Disclosure of Invention
The invention aims to solve the technical problem of providing a defense efficiency evaluation method applied to a network target range, which starts from two dimensions, the severity of the potential attack risk and the response actions of equipment with a defense function during attack defense, evaluates the design defects of the defense system and the problems existing in the actual operation of the equipment, quantifies the defense effect and realizes an objective evaluation of the defense efficiency.
The invention adopts the following technical scheme for solving the technical problem: the invention designs a defense efficiency evaluation method applied to a network target range, which comprises a detection method for the defense efficiency of the network target range with the following steps:
step A, defining a preset time length range of a network target range from an initial state moment as a detection time period, and counting, for each mirror image device in the network target range, the complete threat paths of the mirror image device from the initial state to the final state after passing through each potential attack in the detection time period as follows:
in the formula,
,
representing the total number of mirrored devices in the network range,
indicates the initial state of the corresponding mirror image device in the network range,
,
representing the total state of the mirror image device in the detection time period;
is shown as
the potential attack through which the mirror image device passes,
is shown as
the state of the mirror image device after passing through the corresponding potential attack,
is shown as
the state of the mirror image device after passing through the last potential attack, i.e. the final state of the mirror image device in the detection time period,
is shown as
the complete threat path along which the mirror image device sequentially passes through all potential attacks from the initial state to the final state in the detection time period; then step B is entered;
step B, for each mirror image device in the network target range, according to the complete threat path of the mirror image device, by the following formula:
the probability of each mirror image device being successfully attacked is obtained, where,
,
is shown as
the probability that a state of the mirror image device successfully transitions to the next state within the detection time period,
is shown as
the probability that a state of the mirror image device fails to transition to the next state within the detection time period,
is shown as
the probability of the mirror image device being successfully attacked; then step C is entered;
step C, according to the probability that each mirror image device is successfully attacked correspondingly, obtaining the risk level of each different type of potential threat related in the complete threat path of each mirror image device, and then entering step D;
step D, aiming at each mirror image device in the network target range, obtaining each different type of potential threat passed by the mirror image device in the complete threat path, and obtaining the defense result of the mirror image device aiming at each different type of potential threat under the successful attack probability of the mirror image device according to the complete threat path of the mirror image device; then entering step E;
step E, according to the following formula:
the defense efficacy result of the network target range is obtained, where,
indicates the weight of the corresponding mirror image device in the network range,
,
is shown as
The number of different types of potential threats in the complete threat path for each mirrored device,
is shown as
the corresponding type of potential threat in the complete threat path of the mirror image equipment,
is shown as
the defense result of the mirror image device, under its probability of being successfully attacked, against the corresponding type of potential threat in its complete threat path,
is shown as
the risk level of the corresponding type of potential threat in the complete threat path of the mirror image equipment.
As a preferred technical solution of the present invention, the step C includes the steps of:
step C1, for each mirror image device in the network target range, sorting the mirror image devices in ascending order of their probability of being successfully attacked to form a mirror image device ranking, and then entering step C2;
step C2, performing a normalization operation on the successful attack probability of each mirror image device in the network target range to obtain the normalization results, then assigning the normalization results in descending order, one by one, as the coefficients of the mirror image devices in the mirror image device ranking, and entering step C3;
step C3, for each potential threat involved in the complete threat paths of all the mirror image devices, the potential threat attacks each mirror image device in the network target range in turn, and the sum of the coefficients of the successfully attacked mirror image devices is taken as the risk result value corresponding to that potential threat; the risk result values corresponding to all potential threats are obtained in this way, and then step C4 is entered;
step C4, sorting the potential threats in descending order of their corresponding risk result values, and taking the rank of each potential threat, numbered from 1, as the risk level of that potential threat.
As a preferred technical scheme of the invention: in step D, the defense result is marked as 1 if the attack succeeds and as 0 if the attack fails, and, according to the complete threat path of the mirror image equipment, the defense results of the mirror image equipment against the different types of potential threats are obtained under the probability that the mirror image equipment is successfully attacked.
As a preferred technical scheme of the invention: in step E, a normalization operation is performed on the preset economic value of each mirror image device in the network target range, and each result is the weight of the corresponding mirror image device.
As a preferred technical scheme of the invention: the method further comprises a mirror image equipment importance detection method for detecting the importance value of a target mirror image device, which comprises the following steps:
step i, determining each mirror image device in the defense range corresponding to the target mirror image device to form a defense mirror image device set corresponding to the target mirror image device, and then entering step ii;
step ii, taking the defense mirror image device set corresponding to the target mirror image device as the network target range, executing steps A to E to obtain the defense efficiency result of that network target range, and taking this defense efficiency result as the importance value of the target mirror image device.
As a preferred technical scheme of the invention: the method further comprises a mirror image equipment deployment importance detection method for quantitatively detecting the deployment importance of the mirror image equipment in the network target range, which is based on the execution of steps A to C and further comprises the following steps I to IV:
step I, for each mirror image device in the network target range, obtaining, based on the complete threat path of the mirror image device, the response result quantized value of the mirror image device to each different type of potential threat in the complete threat path, and then entering step II;
step II, for each mirror image device in the network target range, performing a normalization operation on the response result quantized values of the mirror image device to the different types of potential threats in the complete threat path to obtain the normalization results, which form the influence weights corresponding to the respective response result quantized values; then entering step III;
step III, aiming at each mirror image device in the network target range, respectively, according to the following formula:
obtaining the defense effect corresponding to each mirror image device in the network target range; in the formula,
is shown as
the response result quantized value of the mirror image device to the corresponding type of potential threat in the complete threat path,
is shown as
the influence weight of the response result quantized value of the mirror image device to the corresponding type of potential threat in the complete threat path,
indicates the defense effect corresponding to the given mirror image device in the network range; then entering step IV;
step IV, according to the following formula:
the quantitative detection result of the deployment importance of the mirror image equipment in the network target range is obtained.
Compared with the prior art, the defense effectiveness evaluation method applied to the network target range has the following technical effects by adopting the technical scheme:
the defense effectiveness evaluation method applied to the network target range starts from two dimensions, the severity of the potential attack risk and the response actions of equipment with a defense function during attack defense; it evaluates the design defects of the defense system and the problems existing in the actual operation of the equipment, quantifies the defense effect, and realizes an objective evaluation of defense effectiveness. In application it can evaluate the effectiveness of a defense scheme under different application scenarios and different security risk definition standards without separately modeling and analyzing each specific scenario, can evaluate the effectiveness of the system's defense strategies in a quantified manner, is more comprehensive and controllable than having security personnel simulate network attack behaviour by penetration testing, and helps to determine the relationship between network security equipment and protected assets, between security threats and defenses, and between security equipment and the overall defense system, thereby achieving an objective assessment of defense effectiveness.
Detailed Description
The following description will explain embodiments of the present invention in further detail with reference to the accompanying drawings.
The network target range is composed of a plurality of mirror image devices connected to each other, and each mirror image device provides functional services to the other mirror image devices through the network; as shown in fig. 1, the mirror image devices in the network target range are carriers of a series of data sets, and users access the functional services of the devices in the system through the network.
For each mirror image device in the network target range, a set
is used to represent all data contained on the mirror image device.
The mirror image device provides an interface for external interaction through the function services (Service) it offers, and one mirror image device may contain a plurality of function services. Each service is denoted by S, and the set of data used and influenced by S at runtime is denoted by
and
;
defining a certain service provided by the mirroring device and the data influenced by the service as the state
.
The operation authority over data can be divided into a read authority and a write authority, and a matrix
is used to represent the rights to a certain data item, where
indicates the read right and
indicates the write right. For a state
with data
the authority matrix is
. For authority matrices
and
of the same dimensions,
represents the element in a given row and column of the first matrix, and
represents the element in the same row and column of the second matrix; if for every row and column these elements satisfy the given relation,
then the right represented by the first matrix is not greater than the right represented by the second matrix.
For a service in a given state, users of different identities access the service,
and the corresponding authority is per(user); one service S may provide services to a plurality of user roles. Then
the authority with which the service runs in the state is denoted as
.
A potential attack is an inherent property that exists throughout the life cycle of a mirror image device and is any factor that can cause a security problem for the network system. A network attack is any act attempting to expose, destroy, modify, crash, illegally access or otherwise use target data on a target network or system. A potential attack may or may not occur. A vulnerability is a known potential attack point on the mirror image equipment; exploiting the vulnerability promotes the success of the attack, and in essence an attacker uses the vulnerability to initiate an attack so that the attacker's authority is changed.
The potential attacks existing on each mirror image device can be represented as
.
The security vulnerabilities existing in each mirror image device can be represented as
.
If an attacker attacks a certain mirror image device, the attack flow can be expressed as
where
indicates the type of potential attack to which the attack corresponds.
If the service S provided on a certain mirror image device has a vulnerability
and the attacker operates with the user identity User, the authority is
. After the attacker successfully exploits the vulnerability, the authority changes from
to
, i.e. the vulnerability realizes the transformation from
to
. In general,
i.e. the attacker gains higher authority over the operation of the mirror image device by exploiting the vulnerability.
Various mirror image devices with security defense functions are deployed in the network system to form a security defense system, so that the threats existing in the mirror image devices of the network system can be defended against.
According to the type of function, system defense can be divided into four aspects: detection, blocking, authentication and encryption security. The detection class can discover attack behaviour against the system but cannot prevent it; the blocking class can prevent attack behaviour; encryption security encrypts the data so that unauthorized users have no authority to read it; authentication authenticates a user, who then obtains the corresponding authority.
Different defense functions are represented by corresponding symbols.
For an attack flow
if
then the mirror image device is capable of defending against the potential attack
.
Use
to represent the response to an attack, where
indicates detection,
indicates blocking,
indicates alarm, and
indicates a detailed record of the attack.
type indicates the access mode of the equipment with the defense function in the whole range system: type = 1 indicates serial (in-line) access, and type = 0 indicates bypass access.
For an attack flow
only a device with the corresponding defense function can defend against the attack.
Based on the modeling of the network target range, the invention designs a defense effectiveness evaluation method applied to the network target range, which comprises a detection method of the defense effectiveness of the network target range, and specifically executes the following steps A to E as shown in fig. 2.
Step A, defining a preset time length range of a network target range from an initial state moment as a detection time period, and counting, for each mirror image device in the network target range, the complete threat paths of the mirror image device from the initial state to the final state after passing through each potential attack in the detection time period as follows:
in the formula,
,
representing the total number of mirrored devices in the network range,
indicates the initial state of the corresponding mirror image device in the network range,
,
representing the total state of the mirror image device in the detection time period;
is shown as
the potential attack through which the mirror image device passes,
is shown as
the state of the mirror image device after passing through the corresponding potential attack,
is shown as
the state of the mirror image device after passing through the last potential attack, i.e. the final state of the mirror image device in the detection time period,
is shown as
the complete threat path along which the mirror image equipment sequentially passes through all potential attacks from the initial state to the final state in the detection time period; then step B is entered.
Step B, for each mirror image device in the network target range, according to the complete threat path of the mirror image device, by the following formula:
the probability of each mirror image device being successfully attacked is obtained, where,
,
is shown as
the probability that a state of the mirror image device successfully transitions to the next state within the detection time period,
is shown as
the probability that a state of the mirror image device fails to transition to the next state within the detection time period,
is shown as
the probability of the mirror image device being successfully attacked; then step C is entered.
Step C, according to the probability of successful attack corresponding to each mirror image device, obtaining the risk level of each different type of potential threat involved in the complete threat path of each mirror image device, and then entering step D.
In practical applications, the step C is performed as the following steps C1 to C4.
Step C1, for each mirror image device in the network target range, sorting the mirror image devices in ascending order of their probability of being successfully attacked to form a mirror image device ranking, and then entering step C2.
Step C2, performing a normalization operation on the successful attack probability of each mirror image device in the network target range to obtain the normalization results, then assigning the normalization results in descending order, one by one, as the coefficients of the mirror image devices in the mirror image device ranking, and entering step C3.
Step C3, for each potential threat involved in the complete threat paths of all the mirror image devices, the potential threat attacks each mirror image device in the network target range in turn, and the sum of the coefficients of the successfully attacked mirror image devices is taken as the risk result value corresponding to that potential threat; the risk result values corresponding to all potential threats are obtained in this way, and then step C4 is entered.
Step C4, sorting the potential threats in descending order of their corresponding risk result values, and taking the rank of each potential threat, numbered from 1, as the risk level of that potential threat.
Step D, aiming at each mirror image device in the network target range, obtaining each different type of potential threat passed by the mirror image device in the complete threat path, and obtaining the defense result of the mirror image device aiming at each different type of potential threat under the successful attack probability of the mirror image device according to the complete threat path of the mirror image device; then step E is entered.
In practical application, to obtain the defense result, the defense result is marked as 1 if the attack succeeds and as 0 if the attack fails; according to the complete threat path of the mirror image equipment, the defense results of the mirror image equipment against the different types of potential threats are obtained under the probability that the mirror image equipment is successfully attacked.
Step E, according to the following formula:
the defense efficacy result of the network target range is obtained, where,
indicates the weight of the corresponding mirror image device in the network range,
,
is shown as
The number of different types of potential threats in the complete threat path for each mirrored device,
is shown as
the corresponding type of potential threat in the complete threat path of the mirror image equipment,
is shown as
the defense result of the mirror image device, under its probability of being successfully attacked, against the corresponding type of potential threat in its complete threat path,
is shown as
the risk level of the corresponding type of potential threat in the complete threat path of the mirror image equipment.
In application, if
does not reach the standard that the defense range is designed to meet, security staff need to deploy equipment with defense functions at suitable positions in the network system; in this way, by analyzing the defense result of each device in the network target range in reverse, the weak point of the whole network security defense system can be found, which helps security staff to improve the defense system.
Regarding the weight of each mirror image device in step E, in practical application a normalization operation is performed on the preset economic value of each mirror image device in the network target range, and each result obtained is the weight of the corresponding mirror image device.
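As an added example (not code from the patent), the following Python carries steps C1 to C4, the step D marking and the step E weight normalization through on a constructed three-device range. It takes each device's probability of being successfully attacked (the step B output) as given, because the page's step B and step E formulas are not reproduced here; it assumes that "normalization" means dividing each value by the sum of all values, that tied risk values keep their first-seen order, and that a threat type occurring twice in one path is marked 1 if any occurrence succeeded; the threat types T1 to T3 and the device names are placeholders.

```python
"""Steps C1-C4 (threat risk levels), step D (defense results) and the step-E
device weights of the evaluation method described above. Constructed input:
each mirror device carries its probability of being successfully attacked (the
step-B output, taken as given) and its complete threat path, modelled as the
ordered list of (threat type, attack succeeded) pairs."""
from dataclasses import dataclass
from typing import Dict, List, Tuple


@dataclass
class MirrorDevice:
    name: str
    success_prob: float                  # step B output (given here)
    threat_path: List[Tuple[str, bool]]  # (potential threat type, attack succeeded?)
    economic_value: float                # preset value behind the step-E weight


def normalize(values: List[float]) -> List[float]:
    """Assumed normalization: each value divided by the sum of all values."""
    total = sum(values)
    if total <= 0:
        raise ValueError("values must have a positive sum")
    return [v / total for v in values]


def device_coefficients(devices: List[MirrorDevice]) -> Dict[str, float]:
    """C1: rank devices by success probability, small to large.
    C2: hand out the normalized probabilities big to small along that ranking,
    so the hardest-to-attack device gets the largest coefficient."""
    ranking = sorted(devices, key=lambda d: d.success_prob)
    coeffs = sorted(normalize([d.success_prob for d in devices]), reverse=True)
    return {d.name: c for d, c in zip(ranking, coeffs)}


def threat_risk_values(devices: List[MirrorDevice],
                       coeffs: Dict[str, float]) -> Dict[str, float]:
    """C3: for each threat type in any path, sum the coefficients of the
    devices it successfully attacked (threats with no success score 0)."""
    risk: Dict[str, float] = {}
    for d in devices:
        for threat, succeeded in d.threat_path:
            risk[threat] = risk.get(threat, 0.0) + (coeffs[d.name] if succeeded else 0.0)
    return risk


def threat_risk_levels(risk: Dict[str, float]) -> Dict[str, int]:
    """C4: sort threats by risk value, largest first; rank from 1 is the level.
    Ties keep insertion order (assumption; the page does not say)."""
    ordered = sorted(risk, key=lambda t: risk[t], reverse=True)
    return {t: level for level, t in enumerate(ordered, start=1)}


def defense_results(device: MirrorDevice) -> Dict[str, int]:
    """D: 1 where an attack of that threat type succeeded, 0 where it was
    defended. A repeated type is 1 if any occurrence succeeded (assumption)."""
    results: Dict[str, int] = {}
    for threat, succeeded in device.threat_path:
        results[threat] = max(results.get(threat, 0), int(succeeded))
    return results


def device_weights(devices: List[MirrorDevice]) -> Dict[str, float]:
    """Step E weights: normalized preset economic value of each device."""
    return dict(zip((d.name for d in devices),
                    normalize([d.economic_value for d in devices])))


def evaluate(devices: List[MirrorDevice]) -> dict:
    """Run C1-C4, D and the E weights. The page's step-E combining formula is
    not reproduced, so the pieces are returned for the reader to combine."""
    coeffs = device_coefficients(devices)
    risk = threat_risk_values(devices, coeffs)
    return {"coefficients": coeffs, "risk_values": risk,
            "risk_levels": threat_risk_levels(risk),
            "defense_results": {d.name: defense_results(d) for d in devices},
            "weights": device_weights(devices)}


def sample_range() -> List[MirrorDevice]:
    """Constructed three-device range; T1..T3 are placeholder threat types."""
    return [MirrorDevice("web", 0.5, [("T1", True), ("T2", False)], 100.0),
            MirrorDevice("db", 0.2, [("T1", False), ("T3", True)], 300.0),
            MirrorDevice("app", 0.3, [("T2", True), ("T3", False)], 100.0)]
```

On the constructed range the threat that succeeds against the hardest-to-attack device (T3 against "db") receives the largest risk value and therefore risk level 1.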
Based on the above defense performance evaluation method applied to the network target range, in practical application the invention further designs a mirror image equipment importance detection method for detecting the importance value of a target mirror image device, which executes the following steps i to ii.
Step i, determining each mirror image device in the defense range corresponding to the target mirror image device to form a defense mirror image device set corresponding to the target mirror image device, and then entering step ii.
Step ii, taking the defense mirror image device set corresponding to the target mirror image device as the network target range, executing steps A to E to obtain the defense efficiency result of that network target range, and taking this defense efficiency result as the importance value of the target mirror image device.
In addition, in practical application the invention further designs a mirror image device deployment importance detection method for quantitatively detecting the deployment importance of the mirror image devices in the network target range; it is based on the execution of steps A to C and further comprises the following steps I to IV.
Step I, for each mirror image device in the network target range, obtaining, based on the complete threat path of the mirror image device, the response result quantized value of the mirror image device to each different type of potential threat in the complete threat path, and then entering step II.
Step II, for each mirror image device in the network target range, performing a normalization operation on the response result quantized values of the mirror image device to the different types of potential threats in the complete threat path to obtain the normalization results, which form the influence weights corresponding to the respective response result quantized values; then entering step III.
Step III, aiming at each mirror image device in the network target range, respectively, according to the following formula:
obtaining the defense effect corresponding to each mirror image device in the network target range; in the formula,
is shown as
the response result quantized value of the mirror image device to the corresponding type of potential threat in the complete threat path,
is shown as
the influence weight of the response result quantized value of the mirror image device to the corresponding type of potential threat in the complete threat path,
indicates the defense effect corresponding to the given mirror image device in the network range; then step IV is entered.
Step IV, according to the following formula:
the quantitative detection result of the deployment importance of the mirror image equipment in the network target range is obtained.
In application, after the importance value of each mirror image device in the network target range and the quantitative detection result of the deployment importance of the mirror image devices in the network target range are obtained
then, for the importance value of each mirror image device, the larger the value, the more important the mirror image device is in the defense system. If the sets of mirror image devices in the respective defense ranges of two mirror image devices are the same, the severity of the potential attacks to be defended and the corresponding risks of those potential attacks are also the same, so the larger the importance value of a mirror image device, the more threat types that mirror image device can defend against; if both mirror image devices can defend against the threats faced by the mirror image devices in their defense ranges, the defense effect value of each single mirror image device is 1, and when the importance values of the mirror image devices are the same,
the larger the value, the higher the total economic value of the assets protected by the security equipment.
The defense effectiveness evaluation method applied to the network target range is designed from two dimensions, the severity of the potential attack risk and the response actions of equipment with a defense function during attack defense; it evaluates the design defects of the defense system and the problems existing in the actual operation of the equipment, quantifies the defense effect, and realizes an objective evaluation of defense effectiveness. In application it can evaluate defense effectiveness under different application scenarios and different security risk definition standards without separately modeling and analyzing each specific scenario, can evaluate the effectiveness of the system's defense strategies in a quantified manner, is more comprehensive and controllable than having security personnel simulate network attack behaviour by penetration testing, and helps to determine the relationship between network security equipment and protected assets, between security threats and defenses, and between security equipment and the overall defense system, thereby achieving an objective assessment of defense effectiveness.
The embodiments of the present invention have been described in detail with reference to the drawings, but the present invention is not limited to the above embodiments, and various changes can be made within the knowledge of those skilled in the art without departing from the gist of the present invention.