CN111818102B - Defense efficiency evaluation method applied to network target range - Google Patents


Info

Publication number: CN111818102B
Authority: CN (China)
Prior art keywords: mirror image, defense, image device, network, threat
Legal status: Active
Application number: CN202010937894.2A
Other languages: Chinese (zh)
Other versions: CN111818102A (en)
Inventors: 王森淼, 涂腾飞, 李超
Current Assignee: Beijing Mingbo Xin'an Information Technology Co.,Ltd.
Original Assignee: Xinlian Technology Nanjing Co ltd
Application filed by Xinlian Technology Nanjing Co ltd; priority to CN202010937894.2A; published as CN111818102A; application granted and published as CN111818102B.

Classifications

    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L63/00 Network architectures or network communication protocols for network security
    • H04L63/14 Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic
    • H04L63/1441 Countermeasures against malicious traffic
    • H04L63/1433 Vulnerability analysis


Abstract

The invention relates to a defense effectiveness evaluation method applied to a network shooting range (cyber range). It starts from two dimensions: the severity of the potential threat risk, and the response actions of the equipment with a defense function while the attack is being defended. It evaluates both design defects of the defense system and problems in the actual operation of the equipment, quantifies the defense effect, and thereby gives an objective evaluation of defense effectiveness. In application it can evaluate the effectiveness of a defense scheme under different application scenarios and different security-risk definition standards without separate modeling analysis for each specific scenario, it evaluates the defense strategies of the system in a quantified way, and it is more comprehensive and controllable than having security personnel simulate network attack behavior by penetration testing. It also helps determine the relationship and probability between network security equipment and the protected assets, the relationship between security threats and defenses, and the relationship between the security devices and the overall defense system.

Description

Defense efficiency evaluation method applied to network target range
Technical Field
The invention relates to a defense effectiveness evaluation method applied to a network shooting range, and belongs to the technical field of network shooting range effectiveness evaluation.
Background
The continuous development of the internet brings convenience to people, but the security threats they face also keep growing. The popularization and openness of the internet give network hackers their opportunity: by various illegal means they can subject the network to security threats such as Trojan horses and viruses, so that the network cannot operate. As the technical level rises, the variety of network attacks increases and the attacks become more complex; in particular, advanced persistent threats are combining multiple attack techniques at a very fast pace. Vulnerabilities hidden in the network are a great hidden danger to network security; attackers often use a network vulnerability as the entry point to attack the network in various ways, and such attacks affect every security index of the whole network and disturb the network order.
However, factors such as the gap between the design of a security device's threat-defense function and the effect it actually achieves, the technical level of security staff, imperfect network security management systems and processes, and the continuous progress of attack techniques mean that the deployment of security devices in an information system cannot be optimized and the network security problems of the information system cannot be completely solved, so the evaluation of the defense system still faces a serious challenge. Meanwhile, the information system, as the infrastructure carrying functional services and data, has become a key factor in the operation and development of most enterprises and public institutions. Although every information system is composed of physical devices and network devices, the security threats differ from one information system to another, because their physical devices, functional services, data and network environments differ.
At present, the main method used in industry to evaluate the defense effect is to simulate network attack behavior by penetration testing and to discover as many weaknesses that the target defense system cannot defend as possible. However, this method lacks a model of the information system, its result depends entirely on the skill and experience of the penetration testers, the process easily misses items because information systems differ, and the result cannot be quantified, so the method is largely uncontrollable and limited. For a more comprehensive quantitative evaluation of information-system security, modeling-based evaluation schemes have been widely proposed. In existing schemes, modeling of a single equipment node or a single security element in an information system is mature, but modeling a single equipment node lacks a common description of the various equipment nodes in the system, and modeling a single security element is mostly done for a specific application scenario and cannot accommodate the differences between information systems. Meanwhile, neither at home nor abroad has the information system together with its defense system been modeled. Therefore, a technique for quantitatively evaluating the overall defense effect of a network security defense system is still lacking at the present stage; researching the key technologies for evaluating and optimizing the network security defense system, and promptly and effectively finding the security equipment that is missing, defective or redundantly built in the defense system, is of great practical significance today.
In the prior art, patent CN 201610330336.3 proposes a defense system comprising a transparent firewall, a timing inspection module, a flow statistics module, a virus isolation module, a virus feature matching module, a port audit module, a flow statistics module, a network anomaly evaluation module, a defense decision generation module, a defense decision execution module, an emergency channel module, a restoration module, and a data isolation uploading module. It monitors and audits network traffic and keeps the network in good condition; it improves network immunity by analyzing and memorizing unknown intrusion behavior; after an intrusion it can effectively contain the damage and keep the network and normal services running, and it can automatically generate and execute different defense decision schemes for different network attacks, improving the system's ability to repair and restore itself and keeping the network stable. However, that invention does not quantify the defense system; it only establishes the defense strategy.
Patent CN 201810588918.0 proposes a "network target defense effectiveness evaluation method, electronic device, storage medium and system". The disclosed method performs hierarchical processing on a network resource graph to obtain a hierarchical network resource graph; acquires the initial hierarchical network resource graph at the initial moment and the current hierarchical network resource graph; detects the similarity between the initial node layer and the current node layer; calculates the resource dependency and the resource association degree of the resource layers in the initial and current hierarchical graphs; calculates the defense success rate and the defense cost of the current hierarchical graph from the resource association degree and the resource dependency; and evaluates the defense benefit from the defense success rate and the defense cost.
Patent CN 201810594501.5 proposes an "attack-oriented network security situation prediction method, device and system". The disclosed method detects and collects alarm data and network environment operation and maintenance information in a network confrontation environment and acquires the element set required for situation prediction, which comprises three kinds of information: attacker, defender and network environment; it evaluates the attacker's ability and the defender's level, builds a dynamic Bayesian attack graph, and calculates the number of attack stages and the occurrence probability vector of the attack states; and it quantifies the network security situation value in the space and time dimensions by combining the vulnerability scoring standard with the network asset information. That invention mainly aims at predicting the network security situation in order to guide the construction of defenses, but it does not address the effectiveness evaluation of a network defense system.
Patent CN 201811358905.0 proposes a "network security performance evaluation method based on attack and defense correlation matrix", belonging to the technical field of information security. The method considers the system's defense capability, the influence on system performance, the performance and protection capability of the core assets after the network is attacked, the services provided by the system, and so on; it evaluates network security performance by calculating the attack and defense correlation matrix and accumulating the weights of several discrete points using the change in the target network before and after the attack. That invention can evaluate the defense capability of a single equipment node, but it is still deficient in quantifying the defense of the whole network system.
Patent CN 201911028421.4 proposes "a method, an apparatus, an electronic device and a storage medium for evaluating the current status of a network environment", aimed at the low accuracy and high cost of the prior practice of evaluating the current network security status mostly by penetration testing and virtual environment construction. The disclosed method surveys the target network environment, allocates resources accordingly, and builds a simulated network environment of the target; intrudes into the simulated environment with a simulated intrusion scheme, describes the intrusion process and the protection situation, generates the intrusion result, and displays the process, the protection situation and the result visually; derives an electronic report from the intrusion process, protection situation and intrusion result; and has evaluators assess the defense situation of the target network from the electronic report and the visual display, producing a current status evaluation report and an optimization suggestion report for the target network environment. But that invention does not quantify the assessment of defense effectiveness.
Disclosure of Invention
The technical problem the invention solves is to provide a defense effectiveness evaluation method applied to a network shooting range which starts from two dimensions, the severity of the potential threat risk and the response actions of the equipment with a defense function during attack defense, evaluates design defects of the defense system and problems in the actual operation of the equipment, quantifies the defense effect, and thereby gives an objective evaluation of defense effectiveness.
To solve this problem the invention adopts the following technical scheme. The invention designs a defense effectiveness evaluation method applied to a network shooting range; it comprises a method for detecting the defense effectiveness of the network shooting range, which has the following steps:
Step A. Define a preset time length starting from the initial-state moment of the network target range as the detection time period, and for each mirror device in the range record the complete threat path of the device, from its initial state to its final state, passing in turn through each potential threat in the detection period:
$P_n = \{s_{n1}, e_{n1}, s_{n2}, \ldots, e_{n,m-1}, s_{nm}, \ldots, e_{n,M-1}, s_{nM}\}$
where $n \in \{1, \ldots, N\}$ and $N$ is the total number of mirror devices in the range; $s_{n1}$ is the initial state of the nth mirror device; $m \in \{1, \ldots, M\}$ and $M$ is the total number of states of the mirror device in the detection period; $e_{n,m-1}$ is the (m-1)th potential threat passed by the nth mirror device; $s_{nm}$ is the state of the nth mirror device after the (m-1)th potential threat; $s_{nM}$ is its state after the (M-1)th potential threat, i.e. the last state of the mirror device in the detection period; and $P_n$ is the complete threat path of the nth mirror device from its initial state to its final state through each potential threat in turn. Then go to step B.
Step B. For each mirror device in the network target range, from the complete threat path of the device and according to the following formula:
Figure GDA0002757650060000041
obtain the probability $P_{nt}$ that each mirror device is successfully attacked, where $1 < j \le k$, $k \ge i$ and $i \le M$; $a_{nk}$ is the probability that the nth mirror device successfully transitions from its kth state to the next state within the detection period, $b_{nk}$ is the probability that the nth mirror device does not successfully transition from its kth state to the next state within the detection period, and $P_{nt}$ is the probability that the nth mirror device is successfully attacked. Then go to step C.
Step C. From the probability that each mirror device is successfully attacked, obtain the risk level of each distinct type of potential threat involved in the complete threat paths of the mirror devices, then go to step D.
Step D. For each mirror device in the network target range, obtain each distinct type of potential threat the device passes in its complete threat path, and from the complete threat path obtain the defense result of the device against each of those threat types at the device's successful-attack probability; then go to step E.
Step E. According to the following formula:
Figure GDA0002757650060000042
obtain the defense effectiveness result $S$ of the network shooting range, where $w_n$ is the weight of the nth mirror device in the range, $l_n \in \{1, \ldots, L_n\}$, $L_n$ is the number of distinct types of potential threat in the complete threat path of the nth mirror device, $l_n$ indexes the $l_n$-th type of potential threat in that path,
Figure GDA0002757650060000043
is the defense result of the nth mirror device against the $l_n$-th type of potential threat in its complete threat path at its successful-attack probability $P_{nt}$, and
Figure GDA0002757650060000044
is the risk level of the $l_n$-th type of potential threat in the complete threat path of the nth mirror device.
As a preferred technical solution of the invention, step C comprises the following steps:
Step C1. Sort the mirror devices of the network target range in increasing order of their successful-attack probability to form the mirror device ordering, then go to step C2.
Step C2. Normalize the successful-attack probabilities of the mirror devices in the range to obtain the normalization results, then assign the normalization results, from largest to smallest, as the coefficients of the mirror devices in the mirror device ordering, and go to step C3.
Step C3. For each distinct type of potential threat involved in the complete threat paths of all mirror devices, let the threat attack each mirror device in the range, and take the sum of the coefficients of the successfully attacked mirror devices as the risk result value of that threat; obtain the risk result value of every potential threat in this way, then go to step C4.
Step C4. Sort the potential threats in increasing order of their risk result values, and assign each potential threat the sequence number of its position in this ordering, counting from 1, as its risk level.
As a preferred technical scheme of the invention, in step D the defense result is marked 1 when the attack succeeds and 0 when it does not, and the defense results of the mirror device against each distinct type of potential threat at the device's successful-attack probability are obtained from the complete threat path of the device.
As a preferred technical scheme of the invention, in step E the preset economic value of each mirror device in the network target range is normalized, and each result is the weight of that mirror device.
As a preferred technical scheme of the invention, the method further comprises a mirror device importance detection method for detecting the importance value of a target mirror device, with the following steps:
Step i. Determine the mirror devices within the defense range corresponding to the target mirror device to form the defense mirror device set of the target mirror device, then go to step ii.
Step ii. Take the defense mirror device set of the target mirror device as the network target range and execute steps A to E on it to obtain the defense effectiveness result of that range; this result is the importance value of the target mirror device.
As a preferred technical scheme of the invention, the method further comprises a mirror device deployment importance detection method that gives a quantitative detection of the deployment importance of the mirror devices in the network target range; it builds on the execution of steps A to C and further comprises the following steps I to IV.
Step I. For each mirror device in the network target range, obtain from its complete threat path the quantized response-result value of the device to each distinct type of potential threat in that path, then go to step II.
Step II. For each mirror device in the range, normalize the quantized response-result values of the device to the distinct types of potential threat in its complete threat path to obtain the normalization results, which form the influence weights of the respective quantized response-result values; then go to step III.
Step III. For each mirror device in the range, according to the following formula:
Figure GDA0002757650060000051
obtain the defense effect of each mirror device in the network shooting range, where
Figure GDA0002757650060000052
is the quantized response-result value of the nth mirror device to the $l_n$-th type of potential threat in its complete threat path,
Figure GDA0002757650060000053
is the influence weight of that quantized response-result value of the nth mirror device for the $l_n$-th type of potential threat in its complete threat path, and
Figure GDA0002757650060000054
is the defense effect of the nth mirror device in the network target range; then go to step IV.
Step IV. According to the following formula:
Figure GDA0002757650060000061
obtain the quantitative detection result $I_{dq}$ of the deployment importance of the mirror devices in the network target range.
Compared with the prior art, the defense effectiveness evaluation method applied to the network target range has the following technical effects when the above scheme is adopted:
The method starts from two dimensions, the severity of the potential threat risk and the response actions of the equipment with a defense function during attack defense; it evaluates design defects of the defense system and problems in the actual operation of the equipment, quantifies the defense effect, and gives an objective evaluation of defense effectiveness. In application it can evaluate the effectiveness of a defense scheme under different application scenarios and different security-risk definition standards without separate modeling analysis for each specific scenario, it evaluates the defense strategies of the system in a quantified way, and it is more comprehensive and controllable than having security personnel simulate network attack behavior by penetration testing. It also helps determine the relationship between network security equipment and the protected assets, the relationship between security threats and defenses, and the relationship between the security devices and the overall defense system, achieving an objective assessment of defense effectiveness.
Drawings
FIG. 1 is a schematic diagram of the structure and application of a mirroring device in a network shooting range;
FIG. 2 is a schematic diagram of a defense performance evaluation method applied to a network target range according to the present invention.
Detailed Description
The following description will explain embodiments of the present invention in further detail with reference to the accompanying drawings.
The network target range consists of a number of interconnected mirror devices, each of which provides functional services to the other mirror devices over the network. As shown in fig. 1, the mirror devices in the range are carriers of a series of data sets, and users access the functional services of the devices in the system over the network.
For each mirror device in the range, the set $Data = \{data_1, data_2, \ldots, data_n\}$ denotes all the data contained on the mirror device.
A mirror device exposes its interface to the outside through the functional services it provides (Service), and one mirror device may contain several functional services. Each service is denoted $S$, and the set of data that $S$ uses and affects at runtime is denoted $Data_S$, with
Figure GDA0002757650060000062
defining a service provided by the mirroring device and Data affected by the service as State { S, Data }S}。
The operation authority of data can be divided into read authority and write authority, and the matrix per ═ r, w is used]TIndicating the rights to a certain data, r the read rights and w the write rights. For S in State, its DataSIs the permission matrix per ═ per [ per ]d1,perd2,...,perdn]. For the permission matrix per1And per2Assuming the matrix dimensions are the same, aijRepresentative matrix per1Element of ith row and jth column, bijRepresentative matrix per2Row i and column j elements, pairAt any of i and j, has aij≤bijThen per1≤per2Is to represent per1Is not greater than per2The right of (1).
For a service S in the State, the authority of a User with different identities to access the service S is per (User), and one service S may provide services to a plurality of User roles. Then the right to S run in State is denoted perStateIf the average value of per is less than or equal to perState
A potential threat is an inherent property that exists throughout the life cycle of the mirror device: any factor that can potentially cause a security problem for the network system. A network attack is any act that attempts to expose, destroy, modify, crash, illegally access or otherwise use target data on the target network and system. A potential threat may or may not occur. A vulnerability is a known potential threat point on the mirror device; exploiting the vulnerability makes the attack succeed, and in essence an attacker uses the vulnerability to launch an attack so that the attacker's authority changes.
The potential threats present on each mirror device are denoted $ATT = \{att_1, att_2, \ldots, att_n\}$.
The security vulnerabilities present on each mirror device are denoted $VUL = \{vul_1, vul_2, \ldots, vul_n\}$.
If an attacker attacks a mirror device, the attack flow can be represented as (srcip, srcport, destip, destport, pro, att), where att is the potential threat type corresponding to the attack.
If a vulnerability vul exists in the service S provided on a mirror device and the attacker operates with user identity User, the attacker's authority is per(User). After the attacker successfully exploits the vulnerability, the authority changes from per(User) to per'(User); that is, the vulnerability vul realizes the transition from per(User) to per'(User). Generally per(User) ≤ per'(User), i.e. by exploiting the vulnerability the attacker gains higher authority to operate the mirror device.
Various mirror image devices with security defense functions are deployed in a network system to form a security defense system, so that threats existing in the mirror image devices in the network system can be defended.
Depending on the type of function, system defense can be divided into four classes: detection, blocking, authentication and encryption security. The detection class can discover attack behavior against the system but cannot prevent it; the blocking class can prevent attack behavior; encryption security encrypts data so that it is unreadable to unauthorized users; authentication verifies the user, who then obtains the corresponding authority.
Different defense functions are expressed using Fun.
For attack streams (srcip, srcport, destip, destport, pro, att), if att ∈ Fun, it means that the mirroring device can defend against the potential threat att.
The response to an attack is represented as (detect, stop, war, log), where detect denotes detection, stop denotes blocking, war denotes an alarm, and log denotes a detailed record of the attack.
The type indicates the access mode of the device with the defense function in the whole range system, and when the type is 1, the serial access is indicated, and when the type is 0, the bypass access is indicated.
For an attack flow (srcip, srcport, destip, destport, pro, att), only a device that deploys the corresponding defense function can defend against the attack.
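The permission-matrix order, the vulnerability as a per(User) to per'(User) transition, and the "att ∈ Fun" defense check described above, as an added worked example in Python that is not part of the patent. The matrix layout (one [r, w] column per data item), the sample data and the names of the helpers are assumptions made here.

```python
"""Permission-matrix partial order, vulnerability-as-permission-transition and the
Fun check for attack flows, following the mirror device model described above."""
from dataclasses import dataclass
from typing import List, Set, Tuple

# per = [r, w]^T for one data item: r = read authority, w = write authority (0 or 1).
Perm = Tuple[int, int]
# Permission matrix of a service's Data_S: one [r, w] column per data item (assumed layout).
PermMatrix = List[Perm]


def perm_leq(per1: PermMatrix, per2: PermMatrix) -> bool:
    """per1 <= per2: same dimensions and a_ij <= b_ij for every i, j."""
    if len(per1) != len(per2):
        raise ValueError("permission matrices must have the same dimensions")
    return all(a <= b for col1, col2 in zip(per1, per2) for a, b in zip(col1, col2))


def perm_comparable(per1: PermMatrix, per2: PermMatrix) -> bool:
    """The order is partial: two matrices may be incomparable in both directions."""
    return perm_leq(per1, per2) or perm_leq(per2, per1)


@dataclass
class Vulnerability:
    """vul on service S turns per(User) into per'(User)."""
    name: str
    per_before: PermMatrix  # per(User)
    per_after: PermMatrix   # per'(User)

    def escalates(self) -> bool:
        """True when per(User) <= per'(User) and the two differ, i.e. the attacker
        gains authority over the mirror device by exploiting the vulnerability."""
        return perm_leq(self.per_before, self.per_after) and self.per_before != self.per_after


@dataclass
class AttackFlow:
    """(srcip, srcport, destip, destport, pro, att), att being the potential threat type."""
    srcip: str
    srcport: int
    destip: str
    destport: int
    pro: str
    att: str


@dataclass
class DefenseDevice:
    """A mirror device with defense function: fun is its Fun set of defendable threat
    types; type is 1 for serial (in-line) access and 0 for bypass access."""
    name: str
    fun: Set[str]
    type: int

    def can_defend(self, flow: AttackFlow) -> bool:
        """att in Fun means the device can defend against the potential threat att."""
        return flow.att in self.fun


def undefended_threats(flows: List[AttackFlow], devices: List[DefenseDevice]) -> Set[str]:
    """Threat types in the attack flows that no deployed defense device covers."""
    return {f.att for f in flows if not any(d.can_defend(f) for d in devices)}


# Constructed sample (not from the patent): a user with read-only authority on two
# data items (web content, customer table) whose exploit of "sqli_orders" yields
# write authority on the customer table.
READ_ONLY: PermMatrix = [(1, 0), (1, 0)]
AFTER_SQLI: PermMatrix = [(1, 0), (1, 1)]
SAMPLE_VUL = Vulnerability("sqli_orders", READ_ONLY, AFTER_SQLI)

# Constructed attack flows and deployed defense devices (documentation-range addresses).
SAMPLE_FLOWS = [
    AttackFlow("203.0.113.7", 51000, "10.0.0.5", 443, "tcp", "sql_injection"),
    AttackFlow("203.0.113.7", 51001, "10.0.0.5", 22, "tcp", "brute_force"),
]
SAMPLE_DEVICES = [
    DefenseDevice("waf", {"sql_injection", "xss"}, type=1),
    DefenseDevice("ids", {"port_scan"}, type=0),
]

if __name__ == "__main__":
    print("sqli_orders escalates authority:", SAMPLE_VUL.escalates())
    print("threats no device defends:", undefended_threats(SAMPLE_FLOWS, SAMPLE_DEVICES))
```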
Based on the modeling of the network target range, the invention designs a defense effectiveness evaluation method applied to the network target range, which comprises a detection method of the defense effectiveness of the network target range, and specifically executes the following steps A to E as shown in fig. 2.
Step A. Define a preset time length starting from the initial-state moment of the network target range as the detection time period, and for each mirror device in the range record the complete threat path of the device, from its initial state to its final state, passing in turn through each potential threat in the detection period:
$P_n = \{s_{n1}, e_{n1}, s_{n2}, \ldots, e_{n,m-1}, s_{nm}, \ldots, e_{n,M-1}, s_{nM}\}$
where $n \in \{1, \ldots, N\}$ and $N$ is the total number of mirror devices in the range; $s_{n1}$ is the initial state of the nth mirror device; $m \in \{1, \ldots, M\}$ and $M$ is the total number of states of the mirror device in the detection period; $e_{n,m-1}$ is the (m-1)th potential threat passed by the nth mirror device; $s_{nm}$ is the state of the nth mirror device after the (m-1)th potential threat; $s_{nM}$ is its state after the (M-1)th potential threat, i.e. the last state of the mirror device in the detection period; and $P_n$ is the complete threat path of the nth mirror device from its initial state to its final state through each potential threat in turn. Then go to step B.
Step B. For each mirror image device in the network target range, use the complete threat path of the device and the following formula:
Figure GDA0002757650060000081
to obtain the probability that each mirror image device is successfully attacked, where $1 < j \le k$, $k \ge i$ and $i \le M$; $a_{nk}$ is the probability that the $n$th mirror image device successfully transitions from its $k$th state to the next state within the detection period, $b_{nk}$ is the probability that the $n$th mirror image device does not successfully transition from its $k$th state to the next state within the detection period, and $P_{nt}$ is the probability that the $n$th mirror image device is successfully attacked. Then proceed to step C.
Step C. From the probability of successful attack corresponding to each mirror image device, obtain the risk level of each different type of potential threat involved in the complete threat paths of the mirror image devices; then proceed to step D.
In practical application, step C is performed as the following steps C1 to C4.
Step C1. Sort the mirror image devices in the network target range by their probability of successful attack, from small to large, to form the mirror image device ordering; then proceed to step C2.
Step C2. Normalize the successful attack probabilities of the mirror image devices in the network target range to obtain the normalization results, then assign those results, from large to small, as the coefficients of the successive mirror image devices in the ordering of step C1 (so the device with the smallest probability of successful attack receives the largest coefficient); then proceed to step C3.
Step C3. For each different type of potential threat involved in the complete threat paths of all the mirror image devices, let the threat attack each mirror image device in the network target range and take the sum of the coefficients of the mirror image devices it successfully attacks as the risk result value of that potential threat; obtain in this way the risk result value of each potential threat, then proceed to step C4.
Step C4. Sort the potential threats by their risk result values from small to large and assign each potential threat its ordinal position in this sorting, counted from 1, as its risk level.
Step D. For each mirror image device in the network target range, obtain each different type of potential threat the device passes through in its complete threat path and, from that path, obtain the defense result of the device against each of those types of potential threat under the device's probability of successful attack; then proceed to step E.
In practical application the defense result is obtained as follows: if the attack succeeded, the defense result is marked 1, and if the attack did not succeed, it is marked 0; the defense results of the mirror image device against the different types of potential threat, under the probability that the device is successfully attacked, are read off its complete threat path.
Step E, according to the following formula:
Figure GDA0002757650060000091
to obtain the defense performance result $S$ of the network target range, where $w_n$ is the weight of the $n$th mirror image device in the range, $l_n \in \{1, \ldots, L_n\}$, $L_n$ is the number of different types of potential threat in the complete threat path of the $n$th mirror image device, $l_n$ denotes the $l_n$th type of potential threat in that path,
Figure GDA0002757650060000092
is the defense result of the $n$th mirror image device against the $l_n$th type of potential threat in its complete threat path under its probability of successful attack $P_{nt}$, and
Figure GDA0002757650060000093
is the risk level of the $l_n$th type of potential threat in the complete threat path of the $n$th mirror image device.
In application, if
Figure GDA0002757650060000101
this indicates that the defense system falls short of the level the defense range was designed to achieve, and security staff need to deploy devices with defense functions at suitable positions in the network system. By analyzing the defense results and responses of each device in the network target range, the weak point of the overall network security defense system can be identified, which helps security staff improve the defense system.
For the weight of each mirror image device in step E, in practical application a normalization operation is performed on the preset economic value of each mirror image device in the network target range, and each result obtained is the weight of the corresponding mirror image device.
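As an added worked example, not code from the patent, the following Python implements the parts of steps C, D and E that the text fully specifies: ordering the mirror image devices by their probability of successful attack and assigning the normalized probabilities as coefficients in reverse order (C1 and C2), summing coefficients per threat and ranking the threats into risk levels (C3 and C4), reading the 0/1 defense results off each device's complete threat path (D), and deriving the device weights from normalized economic values (E). The formulas of steps B and E themselves are given only as figures in the patent, so the probabilities $P_{nt}$ are supplied here as constructed inputs and the final aggregation into $S$ is not computed. Sum-to-one normalization, the `ThreatEvent` and `MirrorDevice` data classes and the sample devices are all assumptions of this example.

```python
from dataclasses import dataclass
from typing import Dict, List, Tuple


@dataclass
class ThreatEvent:
    """One potential threat e_{nm} on a device's complete threat path P_n.

    `succeeded` records whether the state transition s_{nm} -> s_{n,m+1}
    completed, i.e. whether this attack step got through the device's defenses.
    (Assumed representation; the patent only names the path elements.)
    """
    threat: str
    succeeded: bool


@dataclass
class MirrorDevice:
    """A mirror image device of the range with the inputs the later steps need."""
    name: str
    p_attacked: float          # P_nt from step B, supplied as an input here
    economic_value: float      # preset economic value used for the weight w_n
    path: List[ThreatEvent]    # complete threat path P_n for the detection period


def device_coefficients(devices: List[MirrorDevice]) -> Dict[str, float]:
    """Steps C1-C2: rank devices by P_nt ascending, normalise the P_nt values
    (assumption: divide by their sum) and hand the normalised values out
    largest-first along that ranking, so the least attackable device gets the
    largest coefficient."""
    ranked = sorted(devices, key=lambda d: d.p_attacked)
    total = sum(d.p_attacked for d in devices)
    normalised = sorted((d.p_attacked / total for d in devices), reverse=True)
    return {d.name: c for d, c in zip(ranked, normalised)}


def defense_results(device: MirrorDevice) -> Dict[str, int]:
    """Step D: per threat type on the device's path, 1 if that threat
    successfully attacked the device at any point, otherwise 0."""
    results: Dict[str, int] = {}
    for event in device.path:
        results[event.threat] = max(results.get(event.threat, 0), int(event.succeeded))
    return results


def threat_risk_levels(devices: List[MirrorDevice]) -> Tuple[Dict[str, int], Dict[str, float]]:
    """Steps C3-C4: a threat's risk result value is the sum of the coefficients
    of the devices it successfully attacked; threats are ranked by that value
    ascending and the rank, counted from 1, is the risk level."""
    coeff = device_coefficients(devices)
    risk_value: Dict[str, float] = {}
    for device in devices:
        for threat, hit in defense_results(device).items():
            risk_value.setdefault(threat, 0.0)
            if hit:
                risk_value[threat] += coeff[device.name]
    ranked = sorted(risk_value, key=lambda t: risk_value[t])
    levels = {threat: level for level, threat in enumerate(ranked, start=1)}
    return levels, risk_value


def device_weights(devices: List[MirrorDevice]) -> Dict[str, float]:
    """Step E weights w_n: preset economic values normalised to sum to 1."""
    total = sum(d.economic_value for d in devices)
    return {d.name: d.economic_value / total for d in devices}


# Constructed sample range: three devices and their paths over one detection period.
SAMPLE_DEVICES = [
    MirrorDevice("web", 0.6, 100.0, [ThreatEvent("sql_injection", True), ThreatEvent("rce", False)]),
    MirrorDevice("db", 0.3, 300.0, [ThreatEvent("sql_injection", True), ThreatEvent("brute_force", True)]),
    MirrorDevice("fw", 0.1, 50.0, [ThreatEvent("port_scan", True), ThreatEvent("rce", False)]),
]

if __name__ == "__main__":
    levels, values = threat_risk_levels(SAMPLE_DEVICES)
    for threat in sorted(levels, key=levels.get):
        print(f"{threat:14s} risk value {values[threat]:.2f}  risk level {levels[threat]}")
    print("device weights:", device_weights(SAMPLE_DEVICES))
    for dev in SAMPLE_DEVICES:
        print(dev.name, "defense results:", defense_results(dev))
```

On the sample data, port_scan ends up at the highest risk level (4) although it only succeeded against the firewall: step C2 gives the largest coefficient to the device with the smallest probability of successful attack, so a threat that gets through the hardest target is scored as the most severe, while rce, which never succeeded, sits at level 1. The economic-value weights come out as 2/9, 2/3 and 1/9 for web, db and fw.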
Building on this defense performance evaluation method, in practical application the invention further designs a mirror image device importance detection method for obtaining the importance value of a target mirror image device, executed as the following steps i to ii.
Step i. Determine each mirror image device within the defense range corresponding to the target mirror image device to form the defense mirror image device set of the target device; then proceed to step ii.
Step ii. Treat the defense mirror image device set corresponding to the target mirror image device as a network target range and execute steps A to E on it to obtain its defense performance result, which is taken as the importance value of the target mirror image device.
In addition, in practical application the invention further designs a mirror image device deployment importance detection method for the quantitative detection of mirror image device deployment importance in a network target range; it builds on the execution of steps A to C and further executes the following steps I to IV.
Step I. For each mirror image device in the network target range, obtain from its complete threat path the response result quantized value of the device for each different type of potential threat in that path; then proceed to step II.
Step II. For each mirror image device in the network target range, normalize the response result quantized values of the device for the different types of potential threat in its complete threat path, and take the normalization results as the influence weights corresponding to the respective response result quantized values; then proceed to step III.
Step III. For each mirror image device in the network target range, according to the following formula:
Figure GDA0002757650060000102
obtain the defense effect corresponding to each mirror image device in the network target range; in the formula,
Figure GDA0002757650060000103
is the response result quantized value of the $n$th mirror image device for the $l_n$th type of potential threat in its complete threat path,
Figure GDA0002757650060000104
is the influence weight corresponding to that response result quantized value of the $n$th mirror image device for the $l_n$th type of potential threat in its complete threat path, and
Figure GDA0002757650060000105
is the defense effect corresponding to the $n$th mirror image device in the network target range; then proceed to step IV.
Step IV. According to the following formula:
Figure GDA0002757650060000111
obtain the quantitative detection result $I_{dq}$ of mirror image device deployment importance in the network target range.
In application, once the importance value of each mirror image device in the network target range and the quantitative detection result $I_{dq}$ of mirror image device deployment importance have been obtained, a larger value for a mirror image device means a higher degree of importance of that device in the defense system. If two mirror image devices have the same combination of mirror image devices in their respective defense ranges, the severity of the potential threats to be defended and the corresponding risk of those threats are also the same, and the larger the importance value of a mirror image device, the more types of threat it can defend against. If both mirror image devices can defend against the threats faced by the devices in their defense ranges, the defense effect value of a single mirror image device is 1, and the larger the importance value or $I_{dq}$ of the device, the higher the total economic value of the assets protected by that security device.
The defense effectiveness evaluation method for the network target range is designed around two dimensions: the severity of the potential threat risk and the response actions of devices with defense functions during attack defense. It evaluates both design defects of the defense system and problems in the actual operation of the devices, quantifies the defense effect and thereby gives an objective evaluation of defense effectiveness. It supports defense effectiveness evaluation under different application scenarios and security risk definition standards without separate modeling analysis for each specific scenario, evaluates the effectiveness of a system's defense strategy quantitatively, and is more comprehensive and controllable than having security personnel simulate network attack behaviour by penetration testing. It also helps determine the relationship between network security devices and the protected assets, between security threats and defenses, and between security devices and the overall defense system, achieving an objective assessment of defense effectiveness.
The embodiments of the present invention have been described in detail with reference to the drawings, but the present invention is not limited to the above embodiments, and various changes can be made within the knowledge of those skilled in the art without departing from the gist of the present invention.

Claims (6)

1. A defense effectiveness evaluation method applied to a network target range, characterized in that it comprises a method for detecting the defense effectiveness of the network target range, comprising the following steps:
step A, taking a preset time span starting from the initial-state moment of the network target range as the detection period and, for each mirror image device in the range, recording the complete threat path that the device follows from its initial state to its final state while passing through each potential threat in turn during the detection period:

$$P_n = \{\, s_{n1},\ e_{n1},\ s_{n2},\ \ldots,\ e_{n,m-1},\ s_{nm},\ \ldots,\ e_{n,M-1},\ s_{nM} \,\}$$

where $n \in \{1, \ldots, N\}$ and $N$ is the total number of mirror image devices in the range; $s_{n1}$ is the initial state of the $n$th mirror image device; $m \in \{1, \ldots, M\}$ and $M$ is the total number of states of the device during the detection period; $e_{n,m-1}$ is the $(m-1)$th potential threat the $n$th device passes through; $s_{nm}$ is the state of the $n$th device after the $(m-1)$th potential threat; $s_{nM}$ is its state after the $(M-1)$th potential threat, i.e. its last state in the detection period; and $P_n$ is the complete threat path of the $n$th device through each potential threat in turn, from its initial state to its final state, within the detection period; then proceed to step B;
step B, for each mirror image device in the network target range, using the complete threat path of the device and the following formula:
Figure FDA0002757650050000011
to obtain the probability that each mirror image device is successfully attacked, where $1 < j \le k$, $k \ge i$ and $i \le M$; $a_{nk}$ is the probability that the $n$th mirror image device successfully transitions from its $k$th state to the next state within the detection period, $b_{nk}$ is the probability that the $n$th mirror image device does not successfully transition from its $k$th state to the next state within the detection period, and $P_{nt}$ is the probability that the $n$th mirror image device is successfully attacked; then proceed to step C;
step C, from the probability of successful attack corresponding to each mirror image device, obtaining the risk level of each different type of potential threat involved in the complete threat paths of the mirror image devices; then proceed to step D;
step D, for each mirror image device in the network target range, obtaining each different type of potential threat the device passes through in its complete threat path and, from that path, obtaining the defense result of the device against each of those types of potential threat under the device's probability of successful attack; then proceed to step E;
step E, according to the following formula:
Figure FDA0002757650050000021
to obtain the defense performance result $S$ of the network target range, where $w_n$ is the weight of the $n$th mirror image device in the range, $l_n \in \{1, \ldots, L_n\}$, $L_n$ is the number of different types of potential threat in the complete threat path of the $n$th mirror image device, $l_n$ denotes the $l_n$th type of potential threat in that path,
Figure FDA0002757650050000022
is the defense result of the $n$th mirror image device against the $l_n$th type of potential threat in its complete threat path under its probability of successful attack $P_{nt}$, and
Figure FDA0002757650050000023
is the risk level of the $l_n$th type of potential threat in the complete threat path of the $n$th mirror image device.
2. The method for evaluating defense effectiveness applied to a network target range according to claim 1, characterized in that step C comprises the following steps:
step C1, sorting the mirror image devices in the network target range by their probability of successful attack, from small to large, to form the mirror image device ordering; then proceed to step C2;
step C2, normalizing the successful attack probabilities of the mirror image devices in the network target range to obtain the normalization results, then assigning those results, from large to small, as the coefficients of the successive mirror image devices in the ordering of step C1; then proceed to step C3;
step C3, for each different type of potential threat involved in the complete threat paths of all the mirror image devices, letting the threat attack each mirror image device in the network target range and taking the sum of the coefficients of the mirror image devices it successfully attacks as the risk result value of that potential threat; obtaining in this way the risk result value of each potential threat, then proceed to step C4;
step C4, sorting the potential threats by their risk result values from small to large and assigning each potential threat its ordinal position in this sorting, counted from 1, as its risk level.
3. The method of claim 1, characterized in that, in step D, the defense result is marked 1 if the attack succeeded and 0 if it did not, and the defense results of the mirror image device against the different types of potential threat, under the probability that the device is successfully attacked, are obtained from its complete threat path.
4. The method of claim 1, characterized in that, in step E, a normalization operation is performed on the preset economic value of each mirror image device in the network target range and each result is the weight of the corresponding mirror image device.
5. The method of claim 1, characterized in that it further comprises a mirror image device importance detection method for obtaining the importance value of a target mirror image device, comprising the following steps:
step i, determining each mirror image device within the defense range corresponding to the target mirror image device to form the defense mirror image device set of the target device; then proceed to step ii;
step ii, treating the defense mirror image device set corresponding to the target mirror image device as a network target range and executing steps A to E on it to obtain its defense performance result, which is taken as the importance value of the target mirror image device.
6. The method for evaluating defense effectiveness applied to a network target range according to claim 1 or 5, characterized in that it further comprises a mirror image device deployment importance detection method for the quantitative detection of mirror image device deployment importance in the network target range, which builds on the execution of steps A to C and further comprises the following steps I to IV;
step I, for each mirror image device in the network target range, obtaining from its complete threat path the response result quantized value of the device for each different type of potential threat in that path; then proceed to step II;
step II, for each mirror image device in the network target range, normalizing the response result quantized values of the device for the different types of potential threat in its complete threat path, and taking the normalization results as the influence weights corresponding to the respective response result quantized values; then proceed to step III;
step III, for each mirror image device in the network target range, according to the following formula:
Figure FDA0002757650050000031
obtaining the defense effect corresponding to each mirror image device in the network target range; in the formula,
Figure FDA0002757650050000032
is the response result quantized value of the $n$th mirror image device for the $l_n$th type of potential threat in its complete threat path,
Figure FDA0002757650050000033
is the influence weight corresponding to that response result quantized value of the $n$th mirror image device for the $l_n$th type of potential threat in its complete threat path, and
Figure FDA0002757650050000034
is the defense effect corresponding to the $n$th mirror image device in the network target range; then proceed to step IV;
step IV, according to the following formula:
Figure FDA0002757650050000035
obtaining the quantitative detection result $I_{dq}$ of mirror image device deployment importance in the network target range.
Application CN202010937894.2A, priority and filing date 2020-09-09: Defense efficiency evaluation method applied to network target range (Active; granted as CN111818102B).

Publications (2)

CN111818102A, published 2020-10-23
CN111818102B, published 2020-12-11

Legal Events

PB01 Publication
SE01 Entry into force of request for substantive examination
GR01 Patent grant
TR01 Transfer of patent right, effective date of registration 20240516
Patentee before: XINLIAN TECHNOLOGY (NANJING) Co.,Ltd., No.1, Dongji Avenue, Jiangning Economic and Technological Development Zone, Nanjing, Jiangsu Province, 210000, China
Patentee after: Beijing Mingbo Xin'an Information Technology Co.,Ltd., Room D04, Building 2, No. 28 Zhenxing Road, Science and Technology Park, Changping District, Beijing, 102299, China