CN112039914A - Network attack chain efficiency modeling method - Google Patents


Info

Publication number
CN112039914A
Authority
CN
China
Prior art keywords
attack
network
efficiency
chain
atomic
Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
Pending
Application number
CN202010930453.XA
Other languages
Chinese (zh)
Inventor
鲁可儿
胡扬
鲁智勇
郭军
Current Assignee (The listed assignees may be inaccurate. Google has not performed a legal analysis and makes no representation or warranty as to the accuracy of the list.)
63880 Unit Of Pla
Original Assignee
63880 Unit Of Pla
Application filed by 63880 Unit Of Pla
Priority to CN202010930453.XA
Publication of CN112039914A

Classifications

    • H ELECTRICITY > H04 ELECTRIC COMMUNICATION TECHNIQUE > H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L63/00 Network architectures or network communication protocols for network security
    • H04L63/14 Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic
    • H04L63/1408 ... for detecting or protecting against malicious traffic by monitoring network traffic
    • H04L63/12 Applying verification of the received information
    • H04L63/123 Applying verification of the received information: received data contents, e.g. message integrity
    • H04L63/1433 Vulnerability analysis
    • H04L63/1441 Countermeasures against malicious traffic
    • H04L41/00 Arrangements for maintenance, administration or management of data switching networks, e.g. of packet switching networks
    • H04L41/14 Network analysis or design
    • H04L41/145 Network analysis or design involving simulating, designing, planning or modelling of a network

Abstract

A network attack chain efficiency modeling method belongs to the technical field of network security and comprises the following steps: modeling atomic attack efficiency, network attack efficiency and network attack chain efficiency, where the network attack efficiency model is established on the basis of the atomic attack efficiency model; constructing a network host information security integrity test tree whose leaf nodes are the vulnerabilities present on each host of the target network, whose edges are the attack modes that exploit those vulnerabilities, whose intermediate nodes are the attack results produced by exploiting the child-node vulnerabilities, and whose root node is the network host information security integrity test itself; and finally constructing the network attack chain efficiency model from the optimal network host information security integrity test efficiency.

Description

Network attack chain efficiency modeling method
Technical Field
The invention belongs to the technical field of network security, and particularly relates to a network attack chain efficiency modeling method.
Background
Network host information security integrity is the property that network information is not added to, deleted or modified by illegitimate users. Guaranteeing information integrity is a basic requirement of information security; destroying it is one of the purposes of launching network attacks on an information system and a common means of affecting information security. An authorized network user who obtains write authority on a host in the network can write information to that host under a legitimate identity, whereas an unauthorized user who obtains write authority on a host through a network attack or other means can add, delete and modify the network information illegitimately, that is, the integrity of the information network is damaged. (The illegitimately obtained host information security integrity authority is divided, from high to low, into Root write authority and User write authority.)
Modeling and simulation techniques have been widely used in computer network security, both for carrying out network attacks and for attack testing and evaluation of network/host information security (mainly confidentiality, integrity and availability). A computer network attack is a targeted destructive action performed by an attacker against a specific system, and the complexity, timeliness and variability of the subjects and objects of network attacks determine the uncertainty and complexity of the attack process. At present the main methods for modeling and simulating network attack efficiency are attack trees, attack graphs and attack networks. Although these methods describe the network attack process well and help in studying the timing and logical relationships of an attack, when the security integrity of a single host in a given network is to be examined, the traditional modeling methods lack targeting when selecting a network attack scheme and have the following shortcomings, which are hard to overcome:
(1) Disorder in attack model generation. Traditional attack model generation algorithms do not fully consider the time efficiency and the result efficiency of an attack method, so the attack model lacks ordering, and an efficient test has to pay the cost of running a complex search algorithm over the attack model.
(2) Disregard for the probabilistic nature of network attacks. Because of the complexity and variability of the network and the varying experience of the attacker, every network attack has only some probability of success, so the number of attack attempts in an attack scheme must account for this probability; an attack cannot simply be assumed to succeed every time it is executed.
(3) Lack of targeting in attack scheme selection. Attack trees, attack graphs and attack networks are aimed at the whole network, whether for network security testing or for network attack; when the security integrity of one particular host needs to be checked, the traditional attack tree modeling method lacks targeting when the network attack scheme is selected.
To solve the network attack efficiency modeling problem, the invention establishes a network attack efficiency model on the basis of an atomic attack efficiency model, generates a network host information security integrity test vulnerability chain, establishes a network attack chain efficiency model, and thereby efficiently realizes attack testing of network host information security integrity. The network attack efficiency modeling method of the invention can be widely applied in computer network security for network security attack testing and network security evaluation.
Disclosure of Invention
The invention provides a network attack chain efficiency modeling method addressing the weak targeting and lack of effectiveness of traditional network attack efficiency modeling methods when a network host information security integrity attack test scheme is selected. The specific steps are as follows:
Step 1, modeling atomic attack efficiency
The atomic attack efficiency represents the time consumed to complete one successful atomic attack under ideal attack conditions. Thus the atomic attack efficiency model is:
efficiency_atom = time / probability
where time is the time taken to complete one successful atomic attack and probability is the probability that the atomic attack succeeds. (efficiency_atom is a cost: a smaller value means a more efficient attack.)
Step 2, modeling network attack efficiency
One network attack is a combination of several atomic attacks, and according to the relationship among the atomic attacks the network attack efficiency model is:
(1) if the relationship between the i atomic attacks of the network attack is logical OR, the smallest of the i atomic attack costs is taken as the network attack efficiency:
network attack efficiency = min_{1≤j≤i} efficiency_atom(j)
(2) if the relationship between the i atomic attacks of the network attack is logical AND, the largest of the i atomic attack costs is taken as the network attack efficiency:
network attack efficiency = max_{1≤j≤i} efficiency_atom(j)
(3) if the relationship between the i atomic attacks of the network attack is sequential AND ("SAND"), the sum of the i atomic attack costs is taken as the network attack efficiency:
network attack efficiency = Σ_{j=1}^{i} efficiency_atom(j)
Step 3, modeling network attack chain efficiency
The network attack chain efficiency is defined as the sum of all network attack efficiencies on the vulnerability chain:
efficiency_link = Σ_{k=1}^{n} (network attack efficiency)_k
where n is the number of network attacks on the vulnerability chain.
In particular, after step 3 the method further includes step 4: constructing a Network Host information Security Integrity Test Tree (NHSITT); a vulnerability chain is formed by the path from a leaf node of the test tree to the root node of the tree, that is, by the intermediate-node vulnerabilities passed through and the edges representing the attack modes.
In particular, the method further includes step 5: constructing the network host information security integrity test vulnerability chain according to the efficiency-first principle, with the following generation rules:
(1) if two vulnerability chains are identical after a certain node, their identical parts are merged in the test tree and their differing parts are combined under a logical OR relationship;
(2) if the relationship between vulnerability nodes is logical OR, the atomic attack with the smaller cost efficiency_atom is placed on the left branch of the node; if the relationship is logical AND, the atomic attack with the larger cost efficiency_atom is placed on the left branch of the node; if the relationship is sequential AND ("SAND"), the atomic attacks are executed in their attack order;
(3) the vulnerability chain that obtains the higher control authority in the network attack is placed on the left branch of the tree.
Drawings
FIG. 1 is a flow chart of an implementation of the present invention;
FIG. 2 is a diagram illustrating relationships between nodes of a network host information security integrity test tree according to the present invention;
FIG. 3 is a tree structure for testing the information security integrity of a network host according to the present invention;
FIG. 4 is a diagram of a test network topology according to the present invention;
FIG. 5 is the network host information security integrity test tree for the core database server according to the present invention.
Detailed Description
Referring to FIG. 1, the implementation flow chart of the invention, each part is implemented as follows:
Step 1, modeling atomic attack efficiency
The atomic attack efficiency represents the time consumed to complete one successful atomic attack under ideal attack conditions.
Thus the atomic attack efficiency model is:
efficiency_atom = time / probability
where efficiency_atom is the atomic attack cost, time is the time consumed to complete one successful atomic attack, and probability is the probability that the atomic attack succeeds.
Step 2, modeling network attack efficiency
A network attack is a combination of several atomic attacks, and according to the logical relationship among the atomic attacks the network attack efficiency model is:
(1) if the relationship between the i atomic attacks of the network attack is the OR operation "OR", the smallest of the i atomic attack costs is taken as the network attack efficiency:
network attack efficiency = min_{1≤j≤i} efficiency_atom(j)
(2) if the relationship between the i atomic attacks of the network attack is the AND operation "AND", the largest of the i atomic attack costs is taken as the network attack efficiency:
network attack efficiency = max_{1≤j≤i} efficiency_atom(j)
(3) if the relationship between the i atomic attacks of the network attack is the sequential AND operation "SAND", the sum of the i atomic attack costs is taken as the network attack efficiency:
network attack efficiency = Σ_{j=1}^{i} efficiency_atom(j)
Step 3, modeling network attack chain efficiency
The network attack chain efficiency is defined as the sum of all network attack efficiencies on the vulnerability chain:
efficiency_link = Σ_{k=1}^{n} (network attack efficiency)_k
where n is the number of network attacks on the vulnerability chain.
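The efficiency model of steps 1 to 3 (stated in the Disclosure and repeated here) worked through in Python, as an added example that is not code from the patent. The attack names, the probability and time values, and the core database test chain are taken from Table 1 and step 6 of this page; the function names and the dictionary layout are the example's own.

```python
"""Steps 1-3 of the page's efficiency model, worked with Table 1's values."""
from typing import Sequence

# Constructed input: (time in seconds, success probability) per atomic attack,
# copied from Table 1 of the page.
TABLE_1 = {
    "Serv-U overflow": (120, 0.50),
    "SQL empty password": (80, 0.40),
    "browser overflow": (120, 0.50),
    "Telnet sniffing": (180, 0.50),
    "run virus file": (120, 0.40),
    "web page trojan": (80, 0.50),
    "directory traversal": (280, 0.50),
}

# The page's test chain against the core database server (step 6), leaf -> root.
CORE_DB_CHAIN = ["SQL empty password", "browser overflow",
                 "run virus file", "directory traversal"]


def efficiency_atom(time_s: float, probability: float) -> float:
    """Step 1: efficiency_atom = time / probability, the expected time until one
    atomic attack succeeds. It is a cost: smaller means more efficient."""
    if not 0.0 < probability <= 1.0:
        raise ValueError("probability must lie in (0, 1]; 0 would never succeed")
    if time_s < 0:
        raise ValueError("time cannot be negative")
    return time_s / probability


def efficiency_attack(costs: Sequence[float], relation: str) -> float:
    """Step 2: one network attack combines i atomic attacks.
    OR   -> the cheapest alternative is chosen          (min)
    AND  -> all are needed; the dearest one dominates   (max)
    SAND -> all are needed, in order; costs accumulate  (sum)"""
    if not costs:
        raise ValueError("a network attack needs at least one atomic attack")
    if relation == "OR":
        return min(costs)
    if relation == "AND":
        return max(costs)
    if relation == "SAND":
        return sum(costs)
    raise ValueError(f"unknown relation {relation!r}")


def efficiency_link(attack_costs: Sequence[float]) -> float:
    """Step 3: efficiency_link = sum of the n network-attack efficiencies on the chain."""
    return sum(attack_costs)


def atom_cost(name: str) -> float:
    """efficiency_atom of a Table 1 attack, looked up by its vulnerability name."""
    time_s, probability = TABLE_1[name]
    return efficiency_atom(time_s, probability)


def core_db_chain_cost() -> float:
    """Every hop of the page's chain is one atomic attack, so each hop's network
    attack efficiency equals its atomic cost: 200 + 240 + 300 + 560 = 1300 s."""
    return efficiency_link([atom_cost(name) for name in CORE_DB_CHAIN])


def web_server_2_entry_cost(relation: str) -> float:
    """WEB server 2 has two exploitable vulnerabilities in Table 1. Under OR the
    attacker takes the cheaper one (160 s); under AND both are required (300 s);
    under SAND both are run in order (460 s)."""
    return efficiency_attack([atom_cost("run virus file"),
                              atom_cost("web page trojan")], relation)


if __name__ == "__main__":
    for name in TABLE_1:
        print(f"{name:20s} efficiency_atom = {atom_cost(name):6.1f} s")
    for relation in ("OR", "AND", "SAND"):
        print(f"WEB server 2 entry under {relation:4s}: {web_server_2_entry_cost(relation):.1f} s")
    print(f"core database chain efficiency_link: {core_db_chain_cost():.1f} s")
```

Dividing by the success probability is what turns the page's "time" into an expected cost; a 40 % attack that takes 80 s is costed at 200 s because on average it must be attempted 2.5 times. The probability guard matters in practice: a scanned vulnerability with no working attack mode (probability 0) must be excluded from the chain rather than costed as infinitely expensive.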
Step 4, constructing the Network Host information Security Integrity Test Tree (NHSITT)
The root node of the network host information security integrity test tree is the goal of destroying the integrity of a host in the target network; the remaining nodes represent the vulnerabilities of the network hosts that are exploited to reach the root goal (leaf nodes represent the vulnerabilities present in the network, intermediate nodes represent the attack results produced by exploiting the child-node vulnerabilities), and the edges between nodes represent the atomic attacks that exploit a child node's vulnerability in order to reach its parent node.
In the test tree, viewed from the attack process, a vulnerability chain is the path taken to achieve the root goal: from a leaf node of the test tree to the root node of the tree, through the intermediate-node vulnerabilities passed and the edges representing the attack modes.
By assigning attributes to each node, basic calculations over the tree structure describe the various ways of exploiting vulnerabilities against the overall goal. For a given test tree, an attack path that reaches the root goal can be found from a chosen leaf node, achieving a high attack effect at a low cost.
In the test tree, completing one goal depends on completing several sub-goals, and the relationship among the sub-goals is one of OR, AND and sequential AND (SAND). An OR node means any one of several methods suffices to reach the goal; an AND node means the parent goal is complete only after all child goals are complete; a SAND node means all child goals must be completed in order for the parent goal to be complete.
The relationships between test tree nodes (TTN, Test Tree Node) are shown in FIG. 2.
Modeling by the purpose and effect of the network attack, the test tree model provides a goal-oriented traversal method for describing multi-stage vulnerability exploitation attacks. The test tree determines, in the simplest form, the sub-goals needed to achieve the final attack goal; every attack mode can be classified as OR, AND or sequential AND (SAND), and related and unrelated attack conditions can be identified from these. Each exploitation mode can reflect its attack success probability or time efficiency through a weight.
The structure of the test tree is shown in FIG. 3. Leaf nodes are vulnerabilities present in the network system, and intermediate nodes are the results of attacks that lead to deeper exploitation.
The tree can be written NHSITT(IP_addr), where IP_addr is the IP address of the target host in the network, and the return value of executing NHSITT(IP_addr) is the write authority obtained on the target host.
The edges of the test tree represent attack modes that exploit vulnerabilities; for convenience the attack mode is described in the node attributes, so the test tree node attribute quintuple is defined as:
TTN = (source_IP, dest_IP, precondition, relation, attack)
source_IP: the IP address of the host that owns the node's vulnerability.
dest_IP: the IP address of the attacked target host in the network.
precondition: the vulnerability or attack effect of the tree node (the result of the previous attack is the condition of the deeper attack).
Vulnerabilities of the same type on different hosts are treated as distinct in the test tree, so the precondition is a duplet:
precondition = (source_IP, vulnerability)
where vulnerability denotes the vulnerability. A network scanning system scans the target network, and the vulnerability library Vulnerability_set is formed from the duplets of every scanned vulnerability (including attack effects) and the network address of the host that has it; precondition ∈ Vulnerability_set.
relation: the relationship between this node and the other nodes under the same parent node, one of "OR", "AND" and "SAND": relation ∈ {"OR", "AND", "SAND"}.
attack: the network attack mode that uses the precondition.
The attack mode library Attack_mode is formed from commonly used, representative network attack modes. Attack_mode must contain an attack mode for every vulnerability in Vulnerability_set; if the attack test mode for some vulnerability is not in Attack_mode, test code has to be downloaded from the Internet or written.
attack ∈ Attack_mode, and an attack is represented by the six-tuple:
attack = (precondition, postcondition, time, probability, relation, attackrelating[])
precondition: the same as the precondition in the TTN, namely the vulnerability exploited by the attack. The relation TTN->attack->precondition = TTN->precondition holds.
postcondition: the effect the node must obtain after the attack completes. If the obtained effect is the final goal of the attack, namely read authority, write authority, or the host being denied service, the node points to the root node of the tree.
The final goal is defined as obtaining the host's read authority, obtaining its write authority, or making the host deny service.
If the obtained effect is not the final goal, exploiting the node's vulnerability yields a springboard for a deeper attack; the node then points to the tree node whose precondition is this postcondition, and the postcondition is added to the vulnerability library Vulnerability_set with precondition->vulnerability = postcondition and precondition->source_IP = dest_IP.
The whole test tree is built by linking on the postcondition.
time: the time consumed by one successful attack; an empirical statistic.
probability: the probability that the attack succeeds; an empirical statistic.
relation: the relationship between this attack and the other atomic attacks, "OR", "AND" or "SAND". The relation TTN->attack->relation = TTN->relation holds.
attackrelating[]: the array of atomic attacks that stand in the "OR", "AND" or "SAND" relationship with this attack:
when the relation is "OR", the array is empty;
when the relation is "AND", the atomic attacks are stored in the array in descending order of atomic attack cost;
when the relation is "SAND", the atomic attacks are stored in the array in the order in which the attacks occur.
Step 5, constructing the network host information security integrity test vulnerability chain according to the efficiency-first principle
Efficiency in generating the test vulnerability chain has two aspects, time efficiency and result efficiency: time efficiency means the time needed to complete the attack is as short as possible; result efficiency means the authority obtained by the attack is as high as possible. Starting from attack efficiency, the test chain generation rules are:
(1) if two vulnerability chains are identical after a certain node, their identical parts are merged in the test tree and their differing parts are combined under an "OR" relationship;
(2) if the relationship between vulnerability nodes is "OR", the atomic attack with the smaller cost efficiency_atom is placed on the left branch of the node; if it is "AND", the atomic attack with the larger cost efficiency_atom is placed on the left branch of the node; if it is "SAND", the atomic attacks are executed in their attack order;
(3) the vulnerability chain that obtains the higher control authority in the network attack is placed on the left branch of the tree, where control authority includes operation control authority such as read, write, add and delete;
(4) the vulnerability chain with the smaller efficiency_link is placed on the left branch of the tree; this rule is weaker than rule (3).
According to the above rules, the efficiency-first host information security attribute test tree algorithm is described as follows:
[Algorithm 1] Efficiency-First network host information security attribute Test Tree Generation (EFTTG)
EFTTG(IP_addr, attribute, VL_set)
while (VL_set ≠ NULL)
{
① take one vulnerability chain link from the vulnerability chain set VL_set;
② if the root target network address of the vulnerability chain link is not IP_addr, go to ⑥;
③ attribute ∈ {Confidentiality, Integrity, Availability}; when attribute is Integrity, the host information security integrity test tree NHSITT(IP_addr) is generated;
④ according to the root target authority of the vulnerability chain link: when the root target authority is a write authority, add the vulnerability chain link to NHSITT(IP_addr);
⑤ according to the level of the root target authority of the vulnerability chain link, in the corresponding vulnerability tree:
merge the vulnerability chains whose rear parts are identical, and combine the differing parts under an OR relationship;
place the vulnerability chain with the higher authority on the left branch of the tree;
place the vulnerability chain with the smaller efficiency_link on the left branch of the tree;
⑥ return;
}
Generating the complete network host information security test vulnerability chain: the network host information security integrity test tree is constructed according to the efficiency-first principle, so the leftmost test chain of the tree takes the shortest time to attack-test the integrity of the target host's information security and obtains the highest result. The vulnerabilities on that test chain and the network addresses of the hosts holding them form duplets (vulnerability, source_IP), and the test chain yields the network host information security integrity test vulnerability chain as the sequence of duplets ordered from leaf node to root node:
(vulnerability_1, source_IP_1) -> (vulnerability_2, source_IP_2) -> ... -> (vulnerability_n, source_IP_n).
Because an information network changes dynamically, new vulnerabilities may appear and old vulnerabilities may be patched, in which case the test tree changes. The insertion and deletion algorithms for a vulnerability precondition are described below, taking the NHSITT of the host with address IP_addr as a simple example.
[Algorithm 2] InsertVulnerability(NHSITT(IP_addr), precondition)
{
① taking the vulnerability precondition as the leaf node of a vulnerability chain, construct all new vulnerability chain links according to the attack mode library Attack_mode, forming the vulnerability chain set VL_set;
② traverse the vulnerability chain set VL_set; if the root target of a vulnerability chain link is a write authority and the network address of the root target is IP_addr:
add the vulnerability chain link to NHSITT(IP_addr);
according to the level of the root target authority of the vulnerability chain link, in the corresponding vulnerability tree:
merge the vulnerability chains whose rear parts are identical in the test tree, and combine the differing parts under an OR relationship;
place the vulnerability chain with the higher authority on the left branch of the tree;
place the vulnerability chain with the smaller efficiency_link on the left branch of the tree;
}
[Algorithm 3] DeleteVulnerability(NHSITT(IP_addr), precondition)
do {
① take one node out of NHSITT(IP_addr);
② when the vulnerability of the node is precondition:
if the branch on which the node lies has no node in an OR relationship, cut off the branch;
if the branch on which the node lies has a node in an OR relationship, cut off the OR branch that contains the node;
} while (NHSITT(IP_addr) still has unvisited nodes)
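The efficiency-first tree construction of steps 4 and 5 and Algorithms 1 to 3, as an added Python example that is not the patent's code. CHAIN_A is the page's own test chain for the core database server (step 6), costed per hop with the time/probability values of Table 1; chains B and C, the office-host address 192.168.1.4, the authority levels attributed to B and C, and every class and function name are assumptions made for this example. The tree keeps its list of chains and rebuilds after each insert or delete; cutting the OR branch that holds a patched vulnerability (Algorithm 3) then reduces to dropping every chain that passes through that precondition.

```python
"""Efficiency-first NHSITT (steps 4-5, Algorithms 1-3) as a runnable example."""
from dataclasses import dataclass, field
from typing import List, Optional, Tuple
Hop = Tuple[str, str]  # (vulnerability, source_IP): the page's precondition duplet
AUTHORITY_RANK = {"root write": 2, "user write": 1}  # page: Root write > User write

@dataclass
class Chain:
    hops: List[Hop]          # leaf -> root order
    authority: str           # write authority obtained on the target host
    efficiency_link: float   # sum of the network-attack efficiencies on the chain

@dataclass
class Node:
    key: Optional[Hop]                                     # None = root target
    children: List["Node"] = field(default_factory=list)   # OR branches, left first
    authority: int = 0                 # highest authority reachable below this node
    efficiency: float = float("inf")   # smallest efficiency_link below this node

class NHSITT:
    """Network host information security integrity test tree for one IP_addr."""
    def __init__(self, ip_addr: str) -> None:
        self.ip_addr = ip_addr
        self.chains: List[Chain] = []
        self.root = Node(None)

    def insert(self, chain: Chain) -> None:
        """Algorithm 1 step 4 / Algorithm 2 step 2: only write authority on IP_addr enters."""
        if chain.hops[-1][1] != self.ip_addr or chain.authority not in AUTHORITY_RANK:
            return
        self.chains.append(chain)
        self._rebuild()

    def delete(self, precondition: Hop) -> None:
        """Algorithm 3: cut every OR branch (chain) that holds the patched vulnerability."""
        self.chains = [c for c in self.chains if precondition not in c.hops]
        self._rebuild()

    def _rebuild(self) -> None:
        self.root = Node(None)
        for chain in self.chains:
            rank, node = AUTHORITY_RANK[chain.authority], self.root
            self._note(node, rank, chain.efficiency_link)
            # Rule (1): walk root -> leaf so chains with the same rear part share
            # nodes; the first differing hop opens a new OR branch.
            for hop in reversed(chain.hops):
                child = next((c for c in node.children if c.key == hop), None)
                if child is None:
                    child = Node(hop)
                    node.children.append(child)
                self._note(child, rank, chain.efficiency_link)
                node = child
        self._order(self.root)

    @staticmethod
    def _note(node: "Node", rank: int, efficiency: float) -> None:
        node.authority = max(node.authority, rank)
        node.efficiency = min(node.efficiency, efficiency)

    def _order(self, node: Node) -> None:
        # Rule (3) before rule (4): higher authority left; then smaller efficiency_link left.
        node.children.sort(key=lambda c: (-c.authority, c.efficiency))
        for child in node.children:
            self._order(child)

    def leftmost_chain(self) -> List[Hop]:
        """The leftmost test chain: highest result in the shortest time (leaf -> root)."""
        hops, node = [], self.root
        while node.children:
            node = node.children[0]
            hops.append(node.key)
        return list(reversed(hops))

# Constructed chains against the core database server 192.168.1.3, costed with
# Table 1 values (time / probability per hop). CHAIN_A is the page's own chain;
# B, C, the address 192.168.1.4 and the authorities of B and C are assumptions.
CHAIN_A = Chain([("SQL empty password", "192.168.0.2"), ("browser overflow", "192.168.1.5"),
                 ("run virus file", "192.168.1.2"), ("directory traversal", "192.168.1.3")],
                "root write", 200 + 240 + 300 + 560)
CHAIN_B = Chain([("SQL empty password", "192.168.0.2"), ("browser overflow", "192.168.1.5"),
                 ("web page trojan", "192.168.1.2"), ("directory traversal", "192.168.1.3")],
                "user write", 200 + 240 + 160 + 560)   # cheaper than A, lower authority
CHAIN_C = Chain([("Telnet sniffing", "192.168.1.4"), ("browser overflow", "192.168.1.5"),
                 ("run virus file", "192.168.1.2"), ("directory traversal", "192.168.1.3")],
                "root write", 360 + 240 + 300 + 560)   # same authority as A, dearer

def build_example_tree() -> NHSITT:
    """Insertion order must not matter: A must come out leftmost (rule 3 beats rule 4)."""
    tree = NHSITT("192.168.1.3")
    for chain in (CHAIN_B, CHAIN_C, CHAIN_A):
        tree.insert(chain)
    return tree

def leftmost_after_patch(precondition: Hop) -> List[Hop]:
    """Patch one vulnerability (Algorithm 3) and read the new leftmost test chain."""
    tree = build_example_tree()
    tree.delete(precondition)
    return tree.leftmost_chain()
```

Walking each chain from the root backwards is what makes rule (1) fall out naturally: all three chains end on the core database server, so they share the root-side node, and the first hop where they differ (the WEB server 2 vulnerability, or the entry host) becomes an OR branch. Ordering branches by authority first and cost second keeps the cheaper user-write chain B to the right of A; patching "run virus file" on 192.168.1.2 removes both A and C, and B becomes the leftmost chain.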
Step 6, attack test application example based on the network host information security integrity test vulnerability chain
To verify the performance of the host information security integrity test vulnerability chain, the network platform of an information network is used as the test environment; its topology is shown in FIG. 4.
In FIG. 4, router 1 is connected to the Internet and to the firewall. The firewall uses three network interfaces: port 1 connects to router 1, port 2 connects to switch 1 in the DMZ (demilitarized zone), and port 3 connects to intranet router 2. Because different resources need different levels of protection, the firewall configuration divides the network into three segments: the extranet, the DMZ and the intranet. The DMZ is a special network region that is neither extranet nor intranet. Public servers that hold no confidential information, such as Web, Mail and FTP servers, are usually placed in the DMZ so that extranet visitors can reach the services in the DMZ but not the confidential or private company information stored in the intranet; even if a server in the DMZ is compromised, the confidential information in the intranet is not affected.
The intranet hosts WEB server 2 and the core database server, which are accessible only to internal users. Both the office host and the administrator host can reach WEB server 2, but with different authority: the office host has read authority on WEB server 2 only, while the administrator host has read and write configuration authority on it. Read and write access to the core database is allowed only from WEB server 2, so the administrator must log in to WEB server 2 remotely and manage the core database through it.
The firewall enforces the following six access control policies:
(1) The intranet may access the extranet: intranet users obviously need free access to the extranet. Under this policy the firewall performs source address translation.
(2) The intranet may access the DMZ: this lets intranet users use and manage the servers in the DMZ.
(3) The extranet may not access the intranet: the intranet holds company-internal data that extranet users must not reach.
(4) The extranet may access the DMZ: the servers in the DMZ exist to provide services to the outside, so the extranet must be able to reach them. When the extranet accesses the DMZ, the firewall translates the external address to the server's actual address.
(5) The DMZ may not access the intranet: if this policy were violated, an intruder who has compromised the DMZ could go on to attack important intranet data.
(6) The DMZ may not access the extranet: this policy has exceptions, for example a mail server placed in the DMZ must be able to reach the extranet or it will not work properly.
The network vulnerabilities and attack rights are shown in table 1.
TABLE 1 Vulnerabilities and attack authority of the test network
Network device | Exploitable vulnerability | Attack mode | Authority obtained | Probability | Time
FTP server | Serv-U overflow vulnerability | Overflow attack | System read-write authority | 50% | 120 s
WEB server 1 | SQL empty password | Direct exploitation | System read-write authority | 40% | 80 s
Administrator host | Browser overflow | Overflow, planting a reverse Trojan | User read-write authority | 50% | 120 s
Office host | Telnet | Network sniffing | System read authority | 50% | 180 s
WEB server 2 | Running a virus-infected file | Virus-infected reverse Trojan | System read-write authority | 40% | 120 s
WEB server 2 | Web page trojan (drive-by download) | Web page trojan delivering a reverse Trojan | User write authority | 50% | 80 s
Core database server | Directory rights management | Directory traversal attack | System read-write authority | 50% | 280 s
An attack on the integrity of the core database server is made and the host information security integrity test tree generated by the NHSITT (192.168.1.3) is shown in fig. 5.
Wherein, the Attack _ mode (1) is an Sql empty password Attack mode; the attach _ mode (2) is an overflow planting reverse Trojan Attack mode; attack _ mode (3) is a virus infection reverse Trojan horse Attack mode; attack _ mode (4) is a root directory traversal Attack mode; attack _ mode (5) is a Serv-U overflow Attack mode; attack _ mode (6) is a network monitoring Attack mode; the attach _ mode (7) is a WEB-hung reverse Trojan Attack mode; attack _ mode (8) is a user directory write authority management Attack mode; attack _ mode (9) is a root directory read permission management Attack mode; attack _ mode (10) is a root directory rights management Attack mode; attack _ mode (11) is an unrecoverable denial of service Attack; attack _ mode (12) is a user directory rights management Attack mode; attack _ mode (13) is a recoverable denial of service Attack.
In fig. 5, following the efficiency-priority principle, an attacker can obtain the maximum integrity access right on the core database server; the candidate attack sequences are listed in table 2.
TABLE 2 Attack sequence list
Figure BDA0002670021580000121 (table 2 is reproduced only as an image in the original)
Running the network attack testing algorithm on the NHSITT for 192.168.1.3 shows that attack sequence 1-2-3-4 has the highest outcome efficiency and the highest time efficiency for obtaining integrity access to the core database server. The resulting host information security integrity test vulnerability chain is: (SQL empty password, 192.168.0.2) -> (browser overflow, 192.168.1.5) -> (run virus-infected file, 192.168.1.2) -> (directory rights management, 192.168.1.3).
Like the test tree proposed in this patent, the attack tree, attack graph and attack network built by traditional methods aim at network security testing or network attack. In attack tree, attack graph and attack network modeling, a traversal search is required to find the attack scheme with the maximum success probability; all attacks must be traversed in order to assess the security of the network; and the minimum-cost attack scheme for obtaining control of a given host cannot be selected in a targeted way. The method of generating a network host information security integrity test vulnerability chain on the basis of the test tree can, for a given network attack or network security test scheme, obtain the maximum integrity access right on a network host with the highest efficiency, and models and attacks the integrity of a single network host to complete the attack or security test on the target host.
Those skilled in the art will appreciate that all or part of the processes for implementing the above embodiments may be implemented by a computer program, which is stored in a computer readable storage medium, to instruct associated hardware. The computer readable storage medium is a magnetic disk, an optical disk, a read-only memory or a random access memory.
The above description is only for the preferred embodiment of the present invention, but the scope of the present invention is not limited thereto, and any changes or substitutions that can be easily conceived by those skilled in the art within the technical scope of the present invention are included in the scope of the present invention.

Claims (4)

1. A network attack chain efficiency modeling method is characterized by comprising the following steps:
step 1, modeling of atomic attack efficiency
Establishing an atomic attack efficiency model: efficiency_atom = time / probability, where time is the time it takes to complete one successful atomic attack and probability is the probability that the atomic attack succeeds;
step 2, modeling network attack efficiency
One network attack is a combination of several atomic attacks; according to the relationship among the atomic attacks, the network attack efficiency model is as follows:
(1) if the relationship between the i atomic attacks of the network attack is logical OR ("OR"), the smallest of the i atomic attack costs is chosen as the network attack efficiency:
Figure FDA0002670021570000011
(2) if the relationship between the i atomic attacks of the network attack is logical AND ("AND"), the largest of the i atomic attack costs is chosen as the network attack efficiency:
Figure FDA0002670021570000012
(3) if the relationship between the i atomic attacks of the network attack is sequential AND ("SAND"), the sum of the i atomic attack costs is chosen as the network attack efficiency:
Figure FDA0002670021570000013
step 3, network attack chain efficiency modeling
The network attack chain efficiency is defined as the sum of the efficiencies of all network attacks on the vulnerability chain;
modeling the efficiency of the network attack chain:
Figure FDA0002670021570000014
where n is the number of network attacks on the vulnerability chain.
2. The network attack chain efficiency modeling method according to claim 1, further comprising after step 3:
step 4, constructing a network host information security integrity test tree (NHSITT): starting from a leaf node of the test tree and proceeding to the root node, the intermediate vulnerability nodes traversed and the edges representing attack modes form a vulnerability chain.
3. The network attack chain efficiency modeling method according to claim 2,
the network host information security integrity test tree takes the destruction of the integrity of a host in the target network as its goal and as the root node of the tree; the other nodes represent the vulnerabilities of hosts in the network that are exploited to reach the root; leaf nodes represent vulnerabilities existing in the network, intermediate nodes represent attack results obtained by exploiting the vulnerabilities of their child nodes, and each edge between nodes represents the atomic attack that exploits the child node's vulnerability to reach the parent node.
4. The network attack chain efficiency modeling method according to claim 2, characterized in that the method further comprises step 5:
constructing a network host information security integrity test vulnerability chain according to the efficiency-priority principle, with the following generation rules:
(1) if two vulnerability chains are identical after a certain node, their common parts are merged in the test tree and the differing parts are combined in a logical OR ("OR") relationship;
(2) when the relationship between the vulnerability nodes is logical OR, the atomic attack with the smaller cost efficiency_atom is placed on the left branch of the node; when the relationship is logical AND, the atomic attack with the larger efficiency_atom is placed on the left branch of the node; when the relationship is sequential AND ("SAND"), the atomic attacks are arranged in the order of the attack sequence;
(3) the vulnerability chain that obtains the higher control authority in the network attack is placed on the left branch of the tree;
where, subject to rule (3), the vulnerability chain with the smaller efficiency_link is placed on the left branch of the test tree.
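As an added worked example (not code from the patent or from its applicant), the following Python implements the efficiency model of claims 1 to 4 and exercises it on the values of Table 1 in the description: efficiency_atom = time / probability, the OR / AND / SAND combination rules, the chain sum efficiency_link, and the left-branch ordering rules of claim 4. The time and probability figures are those of Table 1; the host labels, function names, and the modelling of the reported sequence 1-2-3-4 as four single-atom network attacks executed in sequence are assumptions made here. Table 2 is only an image on the page, so the example does not reproduce the comparison of alternative sequences; it shows how the chain cost a defender would use to prioritise remediation is computed.

```python
"""Attack-chain efficiency model from claims 1-4, exercised on the Table 1 values."""
from dataclasses import dataclass
from typing import Dict, List, Sequence, Tuple

# Relation between the atomic attacks of one network attack (claim 1, step 2):
# "OR" (any one suffices), "AND" (all needed), "SAND" (all needed, in sequence).
Relation = str


@dataclass(frozen=True)
class AtomicAttack:
    """One atomic attack: exploiting one vulnerability on one host."""
    vulnerability: str
    host: str            # role label from Table 1, not a network address
    time_s: float        # time to complete one successful atomic attack (seconds)
    probability: float   # probability that the atomic attack succeeds

    def efficiency(self) -> float:
        """Claim 1, step 1: efficiency_atom = time / probability (a cost: smaller is better)."""
        if not 0.0 < self.probability <= 1.0:
            raise ValueError(f"probability must be in (0, 1], got {self.probability}")
        if self.time_s < 0:
            raise ValueError("time must be non-negative")
        return self.time_s / self.probability


def network_attack_efficiency(relation: Relation, atoms: Sequence[AtomicAttack]) -> float:
    """Claim 1, step 2: combine the atomic costs according to their relation."""
    if not atoms:
        raise ValueError("a network attack needs at least one atomic attack")
    costs = [a.efficiency() for a in atoms]
    if relation == "OR":     # any one atomic attack suffices: take the cheapest
        return min(costs)
    if relation == "AND":    # all needed, unordered: the bottleneck cost
        return max(costs)
    if relation == "SAND":   # all needed, strictly sequential: costs add up
        return sum(costs)
    raise ValueError(f"unknown relation {relation!r}")


NetworkAttack = Tuple[Relation, Sequence[AtomicAttack]]


def chain_efficiency(chain: Sequence[NetworkAttack]) -> float:
    """Claim 1, step 3: efficiency_link is the sum over the n network attacks on the chain."""
    return sum(network_attack_efficiency(rel, atoms) for rel, atoms in chain)


def order_siblings(relation: Relation, branches: Sequence[Tuple[str, float]]) -> List[str]:
    """Claim 4, rule (2): order sibling branches (name, cost) left to right.
    OR puts the cheaper branch left, AND the costlier one, SAND keeps the attack sequence."""
    if relation == "OR":
        return [name for name, _ in sorted(branches, key=lambda b: b[1])]
    if relation == "AND":
        return [name for name, _ in sorted(branches, key=lambda b: -b[1])]
    if relation == "SAND":
        return [name for name, _ in branches]
    raise ValueError(f"unknown relation {relation!r}")


def order_chains(chains: Sequence[Tuple[str, int, float]]) -> List[str]:
    """Claim 4, rule (3) and its proviso: (name, authority_rank, efficiency_link) tuples,
    higher authority first, then the smaller efficiency_link to the left."""
    return [name for name, _, _ in sorted(chains, key=lambda c: (-c[1], c[2]))]


# Values of Table 1 in the description (time and success probability per vulnerability).
TABLE1: Dict[str, AtomicAttack] = {
    "serv_u_overflow":    AtomicAttack("Serv-U overflow", "FTP server", 120, 0.50),
    "sql_empty_password": AtomicAttack("SQL empty password", "WEB server 1", 80, 0.40),
    "browser_overflow":   AtomicAttack("Browser overflow", "Administrator host", 120, 0.50),
    "telnet_sniffing":    AtomicAttack("Telnet network monitoring", "Office host", 180, 0.50),
    "virus_file":         AtomicAttack("Running virus-infected file", "WEB server 2", 120, 0.40),
    "web_trojan":         AtomicAttack("WEB page Trojan", "WEB server 2", 80, 0.50),
    "dir_rights":         AtomicAttack("Directory rights management", "Core database server", 280, 0.50),
}

# The chain the description reports as attack sequence 1-2-3-4, modelled here (an
# assumption) as four single-atom network attacks executed in sequence.
EXAMPLE_CHAIN: List[NetworkAttack] = [
    ("SAND", [TABLE1["sql_empty_password"]]),
    ("SAND", [TABLE1["browser_overflow"]]),
    ("SAND", [TABLE1["virus_file"]]),
    ("SAND", [TABLE1["dir_rights"]]),
]


def main() -> None:
    for key, atom in TABLE1.items():
        print(f"{key:20s} efficiency_atom = {atom.efficiency():6.1f} s per success")
    print(f"efficiency_link of the reported chain = {chain_efficiency(EXAMPLE_CHAIN):.1f}")
    sib = [(k, TABLE1[k].efficiency()) for k in ("browser_overflow", "web_trojan")]
    print("OR order :", order_siblings("OR", sib), "AND order:", order_siblings("AND", sib))


if __name__ == "__main__":
    main()
```

With the Table 1 figures the four atomic costs of the reported chain are 200, 240, 300 and 560 seconds per success, so efficiency_link is 1300. Because the model treats efficiency as a cost, the same functions rank the cheapest path for an attacker and, read from the defender's side, the vulnerability whose removal raises that cost the most.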
CN202010930453.XA 2020-09-07 2020-09-07 Network attack chain efficiency modeling method Pending CN112039914A (en)

Publications (1)

Publication Number Publication Date
CN112039914A true CN112039914A (en) 2020-12-04

Family

ID=73585439

Citations (2)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US20050138413A1 (en) * 2003-12-11 2005-06-23 Richard Lippmann Network security planning architecture
CN110602135A (en) * 2019-09-25 2019-12-20 北京金山安全软件有限公司 Network attack processing method and device and electronic equipment

Non-Patent Citations (2)

* Cited by examiner, † Cited by third party
Title
Jiao Bo et al.: "Attack graph construction method based on attack-source excitation and atomic-attack screening" (基于攻击源激发和攻击原子筛选的攻击图构建方法), 《计算机应用研究》 (Application Research of Computers) *
Lu Zhiyong et al.: "Efficiency-priority modeling of host security attribute vulnerability trees" (效率优先的主机安全属性漏洞树建模研究), 《计算机工程与科学》 (Computer Engineering and Science) *

Cited By (7)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN113591092A (en) * 2021-06-22 2021-11-02 中国电子科技集团公司第三十研究所 Attack chain construction method based on vulnerability combination
CN113591092B (en) * 2021-06-22 2023-05-09 中国电子科技集团公司第三十研究所 Attack chain construction method based on vulnerability combination
CN113792296A (en) * 2021-08-24 2021-12-14 中国电子科技集团公司第三十研究所 Vulnerability combination method and system based on clustering
CN113792296B (en) * 2021-08-24 2023-05-30 中国电子科技集团公司第三十研究所 Cluster-based vulnerability combining method and system
CN113965469A (en) * 2021-09-27 2022-01-21 西安交通大学 Construction method of network data analysis model
CN113965469B (en) * 2021-09-27 2023-01-13 西安交通大学 Construction method of network data analysis model
CN114257423A (en) * 2021-12-03 2022-03-29 中国人民解放军63891部队 Penetration test comprehensive effect evaluation method and system based on attack tree

Legal Events

Date Code Title Description
PB01 Publication (application publication date: 20201204)
SE01 Entry into force of request for substantive examination
RJ01 Rejection of invention patent application after publication