CN110708287B - Intrusion response method based on attack graph and psychological theory - Google Patents

Publication number
CN110708287B
Authority
CN
China
Legal status: Active
Application number
CN201910828610.3A
Other languages: Chinese (zh)
Other versions: CN110708287A (en)
Inventor
吴春明
程秋美
周伯阳
周海峰
Current Assignee
Zhejiang University ZJU
Original Assignee
Zhejiang University ZJU
Priority date: 2019-09-03
Filing date: 2019-09-03
Publication date: 2020-12-29 (CN110708287B, granted patent); application publication 2020-01-17 (CN110708287A)

Classifications (H: Electricity; H04: Electric communication technique; H04L: Transmission of digital information, e.g. telegraphic communication)

    • H04L63/1433 Vulnerability analysis (under H04L63/14, network security for detecting or protecting against malicious traffic)
    • H04L41/142 Network analysis or design using statistical or mathematical methods
    • H04L41/147 Network analysis or design for predicting network behaviour
    • H04L63/1416 Event detection, e.g. attack signature detection (under H04L63/1408, detecting or protecting against malicious traffic by monitoring network traffic)
    • H04L63/1441 Countermeasures against malicious traffic
    • H04L63/20 Network architectures or network communication protocols for managing network security; network security policies in general

Abstract

The invention discloses an intrusion response method based on an attack graph and a psychological theory (Theory of Mind). Each step of an attacker's intrusion into the network is modeled with an attack graph, the attacker's attack psychology is analyzed to infer the probability that the attacker takes a given action at the next moment, and, in order to maximize its payoff in the network attack and defense game, the defender works out the corresponding response measures according to the inferred behavior of the attacker, thereby providing a real-time network response. Compared with the traditional method of mapping IDS alerts to response actions, the method adjusts the response strategy in real time when faced with multi-step, complex intrusions, and so offers real-time response and efficient protection.

Description

Intrusion response method based on attack graph and psychological theory
Technical Field
The invention belongs to the technical field of network security, and particularly relates to an intrusion response method based on an attack graph and a psychological theory.
Background
With the ever-increasing sophistication of network attacks, network intrusion detection and defense face severe challenges. Today a complex network attack often takes over the entire network gradually, in the form of a multi-step attack, which greatly increases the difficulty of defending the network. When a network is exposed to a multi-step intrusion, making the correct defensive decision for each step of the attack has become an important task for the defender. An Intrusion Response System (IRS) aims to take countermeasures against a network intrusion: it applies response measures as soon as the intrusion is detected, so as to shorten the time window before the network is repaired.
The traditional intrusion response system maps the alert messages of the intrusion detection system to response measures, and this mapping lets the system react quickly when it is exposed to a network intrusion. However, such a fixed mapping is not suited to new types of network attack. Secondly, in a complex attack and defense game an attacker usually has some learning ability: after several failed attacks the attacker may realize that the current attack behavior is being defended successfully and, in order to win the game, keeps adjusting the attack behavior. Therefore, inferring from the attacker's psychology which actions the attacker may take, and preparing the corresponding response measures, is beneficial in the network defense game. Theory of Mind (ToM; rendered "psychological theory" in the title) is applied to model the mental process of an opponent, enabling both parties of a game to predict the opponent's behavior with recursively nested beliefs (H. de Weerd, R. Verbrugge and B. Verheij, "How much does it help to know what she knows you know? An agent-based simulation study"). A zeroth-order ToM belief is the probability an attacker (or defender) assigns to the adversary taking a given action. For example, after several rounds of the attack and defense game, if the attacker finds that remote login always fails, the attacker guesses that the defender has taken a defensive measure such as a gateway firewall, and switches to exploiting a DNS cache vulnerability instead.
ToM allows both parties of a network attack and defense game to predict the opponent's behavior with nested beliefs. Considering that a network intrusion is carried out as a multi-step attack, the attacker's behavior can be modeled with a Bayesian attack graph (Y. Liu and H. Man, "Network vulnerability assessment using Bayesian networks," Proceedings of SPIE, pp. 61–71, 2005). A Bayesian Attack Graph (BAG) is a directed acyclic graph, usually represented by the tuple $\langle N, E, \xi, P \rangle$, where $N$ is the set of nodes of the attack graph, $E$ the set of directed edges, $\xi$ the attribute of each node (a non-leaf node has one of two attributes, AND node or OR node), and $P$ the probability that the attack along each edge succeeds. For example, an attacker first obtains user privileges by exploiting a vulnerability in IIS WebDAV, then uses those privileges to perform SQL injection and obtain root access. Each exploitation of a vulnerability can be regarded as one atomic attack, and the success probability of each atomic attack is the probability of the corresponding edge in the Bayesian attack graph. The probability of each edge can be evaluated with the Common Vulnerability Scoring System (CVSS): the exploitability metrics of the CVSS reflect the intrinsic characteristics of a vulnerability and provide a numerical score for estimating whether the attack occurs.
Disclosure of Invention
The invention aims to provide an intrusion response method based on an attack graph and a psychological theory aiming at the defects of the prior art, and the method can be used for making a response strategy in time aiming at the current attack and realizing the real-time protection of a network.
The purpose of the invention is realized by the following technical scheme: an intrusion response method based on an attack graph and a psychological theory comprises the following steps:
(1) the network intrusion process of the attacker is modeled with a Bayesian attack graph, and the probability of each edge of the graph is obtained by analyzing the exploitability metrics of the Common Vulnerability Scoring System (CVSS); every server and host is monitored by an intrusion detection system, and each vulnerability on a machine is regarded as a node of the Bayesian attack graph; each node has two states: 1 means the node has been compromised and 0 means it has not;
(2) the defender analyzes the attacker's psychology and the action the attacker is most likely to take at the next moment in order to formulate a real-time response strategy, under the following two conditions:
(2.1) the defender holds a zeroth-order belief $b_0(a_j \mid s)$, i.e. is a ToM$_0$ defender, and the attacker has no learning ability; the defender then forms a response strategy through the following steps:
(2.1.1) the ToM$_0$ defender forms the zeroth-order belief $b_0(a_j \mid s)$, which is the probability distribution the defender assigns to the attacker's actions in the current state; it is obtained from the Bayesian attack graph as follows: first find all child nodes of the compromised nodes and all uncompromised leaf nodes; then, using the probability of each edge of the graph, sum the probabilities of the edges connecting the compromised nodes to their child nodes and of the edges connected to the uncompromised leaf nodes; the probability of one such edge divided by this sum is the probability the defender assigns to the attacker taking the corresponding action in the current state;
(2.1.2) calculate the subjective value $\phi(a_i, b_0(a_j, s))$ of the ToM$_0$ defender:
[equation image in the original, not reproduced]
where $a_i$ is the defender's action; $a_j$ is the attacker's action; $A_i$ is the defender's action space; $A_j$ is the attacker's action space; $s$ is the current state of the system; $s'$ is the state at the next moment; $S$ is the set of all states of the system; $a_i'$ is the defender's action at the next moment; $T(s' \mid s, a_i, a_j)$ is the state transition function; $R(s, a_i, a_j, s')$ is the reward function; $\gamma$ is the discount factor, with $0 \le \gamma \le 1$;
the transition function $T(s' \mid s, a_i, a_j)$ covers the following three cases:
(a) if node $k$ of the attack graph is the node being repaired by the defender, the node state is $s_k = 0$ and $T(s'_k = 0 \mid s, a_i, a_j) = 1$;
(b) if node $k$ is an AND node and all parent nodes of $k$ are in state 1, the probability that the node is in state 1 is the product of the probabilities of the edges from its parents:
$T(s'_k = 1 \mid s, a_i, a_j) = \prod_{u \in \Psi_k} p(e_{uk})$
where $\Psi_k$ is the set of parent nodes $u$ of node $k$ and $p(e_{uk})$ is the probability that the edge $e_{uk}$ connecting parent $u$ to node $k$ in the attack graph occurs;
(c) if node $k$ is an OR node and at least one parent node is in state 1, the probability that the node is in state 1 is
[equation image in the original, not reproduced]
the reward function $R(s, a_i, a_j, s')$ is calculated by the following formula:
$R(s, a_i, a_j, s') = w_o \times (perf_d - dam_a) - w_c \times C_d$
where $perf_d$ is the security benefit the defender obtains after carrying out the response action; $dam_a$ is the damage caused by the attacker, computed from the impact sub-score in the CVSS; $C_d$ is the time cost spent by the defender; $w_o$ and $w_c$ are weights with values in the range 0 to 1;
(2.1.3) the ToM$_0$ defender selects the defensive action $a_i$ that maximizes its subjective value:
$a_i^* = \arg\max_{a_i \in A_i} \phi(a_i, b_0(a_j, s))$
(2.2) the defender holds a first-order belief, i.e. is a ToM$_1$ defender, and the attacker holds a zeroth-order belief $b_0(a_i \mid s)$, i.e. is a ToM$_0$ attacker; the defender then forms a response strategy through the following steps:
(2.2.1) the ToM$_0$ attacker forms the zeroth-order belief $b_0(a_i \mid s)$, and the ToM$_1$ defender forms a first-order belief about the ToM$_0$ attacker;
the attacker's zeroth-order belief $b_0(a_i \mid s)$ is the probability distribution the attacker assigns to the defender's actions in the current state, obtained from the Bayesian attack graph as follows: first find the compromised nodes, all their child nodes and the uncompromised leaf nodes; then sum the degrees of these nodes; the degree of one node divided by this sum is the probability the attacker assigns to the defender taking the corresponding action (repairing that node) in the current state;
the first-order belief is the probability distribution that the defender thinks the attacker assigns to the defender's defensive measures in the current state;
(2.2.2) calculate the subjective value $\phi(a_j, b_0(a_i, s))$ of the ToM$_0$ attacker:
[equation image in the original, not reproduced]
where $a_j'$ is the attacker's action in the next-moment state;
(2.2.3) the ToM$_1$ defender assumes that the ToM$_0$ attacker will choose the attack action $a_j$ that maximizes its subjective value to intrude into the system; this attack action $a_j$ is determined by the following formula:
$a_j^* = \arg\max_{a_j \in A_j} \phi(a_j, b_0(a_i, s))$
the ToM$_1$ defender then takes the action $a_i$ corresponding to the attack action $a_j$.
Further, the discount factor $\gamma$ is 0.8.
Further, the defender's action $a_i$ is repairing a vulnerability, and the attacker's action $a_j$ is carrying out an exploit.
Further, the defender's action space $A_i$ is the set of security measures that repair vulnerabilities, and the attacker's action space $A_j$ is the set of vulnerabilities present on all machines in the system.
Further, the next-moment state $s'$ depends only on the joint action $a_i \times a_j$ and the current state $s$.
The beneficial effects of the invention are as follows: the intrusion response method based on an attack graph and a psychological theory models each step of the attacker's intrusion into the network with an attack graph, analyzes the attacker's attack psychology to infer the probability that the attacker takes a given action at the next moment, and, in order to maximize its payoff in the network attack and defense game, lets the defender work out the corresponding response measures according to the inferred behavior of the attacker, thereby providing a real-time network response; compared with the traditional method of mapping IDS alerts to response actions, the method adjusts the response strategy in real time when faced with multi-step, complex intrusions, and so offers real-time response and efficient protection.
Drawings
FIG. 1 is a schematic of a topology of a network;
fig. 2 is a block diagram of a ToM-based intrusion response system.
Detailed Description
The present invention will be described in detail below with reference to the accompanying drawings in order to highlight the object and specific effects of the present invention.
The invention relates to an intrusion response method based on an attack graph and a psychological theory. The attacker aims to invade the whole network by utilizing a series of vulnerabilities of the system, and the defender acquires the current network state by deploying monitoring equipment, analyzes the behavior of the attacker and speculates the most probable attack behavior of the attacker at the next moment by utilizing first-order ToM, so that real-time effective response measures can be made. The invention mainly comprises the following steps:
step 1: the invention firstly models the network attack and defense parties into a double-person zero-sum random game: g ═<S,A,T,R>(ii) a Wherein, S is the state of the system, if the system is invaded by an attacker; a ═ ai×ajA joint action for an attacker and defender; action a of an attackerjTo implement exploits, such as buffer overflows; action a of defenderiTo repair against attacks, such as: adding a firewall or using an OpenSSH patch; t is the discrete probability distribution over state S; when the system is converted from the current state S to the next moment state S', the income obtained by an attacker is R, and the income obtained by a defender is-R according to the concepts of the zero sum game; the next time state S' is only relevant for the joint action a and the current state S.
FIG. 1 illustrates a network topology that is subject to intrusion, the network topology including an isolation zone that includes a Web server and a Mail server, and a trusted zone that includes a gateway server,admin server and associated host. In consideration of the diversity and the complexity of the network attack form at present, in order to better describe the network invasion of an attacker, the invention utilizes a Bayesian attack graph to model the network invasion process of the attacker; an attacker uses leaf nodes of a Bayesian attack graph as access points of the network and invades the whole network by continuously invading new nodes; at least one vulnerability exists on each machine, the vulnerability utilization attack form is taken as a research point, and the probability of each edge in a Bayesian attack graph is obtained by analyzing the availability parameters (explicit availability metrics) in a general vulnerability scoring system (CVSS); the probability distribution that one party thinks that the other party takes a certain action in the current state, namely the zeroth-order belief b, can be inferred by analyzing the Bayesian attack graph0The probability distribution is obtained by a Bayesian attack graph:
(1) the zeroth order belief b of defenders0(ajS): firstly, finding all child nodes of an invaded node and non-invaded leaf nodes, summing the probability of the edges connected with the invaded node and all the child nodes thereof and the probability of the edges connected with the non-invaded leaf nodes according to the probability of each edge of the Bayesian attack graph, and dividing the probability of one edge by the sum of the probabilities, namely the probability that an defender considers that the attacker takes corresponding actions under the current state, thereby deducing the next most likely invaded node;
(2) zero-order beliefs b of attackers0(aiS): firstly, finding an invaded node, all child nodes thereof and a non-invaded leaf node, summing the degrees of the invaded node, all the child nodes thereof and the non-invaded leaf node according to the degree of occurrence of the Bayesian attack graph node, and dividing the degree of occurrence of a node by the sum of the degrees of occurrence, namely the probability that an attacker considers that a defender takes corresponding action under the current state, thereby deducing the next most likely invaded node;
the general framework diagram of the present invention is shown in fig. 2, wherein an defender acquires the current network status by deploying an Intrusion Detection System (IDS); each server and host are monitored by an IDS, and a vulnerability on each machine is considered as a Bayesian attackClicking nodes of the graph; there are two states per node: 1 indicates that the node is invaded, and 0 indicates that the node is not invaded; when the vulnerability is successfully utilized by an attacker, the state of the node is 1;
Figure BDA0002189918880000051
the state of a node i representing the Bayesian attack graph at the time t is a set of all node states:
Figure BDA0002189918880000052
intrusion detection systems typically generate a large number of IDS alert messages whose status can be obtained by analyzing the false alarm rate of the IDS alert messages.
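As an added illustration, not code from the patent, the following Python builds a small Bayesian attack graph loosely modeled on the WebDAV-then-SQL-injection example of the background section and the DMZ/trusted-zone topology of FIG. 1, and computes the two zeroth-order beliefs of step 1: the defender's belief over the attacker's next exploit (edge-probability based) and the attacker's belief over the defender's next repair (degree based). The node names, edge probabilities, the per-leaf entry probability and the summing of edge probabilities when a target has several compromised parents are constructed assumptions; in the method the edge probabilities would come from the CVSS exploitability metrics and the node states from the IDS.

```python
from dataclasses import dataclass, field


@dataclass
class Node:
    """One vulnerability in the Bayesian attack graph (constructed example)."""
    kind: str = "OR"                             # "AND" or "OR": attribute xi of a non-leaf node
    parents: dict = field(default_factory=dict)  # parent name -> p(e_uk), the edge success probability
    entry: float = 0.0                           # leaf only: probability the entry exploit succeeds (assumption)
    state: int = 0                               # 1 = compromised, 0 = not compromised


class BayesianAttackGraph:
    def __init__(self, nodes):
        self.nodes = nodes                       # name -> Node

    def children(self, u):
        return [v for v, n in self.nodes.items() if u in n.parents]

    def leaves(self):
        return [v for v, n in self.nodes.items() if not n.parents]

    def compromised(self):
        return [v for v, n in self.nodes.items() if n.state == 1]

    def degree(self, v):
        return len(self.nodes[v].parents) + len(self.children(v))

    def state_vector(self):
        """s^t: the state of every node at the current moment."""
        return {v: n.state for v, n in self.nodes.items()}


def _normalise(weights):
    total = sum(weights.values())
    return {k: w / total for k, w in weights.items()} if total else {}


def defender_zero_order_belief(g):
    """b0(a_j | s): the defender's distribution over which vulnerability the attacker exploits next.
    Candidates are uncompromised children of compromised nodes (weight = edge probability) and
    uncompromised leaves (weight = entry probability); each weight is divided by the sum of weights."""
    weights = {}
    for u in g.compromised():
        for k in g.children(u):
            if g.nodes[k].state == 0:            # assumption (a): no re-exploiting of compromised nodes
                weights[k] = weights.get(k, 0.0) + g.nodes[k].parents[u]
    for leaf in g.leaves():
        if g.nodes[leaf].state == 0:
            weights[leaf] = weights.get(leaf, 0.0) + g.nodes[leaf].entry
    return _normalise(weights)


def attacker_zero_order_belief(g):
    """b0(a_i | s): the attacker's distribution over which node the defender repairs next.
    Candidates are the compromised nodes, their children and the uncompromised leaves, weighted by degree."""
    candidates = set()
    for u in g.compromised():
        candidates.add(u)
        candidates.update(g.children(u))
    candidates.update(v for v in g.leaves() if g.nodes[v].state == 0)
    return _normalise({v: float(g.degree(v)) for v in candidates})


def most_likely(belief):
    """The action with the highest belief: the node most likely to be attacked (or repaired) next."""
    return max(belief, key=belief.get) if belief else None


def build_example_graph():
    """Constructed graph: DMZ web/mail servers in front of a gateway and an admin server (cf. FIG. 1)."""
    return BayesianAttackGraph({
        "web_webdav": Node(entry=0.8),                          # IIS WebDAV flaw, entry point
        "web_sqli":   Node(parents={"web_webdav": 0.6}),        # SQL injection once user privileges exist
        "mail_smtp":  Node(entry=0.5),                          # second entry point, on the Mail server
        "gateway":    Node(kind="AND", parents={"web_sqli": 0.7, "mail_smtp": 0.4}),
        "admin":      Node(parents={"gateway": 0.9}),
    })


if __name__ == "__main__":
    g = build_example_graph()
    g.nodes["web_webdav"].state = 1              # the IDS reports the WebDAV flaw was exploited
    b_def = defender_zero_order_belief(g)
    b_att = attacker_zero_order_belief(g)
    print("defender b0(a_j|s):", b_def, "-> next target", most_likely(b_def))
    print("attacker b0(a_i|s):", b_att, "-> next repair", most_likely(b_att))
```

With the WebDAV node compromised, the defender's belief puts 0.6/1.1 on the SQL-injection node and 0.5/1.1 on the mail entry point, while the attacker's degree-based belief expects the defender to repair the SQL-injection node (degree 2) twice as often as either leaf (degree 1).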
Step 2: by analyzing the Bayesian attack graph of step 1 the defender can infer the attacker's current action, and the defender knows the current state of the network; on this basis the defender begins to analyze the attacker's psychology and the action the attacker is most likely to take at the next moment, in order to formulate a real-time response strategy. In this step the defender uses Theory of Mind (ToM) to analyze the probability distribution of the attacker's actions; the defender may hold a zeroth-order belief or a first-order belief, and both cases are elaborated below:
Step 2.1: the defender holds a zeroth-order belief $b_0(a_j \mid s)$, i.e. is a ToM$_0$ defender, and the attacker has no learning ability, that is, no ability to infer the defender's behavior; the defender then forms a response strategy through the following steps:
Step (2.1.1): the ToM$_0$ defender first forms its zeroth-order belief $b_0(a_j \mid s)$ about the attacker; this zeroth-order belief is a probability distribution over the attacker's actions, i.e. the probability the defender assigns to the attacker taking a given action in the current state. The distribution is obtained from the Bayesian attack graph above, and its calculation makes the following assumptions about the attacker's behavior: (a) the attacker will not waste resources at the next moment on a node that has already been compromised; (b) the attacker is familiar with the difficulty of exploiting each vulnerability and preferentially exploits nodes that are easy to compromise. In the defender's zeroth-order belief about the attacker, the attacker first looks at the child nodes of the compromised nodes and the uncompromised leaf nodes, and the node most likely to be compromised next is calculated from the probability of each edge of the attack graph.
Step (2.1.2): when the ToM$_0$ defender takes a defensive action, it assigns the action a subjective value $\phi(a_i, b_0(a_j, s))$ consisting of the immediate benefit in the current state and the expected value of the system once it enters the next state. To reflect the importance of future benefits relative to immediate benefits, a discount factor is introduced in calculating the subjective value:
[equation image in the original, not reproduced]
where $a_i$ and $a_j$ are the actions of the defender and the attacker respectively: at each moment the attacker's action is to exploit a vulnerability and the defender's action is to take a security measure that repairs a vulnerability; $A_i$, the defender's action space, is the set of security measures that repair vulnerabilities; $A_j$, the attacker's action space, is the set of vulnerabilities present on all machines in the system; $s$ is the current state of the system; $s'$ is the state at the next moment; $S$ is the set of all states of the system; $a_i'$ is the defender's action at the next moment; $T(s' \mid s, a_i, a_j)$ is the state transition function; $R(s, a_i, a_j, s')$ is the reward function under the joint action; $\gamma$ is the discount factor, in the range 0 to 1, and is set to 0.8.
Since each node of the attack graph has only the two states 0 and 1, the transition function $T(s' \mid s, a_i, a_j)$ comprises the following cases:
(a) if node $k$ of the attack graph is the node being repaired by the defender, its state is $s_k = 0$, so $T(s'_k = 0 \mid s, a_i, a_j) = 1$;
(b) if node $k$ is an AND node and all parent nodes of $k$ are in state 1, the probability $T(s'_k = 1 \mid s, a_i, a_j)$ that the node is in state 1 is the product of the probabilities of all edges from its parent nodes:
$T(s'_k = 1 \mid s, a_i, a_j) = \prod_{u \in \Psi_k} p(e_{uk})$
where $\Psi_k$ is the set of parent nodes $u$ of node $k$ and $p(e_{uk})$ is the probability that the edge $e_{uk}$ from parent $u$ to node $k$ in the attack graph occurs;
(c) if node $k$ is an OR node and at least one parent node is in state 1, the probability $T(s'_k = 1 \mid s, a_i, a_j)$ that the node is in state 1 is
[equation image in the original, not reproduced]
The reward function $R(s, a_i, a_j, s')$ is calculated by the following formula:
$R(s, a_i, a_j, s') = w_o \times (perf_d - dam_a) - w_c \times C_d$
where $perf_d$ is the security benefit the defender obtains after carrying out the response action; $dam_a$ is the damage caused by the attacker, calculated from the Impact Sub-Score (ISC) in the CVSS; $C_d$ is the time cost spent by the defender; $w_o$ and $w_c$ are weights in the range 0 to 1, set to 0.9 and 0.7 respectively according to the network's security protection level.
Step (2.1.3): the defender follows this principle when formulating a response strategy: when a node of the attack graph has been compromised (i.e. its state is 1), the defender preferentially repairs that node and its child nodes. Under the premise that the defender holds a zeroth-order belief, the ToM$_0$ defender selects the defensive action $a_i$ that maximizes the subjective value:
$a_i^* = \arg\max_{a_i \in A_i} \phi(a_i, b_0(a_j, s))$
Step 2.2: the defender holds a first-order belief $b_1$, i.e. is a ToM$_1$ defender; the attacker holds a zeroth-order belief $b_0(a_i \mid s)$, i.e. is a ToM$_0$ attacker, has learning ability and can infer and learn the defender's behavior; in this case the defender forms a response strategy through the following steps:
Step (2.2.1): the ToM$_0$ attacker forms a zeroth-order belief $b_0(a_i \mid s)$, an estimate of the probability distribution of the defender's actions; the ToM$_1$ defender forms a first-order belief $b_1$ about the ToM$_0$ attacker; the first-order belief $b_1$ is the probability distribution that, seen from the attacker's position, the attacker assigns to the defender's action in the current state, so the first-order belief is a nested belief. The ToM$_1$ defender puts itself in the opponent's position and infers the action the opponent may take, thereby inferring the probability distribution of the attack action the attacker will take;
Step (2.2.2): calculate the subjective value $\phi(a_j, b_0(a_i, s))$ of the ToM$_0$ attacker:
[equation image in the original, not reproduced]
To make the attack succeed, the attacker chooses the action $a_j$ that maximizes this subjective value to intrude into the system; it is determined by the following formula:
$a_j^* = \arg\max_{a_j \in A_j} \phi(a_j, b_0(a_i, s))$
where $a_j'$ is the attacker's action in the next-moment state; the ToM$_1$ defender then takes the action corresponding to the attacker action $a_j$ determined to have the maximum subjective value.
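The following Python, added here as an example and not the patent's own code, carries steps 2.1 and 2.2 through on a small constructed attack graph: the three transition cases, the reward $R = w_o (perf_d - dam_a) - w_c C_d$ with the stated $w_o = 0.9$, $w_c = 0.7$ and $\gamma = 0.8$, the ToM$_0$ defender's argmax over its subjective value, and the ToM$_1$ defender predicting the ToM$_0$ attacker's argmax and responding to it. Because the subjective-value and OR-node formulas appear only as images in the original, the example makes labeled assumptions: the subjective value is the expected immediate reward under the belief about the opponent plus $\gamma$ times the best such value one step ahead with the belief held fixed; OR nodes combine compromised parents with noisy-OR; the repair is applied before the exploit is evaluated; and the attacker's payoff is $-R$ (zero-sum). The graph, the zeroth-order beliefs (which steps 2.1.1 and 2.2.1 would derive from the graph) and the benefit, damage and cost values are constructed inputs.

```python
import math

GAMMA = 0.8          # discount factor, as stated in the patent
W_O, W_C = 0.9, 0.7  # reward weights, as stated in the patent

# Constructed Bayesian attack graph: node -> (kind, {parent: p(e_uk)}, entry probability for a leaf).
GRAPH = {
    "web_webdav": ("OR", {}, 0.8),
    "web_sqli":   ("OR", {"web_webdav": 0.6}, 0.0),
    "mail_smtp":  ("OR", {}, 0.5),
    "gateway":    ("AND", {"web_sqli": 0.7, "mail_smtp": 0.4}, 0.0),
    "admin":      ("OR", {"gateway": 0.9}, 0.0),
}
# Constructed per-node values standing in for CVSS-derived scores and repair cost (assumption).
PERF = {"web_webdav": 5.0, "web_sqli": 6.0, "mail_smtp": 3.0, "gateway": 8.0, "admin": 9.0}  # perf_d
DAM  = {"web_webdav": 4.0, "web_sqli": 6.0, "mail_smtp": 3.0, "gateway": 8.0, "admin": 9.0}  # dam_a
COST = {"web_webdav": 2.0, "web_sqli": 3.0, "mail_smtp": 1.0, "gateway": 4.0, "admin": 5.0}  # C_d

DEFENDER_ACTIONS = ["web_webdav", "web_sqli", "mail_smtp"]   # A_i: nodes the defender may repair
ATTACKER_ACTIONS = ["web_sqli", "mail_smtp"]                 # A_j: nodes the attacker may exploit
B0_DEF = {"web_sqli": 0.6, "mail_smtp": 0.4}                       # constructed b0(a_j|s) of the defender
B0_ATT = {"web_webdav": 0.25, "web_sqli": 0.5, "mail_smtp": 0.25}  # constructed b0(a_i|s) of the attacker
S0 = {"web_webdav": 1, "web_sqli": 0, "mail_smtp": 0, "gateway": 0, "admin": 0}  # WebDAV already exploited


def exploit_success(state, k):
    """Probability that exploiting node k yields s'_k = 1: transition cases (b) and (c)."""
    kind, parents, entry = GRAPH[k]
    if not parents:                      # leaf = entry point (assumption: fixed entry probability)
        return entry
    if kind == "AND":                    # case (b): product over parents, only if every parent is 1
        return math.prod(parents.values()) if all(state[u] == 1 for u in parents) else 0.0
    active = [p for u, p in parents.items() if state[u] == 1]
    return 1.0 - math.prod(1.0 - p for p in active) if active else 0.0   # case (c): noisy-OR (assumption)


def transition(state, a_i, a_j):
    """T(s'|s,a_i,a_j) as a list of (next_state, probability); repair is applied first (assumption)."""
    base = dict(state)
    base[a_i] = 0                        # case (a): the repaired node is 0 with probability 1
    p = 0.0 if a_j == a_i else exploit_success(base, a_j)
    hit = dict(base)
    hit[a_j] = 1
    return [(s2, pr) for s2, pr in ((hit, p), (base, 1.0 - p)) if pr > 0.0]


def reward(state, a_i, a_j, next_state):
    """R(s,a_i,a_j,s') = w_o*(perf_d - dam_a) - w_c*C_d; damage counts only for a newly compromised node."""
    dam = DAM[a_j] if state[a_j] == 0 and next_state[a_j] == 1 else 0.0
    return W_O * (PERF[a_i] - dam) - W_C * COST[a_i]


def subjective_value(state, own, belief, role, own_actions, horizon=1):
    """phi(own, b0): expected payoff under the belief about the opponent, plus a discounted lookahead."""
    sign = 1.0 if role == "defender" else -1.0   # zero-sum: the attacker's payoff is -R (assumption)
    total = 0.0
    for opp, b in belief.items():
        a_i, a_j = (own, opp) if role == "defender" else (opp, own)
        for nxt, t in transition(state, a_i, a_j):
            payoff = sign * reward(state, a_i, a_j, nxt)
            if horizon > 1:              # continuation value, belief held fixed (assumption)
                payoff += GAMMA * max(subjective_value(nxt, a, belief, role, own_actions, horizon - 1)
                                      for a in own_actions)
            total += b * t * payoff
    return total


def best_action(state, belief, role, own_actions, horizon=1):
    """argmax of the subjective value over the player's own action space."""
    return max(own_actions, key=lambda a: subjective_value(state, a, belief, role, own_actions, horizon))


def tom0_defender_response(state, b0_def, horizon=1):
    """Step 2.1.3: the ToM0 defender repairs the node whose repair has the highest subjective value."""
    return best_action(state, b0_def, "defender", DEFENDER_ACTIONS, horizon)


def tom1_defender_response(state, b0_att, horizon=1):
    """Step 2.2.3: predict the ToM0 attacker's argmax and repair that node (the 'corresponding action')."""
    predicted = best_action(state, b0_att, "attacker", ATTACKER_ACTIONS, horizon)
    return predicted, predicted


if __name__ == "__main__":
    print("ToM0 defender repairs:", tom0_defender_response(S0, B0_DEF))
    print("ToM1 defender predicts / repairs:", tom1_defender_response(S0, B0_ATT))
```

On the constructed state (WebDAV exploited, nothing else) the ToM$_0$ defender patches the SQL-injection node, whose repair carries the largest benefit; the ToM$_1$ defender, reasoning that the attacker expects exactly that patch and therefore values the mail entry point more, patches the mail server instead. The divergence is the point of step 2.2: the nested belief changes the response even though the network state is the same.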

Claims (3)

1. An intrusion response method based on an attack graph and a psychological theory is characterized by comprising the following steps:
(1) modeling the network intrusion process of an attacker by utilizing a Bayesian attack graph, and obtaining the probability of each edge in the Bayesian attack graph by analyzing the availability parameters in the general vulnerability scoring system; each server and the host are monitored by an intrusion detection system, and a vulnerability on each machine is regarded as a node of a Bayesian attack graph; there are two states per node: 1 indicates that the node is invaded, and 0 indicates that the node is not invaded;
(2) the defender analyzes the psychological behaviors of the attacker and the most probable actions to be taken at the next moment so as to make a real-time response strategy, and the strategy comprises the following two conditions:
(2.1) the defender has a zeroth order belief b0(ajS) is ToM0The defender, when the attacker does not have the learning ability, the defender makes a response strategy through the following steps:
(2.1.1)ToM0formation of the zeroth-order belief b of defenders0(ajS); the zero-order belief b of the defender0(ajS) is the probability distribution that the defender thinks the attacker takes action in the current state, obtained from the Bayesian attack graph: firstly, finding all child nodes of an invaded node and non-invaded leaf nodes, summing the probability of the edges connected with the invaded node and all the child nodes thereof and the probability of the edges connected with the non-invaded leaf nodes according to the probability of each edge of the Bayesian attack graph, and dividing the probability of one edge by the sum of the probabilities, namely the probability that a defender considers that the attacker takes corresponding action under the current state;
(2.1.2) calculation of ToM0Subjective value of defense phi (a)i,b0(aj,s)):
Figure FDA0002674270190000011
Wherein, aiAct as a defender; a isjAn action that is an attacker; a. theiIs the action space of defender; a. thejAn action space for an attacker; s isThe current state of the system; s' is the state at the next moment; s is a set of all states of the system; a isi'is the defender's action at the next moment; t (s' | s, a)i,aj) As a state transition function, R (s, a)i,ajS') is a revenue function; gamma is a discount factor, and the range of gamma is 0-1;
the transfer function T (s' | s, a)i,aj) The following three cases are included:
(a) if node k of the attack graph is the node being repaired by the defender, the node state sk=0,T(s′=0|s,ai,aj)=1;
(b) If node k is an AND node and the states of all the father nodes of node k are 1, the probability that the state of the node is 1 is
Figure FDA0002674270190000012
Therein, ΨkSet of parent nodes u, p (e) for node kuk) For the edge e connected with the father node u in the attack graphukThe probability of occurrence;
(c) if the node k is an OR node, and the state of at least one father node is 1, the probability that the state of the node is 1 is
Figure FDA0002674270190000021
The revenue function R (s, a)i,ajS') is calculated from the following formula:
R(s,ai,aj,s′)=wo×(perfd-dama)-wc×Cd
wherein, perfdSafety benefits are brought to defenders after response actions are carried out; damaCalculating the harm brought by the attacker according to the influence sub-factor score in the general vulnerability scoring system; cdThe cost of time spent by defenders; w is ao,wcThe value ranges are 0-1 for weight;
(2.1.3)ToM0the defender selects a defensive action aiMaximize its subjective value:
Figure FDA0002674270190000022
(2.2) When the defender is a ToM1 defender holding a first-order belief and the attacker is a ToM0 attacker holding a zero-order belief b0(a_i, s), the defender forms its response strategy through the following steps:
(2.2.1) The ToM0 attacker forms a zero-order belief b0(a_i, s), and the ToM1 defender forms a first-order belief about the ToM0 attacker;
the attacker's zero-order belief b0(a_i, s) is the probability distribution over the actions the attacker thinks the defender will take in the current state, and is obtained from the Bayesian attack graph: first, find the compromised nodes, all of their child nodes, and the uncompromised leaf nodes; sum the occurrence probabilities of these nodes as given by the Bayesian attack graph; then divide each node's occurrence probability by that sum to obtain the probability that, in the attacker's view, the defender takes the corresponding action in the current state;
the first-order belief is the defender's estimate of the probability distribution over its own defensive measures that the attacker holds in the current state;
(2.2.2) Compute the subjective value φ(a_j, b0(a_i, s)) of the ToM0 attacker:
Figure FDA0002674270190000023
where a_j' is the attacker action in the next-time state;
(2.2.3) The ToM1 defender assumes that the ToM0 attacker selects the attack action a_j that maximizes its subjective value to intrude into the system; the attack action a_j is determined by the following formula:
Figure FDA0002674270190000024
The ToM1 defender then takes the action a_i corresponding to the attack action a_j.
The defender's action a_i is repairing a vulnerability; the attacker's action a_j is exploiting a vulnerability; the defender's action space A_i is the set of security measures that fix vulnerabilities; the attacker's action space A_j is the set of vulnerabilities present on all machines in the system.
2. The intrusion response method according to claim 1, wherein the discount factor γ is 0.8.
3. The intrusion response method according to claim 1, wherein the next-time state s' is determined by the joint action a_i × a_j together with the current state s.
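As an added worked example (not code from the patent), the following Python runs steps (2.1.3) and (2.2.1) to (2.2.3) together with the state transition of claim 3 on a constructed four-node attack graph. Since the page's formulas survive only as images, several points are assumptions: subjective values are one-step expected revenues (the γ-discounted continuation of claim 2 is left out); the attacker's payoff is taken as −R; perf_d is the impact score of the patched node and dam_a the impact of the node newly compromised in s'; the node named web is the entry point reachable from outside; and the ToM0 defender's belief over attacker actions is built with the same normalization rule as b0. The node names, occurrence probabilities, impact scores and patch costs are constructed.

```python
"""Added example (not the patent's code): zero-order belief from a Bayesian attack
graph, a ToM0 defender, and a ToM1 defender that first predicts a ToM0 attacker."""
from typing import Dict, FrozenSet, List, Optional, Tuple

# Constructed attack graph: node -> (children, occurrence probability, impact score).
# The occurrence probability stands in for the node's "degree of occurrence".
GRAPH: Dict[str, Tuple[List[str], float, float]] = {
    "web":  (["app"],        0.90, 4.0),
    "app":  (["db", "file"], 0.60, 6.4),
    "db":   ([],             0.42, 10.0),
    "file": ([],             0.30, 6.4),
}
W_O, W_C = 0.6, 0.4                                            # constructed weights
PATCH_COST = {"web": 1.0, "app": 2.0, "db": 3.0, "file": 1.5}  # C_d per action, constructed
ENTRY = "web"                                                  # assumed externally reachable node


def candidate_nodes(state: FrozenSet[str]) -> List[str]:
    """(2.2.1): compromised nodes, all their children, and uncompromised leaf nodes."""
    cands = set(state)
    for n in state:
        cands.update(GRAPH[n][0])
    cands.update(n for n, (children, _, _) in GRAPH.items() if not children and n not in state)
    return sorted(cands)


def zero_order_belief(state: FrozenSet[str]) -> Dict[str, float]:
    """b0(a_i, s): each candidate node's occurrence probability over their sum."""
    cands = candidate_nodes(state)
    total = sum(GRAPH[n][1] for n in cands)
    return {n: GRAPH[n][1] / total for n in cands}


def next_state(state: FrozenSet[str], patch: str, exploit: str) -> FrozenSet[str]:
    """Claim 3: s' follows from s and the joint action a_i x a_j. An exploit
    succeeds only if its target is the entry node or a child of a compromised
    node, is not yet compromised, and is not patched in the same step (assumption)."""
    reachable = {ENTRY} | {c for n in state for c in GRAPH[n][0]}
    if exploit != patch and exploit in reachable and exploit not in state:
        return state | {exploit}
    return state


def revenue(state: FrozenSet[str], patch: str, exploit: str, new_state: FrozenSet[str]) -> float:
    """R(s,a_i,a_j,s') = w_o*(perf_d - dam_a) - w_c*C_d, with perf_d the impact of
    the patched node and dam_a the impact newly added in s' (both assumptions)."""
    perf_d = GRAPH[patch][2]
    dam_a = sum(GRAPH[n][2] for n in new_state - state)
    return W_O * (perf_d - dam_a) - W_C * PATCH_COST[patch]


def tom0_defender(state: FrozenSet[str], attacker_belief: Dict[str, float]) -> Tuple[str, float]:
    """(2.1.3): pick the a_i with the highest expected revenue under a belief over a_j."""
    best: Optional[Tuple[str, float]] = None
    for a_i in GRAPH:
        v = sum(p * revenue(state, a_i, a_j, next_state(state, a_i, a_j))
                for a_j, p in attacker_belief.items())
        if best is None or v > best[1]:
            best = (a_i, v)
    return best


def tom0_attacker(state: FrozenSet[str]) -> Tuple[str, float]:
    """(2.2.2): maximise phi(a_j, b0) = sum_i b0(a_i, s) * payoff(a_i, a_j);
    the attacker's payoff is -R (zero-sum assumption)."""
    b0 = zero_order_belief(state)
    best: Optional[Tuple[str, float]] = None
    for a_j in GRAPH:
        v = sum(p * -revenue(state, a_i, a_j, next_state(state, a_i, a_j))
                for a_i, p in b0.items())
        if best is None or v > best[1]:
            best = (a_j, v)
    return best


def tom1_defender(state: FrozenSet[str]) -> str:
    """(2.2.3): predict the ToM0 attacker's a_j, then take the corresponding a_i,
    i.e. patch the vulnerability that a_j would exploit."""
    a_j, _ = tom0_attacker(state)
    return a_j


if __name__ == "__main__":
    s = frozenset({"web"})   # constructed current state: only the entry node is compromised
    print("b0:", zero_order_belief(s))
    print("ToM0 defender:", tom0_defender(s, zero_order_belief(s)))
    print("ToM0 attacker:", tom0_attacker(s))
    print("ToM1 defender patches:", tom1_defender(s))
```

With only the entry node compromised, the ToM0 defender patches the highest-impact asset (db), whereas the ToM1 defender first works out that a ToM0 attacker gains most by exploiting app, the only node currently reachable, and patches that instead. This is the behavioural difference the first-order belief is meant to buy.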
CN201910828610.3A 2019-09-03 2019-09-03 Intrusion response method based on attack graph and psychological theory Active CN110708287B (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN201910828610.3A CN110708287B (en) 2019-09-03 2019-09-03 Intrusion response method based on attack graph and psychological theory

Publications (2)

Publication Number Publication Date
CN110708287A CN110708287A (en) 2020-01-17
CN110708287B true CN110708287B (en) 2020-12-29

Family

ID=69193493

Country Status (1)

Country Link
CN (1) CN110708287B (en)

Families Citing this family (1)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN114760095B (en) * 2022-03-09 2023-04-07 西安电子科技大学 Intention-driven network defense strategy generation method, system and application

Citations (3)

Publication number Priority date Publication date Assignee Title
CN105681338A (en) * 2016-03-04 2016-06-15 西北大学 Vulnerability exploiting success probability calculation method and network security risk management method
CN108494810A (en) * 2018-06-11 2018-09-04 中国人民解放军战略支援部队信息工程大学 Network security situation prediction method, apparatus and system towards attack
CN108512837A (en) * 2018-03-16 2018-09-07 西安电子科技大学 Network security situation assessment method and system based on attack-defense evolutionary game

Family Cites Families (5)

Publication number Priority date Publication date Assignee Title
CN102231743A (en) * 2011-06-30 2011-11-02 江苏南大苏富特科技股份有限公司 Attack-graph-based intrusion response mode
US10108803B2 (en) * 2016-03-31 2018-10-23 International Business Machines Corporation Automatic generation of data-centric attack graphs
CN106341414B (en) * 2016-09-30 2019-04-23 重庆邮电大学 Multi-step attack security situation evaluation method based on Bayesian network
CN109714364A (en) * 2019-02-20 2019-05-03 湖南大学 Network security defence method based on a Bayesian improved model
CN110012037B (en) * 2019-05-21 2020-08-18 北京理工大学 Network attack prediction model construction method based on uncertainty perception attack graph

Non-Patent Citations (3)

Title
Dynamic Network Security Situation Prediction based on Bayesian Attack Graph and Big Data; Pengwen Lin et al.; 2018 IEEE 4th Information Technology and Mechatronics Engineering Conference (ITOEC); 2018-12-16; pp. 992-998 *
An intrusion response method based on attack graph; 石进 et al.; Journal of Software; 2008-10-31; pp. 2746-2753 *
Dynamic security risk assessment model based on Bayesian attack graph; 高妮 et al.; Journal of Sichuan University (Engineering Science Edition); 2016-01-31; pp. 111-118 *

Also Published As

Publication number Publication date
CN110708287A (en) 2020-01-17

Similar Documents

Publication Publication Date Title
US10803183B2 (en) System, method, and computer program product for detecting and assessing security risks in a network
CN101808020B (en) Intrusion response decision-making method based on incomplete information dynamic game
Hu et al. Dynamic defense strategy against advanced persistent threat with insiders
US10185832B2 (en) Methods and systems for defending cyber attack in real-time
US8863293B2 (en) Predicting attacks based on probabilistic game-theory
CN106341414B (en) Multi-step attack security situation evaluation method based on Bayesian network
US9912683B2 (en) Method and apparatus for determining a criticality surface of assets to enhance cyber defense
Ji et al. Attack-defense trees based cyber security analysis for CPSs
CN103401838B (en) Botnet prevention method based on bot program dissemination
CN109714364A (en) Network security defence method based on a Bayesian improved model
Tian et al. A digital evidence fusion method in network forensics systems with Dempster-shafer theory
Hyder et al. Optimization of cybersecurity investment strategies in the smart grid using game-theory
US11586921B2 (en) Method for forecasting health status of distributed networks by artificial neural networks
CN110708287B (en) Intrusion response method based on attack graph and psychological theory
CN114491541B (en) Automatic arrangement method of safe operation script based on knowledge graph path analysis
CN115102166A (en) Active power distribution network dynamic defense performance optimization method based on game theory
CN110061960A (en) WAF rule self-study system
Pricop et al. Fuzzy approach on modelling cyber attacks patterns on data transfer in industrial control systems
Truong et al. MetaCIDS: A metaverse collaborative intrusion detection system based on blockchain and federated learning
Bahareth et al. Constructing attack scenario using sequential pattern mining with correlated candidate sequences
Kadam et al. An enhanced approach for intrusion detection in virtual network of cloud computing
Cemerlic et al. Network Intrusion Detection Based on Bayesian Networks.
Hamid et al. Methodologies to develop quantitative risk evaluation metrics
Guan et al. A Bayesian Improved Defense Model for Deceptive Attack in Honeypot-Enabled Networks
CN114553517A (en) Nonlinear weighted network security assessment method, device, equipment and storage medium

Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination
GR01 Patent grant