CN110417733B - Attack prediction method, device and system based on QBD attack and defense random evolution game model - Google Patents
- Publication number: CN110417733B (CN201910549015.6A)
- Authority: CN (China)
- Legal status: Active
Abstract
The invention belongs to the technical field of network security, and particularly relates to an attack prediction method, device and system based on a QBD attack and defense random evolution game model. The method comprises the following steps: abstracting the attack and defense evolution process into a quasi-birth-and-death (QBD) process, introducing a learning degree and a noise factor to describe the dynamic evolution trajectory of the strategy learning and adjustment of attack and defense participants under random disturbance, and constructing a QBD attack and defense random evolution game model; establishing the balance equation of the quasi-birth-and-death attack and defense confrontation process according to the QBD attack and defense random evolution game model; solving the balance equation to obtain the stationary probability distribution of strategies of the quasi-birth-and-death attack and defense process; and obtaining the most threatening attack strategy according to the stationary probability distribution of strategies. The method is closer to actual attack and defense confrontation scenarios, takes into account the influence of random disturbance in the attack and defense evolution process, provides a game model that simulates the random evolution of attack and defense, enhances the ability to predict attack behavior, improves attack prediction accuracy and model effectiveness, and has important guiding significance for the development of network security technology.
Description
Technical Field
The invention belongs to the technical field of network security, and particularly relates to an attack prediction method, device and system based on a QBD attack and defense random evolution game model.
Background
In the field of network security, attackers use various attack means against a defended system to acquire valuable information resources, and defenders protect the system with different defense means chosen according to the attackers' intent, so as to prevent the information resources from being stolen. To defend an information system effectively, the defender needs to predict attack behavior accurately in advance and so avoid heavy losses of information resources. The opposed objectives, interdependent strategies and non-cooperative relationship of the two sides in network attack and defense confrontation match the basic characteristics of game theory well. The research and application of game theory in the field of network security has therefore become a focus of research in recent years.
At present, most research results on game theory in the field of network security are based on the assumption of complete rationality: the attack and defense participants are assumed to know the opponent's available strategies and payoff structure completely, and the optimal response strategy is obtained by solving for the Nash equilibrium. These results do not consider the bounded rationality of real attack and defense participants. Their security knowledge, skill level and available game information are limited, their reasoning during decision making is not always correct, and they cannot make the optimal response to every change in the decision environment. The idealized assumption of complete rationality does not match real network attack and defense conditions, so the practical results deviate. With the research and application of evolutionary game theory in network security, attack behavior prediction and defense strategy selection are analyzed with evolutionary games based on bounded rationality, which fits network attack and defense confrontation scenarios better. The evolutionary game takes the bounded rationality of the attack and defense participants into account: through continuous learning and adjustment of strategies, the participants gradually master information such as the decision environment, opponent information and the payoff differences produced by playing different strategies, and the game finally evolves dynamically to a stable equilibrium state.
In current research, one line of work starts from attack and defense costs in information security, establishes an evolutionary game model of information security attack and defense confrontation, and obtains its evolutionarily stable strategy from the replicator dynamics of the attack and defense groups. Another combines evolutionary games with system dynamics to establish an attack and defense evolutionary game model, and checks the model with respect to system boundary, effectiveness and parameter sensitivity to demonstrate its objectivity, scientific soundness and practicality. Another studies the defense strategy selection problem from the perspective of the bounded rationality of the attack and defense participants, constructs an attack and defense evolutionary game model, and uses the replicator dynamics learning mechanism to give and analyze a method for solving the evolutionarily stable strategy. Another establishes a multi-stage attack and defense evolutionary game model for the Internet of Things, quantifies the payoff and cost of attack and defense strategies, and determines the optimal defense strategy with the replicator dynamics learning mechanism. However, all of the above studies are based on the replicator dynamics learning mechanism, which is a deterministic natural-selection learning model without mutation that always selects strategies whose expected payoff is higher than the average payoff. In real attack and defense confrontation, under random disturbances such as uncertain attack behaviors and intentions and changes in the decision environment, the deterministic replicator dynamics mechanism has difficulty estimating and predicting the dynamic evolution of attack and defense accurately.
Disclosure of Invention
To this end, the invention provides an attack prediction method, device and system based on the QBD attack and defense random evolution game model, which are closer to actual attack and defense confrontation scenarios, enhance the ability to predict attack behavior, improve the accuracy and effectiveness of attack prediction, and have strong application prospects.
According to the design scheme provided by the invention, the attack prediction method based on the QBD attack and defense random evolution game model comprises the following steps:
abstracting the attack and defense evolution process into a quasi-birth-and-death (QBD) process, introducing a learning degree and a noise factor to describe the dynamic evolution trajectory of the strategy learning and adjustment of attack and defense participants under random disturbance, and constructing a QBD attack and defense random evolution game model;
establishing the balance equation of the quasi-birth-and-death attack and defense confrontation process according to the QBD attack and defense random evolution game model;
solving the balance equation to obtain the stationary probability distribution of strategies of the quasi-birth-and-death attack and defense process; and obtaining the most threatening attack strategy according to the stationary probability distribution of strategies.
In the above, the QBD attack and defense random evolution game model is represented by a seven-tuple: QBD-ADSEGM $= (\Gamma, N, S, \chi(t), \alpha, \beta, U)$, wherein $\Gamma$ represents the attack and defense game groups, $N$ represents the number of attack and defense participants, $S$ represents the strategy space of the attack and defense participants, $\chi(t)$ represents the attack and defense state space at time $t$, $\alpha$ represents the learning degree set of the attack and defense participants, $\beta$ represents the noise factor of the attack and defense participants, and $U$ represents the set of payoff functions of the attacker and defender.
The learning degree set of the attack and defense participants comprises a learning parameter describing the attackers' degree of mastery of attack and defense information and a learning parameter describing the defenders' degree of mastery of attack and defense information; the noise factor of the attack and defense participants describes the random disturbance in the attack and defense process and is set to be greater than 0.
The corresponding quasi-birth-and-death process is constructed according to the QBD attack and defense random evolution game model, the state space of the quasi-birth-and-death process is obtained, and the balance equation is established.
In the above, the balance equation is established as follows: first, the transition probabilities of strategy selection of the attacker and the defender are defined; then the quasi-birth-and-death evolution process is constructed from the transition probability matrix to obtain the balance equation of the attack and defense evolution process.
In the above, when solving for the equilibrium state, the balance equation is first subjected to elementary transformation and solved, and the stationary probability distribution of the QBD attack and defense evolution process is obtained under the positive recurrence condition, which gives the stationary probability distribution of the attack and defense random evolution game.
Preferably, the balance equation is subjected to elementary transformation by Gaussian elimination, in view of its property as a nonlinear homogeneous system of equations.
Preferably, in solving the balance equation, game information is obtained through confrontation analysis between the game groups and mutual learning within them, and the payoffs produced by playing different strategies are calculated, so that the transition probabilities are determined from the expected payoff, the learning degree and the noise factor.
Further, the invention also provides an attack prediction device based on the QBD attack and defense random evolution game model, which comprises a model establishing module, an equation establishing module and an analysis solving module, wherein:
the model establishing module is used for abstracting the attack and defense evolution process into a quasi-birth-and-death (QBD) process, introducing a learning degree and a noise factor to describe the dynamic evolution trajectory of the strategy learning and adjustment of attack and defense participants under random disturbance, and establishing the QBD attack and defense random evolution game model;
the equation establishing module is used for establishing the balance equation of the quasi-birth-and-death attack and defense confrontation process according to the QBD attack and defense random evolution game model;
the analysis solving module is used for solving the balance equation to obtain the stationary probability distribution of strategies of the quasi-birth-and-death attack and defense process, and obtaining the most threatening attack strategy according to the stationary probability distribution of strategies.
Furthermore, the invention also provides a network security system which comprises the attack prediction device based on the QBD attack and defense random evolution game model.
The invention has the following beneficial effects:
The method introduces a learning degree parameter and a noise factor to describe the dynamic evolution trajectory of the strategy learning and adjustment of attack and defense participants under random disturbance, solves for the stationary probability distribution of strategies of the quasi-birth-and-death attack and defense evolution process by establishing the balance equation of the quasi-birth-and-death attack and defense confrontation process, and gives the most threatening attack strategy. To address the influence of random disturbance on the attack and defense groups during the game, the attack and defense random evolution game is modeled on a quasi-birth-and-death process by introducing the learning degree parameter and the noise factor, and the balance equation of the constructed quasi-birth-and-death process is solved to obtain the stationary probability distribution of the strategies of the attack and defense groups in the limit, so that the most threatening attack strategy is known and attack prediction is achieved. The method is closer to actual attack and defense confrontation scenarios, considers the influence of random disturbance in the attack and defense evolution process, provides a game model that simulates the random evolution of attack and defense, and enhances the ability to predict attack behavior; the accuracy of attack prediction and the effectiveness of the model are verified through a simulation experiment, and the method has important guiding significance for the development of network security technology.
Description of the drawings:
FIG. 1 is a schematic flow chart of an attack prediction method in an embodiment;
FIG. 2 is a schematic diagram of an attack prediction apparatus according to an embodiment;
FIG. 3 is a topology diagram of a network information experiment system in an embodiment;
FIG. 4 is the stationary probability distribution of the attack group when α = 0.1 in the embodiment;
FIG. 5 is the stationary probability distribution of the defense group when α = 0.1 in the embodiment;
FIG. 6 is the stationary probability distribution of attack strategy $A_1$ under different values of α in the embodiment;
FIG. 7 is the stationary probability distribution of defense strategy $D_1$ under different values of α in the embodiment;
FIG. 8 is the stationary probability distribution of the attack group when β takes different values in the embodiment;
FIG. 9 is the stationary probability distribution of the defense group when β takes different values in the embodiment.
The specific implementation mode is as follows:
In order to make the objects, technical solutions and advantages of the present invention clearer, the present invention is described in further detail below with reference to the accompanying drawings and technical solutions.
In existing practice, under random disturbances such as uncertain attack behaviors and intentions and changes in the decision environment, a deterministic replicator dynamics mechanism has difficulty estimating and predicting the dynamic evolution of attack and defense accurately. To address this, the embodiment of the invention, as shown in FIG. 1, provides an attack prediction method based on a QBD attack and defense random evolution game model, which comprises the following steps:
S101, abstracting the attack and defense evolution process into a quasi-birth-and-death (QBD) process, introducing a learning degree and a noise factor to describe the dynamic evolution trajectory of the strategy learning and adjustment of attack and defense participants under random disturbance, and constructing a QBD attack and defense random evolution game model;
S102, establishing the balance equation of the quasi-birth-and-death attack and defense confrontation process according to the QBD attack and defense random evolution game model;
S103, solving the balance equation to obtain the stationary probability distribution of strategies of the quasi-birth-and-death attack and defense process; and obtaining the most threatening attack strategy according to the stationary probability distribution of strategies.
The quasi-birth-and-death process defines its state by the two-dimensional random variable $\chi(t) = (\chi_A(t), \chi_D(t))$, which describes the number of participants in the attack and defense groups using a given strategy, and it describes state transitions through the change (increase, decrease or no change) in the number of participants using that strategy. In game round $t+1$, the attack and defense participants obtain game information directly or indirectly from the confrontation analysis between the groups and the mutual learning within each group in round $t$, calculate the payoffs produced by playing different strategies, and randomly select a high-payoff strategy according to the transition probabilities determined by the expected payoff, the learning degree and the noise factor, so that the number of participants using the high-payoff strategy increases. The learning degree describes how well the attack and defense participants have mastered information such as the decision environment, opponent information and the payoff differences produced by playing different strategies, and the noise factor describes the random disturbance in the attack and defense process. After multiple rounds, as the participants' learning degree improves, the strategy learning and adjustment mechanism drives the strategy probability distribution over the state space toward stability. This stationary probability distribution is the realization of Nash equilibrium in the sense of group behavior: as time goes on, the attack and defense participants play, learn and improve their strategies until the proportion of each strategy choice in the group reaches a steady state, and the higher the probability, the higher the group's acceptance of the evolutionarily stable strategy.
Further, in the embodiment of the present invention, the QBD attack and defense random evolution game model is represented by a seven-tuple: QBD-ADSEGM $= (\Gamma, N, S, \chi(t), \alpha, \beta, U)$, wherein,
1) $\Gamma$ denotes the groups participating in the game, where attackers denotes the attack group and defenders denotes the defense group;
2) $N = (N_A, N_D)$ indicates the number of game participants, where $N_A$ represents the number of attackers in the attack group and $N_D$ represents the number of defenders in the defense group;
3) $S = (S_A, S_D)$ represents the strategy space of the attack and defense participants, wherein the attack strategy set is $S_A = \{A_1, A_2, \dots, A_m\}$ and the defense strategy set is $S_D = \{D_1, D_2, \dots, D_n\}$; $m$ and $n$ represent the numbers of attack and defense strategies, with $m, n \in \mathbb{Z}$ and $m \ge 2$;
4) the state space representing the attack and defense evolution at time $t$ is a two-dimensional random variable, wherein represents the number of attackers in the attack group selecting strategy $A_i$, satisfy and is ; represents the number of defenders in the defense group selecting strategy $D_j$, satisfy and is . The state space $\chi(t)$ has a scale of $(N_A+1)(N_D+1)$;
5) $\alpha = (\alpha_1, \alpha_2)$ represents the learning degree set of the attack and defense participants and describes how well they have mastered information such as the decision environment, opponent information and the payoff differences produced by playing different strategies, where $\alpha_1$ is the learning degree of the attacker, $\alpha_2$ is the learning degree of the defender, and $\alpha_1 \in [0, 2]$, $\alpha_2 \in [0, 2]$;
6) $\beta$ represents the noise factor of the attack and defense participants, describes the random disturbance in the attack and defense process, and satisfies $\beta > 0$;
7) $U = (U_A, U_D)$ is the set of payoff functions of the attacker and defender, determined by the strategies of both sides; different combinations of attack and defense strategies yield different payoffs.
When the attacker adopts strategy $A_i$ and the defender adopts strategy $D_j$, the strategy payoffs of the attacker and the defender are denoted $a_{ij}$ and $d_{ij}$ respectively. It follows that the expected payoff of an attacker using strategy $A_i$ in the game is and the expected payoff of a defender using strategy $D_j$ in the game is
When the attack and defense participants are uncertain about the opponent's game information, they participate in the game with strategies $\psi_A(t)$, $\psi_D(t)$, namely:
Further, according to the QBD attack and defense random evolution game model, the corresponding quasi-birth-and-death process is constructed, the state space of the quasi-birth-and-death process is obtained, and the balance equation is established.
The quasi-birth-and-death process corresponding to the QBD attack and defense random evolution game model is constructed, which is denoted as { χ(t), t ≥ 0, from this, the state space of the quasi-birth-and-death process is: $\Theta = \{(0,0), (0,1), \dots, (0,N_D);\ (1,0), (1,1), \dots, (1,N_D);\ \dots;\ (N_A,0), (N_A,1), \dots, (N_A,N_D)\}$.
Further, in the embodiment of the present invention, the balance equation is established as follows: first, the transition probabilities of strategy selection of the attacker and the defender are defined; then the quasi-birth-and-death evolution process is constructed from the transition probability matrix to obtain the balance equation of the attack and defense evolution process.
Wherein $A_{-i} = (A_1, \dots, A_{i-1}, A_{i+1}, \dots, A_m)$ is the vector of all attack strategy components except $i$; represents the maximum of the expected payoffs of the strategies other than $A_i$; represents the probability that an attacker who selected strategy $A_{-i}$ changes strategy and selects strategy $A_i$ instead; represents the probability that an attacker who selected strategy $A_i$ changes strategy and selects strategy $A_{-i}$ instead.
Wherein represents the probability that a defender who selected strategy $D_j$ changes strategy and selects strategy $D_{-j}$; represents the probability that a defender who selected strategy $D_{-j}$ changes strategy and selects strategy $D_j$.
In the above matrix, represents the submatrices on the main diagonal of matrix $Q_\beta$, denoted as:
when $k = 0$, denoted:
when $1 \le k \le N_A - 1$, denoted:
when $k = N_A$, denoted:
In addition, is the submatrix on the upper-right diagonal of matrix $Q_\beta$, denoted:
Further, in the embodiment of the invention, when solving for the equilibrium state, the balance equation is first subjected to elementary transformation and solved, and the stationary probability distribution of the QBD attack and defense evolution process is obtained under the positive recurrence condition, which gives the stationary probability distribution of the attack and defense random evolution game. Preferably, the balance equation is subjected to elementary transformation by Gaussian elimination, in view of its property as a nonlinear homogeneous system of equations. Preferably, in solving the balance equation, game information is obtained through confrontation analysis between the game groups and mutual learning within them, and the payoffs produced by playing different strategies are calculated, so that the transition probabilities are determined from the expected payoff, the learning degree and the noise factor.
Let represent the stationary probability distribution of the QBD, wherein Assuming that the QBD process is positive recurrent, the balance equation is $P(\beta) Q_\beta = 0$, $P(\beta) e = 1$, and it is known that To facilitate understanding, let The balance equation is equivalent to
The balance equation constructed in the embodiment of the invention is in fact a nonlinear homogeneous system of equations. The balance equation is subjected to elementary transformation by Gaussian elimination based on the block matrix, and the QBD balance equation is solved; under the positive recurrence condition, $P(\beta)$ is the stationary probability distribution of the QBD, which gives the long-term stable equilibrium of the attack and defense random evolution game.
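The solving step above, as an added Python example that is not code from the patent: it builds a generator matrix over the $(N_A+1)(N_D+1)$ states for two strategies per side, solves $PQ = 0$, $Pe = 1$ by plain (not block) Gaussian elimination, and reads the attack-side marginal. Only $N_A = 8$, $N_D = 10$ and $\beta = 0.5$ come from the embodiment; the payoff values, the `switch_rate` formula and all function names are assumptions, because the patent's Table 1 and transition-probability formulas are not present on this page.

```python
# Added example (not from the patent): stationary distribution of a
# two-population birth-death strategy chain, solved by Gaussian elimination.
N_A, N_D = 8, 10      # group sizes used in the embodiment
BETA = 0.5            # noise factor used in the embodiment

# ASSUMPTION: constructed payoffs; the patent's Table 1 is not on the page.
A_PAY = [[6.0, 3.0], [4.0, 2.0]]   # attacker payoff for (A_{r+1}, D_{c+1})
D_PAY = [[5.0, 2.0], [3.0, 4.0]]   # defender payoff for (A_{r+1}, D_{c+1})


def switch_rate(alpha, beta, gain):
    """ASSUMED per-participant rate of switching to a strategy whose expected
    payoff exceeds the current one by `gain`: noise plus learning-weighted gain."""
    return beta + alpha * max(0.0, gain)


def build_generator(alpha, beta=BETA):
    """Generator Q over states (i, j): i attackers on A1, j defenders on D1."""
    states = [(i, j) for i in range(N_A + 1) for j in range(N_D + 1)]
    index = {s: k for k, s in enumerate(states)}
    n = len(states)
    Q = [[0.0] * n for _ in range(n)]
    for (i, j), k in index.items():
        p, q = i / N_A, j / N_D          # current shares of A1 and D1
        u_a = [A_PAY[r][0] * q + A_PAY[r][1] * (1 - q) for r in range(2)]
        u_d = [D_PAY[0][c] * p + D_PAY[1][c] * (1 - p) for c in range(2)]
        # Only one participant changes strategy per transition (birth/death).
        moves = {
            (i + 1, j): (N_A - i) * switch_rate(alpha, beta, u_a[0] - u_a[1]),
            (i - 1, j): i * switch_rate(alpha, beta, u_a[1] - u_a[0]),
            (i, j + 1): (N_D - j) * switch_rate(alpha, beta, u_d[0] - u_d[1]),
            (i, j - 1): j * switch_rate(alpha, beta, u_d[1] - u_d[0]),
        }
        for target, rate in moves.items():
            if target in index and rate > 0:
                Q[k][index[target]] = rate
        Q[k][k] = -sum(Q[k])             # rows of a generator sum to zero
    return states, Q


def stationary(Q):
    """Solve P Q = 0 with sum(P) = 1 by Gaussian elimination with pivoting."""
    n = len(Q)
    # Row c holds the equation sum_r P[r] * Q[r][c] = 0; the last equation is
    # replaced by the normalisation condition so the system is non-singular.
    M = [[Q[r][c] for r in range(n)] + [0.0] for c in range(n)]
    M[-1] = [1.0] * n + [1.0]
    for col in range(n):
        piv = max(range(col, n), key=lambda r: abs(M[r][col]))
        M[col], M[piv] = M[piv], M[col]
        for r in range(col + 1, n):
            f = M[r][col] / M[col][col]
            if f:
                for c in range(col, n + 1):
                    M[r][c] -= f * M[col][c]
    P = [0.0] * n
    for r in range(n - 1, -1, -1):       # back substitution
        tail = sum(M[r][c] * P[c] for c in range(r + 1, n))
        P[r] = (M[r][n] - tail) / M[r][r]
    return P


def predict(alpha, beta=BETA):
    """Stationary distribution, attack-side marginal and predicted strategy."""
    states, Q = build_generator(alpha, beta)
    P = stationary(Q)
    attack = [0.0] * (N_A + 1)           # marginal over attackers using A1
    for (i, _), prob in zip(states, P):
        attack[i] += prob
    share_a1 = sum(i * pr for i, pr in enumerate(attack)) / N_A
    return {"P": P, "Q": Q, "attack_marginal": attack,
            "most_threatening": "A1" if share_a1 >= 0.5 else "A2"}


if __name__ == "__main__":
    for alpha in (0.1, 0.5, 1.0, 2.0):
        result = predict(alpha)
        print(alpha, result["most_threatening"],
              round(result["attack_marginal"][N_A], 4))
```

Because $\beta > 0$ keeps every switching rate positive, the chain is irreducible and the linear system has a unique solution; with the constructed payoffs the mass on "all attackers use A1" grows as the learning degree rises.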
Further, an embodiment of the present invention also provides an attack prediction device based on the QBD attack and defense random evolution game model, as shown in FIG. 2, including: a model establishing module 101, an equation establishing module 102 and an analysis solving module 103, wherein,
the model establishing module 101 is used for abstracting the attack and defense evolution process into a quasi-birth-and-death (QBD) process, introducing a learning degree and a noise factor to describe the dynamic evolution trajectory of the strategy learning and adjustment of attack and defense participants under random disturbance, and establishing the QBD attack and defense random evolution game model;
the equation establishing module 102 is used for establishing the balance equation of the quasi-birth-and-death attack and defense confrontation process according to the QBD attack and defense random evolution game model;
the analysis solving module 103 is used for solving the balance equation to obtain the stationary probability distribution of strategies of the quasi-birth-and-death attack and defense process, and obtaining the most threatening attack strategy according to the stationary probability distribution of strategies.
Further, an embodiment of the present invention also provides a network security system, which includes the attack prediction device based on the QBD attack and defense random evolution game model of the above embodiment and is used for predictive analysis of attack behavior in the network system.
To verify the effectiveness of the QBD random evolution game model and the accuracy of attack prediction, experiments are performed in a specific network information system environment. As shown in FIG. 3, the network system environment mainly comprises an external network attack group, a DMZ and an internal network; the network security protection devices comprise a firewall, an intrusion prevention device and a bastion host, which protect the database server of the internal network and prevent data resources from being stolen. The system environment is scanned with Nessus, and the set of attack and defense strategies used in the experiment is designed with reference to the MIT attack and defense behavior database and information from the China National Vulnerability Database of Information Security (CNNVD): the attack strategies are $A_1$ (database snooping) and $A_2$ (port scan attack), and the defense strategies are $D_1$ (database upgrade) and $D_2$ (turning off idle port services).
Based on the established QBD random evolution game model, and considering that attack and defense participants with bounded rationality maximize their own payoffs while seeking a balance between information security risk and investment, the payoffs produced by the different attack and defense strategies in the game are calculated with reference to a payoff quantification method and in combination with the characteristics of the quasi-birth-and-death process, which gives the attack and defense strategy payoff matrix of Table 1.
TABLE 1 attack and defense strategy revenue matrix
Assume that the number of attackers is $N_A = 8$ and the number of defenders is $N_D = 10$.
Considering the influence of a certain amount of random disturbance in the attack and defense confrontation, the noise factor is assumed to be $\beta = 0.5$. In this simulation scenario, the learning degree parameter $\alpha_i$ ($i = 1, 2$) is varied to observe how improving the learning degree of both sides affects attack prediction; that is, the evolution of the game between the two sides is studied for $\alpha_1 = \alpha_2 = \alpha = 0.1, 0.5, 1.0, 2.0$.
The stationary probability distribution of the QBD attack and defense random evolution game model is then solved. When $\alpha = 0.1$, the P matrix of the stationary probability distribution can be calculated as:
setting:
wherein represents the stationary probability that the number of attackers adopting strategy $A_1$ in the attack group is $i$ and the number of defenders selecting strategy $D_1$ in the defense group is $j$. represents the stationary probability, after multiple rounds of the game, that the number of attackers adopting strategy $A_1$ in the attack group is $i$; represents the stationary probability, after multiple rounds of the game, that the number of defenders adopting strategy $D_1$ in the defense group is $j$. The stationary probability distributions of strategies of the attack and defense group evolution game obtained in this way are shown in FIG. 4 and FIG. 5, where FIG. 4 is the stationary probability distribution of the attack group when $\alpha = 0.1$ and FIG. 5 is the stationary probability distribution of the defense group when $\alpha = 0.1$.
In the stationary probability distribution of the attack group in FIG. 4, the abscissa represents the number of attackers selecting strategy $A_1$ or $A_2$, and the ordinate represents the stationary probability of strategy $A_1$. When $\alpha = 0.1$, the probability that all attackers in the attack group select strategy $A_1$ is only 58.79%; the probability that 7 attackers select strategy $A_1$ and 1 attacker selects strategy $A_2$ is 24.44%; and the probability that 6 attackers select strategy $A_1$ and 2 attackers select strategy $A_2$ is 10.07%. The numerical results thus show significant divergence in attack strategy selection. Similarly, as can be seen from FIG. 5, the probability that all defenders select strategy $D_1$ is only 65.39%, the probability that 1 defender selects strategy $D_2$ is 22.61%, and strategy selection is clearly inconsistent.
Similarly, for $\alpha = \alpha_1 = \alpha_2 = 0.1, 0.5, 1.0, 2.0$, the stationary probability distributions of the attack and defense group evolution game under the different learning degree parameters are shown in Table 2 and Table 3, wherein indicates that the number of attackers selecting strategy $A_1$ in the attack group is $i$, and indicates that the number of defenders selecting strategy $D_1$ in the defense group is $j$.
TABLE 2 Stationary probability distribution results of the attack group evolution game under different learning degree parameters
TABLE 3 Stationary probability distribution results of the defense group evolution game under different learning degree parameters
The stationary probability distribution diagrams of the attack and defense population evolution under different learning degree parameters shown in FIG. 6 and FIG. 7 were obtained by Matlab 2016b simulation, so that the two groups of numerical results in Tables 2 and 3 can be analyzed and compared intuitively.
As the learning degree α varies over the interval [0, 2], FIG. 6 and FIG. 7 show the corresponding trends of the stationary probability distributions for selecting attack strategy A1 and defense strategy D1 in the attack and defense groups. When α tends to 2, attack strategy selection converges to the optimal strategy A1 and defense strategy selection converges to the optimal strategy D1; that is, the probability that all attackers in the attack group choose strategy A1 is 96.94% (error less than 5%), and the probability that all defenders in the defense group choose strategy D1 is 96.61% (error less than 5%).
From the above numerical results, the following conclusions can be drawn. By analyzing the confrontation between the groups and the mutual learning within each group, game information is collected and analyzed, and the attack and defense participants gradually strengthen their understanding of their opponents' behavior and intentions and of the decision environment. As the learning degree α improves, selection of the optimal attack strategy A1 becomes stable, so attack strategy A1 is the predicted most threatening attack strategy. A small α indicates that the attack and defense participants lack knowledge of game results and the decision environment; if the attack and defense decision process has obvious randomness, the stationary probability distribution of the evolutionary game does not necessarily converge to a specific strategy.
Assume the learning degree is a fixed constant, α1 = α2 = 0.7. In this simulation scenario, the influence of different noise factors β on the game evolution of attacker and defender is observed for β = 0.2, 1.2, 2.2, 5.0. Solving the stationary probability distribution of the quasi-birth-and-death process corresponding to this model gives the internal evolutionary game results of the attack and defense groups under the different noise factors, shown in Tables 4 and 5.
TABLE 4 Stationary probability distribution results of the attack group evolution game under different noise factors
TABLE 5 Stationary probability distribution results of the defense group evolution game under different noise factors
The internal evolution law of the attack and defense groups can be read directly from FIG. 8 and FIG. 9. When β = 0.2, the behavior of the attackers (defenders) is only slightly affected by random disturbance and strategy selection is highly consistent: the probability that all attackers in the attack group select strategy A1 is 96.53%, and the probability that all defenders in the defense group select D1 is 96.15%. As β increases, however, the influence of random disturbance becomes obvious, and at β = 5.0 the attackers in the population diverge in their strategy selection. The probability that all attackers in the attack population choose A1 is only 49.39%, the probability that 1 attacker selects strategy A2 is 25.41%, and the probability that 2 attackers select A2 is 12.96%. Similarly, the results for the defense group show that when β = 5.0 the probability that all defenders adopt strategy D1 is only 59.51% and the probability that 1 defender in the population selects strategy D2 is 24.01%, so strategy selection is clearly inconsistent.
To address the influence of random disturbance on the attack and defense groups during the game, the invention models the attack and defense random evolution game on a quasi-birth-and-death process by introducing the learning degree parameter and the noise factor, and solves the balance equations of the constructed attack and defense quasi-birth-and-death process by Gaussian elimination to obtain the stationary probability distribution of strategies in the limit for the attack and defense groups, thereby identifying the most threatening attack strategy and achieving attack prediction. The results show that, as the attack and defense evolution advances, the attack and defense groups deepen their understanding of the decision environment and of their opponents by collecting the opponents' game characteristic information; the learning degree keeps increasing, no obvious divergence appears in the participants' strategy selection, and all participants tend to select the evolutionarily stable strategy. As random disturbance grows, however, the game system tends to become unstable, the game result is mainly determined by the random disturbance, and the attack and defense groups clearly diverge in strategy selection. In a real attack and defense scenario random factors are unavoidable, but reducing their influence as far as possible and strengthening the learning degree offers guidance for practical network attack prediction.
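The procedure summarized above (quasi-birth-and-death chain, balance equations, Gaussian elimination, stationary marginals), as an added Python example that is not the patent's code. The logit revision rule, the payoff matrices, the group size of 8 per side and all function names are assumptions made for illustration, so the output shows the α and β trends rather than reproducing Tables 2 to 5.

```python
import math

# Constructed payoffs (assumptions, not the patent's values): UA[a][d] and UD[a][d]
# are attacker and defender payoffs when attack A(a+1) meets defense D(d+1).
UA = [[6.0, 8.0], [3.0, 7.0]]   # A1 pays more than A2 against either defense
UD = [[4.0, 1.0], [2.0, 0.5]]   # D1 pays more than D2 against either attack

def adopt_prob(alpha, beta, gain):
    """Assumed logit rule: chance that a revising player adopts strategy 1."""
    return 1.0 / (1.0 + math.exp(-alpha * gain / beta))

def transition_matrix(n, m, alpha_a, alpha_d, beta):
    """Row-stochastic P over states (i, j): i attackers on A1, j defenders on D1."""
    idx = lambda i, j: i * (m + 1) + j
    size = (n + 1) * (m + 1)
    P = [[0.0] * size for _ in range(size)]
    for i in range(n + 1):
        for j in range(m + 1):
            x, y = i / n, j / m  # shares of attackers on A1 and defenders on D1
            gain_a = (UA[0][0] - UA[1][0]) * y + (UA[0][1] - UA[1][1]) * (1 - y)
            gain_d = (UD[0][0] - UD[0][1]) * x + (UD[1][0] - UD[1][1]) * (1 - x)
            pa = adopt_prob(alpha_a, beta, gain_a)
            pd = adopt_prob(alpha_d, beta, gain_d)
            # One side is picked with probability 1/2 and one random member revises,
            # so i or j moves by at most one: a quasi-birth-and-death structure.
            moves = {(i + 1, j): 0.5 * (n - i) / n * pa,
                     (i - 1, j): 0.5 * i / n * (1 - pa),
                     (i, j + 1): 0.5 * (m - j) / m * pd,
                     (i, j - 1): 0.5 * j / m * (1 - pd)}
            s = idx(i, j)
            for (a, b), p in moves.items():
                if p > 0.0:
                    P[s][idx(a, b)] = p
            P[s][s] = 1.0 - sum(moves.values())
    return P

def stationary(P):
    """Solve the balance equations pi P = pi, sum(pi) = 1, by Gaussian elimination."""
    k = len(P)
    # Row r is the balance equation sum_c pi_c P[c][r] - pi_r = 0; the last
    # (redundant) equation is replaced by the normalization condition.
    A = [[P[c][r] - (1.0 if r == c else 0.0) for c in range(k)] + [0.0]
         for r in range(k)]
    A[-1] = [1.0] * k + [1.0]
    for col in range(k):
        piv = max(range(col, k), key=lambda r: abs(A[r][col]))  # partial pivoting
        A[col], A[piv] = A[piv], A[col]
        for r in range(col + 1, k):
            f = A[r][col] / A[col][col]
            if f:
                for c in range(col, k + 1):
                    A[r][c] -= f * A[col][c]
    pi = [0.0] * k
    for r in range(k - 1, -1, -1):  # back substitution
        pi[r] = (A[r][k] - sum(A[r][c] * pi[c] for c in range(r + 1, k))) / A[r][r]
    return pi

def group_marginals(alpha, beta, n=8, m=8):
    """att[i] = Pr(i attackers on A1), dfn[j] = Pr(j defenders on D1) at stationarity."""
    pi = stationary(transition_matrix(n, m, alpha, alpha, beta))
    att = [sum(pi[i * (m + 1):(i + 1) * (m + 1)]) for i in range(n + 1)]
    dfn = [sum(pi[j::m + 1]) for j in range(m + 1)]
    return att, dfn

if __name__ == "__main__":
    for alpha in (0.1, 0.5, 1.0, 2.0):   # learning-degree sweep at beta = 0.5
        att, dfn = group_marginals(alpha, 0.5)
        print(f"alpha={alpha}: P(all on A1)={att[-1]:.4f}  P(all on D1)={dfn[-1]:.4f}")
    for beta in (0.2, 1.2, 2.2, 5.0):    # noise sweep at alpha = 0.7
        att, dfn = group_marginals(0.7, beta)
        print(f"beta={beta}: P(all on A1)={att[-1]:.4f}  P(all on D1)={dfn[-1]:.4f}")
```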
Unless specifically stated otherwise, the relative steps, numerical expressions, and values of the components and steps set forth in these embodiments do not limit the scope of the present invention.
Based on the foregoing method, an embodiment of the present invention further provides a server, including: one or more processors; a storage device for storing one or more programs which, when executed by the one or more processors, cause the one or more processors to implement the method described above.
Based on the above method, the embodiment of the present invention further provides a computer readable medium, on which a computer program is stored, wherein the program, when executed by a processor, implements the above method.
The device provided by the embodiment of the present invention has the same implementation principle and technical effect as the method embodiments; for brevity, where the device embodiments do not mention something, reference may be made to the corresponding content in the method embodiments.
It is clear to those skilled in the art that, for convenience and brevity of description, the specific working processes of the system and the apparatus described above may refer to the corresponding processes in the foregoing method embodiments, and are not described herein again.
The functions, if implemented in the form of software functional units and sold or used as a stand-alone product, may be stored in a non-volatile computer-readable storage medium executable by a processor. Based on such understanding, the technical solution of the present invention may be embodied in the form of a software product, which is stored in a storage medium and includes instructions for causing a computer device (which may be a personal computer, a server, or a network device) to execute all or part of the steps of the method according to the embodiments of the present invention. And the aforementioned storage medium includes: a U-disk, a removable hard disk, a Read-Only Memory (ROM), a Random Access Memory (RAM), a magnetic disk or an optical disk, and other various media capable of storing program codes.
Finally, it should be noted that the above embodiments are only specific embodiments of the present invention, used to illustrate its technical solutions and not to limit them, and the protection scope of the present invention is not limited thereto. Although the present invention is described in detail with reference to the foregoing embodiments, those skilled in the art should understand that any person skilled in the art can, within the technical scope of the present disclosure, modify the technical solutions described in the foregoing embodiments, readily conceive of changes to them, or make equivalent substitutions for some of their technical features; such modifications, changes or substitutions do not depart from the spirit and scope of the embodiments of the present invention and should be construed as being included therein. Therefore, the protection scope of the present invention shall be subject to the protection scope of the claims.
Claims (7)
1. An attack prediction method based on a QBD attack and defense random evolution game model is characterized by comprising the following contents:
abstracting the attack and defense evolution process into a quasi-birth-and-death process (QBD), introducing a learning degree and a noise factor to depict the dynamic evolution track of strategy learning and adjustment of the attack and defense participants under random disturbance, and constructing a QBD attack and defense random evolution game model;
establishing a balance equation of the quasi-birth-and-death attack and defense confrontation process according to the QBD attack and defense random evolution game model;
solving the balance equation to obtain the stationary strategy probability distribution of the quasi-birth-and-death attack and defense confrontation process; and obtaining the most threatening attack strategy according to the stationary strategy probability distribution;
constructing the corresponding quasi-birth-and-death process according to the QBD attack and defense random evolution game model, acquiring the state space of the quasi-birth-and-death process, and establishing the balance equation;
the balance equation is established as follows: first, the transition probabilities of strategy selection of the attacker and the defender are defined; a quasi-birth-and-death evolution process is then constructed according to the transition probability matrix to obtain the balance equation of the attack and defense evolution process;
the QBD attack and defense random evolution game model is represented by a seven-tuple: QBD-ADSEGM (gamma, N, S, chi (t), alpha, beta, U), wherein gamma represents the attacking and defending game group, N represents the number of attacking and defending participants, S represents the strategy space of the attacking and defending participants, chi (t) represents the attacking and defending state space at the time t, alpha represents the learning degree set of the attacking and defending participants, beta represents the noise factor of the attacking and defending participants, and U represents the benefit function set of both attacking and defending parties.
2. The attack prediction method based on the QBD attack and defense random evolution game model is characterized in that the attack and defense participant learning degree set comprises learning parameters for describing the mastery degree of an attacker on attack and defense information and learning parameters for describing the mastery degree of a defender on attack and defense information; and the noise factor of the attack and defense participants is used for describing random disturbance in the attack and defense process and setting the noise factor of the attack and defense participants to be greater than 0.
3. The attack prediction method based on the QBD attack and defense random evolution game model according to claim 1, characterized in that, in the equilibrium state solving process, the balance equation is first transformed and solved, and the stationary probability distribution of the QBD attack and defense evolution process is obtained through the positive recurrence condition, thereby obtaining the stationary probability distribution of the attack and defense random evolution game.
4. The attack prediction method based on the QBD attack and defense random evolution game model is characterized in that the equilibrium equation is subjected to elementary transformation by adopting a Gaussian elimination method according to the nonlinear homogeneous equation set property of the equilibrium equation.
5. The attack prediction method based on the QBD attack and defense random evolution game model is characterized in that in the balance equation solving, game information is obtained by analyzing the confrontation analysis and mutual learning among game groups, earnings generated by games with different strategies are calculated, and the transition probability is determined according to the expected earnings, the learning degree and the noise factor.
6. An attack prediction device based on QBD attack and defense random evolution game model is characterized by comprising: a model building module, an equation building module and an analysis solving module, wherein,
the model establishing module is used for abstracting the attack and defense evolution process into a quasi-birth-and-death process (QBD), introducing a learning degree and a noise factor to depict the dynamic evolution track of strategy learning and adjustment of the attack and defense participants under random disturbance, and establishing a QBD attack and defense random evolution game model;
the equation establishing module is used for establishing a balance equation of the quasi-birth-and-death attack and defense confrontation process according to the QBD attack and defense random evolution game model;
the analysis solving module is used for solving the balance equation to obtain the stationary strategy probability distribution of the quasi-birth-and-death attack and defense confrontation process, and for obtaining the most threatening attack strategy according to the stationary strategy probability distribution;
constructing the corresponding quasi-birth-and-death process according to the QBD attack and defense random evolution game model, acquiring the state space of the quasi-birth-and-death process, and establishing the balance equation;
the balance equation is established as follows: first, the transition probabilities of strategy selection of the attacker and the defender are defined; a quasi-birth-and-death evolution process is then constructed according to the transition probability matrix to obtain the balance equation of the attack and defense evolution process;
the QBD attack and defense random evolution game model is represented by a seven-tuple: QBD-ADSEGM (gamma, N, S, chi (t), alpha, beta, U), wherein gamma represents the attacking and defending game group, N represents the number of attacking and defending participants, S represents the strategy space of the attacking and defending participants, chi (t) represents the attacking and defending state space at the time t, alpha represents the learning degree set of the attacking and defending participants, beta represents the noise factor of the attacking and defending participants, and U represents the benefit function set of both attacking and defending parties.
7. A network security system, characterized by comprising the attack prediction device based on QBD attack and defense random evolution game model in claim 6.
Priority Applications (1)
Application Number | Priority Date | Filing Date | Title |
---|---|---|---|
CN201910549015.6A CN110417733B (en) | 2019-06-24 | 2019-06-24 | Attack prediction method, device and system based on QBD attack and defense random evolution game model |
Publications (2)
Publication Number | Publication Date |
---|---|
CN110417733A (en) | 2019-11-05 |
CN110417733B (en) | 2021-09-10 |
Family ID=68359709
Family Applications (1)
Application Number | Title | Priority Date | Filing Date |
---|---|---|---|
CN201910549015.6A (Active, CN110417733B (en)) | Attack prediction method, device and system based on QBD attack and defense random evolution game model | 2019-06-24 | 2019-06-24 |
Country Status (1)
Country | Link |
---|---|
CN (1) | CN110417733B (en) |
Families Citing this family (5)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
CN112261016A (en) * | 2020-10-12 | 2021-01-22 | 国网甘肃省电力公司电力科学研究院 | Power grid protection method in attack scene |
CN112417751B (en) * | 2020-10-28 | 2024-03-29 | 清华大学 | Anti-interference fusion method and device based on graph evolution game theory |
CN112434922B (en) * | 2020-11-13 | 2021-08-24 | 北方工业大学 | Urban power grid system security control method and device based on zero sum game |
CN114024738A (en) * | 2021-11-03 | 2022-02-08 | 哈尔滨理工大学 | Network defense method based on multi-stage attack and defense signals |
CN115277250B (en) * | 2022-09-23 | 2023-02-21 | 中国汽车技术研究中心有限公司 | Vehicle-end attack path identification method, equipment and storage medium |
Citations (3)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
US9471777B1 (en) * | 2012-02-24 | 2016-10-18 | Emc Corporation | Scheduling of defensive security actions in information processing systems |
CN106446674A (en) * | 2016-07-27 | 2017-02-22 | 长春理工大学 | Attack prediction-based virtual machine monitoring resource allocation method in cloud computing environment |
CN107070956A (en) * | 2017-06-16 | 2017-08-18 | 福建中信网安信息科技有限公司 | APT Attack Prediction methods based on dynamic bayesian game |
Family Cites Families (1)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
US8863293B2 (en) * | 2012-05-23 | 2014-10-14 | International Business Machines Corporation | Predicting attacks based on probabilistic game-theory |
Non-Patent Citations (1)
Title |
---|
A performance analysis method for intrusion prevention systems; Liu Wei et al.; Netinfo Security (《信息网络安全》); 2015-09-30 (No. 9); full text *|
Also Published As
Publication number | Publication date |
---|---|
CN110417733A (en) | 2019-11-05 |
Similar Documents
Publication | Publication Date | Title |
---|---|---|
CN110417733B (en) | Attack prediction method, device and system based on QBD attack and defense random evolution game model | |
CN107566387B (en) | Network defense action decision method based on attack and defense evolution game analysis | |
CN107135224B (en) | Network defense strategy selection method and device based on Markov evolution game | |
CN107483486B (en) | Network defense strategy selection method based on random evolution game model | |
Hu et al. | Optimal decision making approach for cyber security defense using evolutionary game | |
CN108833402A (en) | A kind of optimal defence policies choosing method of network based on game of bounded rationality theory and device | |
CN110460572A (en) | Mobile target defence policies choosing method and equipment based on Markov signaling games | |
CN111224966B (en) | Optimal defense strategy selection method based on evolutionary network game | |
CN111245828A (en) | Defense strategy generation method based on three-party dynamic game | |
Uriarte et al. | Automatic learning of combat models for RTS games | |
CN114417427A (en) | Deep learning-oriented data sensitivity attribute desensitization system and method | |
Gilad et al. | Intelligence, cyberspace, and national security | |
Barth et al. | A learning-based approach to reactive security | |
Hua et al. | Evolution of conditional cooperation in collective-risk social dilemma with repeated group interactions | |
Haopu | Method for behavior-prediction of APT attack based on dynamic Bayesian game | |
CN114024738A (en) | Network defense method based on multi-stage attack and defense signals | |
Zolotarev et al. | Strategies of social engineering attacks on information resources of gamified online education projects | |
Zawadzki et al. | Deterrence against Terrorist Attacks in Sports‐Mega Events: A Method to Identify the Optimal Portfolio of Defensive Countermeasures | |
CN115328189B (en) | Multi-unmanned plane cooperative game decision-making method and system | |
Shang et al. | Operation loop-based network design model for defense resource allocation with uncertainty | |
Guan et al. | A Bayesian Improved Defense Model for Deceptive Attack in Honeypot-Enabled Networks | |
Zhao et al. | Cloud of assets and threats: a playful method to raise awareness for cloud security in industry | |
CN113935039A (en) | Safety evaluation method, equipment and medium based on fuzzy matrix and Nash equilibrium | |
Liu et al. | Efficient defense decision-making approach for Multistep attacks based on the attack graph and game theory | |
Trad | Transformation Projects and Virtual Military Strategy |
Legal Events
Date | Code | Title | Description |
---|---|---|---|
PB01 | Publication | ||
SE01 | Entry into force of request for substantive examination | ||
GR01 | Patent grant | ||