CN111818007B - A method and electronic device for evaluating the priority of vulnerability repair benefits based on quantum genetic algorithm - Google Patents

Info

Publication number
CN111818007B
Authority
CN
China
Prior art keywords
vulnerability
information
optimal
fitness
repair
Prior art date
Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
Active
Application number
CN202010404149.1A
Other languages
Chinese (zh)
Other versions
CN111818007A (en)
Inventor
刘镓煜
吴敬征
罗天悦
杨牧天
王丽敏
武延军
Current Assignee (The listed assignees may be inaccurate. Google has not performed a legal analysis and makes no representation or warranty as to the accuracy of the list.)
Institute of Software of CAS
Original Assignee
Institute of Software of CAS
Priority date (The priority date is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the date listed.)
Filing date
Publication date
Application filed by Institute of Software of CAS
Priority to CN202010404149.1A
Publication of CN111818007A
Application granted
Publication of CN111818007B
Legal status: Active (current)
Anticipated expiration

Classifications

    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L63/00 Network architectures or network communication protocols for network security
    • H04L63/20 Network architectures or network communication protocols for network security for managing network security; network security policies in general
    • G PHYSICS
    • G06 COMPUTING; CALCULATING OR COUNTING
    • G06F ELECTRIC DIGITAL DATA PROCESSING
    • G06F21/00 Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
    • G06F21/50 Monitoring users, programs or devices to maintain the integrity of platforms, e.g. of processors, firmware or operating systems
    • G06F21/57 Certifying or maintaining trusted computer platforms, e.g. secure boots or power-downs, version controls, system software checks, secure updates or assessing vulnerabilities
    • G06F21/577 Assessing vulnerabilities and evaluating computer system security
    • G PHYSICS
    • G06 COMPUTING; CALCULATING OR COUNTING
    • G06N COMPUTING ARRANGEMENTS BASED ON SPECIFIC COMPUTATIONAL MODELS
    • G06N3/00 Computing arrangements based on biological models
    • G06N3/12 Computing arrangements based on biological models using genetic models
    • G06N3/126 Evolutionary algorithms, e.g. genetic algorithms or genetic programming
    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L63/00 Network architectures or network communication protocols for network security
    • H04L63/14 Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic
    • H04L63/1408 Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic by monitoring network traffic
    • H04L63/1416 Event detection, e.g. attack signature detection
    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L63/00 Network architectures or network communication protocols for network security
    • H04L63/14 Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic
    • H04L63/1433 Vulnerability analysis
    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L9/00 Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols
    • H04L9/08 Key distribution or management, e.g. generation, sharing or updating, of cryptographic keys or passwords
    • H04L9/0816 Key establishment, i.e. cryptographic processes or cryptographic protocols whereby a shared secret becomes available to two or more parties, for subsequent use
    • H04L9/0852 Quantum cryptography

Landscapes

  • Engineering & Computer Science (AREA)
  • Computer Security & Cryptography (AREA)
  • General Engineering & Computer Science (AREA)
  • Physics & Mathematics (AREA)
  • Computer Hardware Design (AREA)
  • Theoretical Computer Science (AREA)
  • Computing Systems (AREA)
  • Signal Processing (AREA)
  • Computer Networks & Wireless Communication (AREA)
  • Biophysics (AREA)
  • Life Sciences & Earth Sciences (AREA)
  • Software Systems (AREA)
  • Health & Medical Sciences (AREA)
  • Bioinformatics & Cheminformatics (AREA)
  • Evolutionary Biology (AREA)
  • Bioinformatics & Computational Biology (AREA)
  • General Physics & Mathematics (AREA)
  • Artificial Intelligence (AREA)
  • Physiology (AREA)
  • Genetics & Genomics (AREA)
  • Electromagnetism (AREA)
  • Biomedical Technology (AREA)
  • Computational Linguistics (AREA)
  • Data Mining & Analysis (AREA)
  • Evolutionary Computation (AREA)
  • General Health & Medical Sciences (AREA)
  • Molecular Biology (AREA)
  • Mathematical Physics (AREA)
  • Management, Administration, Business Operations System, And Electronic Commerce (AREA)

Abstract

The invention provides a method and an electronic device for evaluating the priority of vulnerability repair benefits based on a quantum genetic algorithm. The method includes: from the acquired vulnerability information present in the network system and the access connectivity topology information of the system, calculating the overall damage loss suffered by the system and the total negative cost generated by repairing a group of vulnerabilities in the system; repairing a group of vulnerabilities at limited cost, constructing a constraint function, and constructing, from the overall damage loss and the total negative cost, an objective function that maximizes the reduction of system loss; constructing a fitness function from the overall damage loss, the total negative cost, the constraint function and the objective function; and calculating fitness according to the fitness function to obtain the evolution direction of the optimal vulnerability repair benefit and thereby the optimal vulnerability repair benefit scheme. The invention encodes chromosomes with qubits and completes the evolutionary update of the population with quantum logic gates, realizing the optimal solution of the objective, avoiding premature convergence and entrapment in local optima, and having stronger optimization ability.

Description

Vulnerability repair benefit priority evaluation method based on quantum genetic algorithm and electronic device
Technical Field
The invention relates to the technical field of information security, in particular to a vulnerability repair benefit priority assessment method based on a quantum genetic algorithm and an electronic device.
Background
As computer systems are widely used in all industries, they have become closely tied to people's lives. Meanwhile, the number of information security vulnerabilities has increased sharply and they are frequently exploited by hackers, creating huge security risks. According to the 2019 vulnerability report of the security company Risk Based Security (RBS), as many as 11092 vulnerabilities were disclosed in the first half of 2019 alone. Therefore, detecting the vulnerabilities present in an information system and managing and repairing them reasonably and effectively have become key problems for information security assurance.
At present, vulnerability management methods generally formulate different vulnerability repair schemes according to a risk value or risk level obtained by quantitatively evaluating the risk of each vulnerability. For example, the evaluation criteria of a general vulnerability database are combined with the service information, network topology and other information associated with the host on which the vulnerability is actually located, the risk value of the vulnerability is computed comprehensively, and vulnerabilities with high risk values are repaired first. As another example, Chinese patent application CN101950338A discloses a vulnerability repair method based on hierarchical vulnerability threat assessment, which performs the assessment according to an attack exploitation score and a qualitative grade score.
However, current methods to some extent lack analysis of the cost and impact of vulnerability repair, so a repair scheme formulated according to risk values alone finds it difficult to obtain a better security benefit. For example, the repair process of some high-risk vulnerabilities is complex and requires a large expenditure of manpower, time and computing resources, and after the repair is completed it brings negative effects such as reduced system performance; taken together, the cost of repairing such vulnerabilities is no less than the loss their exploitation would cause, so the security benefit of repairing these high-risk vulnerabilities first according to their risk value is not high.
In practice, the security resources that operation and maintenance personnel can use to repair vulnerabilities are limited, and they usually expect these limited resources to be spent first on the vulnerabilities whose repair achieves the optimal security benefit. Vulnerability management methods based on risk assessment do not fully consider the benefit information of vulnerability repair, so the repair schemes they provide find it difficult to meet the requirements of operation and maintenance personnel.
Although Chinese patent application CN109547401A discloses network security vulnerability prioritization and remediation, which calculates a network priority security level based on impact metrics and final resource metrics for each network security vulnerability, its optimization capability in calculating the network priority security level is not strong.
Disclosure of Invention
Based on the above problems, the invention provides a vulnerability repair benefit priority assessment method and an electronic device based on a quantum genetic algorithm, so as to assess the benefit of vulnerability repair, output a vulnerability priority repair scheme, and assist operation and maintenance personnel in preferentially repairing the vulnerabilities that obtain the optimal security benefit under the constraint of limited vulnerability repair resources.
In order to achieve this purpose, the invention adopts the following technical scheme:
a vulnerability repair benefit priority assessment method based on a quantum genetic algorithm comprises the following steps:
1) calculating, from the acquired vulnerability information present in the network system and the access connectivity topology information of the system, the overall damage loss suffered by the system and the total negative cost generated by repairing a group of vulnerabilities in the system;
2) repairing a randomly chosen group of vulnerabilities at limited cost, constructing a constraint function, and constructing an objective function that maximizes the reduction of system loss according to the overall damage loss and the total negative cost;
3) constructing a fitness function from the overall damage loss, the total negative cost, the constraint function and the objective function;
4) calculating fitness according to the fitness function to obtain the evolution direction of the optimal vulnerability repair benefit, and thereby obtaining an optimal vulnerability repair benefit scheme.
Further, the vulnerability information comprises the number of vulnerabilities, vulnerability identifiers, vulnerability-associated service information and vulnerability distribution information; the associated service information comprises the importance, confidentiality, integrity and availability information of the service associated with the vulnerability.
Further, the overall damage loss suffered by the system is calculated by:
1) calculating, according to the vulnerability information, the probability that each vulnerability on each host is successfully exploited to launch an attack;
2) calculating the shortest attack link information between any two hosts according to the probability of successful exploitation of the vulnerabilities and the access connectivity topology information;
3) selecting a set of potential initial intrusion hosts of an attacker, and calculating the probability that an attack reaches a specific host;
4) calculating the loss caused by a single vulnerability to a specific host from the probability that an attack reaches the host, the probability of successful exploitation of the vulnerability and the vulnerability information;
5) calculating the overall damage of the specific host according to the loss caused by each single vulnerability to the host and the vulnerability information;
6) calculating the overall damage loss of the system by combining the vulnerability information and the access connectivity topology information.
Further, the methods for calculating the probability of successful exploitation of each vulnerability on each host include factor analysis; the methods for calculating the shortest attack link information between any two hosts include factor analysis.
Further, the total negative cost generated by repairing a group of vulnerabilities in the system is calculated by:
1) calculating the negative cost generated by repairing a single vulnerability from the vulnerability information and the access connectivity topology information;
2) calculating the single-host negative cost generated by repairing multiple vulnerabilities on a specific host by combining the repaired vulnerabilities on that host;
3) calculating the total negative cost generated by repairing multiple vulnerabilities in the system by combining the vulnerability information and the access connectivity topology information of the system.
Further, the fitness calculation is carried out through the following steps to obtain the evolution direction of the optimal vulnerability repair benefit:
1) setting the number of vulnerabilities obtained from the vulnerability information as the length of a quantum chromosome, and setting the quantum population size and the maximum number of generations according to the gene complexity and the actual operating environment of the model;
2) the quantum population of the t-th generation is represented as
Figure BDA0002490641110000031
Wherein N represents the size of the population,
Figure BDA0002490641110000032
representing the ith quantum chromosome in the t-th generation quantum population, m is the length of the quantum chromosome,
Figure BDA0002490641110000033
represents the ith qubit, wherein
Figure BDA0002490641110000034
And
Figure BDA0002490641110000035
are both complex numbers, correspond to the states |0> and |1> respectively, and satisfy the following condition:
Figure BDA0002490641110000036
3) observing the state of Q(t) to generate a binary solution set
Figure BDA0002490641110000037
4) randomly generating N chromosomes represented by qubits, where all genes of all chromosomes in the population
Figure BDA0002490641110000038
are all initialized to
Figure BDA0002490641110000039
5) observing the population Q(t) of the current generation t: randomly generating a number γ in the interval [0,1]; if
Figure BDA00024906411100000310
the measurement result takes the value 1, otherwise 0, thereby obtaining the binary solution set P(t);
6) calculating the fitness of each solution in P(t), recording the optimal individual with the best fitness, and setting it as the evolution direction of the population, thereby obtaining the evolution direction of the optimal vulnerability repair benefit.
Further, the evolution direction of the population is set by:
1) comparing the optimal fitness of the current generation t with that of generation t-1;
2) if the optimal fitness of generation t is greater than that of generation t-1, setting the optimal individual of generation t as the evolution target of the next generation;
3) if the optimal fitness of generation t is less than or equal to that of generation t-1, keeping the optimal individual of generation t-1 as the evolution target of the next generation.
Further, the optimal vulnerability repair benefit scheme is obtained through the following steps:
1) judging whether the current generation t is equal to the maximum number of generations G of the termination condition;
2) if so, outputting the scheme with the optimal fitness in the current generation t as the optimal vulnerability repair benefit scheme;
3) if not, applying the quantum rotation gate
Figure BDA00024906411100000311
to the qubits of the chromosomes in the population Q(t)
Figure BDA00024906411100000312
according to the rotation angle adjustment strategy, updating the population, and taking the scheme with the optimal fitness of the (t+1)-th generation as the optimal vulnerability repair benefit scheme.
Further, the rotation angle adjustment strategy is performed by:
1) comparing the fitness value Fit(c) of the current chromosome c with the fitness value Fit(b) of the optimal chromosome b;
2) if Fit(c) is better than Fit(b), the chromosomes are controlled to evolve towards c;
3) if Fit(b) is better than Fit(c), the chromosomes are controlled to evolve towards b.
A storage medium having a computer program stored therein, wherein the computer program performs the above method.
An electronic device comprising a memory having a computer program stored therein and a processor arranged to run the computer program to perform the above method.
Compared with the prior art, the invention has the following advantages:
1) the optimized security benefit under limited repair resources is calculated with a quantum genetic algorithm, and the corresponding vulnerability repair scheme is designed from it;
2) the quantum genetic algorithm is a genetic algorithm that introduces the concept of quantum computing: chromosomes are encoded with qubits, and the evolution and update of the population are completed with quantum logic gates, so that optimization and solution of the objective are realized. Compared with the original genetic algorithm, the quantum genetic algorithm can effectively avoid premature convergence and being trapped in a local optimum, and has stronger optimization capability.
Drawings
Fig. 1 is a flowchart of the vulnerability repair benefit priority assessment method based on a quantum genetic algorithm.
Fig. 2 is a flowchart of the calculation model of the overall damage loss suffered by the system.
Fig. 3 is a flowchart of the calculation model of the total negative cost generated by repairing a group of vulnerabilities in the system.
Fig. 4 is a flowchart of the construction of the security-benefit-optimized vulnerability repair scheme based on the quantum genetic algorithm.
Detailed Description
The technical scheme of the invention is clearly and completely described below with reference to the accompanying drawings. It is to be understood that the described embodiments are merely exemplary of the invention, and not restrictive of the full scope of the invention. All other embodiments, which can be derived by a person skilled in the art from the embodiments given herein without making any creative effort, shall fall within the protection scope of the present invention.
This embodiment is a vulnerability repair benefit priority assessment method based on a quantum genetic algorithm. The overall flow is shown in Fig. 1, and the method mainly comprises the following steps:
1) Acquiring the vulnerability information and the access connectivity topology information present in the network system. The specific implementation is described as follows:
1a) Acquiring the vulnerability information present in the network system, which includes but is not limited to the number of vulnerabilities, vulnerability identifiers, vulnerability-associated service information, vulnerability distribution information and other related information that can guide the evaluation of vulnerability damage and repair cost. The associated service information comprises the importance Imp, confidentiality Con, integrity Int and availability Ava of the service associated with the vulnerability, obtained by the analytic hierarchy process or another analysis method and expressed numerically. Importance represents how important the service associated with the vulnerability is to the system: the larger the value, the more important the service. Confidentiality represents the degree to which the associated service may be disclosed: the larger the value, the higher the confidentiality of the service. Integrity represents the degree of influence of the associated service on the system's benefit: the larger the value, the greater the influence. Availability represents the degree of influence of the associated service on the operation of the system: the larger the value, the greater the influence.
It should be noted that the attribute information can be configured flexibly according to actual needs; that is, the parameter types are not limited to those listed above.
1b) Acquiring the access connectivity topology information of the network system, which comprises the connectivity information of each host in the network system.
2) Constructing the calculation model of the overall damage loss suffered by the system. The calculation flow is shown in Fig. 2, and the specific implementation is described as follows:
2a) For each vulnerability, according to the vulnerability identifier, the associated services and other information, apply factor analysis or another analysis method to obtain the probability P_attack_success that the vulnerability is successfully exploited to launch an attack on the host where it is located. Go to 2b).
2b) According to the successful exploitation probability P_attack_success of each vulnerability on each host in the network system and the access connectivity topology information, calculate the shortest attack link information between any two hosts using factor analysis or another analysis method. Go to 2c).
2c) Select the set N_Entry of potential initial intrusion hosts of an attacker, give each initial host a corresponding weight w, and calculate the probability P_visit_host that an attacker can reach a specific host
Figure BDA0002490641110000051
Go to 2d).
2d) Evaluate the expected direct loss caused to a specific host by a single vulnerability. According to the probability P_visit_host that an attacker reaches the specific host where the vulnerability is located, the probability P_attack_success that the vulnerability is successfully exploited to launch an attack, and the service information associated with the vulnerability, calculate the direct loss of the single vulnerability to the specific host as VD = P_visit_host × P_attack_success × (Imp + Con + Int + Ava). Go to 2e).
2e) Evaluate the expected loss caused to the system by all vulnerabilities present on a specific host. The overall damage loss HD suffered by the host is evaluated by combining the expected direct losses caused by all n vulnerabilities present on it. Because the same asset on the host may be affected by several vulnerabilities at once, directly summing the expected direct loss VD of each vulnerability would count part of the loss repeatedly, so a cross valuation function Cross(v_1, v_2, ..., v_n) is introduced to estimate the overlap of the expected direct losses of the vulnerabilities v_1, v_2, ..., v_n on the host and eliminate the effect of repeated counting, that is
Figure BDA0002490641110000061
Go to 2f).
2f) Evaluate the expected loss caused by all vulnerabilities present in the whole system. Repeat steps 2c) to 2e) to obtain the damage loss HD of all n hosts in the system, and calculate the overall damage loss SD of the whole system
Figure BDA0002490641110000062
3) Constructing the calculation model of the total negative cost generated by repairing a group of vulnerabilities in the system. The calculation flow is shown in Fig. 3, and the specific implementation is described as follows:
3a) Calculate the operation cost OC of repairing a single vulnerability in the selected group, combining the vulnerability identifier, the system access connectivity topology and other information and using factor analysis or another analysis method; that is, calculate the manpower, time, space and computing resource overhead directly spent on repairing the vulnerability. The larger the value, the higher the operation cost of repairing the vulnerability. Go to 3b).
3b) Evaluate the negative cost generated by repairing a single vulnerability in the selected group. Combining the vulnerability-associated service information, the system access connectivity topology and other information, use factor analysis or another analysis method to calculate the negative cost VNC of a single vulnerability generated by its repair, that is, the loss caused by the system being unable to provide normal service and the like because of the repair. In this embodiment the loss is calculated in terms of the importance, confidentiality, integrity and availability of the service associated with the vulnerability, as VNC = Imp_lost + Con_lost + Int_lost + Ava_lost. Go to 3c).
3c) Evaluate the single-host negative cost generated by repairing multiple vulnerabilities on a specific host. The single-host negative cost HNC generated by repairing multiple vulnerabilities on the host is evaluated from the negative cost VNC of all n vulnerabilities selected for repair on it. Because the same asset on the host may be affected by the repair of several vulnerabilities at once, directly summing the negative costs of all vulnerabilities would count part of the negative cost repeatedly, so a cross valuation function Cross_lost(v_1, v_2, ..., v_n) is introduced to estimate the overlap of the negative costs of the repaired vulnerabilities v_1, v_2, ..., v_n on the host and eliminate the effect of repeated counting, that is
Figure BDA0002490641110000063
Go to 3d).
3d) Evaluate the total negative cost generated by repairing a group of vulnerabilities in the system. Repeat steps 3b) to 3c) to obtain the single-host negative cost HNC generated by the multiple vulnerabilities on all n hosts selected for repair, and calculate the total negative cost SNC of vulnerability repair suffered by the whole system
Figure BDA0002490641110000064
4) Constructing the security-benefit-optimized vulnerability repair scheme based on the quantum genetic algorithm. Combining the calculation models obtained in steps 2) and 3), the quantum genetic algorithm is used to calculate the optimized security benefit under limited repair resources and thereby design the corresponding vulnerability repair scheme. The modelling and operation flow of the quantum genetic algorithm is shown in Fig. 4, and the specific implementation is described as follows:
4a) Construct the constraints of the quantum genetic algorithm. The optimal vulnerability repair scheme selects, under the constraint of a limited cost C_all, a group of vulnerabilities V_repair present in the system to repair, which gives the constraint function
Figure BDA0002490641110000071
Go to 4b).
4b) Construct the objective function of the quantum genetic algorithm. The goal of the optimal vulnerability repair scheme is that, after all vulnerabilities in the scheme are repaired, the reduction of the overall system loss, expressed by the expectation function f, is maximal; the objective function is therefore constructed as max f = SD - SD' - SNC, where SD' represents the total loss caused by the vulnerabilities remaining in the system after all vulnerabilities in V_repair have been repaired, calculated in the same way as SD in step 2). Go to 4c).
4c) Construct the fitness function of the quantum genetic algorithm. The fitness function is constructed from the constraint condition, the objective function and a penalty coefficient c:
Figure BDA0002490641110000072
where the penalty coefficient c makes the fitness of chromosomes that do not satisfy the constraint much smaller than that of chromosomes that do. Go to 4d).
4d) Set the related parameters and the encoding of the quantum genetic algorithm. The related parameters comprise the population size N, the maximum number of generations G and the fitness metric. Preferably, in this embodiment the population size N is set to 100 and the maximum number of generations G to 300. Under the qubit encoding, the t-th generation quantum population is expressed as
Figure BDA0002490641110000073
Wherein N represents the size of the population,
Figure BDA0002490641110000074
represents the ith quantum chromosome in the t-th generation quantum population, and
Figure BDA0002490641110000075
the definition is as follows:
Figure BDA0002490641110000076
The length m of a quantum chromosome is the total number of vulnerabilities in the system in this embodiment. In the chromosome
Figure BDA0002490641110000077
Figure BDA0002490641110000078
represents the ith qubit, wherein
Figure BDA0002490641110000079
And
Figure BDA00024906411100000710
are both complex numbers, correspond to the states |0> and |1> respectively, and satisfy the following condition:
Figure BDA00024906411100000711
A binary solution set is generated by observing the state of Q(t):
Figure BDA00024906411100000712
Each solution
Figure BDA00024906411100000713
is a binary string of length m. All m vulnerabilities present in the system are numbered in sequence;
Figure BDA00024906411100000714
the value of the j th bit is 1, which represents that the j th bug is selected to be repaired, and the value of the j th bit is 0, which represents that the j th bug is not repaired. Go to 4 e).
4e) An initial population Q (0) of qubit codes is generated. Q (0) is initialized by randomly generating N chromosomes represented by quantum bits and all genes of all chromosomes in the population
Figure BDA0002490641110000081
are all initialized to
Figure BDA0002490641110000082
Go to 4f).
4f) Observe the population Q(t) of the current generation t to obtain the binary solution set P(t). In this embodiment the observation process is to randomly generate a number γ in the interval [0,1]; if
Figure BDA0002490641110000083
the measurement result takes the value 1, otherwise it takes the value 0. Other observation rules may be used in practice. Go to 4g).
4g) Calculate the fitness of each solution in P(t) using the calculation models constructed in steps 2) and 3) and the fitness function Fit constructed in step 4c), record the optimal individual with the optimal fitness, and set it as the evolution direction of the population. The population evolution direction is set as follows: compare the optimal fitness of the current generation t with that of generation t-1; if the optimal fitness of generation t is greater than that of generation t-1, set the optimal fitness of generation t as the evolution target of the next generation, otherwise keep the optimal fitness of generation t-1 as the evolution target of the next generation. In particular, when t = 0, the optimal fitness of generation 0 is taken as the evolution target. Go to 4h).
4h) Judge whether the current generation t equals the maximum number of generations G. If so, output the scheme attaining the optimal fitness in the current generation t as the optimal vulnerability repair benefit scheme; if not, apply the quantum rotation gate
Figure BDA0002490641110000084
to update the chromosomes in the population Q(t) according to
Figure BDA0002490641110000085
and the rotation angle adjustment strategy, obtaining the (t+1)-th generation population Q(t+1); then return to step 4f).
Preferably, the rotation angle adjustment strategy employed in the present embodiment is:
Figure BDA0002490641110000086
The idea of the adjustment strategy is to compare the fitness value Fit(c) of the current chromosome c with the fitness value Fit(b) of the optimal chromosome b: if Fit(c) is better than Fit(b), the chromosome is steered to evolve in the direction favorable to c, otherwise in the direction favorable to b, so that the current individual always evolves toward the current optimum. Other adjustment strategies may be employed in practice.
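The following is an added illustration of steps 4c) to 4h), written for this page and not code from the patent. It assumes an additive per-vulnerability stand-in for the loss model of steps 2) and 3) (the patent's SD - SD' and SNC come from a host-topology model), a penalty of the form f - c × (budget overshoot), the observation rule "bit = 1 when γ ≥ |α|²", and a fixed rotation angle of 0.05π; all numeric values are constructed.

```python
import math
import random
from itertools import product

# Constructed instance with m = 8 vulnerabilities (assumption: additive loss model,
# not the patent's topology-based SD / SNC computation).
LOSS_REDUCTION = [12.0, 30.0, 7.0, 45.0, 18.0, 25.0, 4.0, 38.0]  # SD - SD' per vulnerability
NEGATIVE_COST = [2.0, 6.0, 1.0, 9.0, 3.0, 5.0, 0.5, 8.0]         # SNC per vulnerability
OPERATION_COST = [3, 5, 2, 8, 4, 6, 1, 7]                         # OCv per vulnerability
C_ALL = 15                                                        # finite budget Call
PENALTY_C = 1000.0                                                # penalty coefficient c

def fitness(bits):
    """Step 4c: Fit = f - c * (budget overshoot), f = SD - SD' - SNC (assumed shape)."""
    f = sum(LOSS_REDUCTION[j] - NEGATIVE_COST[j] for j, b in enumerate(bits) if b)
    cost = sum(OPERATION_COST[j] for j, b in enumerate(bits) if b)
    return f - PENALTY_C * max(0, cost - C_ALL)

def observe(chromosome, rng=random):
    """Step 4f: collapse each qubit (alpha, beta) to a bit. Draw gamma in [0,1);
    the bit is 1 when gamma >= |alpha|^2 (so P(bit=1) = |beta|^2), else 0."""
    return [1 if rng.random() >= a * a else 0 for a, _ in chromosome]

def rotate(chromosome, bits, best_bits, toward_best):
    """Step 4h: apply the quantum rotation gate per qubit toward the bit value of the
    better individual (best b if toward_best, else current c). Angle is assumed."""
    theta = 0.05 * math.pi
    out = []
    for (a, b), cur, best in zip(chromosome, bits, best_bits):
        if cur == best:                      # qubit already agrees with the target
            out.append((a, b))
            continue
        target = best if toward_best else cur
        sign = 1 if target == 1 else -1      # toward |1> grows beta, toward |0> grows alpha
        if a * b < 0:                        # in the 2nd/4th quadrant the sense flips
            sign = -sign
        t = sign * theta
        out.append((a * math.cos(t) - b * math.sin(t), a * math.sin(t) + b * math.cos(t)))
    return out

def run_qga(m=8, n_pop=20, max_gen=50, seed=7):
    """Steps 4e-4h: uniform init, observe, keep the best-ever individual as the
    evolution target (step 4g), rotate toward it, stop after max_gen generations."""
    rng = random.Random(seed)
    amp = 1 / math.sqrt(2)
    population = [[(amp, amp)] * m for _ in range(n_pop)]   # step 4e
    best_bits, best_fit = [0] * m, -math.inf
    for _ in range(max_gen):
        solutions = [observe(q, rng) for q in population]
        fits = [fitness(bits) for bits in solutions]
        for bits, fit in zip(solutions, fits):
            if fit > best_fit:
                best_bits, best_fit = bits, fit
        population = [rotate(q, bits, best_bits, fit <= best_fit)
                      for q, bits, fit in zip(population, solutions, fits)]
    return best_bits, best_fit

def brute_force(m=8):
    """Exhaustive optimum over all 2^m repair schemes, for checking the QGA result."""
    return max((fitness(list(bits)), list(bits)) for bits in product((0, 1), repeat=m))
```

On this small instance the exhaustive optimum is cheap to compute, which lets the QGA result be checked for feasibility and compared against the true maximum.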

Claims (10)

1. A method for evaluating the priority of vulnerability repair benefits based on a quantum genetic algorithm, the steps of which include:
1) From the acquired vulnerability information existing in the network system and the access connectivity topology information of the system, calculate the total damage loss SD suffered by the system and the total negative cost SNC generated by repairing a group of vulnerabilities Vrepair in the system;
2) Randomly repair a group of vulnerabilities Vrepair with a finite cost, construct a constraint function, and from the total damage loss and the total negative cost construct the objective function maxf = SD - SD' - SNC that maximizes the reduction of system loss, where SD' is the total loss caused by the vulnerabilities remaining in the system after all vulnerabilities in the group Vrepair have been repaired;
3) From the total damage loss, total negative cost, constraint function and objective function, construct the fitness function
Figure FDA0003053690850000011
Figure FDA0003053690850000012
where the penalty coefficient c makes the fitness of chromosomes that do not satisfy the constraint far smaller than that of chromosomes that do, OCv is the operation cost of repairing a single vulnerability v in the group Vrepair, and Call is the finite cost;
4) Calculate fitness according to the fitness function, obtain the evolution direction of the optimal vulnerability repair benefit, and obtain the optimal vulnerability repair benefit scheme.

2. The method according to claim 1, wherein the vulnerability information includes the number of vulnerabilities, vulnerability identifiers, vulnerability-related business information and vulnerability distribution information; the business-related information includes the importance, confidentiality, integrity and availability information of the business involved in exploiting the vulnerability.

3. The method according to claim 1, wherein the total damage loss suffered by the system is calculated by the following steps:
1) According to the vulnerability information, calculate for each vulnerability on each host the probability that the vulnerability is successfully exploited to launch an attack;
2) According to the probability of successful exploitation and the access connectivity topology information, calculate the shortest attack path information between any two hosts;
3) Select the set of hosts from which an attacker may potentially start an intrusion, and calculate the probability that attack information reaches a specific host;
4) From the probability that attack information reaches a specific host, the probability of successful exploitation and the vulnerability information, calculate the loss caused by a single vulnerability to the specific host;
5) From the loss caused by a single vulnerability to the specific host and the vulnerability information, calculate the overall damage to the specific host;
6) Combining the vulnerability information and the access connectivity topology information, calculate the total damage loss suffered by the system.

4. The method according to claim 3, wherein the method for calculating the probability that each vulnerability on each host is successfully exploited to launch an attack includes factor analysis; the method for calculating the shortest attack path information between any two hosts includes factor analysis.

5. The method according to claim 1, wherein the total negative cost generated by repairing a group of vulnerabilities in the system is calculated by the following steps:
1) From the vulnerability information and the access connectivity topology information, calculate the single-vulnerability negative cost generated by repairing a single vulnerability;
2) Taking into account the vulnerabilities already repaired on a specific host, calculate the single-host negative cost generated by repairing multiple vulnerabilities on the specific host;
3) Combining the vulnerability information with the access connectivity topology information of the system, calculate the total negative cost generated by repairing multiple vulnerabilities in the system.

6. The method according to claim 1, wherein fitness is calculated and the evolution direction of the optimal vulnerability repair benefit is obtained by the following steps:
1) Set the number of vulnerabilities obtained from the vulnerability information as the quantum chromosome length, and set the quantum population size and the maximum number of generations according to the gene complexity and the actual operating environment of the model;
2) Express the t-th generation quantum population as
Figure FDA00030536908500000211
where N is the population size,
Figure FDA0003053690850000022
represents the i-th quantum chromosome in the t-th generation quantum population, m is the quantum chromosome length,
Figure FDA0003053690850000023
represents the i-th qubit, where
Figure FDA0003053690850000024
and
Figure FDA0003053690850000025
are complex numbers representing the probability amplitudes of the states |0> and |1> respectively, and satisfy:
Figure FDA0003053690850000026
3) Observe the state of Q(t) to generate the binary solution set
Figure FDA0003053690850000027
4) Randomly generate N chromosomes represented by qubits, with all genes of all chromosomes in the population
Figure FDA0003053690850000028
initialized to
Figure FDA0003053690850000029
5) Observe the population Q(t) of the current generation t: randomly generate a number γ in the interval [0,1]; if
Figure FDA00030536908500000210
then the measurement result takes the value 1, otherwise it takes the value 0, giving the binary solution set P(t);
6) Calculate the fitness of each solution in P(t), record the optimal individual with the optimal fitness, set it as the evolution direction of the population, and obtain the evolution direction of the optimal vulnerability repair benefit.

7. The method according to claim 6, wherein the evolution direction of the population is set by the following steps:
1) Compare the optimal fitness of the current generation t with that of generation t-1;
2) If the optimal fitness of generation t is greater than that of generation t-1, set the optimal fitness of generation t as the evolution target of the next generation;
3) If the optimal fitness of generation t is less than or equal to that of generation t-1, retain the optimal fitness of generation t-1 as the evolution target of the next generation.

8. The method according to claim 7, wherein the optimal vulnerability repair benefit scheme is obtained by the following steps:
1) Determine whether the current generation t equals the maximum number of generations G of the termination condition;
2) If so, output the scheme that attains the optimal fitness in the current generation t as the optimal vulnerability repair benefit scheme;
3) If not, apply the quantum rotation gate
Figure FDA0003053690850000031
to update the chromosomes in the population Q(t) according to
Figure FDA0003053690850000032
and the rotation angle adjustment strategy, and take the scheme attaining the optimal fitness in generation t+1 as the optimal vulnerability repair benefit scheme.

9. The method according to claim 8, wherein the rotation angle adjustment strategy is carried out by the following steps:
1) Compare the fitness value Fit(c) of the current chromosome c with the fitness value Fit(b) of the optimal chromosome b;
2) If Fit(c) is better than Fit(b), steer the chromosome to evolve in the direction favorable to c;
3) If Fit(b) is better than Fit(c), steer the chromosome to evolve in the direction favorable to b.

10. An electronic device comprising a memory and a processor, the memory storing a computer program, the processor being arranged to run the computer program to perform the method of any one of claims 1-9.
CN202010404149.1A 2020-05-13 2020-05-13 A method and electronic device for evaluating the priority of vulnerability repair benefits based on quantum genetic algorithm Active CN111818007B (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN202010404149.1A CN111818007B (en) 2020-05-13 2020-05-13 A method and electronic device for evaluating the priority of vulnerability repair benefits based on quantum genetic algorithm


Publications (2)

Publication Number Publication Date
CN111818007A CN111818007A (en) 2020-10-23
CN111818007B true CN111818007B (en) 2021-08-31

Family

ID=72848045


Country Status (1)

Country Link
CN (1) CN111818007B (en)

Families Citing this family (3)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN112487493A (en) * 2020-11-25 2021-03-12 电子科技大学 Safety strategy scheduling optimization method based on genetic algorithm
CN116244705B (en) * 2023-03-08 2024-01-12 北京航天驭星科技有限公司 Commercial satellite operation control platform vulnerability processing method and related equipment
CN118503991B (en) * 2024-07-17 2024-10-15 中汽研汽车检验中心(常州)有限公司 Method, device and storage medium for balancing risk rate and repair cost of automobile component

Citations (4)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN101950338A (en) * 2010-09-14 2011-01-19 中国科学院研究生院 Bug repair method based on hierarchical bug threat assessment
CN104394541A (en) * 2014-10-31 2015-03-04 广东工业大学 Perception coverage holes' healing method of manufacture Internet of things
CN109886018A (en) * 2019-01-25 2019-06-14 北京工业大学 An optimization method of stored XSS attack vector based on genetic algorithm
CN110879778A (en) * 2019-10-14 2020-03-13 杭州电子科技大学 A New Automatic Software Repair Method with Dynamic Feedback and Improved Patch Evaluation

Family Cites Families (1)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN109995771A (en) * 2019-03-19 2019-07-09 北京工业大学 A kind of storage-type XSS leakage location based on genetic algorithm


Non-Patent Citations (1)

* Cited by examiner, † Cited by third party
Title
Kewen Liu, Haiming Zhou, et al. Application of BP Neural Network for Line Losses Calculation Based on Quantum Genetic Algorithm. 2011 Fourth International Symposium on Computational Intelligence and Design, 2011-10-30; full text *

Also Published As

Publication number Publication date
CN111818007A (en) 2020-10-23

Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination
GR01 Patent grant