected when calculating De. The attack cost of the whole attack path is calculated with the idea of iterative accumulation, where $D_{p_n}$ is the sum of the attack costs of all vulnerabilities attacked in the attack path from the attacker's launching of the attack up to the target node, and $D_{e_i}$ is the attack cost required for each vulnerability node on the path.
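As an added, runnable illustration (not code from the patent), the following Python builds the attack graph from the five attack instances listed above by matching each instance's postcondition to the preconditions of the others, enumerates the attack paths from the attacker's initial condition User_0 to the target Root_2, and accumulates the simple no-branch cost De = de*pe along each path, so the same CVE costs more the deeper it sits on the path. The CVSS base scores and the normalisation de = (10 - BS)/10 are assumptions, since Table 1 and the exact normalisation formula are not reproduced on this page; the alternative-route adjustment of pe at the separation point User_2 is not applied, each path is scored as a simple path.

```python
from dataclasses import dataclass
from typing import Dict, List, Tuple


@dataclass(frozen=True)
class AttackInstance:
    """One attack instance a in As: (id, h, v, pro, post, cost) plus the CVE id."""
    id: str
    host: str
    vuln_node: str
    pre: str
    cve: str
    post: str
    cost: int = 0  # the model sets cost to 0; cost is evaluated separately below


# The five attack instances exactly as instantiated in the patent text.
AS: List[AttackInstance] = [
    AttackInstance("a1", "h0", "n1", "User_0", "CVE-2010-2370", "Root_0"),
    AttackInstance("a2", "h0", "n2", "Root_0", "CVE-2018-17153", "Root_1"),
    AttackInstance("a3", "h0", "n3", "Root_0", "CVE-2008-3234", "User_2"),
    AttackInstance("a4", "h1", "n4", "Root_1", "CVE-2006-3368", "User_2"),
    AttackInstance("a5", "h2", "n5", "User_2", "CVE-2007-5616", "Root_2"),
]

# ASSUMED placeholder CVSS base scores: Table 1 is not reproduced on the page,
# so these values are constructed for illustration only.
BS_PLACEHOLDER: Dict[str, float] = {
    "CVE-2010-2370": 7.5,
    "CVE-2018-17153": 8.0,
    "CVE-2008-3234": 6.5,
    "CVE-2006-3368": 5.0,
    "CVE-2007-5616": 7.2,
}


def build_attack_graph(instances: List[AttackInstance]) -> Dict[str, List[str]]:
    """Matching-relationship generation: a directed edge a_i -> a_j exists when
    the postcondition of a_i is the precondition of a_j (pairwise O(m*n) step)."""
    edges: Dict[str, List[str]] = {a.id: [] for a in instances}
    for src in instances:
        for dst in instances:
            if src.id != dst.id and src.post == dst.pre:
                edges[src.id].append(dst.id)
    return edges


def enumerate_paths(instances: List[AttackInstance], edges: Dict[str, List[str]],
                    start_cond: str, goal_cond: str) -> List[List[str]]:
    """All simple attack paths from an instance whose precondition is the
    attacker's initial condition to one whose postcondition is the goal."""
    by_id = {a.id: a for a in instances}
    paths: List[List[str]] = []

    def dfs(node: str, path: List[str]) -> None:
        if by_id[node].post == goal_cond:
            paths.append(list(path))
            return
        for nxt in edges[node]:
            if nxt not in path:  # never revisit an instance on the same path
                path.append(nxt)
                dfs(nxt, path)
                path.pop()

    for a in instances:
        if a.pre == start_cond:
            dfs(a.id, [a.id])
    return paths


def de_from_bs(bs: float) -> float:
    """ASSUMED normalisation of the CVSS base score into the pure difficulty de:
    the page only states that a higher score means a lower attack difficulty."""
    return (10.0 - bs) / 10.0


def path_cost(path: List[str], instances: List[AttackInstance],
              bs_table: Dict[str, float]) -> Tuple[float, List[Tuple[str, int, float]]]:
    """Simple no-branch path: pe is the 1-based depth e of the node on the path,
    De = de*pe, and D_{p_n} = D_{p_{n-1}} + D_{e_n} accumulates along the path."""
    by_id = {a.id: a for a in instances}
    total = 0.0
    breakdown: List[Tuple[str, int, float]] = []
    for depth, aid in enumerate(path, start=1):
        de = de_from_bs(bs_table[by_id[aid].cve])
        node_cost = de * depth
        total += node_cost
        breakdown.append((aid, depth, node_cost))
    return total, breakdown


def min_cost_path(instances: List[AttackInstance], bs_table: Dict[str, float],
                  start_cond: str, goal_cond: str) -> Tuple[float, List[str]]:
    """The optimal attack path under the simple metric: lowest accumulated cost."""
    edges = build_attack_graph(instances)
    scored = [(path_cost(p, instances, bs_table)[0], p)
              for p in enumerate_paths(instances, edges, start_cond, goal_cond)]
    return min(scored)


if __name__ == "__main__":
    for p in enumerate_paths(AS, build_attack_graph(AS), "User_0", "Root_2"):
        print(" -> ".join(p), "D_p =", round(path_cost(p, AS, BS_PLACEHOLDER)[0], 3))
```

With the placeholder scores, the three-step path a1 -> a3 -> a5 costs 1.79 and the four-step path a1 -> a2 -> a4 -> a5 costs 3.27, because a5 (the same CVE-2007-5616) is charged at depth 4 instead of 3.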
(2) complicated multiple-limb path
A fragile node may can be arrived by attack in turn along different attack paths in attack graph, a fragility Node attacks the destination node, the purpose if there is more and more substitution attack paths can reach with the increase of state diagram The safety of node can be lower and lower.But it, should similarly if a fragile node need to be after a plurality of pressure path be attacked Fragile node can just be attacked, then these paths passed through are more, and the safety of the fragility node is higher.The fragility node Safety is limited to the node present position with a distance from attacker, in invention by the above alternative route and force path bring it is crisp Weak bus attack cost influences be added in the calculating of pe, that is to say using calculated based on depth index attack the state section The size of the attack cost of point.
Alternative route: a certain crisp if attack can be reached by any one of mulitpath in attack graph The purpose of weak property node then certainly exists the path of a minimum attack cost in these paths, this minimum attack cost Path and other attack paths are referred to as to attack the alternative route of the tender spots, are the relationships of extracting between these attack paths.
Force path: if a certain fragility of attack all must just can achieve by a plurality of attack path in attack graph The purpose of point, then certainly exist the path of highest attack cost in these paths, this highest attack cost path and Other attack paths are referred to as attacking the pressure path of the tender spots, are conjunction relationships between these attack paths.
When following equation indicates that the state node is the burble point of alternative route, the numerical value of pe is calculated.
When calculating the pe value of the attacked fragility node of alternative route of this relationship of extracting, before all relying on this node The result calculated.P in formulaminIndicate distance value of the attacker along attack path from start node to the separate node; Dp_minIt indicates in all alternative routes, the attack path value of the minimum attack cost of the separate node can be reached.
Ave in formulaminIt is determined by lower formula:
Wherein, Dp_iIndicate the attack cost of different alternative routes;Indicate attacking for institute's substitution attack path Hit the sum of cost.Dp_min/AveminThe smallest attack path D of cost is attacked in alternative routep_minDivided by other alternative routes Attack cost mean value, in order to determine influence degree of other substitution attack paths relative to minimum attack cost path, If the value of the mean value in other obtained substitution attack paths and minimum attack cost path is not much different, the proportion expression that is to say Value then shows have more attack lesser paths of cost to can achieve the separate node, that is to say and show the tender spots close to 1 Safe coefficient it is lower and lower, the attack cost for attacking the tender spots will reduce, similarly on the contrary, if the value of the proportion expression is got over Small, then the value of the mean value and minimum attack cost path that show other substitution attack paths differs greatly, the safety of the tender spots Relatively high, the attack cost for attacking the tender spots will improve.In formulaTo Dp_min/Avemin It is deformed, expression is the probability attacked relative to other paths, the minimum attack path of selection.
Following equation indicates that the state node is when forcing the tie point in path, to calculate the numerical value of pe.
In formula in the pe value of pressure the attacked fragility node in path for calculating this conjunction relationship, this is also all relied on The result calculated before node.P in formulamaxIndicate attacker along attack path from start node to the tie point Distance value, here because being conjunction relationship, then the attack depth of next node must be (pmax+ 1) it carries out calculating partially again on Difference;Dp_maxIt indicates in all pressure paths, the attack path value of the maximum attack cost of the tie point can be reached.
Ave_max in the formula is calculated as follows:
Here D_p_i denotes the attack cost of forced path i, and ΣD_p_i the sum of the attack costs of all forced attack paths. D_p_max/Ave_max divides the cost of the most expensive forced path, D_p_max, by the mean attack cost of the other forced paths, in order to measure the influence of the other forced paths relative to the maximum-cost path. If the mean over the other forced paths is not far from the maximum-cost path, i.e. the ratio is close to 1, then the other forced paths reaching the join point have attack costs close to the maximum; the security of the vulnerability is correspondingly higher, and the cost of attacking it rises. Conversely, the smaller the ratio, the less the other forced paths weigh relative to the maximum-cost path, and the vulnerability is relatively easier to attack. The formula transforms D_p_max/Ave_max into the probability that the hardest attack path is attacked, relative to the other paths.
The attack cost evaluation formula for a vulnerability node on an alternative path (disjunction relationship) is therefore:
The attack cost evaluation formula for a vulnerability node on a forced path (conjunction relationship) is therefore:
The cumulative cost formula for a vulnerability at which alternative paths (disjunction relationship) converge is:
The cumulative cost formula for a vulnerability at which forced paths (conjunction relationship) converge is:
Therefore, when determining the attack probability of a given attack path, the attack cost of the path is computed cumulatively. For an attack path containing alternative paths (disjunction relationship), the attack cost is D_p_n = D_p_(n-1) + De_n, where De_n is De_p_dis; for an attack path containing forced paths (conjunction relationship), the attack cost is D_p_n = D_p_(n-1) + De_n, where De_n is De_p_con.
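The ratio indicators defined above for alternative and forced paths, together with the cumulative cost D_p_n = D_p_(n-1) + De_n, as an added Python example (not code from the patent): it builds a small constructed attack graph with one disjunction join and one conjunction join and computes, for each, the depth p, the extreme path cost D_p_min or D_p_max, the mean over the other paths and the ratio. The pe formulas themselves are figures not reproduced in this text, so pe is fixed at 1, de is taken as BS/10, and Ave_min/Ave_max are read as means over the other n-1 paths; all three are assumptions.

```python
"""Added example, not the patent's own code: computes the inputs the text
defines for the depth index pe at branch points of a vulnerability attack
graph, plus the cumulative path cost D_p_n = D_p_(n-1) + De_n.
Assumptions not stated on the page: de = BS/10 ("normalised" base score);
Ave_min / Ave_max are means over the *other* n-1 paths; pe = 1 along the
branch paths, because the pe formulas are figures not reproduced in the text."""

# Constructed attack graph (a DAG). Vulnerability nodes carry a CVSS base
# score (BS); the two join nodes model the page's two branch types:
#   J: "or"  - reachable via any one of A, B, C (alternative paths, disjunction)
#   K: "and" - requires both D and E->F         (forced paths, conjunction)
EDGES = {
    "S": ["A", "B", "C", "D", "E"],
    "A": ["J"], "B": ["J"], "C": ["J"],
    "D": ["K"], "E": ["F"], "F": ["K"],
    "J": [], "K": [],
}
BASE_SCORE = {"A": 5.0, "B": 7.0, "C": 9.0, "D": 4.0, "E": 6.0, "F": 3.0}
JOIN_TYPE = {"J": "or", "K": "and"}   # nodes with a single incoming path: "or"


def de(bs):
    """Pure attack difficulty of one vulnerability (BS/10 is an assumption)."""
    return bs / 10.0


def paths_to(node, start="S"):
    """All simple paths from the start node to `node`."""
    found = []

    def walk(cur, trail):
        if cur == node:
            found.append(trail)
            return
        for nxt in EDGES.get(cur, []):
            walk(nxt, trail + [nxt])

    walk(start, [start])
    return found


def path_cost(path, pe=1.0):
    """D_p_n = D_p_(n-1) + De_n over the vulnerability nodes attacked before the
    final node of `path`, with De_n = de * pe (pe fixed, see module docstring)."""
    cost = 0.0
    for node in path[1:-1]:              # exclude the start node and the join itself
        cost += de(BASE_SCORE[node]) * pe
    return round(cost, 6)


def branch_indicators(join):
    """Return (depth, D_p_extreme, Ave, ratio) for a join node.
    "or"  join: p_min, D_p_min, Ave_min, D_p_min/Ave_min (ratio <= 1; near 1
                means other routes are about as cheap as the cheapest one)
    "and" join: p_max, D_p_max, Ave_max, D_p_max/Ave_max (ratio >= 1; near 1
                means the other forced routes cost about as much as the dearest)
    Depth is counted in hops from the start node. A node reached by a single
    path has no 'other' paths, so Ave and ratio are None."""
    costs = [(path_cost(p), len(p) - 1) for p in paths_to(join)]   # (D_p_i, p)
    pick = min if JOIN_TYPE.get(join, "or") == "or" else max
    idx = costs.index(pick(costs))       # by index, so tied costs are not both dropped
    d_ext, depth = costs[idx]
    others = [c for i, (c, _) in enumerate(costs) if i != idx]
    if not others:
        return depth, d_ext, None, None
    ave = sum(others) / len(others)
    return depth, d_ext, round(ave, 6), round(d_ext / ave, 6)


if __name__ == "__main__":
    for j in ("J", "K", "F"):
        print(j, JOIN_TYPE.get(j, "or"), branch_indicators(j))
```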
Applying the depth-index-based vulnerability node evaluation method of this embodiment to the network model yields, in the generated vulnerability attack graph, the attack cost value of each vulnerability at its particular position in the graph, i.e. an attack graph whose nodes carry weights. This lays the foundation for subsequent work on finding the optimal attack path.
Example
First, to show that the attack cost of the same vulnerability differs with its attack depth within one attack path, and without loss of generality, this embodiment uses a simple single path without branches for the comparison experiment. The number of vulnerabilities on the path is set to n; the CVSS score of (n-1) of them is set to A and that of the remaining one to B. Only the cases A>B and A<B are discussed here; for A=B the position of B has no effect on the depth-index attack cost calculation.
The following figures show, for four different assessment methods and the same path length (5), the attack cost obtained when the vulnerability lies at different depths. Comparative experiments are run for the two size relations between the base scores of vulnerabilities A and B: A > B (A=5, B=2) and A < B (A=5, B=8). The results are shown in Figure 2:
The ordinate of the line charts is the attack cost obtained with the different evaluation methods; the abscissa is the depth position of vulnerability B on the attack path (for ease of observation, an attack path of length 5 is shown). The line charts clearly show that the depth-index-based method proposed by this embodiment for quantitatively evaluating vulnerabilities on an attack path solves the practical problem that the same vulnerability has different attack costs at different attack depths, and provides a good reference for vulnerability protection in network systems.
Second, by varying the path length, this embodiment obtained the results of each assessment method for different path lengths; the experimental data are shown in the following table:
The indices and calculation methods of the respective assessment methods are applied in the data calculation; Figures 3-6 show the results obtained by the four assessment methods as line charts, as follows:
From the four assessment methods it can be seen that, for the shortest-path-based method, attack cost depends only on path length (positively correlated) and the influence of the vulnerability itself on attack cost is not considered. The method based on attack probability shows that as the path length increases, the probability of attacking the target node becomes smaller and smaller, i.e. the attack becomes harder, but this method relies excessively on expert knowledge. The method based on attack resistance shows that attack resistance grows with the path length, which is consistent with reality, but compared with the depth-index-based attack cost evaluation method it does not incorporate the depth index of the attacked node. Comparing the slopes of the broken lines in the two figures shows that the attack-resistance-based method is less sensitive to changes in attack depth than the depth-index method. From real attack processes it is known that for a short path an increase in path length has a smaller effect on attack cost, while for a long path an increase in path length affects attack cost more strongly; in the line charts this appears as a small slope in the front part of the broken line that grows, in comparison, as the path length increases. The depth-index-based assessment method captures this dependence of actual attack cost on path depth well, whereas the attack-resistance-based method cannot adequately reflect the degree to which attack cost is affected by node depth in a real attack process. Figures 7 and 8 of the experiment allow this to be analysed in detail.
In summary, the above are only preferred embodiments of the present invention and are not intended to limit the scope of the present invention. Any modification, equivalent replacement, improvement and the like made within the spirit and principles of the present invention shall be included within the protection scope of the present invention.

Claims (8)

1. A vulnerability attack cost quantitative evaluation method based on a depth index, characterized in that the specific process is as follows:
generating a network model for the network to be attacked and defining an attack graph model;
generating a vulnerability attack graph from the network model and the attack graph model in combination with an attack graph generation algorithm;
in the vulnerability attack graph, analysing the attack paths from the start node from which the attack is launched to the destination node; if an attack path is a multi-branch path, when obtaining the attacker's path depth to a vulnerability node, taking into account the influence pe that alternative paths and forced paths have on the attack cost of the vulnerability node, and calculating the attack cost of the vulnerability node as De = de*pe, where de denotes the pure attack difficulty excluding the effect of the depth at which the vulnerability is located; and finally calculating the cumulative attack cost to the destination node.
2. The vulnerability attack cost quantitative evaluation method based on a depth index according to claim 1, characterized in that the alternative paths are: if the purpose of attacking a certain vulnerability in the attack graph can be reached by any one of multiple paths, there must exist among these paths a path of minimum attack cost; this minimum attack cost path together with the other attack paths are called the alternative paths for attacking the vulnerability, and the relationship between these attack paths is a disjunction.
3. The vulnerability attack cost quantitative evaluation method based on a depth index according to claim 1 or claim 2, characterized in that the forced paths are: if the purpose of attacking a certain vulnerability in the attack graph can only be reached by passing through all of multiple attack paths, there must exist among these paths a path of highest attack cost; this highest attack cost path together with the other attack paths are called the forced paths for attacking the vulnerability, and the relationship between these attack paths is a conjunction.
4. The vulnerability attack cost quantitative evaluation method based on a depth index according to claim 2, characterized in that when the vulnerability node is the separation point of alternative paths, the path depth pe from the attacker to the vulnerability node is:
where p_min denotes the attacker's distance along the attack path from the start node to the separation node, D_p_min denotes the attack cost of the path with minimum attack cost among all alternative paths reaching the separation node, n denotes the number of all alternative paths reaching the separation node, and D_p_i denotes the attack cost of each alternative path.
5. The vulnerability attack cost quantitative evaluation method based on a depth index according to claim 3 or 4, characterized in that when the vulnerability node is the join point of forced paths, the path depth pe from the attacker to the vulnerability node is:
where p_max denotes the attacker's distance along the attack path from the start node to the join point, D_p_max denotes the attack cost of the path with maximum attack cost among all forced paths reaching the join point, D_p_i denotes the attack costs of the different forced paths, and n denotes the number of all forced paths reaching the join point.
6. The vulnerability attack cost quantitative evaluation method based on a depth index according to claim 5, characterized in that de is obtained by normalised scoring of each vulnerability with the CVSS common vulnerability scoring system, where BS is the base score of the vulnerability in the CVSS vulnerability assessment system;
the attack cost evaluation formula for a vulnerability node on an alternative path (disjunction relationship) is:
the attack cost evaluation formula for a vulnerability node on a forced path (conjunction relationship) is:
7. The vulnerability attack cost quantitative evaluation method based on a depth index according to claim 6, characterized in that the cumulative cost formula for a vulnerability at which alternative paths (disjunction relationship) converge is:
the cumulative cost formula for a vulnerability at which forced paths (conjunction relationship) converge is:
for an attack path containing alternative paths (disjunction relationship), the attack cost of the attack path is:
D_p_n = D_p_(n-1) + De_n, where De_n is De_p_dis;
for an attack path containing forced paths (conjunction relationship), the attack cost of the attack path is:
D_p_n = D_p_(n-1) + De_n, where De_n is De_p_con.
8. The vulnerability attack cost quantitative evaluation method based on a depth index according to claim 1, characterized in that if the path has no branches, the attack cost of the attack path is the sum of the attack costs of all vulnerability nodes attacked from the moment the attacker launches the attack until the target node is attacked; De_i is the attack cost required for each vulnerability node on the path;
where BS is the base score of the vulnerability in the CVSS vulnerability assessment system, and pe is computed iteratively from the number of vulnerabilities attacked on the path.
CN201910417526.2A 2019-05-20 2019-05-20 Vulnerability attack cost quantitative evaluation method based on depth index Active CN110138788B (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN201910417526.2A CN110138788B (en) 2019-05-20 2019-05-20 Vulnerability attack cost quantitative evaluation method based on depth index


Publications (2)

Publication Number Publication Date
CN110138788A true CN110138788A (en) 2019-08-16
CN110138788B CN110138788B (en) 2020-07-10

Family

ID=67571443

Family Applications (1)

Application Number Title Priority Date Filing Date
CN201910417526.2A Active CN110138788B (en) 2019-05-20 2019-05-20 Vulnerability attack cost quantitative evaluation method based on depth index

Country Status (1)

Country Link
CN (1) CN110138788B (en)

Cited By (9)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN110889117A (en) * 2019-11-28 2020-03-17 支付宝(杭州)信息技术有限公司 Method and device for defending model attack
CN110930005A (en) * 2019-11-14 2020-03-27 华东师范大学 Automatic driving expected function safety hazard assessment method based on zero-day loophole
CN111262878A (en) * 2020-02-12 2020-06-09 华北电力大学 Vulnerability analysis method for safety-level digital instrument control system of nuclear power plant
US20210012012A1 (en) * 2019-07-12 2021-01-14 Palo Alto Research Center Incorporated System and method for constructing a graph-based model for optimizing the security posture of a composed internet of things system
CN113179241A (en) * 2021-03-01 2021-07-27 西安理工大学 Multi-step attack characterization method based on time sequence correlation analysis
CN113836679A (en) * 2021-10-14 2021-12-24 国网湖南省电力有限公司 Method and device for identifying fragile line combination in N-K attack mode
CN114048487A (en) * 2021-11-29 2022-02-15 北京永信至诚科技股份有限公司 Attack process evaluation method and device for network target range, storage medium and equipment
CN114428962A (en) * 2022-01-28 2022-05-03 北京灰度科技有限公司 Vulnerability risk priority processing method and device
US11930046B2 (en) 2021-06-17 2024-03-12 Xerox Corporation System and method for determining vulnerability metrics for graph-based configuration security

Citations (4)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN102447695A (en) * 2011-11-14 2012-05-09 中国科学院软件研究所 Method for identifying key attack path in service system
US9292695B1 (en) * 2013-04-10 2016-03-22 Gabriel Bassett System and method for cyber security analysis and human behavior prediction
CN106850607A (en) * 2017-01-20 2017-06-13 北京理工大学 The quantitative estimation method of the network safety situation based on attack graph
CN108683654A (en) * 2018-05-08 2018-10-19 北京理工大学 A kind of network vulnerability evaluation method based on zero-day attacks figure


Non-Patent Citations (1)

* Cited by examiner, † Cited by third party
Title
HUAN WANG et al.: "A Vulnerability Assessment Method in Industrial Internet of Things Based on Attack Graph and Maximum Flow", Special Section on Convergence of Sensor Networks, Cloud Computing and Big Data in Industrial Internet of Things *


Also Published As

Publication number Publication date
CN110138788B (en) 2020-07-10


Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination
GR01 Patent grant