CN110417733B - Attack prediction method, device and system based on QBD attack and defense random evolution game model - Google Patents


Publication number
CN110417733B
Authority
CN
China
Prior art keywords
attack
defense
qbd
strategy
evolution
Prior art date
Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
Active
Application number
CN201910549015.6A
Other languages
Chinese (zh)
Other versions
CN110417733A (en)
Inventor
谭晶磊
金辉
张红旗
杨英杰
刘小虎
雷程
Current Assignee (The listed assignees may be inaccurate. Google has not performed a legal analysis and makes no representation or warranty as to the accuracy of the list.)
Information Engineering University of PLA Strategic Support Force
Original Assignee
Information Engineering University of PLA Strategic Support Force

Classifications

    • G: PHYSICS
    • G06: COMPUTING; CALCULATING OR COUNTING
    • G06N: COMPUTING ARRANGEMENTS BASED ON SPECIFIC COMPUTATIONAL MODELS
    • G06N20/00: Machine learning
    • G: PHYSICS
    • G06: COMPUTING; CALCULATING OR COUNTING
    • G06N: COMPUTING ARRANGEMENTS BASED ON SPECIFIC COMPUTATIONAL MODELS
    • G06N5/00: Computing arrangements using knowledge-based models
    • G06N5/04: Inference or reasoning models
    • H: ELECTRICITY
    • H04: ELECTRIC COMMUNICATION TECHNIQUE
    • H04L: TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L41/00: Arrangements for maintenance, administration or management of data switching networks, e.g. of packet switching networks
    • H04L41/14: Network analysis or design
    • H04L41/145: Network analysis or design involving simulating, designing, planning or modelling of a network
    • H: ELECTRICITY
    • H04: ELECTRIC COMMUNICATION TECHNIQUE
    • H04L: TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L41/00: Arrangements for maintenance, administration or management of data switching networks, e.g. of packet switching networks
    • H04L41/14: Network analysis or design
    • H04L41/147: Network analysis or design for predicting network behaviour
    • H: ELECTRICITY
    • H04: ELECTRIC COMMUNICATION TECHNIQUE
    • H04L: TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L63/00: Network architectures or network communication protocols for network security
    • H04L63/14: Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic
    • H04L63/1441: Countermeasures against malicious traffic

Abstract

The invention belongs to the technical field of network security, and in particular relates to an attack prediction method, device and system based on a QBD attack and defense random evolution game model. The method comprises the following steps: abstracting the attack and defense evolution process as a quasi-birth-and-death (QBD) process, introducing a learning degree and a noise factor to describe the dynamic evolution trajectory of the attack and defense participants' strategy learning and adjustment under random disturbance, and constructing the QBD attack and defense random evolution game model; establishing the equilibrium equations of the quasi-birth-and-death attack and defense confrontation process according to the model; solving the equilibrium equations to obtain the stationary probability distribution of strategies in the quasi-birth-and-death attack and defense process; and obtaining the most threatening attack strategy from that stationary probability distribution. The method is closer to actual attack and defense confrontation scenarios, takes into account the influence of random disturbance in the attack and defense evolution process, provides a game model for the random evolution of attack and defense, enhances the ability to predict attack behavior, improves the accuracy of attack prediction and the effectiveness of the model, and has important guiding significance for the development of network security technology.

Description

Attack prediction method, device and system based on QBD attack and defense random evolution game model
Technical Field
The invention belongs to the technical field of network security, and particularly relates to an attack prediction method, device and system based on a QBD attack and defense random evolution game model.
Background
In the field of network security, attackers use various attack means against a defended system to acquire valuable information resources, and defenders adopt different defense means according to the attackers' intentions to protect the system and prevent the information resources from being stolen. To defend the information system effectively, the defender needs to predict attack behavior accurately and in advance, so as to avoid heavy losses of information resources. The opposing objectives, strategy interdependence and non-cooperative relationship exhibited by the attacking and defending parties in network attack and defense confrontation match the basic characteristics of game theory. The research and application of game theory in the field of network security has therefore become a focus of expert research in recent years.
At present, most research results on game theory in the field of network security are based on the assumption of complete rationality: the attack and defense participants are assumed to know the opponent's available strategies and payoff structure completely, and the optimal response strategy is obtained by solving for the Nash equilibrium. However, these results do not consider the bounded rationality of actual attack and defense participants. Their security knowledge, skill level and acquired game information are limited, their reasoning during decision making is not always correct, and they cannot make the optimal response to changes in the decision environment under all conditions. The idealized assumption of complete rationality therefore does not match actual network attack and defense conditions, and its practical effect deviates from reality. With the research and application of evolutionary game theory in the field of network security, attack behavior prediction and defense strategy selection are analyzed using the evolutionary game idea based on bounded rationality, which better fits network attack and defense confrontation scenarios. The evolutionary game takes the bounded rationality of the attack and defense participants into account: through continuous learning and adjustment of strategies, the participants gradually come to understand the decision environment, opponent information, the payoff differences produced by playing different strategies and other information, and finally evolve dynamically to a stable equilibrium state.
Existing research includes: establishing an evolutionary game model of information security attack and defense confrontation starting from attack and defense costs, and obtaining the evolutionarily stable strategy of the confrontation from the replicator dynamics of the attack and defense groups; establishing an attack and defense evolutionary game model by combining evolutionary games with system dynamics, and checking the model with respect to system boundary, effectiveness and parameter sensitivity to demonstrate its objectivity, scientific soundness and practicability; studying the defense strategy selection problem from the perspective of the bounded rationality of the attack and defense participants, constructing an attack and defense evolutionary game model, and using the replicator dynamics learning mechanism to give and analyze a method for solving the evolutionarily stable strategy; and establishing a multi-stage attack and defense evolutionary game model for the Internet of Things, quantifying the payoff and cost of attack and defense strategies, and determining the optimal defense strategy using the replicator dynamics learning mechanism. However, the above studies are all based on the replicator dynamics learning mechanism, which is a deterministic, mutation-free natural selection learning model that always chooses a strategy whose expected payoff is higher than the average payoff. In the actual attack and defense confrontation process, under the influence of random disturbances such as uncertain attack behaviors and intentions and changes in the decision environment, the deterministic replicator dynamics mechanism has difficulty accurately estimating and predicting the dynamic evolution of attack and defense.
Disclosure of Invention
To this end, the invention provides an attack prediction method, device and system based on the QBD attack and defense random evolution game model, which are closer to actual attack and defense confrontation scenarios, enhance the ability to predict attack behavior, improve the accuracy and effectiveness of attack prediction, and have strong application prospects.
According to the design scheme provided by the invention, the attack prediction method based on the QBD attack and defense random evolution game model comprises the following:
abstracting the attack and defense evolution process as a quasi-birth-and-death (QBD) process, introducing a learning degree and a noise factor to describe the dynamic evolution trajectory of the attack and defense participants' strategy learning and adjustment under random disturbance, and constructing the QBD attack and defense random evolution game model;
establishing the equilibrium equations of the quasi-birth-and-death attack and defense confrontation process according to the QBD attack and defense random evolution game model;
solving the equilibrium equations to obtain the stationary probability distribution of strategies in the quasi-birth-and-death attack and defense process; and obtaining the most threatening attack strategy from the stationary strategy probability distribution.
In the above, the QBD attack and defense random evolution game model is represented by a seven-tuple: QBD-ADSEGM = (Γ, N, S, χ(t), α, β, U), where Γ represents the attack and defense game groups, N represents the numbers of attack and defense participants, S represents the strategy space of the attack and defense participants, χ(t) represents the attack and defense state space at time t, α represents the set of learning degrees of the attack and defense participants, β represents the noise factor of the attack and defense participants, and U represents the set of payoff functions of the attacking and defending parties.
The set of learning degrees of the attack and defense participants comprises a learning parameter describing how well the attackers have mastered the attack and defense information and a learning parameter describing how well the defenders have mastered it; the noise factor of the attack and defense participants describes random disturbance in the attack and defense process and is set to be greater than 0.
The corresponding quasi-birth-and-death process is constructed according to the QBD attack and defense random evolution game model, the state space of the quasi-birth-and-death process is obtained, and the equilibrium equations are established.
In the above, the equilibrium equations are established as follows: first, the transition probabilities of strategy selection by the attacker and the defender are defined; then the quasi-birth-and-death evolution process is constructed from the transition probability matrix to obtain the equilibrium equations of the attack and defense evolution process.
In the above equilibrium solving process, the equilibrium equations are first subjected to elementary transformations and solved, and the stationary probability distribution of the QBD attack and defense evolution process is obtained under the positive recurrence condition, giving the stationary probability distribution of the attack and defense random evolution game.
Preferably, the equilibrium equations are subjected to elementary transformations by Gaussian elimination, according to the nonlinear homogeneous equation set property of the equilibrium equations.
Preferably, in solving the equilibrium equations, game information is obtained through confrontation analysis between game groups and mutual learning within them, and the payoffs produced by playing different strategies are calculated, so that the transition probabilities are determined from the expected payoffs, the learning degree and the noise factor.
Further, the invention also provides an attack prediction device based on the QBD attack and defense random evolution game model, which comprises a model building module, an equation building module and an analysis solving module, wherein:
the model building module is used for abstracting the attack and defense evolution process as a quasi-birth-and-death (QBD) process, introducing a learning degree and a noise factor to describe the dynamic evolution trajectory of the attack and defense participants' strategy learning and adjustment under random disturbance, and constructing the QBD attack and defense random evolution game model;
the equation building module is used for establishing the equilibrium equations of the quasi-birth-and-death attack and defense confrontation process according to the QBD attack and defense random evolution game model;
the analysis solving module is used for solving the equilibrium equations to obtain the stationary probability distribution of strategies in the quasi-birth-and-death attack and defense process, and for obtaining the most threatening attack strategy from the stationary strategy probability distribution.
Furthermore, the invention also provides a network security system which comprises the above attack prediction device based on the QBD attack and defense random evolution game model.
The beneficial effects of the invention are as follows:
The method introduces a learning degree parameter and a noise factor to describe the dynamic evolution trajectory of the attack and defense participants' strategy learning and adjustment under random disturbance, solves for the stationary strategy probability distribution of the quasi-birth-and-death attack and defense evolution process by establishing the equilibrium equations of the quasi-birth-and-death attack and defense confrontation process, and gives the most threatening attack strategy. To address the influence of random disturbance on the attack and defense groups during the game, the attack and defense random evolution game is modeled on a quasi-birth-and-death process by introducing the learning degree parameter and the noise factor, and the equilibrium equations of the resulting quasi-birth-and-death process are solved to obtain the stationary probability distribution of strategies in the attack and defense groups in the limit, so that the most threatening attack strategy can be identified and attack prediction is achieved. The method is closer to actual attack and defense confrontation scenarios, considers the influence of random disturbance in the attack and defense evolution process, provides a game model for the random evolution of attack and defense, and enhances the ability to predict attack behavior; the accuracy of attack prediction and the effectiveness of the model are verified by a simulation experiment, and the method has important guiding significance for the development of network security technology.
Description of the drawings:
FIG. 1 is a schematic flow chart of an attack prediction method in an embodiment;
FIG. 2 is a schematic diagram of an attack prediction apparatus according to an embodiment;
FIG. 3 is a topology diagram of a network information experiment system in an embodiment;
FIG. 4 is the stationary probability distribution of the attack group when α = 0.1 in the embodiment;
FIG. 5 is the stationary probability distribution of the defense group when α = 0.1 in the embodiment;
FIG. 6 shows the stationary probability distribution of attack strategy $A_1$ under different values of α in the embodiment;
FIG. 7 shows the stationary probability distribution of defense strategy $D_1$ under different values of α in the embodiment;
FIG. 8 is a graph showing the stationary probability distribution of an attack group when β takes different values in the embodiment;
FIG. 9 is a graph showing the distribution of the stationary probability of the defense population when β takes different values in the example.
Detailed description of the embodiments:
In order to make the objects, technical solutions and advantages of the present invention clearer, the present invention is described in further detail below with reference to the accompanying drawings and technical solutions.
In the actual attack and defense confrontation process, under the influence of random disturbances such as uncertain attack behaviors and intentions and changes in the decision environment, a deterministic replicator dynamics mechanism has difficulty accurately estimating and predicting the dynamic evolution of attack and defense. To address this, an embodiment of the invention, as shown in FIG. 1, provides an attack prediction method based on the QBD attack and defense random evolution game model, which comprises the following:
S101, abstracting the attack and defense evolution process as a quasi-birth-and-death (QBD) process, introducing a learning degree and a noise factor to describe the dynamic evolution trajectory of the attack and defense participants' strategy learning and adjustment under random disturbance, and constructing the QBD attack and defense random evolution game model;
S102, establishing the equilibrium equations of the quasi-birth-and-death attack and defense confrontation process according to the QBD attack and defense random evolution game model;
S103, solving the equilibrium equations to obtain the stationary probability distribution of strategies in the quasi-birth-and-death attack and defense process, and obtaining the most threatening attack strategy from the stationary strategy probability distribution.
The quasi-birth-and-death process defines its state by the two-dimensional random variable $\chi(t) = (\chi_A(t), \chi_D(t))$, which describes the number of participants in the attack and defense groups who use a given strategy; the state transition process is described by the change (increase, decrease or no change) in the number of participants using that strategy. In the (t+1)-th game, the attack and defense participants obtain game information directly or indirectly through confrontation analysis between groups and mutual learning within groups in the t-th game, calculate the payoffs produced by playing different strategies, and randomly select a high-payoff strategy according to transition probabilities determined by the expected payoffs, the learning degree and the noise factor, so that the number of participants using the high-payoff strategy increases. The learning degree describes how well the attack and defense participants have mastered information such as the decision environment, opponent information and the payoff differences produced by playing different strategies; the noise factor describes random disturbance in the attack and defense process. After many games, as the participants' learning degree improves under the strategy learning and adjustment mechanism, the strategy probability distribution over the state space approaches a steady state, i.e. the stationary probability distribution, which is the realization of a Nash equilibrium in the sense of group behavior. Over time, as the attack and defense participants play, learn and improve their strategies, the proportion of each strategy choice in the group finally reaches a stable state, and the higher the probability, the greater the acceptance of the evolutionarily stable strategy within the group.
Further, in the embodiment of the present invention, the QBD attack and defense random evolution game model is represented by a seven-tuple: QBD-ADSEGM = (Γ, N, S, χ(t), α, β, U), wherein:
1) Γ denotes the groups participating in the game, where attackers denotes the attack group and defenders denotes the defense group;
2) $N=(N_A,N_D)$ denotes the numbers of game participants, where $N_A$ is the number of attackers in the attack group and $N_D$ is the number of defenders in the defense group;
3) $S=(S_A,S_D)$ denotes the strategy space of the attack and defense participants, where the attack strategy set is $S_A=\{A_1,A_2,\ldots,A_m\}$ and the defense strategy set is $S_D=\{D_1,D_2,\ldots,D_n\}$; m and n are the numbers of attack and defense strategies, with $m, n \in \mathbb{Z}$ and $m \geq 2$;
4)
Figure GDA0002108748360000051
represents the state space of the attack and defense evolution at time t and is a two-dimensional random variable, where
Figure GDA0002108748360000052
represents the number of attackers in the attack group who select strategy $A_i$, satisfying
Figure GDA00021087483600000611
and
Figure GDA0002108748360000061
Figure GDA0002108748360000062
represents the number of defenders in the defense group who select strategy $D_j$, satisfying
Figure GDA0002108748360000063
and
Figure GDA0002108748360000064
The state space $\chi(t)$ has size $(N_A+1)(N_D+1)$;
5) $\alpha=(\alpha_1,\alpha_2)$ denotes the set of learning degrees of the attack and defense participants, describing how well they have mastered information such as the decision environment, opponent information and the payoff differences produced by playing different strategies, where $\alpha_1$ is the learning degree of the attackers and $\alpha_2$ is the learning degree of the defenders, satisfying $\alpha_1\in[0,2]$, $\alpha_2\in[0,2]$;
6) β denotes the noise factor of the attack and defense participants, describing random disturbance in the attack and defense process, and satisfies β > 0;
7) $U=(U_A,U_D)$ is the set of payoff functions of the attacking and defending parties; it is determined by the strategies of both parties, and different combinations of attack and defense strategies yield different payoffs.
When the attacker adopts strategy $A_i$ and the defender adopts strategy $D_j$, the strategy payoffs of the attacker and the defender are denoted $a_{ij}$ and $d_{ij}$ respectively. It follows that the expected payoff of an attacker using strategy $A_i$ in the game is
Figure GDA0002108748360000065
and the expected payoff of a defender using strategy $D_j$ in the game is
Figure GDA0002108748360000066
Figure GDA0002108748360000067
Figure GDA0002108748360000068
When the attack and defense participants are uncertain about the opponent's game information, they participate in the game with strategies $\psi_A(t)$, $\psi_D(t)$, namely:
Figure GDA0002108748360000069
Figure GDA00021087483600000610
Further, the corresponding quasi-birth-and-death process is constructed according to the QBD attack and defense random evolution game model, the state space of the quasi-birth-and-death process is obtained, and the equilibrium equations are established.
The quasi-birth-and-death process corresponding to the QBD attack and defense random evolution game model is constructed and denoted {χ(t), t ≥ 0,
Figure GDA0002108748360000071
From this, the state space of the quasi-birth-and-death process is: $\Theta = \{(0,0),(0,1),\ldots,(0,N_D);\ (1,0),(1,1),\ldots,(1,N_D);\ \ldots;\ (N_A,0),(N_A,1),\ldots,(N_A,N_D)\}$.
Further, in the embodiment of the present invention, the equilibrium equations are established as follows: first, the transition probabilities of strategy selection by the attacker and the defender are defined; then the quasi-birth-and-death evolution process is constructed from the transition probability matrix to obtain the equilibrium equations of the attack and defense evolution process.
First, the transition probabilities of the attacker's strategy selection are defined:
Figure GDA0002108748360000072
Figure GDA0002108748360000073
Figure GDA0002108748360000074
where $A_{-i}=(A_1,\ldots,A_{i-1},A_{i+1},\ldots,A_m)$ is the vector of all attack strategy components except i,
Figure GDA0002108748360000075
represents the maximum of the expected payoffs of the strategies other than $A_i$,
Figure GDA0002108748360000076
represents the probability that an attacker who selected strategy $A_{-i}$ changes strategy and selects strategy $A_i$ instead, and
Figure GDA0002108748360000077
represents the probability that an attacker who selected strategy $A_i$ changes strategy and selects strategy $A_{-i}$ instead.
Similarly, the transition probabilities of the defender's strategy selection are:
Figure GDA0002108748360000078
Figure GDA0002108748360000079
Figure GDA00021087483600000710
where
Figure GDA00021087483600000711
represents the probability that a defender who selected strategy $D_j$ changes strategy and selects strategy $D_{-j}$, and
Figure GDA00021087483600000712
represents the probability that a defender who selected strategy $D_{-j}$ changes strategy and selects strategy $D_j$.
Then, for the quasi-birth-and-death attack and defense evolution process
Figure GDA00021087483600000713
the transition probability matrix is:
Figure GDA0002108748360000081
In the above matrix,
Figure GDA0002108748360000082
denotes the submatrices on the main diagonal of matrix $Q_\beta$, written as:
Figure GDA0002108748360000083
When k = 0, write:
Figure GDA0002108748360000084
When $1 \leq k \leq N_A - 1$, write:
Figure GDA0002108748360000085
When $k = N_A$, write:
Figure GDA0002108748360000086
In addition,
Figure GDA0002108748360000087
denotes the submatrices on the upper (right) off-diagonal of matrix $Q_\beta$, written as:
Figure GDA0002108748360000091
Figure GDA0002108748360000092
denotes the submatrices on the lower (left) off-diagonal of matrix $Q_\beta$, written as:
Figure GDA0002108748360000093
Further, in the embodiment of the invention, in the equilibrium solving process, the equilibrium equations are first subjected to elementary transformations and solved, and the stationary probability distribution of the QBD attack and defense evolution process is obtained under the positive recurrence condition, giving the stationary probability distribution of the attack and defense random evolution game. Preferably, the equilibrium equations are subjected to elementary transformations by Gaussian elimination, according to the nonlinear homogeneous equation set property of the equilibrium equations. Preferably, in solving the equilibrium equations, game information is obtained through confrontation analysis between game groups and mutual learning within them, and the payoffs produced by playing different strategies are calculated, so that the transition probabilities are determined from the expected payoffs, the learning degree and the noise factor.
Let
Figure GDA0002108748360000094
denote the stationary probability distribution of the QBD, where
Figure GDA0002108748360000095
Assuming that the QBD process is positive recurrent, from the equilibrium equations $P(\beta)Q_\beta = 0$ and $P(\beta)e = 1$ it follows that
Figure GDA0002108748360000096
For ease of understanding, let
Figure GDA0002108748360000097
The equilibrium equations are then equivalent to
Figure GDA0002108748360000098
The equilibrium equations constructed in the embodiment of the invention are in fact a nonlinear homogeneous equation set. They are subjected to elementary transformations by block-matrix Gaussian elimination and the QBD equilibrium equations are solved; under the positive recurrence condition, P(β) is the stationary probability distribution of the QBD, which gives the long-term stable equilibrium of the attack and defense random evolution game.
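The solution step described above, as an added example that is not code from the patent: it builds the generator of a two-dimensional attack and defense chain on the state space Θ and solves the equilibrium equations P(β)Q_β = 0, P(β)e = 1 by Gaussian elimination. The payoff values and the switching rule (rate = β + α × positive payoff gain) are assumptions made for illustration, because the patent's transition-probability formulas and Table 1 are not reproduced on this page.

```python
"""Added example: stationary distribution of a small attack-defense QBD chain.

State (i, j): i attackers use A1 (the rest A2), j defenders use D1 (the rest D2).
The switching rule and payoff numbers are assumptions, not the patent's formulas.
"""

N_A, N_D = 8, 10                  # population sizes from the page's experiment
ATT = [[4.0, 6.0], [2.0, 3.0]]    # constructed a_ij: attacker payoff, rows A1/A2, cols D1/D2
DEF = [[3.0, 1.0], [2.0, 1.0]]    # constructed d_ij: defender payoff, same indexing


def states():
    """State space Theta in lexicographic order: level i, phase j."""
    return [(i, j) for i in range(N_A + 1) for j in range(N_D + 1)]


def switch_rates(i, j, alpha, beta):
    """Assumed rule: each player switches at rate beta + alpha * max(0, payoff gain)."""
    x, y = i / N_A, j / N_D       # current shares of A1 and D1
    gain_a = (ATT[0][0] - ATT[1][0]) * y + (ATT[0][1] - ATT[1][1]) * (1 - y)  # E[A1]-E[A2]
    gain_d = (DEF[0][0] - DEF[0][1]) * x + (DEF[1][0] - DEF[1][1]) * (1 - x)  # E[D1]-E[D2]
    return {
        (i + 1, j): (N_A - i) * (beta + alpha * max(0.0, gain_a)),
        (i - 1, j): i * (beta + alpha * max(0.0, -gain_a)),
        (i, j + 1): (N_D - j) * (beta + alpha * max(0.0, gain_d)),
        (i, j - 1): j * (beta + alpha * max(0.0, -gain_d)),
    }


def generator(alpha, beta):
    """Generator matrix Q; block-tridiagonal because i changes by at most 1 per jump."""
    idx = {s: k for k, s in enumerate(states())}
    q = [[0.0] * len(idx) for _ in idx]
    for (i, j), k in idx.items():
        for target, rate in switch_rates(i, j, alpha, beta).items():
            if target in idx and rate > 0.0:
                q[k][idx[target]] = rate
                q[k][k] -= rate   # each row of a generator sums to zero
    return q


def stationary(alpha, beta):
    """Solve pi Q = 0, pi e = 1 by Gauss-Jordan elimination with partial pivoting."""
    q = generator(alpha, beta)
    n = len(q)
    # Augmented system: Q^T pi = 0, with the last equation replaced by sum(pi) = 1.
    a = [[q[c][r] for c in range(n)] + [0.0] for r in range(n)]
    a[n - 1] = [1.0] * n + [1.0]
    for col in range(n):
        piv = max(range(col, n), key=lambda r: abs(a[r][col]))
        a[col], a[piv] = a[piv], a[col]
        p = a[col][col]
        a[col] = [v / p for v in a[col]]
        for r in range(n):
            if r != col and a[r][col] != 0.0:
                f = a[r][col]
                a[r] = [vr - f * vc for vr, vc in zip(a[r], a[col])]
    return dict(zip(states(), (a[r][n] for r in range(n))))


def attacker_marginal(pi):
    """P(i attackers use A1), summed over the defender dimension."""
    return [sum(pi[(i, j)] for j in range(N_D + 1)) for i in range(N_A + 1)]


def most_threatening(pi):
    """Attack strategy with the larger long-run share, and the mean share of A1."""
    share_a1 = sum(i * p for i, p in enumerate(attacker_marginal(pi))) / N_A
    return ("A1" if share_a1 >= 0.5 else "A2"), share_a1


if __name__ == "__main__":
    for alpha in (0.1, 0.5, 1.0, 2.0):      # the alpha values studied on the page
        pi = stationary(alpha, beta=0.5)    # beta = 0.5 as in the page's experiment
        name, share = most_threatening(pi)
        print(f"alpha={alpha}: P(all attackers use A1)={attacker_marginal(pi)[N_A]:.4f}, "
              f"predicted {name} (mean share {share:.3f})")
```

Because the switching rule is assumed, the printed probabilities will not match the patent's reported figures; the point is the structure of the generator and the solve.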
Further, an embodiment of the present invention also provides an attack prediction device based on the QBD attack and defense random evolution game model, as shown in FIG. 2, comprising a model building module 101, an equation building module 102 and an analysis solving module 103, wherein:
the model building module 101 is used for abstracting the attack and defense evolution process as a quasi-birth-and-death (QBD) process, introducing a learning degree and a noise factor to describe the dynamic evolution trajectory of the attack and defense participants' strategy learning and adjustment under random disturbance, and constructing the QBD attack and defense random evolution game model;
the equation building module 102 is used for establishing the equilibrium equations of the quasi-birth-and-death attack and defense confrontation process according to the QBD attack and defense random evolution game model;
the analysis solving module 103 is used for solving the equilibrium equations to obtain the stationary probability distribution of strategies in the quasi-birth-and-death attack and defense process, and for obtaining the most threatening attack strategy from the stationary strategy probability distribution.
Further, an embodiment of the present invention also provides a network security system, which includes the attack prediction device based on the QBD attack and defense random evolution game model of the above embodiment and is used for predictive analysis of attack behavior in the network system.
To verify the effectiveness of the QBD random evolution game model and the accuracy of attack prediction, experiments are performed in a specific network information system environment. As shown in FIG. 3, the network system environment mainly comprises an external network attack group, a DMZ and an internal network, where the network security protection devices comprise a firewall, an intrusion prevention device and a bastion host, and are used to protect the database server of the internal network and prevent data resources from being stolen. The system environment is scanned with Nessus; with reference to the attack and defense behavior database of MIT (USA) and information from the China National Vulnerability Database of Information Security (CNNVD), the attack and defense strategy sets used in the experiment are designed: the attack strategies are $A_1$ (database snooping) and $A_2$ (port scan attack), and the defense strategies are $D_1$ (database upgrade) and $D_2$ (turning off idle port services).
Based on the established QBD random evolution game model, and considering that the attack and defense participants are boundedly rational and maximize their respective payoffs while pursuing a balance between information security risk and investment, the payoffs produced by the different attack and defense strategies in the game are calculated with reference to a payoff quantification method combined with the characteristics of the quasi-birth-and-death process, giving the attack and defense strategy payoff matrix of Table 1.
Table 1. Attack and defense strategy payoff matrix
Figure GDA0002108748360000101
Assume that the number of attackers is N_A = 8 and the number of defenders is N_D = 10.
Considering the influence of a certain amount of random disturbance in the attack and defense confrontation process, the noise factor β is assumed to be 0.5. In this simulation scenario, the learning degree parameters α_i (i = 1, 2) are varied to observe how an improvement in the learning degree of both the attack and defense parties influences attack prediction; that is, the evolution rules of the game between the attack and defense parties are studied for α1 = α2 = α = 0.1, 0.5, 1.0, 2.0.
The stationary probability distribution of the QBD attack and defense random evolution game model is then solved. When α = 0.1, the matrix P from which the stationary probability distribution is calculated is:
Figure GDA0002108748360000111
Let:
Figure GDA0002108748360000112
wherein
Figure GDA0002108748360000113
represents the stationary probability that the number of attackers adopting strategy A1 in the attack group is i and the number of defenders selecting strategy D1 in the defense group is j;
Figure GDA0002108748360000114
represents the stationary probability, after multiple games, that the number of attackers adopting strategy A1 in the attack group is i;
Figure GDA0002108748360000115
represents the stationary probability, after multiple games, that the number of defenders adopting strategy D1 in the defense group is j. The strategy stationary probability distributions of the attack and defense group evolution game obtained in this way are shown in FIG. 4 and FIG. 5, where FIG. 4 is the stationary probability distribution of the attack group when α = 0.1 and FIG. 5 is the stationary probability distribution of the defense group when α = 0.1.
In the stationary probability distribution of the attack group in FIG. 4, the abscissa represents the number of attackers selecting strategy A1 or A2, and the ordinate represents the stationary probability of strategy A1. When α = 0.1, the probability that all attackers in the attack group select strategy A1 is only 58.79%, the probability that 7 attackers select strategy A1 and 1 attacker selects strategy A2 is 24.44%, and the probability that 6 attackers select strategy A1 and 2 attackers select strategy A2 is 10.07%. The numerical results thus indicate a significant divergence in attack strategy selection. Similarly, as can be seen from FIG. 5, the probability that all defenders select strategy D1 is only 65.39%, and the probability that 1 defender selects strategy D2 is 22.61%, so the strategy selection is clearly inconsistent.
Likewise, for α = α1 = α2 = 0.1, 0.5, 1.0 and 2.0, the stationary probability distributions of the attack and defense group evolution game under the different learning degree parameters are shown in Table 2 and Table 3, wherein
Figure GDA0002108748360000121
denotes that the number of attackers selecting strategy A1 in the attack group is i, and
Figure GDA0002108748360000122
denotes that the number of defenders selecting strategy D1 in the defense group is j.
TABLE 2 Stationary probability distribution results of the attack group evolution game under different learning degree parameters
Figure GDA0002108748360000123
TABLE 3 Stationary probability distribution results of the defense group evolution game under different learning degree parameters
Figure GDA0002108748360000124
The stationary probability distribution diagrams of the attack and defense population evolution under different learning degree parameters, shown in FIG. 6 and FIG. 7, are obtained by Matlab 2016b simulation, so that the two groups of numerical results in Tables 2 and 3 can be analyzed and compared intuitively.
As the learning degree α varies over the interval [0, 2], FIG. 6 and FIG. 7 show the trends of the stationary probability distributions for selecting attack strategy A1 in the attack group and defense strategy D1 in the defense group, respectively. When α tends to 2, attack strategy selection converges to the optimal strategy A1 and defense strategy selection converges to the optimal strategy D1; that is, the probability that all attackers in the attack group select strategy A1 is 96.94% (error less than 5%), and the probability that all defenders in the defense group select strategy D1 is 96.61% (error less than 5%).
From the above numerical results, the following conclusions can be drawn: through confrontation between the groups and mutual learning within the same group, game information is collected and analyzed, and the attack and defense participants' understanding of their opponents' behavior and intention and of the decision environment is gradually enhanced. As the learning degree α increases, the selection of the optimal attack strategy A1 becomes stable, from which it follows that attack strategy A1 is the predicted most threatening attack strategy. A small value of α indicates that the attack and defense participants lack knowledge of the game results and the decision environment; the attack and defense decision process then has obvious randomness, and the stationary probability distribution of the evolutionary game does not necessarily converge to a specific strategy.
Assuming the learning degree is a fixed constant α1 = α2 = 0.7, the influence of different noise factors β on the game evolution of the attack and defense parties is observed in this simulation scenario for β = 0.2, 1.2, 2.2 and 5.0. Solving the stationary probability distribution of the quasi-birth-and-death process corresponding to this group of models gives the internal evolution game results of the attack and defense groups under different noise factors, shown in Tables 4 and 5.
TABLE 4 Stationary probability distribution results of the attack group evolution game under different noise factors
Figure GDA0002108748360000131
TABLE 5 Stationary probability distribution results of the defense group evolution game under different noise factors
Figure GDA0002108748360000132
The internal evolution law of the attack and defense groups can be seen intuitively from FIG. 8 and FIG. 9. When β = 0.2, the behavior of the attackers (defenders) is little affected by random disturbance and strategy selection is highly consistent: the probability that all attackers in the attack group select strategy A1 is 96.53%, and the probability that all defenders in the defense group select D1 is 96.15%. As β increases, however, the influence of random disturbance becomes obvious, and when β = 5.0 the attackers in the population diverge in strategy selection. The probability that all attackers in the attack population select A1 is only 49.39%, the probability that 1 attacker selects strategy A2 is 25.41%, and the probability that 2 attackers select A2 is 12.96%. Similarly, the results for the defense group show that when β = 5.0 the probability that all defenders adopt strategy D1 is only 59.51%, and the probability that 1 defender in the population selects strategy D2 is 24.01%, so strategy selection is clearly inconsistent.
To address the influence of random disturbance on the attack and defense groups during the game, the invention introduces a learning degree parameter and a noise factor, models the attack and defense random evolution game on the basis of the quasi-birth-and-death process, and solves the balance equation of the constructed attack and defense game quasi-birth-and-death process by Gaussian elimination to obtain the stationary probability distribution of the strategies of the attack and defense groups in the limit, thereby identifying the most threatening attack strategy and achieving attack prediction. The results show that as the attack and defense evolution advances, the attack and defense groups gradually deepen their understanding of the decision environment and of their opponents by collecting the opponents' game characteristic information; as the learning degree keeps increasing, no obvious divergence appears in the participants' strategy selection, and all participants tend to select the evolutionarily stable strategy. As the random disturbance grows stronger, however, the game system tends to become unstable, the game result is dominated by the random disturbance, and the attack and defense groups diverge markedly in strategy selection. In an actual attack and defense scenario random factors are unavoidable, but reducing their influence as far as possible and strengthening the learning degree is of guiding significance for practical network attack prediction.
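An added illustration, not part of the patent text: the solving step described above, written in Python for a chain over states (i, j) with N_A = 8 and N_D = 10, whose balance equations are solved by Gaussian elimination and whose marginal stationary probabilities are then read off. The payoff values and the logit revision rule with intensity α/β are assumptions made here (Table 1 and the patent's transition probability formula are not reproduced on this page), so the probabilities it computes differ from those in Tables 2 to 5.

```python
import math

N_A, N_D = 8, 10   # group sizes used in the experiment above
# Constructed payoffs (assumption; Table 1 is not reproduced on the page).
U_ATT = [[3.0, 5.0], [1.0, 2.0]]   # attacker rows A1, A2 against D1, D2
U_DEF = [[4.0, 2.0], [1.0, 1.5]]   # defender rows D1, D2 against A1, A2

def pick_first(payoff, share, alpha, beta):
    """Assumed logit rule: chance that a revising player picks its first
    strategy when a fraction `share` of the opponents play their first one."""
    u1 = payoff[0][0] * share + payoff[0][1] * (1 - share)
    u2 = payoff[1][0] * share + payoff[1][1] * (1 - share)
    return 1.0 / (1.0 + math.exp(-(alpha / beta) * (u1 - u2)))

def state(i, j):
    return i * (N_D + 1) + j   # i attackers on A1, j defenders on D1

def transition_matrix(alpha, beta):
    """One randomly chosen player of one randomly chosen group revises per
    step, so i and j move by at most one: a quasi-birth-and-death chain."""
    n = (N_A + 1) * (N_D + 1)
    P = [[0.0] * n for _ in range(n)]
    for i in range(N_A + 1):
        for j in range(N_D + 1):
            pa = pick_first(U_ATT, j / N_D, alpha, beta)
            pd = pick_first(U_DEF, i / N_A, alpha, beta)
            moves = {(i + 1, j): 0.5 * (N_A - i) / N_A * pa,
                     (i - 1, j): 0.5 * i / N_A * (1 - pa),
                     (i, j + 1): 0.5 * (N_D - j) / N_D * pd,
                     (i, j - 1): 0.5 * j / N_D * (1 - pd)}
            s = state(i, j)
            for (a, d), p in moves.items():
                if p > 0.0:   # moves leaving the state space have p == 0
                    P[s][state(a, d)] = p
            P[s][s] = 1.0 - sum(moves.values())
    return P

def solve_gauss(A, b):
    """Gaussian elimination with partial pivoting; returns x with A x = b."""
    n = len(b)
    M = [row[:] + [b[k]] for k, row in enumerate(A)]
    for c in range(n):
        piv = max(range(c, n), key=lambda r: abs(M[r][c]))
        M[c], M[piv] = M[piv], M[c]
        for r in range(c + 1, n):
            f = M[r][c] / M[c][c]
            if f:
                for k in range(c, n + 1):
                    M[r][k] -= f * M[c][k]
    x = [0.0] * n
    for r in range(n - 1, -1, -1):
        x[r] = (M[r][n] - sum(M[r][k] * x[k] for k in range(r + 1, n))) / M[r][r]
    return x

def stationary(alpha, beta):
    """Stationary distribution pi of the chain, plus its transition matrix."""
    P = transition_matrix(alpha, beta)
    n = len(P)
    # Balance equations pi P = pi, i.e. (P^T - I) pi = 0, have rank n - 1,
    # so the last one is replaced by the normalisation sum(pi) = 1.
    A = [[P[c][r] - (r == c) for c in range(n)] for r in range(n)]
    A[-1] = [1.0] * n
    return solve_gauss(A, [0.0] * (n - 1) + [1.0]), P

def marginals(pi):
    att = [sum(pi[state(i, j)] for j in range(N_D + 1)) for i in range(N_A + 1)]
    dfn = [sum(pi[state(i, j)] for i in range(N_A + 1)) for j in range(N_D + 1)]
    return att, dfn

def most_threatening(alpha, beta):
    """Attack strategy with the larger stationary share, and P(all pick A1)."""
    pi, _ = stationary(alpha, beta)
    att, _ = marginals(pi)
    share_a1 = sum(i * p for i, p in enumerate(att)) / N_A
    return ("A1" if share_a1 >= 0.5 else "A2"), att[N_A]

if __name__ == "__main__":
    for alpha in (0.1, 0.5, 1.0, 2.0):   # beta = 0.5 as in the first experiment
        print(alpha, most_threatening(alpha, 0.5))
```

Under these assumed payoffs A1 dominates A2, so the predicted strategy is A1 at every setting; what changes with α and β is how concentrated the stationary distribution is on the all-A1 state.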
Unless specifically stated otherwise, the relative steps, numerical expressions, and values of the components and steps set forth in these embodiments do not limit the scope of the present invention.
Based on the foregoing method, an embodiment of the present invention further provides a server, including: one or more processors; a storage device for storing one or more programs which, when executed by the one or more processors, cause the one or more processors to implement the method described above.
Based on the above method, the embodiment of the present invention further provides a computer readable medium, on which a computer program is stored, wherein the program, when executed by a processor, implements the above method.
The device provided by the embodiment of the present invention has the same implementation principle and technical effect as the method embodiments; for brevity, where the device embodiments do not mention something, reference may be made to the corresponding content in the method embodiments.
It is clear to those skilled in the art that, for convenience and brevity of description, the specific working processes of the system and the apparatus described above may refer to the corresponding processes in the foregoing method embodiments, and are not described herein again.
The functions, if implemented in the form of software functional units and sold or used as a stand-alone product, may be stored in a non-volatile computer-readable storage medium executable by a processor. Based on such understanding, the technical solution of the present invention may be embodied in the form of a software product, which is stored in a storage medium and includes instructions for causing a computer device (which may be a personal computer, a server, or a network device) to execute all or part of the steps of the method according to the embodiments of the present invention. And the aforementioned storage medium includes: a U-disk, a removable hard disk, a Read-Only Memory (ROM), a Random Access Memory (RAM), a magnetic disk or an optical disk, and other various media capable of storing program codes.
Finally, it should be noted that: the above-mentioned embodiments are only specific embodiments of the present invention, which are used for illustrating the technical solutions of the present invention and not for limiting the same, and the protection scope of the present invention is not limited thereto, although the present invention is described in detail with reference to the foregoing embodiments, those skilled in the art should understand that: any person skilled in the art can modify or easily conceive the technical solutions described in the foregoing embodiments or equivalent substitutes for some technical features within the technical scope of the present disclosure; such modifications, changes or substitutions do not depart from the spirit and scope of the embodiments of the present invention, and they should be construed as being included therein. Therefore, the protection scope of the present invention shall be subject to the protection scope of the claims.

Claims (7)

1. An attack prediction method based on a QBD attack and defense random evolution game model, characterized by comprising the following:
abstracting the attack and defense evolution process into a quasi-birth-and-death (QBD) process, introducing a learning degree and a noise factor to depict the dynamic evolution track of the strategy learning adjustment of attack and defense participants under random disturbance, and constructing a QBD attack and defense random evolution game model;
establishing a balance equation of the quasi-birth-and-death attack and defense confrontation process according to the QBD attack and defense random evolution game model;
solving the balance equation to obtain the strategy stationary probability distribution of the quasi-birth-and-death attack and defense confrontation process; obtaining the most threatening attack strategy according to the strategy stationary probability distribution;
constructing a corresponding quasi-birth-and-death process according to the QBD attack and defense random evolution game model, acquiring the state space of the quasi-birth-and-death process, and establishing the balance equation;
the balance equation is established as follows: first, defining the transition probabilities of strategy selection of the attacker and the defender; then constructing the quasi-birth-and-death evolution process according to the transition probability matrix to obtain the balance equation of the attack and defense evolution process;
the QBD attack and defense random evolution game model is represented by a seven-tuple: QBD-ADSEGM (gamma, N, S, chi (t), alpha, beta, U), wherein gamma represents the attacking and defending game group, N represents the number of attacking and defending participants, S represents the strategy space of the attacking and defending participants, chi (t) represents the attacking and defending state space at the time t, alpha represents the learning degree set of the attacking and defending participants, beta represents the noise factor of the attacking and defending participants, and U represents the benefit function set of both attacking and defending parties.
2. The attack prediction method based on the QBD attack and defense random evolution game model is characterized in that the attack and defense participant learning degree set comprises learning parameters for describing the mastery degree of an attacker on attack and defense information and learning parameters for describing the mastery degree of a defender on attack and defense information; and the noise factor of the attack and defense participants is used for describing random disturbance in the attack and defense process and is set to be greater than 0.
3. The attack prediction method based on the QBD attack and defense random evolution game model according to claim 1, characterized in that in the equilibrium state solving process, the equilibrium equation is first transformed and solved, and the stable probability distribution of the QBD attack and defense evolution process is obtained through normal return conditions, so that the stable probability distribution of the attack and defense random evolution game is obtained.
4. The attack prediction method based on the QBD attack and defense random evolution game model is characterized in that the equilibrium equation is subjected to elementary transformation by adopting a Gaussian elimination method according to the nonlinear homogeneous equation set property of the equilibrium equation.
5. The attack prediction method based on the QBD attack and defense random evolution game model is characterized in that in the balance equation solving, game information is obtained by analyzing the confrontation analysis and mutual learning among game groups, earnings generated by games with different strategies are calculated, and the transition probability is determined according to the expected earnings, the learning degree and the noise factor.
6. An attack prediction device based on a QBD attack and defense random evolution game model, characterized by comprising: a model building module, an equation building module and an analysis solving module, wherein,
the model establishing module is used for abstracting the attack and defense evolution process into a quasi-birth-and-death (QBD) process, introducing a learning degree and a noise factor to depict the dynamic evolution track of the strategy learning adjustment of attack and defense participants under random disturbance, and establishing a QBD attack and defense random evolution game model;
the equation establishing module is used for establishing a balance equation of the quasi-birth-and-death attack and defense confrontation process according to the QBD attack and defense random evolution game model;
the analysis solving module is used for solving the balance equation to obtain the strategy stationary probability distribution of the quasi-birth-and-death attack and defense confrontation process, and for obtaining the most threatening attack strategy according to the strategy stationary probability distribution;
constructing a corresponding quasi-birth-and-death process according to the QBD attack and defense random evolution game model, acquiring the state space of the quasi-birth-and-death process, and establishing the balance equation;
the balance equation is established as follows: first, defining the transition probabilities of strategy selection of the attacker and the defender; then constructing the quasi-birth-and-death evolution process according to the transition probability matrix to obtain the balance equation of the attack and defense evolution process;
the QBD attack and defense random evolution game model is represented by a seven-tuple: QBD-ADSEGM (gamma, N, S, chi (t), alpha, beta, U), wherein gamma represents the attacking and defending game group, N represents the number of attacking and defending participants, S represents the strategy space of the attacking and defending participants, chi (t) represents the attacking and defending state space at the time t, alpha represents the learning degree set of the attacking and defending participants, beta represents the noise factor of the attacking and defending participants, and U represents the benefit function set of both attacking and defending parties.
7. A network security system, characterized by comprising the attack prediction device based on QBD attack and defense random evolution game model in claim 6.
CN201910549015.6A 2019-06-24 2019-06-24 Attack prediction method, device and system based on QBD attack and defense random evolution game model Active CN110417733B (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN201910549015.6A CN110417733B (en) 2019-06-24 2019-06-24 Attack prediction method, device and system based on QBD attack and defense random evolution game model

Applications Claiming Priority (1)

Application Number Priority Date Filing Date Title
CN201910549015.6A CN110417733B (en) 2019-06-24 2019-06-24 Attack prediction method, device and system based on QBD attack and defense random evolution game model

Publications (2)

Publication Number Publication Date
CN110417733A CN110417733A (en) 2019-11-05
CN110417733B true CN110417733B (en) 2021-09-10

Family

ID=68359709

Family Applications (1)

Application Number Title Priority Date Filing Date
CN201910549015.6A Active CN110417733B (en) 2019-06-24 2019-06-24 Attack prediction method, device and system based on QBD attack and defense random evolution game model

Country Status (1)

Country Link
CN (1) CN110417733B (en)

Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination
GR01 Patent grant