CN112039914A - Network attack chain efficiency modeling method - Google Patents
- Publication number: CN112039914A (application CN202010930453.XA)
- Authority: CN (China)
- Prior art keywords: attack, network, efficiency, chain, atomic
- Legal status: Pending (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
Classifications
- H04L63/1408: Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic by monitoring network traffic
- H04L41/145: Network analysis or design involving simulating, designing, planning or modelling of a network
- H04L63/123: Applying verification of the received information received data contents, e.g. message integrity
- H04L63/1433: Vulnerability analysis
- H04L63/1441: Countermeasures against malicious traffic
Abstract
A network attack chain efficiency modeling method belongs to the technical field of network security and comprises the following steps: modeling atomic attack efficiency, network attack efficiency and network attack chain efficiency. A network attack efficiency model is established on the basis of an atomic attack efficiency model. A network host information security integrity test tree is built by taking the vulnerabilities present on each host of the target network as the leaf nodes of the tree, the vulnerability-exploitation attack modes as the edges between nodes, the attack results produced by exploiting the child-node vulnerabilities as the intermediate nodes, and the network host information security integrity test itself as the root node. Finally, a network attack chain efficiency model is constructed from the optimal network host information security integrity test efficiency.
Description
Technical Field
The invention belongs to the technical field of network security, and particularly relates to a network attack chain efficiency modeling method.
Background
The information security integrity of a network host is the property that network information is not added, deleted or modified by illegal users. Ensuring the integrity of information is a basic requirement of information security; destroying it is one of the purposes of launching network attacks on an information system and a common way of affecting information security. For an authorized network user, obtaining write authority on a host in the network means writing information to the host under a legitimate identity; for an unauthorized user, obtaining write authority on a host through a network attack or other means means that network information is added, deleted or modified by an illegal user, i.e., the integrity of the network information is damaged (the illegally obtained host information security integrity authority is divided, from high to low, into Root write authority and User write authority).
Modeling and simulation techniques are widely used in computer network security, both for network attack and for attack testing and evaluation of network/host information security (mainly confidentiality, integrity and availability). Computer network attacks are destructive actions aimed by an attacker at a specific system, and the complexity, timeliness and variability of the subjects and objects of an attack make the attack process uncertain and complex. At present the main methods for modeling and simulating network attack efficiency are the attack tree, the attack graph and the attack network. Although these methods describe the attack process well and help in studying the timing and logical relationships of an attack, when the security integrity of a single host in a given network is examined the traditional modeling methods lack pertinence in selecting an attack scheme and have the following defects that are hard to overcome:
(1) Disorder of attack model generation. Traditional attack-model generation algorithms do not fully consider the time efficiency and outcome efficiency of an attack method, so the attack model lacks ordering and an efficient test has to pay the cost of running a complex search algorithm over the attack model.
(2) Disregard of the probabilistic nature of network attacks. Owing to the complexity and variability of the network and to the experience of the attacking party, every network attack has only a probability of success, so the number of attack attempts in an attack scheme must account for this probability; an attack cannot be assumed to succeed every time.
(3) Attack scheme selection lacks pertinence. Whether for security testing or for attack, the attack tree, attack graph and attack network target the whole network; when the security integrity of one particular host must be checked, the traditional attack tree modeling method lacks pertinence in selecting the network attack scheme.
To solve the problem of network attack efficiency modeling, the invention builds a network attack efficiency model on top of a network atomic attack efficiency model, generates a network host information security integrity test vulnerability chain, builds a network attack chain efficiency model, and thereby realizes an efficient attack test of network host information security integrity. The network attack efficiency modeling method of the invention can be applied widely in computer network security for network security attack testing and network security evaluation.
Disclosure of Invention
The invention provides a network attack chain efficiency modeling method aimed at the problems that the traditional network attack efficiency modeling method is weakly targeted and ineffective when selecting a network host information security integrity attack test scheme; the specific steps are as follows:
The atomic attack efficiency represents the time consumed to complete one successful atomic attack under ideal attack conditions. The atomic attack efficiency model is therefore: efficiency_atom = time / probability, where time is the time taken to complete one successful atomic attack and probability is the probability that the atomic attack succeeds.
One network attack is a combination of several atomic attacks, and according to the relationships among the atomic attacks the network attack efficiency model is as follows:
(1) if the relationship between the i atomic attacks of the network attack is logical OR, the smallest of the i atomic attack costs is chosen as the network attack efficiency.
(2) if the relationship between the i atomic attacks of the network attack is logical AND, the largest of the i atomic attack costs is chosen as the network attack efficiency.
(3) if the relationship between the i atomic attacks of the network attack is sequential AND ('SAND'), the sum of the i atomic attack costs is chosen as the network attack efficiency.
The network attack chain efficiency is defined as the sum of all network attack efficiencies on the vulnerability chain.
Network attack chain efficiency model: the sum of the efficiencies of the n network attacks on the vulnerability chain, where n is the number of network attacks on the vulnerability chain.
In particular, after step 3 the method further includes step 4: constructing a Network Host Information Security Integrity Test Tree (NHSITT), in which a vulnerability chain is formed by the path from a leaf node of the test tree to its root node, i.e., the intermediate node vulnerabilities passed through and the edges representing the attack modes.
In particular, the method further includes step 5: constructing the network host information security integrity test vulnerability chain according to the efficiency-first principle, with the following generation rules:
(1) if two vulnerability chains are identical after a certain node, their identical parts are merged in the test tree and their differing parts are combined in a logical OR relationship;
(2) if the relationship between vulnerability nodes is logical OR, the atomic attack with the smaller atomic attack cost efficiency_atom is placed on the left branch of the node; if the relationship is logical AND, the atomic attack with the larger efficiency_atom is placed on the left branch of the node; if the relationship is sequential AND ('SAND'), the atomic attacks are executed in attack order;
(3) in a network attack, the vulnerability chain that obtains higher control authority is placed on the left branch of the tree.
Drawings
FIG. 1 is a flow chart of an implementation of the present invention;
FIG. 2 is a diagram illustrating relationships between nodes of a network host information security integrity test tree according to the present invention;
FIG. 3 is a tree structure for testing the information security integrity of a network host according to the present invention;
FIG. 4 is a diagram of a test network topology according to the present invention;
FIG. 5 is a network host information security integrity test tree for the core database server according to the present invention.
Detailed Description
Referring to FIG. 1, the implementation flow chart of the invention, each part is implemented as follows:
The atomic attack efficiency represents the time consumed to complete one successful atomic attack under ideal attack conditions.
The atomic attack efficiency model is therefore: efficiency_atom = time / probability, where efficiency_atom represents the atomic attack cost, time the time consumed to complete one successful atomic attack, and probability the probability that the atomic attack succeeds.
A network attack is a combination of several atomic attacks, and according to the logical relationships among the atomic attacks the network attack efficiency model is as follows:
(1) if the relationship between the i atomic attacks of the network attack is the OR operation 'OR', the smallest of the i atomic attack costs is chosen as the network attack efficiency.
(2) if the relationship between the i atomic attacks of the network attack is the AND operation 'AND', the largest of the i atomic attack costs is chosen as the network attack efficiency.
(3) if the relationship between the i atomic attacks of the network attack is the sequential AND operation 'SAND', the sum of the i atomic attack costs is chosen as the network attack efficiency.
The network attack chain efficiency is defined as the sum of all network attack efficiencies on the vulnerability chain.
Network attack chain efficiency model: the sum of the efficiencies of the n network attacks on the vulnerability chain (n is the number of network attacks on the vulnerability chain).
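As an added illustration (not code from the patent), the following Python carries the atomic, network-attack and chain efficiency definitions of the disclosure and of the detailed description above through the values of Table 1 of this page; the time of the virus-file attack, which Table 1 leaves blank, is a constructed assumption, and the chain used is the test chain named later on the page.

```python
from dataclasses import dataclass
from typing import Sequence, Tuple


@dataclass(frozen=True)
class AtomicAttack:
    """One atomic attack with its empirical time and success probability."""
    name: str
    time_s: float       # time consumed by one successful atomic attack, seconds
    probability: float  # probability that the atomic attack succeeds, in (0, 1]

    def efficiency(self) -> float:
        """efficiency_atom = time / probability: expected time to one success."""
        if not 0.0 < self.probability <= 1.0:
            raise ValueError(f"{self.name}: probability must lie in (0, 1]")
        return self.time_s / self.probability


def network_attack_efficiency(relation: str, atoms: Sequence[AtomicAttack]) -> float:
    """Efficiency of one network attack built from i atomic attacks.

    OR   -> any one alternative suffices, the cheapest is chosen   (min)
    AND  -> all must succeed, the dearest one dominates            (max)
    SAND -> all must succeed in sequence, the costs add up         (sum)
    """
    if not atoms:
        raise ValueError("a network attack needs at least one atomic attack")
    costs = [a.efficiency() for a in atoms]
    if relation == "OR":
        return min(costs)
    if relation == "AND":
        return max(costs)
    if relation == "SAND":
        return sum(costs)
    raise ValueError(f"unknown relation {relation!r}")


def chain_efficiency(chain: Sequence[Tuple[str, Sequence[AtomicAttack]]]) -> float:
    """efficiency_link = sum of the n network-attack efficiencies on the chain."""
    return sum(network_attack_efficiency(rel, atoms) for rel, atoms in chain)


# Statistics from Table 1 of the page. Table 1 gives no time for the
# virus-file attack, so the 40 s below is a constructed assumption.
SQL_EMPTY_PASSWORD = AtomicAttack("Sql empty password (WEB server 1)", 80, 0.40)
BROWSER_OVERFLOW = AtomicAttack("Browser overflow (administrator host)", 120, 0.50)
VIRUS_FILE = AtomicAttack("Running files with virus (WEB server 2)", 40, 0.40)
WEB_TROJAN = AtomicAttack("WEB page trojan (WEB server 2)", 80, 0.50)
DIR_TRAVERSAL = AtomicAttack("Directory traversal (core database server)", 280, 0.50)

# The page's test chain 1-2-3-4: four network attacks executed in sequence,
# each made of a single atomic attack.
PAGE_CHAIN = [
    ("SAND", [SQL_EMPTY_PASSWORD]),
    ("SAND", [BROWSER_OVERFLOW]),
    ("SAND", [VIRUS_FILE]),
    ("SAND", [DIR_TRAVERSAL]),
]


def demo() -> dict:
    """Worked values; a defender reads them as where a test (or a patch) pays off first."""
    return {
        "sql_atom": SQL_EMPTY_PASSWORD.efficiency(),                             # 80/0.4 = 200
        "web2_or": network_attack_efficiency("OR", [VIRUS_FILE, WEB_TROJAN]),    # min(100, 160) = 100
        "web2_and": network_attack_efficiency("AND", [VIRUS_FILE, WEB_TROJAN]),  # max(100, 160) = 160
        "chain": chain_efficiency(PAGE_CHAIN),                                   # 200+240+100+560 = 1100
    }


if __name__ == "__main__":
    for name, seconds in demo().items():
        print(f"{name:9s} {seconds:8.1f} s")
```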
The root node of the network host information security integrity test tree is the goal of destroying the integrity of a host in the target network; the remaining nodes represent the vulnerabilities of the hosts in the network that are exploited to reach the root (leaf nodes are vulnerabilities present in the network, intermediate nodes are the attack results produced by exploiting child-node vulnerabilities), and an edge between nodes represents the atomic attack that exploits the child node's vulnerability to reach the parent node.
From the perspective of the attack process, in order to achieve the root goal a vulnerability chain is formed by the path from a leaf node of the test tree to the root node: the intermediate node vulnerabilities passed through and the edges representing the attack modes.
By assigning attributes to each node, basic calculations can be performed over the tree structure to describe the various ways the vulnerabilities can be exploited against the overall goal. For a given test tree, an attack path that reaches the root goal can be found starting from a certain leaf node, achieving a high attack effect at a low cost.
In the network host information security integrity test tree, completing one goal depends on completing several sub-goals, and the relationship between the sub-goals is one of OR, AND and sequential AND (SAND). An OR node can reach its goal by any one of several methods; an AND node's parent goal is completed only after all child goals are completed; an ordered-and (SAND) node requires all child goals to be completed in order for the parent goal to be completed.
The relationship between network host information security integrity test tree nodes (TTN, Test Tree Node) is shown in FIG. 2.
Modeling follows the purpose and effect of the network attack: the test tree model provides a goal-oriented traversal method for describing multi-stage vulnerability exploitation attacks. The test tree determines, in the simplest form, the sub-goals needed to reach the final attack goal; all attack modes are divided into 'OR', 'AND' and 'in sequence (SAND)' relationships, from which related and unrelated attack conditions can be identified. Each vulnerability exploitation mode can reflect its attack success probability or time efficiency through a weight.
The structure of the network host information security integrity test tree is shown in FIG. 3. Leaf nodes are vulnerabilities present in the network system, and intermediate nodes are the results of attacks that lead to deeper exploitation.
It can be written as NHSITT(IP_addr), where IP_addr is the IP address of the target host in the network, and the return value of executing the function NHSITT(IP_addr) is the write authority obtained on the target host.
The edges between the nodes of the test tree represent attack modes that exploit vulnerabilities; for convenience the attack mode is described in the node attributes, so the test tree node attribute quintuple is defined as follows:
TTN=(source_IP,dest_IP,precondition,relation,attack)
The source address (source_IP) represents the IP address of the host that has the node's vulnerability.
The destination address (dest_IP) represents the IP address of the attacked target host in the network.
The precondition represents the vulnerability or attack effect at the tree node (the result of the previous attack serves as the condition for the deeper attack).
Vulnerabilities of the same type on different hosts must be treated as distinct in the host information security integrity test tree, so the precondition is represented by a pair:
precondition = (source_IP, vulnerability), where vulnerability denotes the vulnerability.
A network scanning system scans the target network; the vulnerability library Vulnerability_set is formed of the pairs of every scanned network vulnerability (including attack effects) and the network address of the host carrying it, and precondition ∈ Vulnerability_set.
The relation (relation) represents the relationship between this node and the other nodes under the same parent node, one of "OR", "AND" or "SAND": relation ∈ {"OR", "AND", "SAND"}.
The attack (attack) represents the network attack mode that uses the precondition.
The attack mode library Attack_mode consists of commonly used, representative network attack modes. Attack_mode must contain an attack mode for every vulnerability in Vulnerability_set; if the attack test mode for some vulnerability is not in Attack_mode, test code has to be downloaded from the Internet or written.
attack ∈ Attack_mode, and an attack can be represented by the following six-tuple:
attack=(precondition,postcondition,time,probability,relation,attackrelating[])
The precondition is the same as the precondition in the TTN and refers to the vulnerability exploited by the attack.
The following relation holds: TTN->attack->precondition = TTN->precondition.
The postcondition expresses the effect the node must obtain after the attack finishes. If the obtained effect is the final goal the attack has to reach, i.e., the attack obtains read authority or write authority or makes the host deny service, the node points to the root node of the tree.
The final goal is defined as obtaining the host's read authority or write authority, or making the host deny service.
If the obtained effect is not the final goal, the attack that uses the node's vulnerability obtains a springboard for a deeper attack; in that case the node points to the tree node whose precondition is this postcondition, the postcondition is added to the vulnerability library Vulnerability_set, and precondition->vulnerability = postcondition, precondition->source_IP = dest_IP.
The whole test tree is built with the postcondition as the link.
The time represents the time consumed by one successful attack; it is an empirical statistic.
The probability represents the probability that the attack succeeds; it is an empirical statistic.
The relation indicates whether the relationship between this attack and the other atomic attacks is "OR", "AND" or "SAND".
The following relation holds: TTN->attack->relation = TTN->relation.
The associated attack array (attackrelating[]) holds the atomic attacks that stand in an "OR", "AND" or "SAND" relationship with this attack, expressed as an array:
when the relation is "OR", the array is empty;
when the relation is "AND", the atomic attacks are stored in the array in order of atomic attack cost from high to low;
when the relation is "SAND", the atomic attacks are stored in the array in the order in which the attacks occur.
The efficiency of generating the test vulnerability chain has two aspects, time efficiency and outcome efficiency: time efficiency means the time needed to complete the attack is as short as possible; outcome efficiency means the authority obtained by the attack is as high as possible. Starting from attack efficiency, the test chain generation rules are as follows:
(1) if two vulnerability chains are identical after a certain node, their identical parts are merged in the test tree and their differing parts are combined in an 'OR' relationship;
(2) if the relationship between vulnerability nodes is 'OR', the atomic attack with the smaller atomic attack cost efficiency_atom is placed on the left branch of the node; if the relationship is 'AND', the atomic attack with the larger efficiency_atom is placed on the left branch of the node; if the relationship is 'SAND', the atomic attacks are executed in attack order;
(3) in a network attack, the vulnerability chain with higher control authority is placed on the left branch of the tree, where control authority includes operation control authority such as read, write, add and delete;
(4) the vulnerability chain with smaller efficiency_link is placed on the left branch of the tree; this rule is weaker than rule (3).
According to the above rules, the efficiency-first host information security attribute test tree algorithm is described as follows:
[ Algorithm 1 ] Efficiency-First network host information security attribute Test Tree Generation (EFTTG)
EFTTG(IP_addr, attribute, VL_set)
while (VL_set ≠ NULL)
{
  ① take a vulnerability chain link from the vulnerability chain set VL_set;
  ② if the root target network address of the vulnerability chain link is not IP_addr, go to step ⑥;
  ③ attribute ∈ {Confidentiality, Integrity, Availability}: when attribute is Integrity, generate the host information security integrity test tree HSITT(IP_addr);
  ④ according to the root target authority of the vulnerability chain link: when the root target authority is write authority, add the vulnerability chain link to NHSITT(IP_addr);
  ⑤ according to the height of the root target authority of the vulnerability chain link, in the corresponding vulnerability tree:
     merge the vulnerability chains with the same rear part, and combine the differing parts according to an OR relation;
     the vulnerability chain with higher authority is placed on the left branch of the tree;
     the vulnerability chain with smaller efficiency_link is placed on the left branch of the tree;
  ⑥ return;
}
Generating the complete network host information security test vulnerability chain: the network host information security integrity test tree is constructed according to the efficiency-first principle, so the leftmost test chain of the tree takes the shortest time to attack-test the target host's information security integrity and obtains the highest result. The vulnerabilities on that test chain and the network addresses they belong to form pairs (vulnerability, source_IP), and the test chain yields the network host information security integrity test vulnerability chain as these pairs arranged in order from the leaf node to the root node: (vulnerability_1, source_IP_1) -> (vulnerability_2, source_IP_2) -> … -> (vulnerability_n, source_IP_n).
Because of the dynamic variability of the information network, new vulnerabilities may appear and old ones may be patched, in which case the test tree changes; the insertion and deletion algorithms for a vulnerability precondition are described below, using the HSITT of the host with address IP_addr as a simple example.
[ Algorithm 2 ] InsertVulnerability(NHSITT(IP_addr), precondition)
{
  ① taking the vulnerability precondition as the leaf node of a vulnerability chain, construct all new vulnerability chain links according to the attack mode library Attack_mode, forming the vulnerability chain set VL_set;
  ② traverse the vulnerability chain set VL_set; if the root target of a vulnerability chain link is read authority and the network address of the root target is IP_addr:
     add the vulnerability chain link to NHSITT(IP_addr);
     according to the height of the root target authority of the vulnerability chain link, in the corresponding vulnerability tree:
       merge the vulnerability chains with the same rear part in the test tree, and combine the differing parts according to an OR relation;
       the vulnerability chain with higher authority is placed on the left branch of the tree;
       the vulnerability chain with smaller efficiency_link is placed on the left branch of the tree;
}
[ Algorithm 3 ] DeleteVulnerability(NHSITT(IP_addr), precondition)
do {
  ① take a node out of HSITT(IP_addr);
  ② when the vulnerability of the node is precondition:
     if the branch where the node is located has no node in an OR relation, cut off the branch;
     if the branch where the node is located has a node in an OR relation, cut off the OR branch containing the node;
} while (NHSITT(IP_addr) still has unvisited nodes)
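An added example (not the patent's own code) that applies generation rules (1), (3) and (4) and the chain-level form of Algorithms 1 and 3 above in Python: vulnerability chains are merged on their shared root-side parts, ordered with higher authority and then smaller efficiency_link to the left, and the tree is rebuilt when a vulnerability is patched, which tells a defender which remaining chain to verify next. The chains, the office-host address 192.168.1.4 and the times Table 1 leaves blank are constructed assumptions; the other values follow Table 1 and the page's example.

```python
from dataclasses import dataclass, field
from typing import Dict, List, Sequence, Tuple

# Root-target authority ranked high to low (Root write > User write, rule 3);
# read-only chains are not part of the integrity tree (Algorithm 1, step 4).
AUTHORITY_RANK: Dict[str, int] = {"root_write": 2, "user_write": 1}


@dataclass(frozen=True)
class Step:
    """One (vulnerability, source_IP) node with its atomic-attack statistics."""
    vulnerability: str
    source_ip: str
    time_s: float        # empirical time of one successful atomic attack
    probability: float   # empirical success probability
    @property
    def key(self) -> Tuple[str, str]:
        return (self.vulnerability, self.source_ip)
    def efficiency_atom(self) -> float:
        return self.time_s / self.probability


@dataclass(frozen=True)
class Chain:
    """Vulnerability chain ordered leaf -> root; the last step's host is the root target."""
    steps: Tuple[Step, ...]
    root_authority: str   # authority obtained on the root target
    def root_ip(self) -> str:
        return self.steps[-1].source_ip
    def efficiency_link(self) -> float:
        # the steps run in sequence (SAND), so the atomic costs add up
        return sum(s.efficiency_atom() for s in self.steps)


@dataclass
class Node:
    key: Tuple[str, str]
    children: List["Node"] = field(default_factory=list)  # children[0] is the left branch
    best: Tuple[int, float] = (-1, float("-inf"))          # (authority rank, -efficiency_link)


def build_nhsitt(ip_addr: str, chains: Sequence[Chain]) -> Node:
    """Algorithm 1 in chain form: merge write-authority chains rooted at ip_addr (rule 1)."""
    root = Node(("integrity", ip_addr))
    for chain in chains:
        if chain.root_ip() != ip_addr or chain.root_authority not in AUTHORITY_RANK:
            continue  # other host, or read-only result: not in this tree
        score = (AUTHORITY_RANK[chain.root_authority], -chain.efficiency_link())
        node = root
        for step in reversed(chain.steps):  # walk from the root-side end
            child = next((c for c in node.children if c.key == step.key), None)
            if child is None:  # differing part: becomes an OR sibling
                child = Node(step.key)
                node.children.append(child)
            child.best = max(child.best, score)  # best chain through this node
            node = child
    order_branches(root)
    return root


def order_branches(node: Node) -> None:
    """Higher authority left (rule 3); among equals, smaller efficiency_link left (rule 4)."""
    node.children.sort(key=lambda c: (-c.best[0], -c.best[1]))
    for child in node.children:
        order_branches(child)


def leftmost_chain(root: Node) -> List[Tuple[str, str]]:
    """The leftmost test chain, reported leaf -> root as on the page."""
    path, node = [], root
    while node.children:
        node = node.children[0]
        path.append(node.key)
    return path[::-1]


def delete_vulnerability(ip_addr: str, chains: Sequence[Chain], key: Tuple[str, str]) -> Node:
    """Algorithm 3 in chain form: a patched vulnerability cuts every branch through it."""
    return build_nhsitt(ip_addr, [c for c in chains if all(s.key != key for s in c.steps)])


# Hosts and statistics follow Table 1 and the page's example where given; the
# office-host address and the times Table 1 leaves blank are assumptions.
SQL = Step("Sql empty password", "192.168.0.2", 80, 0.40)
BROWSER = Step("browser overflow", "192.168.1.5", 120, 0.50)
VIRUS = Step("run poison file", "192.168.1.2", 40, 0.40)                   # time assumed
TROJAN = Step("WEB page trojan", "192.168.1.2", 80, 0.50)
DIRMGMT = Step("directory rights management", "192.168.1.3", 280, 0.50)
TELNET = Step("telnet sniffing", "192.168.1.4", 60, 0.50)                  # IP and time assumed
USERDIR = Step("user directory write authority management", "192.168.1.3", 100, 0.50)  # assumed

CHAINS = [
    Chain((SQL, BROWSER, VIRUS, DIRMGMT), "root_write"),   # the page's chain: 1100 s
    Chain((SQL, BROWSER, TROJAN, DIRMGMT), "root_write"),  # OR alternative on WEB server 2: 1160 s
    Chain((TELNET, USERDIR), "user_write"),                # cheaper (320 s) but lower authority
]


def demo() -> Tuple[List[Tuple[str, str]], List[Tuple[str, str]]]:
    """Leftmost chain before and after the virus-file vulnerability is patched."""
    before = leftmost_chain(build_nhsitt("192.168.1.3", CHAINS))
    after = leftmost_chain(delete_vulnerability("192.168.1.3", CHAINS, VIRUS.key))
    return before, after
```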
To verify the performance of the host information security integrity test vulnerability chain, the network platform of a certain information network is used as the test environment; its topology is shown in FIG. 4.
In FIG. 4, router 1 is connected to the Internet and to the firewall. The firewall uses three network interfaces: interface 1 connects to router 1, interface 2 to switch 1 in the DMZ (demilitarized zone), and interface 3 to intranet router 2. Since different resources in a network need different levels of security protection, the firewall configuration divides the network into three segments: the extranet, the DMZ and the intranet. The DMZ can be understood as a special network region that is neither extranet nor intranet. Public servers holding no confidential information, such as Web, Mail and FTP, are normally placed in the DMZ so that extranet visitors can reach the services in the DMZ but not the company's confidential or private information stored in the intranet; even if a server in the DMZ is compromised, the confidential information in the intranet is not affected.
The intranet hosts WEB server 2 and the core database server, which are accessible only to internal users. Both the office host and the administrator host can access them, but with different authority: the office host only has read permission on WEB server 2, the administrator host has read and write configuration permission on WEB server 2, and read and write access to the core database is allowed only from WEB server 2, so the administrator must log in remotely to WEB server 2 and then manage the core database through it.
The firewall sets the following six access control policies:
(1) The intranet may access the extranet: intranet users obviously need free access to the extranet. Under this policy the firewall performs source address translation.
(2) The intranet may access the DMZ: this policy lets intranet users use and manage the servers in the DMZ.
(3) The extranet cannot access the intranet: the intranet stores data internal to the company that extranet users must not reach.
(4) The extranet may access the DMZ: the servers in the DMZ exist to provide services to the outside world, so the extranet must be able to reach the DMZ. At the same time, when the extranet accesses the DMZ the firewall has to translate the external address to the server's actual address.
(5) The DMZ cannot access the intranet: if this policy is violated, an intruder who compromises the DMZ can go on to attack important intranet data.
(6) The DMZ cannot access the extranet: this policy has exceptions, for example a mail server placed in the DMZ must access the extranet or it will not work properly.
The network vulnerabilities and attack rights are shown in Table 1.
TABLE 1 Vulnerabilities and attack authority of the test network
| Network device | Exploitable vulnerability | Attack mode | Authority obtained | Probability | Time |
|---|---|---|---|---|---|
| FTP server | Serv-U overflow vulnerability | Overflow attack | System read-write permission | 50% | |
| WEB server 1 | Sql empty password | Direct use | System read-write permission | 40% | 80s |
| Administrator host | Browser overflow | Overflow planting reverse Trojan | User read-write permission | 50% | 120s |
| Office host | Telnet | Network monitoring (sniffing) | System read permission | 50% | |
| WEB server 2 | Running files with virus | Virus-infected reverse Trojan | System read-write permission | 40% | |
| WEB server 2 | WEB page trojan | WEB-hung reverse Trojan | User write authority | 50% | 80s |
| Core database server | Directory rights management | Directory traversal attack | System read-write permission | 50% | 280s |
An attack test on the integrity of the core database server is made; the host information security integrity test tree generated by NHSITT(192.168.1.3) is shown in FIG. 5.
Here Attack_mode(1) is the Sql empty password attack mode; Attack_mode(2) is the overflow planting reverse Trojan attack mode; Attack_mode(3) is the virus infection reverse Trojan attack mode; Attack_mode(4) is the root directory traversal attack mode; Attack_mode(5) is the Serv-U overflow attack mode; Attack_mode(6) is the network monitoring attack mode; Attack_mode(7) is the WEB-hung reverse Trojan attack mode; Attack_mode(8) is the user directory write authority management attack mode; Attack_mode(9) is the root directory read permission management attack mode; Attack_mode(10) is the root directory rights management attack mode; Attack_mode(11) is an unrecoverable denial of service attack; Attack_mode(12) is the user directory rights management attack mode; Attack_mode(13) is a recoverable denial of service attack.
In FIG. 5, following the efficiency-first principle, the maximum integrity access right on the core database server that an attacker can obtain and the corresponding attack sequence are shown in Table 2.
TABLE 2 Attack sequence list
The network attack test algorithm is run on NHSITT(192.168.1.3); the attack sequence 1-2-3-4 is clearly the highest in both outcome efficiency and time efficiency for obtaining integrity access rights on the core database server. The host information security integrity test vulnerability chain is: (Sql empty password, 192.168.0.2) -> (browser overflow, 192.168.1.5) -> (run poison file, 192.168.1.2) -> (directory rights management, 192.168.1.3).
The attack tree, attack graph and attack network built by traditional methods, like the test tree proposed in this patent, serve network security testing or network attack. In the attack tree, attack graph and attack network modeling methods, a traversal search is needed to find the attack scheme with the maximum success probability; all attacks must be traversed to assess the security of the network; and the minimum-cost scheme for obtaining control authority over a particular host cannot be selected in a targeted way. The method of generating the network host information security integrity test vulnerability chain on the basis of the test tree can, for a network attack or network security test scheme, obtain in a targeted manner the maximum access authority value on the host's integrity with the highest efficiency, and models and attacks the integrity of a single network host to complete the attack or security test on the target host.
Those skilled in the art will appreciate that all or part of the processes for implementing the above embodiments may be implemented by a computer program, which is stored in a computer readable storage medium, to instruct associated hardware. The computer readable storage medium is a magnetic disk, an optical disk, a read-only memory or a random access memory.
The above description is only for the preferred embodiment of the present invention, but the scope of the present invention is not limited thereto, and any changes or substitutions that can be easily conceived by those skilled in the art within the technical scope of the present invention are included in the scope of the present invention.
Claims (4)
1. A network attack chain efficiency modeling method, characterized by comprising the following steps:
Step 1: atomic attack efficiency modeling
Establish an atomic attack efficiency model: efficiency_atom = time / probability, where time is the time needed to complete a successful atomic attack and probability is the probability that the atomic attack succeeds;
Step 2: network attack efficiency modeling
A single network attack is a combination of several atomic attacks; according to the relationship among the atomic attacks, the network attack efficiency model is as follows:
(1) if the relationship among the i atomic attacks of the network attack is logical OR, the smallest of the i atomic attack costs is taken as the network attack efficiency;
(2) if the relationship among the i atomic attacks of the network attack is logical AND, the largest of the i atomic attack costs is taken as the network attack efficiency;
(3) if the relationship among the i atomic attacks of the network attack is sequential AND ('SAND'), the sum of the i atomic attack costs is taken as the network attack efficiency;
Step 3: network attack chain efficiency modeling
The network attack chain efficiency is defined as the sum of the efficiencies of all network attacks on the vulnerability chain;
2. The network attack chain efficiency modeling method according to claim 1, further comprising after step 3:
Step 4: construct a Network Host information Security Integrity Test Tree (NHSITT); starting from a leaf node of the test tree and proceeding to the root node of the tree, the intermediate vulnerability nodes passed through and the edges representing attack modes form a vulnerability chain.
3. The network attack chain efficiency modeling method according to claim 2, characterized in that
the network host information security integrity test tree takes the destruction of the integrity of a host in the target network as its goal and as the root node of the tree; the other nodes represent the vulnerabilities of the hosts in the network that are exploited to reach the root node; leaf nodes represent vulnerabilities existing in the network; intermediate nodes represent the attack results obtained by exploiting the vulnerabilities of their child nodes; and the edges between nodes represent the atomic attacks that exploit a child node's vulnerability to reach the parent node.
4. The network attack chain efficiency modeling method according to claim 2, characterized in that the method further comprises step 5:
Step 5: construct the network host information security integrity test vulnerability chain according to the efficiency priority principle, with the following generation rules:
(1) if two vulnerability chains are identical after a certain node, their common parts are merged in the test tree and their differing parts are combined by a logical OR relationship;
(2) if the relationship between the vulnerability nodes is logical OR, the atomic attack with the smaller cost efficiency_atom is placed on the left branch of the node; if the relationship is logical AND, the atomic attack with the larger efficiency_atom is placed on the left branch of the node; if the relationship is sequential AND ('SAND'), the atomic attacks are ordered according to their execution sequence;
(3) the vulnerability chain that obtains the higher control authority in the network attack is placed on the left branch of the tree;
and, subject to rule (3), the vulnerability chain with the smaller efficiency_link is placed on the left branch of the test tree.
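The following Python is an added illustration, not code from the patent: it implements the cost model of claim 1 (efficiency_atom = time/probability, then min/max/sum for OR/AND/SAND, then the chain sum) together with the branch ordering rules of claim 4, on a constructed sample whose atom names follow the example chain above; all times, probabilities and authority values are assumptions.

```python
from dataclasses import dataclass
@dataclass
class Atomic:
    name: str
    time: float          # time needed to complete a successful atomic attack
    probability: float   # probability that the atomic attack succeeds
    def efficiency(self) -> float:
        # efficiency_atom = time / probability; smaller is better (it is a cost)
        if not 0.0 < self.probability <= 1.0:
            raise ValueError(f"{self.name}: probability must be in (0, 1]")
        return self.time / self.probability

@dataclass
class NetworkAttack:
    op: str              # relation among the atoms: "OR", "AND" or "SAND"
    atoms: list
    def efficiency(self) -> float:
        costs = [a.efficiency() for a in self.atoms]
        if self.op == "OR":
            return min(costs)     # any one atomic attack suffices
        if self.op == "AND":
            return max(costs)     # all must succeed, the costliest dominates
        if self.op == "SAND":
            return sum(costs)     # executed one after another
        raise ValueError(f"unknown relation {self.op!r}")
    def branch_order(self) -> list:
        # generation rule (2): cheapest atom leftmost under OR, costliest under AND
        if self.op == "SAND":
            return list(self.atoms)   # SAND keeps the execution sequence
        return sorted(self.atoms, key=Atomic.efficiency, reverse=self.op == "AND")

@dataclass
class VulnChain:
    name: str
    authority: int       # control authority obtained on the target; higher is more
    attacks: list
    def efficiency(self) -> float:
        # efficiency_link = sum of the network attack efficiencies on the chain
        return sum(a.efficiency() for a in self.attacks)

def order_chains(chains: list) -> list:
    # rule (3) first (higher authority on the left), then the smaller efficiency_link
    return sorted(chains, key=lambda c: (-c.authority, c.efficiency()))
# Constructed sample: two chains against the same host, times in minutes (made up).
A = Atomic
CHAINS = [
    VulnChain("1-2-3-4", 3, [NetworkAttack("SAND", [A("sql empty password", 2, 0.8), A("browser overflow", 5, 0.5)]),
                             NetworkAttack("OR", [A("run infected file", 4, 0.4), A("directory rights", 6, 0.9)])]),
    VulnChain("alt", 3, [NetworkAttack("AND", [A("serv-u overflow", 3, 0.6), A("network sniffing", 10, 0.9)])]),
]
```

With these sample values the AND chain costs 10/0.9 and is ordered to the left of chain 1-2-3-4 (12.5 + 6/0.9), because both reach the same authority and the test tree prefers the smaller efficiency_link.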
Priority Applications (1)
Application Number | Priority Date | Filing Date | Title |
---|---|---|---|
CN202010930453.XA CN112039914A (en) | 2020-09-07 | 2020-09-07 | Network attack chain efficiency modeling method |
Publications (1)
Publication Number | Publication Date |
---|---|
CN112039914A true CN112039914A (en) | 2020-12-04 |
Family
ID=73585439
Family Applications (1)
Application Number | Title | Priority Date | Filing Date |
---|---|---|---|
CN202010930453.XA Pending CN112039914A (en) | 2020-09-07 | 2020-09-07 | Network attack chain efficiency modeling method |
Country Status (1)
Country | Link |
---|---|
CN (1) | CN112039914A (en) |
Citations (2)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
US20050138413A1 (en) * | 2003-12-11 | 2005-06-23 | Richard Lippmann | Network security planning architecture |
CN110602135A (en) * | 2019-09-25 | 2019-12-20 | 北京金山安全软件有限公司 | Network attack processing method and device and electronic equipment |
Non-Patent Citations (2)
Title |
---|
Jiao Bo et al.: "Attack graph construction method based on attack source excitation and attack atom screening", Application Research of Computers * |
Lu Zhiyong et al.: "Research on efficiency-first modeling of host security attribute vulnerability trees", Computer Engineering & Science * |
Cited By (7)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
CN113591092A (en) * | 2021-06-22 | 2021-11-02 | 中国电子科技集团公司第三十研究所 | Attack chain construction method based on vulnerability combination |
CN113591092B (en) * | 2021-06-22 | 2023-05-09 | 中国电子科技集团公司第三十研究所 | Attack chain construction method based on vulnerability combination |
CN113792296A (en) * | 2021-08-24 | 2021-12-14 | 中国电子科技集团公司第三十研究所 | Vulnerability combination method and system based on clustering |
CN113792296B (en) * | 2021-08-24 | 2023-05-30 | 中国电子科技集团公司第三十研究所 | Cluster-based vulnerability combining method and system |
CN113965469A (en) * | 2021-09-27 | 2022-01-21 | 西安交通大学 | Construction method of network data analysis model |
CN113965469B (en) * | 2021-09-27 | 2023-01-13 | 西安交通大学 | Construction method of network data analysis model |
CN114257423A (en) * | 2021-12-03 | 2022-03-29 | 中国人民解放军63891部队 | Penetration test comprehensive effect evaluation method and system based on attack tree |
Legal Events
Date | Code | Title | Description |
---|---|---|---|
| PB01 | Publication | |
| SE01 | Entry into force of request for substantive examination | |
| RJ01 | Rejection of invention patent application after publication | Application publication date: 20201204 |