CN111818102A - Defense efficiency evaluation method applied to network target range - Google Patents


Info

Publication number: CN111818102A
Authority: CN (China)
Prior art keywords: mirror image, defense, image device, network, potential
Legal status: Granted
Application number: CN202010937894.2A
Other languages: Chinese (zh)
Other versions: CN111818102B (en)
Inventor: 王森淼, 涂腾飞, 李超
Current Assignee: Beijing Mingbo Xin'an Information Technology Co.,Ltd.
Original Assignee: Xinlian Technology Nanjing Co ltd
Application filed by Xinlian Technology Nanjing Co ltd
Priority to CN202010937894.2A
Publication of CN111818102A
Application granted
Publication of CN111818102B
Status: Active

Classifications

    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L63/00 Network architectures or network communication protocols for network security
    • H04L63/14 Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic
    • H04L63/1441 Countermeasures against malicious traffic
    • H04L63/1433 Vulnerability analysis

Landscapes

  • Engineering & Computer Science (AREA)
  • Computer Security & Cryptography (AREA)
  • Computer Hardware Design (AREA)
  • Computing Systems (AREA)
  • General Engineering & Computer Science (AREA)
  • Computer Networks & Wireless Communication (AREA)
  • Signal Processing (AREA)
  • Data Exchanges In Wide-Area Networks (AREA)
  • Computer And Data Communications (AREA)

Abstract

The invention relates to a defense effectiveness evaluation method applied to a network target range. The method starts from two dimensions: the severity of potential attack risks, and the response actions taken by devices with a defense function while defending against an attack. It evaluates both design defects of the defense system and problems that arise in the actual operation of the devices, quantifies the defense effect, and so achieves an objective evaluation of defense effectiveness. In application, it can evaluate the effectiveness of defense schemes under different application scenarios and security risk definition standards without separate modeling and analysis for each specific scenario, and it evaluates the system's defense strategies in a quantified way. Compared with having security personnel simulate network attack behavior through penetration testing, it is more comprehensive and controllable, and it helps clarify the relationship between network security devices and protected assets, the relationship between security threats and defenses, and the relationship between security devices and the overall defense system.

Description

Defense efficiency evaluation method applied to network target range
Technical Field
The invention relates to a defense effectiveness evaluation method applied to a network shooting range, and belongs to the technical field of network shooting range effectiveness evaluation.
Background
The continuous development of the Internet brings convenience, but it also exposes people to more and more security threats. The popularity and openness of the Internet give network attackers an opening: through various illegal means they can subject a network to security threats such as Trojan horses and viruses, to the point where the network cannot operate. As the technical level rises, the variety of network attacks keeps increasing and the attacks become more complex; advanced persistent threats in particular are combining multiple attack techniques at an extremely fast pace. Vulnerabilities hidden in the network are a major hazard to network security. Attackers often use them as the point of entry for attacking the network in various ways, and these attacks can affect the security indicators of the whole network and disrupt its order.
However, several factors mean that the deployment of security devices in an information system cannot be optimized and that the information system's network security problems cannot be completely solved: the gap between the designed and the actually achieved effect of a security device's threat defense functions, the technical level of security staff, imperfect network security management systems and processes, and the continuous progress of network attack techniques. Evaluating a defense system therefore remains a serious challenge. Meanwhile, the information system, as the infrastructure that carries functional services and data, has become a key factor in the operation and development of most enterprises and public institutions. Although every information system is composed of physical devices and network devices, the security threats it faces differ because physical devices, functional services, data and network environments differ from one information system to another.
At present, the main industry method for evaluating defense effect is to simulate network attack behavior through penetration testing and to find as many weaknesses that the target defense system cannot defend against as possible. In practice, however, this method lacks a model of the information system, and the quality of the evaluation depends entirely on the technical level and working experience of the penetration testers. Differences between information systems make omissions likely, and the evaluation result cannot be quantified, so the method is largely uncontrollable and limited. To evaluate information system security more comprehensively and quantitatively, modeling-based evaluation schemes have been widely proposed. In existing schemes, modeling of a single device node and of a single security element is mature. But modeling a single device node lacks a common description of the various device nodes in an information system, and modeling of a single security element is mostly done for a specific application scenario and cannot accommodate the differences between information systems. Meanwhile, the information system together with its defense system has not been modeled, at home or abroad. Techniques for quantitatively evaluating the overall defense effect of a network security defense system are therefore still lacking at this stage. Research on the key technologies for evaluating and optimizing network security defense systems, so that security devices that are missing, defective or redundantly deployed in the defense system are found promptly and effectively, is of great practical significance.
In the prior art, the patent application with application number CN201610330336.3, publication number CN105847291A and publication date 2016-08-10 provides a defense system comprising a transparent firewall, a timing inspection module, a flow statistics module, a virus isolation module, a virus feature matching module, a port audit module, a flow statistics module, a network anomaly evaluation module, a defense decision generation module, a defense decision execution module, an emergency channel module, a restoration module and a data isolation uploading module. It monitors and audits network traffic and keeps the network in a good state; it improves network immunity by analyzing and memorizing unknown intrusion behaviors; after an intrusion it can effectively contain the damage and keep the network available and services running; and it can automatically generate and execute different defense decision schemes for different network attacks, which improves the system's capacity for autonomous repair and restoration and keeps the network running stably. However, that invention does not quantify the defense system; it only establishes defense strategies.
The patent application with application number CN201810588918.0, publication number CN108809976A and publication date 2018-11-13 provides a network target defense performance evaluation method, electronic device, storage medium and system. The method comprises: layering a network resource map to obtain a hierarchical network resource map; acquiring the initial hierarchical network resource map at the initial moment and the current hierarchical network resource map; detecting the similarity between the initial node layer and the current node layer; calculating the resource dependency relationship and the resource association degree of the resource layers in the initial and current hierarchical network resource maps; calculating the defense success rate and the defense cost of the current hierarchical network resource map from the resource association degree and the resource dependency relationship; and evaluating the defense benefit from the defense success rate and the defense cost.
The patent application with application number CN201810594501.5, publication number CN108494810A and publication date 2018-09-04 provides an attack-oriented network security situation prediction method, device and system. The method comprises: detecting and collecting alarm data and network environment operation and maintenance information in a network confrontation environment, and obtaining the set of elements required for network security situation prediction, which covers three kinds of information: the attacker, the defender and the network environment; evaluating the attacker's capability and the defender's level, building a dynamic Bayesian attack graph, and calculating the number of attack stages and the occurrence probability vector of attack states; and quantifying the network security situation value across the time and space dimensions by combining a vulnerability scoring standard with network asset information. That invention is mainly aimed at predicting the network security situation so as to guide where defenses should be built; it does not address effectiveness evaluation of a network defense system.
The patent application with application number CN201811358905.0, publication number CN109547242A and publication date 2019-03-29 provides a network security effectiveness evaluation method based on an attack and defense incidence matrix, which belongs to the technical field of information security. The method comprehensively considers the system's defense capability, the impact on system performance, core asset performance and protection capability after the network is attacked, the services provided by the system, and so on. It evaluates network security effectiveness by computing the attack and defense incidence matrix and accumulating the weights of multiple discrete points, using the changes in the target network before and after the attack. That invention can evaluate the defense capability of a single device node, but it still falls short in quantifying the defense of the whole network system.
Disclosure of Invention
The technical problem to be solved by the invention is to provide a defense effectiveness evaluation method applied to a network target range. The method starts from two dimensions, the severity of potential attack risks and the response actions taken by devices with a defense function while defending against an attack; it evaluates design defects of the defense system and problems that arise in the actual operation of the devices, quantifies the defense effect, and achieves an objective evaluation of defense effectiveness.
To solve this technical problem, the invention adopts the following technical solution: a defense effectiveness evaluation method applied to a network target range, which includes a method for detecting the defense effectiveness of the network target range, comprising the following steps:
Step A. Define a preset duration, starting from the initial-state moment of the network target range, as the detection time period. For each mirror image device in the network target range, record the complete threat path along which the device passes from its initial state to its final state through each potential attack within the detection time period, as follows:
Figure DEST_PATH_IMAGE001
where
Figure 819393DEST_PATH_IMAGE002
Figure DEST_PATH_IMAGE003
representing the total number of mirrored devices in the network range,
Figure 330009DEST_PATH_IMAGE004
indicating the first in the network range
Figure DEST_PATH_IMAGE005
The initial state of the individual mirroring devices,
Figure 703222DEST_PATH_IMAGE006
Figure DEST_PATH_IMAGE007
representing the total state of the mirror image device in the detection time period;
Figure 691906DEST_PATH_IMAGE008
is shown as
Figure 568595DEST_PATH_IMAGE005
Through which the mirror device passes
Figure DEST_PATH_IMAGE009
The next to the potential attack is that of a potential attack,
Figure 987463DEST_PATH_IMAGE010
is shown as
Figure 51234DEST_PATH_IMAGE005
The mirror device passes through
Figure 46872DEST_PATH_IMAGE009
The state after the next potential attack is,
Figure DEST_PATH_IMAGE011
is shown as
Figure 309226DEST_PATH_IMAGE005
The mirror device passes through
Figure DEST_PATH_IMAGE013
The state after the next potential attack, i.e. the last state of the mirroring device during the detection time period,
Figure 896065DEST_PATH_IMAGE014
is shown as
Figure 181553DEST_PATH_IMAGE005
mirror image device's complete threat path from its initial state to its final state, passing through each potential attack in turn, within the detection time period; then go to step B;
Step B. For each mirror image device in the network target range, apply the following formula to the complete threat path of the mirror image device:
Figure DEST_PATH_IMAGE015
to obtain the probability that each mirror image device is successfully attacked, where
Figure 512040DEST_PATH_IMAGE016
Figure DEST_PATH_IMAGE017
is shown as
Figure 631830DEST_PATH_IMAGE005
The mirror image device succeeds in the detection time period
Figure 858412DEST_PATH_IMAGE018
The probability of a state transitioning to the next state,
Figure DEST_PATH_IMAGE019
is shown as
Figure 693513DEST_PATH_IMAGE005
The mirror device is not successfully detected within the detection time period
Figure 765374DEST_PATH_IMAGE018
The probability of a state transitioning to the next state,
Figure 205583DEST_PATH_IMAGE020
is shown as
Figure 71908DEST_PATH_IMAGE005
mirror image device's probability of being successfully attacked; then go to step C;
Step C. From the probability that each mirror image device is successfully attacked, obtain the risk level of each different type of potential threat involved in the complete threat paths of the mirror image devices; then go to step D;
Step D. For each mirror image device in the network target range, obtain each different type of potential threat that the device passes through in its complete threat path and, from that complete threat path, obtain the device's defense result against each different type of potential threat under the device's probability of being successfully attacked; then go to step E;
Step E. According to the following formula:
Figure DEST_PATH_IMAGE021
obtain the defense effectiveness result of the network target range
Figure 394305DEST_PATH_IMAGE022
where
Figure DEST_PATH_IMAGE023
indicating the first in the network range
Figure 323385DEST_PATH_IMAGE005
The weight of the individual mirrored devices is,
Figure 352520DEST_PATH_IMAGE024
Figure DEST_PATH_IMAGE025
is shown as
Figure 983222DEST_PATH_IMAGE005
The number of different types of potential threats in the complete threat path for each mirrored device,
Figure 465019DEST_PATH_IMAGE026
is shown as
Figure 144262DEST_PATH_IMAGE005
In the complete threat path of the mirror image equipment
Figure DEST_PATH_IMAGE027
A potential threat of one type of the potential threats,
Figure 90221DEST_PATH_IMAGE028
is shown as
Figure 563928DEST_PATH_IMAGE005
Probability of a mirror device being successfully attacked at the mirror device
Figure DEST_PATH_IMAGE029
Down, in the complete threat path for
Figure 595338DEST_PATH_IMAGE027
The result of the defense of a single type of potential threat,
Figure 815622DEST_PATH_IMAGE030
is shown as
Figure 84929DEST_PATH_IMAGE005
In the complete threat path of the mirror image equipment
Figure 995117DEST_PATH_IMAGE027
Risk level of each type of potential threat.
As a preferred technical solution of the present invention, step C comprises the following steps:
Step C1. Sort the mirror image devices in the network target range in ascending order of their probability of being successfully attacked to form the mirror image device ordering; then go to step C2;
Step C2. Normalize the probabilities of successful attack of the mirror image devices in the network target range to obtain the normalized results; then, taking the normalized results from largest to smallest, assign them in turn as the coefficients of the mirror image devices in the mirror image device ordering; then go to step C3;
Step C3. For each potential threat involved in the complete threat paths of all mirror image devices, have the potential threat attack each mirror image device in the network target range, and take the sum of the coefficients of the successfully attacked mirror image devices as the risk result value of that potential threat; after obtaining the risk result value of every potential threat in this way, go to step C4;
Step C4. Sort the potential threats in descending order of their risk result values; the rank of each potential threat in this ordering, counted from 1, is its risk level.
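Steps C1 to C4 written out as a runnable sketch; this is an added example, not code from the patent. It assumes that normalization means dividing by the sum of the probabilities and that ties are broken by name, neither of which the text specifies; the device names, probabilities and per-threat results are constructed sample data.

```python
"""Risk levels of potential threats, following steps C1 to C4 (added example)."""
from typing import Dict, Set, Tuple

# Constructed sample input. In the method these probabilities are the output
# of step B; the values here are made up for illustration.
SAMPLE_ATTACK_PROB: Dict[str, float] = {
    "web-01": 0.5,
    "db-01": 0.375,
    "fw-01": 0.125,
}

# Constructed sample input: for each potential threat, the devices that were
# successfully attacked when the threat was run against every device (C3).
SAMPLE_COMPROMISED: Dict[str, Set[str]] = {
    "sql-injection": {"web-01", "db-01"},
    "weak-credentials": {"fw-01", "web-01"},
    "phishing": {"web-01"},
    "port-scan": set(),
}


def device_coefficients(attack_prob: Dict[str, float]) -> Dict[str, float]:
    """Steps C1 and C2: one coefficient per mirror image device."""
    if not attack_prob:
        raise ValueError("at least one device is required")
    if any(not 0.0 <= p <= 1.0 for p in attack_prob.values()):
        raise ValueError("probabilities must lie in [0, 1]")
    total = sum(attack_prob.values())
    if total == 0:
        # Edge case: nothing can be attacked, so normalization is undefined.
        raise ValueError("all probabilities are zero; cannot normalize")

    # C1: order devices by ascending probability of successful attack.
    # Assumption: ties are broken by device name to keep the result stable.
    ordering = sorted(attack_prob, key=lambda d: (attack_prob[d], d))

    # C2: normalize (assumption: divide by the sum), then hand the normalized
    # results out from largest to smallest along the C1 ordering. The device
    # that is hardest to attack therefore receives the largest coefficient.
    normalized = sorted((p / total for p in attack_prob.values()), reverse=True)
    return dict(zip(ordering, normalized))


def risk_levels(
    attack_prob: Dict[str, float],
    compromised_by: Dict[str, Set[str]],
) -> Dict[str, Tuple[int, float]]:
    """Steps C3 and C4: map each threat to (risk level, risk result value)."""
    coeff = device_coefficients(attack_prob)

    for threat, devices in compromised_by.items():
        unknown = devices - coeff.keys()
        if unknown:
            raise ValueError(f"{threat}: unknown devices {sorted(unknown)}")

    # C3: risk result value = sum of coefficients of the compromised devices.
    risk_value = {
        threat: sum(coeff[d] for d in devices)
        for threat, devices in compromised_by.items()
    }

    # C4: rank threats by descending risk result value, counting from 1.
    # Assumption: ties are broken by threat name.
    ranked = sorted(risk_value, key=lambda t: (-risk_value[t], t))
    return {t: (level, risk_value[t]) for level, t in enumerate(ranked, start=1)}


if __name__ == "__main__":
    for threat, (level, value) in sorted(
        risk_levels(SAMPLE_ATTACK_PROB, SAMPLE_COMPROMISED).items(),
        key=lambda item: item[1][0],
    ):
        print(f"level {level}: {threat} (risk result value {value:.3f})")
```

In the sample, the threat that gets past the hardest-to-attack device (`fw-01`) ranks first even though it compromises no more devices than `sql-injection`, which is the effect of the reversed coefficient assignment in step C2.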
As a preferred technical solution of the present invention: in step D, the defense result is recorded as 1 for a successful attack and 0 for an unsuccessful attack, and the defense results of the mirror image device against each different type of potential threat, under the device's probability of being successfully attacked, are obtained from the device's complete threat path.
As a preferred technical solution of the present invention: in step E, a normalization operation is performed on the preset economic values of the mirror image devices in the network target range, and each result is the weight of the corresponding mirror image device.
As a preferred technical solution of the present invention: the method further comprises a mirror image device importance detection method for detecting the importance value of a target mirror image device, comprising the following steps:
Step i. Determine each mirror image device within the defense range of the target mirror image device to form the defended mirror image device set corresponding to the target mirror image device; then go to step ii;
Step ii. Treat the defended mirror image device set corresponding to the target mirror image device as a network target range and execute steps A to E to obtain the defense effectiveness result of that network target range, which is taken as the importance value of the target mirror image device.
As a preferred technical solution of the present invention: the method further comprises a mirror image device deployment importance detection method for quantitatively detecting the deployment importance of the mirror image devices in the network target range; this method builds on the execution of steps A to C and further comprises the following steps I to IV;
Step I. For each mirror image device in the network target range, based on the device's complete threat path, obtain the quantized value of the device's response result to each different type of potential threat in that complete threat path; then go to step II;
Step II. For each mirror image device in the network target range, perform a normalization operation on the quantized values of the device's response results to the different types of potential threats in its complete threat path; the normalized results form the influence weights corresponding to the respective quantized response result values; then go to step III;
Step III. For each mirror image device in the network target range, according to the following formula:
Figure DEST_PATH_IMAGE031
obtain the defense effect corresponding to each mirror image device in the network target range, where
Figure 513823DEST_PATH_IMAGE032
is shown as
Figure 534868DEST_PATH_IMAGE005
The mirror image device is on the first in the complete threat path
Figure 393103DEST_PATH_IMAGE027
The response results for each type of potential threat quantify,
Figure DEST_PATH_IMAGE033
is shown as
Figure 270929DEST_PATH_IMAGE005
The mirror image device is on the first in the complete threat path
Figure 745773DEST_PATH_IMAGE027
The response results for each type of potential threat quantify the impact weight of the value,
Figure 573439DEST_PATH_IMAGE034
indicating the first in the network range
Figure 286180DEST_PATH_IMAGE005
Defense effects corresponding to the mirror image devices; then entering step IV;
Step IV. According to the following formula:
Figure DEST_PATH_IMAGE035
obtain the quantitative detection result of the deployment importance of the mirror image devices in the network target range
Figure 69328DEST_PATH_IMAGE036
Compared with the prior art, the defense effectiveness evaluation method applied to the network target range, by adopting the above technical solution, has the following technical effects:
The method starts from two dimensions: the severity of potential attack risks, and the response actions taken by devices with a defense function while defending against an attack. It evaluates both design defects of the defense system and problems that arise in the actual operation of the devices, quantifies the defense effect, and achieves an objective evaluation of defense effectiveness. In application, it can evaluate the effectiveness of defense schemes under different application scenarios and security risk definition standards without separate modeling and analysis for each specific scenario, and it evaluates the system's defense strategies in a quantified way. Compared with having security personnel simulate network attack behavior through penetration testing, it is more comprehensive and controllable, and it helps clarify the relationship between network security devices and protected assets, the relationship between security threats and defenses, and the relationship between security devices and the overall defense system, thereby achieving an objective assessment of defense effectiveness.
Drawings
FIG. 1 is a schematic diagram of the structure and application of a mirroring device in a network shooting range;
FIG. 2 is a schematic diagram of a defense performance evaluation method applied to a network target range according to the present invention.
Detailed Description
The following description will explain embodiments of the present invention in further detail with reference to the accompanying drawings.
The network target range is composed of multiple interconnected mirror image devices, each of which provides functional services to the other mirror image devices over the network, as shown in FIG. 1. The mirror image devices in the network target range are carriers of a series of data sets, and users access the functional services of the devices in the system over the network.
For each mirrored device in the network shooting range, use the set
Figure DEST_PATH_IMAGE037
Representing all data contained on a mirrored device.
The mirror image device exposes its interface for external interaction through the functional services (Service) it provides, and one mirror image device may contain multiple functional services. Each service is denoted by S, and the set of data used and affected by S at runtime is
Figure 562626DEST_PATH_IMAGE038
Is shown, and
Figure DEST_PATH_IMAGE039
defining a certain service provided by the mirroring device and the data influenced by the service as the state
Figure 722212DEST_PATH_IMAGE040
The operation authority of the data can be divided into a read authority and a write authority, and a matrix is used
Figure DEST_PATH_IMAGE041
The rights to a certain data are represented,
Figure 617356DEST_PATH_IMAGE042
the right to read is indicated,
Figure DEST_PATH_IMAGE043
indicating write rights. For theIn State
Figure 574335DEST_PATH_IMAGE044
Data thereof
Figure DEST_PATH_IMAGE045
Authority matrix of
Figure 554930DEST_PATH_IMAGE046
. For authority matrix
Figure DEST_PATH_IMAGE047
And
Figure 783786DEST_PATH_IMAGE048
assuming that the matrix dimensions are the same,
Figure DEST_PATH_IMAGE049
representative matrix
Figure 267857DEST_PATH_IMAGE047
First, the
Figure 861649DEST_PATH_IMAGE050
Go to the first
Figure DEST_PATH_IMAGE051
The elements of the column are,
Figure 63960DEST_PATH_IMAGE052
representative matrix
Figure 48839DEST_PATH_IMAGE048
First, the
Figure 856258DEST_PATH_IMAGE050
Go to the first
Figure 620951DEST_PATH_IMAGE051
Elements of a column, for any
Figure 513821DEST_PATH_IMAGE050
And
Figure 287742DEST_PATH_IMAGE051
is provided with
Figure DEST_PATH_IMAGE053
Then, then
Figure 480826DEST_PATH_IMAGE054
Is shown by
Figure 416421DEST_PATH_IMAGE047
Is not greater than
Figure 796587DEST_PATH_IMAGE048
The right of (1).
For services in State
Figure 108619DEST_PATH_IMAGE055
User users of different identities access the service
Figure 890630DEST_PATH_IMAGE044
The corresponding authority is per (user), and one service S may provide services to a plurality of user roles. Then
Figure 796794DEST_PATH_IMAGE044
The authority to run in State is denoted as
Figure 664256DEST_PATH_IMAGE056
Then, then
Figure 248821DEST_PATH_IMAGE057
A potential attack is an inherent property that exists throughout the life cycle of a mirror image device; it is any factor that can cause a security problem for the network system. A network attack is any act that attempts to expose, destroy, modify, crash, illegally access or otherwise use target data on a target network or system. A potential attack may or may not occur. A vulnerability is a known potential attack point on a mirror image device, and exploiting it helps an attack succeed; in essence, the attacker uses the vulnerability to launch an attack that changes the attacker's permissions.
The potential attacks that exist on each mirrored device can be represented as
Figure 885339DEST_PATH_IMAGE058
The security hole existing in each mirroring device can be represented as
Figure 428316DEST_PATH_IMAGE059
If an attacker attacks a certain image device, the attack flow can be expressed as
Figure 251915DEST_PATH_IMAGE060
Wherein
Figure 171329DEST_PATH_IMAGE061
Indicating the type of potential attack to which the attack corresponds.
If the service S provided on a certain mirror image device has a bug
Figure 662354DEST_PATH_IMAGE062
When the attacker operates with the User identity User, the authority is
Figure 110653DEST_PATH_IMAGE063
. After the attacker successfully utilizes the vulnerability, the authority will be controlled by
Figure 955636DEST_PATH_IMAGE064
Become into
Figure 147583DEST_PATH_IMAGE065
Instant loopholes
Figure 493114DEST_PATH_IMAGE066
Realize that
Figure 377893DEST_PATH_IMAGE067
To
Figure 707244DEST_PATH_IMAGE068
transformation. In general,
Figure 702881DEST_PATH_IMAGE069
I.e. the attacker gains higher authority over the operation of the mirroring device by exploiting the vulnerability.
Various mirror image devices with security defense functions are deployed in a network system to form a security defense system, so that threats existing in the mirror image devices in the network system can be defended.
By function type, system defenses fall into four categories: detection, blocking, authentication and encryption security. Detection can discover attack behavior against the system but cannot prevent it; blocking can prevent attack behavior; encryption security encrypts data so that unauthorized users have no read permission on it; authentication verifies a user's identity, after which the user obtains the corresponding permissions.
The different defense functions are denoted by
Figure 902919DEST_PATH_IMAGE070
To attack flow
Figure 958599DEST_PATH_IMAGE071
If, if
Figure DEST_PATH_IMAGE072
Then it indicates that the mirroring device is capable of defending against potential attacks
Figure 306404DEST_PATH_IMAGE061
Use of
Figure 840153DEST_PATH_IMAGE073
Representing a response to an attack in which,
Figure DEST_PATH_IMAGE074
indicates detection,
Figure 225523DEST_PATH_IMAGE075
indicates blocking,
Figure DEST_PATH_IMAGE076
indicates an alarm,
Figure 248843DEST_PATH_IMAGE077
indicates that a detailed record of the attack is kept.
type indicates how a device with a defense function is connected into the overall range system: type = 1 indicates serial (inline) access, and type = 0 indicates bypass access.
For attack flow
Figure DEST_PATH_IMAGE078
Only the device with the defense function can defend the attack
Based on the modeling of the network target range, the invention designs a defense effectiveness evaluation method applied to the network target range, which comprises a detection method of the defense effectiveness of the network target range, and specifically executes the following steps A to E as shown in fig. 2.
Step A, defining a preset time length range of a network target range from an initial state moment as a detection time period, and counting, for each mirror image device in the network target range, the complete threat paths of the mirror image device from the initial state to the final state after passing through each potential attack in the detection time period as follows:
Figure 83943DEST_PATH_IMAGE079
where
Figure 421384DEST_PATH_IMAGE002
Figure 861592DEST_PATH_IMAGE003
represents the total number of mirror image devices in the network target range,
Figure 993497DEST_PATH_IMAGE004
denotes the initial state of mirror image device
Figure 519156DEST_PATH_IMAGE005
in the network target range,
Figure 651498DEST_PATH_IMAGE006
Figure 946213DEST_PATH_IMAGE007
represents the total number of states of the mirror image device in the detection time period;
Figure 249019DEST_PATH_IMAGE008
denotes, for mirror image device
Figure 527553DEST_PATH_IMAGE005
, the potential attack
Figure 206796DEST_PATH_IMAGE009
that it passes through,
Figure 356018DEST_PATH_IMAGE010
denotes the state of mirror image device
Figure 95304DEST_PATH_IMAGE005
after it passes through potential attack
Figure 595555DEST_PATH_IMAGE009
,
Figure 547331DEST_PATH_IMAGE011
denotes the state of mirror image device
Figure 85147DEST_PATH_IMAGE005
after it passes through potential attack
Figure DEST_PATH_IMAGE080
, i.e. the final state of the mirror image device in the detection time period, and
Figure 526492DEST_PATH_IMAGE014
denotes the complete threat path of mirror image device
Figure 248461DEST_PATH_IMAGE005
, which passes through each potential attack in sequence from the initial state to the final state in the detection time period. Then go to step B.
Step B, for each mirror image device in the network target range, based on the complete threat path of the mirror image device, apply the following formula:
Figure 535086DEST_PATH_IMAGE081
to obtain the probability that each mirror image device is successfully attacked, where
Figure 658899DEST_PATH_IMAGE016
Figure 474409DEST_PATH_IMAGE017
denotes the probability that mirror image device
Figure 949252DEST_PATH_IMAGE005
, within the detection time period, successfully transitions from state
Figure 508410DEST_PATH_IMAGE018
to the next state,
Figure DEST_PATH_IMAGE082
denotes the probability that mirror image device
Figure 551977DEST_PATH_IMAGE005
, within the detection time period, does not successfully transition from state
Figure 803966DEST_PATH_IMAGE018
to the next state, and
Figure 500527DEST_PATH_IMAGE029
denotes the probability that mirror image device
Figure 863375DEST_PATH_IMAGE005
is successfully attacked. Then go to step C.
Step C, according to the probability that each mirror image device is successfully attacked, obtain the risk level of each different type of potential threat involved in the complete threat paths of the mirror image devices, and then go to step D.
In practical applications, step C is carried out as the following steps C1 to C4.
Step C1, sort the mirror image devices in the network target range in ascending order of their probability of being successfully attacked to form the mirror image device ordering, and then go to step C2.
Step C2, perform a normalization operation on the probabilities of successful attack of the mirror image devices in the network target range to obtain the normalization results; then, taking the normalization results from largest to smallest, assign them in turn as the coefficients of the mirror image devices in the mirror image device ordering, and go to step C3.
Step C3, for each potential threat involved in the complete threat paths of all the mirror image devices, let the potential threat attack each mirror image device in the network target range, and take the sum of the coefficients of the mirror image devices that are successfully attacked as the risk result value corresponding to that potential threat; having obtained the risk result value for each potential threat in this way, go to step C4.
Step C4, sort the potential threats in descending order of their risk result values; the position of each potential threat in this ordering, counted from 1, is its risk level.
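Steps C1 to C4 carried through on constructed data, as an added example that is not part of the patent text. It assumes that "normalization" means dividing by the sum, reads step C2 as giving the largest normalized value to the device with the lowest attack probability, and breaks ties by name; all function, device and threat names are hypothetical.

```python
"""Steps C1-C4: turn per-device attack probabilities into threat risk levels."""
import math
from typing import Dict, Iterable, List


def normalize(values: List[float]) -> List[float]:
    """Sum-normalization (assumption: the text only says 'normalization operation')."""
    if any(v < 0 for v in values):
        raise ValueError("attack probabilities must be non-negative")
    total = math.fsum(values)
    if total <= 0:
        raise ValueError("at least one attack probability must be positive")
    return [v / total for v in values]


def device_coefficients(attack_prob: Dict[str, float]) -> Dict[str, float]:
    """C1 + C2: order devices, then hand out normalized values from large to small."""
    # C1: ascending by probability of successful attack; name breaks ties (assumption).
    ordering = sorted(attack_prob, key=lambda dev: (attack_prob[dev], dev))
    # C2: the normalized results, largest first, become the coefficients of the
    # devices in that ordering, so the hardest-to-attack device weighs the most.
    normalized = sorted(normalize([attack_prob[d] for d in ordering]), reverse=True)
    return dict(zip(ordering, normalized))


def threat_risk_values(coeff: Dict[str, float],
                       compromised_by: Dict[str, Iterable[str]]) -> Dict[str, float]:
    """C3: risk result value = sum of coefficients of the devices a threat compromises."""
    risk = {}
    for threat, devices in compromised_by.items():
        unknown = set(devices) - set(coeff)
        if unknown:
            raise KeyError(f"{threat}: devices not in the range: {sorted(unknown)}")
        risk[threat] = math.fsum(coeff[d] for d in set(devices))
    return risk


def risk_levels(risk: Dict[str, float]) -> Dict[str, int]:
    """C4: rank threats by descending risk result value; the rank from 1 is the level."""
    ordering = sorted(risk, key=lambda t: (-risk[t], t))  # name breaks ties (assumption)
    return {threat: level for level, threat in enumerate(ordering, start=1)}


# Constructed sample input: step B output for three devices, and which devices
# each potential threat compromised when replayed in the range.
SAMPLE_ATTACK_PROB = {"web-01": 0.8, "fw-01": 0.4, "db-01": 0.2}
SAMPLE_COMPROMISED_BY = {
    "sql_injection": {"web-01", "db-01"},
    "weak_credentials": {"web-01", "fw-01"},
    "service_dos": {"web-01"},
}


def rank_sample() -> Dict[str, int]:
    """Run C1-C4 end to end on the constructed sample."""
    coeff = device_coefficients(SAMPLE_ATTACK_PROB)
    return risk_levels(threat_risk_values(coeff, SAMPLE_COMPROMISED_BY))


if __name__ == "__main__":
    coeff = device_coefficients(SAMPLE_ATTACK_PROB)
    for dev, c in coeff.items():
        print(f"{dev}: p={SAMPLE_ATTACK_PROB[dev]:.2f} coefficient={c:.3f}")
    risk = threat_risk_values(coeff, SAMPLE_COMPROMISED_BY)
    for threat, level in risk_levels(risk).items():
        print(f"level {level}: {threat} (risk result value {risk[threat]:.3f})")
```

Under this reading a threat that reaches a hard-to-attack device outranks one that only succeeds against an easy target, which is why the database-reaching threat in the sample gets level 1.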
Step D, for each mirror image device in the network target range, obtain each different type of potential threat that the mirror image device passes through in its complete threat path, and, according to the complete threat path of the mirror image device, obtain the defense result of the mirror image device against each different type of potential threat under its probability of being successfully attacked; then go to step E.
In practical application, the defense result is marked as 1 for a successful attack and as 0 for an unsuccessful attack; in this way, according to the complete threat path of the mirror image device, the defense results of the mirror image device against each different type of potential threat, under its probability of being successfully attacked, are obtained.
Step E, according to the following formula:
Figure 696202DEST_PATH_IMAGE021
obtain the defense effectiveness result of the network target range
Figure 119093DEST_PATH_IMAGE022
, where
Figure 302950DEST_PATH_IMAGE083
denotes the weight of mirror image device
Figure 203910DEST_PATH_IMAGE005
in the network target range,
Figure DEST_PATH_IMAGE084
Figure 219139DEST_PATH_IMAGE085
denotes, for mirror image device
Figure 812931DEST_PATH_IMAGE005
, the number of different types of potential threats in its complete threat path,
Figure 487014DEST_PATH_IMAGE086
denotes, in the complete threat path of mirror image device
Figure 457244DEST_PATH_IMAGE005
, the potential threat of type
Figure 264663DEST_PATH_IMAGE027
,
Figure 294936DEST_PATH_IMAGE028
denotes, for mirror image device
Figure 187805DEST_PATH_IMAGE005
under its probability of being successfully attacked
Figure 430568DEST_PATH_IMAGE020
, the defense result against the potential threat of type
Figure 358073DEST_PATH_IMAGE027
in its complete threat path, and
Figure 293668DEST_PATH_IMAGE030
denotes, in the complete threat path of mirror image device
Figure 673833DEST_PATH_IMAGE005
, the risk level of the potential threat of type
Figure 720287DEST_PATH_IMAGE027
.
In application, if
Figure 782526DEST_PATH_IMAGE087
, the network defense system falls short of the standard that the defense range was designed to meet, and security personnel need to deploy devices with defense functions at suitable positions in the network system. Working backwards from the defense results of each device in the network target range in this way reveals the weak points of the whole network security defense system and helps security personnel improve it.
Regarding the weight of each mirror image device in step E, in practical applications a normalization operation is performed on the preset economic values of the mirror image devices in the network target range, and each result obtained is the weight of the corresponding mirror image device.
Based on the defense performance evaluation method applied to the network target range, in practical application, the invention further designs a mirror image equipment importance detection method for realizing the detection of the importance value of the target mirror image equipment, and specifically executes the following steps i to ii.
Step i, determine each mirror image device within the defense range of the target mirror image device to form the defense mirror image device set corresponding to the target mirror image device, and then go to step ii.
Step ii, treat the defense mirror image device set corresponding to the target mirror image device as a network target range and execute steps A to E on it; the resulting defense effectiveness result of that network target range is taken as the importance value of the target mirror image device.
In addition, in practical application, the invention further designs a mirror image device deployment importance detection method for obtaining quantitative detection of mirror image device deployment importance in a network target range, wherein the mirror image device deployment importance detection method is based on the execution of the steps A to C and further comprises the execution of the following steps I to IV.
Step I, for each mirror image device in the network target range, based on the complete threat path of the mirror image device, obtain the quantized value of the response result of the mirror image device to each different type of potential threat in the complete threat path, and then go to step II.
Step II, for each mirror image device in the network target range, perform a normalization operation on the quantized values of its response results to the different types of potential threats in the complete threat path; the normalization results obtained are the influence weights corresponding to the respective quantized response result values. Then go to step III.
Step III, for each mirror image device in the network target range, apply the following formula:
Figure 889022DEST_PATH_IMAGE088
to obtain the defense effect corresponding to each mirror image device in the network target range, where
Figure 756484DEST_PATH_IMAGE032
denotes, for mirror image device
Figure 872207DEST_PATH_IMAGE005
, the quantized value of its response result to the potential threat of type
Figure 508725DEST_PATH_IMAGE027
in the complete threat path,
Figure 786123DEST_PATH_IMAGE033
denotes, for mirror image device
Figure 875301DEST_PATH_IMAGE005
, the influence weight of the quantized value of its response result to the potential threat of type
Figure 794716DEST_PATH_IMAGE027
in the complete threat path, and
Figure 285740DEST_PATH_IMAGE034
denotes the defense effect corresponding to mirror image device
Figure 2548DEST_PATH_IMAGE005
in the network target range. Then go to step IV.
Step IV, according to the following formula:
Figure 844602DEST_PATH_IMAGE035
obtain the quantitative detection result of the mirror image device deployment importance in the network target range
Figure 36549DEST_PATH_IMAGE036
.
In application, once the importance value of each mirror image device in the network target range and the quantitative detection result of the mirror image device deployment importance in the network target range
Figure 382080DEST_PATH_IMAGE036
have been obtained, then for the importance value of each mirror image device, the larger the value, the more important the mirror image device is in the defense system. If the combinations of mirror image devices within the respective defense ranges of two mirror image devices are the same, the severity of the potential attacks to be defended against and the corresponding risks are also the same; in that case, the larger the importance value of a mirror image device, the more types of threat it can defend against. If both mirror image devices can defend against the threats faced by the mirror image devices within their defense ranges, the defense effect value of a single mirror image device is 1; in that case, the larger the importance value of the mirror image device or the value of
Figure 266859DEST_PATH_IMAGE036
, the higher the total economic value of the assets protected by the security device.
The defense effectiveness evaluation method applied to the network target range is designed around two dimensions: the severity of potential attack risks, and the response actions taken by devices with defense functions when defending against attacks. It evaluates both design defects of the defense system and problems arising in the actual operation of the devices, quantifies the defense effect, and so achieves an objective evaluation of defense effectiveness. In application it can meet defense effectiveness evaluation under different application scenarios and security risk definition standards without separate modeling and analysis of each specific scenario, and it can evaluate the effectiveness of the system's defense strategy in a quantified way. Compared with penetration testing, in which security personnel simulate network attack behavior, it is more comprehensive and controllable, and it helps determine the relationship between network security devices and protected assets, the relationship between security threats and defenses, and the relationship between security devices and the overall defense system, achieving an objective assessment of defense effectiveness.
The embodiments of the present invention have been described in detail with reference to the drawings, but the present invention is not limited to the above embodiments, and various changes can be made within the knowledge of those skilled in the art without departing from the gist of the present invention.

Claims (6)

1. A defense effectiveness evaluation method applied to a network target range, characterized in that it comprises a method for detecting the defense effectiveness of the network target range, comprising the following steps:
step A, defining a preset time length range of a network target range from an initial state moment as a detection time period, and counting, for each mirror image device in the network target range, the complete threat paths of the mirror image device from the initial state to the final state after passing through each potential attack in the detection time period as follows:
Figure 90811DEST_PATH_IMAGE001
where
Figure 989497DEST_PATH_IMAGE002
Figure 699964DEST_PATH_IMAGE003
represents the total number of mirror image devices in the network target range,
Figure 975087DEST_PATH_IMAGE004
denotes the initial state of mirror image device
Figure 821820DEST_PATH_IMAGE005
in the network target range,
Figure 156987DEST_PATH_IMAGE006
Figure 354750DEST_PATH_IMAGE007
represents the total number of states of the mirror image device in the detection time period;
Figure 167985DEST_PATH_IMAGE008
denotes, for mirror image device
Figure 134804DEST_PATH_IMAGE005
, the potential attack
Figure 375293DEST_PATH_IMAGE009
that it passes through,
Figure 60352DEST_PATH_IMAGE010
denotes the state of mirror image device
Figure 677278DEST_PATH_IMAGE005
after it passes through potential attack
Figure 761253DEST_PATH_IMAGE009
,
Figure 438222DEST_PATH_IMAGE011
denotes the state of mirror image device
Figure 610577DEST_PATH_IMAGE005
after it passes through potential attack
Figure 765615DEST_PATH_IMAGE013
, i.e. the final state of the mirror image device in the detection time period, and
Figure 707026DEST_PATH_IMAGE014
denotes the complete threat path of mirror image device
Figure 554897DEST_PATH_IMAGE005
, which passes through each potential attack in sequence from the initial state to the final state in the detection time period; then go to step B;
step B, for each mirror image device in the network target range, based on the complete threat path of the mirror image device, apply the following formula:
Figure 214548DEST_PATH_IMAGE015
to obtain the probability that each mirror image device is successfully attacked, where
Figure 907698DEST_PATH_IMAGE016
Figure 969195DEST_PATH_IMAGE017
denotes the probability that mirror image device
Figure 722387DEST_PATH_IMAGE005
, within the detection time period, successfully transitions from state
Figure 869335DEST_PATH_IMAGE018
to the next state,
Figure 631754DEST_PATH_IMAGE019
denotes the probability that mirror image device
Figure 282178DEST_PATH_IMAGE005
, within the detection time period, does not successfully transition from state
Figure 471851DEST_PATH_IMAGE018
to the next state, and
Figure 840516DEST_PATH_IMAGE020
denotes the probability that mirror image device
Figure 141047DEST_PATH_IMAGE005
is successfully attacked; then go to step C;
step C, according to the probability that each mirror image device is successfully attacked, obtain the risk level of each different type of potential threat involved in the complete threat paths of the mirror image devices, and then go to step D;
step D, for each mirror image device in the network target range, obtain each different type of potential threat that the mirror image device passes through in its complete threat path, and, according to the complete threat path of the mirror image device, obtain the defense result of the mirror image device against each different type of potential threat under its probability of being successfully attacked; then go to step E;
step E, according to the following formula:
Figure 177136DEST_PATH_IMAGE021
obtain the defense effectiveness result of the network target range
Figure 272131DEST_PATH_IMAGE022
, where
Figure 128092DEST_PATH_IMAGE023
denotes the weight of mirror image device
Figure 232314DEST_PATH_IMAGE005
in the network target range,
Figure 122909DEST_PATH_IMAGE024
Figure 654385DEST_PATH_IMAGE025
denotes, for mirror image device
Figure 997642DEST_PATH_IMAGE005
, the number of different types of potential threats in its complete threat path,
Figure 374396DEST_PATH_IMAGE026
denotes, in the complete threat path of mirror image device
Figure 119498DEST_PATH_IMAGE005
, the potential threat of type
Figure 821875DEST_PATH_IMAGE027
,
Figure 652428DEST_PATH_IMAGE028
denotes, for mirror image device
Figure 829944DEST_PATH_IMAGE005
under its probability of being successfully attacked
Figure 429552DEST_PATH_IMAGE020
, the defense result against the potential threat of type
Figure 302831DEST_PATH_IMAGE027
in its complete threat path, and
Figure 620679DEST_PATH_IMAGE029
denotes, in the complete threat path of mirror image device
Figure 870395DEST_PATH_IMAGE005
, the risk level of the potential threat of type
Figure 58931DEST_PATH_IMAGE027
.
2. The method for evaluating defense effectiveness applied to a network target range according to claim 1, wherein the step C comprises the following steps:
step C1, sort the mirror image devices in the network target range in ascending order of their probability of being successfully attacked to form the mirror image device ordering, and then go to step C2;
step C2, perform a normalization operation on the probabilities of successful attack of the mirror image devices in the network target range to obtain the normalization results; then, taking the normalization results from largest to smallest, assign them in turn as the coefficients of the mirror image devices in the mirror image device ordering, and go to step C3;
step C3, for each potential threat involved in the complete threat paths of all the mirror image devices, let the potential threat attack each mirror image device in the network target range, and take the sum of the coefficients of the mirror image devices that are successfully attacked as the risk result value corresponding to that potential threat; having obtained the risk result value for each potential threat in this way, go to step C4;
step C4, sort the potential threats in descending order of their risk result values; the position of each potential threat in this ordering, counted from 1, is its risk level.
3. The defense effectiveness evaluation method applied to a network target range according to claim 1, characterized in that: in step D, the defense result is marked as 1 for a successful attack and as 0 for an unsuccessful attack, and, according to the complete threat path of the mirror image device, the defense results of the mirror image device against each different type of potential threat, under its probability of being successfully attacked, are obtained.
4. The defense effectiveness evaluation method applied to a network target range according to claim 1, characterized in that: in step E, a normalization operation is performed on the preset economic values of the mirror image devices in the network target range, and each result obtained is the weight of the corresponding mirror image device.
5. The defense effectiveness evaluation method applied to a network target range according to claim 1, characterized in that it further comprises a mirror image device importance detection method for detecting the importance value of a target mirror image device, comprising the following steps:
step i, determine each mirror image device within the defense range of the target mirror image device to form the defense mirror image device set corresponding to the target mirror image device, and then go to step ii;
step ii, treat the defense mirror image device set corresponding to the target mirror image device as a network target range and execute steps A to E on it; the resulting defense effectiveness result of that network target range is taken as the importance value of the target mirror image device.
6. The method for evaluating defense effectiveness applied to network target range according to claim 1 or 5, characterized in that: the method also comprises a mirror image equipment deployment importance detection method used for obtaining the quantitative detection of the mirror image equipment deployment importance in the network target range, wherein the mirror image equipment deployment importance detection method is based on the execution of the steps A to C and also comprises the following steps I to IV;
step I, for each mirror image device in the network target range, based on the complete threat path of the mirror image device, obtain the quantized value of the response result of the mirror image device to each different type of potential threat in the complete threat path, and then go to step II;
step II, for each mirror image device in the network target range, perform a normalization operation on the quantized values of its response results to the different types of potential threats in the complete threat path; the normalization results obtained are the influence weights corresponding to the respective quantized response result values; then go to step III;
step III, for each mirror image device in the network target range, apply the following formula:
Figure 103110DEST_PATH_IMAGE030
to obtain the defense effect corresponding to each mirror image device in the network target range, where
Figure 908255DEST_PATH_IMAGE031
denotes, for mirror image device
Figure 696083DEST_PATH_IMAGE005
, the quantized value of its response result to the potential threat of type
Figure 270284DEST_PATH_IMAGE027
in the complete threat path,
Figure 485364DEST_PATH_IMAGE032
denotes, for mirror image device
Figure 512226DEST_PATH_IMAGE005
, the influence weight of the quantized value of its response result to the potential threat of type
Figure 838165DEST_PATH_IMAGE027
in the complete threat path, and
Figure 266873DEST_PATH_IMAGE033
denotes the defense effect corresponding to mirror image device
Figure 918434DEST_PATH_IMAGE005
in the network target range; then go to step IV;
step IV, according to the following formula:
Figure 432592DEST_PATH_IMAGE034
obtain the quantitative detection result of the mirror image device deployment importance in the network target range
Figure 562222DEST_PATH_IMAGE035
.
CN202010937894.2A 2020-09-09 2020-09-09 Defense efficiency evaluation method applied to network target range Active CN111818102B (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN202010937894.2A CN111818102B (en) 2020-09-09 2020-09-09 Defense efficiency evaluation method applied to network target range


Publications (2)

Publication Number Publication Date
CN111818102A true CN111818102A (en) 2020-10-23
CN111818102B CN111818102B (en) 2020-12-11

Family

ID=72860156

Family Applications (1)

Application Number Title Priority Date Filing Date
CN202010937894.2A Active CN111818102B (en) 2020-09-09 2020-09-09 Defense efficiency evaluation method applied to network target range

Country Status (1)

Country Link
CN (1) CN111818102B (en)


Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination
GR01 Patent grant
TR01 Transfer of patent right

Effective date of registration: 20240516

Address after: Room D04, Building 2, No. 28 Zhenxing Road, Science and Technology Park, Changping District, Beijing, 102299

Patentee after: Beijing Mingbo Xin'an Information Technology Co.,Ltd.

Country or region after: China

Address before: No.1, Dongji Avenue, Jiangning Economic and Technological Development Zone, Nanjing, Jiangsu Province, 210000

Patentee before: XINLIAN TECHNOLOGY (NANJING) Co.,Ltd.

Country or region before: China
