CN112804231B - Distributed construction method, system and medium for attack graph of large-scale network - Google Patents
Abstract
The invention discloses a distributed construction method, a system and a medium of an attack graph facing a large-scale network, comprising the following steps: dividing a large-scale network into sub-networks by adopting a community discovery algorithm, wherein the sub-networks are closely connected internally and sparsely connected with one another; establishing a sub-attack graph on each sub-network according to the dependency relationship of the vulnerabilities inside the sub-network; and fusing the sub attack graphs of the sub networks into an attack graph of the whole network through the vulnerability dependency relationship among the sub networks. When the attack graph is established for a large-scale network, the method of community discovery is used for dividing the large network into a plurality of sub-networks, then the attack graphs are established in parallel, and finally, in the merging process, due to the characteristics of the community structure, the sub-networks are connected less, so that the sub-attack graphs are merged more quickly, and the time for establishing the large-scale network attack graph is greatly reduced.
Description
Technical Field
The invention belongs to the technical field of network security, and particularly relates to a distributed construction method, a distributed construction system and a distributed construction medium for an attack graph facing a large-scale network.
Background
With the development of information technology, network security problems are endless: network attacks are becoming more complex, multi-step and coordinated, and the network security situation is becoming more severe.
An attacker often achieves the goal of an attack by exploiting the relationships between vulnerabilities, and traditional defense methods find it hard to discover such correlated, potential attack behavior. An attack graph models the network from the attacker's perspective: it visually describes the dependency relationships between the vulnerabilities in the network and shows the attacker's attack paths, which helps a network administrator accurately identify attack behavior, quantify the impact of an attack on the system, reinforce network protection, raise the protection level and reduce the protection cost. Therefore, it is necessary to study how to construct the attack graph.
Initially, the construction of the attack graph was manually based, however, as the network scale becomes larger, the work of manually constructing the attack graph becomes cumbersome and less accurate. Therefore, the current research on the attack graph is based on automatic construction.
In 2006, Ou proposed an attack graph construction method that uses the Datalog language to describe the attack model and developed the MulVAL software to generate the attack graph automatically; its time complexity is approximately O(N^3).
In 2014, in order to measure the uncertainty of an attack, Chen Xiaojun improved on the basis of Ou's work and introduced three conditional probability transition tables representing the likelihood of an attack, the likelihood of its success and the confidence of the security system's anomaly alarm, which effectively infers the attack intention and attack path and reduces the number of false alarms.
In 2016, Ganni proposed a dynamic security risk assessment model based on a Bayesian attack graph: first a static attack graph is generated from the network topology, vulnerability information and so on; then, on that basis, the probability of an intrusion is adjusted according to the real-time intrusion events observed by Snort, a dynamic attack graph is generated, and the security situation of the network is assessed in real time.
In 2019, Qinhu et al. used a matrix to describe the privilege escalation of an attacker during the attack process and generated the attack graph from the privilege escalation matrix; the time complexity of the algorithm is about O(N^3).
The methods described above have high time complexity, and they generally build an attack graph model for the whole network, continuously escalating privileges across the whole network from the attacker's initial state in order to build the attack graph. When the network is small this is feasible, but when facing a large-scale network the time complexity required to construct the attack graph is high and the time cost is unacceptable.
Disclosure of Invention
The invention mainly aims to overcome the defects of the prior art and provide a distributed construction method, a distributed construction system and a distributed construction medium for an attack graph facing a large-scale network.
In order to achieve the purpose, the invention adopts the following technical scheme:
the invention provides a distributed construction method of an attack graph facing a large-scale network, which comprises the following steps:
dividing a large-scale network into sub-networks by adopting a community discovery algorithm, wherein the sub-networks are closely connected internally and sparsely connected with one another;
establishing a sub-attack graph on each sub-network according to the dependency relationship of the vulnerabilities inside the sub-network;
and fusing the sub attack graphs of the sub networks into an attack graph of the whole network through the vulnerability dependency relationship among the sub networks.
Preferably, the community discovery algorithm is the FastNewman algorithm, and dividing the large-scale network with the FastNewman algorithm specifically comprises the following steps:
modeling the topological structure of the network, wherein the nodes in the model represent the IP addresses of hosts and the directed edges between nodes are represented as < sourceIP, destIP >, meaning that sourceIP points to destIP;
improving the modularity formula of the FastNewman algorithm by converting the directed graph into a weighted graph, wherein the modularity of the weighted graph is calculated as follows:
where W_ij represents the weight between node i and node j, and W represents the total weight of the network;
abstracting the detected network topological structure into a graph structure and inputting it into the FastNewman algorithm, obtaining the community division result at which the modularity is maximal, and thus obtaining the topological structure of each sub-network.
Preferably, establishing the sub-attack graph on each sub-network according to the dependency relationship of the vulnerabilities inside the sub-network specifically includes:
modeling network elements, namely modeling attack behaviors and host information respectively;
obtaining host vulnerability information, so as to obtain the vulnerabilities of each host on each subgraph together with their precondition sets and consequence sets;
building a sub-attack graph for each sub-network according to the topological structure of the sub-network, the vulnerability set, the vulnerability precondition set and the vulnerability consequence set.
Preferably, the modeling of the network elements specifically includes:
attack behavior modeling, in which a model is first established for the attack behavior of an attacker; the attack behavior is represented as a triple < CveId, Precondition, Postcondition >, where CveId represents the set of identifiers of the vulnerabilities exploited by the attacker in this attack, Precondition represents the set of preconditions for exploiting this vulnerability set, and Postcondition represents the set of consequences produced after the vulnerability set is successfully exploited;
host information modeling, in which a model is established for the host information configured in the network; the host information is described by a binary group < Ipaddress, CveId >, where Ipaddress represents the IP address of the host and CveId represents the vulnerability set on the host.
Preferably, an OVAL-based vulnerability scanner is used to scan the vulnerability sets present on the hosts; Nessus vulnerability scanning software is selected to scan the hosts and obtain their vulnerability sets, and the precondition sets and consequence sets of the vulnerabilities, obtained from public vulnerability disclosures, are described in a uniform language, so that the vulnerabilities of each host on each subgraph and their precondition sets and consequence sets are obtained.
Preferably, the topology G_i = {V, E} of the sub-network has been obtained, where V denotes the set of IP addresses of all hosts of the sub-network and E denotes the set of edges connecting those IP addresses; in addition, for each node v_ij in G_i, its vulnerability set CveId_ij, the precondition set Pre_ij of CveId_ij and the consequence set Post_ij are obtained;
Algorithm input: subgraph set {G_1, G_2, ..., G_i, ..., G_n}; for sub-graph G_i = {V_i, E_i}, the vulnerability set {CveId_i1, CveId_i2, ..., CveId_ij, ..., CveId_im} of each of its nodes, the precondition sets {Pre_i1, Pre_i2, ..., Pre_ij, ..., Pre_im} and the consequence sets {Post_i1, Post_i2, ..., Post_ij, ..., Post_im};
Algorithm output: sub-attack graph set {AG_11, ..., AG_1k, AG_21, ..., AG_2k, ..., AG_n1, ..., AG_nk}.
Preferably, the step of establishing the sub-attack graph includes:
acquiring the set V_io = {v_i1, v_i2, ..., v_ij, ..., v_ik} of all nodes in G_i that are connected with external subgraphs;
assuming that the preconditions of the vulnerability sets of all nodes in V_io are satisfied, each node in V_io is used in turn as the starting point of an attack graph, giving k sub-attack graphs; since the construction processes of the k sub-attack graphs are identical, v_ij is chosen as the starting point to construct the attack graph AG_ij;
with v_ij as the starting point, the neighbour node set of v_ij is obtained; if the consequence set of v_ij satisfies the precondition set of any node v_ia in the neighbour node set, an edge from the vulnerability set CveId_ij to CveId_ia is established; then, starting from each neighbour v_ia for which an edge was established, its neighbour node set is obtained and it is judged whether the consequence set of v_ia satisfies the precondition set of each neighbour; if it satisfies the precondition set of v_ib, an edge from the vulnerability set CveId_ia to CveId_ib is established; in this way G_i is traversed in a breadth-first manner, and connections between vulnerability sets are established while all nodes are traversed. After the traversal is completed, the construction of the sub-attack graph AG_ij is complete;
the sub-attack graph set {AG_11, ..., AG_1k, AG_21, ..., AG_2k, ..., AG_n1, ..., AG_nk} is obtained in the same way.
Preferably, the node of the network where the attacker is located at the beginning is called the initial state node of the attacker, and the network where the initial node is located is called the initial sub-network; given the sub-networks G_1, G_2, ..., G_i, ..., G_n, G_i is the initial sub-network;
the specific method for fusing the sub-attack graphs comprises the following steps:
acquiring the set G_neighbor1 = {G_1, G_2, ..., G_k} of sub-networks connected with the initial sub-network G_i; if G_1 and G_i are connected, the set of edges connecting them is E_i1 and (v_ia, v_1b) is one of these edges, judging whether the consequence set of v_ia satisfies the precondition set of v_1b; if so, establishing an edge from CveId_ia to CveId_1b between AG_ia and AG_1b, so that AG_ia and AG_1b are merged and the sub-networks G_1 and G_i are combined; in this manner, the relationship between G_i and all of its neighbouring sub-networks is judged and the sub-attack graphs and networks are combined;
obtaining a merged network G_{1,...,j,...,i}, where G_{1,...,j,...,i} represents the network formed by merging the sub-networks G_1, G_j, G_i and so on; acquiring the neighbour network set G_neighbor2 of this network and merging the sub-attack graphs and networks in the same way;
merging the sub-attack graphs and sub-networks in this breadth-first manner until the merged network can no longer be merged with any of the sub-networks to which it is connected.
The invention provides a distributed construction system of the attack graph facing the large-scale network, which is applied to the distributed construction method of the attack graph facing the large-scale network and comprises a network dividing module, a sub-network construction module and a sub-attack graph fusion module;
the network dividing module is used for dividing a large-scale network into sub-networks by adopting a community discovery algorithm, the sub-networks are closely connected internally, and the sub-networks are sparsely connected with one another;
the sub-network construction module is used for establishing a sub-attack graph on each sub-network according to the dependency relationship of the vulnerabilities inside the sub-network;
and the sub-attack graph fusion module is used for fusing the sub-attack graphs of each sub-network into the attack graph of the whole network through the vulnerability dependency relationship among the sub-networks.
Still another aspect of the present invention provides a storage medium storing a program, where the program, when executed by a processor, implements the distributed construction method for an attack graph for a large-scale network.
Compared with the prior art, the invention has the following advantages and beneficial effects:
when the attack graph is established for a large-scale network, the method of community discovery is used for dividing the large network into a plurality of sub-networks, then the attack graphs are established in parallel, and finally, in the merging process, due to the characteristics of the community structure, the sub-networks are connected less, so that the sub-attack graphs are merged more quickly, and the time for establishing the large-scale network attack graph is greatly reduced.
Drawings
FIG. 1 is a flow chart of a distributed construction method of an attack graph facing a large-scale network according to an embodiment of the present invention;
FIG. 2 is a schematic structural diagram of a large-scale network-oriented attack graph distributed construction system according to an embodiment of the present invention;
fig. 3 is a schematic structural diagram of a storage medium according to an embodiment of the present invention.
Detailed Description
In order to make the technical solutions better understood by those skilled in the art, the technical solutions in the embodiments of the present application will be clearly and completely described below with reference to the drawings in the embodiments of the present application. It is to be understood that the embodiments described are only a few embodiments of the present application and not all embodiments. All other embodiments, which can be derived by a person skilled in the art from the embodiments given herein without making any creative effort, shall fall within the protection scope of the present application.
Examples
In the distributed construction method of the attack graph facing the large-scale network, the method for constructing the large-scale network attack graph in a distributed manner is adopted, the method divides the large-scale network into sub-networks by adopting an algorithm of community discovery, the sub-networks are closely connected internally, and the sub-networks are sparsely connected with each other; then, establishing an attack graph of each sub-network on each sub-network according to the incidence relation among the vulnerabilities; and finally, fusing the attack graphs of the sub-networks into the attack graph of the whole network through the vulnerability dependency relationship among the sub-networks.
As shown in fig. 1, the distributed construction method of the attack graph for the large-scale network in the embodiment includes the following steps:
s1, dividing the large-scale network into sub-networks by adopting a community discovery algorithm, wherein the sub-networks are closely connected internally and the sub-networks are sparsely connected with each other.
Community discovery algorithms come in several kinds and, according to the kind of hierarchical division they use, can be divided into split-based (divisive) and condensation-based (agglomerative) algorithms. The classical divisive algorithm is the GN algorithm, but it is time-consuming on a large-scale network and therefore not suitable; the classical agglomerative algorithm is the FastNewman algorithm, a greedy algorithm based on modularity maximization that can divide a large-scale network into communities quickly. Therefore, the FastNewman algorithm is selected for dividing the large-scale network into communities in this embodiment.
The FastNewman algorithm is a greedy algorithm based on modularity maximization, and the modularity is one of the standards for measuring community discovery results. The tighter the internal connection of the communities is, the sparser the connection between the communities is, the greater the modularity is, and the calculation formula of the modularity is as follows:
where k_i represents the degree of node i, k_j the degree of node j, m the total number of edges in the network, and a_ij the connection relation between node i and node j, taking the value 1 if an edge exists between them and 0 otherwise; δ(c_i, c_j) takes the value 1 if node i and node j are in the same community and 0 otherwise.
The core idea of the FastNewman algorithm is to initially regard each node in the network as its own community, and then repeatedly merge the pair of communities whose merge increases the modularity the most (or decreases it the least), until all nodes of the network have been merged into a single community; the merging result with the largest modularity is taken as the best community division.
Further, in this embodiment, the FastNewman algorithm is applied to the technical solution of the present invention to perform large-scale network division, which is specifically as follows:
firstly, a network topology structure needs to be modeled, nodes in the model represent the IP of a host, and directed edges connected between the nodes are represented as < sourceIP, destIP >, which means that sourceIP points to destIP. Because the network topology is a directed graph, a calculation formula of the modularity is needed to be improved, and a method for converting the directed graph into a weighted graph is adopted, wherein the calculation method of the modularity of the weighted graph is as follows:
wherein WijRepresenting the weights of node i and node j, W representing the total weight of the network.
Here, the detected network topology is abstracted to a graph structure, and the graph structure is input into the FastNewman algorithm, so as to obtain the community division result when the modularity is the maximum, and obtain the topology structure of each sub-network.
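As an added example (not code from the patent), the following Python converts a directed < sourceIP, destIP > topology into the weighted graph described above and runs the greedy FastNewman agglomeration on it, keeping the division with the highest modularity. The six-host topology, the node names and the use of Newman's e_ij / a_i bookkeeping for the modularity gain are assumptions of this example.

```python
from collections import defaultdict

# Constructed sample topology (assumption, not from the patent): directed
# <sourceIP, destIP> edges for two densely wired host groups joined by one link.
DIRECTED_EDGES = [
    ("10.0.1.1", "10.0.1.2"), ("10.0.1.2", "10.0.1.1"),
    ("10.0.1.1", "10.0.1.3"), ("10.0.1.3", "10.0.1.1"),
    ("10.0.1.2", "10.0.1.3"), ("10.0.1.3", "10.0.1.2"),
    ("10.0.2.1", "10.0.2.2"), ("10.0.2.2", "10.0.2.1"),
    ("10.0.2.1", "10.0.2.3"), ("10.0.2.3", "10.0.2.1"),
    ("10.0.2.2", "10.0.2.3"), ("10.0.2.3", "10.0.2.2"),
    ("10.0.1.1", "10.0.2.1"),  # the single sparse link between the two groups
]


def directed_to_weighted(edges):
    """Collapse <sourceIP, destIP> edges into an undirected weighted graph:
    W_ij counts the directed edges between i and j in either direction."""
    w = defaultdict(float)
    for src, dst in edges:
        if src != dst:
            w[(min(src, dst), max(src, dst))] += 1.0
    return dict(w)


def fast_newman(weights):
    """Greedy agglomeration: every node starts as its own community; the connected
    pair whose merge raises modularity most (or lowers it least) is merged until
    one community remains, and the division with the highest modularity is kept.
    Bookkeeping (assumed, standard Newman form): e_ij is the fraction of total
    weight between communities i and j, a_i = sum_j e_ij, Q = sum_i (e_ii - a_i^2)
    and the gain of merging i and j is dQ = 2 * (e_ij - a_i * a_j)."""
    total = sum(weights.values())
    e = defaultdict(lambda: defaultdict(float))
    a = defaultdict(float)
    for (u, v), wt in weights.items():
        f = wt / (2.0 * total)
        e[u][v] += f
        e[v][u] += f
        a[u] += f
        a[v] += f
    comms = {n: {n} for n in a}
    q = sum(e[c][c] - a[c] ** 2 for c in comms)
    best_q, best = q, [frozenset(c) for c in comms.values()]
    while len(comms) > 1:
        cand = [(2.0 * (e[i][j] - a[i] * a[j]), i, j)
                for i in comms for j in e[i] if i < j]
        if not cand:  # remaining communities are not connected to each other
            break
        dq, i, j = max(cand)
        for k, f in list(e[j].items()):  # fold community j into community i
            if k == j:
                continue
            e[i][k] += f
            e[k][i] += f
            del e[k][j]
        e[i][i] += e[j][j]
        del e[j]
        a[i] += a.pop(j)
        comms[i] |= comms.pop(j)
        q += dq
        if q > best_q:
            best_q, best = q, [frozenset(c) for c in comms.values()]
    return best, best_q


if __name__ == "__main__":
    division, q = fast_newman(directed_to_weighted(DIRECTED_EDGES))
    print(f"modularity {q:.4f}")
    for community in division:
        print(sorted(community))
```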
S2, establishing a sub-attack graph on each sub-network according to the dependency relationship of the vulnerabilities inside the sub-network;
S2.1, modeling network elements:
(a) Modeling of attack behavior:
Firstly, a model is established for the attack behavior of an attacker, the attack behavior is represented in the embodiment by adopting a triple form, the triple is < CveId, Precondition and Postcondition >, wherein the CveId represents a number set of the vulnerability exploited by the attack at this time, the Precondition represents a Precondition set for exploiting the vulnerability set, and the Postcondition represents a result set generated after the vulnerability set is successfully exploited.
(b) Modeling host information:
in this embodiment, a model is established for host information configured in a network, and the host information is described by using a binary set < Ipaddress, CveId >, where the Ipaddress represents an ip address of a host, and the CveId represents a vulnerability set on the host.
S2.2, acquiring host vulnerability information;
the vulnerability scanner based on the OVAL can be adopted to scan vulnerability sets existing on the hosts, and Nessus vulnerability scanning software is selected to scan the hosts to obtain the vulnerability sets of the hosts.
The vulnerability precondition sets and consequence sets are acquired from public sources such as the Common Vulnerabilities and Exposures list CVE, the national information security vulnerability sharing platform CNVD and the national vulnerability database NVD, and are described in a uniform language. In this way the vulnerabilities of each host on each sub-graph, together with their precondition and consequence sets, are obtained.
S2.3, constructing a sub-attack graph by each sub-network:
the topology G of the sub-network has been obtainediWhere V denotes the Ip address set of all hosts of the subnet and E denotes the Ip address of the Ip addressThe set of edges connected between. In addition thereto also obtain GiEach node v in the graphijAnd CveId of the vulnerabilityijAnd CveIdijPresence set PreijAnd consequence set Postij。
The input of the algorithm is as follows: subgraph set { G1,G2,...,Gi,...,Gn}, sub-graph Gi={Vi,EiVulnerability set { CveId) of each node on the }i1,CveIdi2,...,CveIdij,...,CveIdimAnd a set of preconditions { Pre }i1,Prei2,...,Preij,...,PreimAnd the consequence set { Post }i1,Posti2,...,Postij,...,Postim}
And (3) outputting an algorithm: sub attack graph set { AG11,...,AG1k,AG21,...,AG2k,...,AGn1,...,AGnk}
Since the steps of creating the attack graph for all the subgraphs are performed uniformly and simultaneously, the embodiment only gives the subgraph GiThe steps of other subgraphs are consistent with the process of constructing the sub-attack graph, which is specifically as follows:
(a) acquiring all node sets V connected with external subgraphs in Giio={vi1,vi2,...,vij,...,vik};
(b) Suppose VioThe preconditions of the vulnerability sets of all nodes in the system are all satisfied, VioEach node in the attack graph is respectively used as a starting point of the attack graph to establish k sub-attack graphs, and v is selected as the starting point of the attack graph because the establishment processes of the k sub-attack graphs are consistentijAs a starting point, an attack graph AG is establishedij;
(c) With vijAs a starting point, obtain vijIf v is a set of neighboring nodesijCan satisfy any node v in the neighbor node setiaThen a set of CveId is establishedijPointing direction CveIdiaAnd then from these neighbors v that establish the edge relationshipiaStarting to obtain its neighbor node setAnd if the result set meets the precondition set of the neighbor node, judging whether the result set meets the precondition set of the neighbor node, and if the result set meets vibIf the premise set is set, a vulnerability set CveId is establishediaPointing direction CveIdibThus, traverse G in a breadth-first manneriEstablishing connection between vulnerability sets while traversing all nodes; after the traversal is completed, the sub attack graph AGijAnd (5) completing construction.
Acquiring a sub-attack graph set { AG) by adopting the modes of (a), (b) and (c)11,...,AG1k,AG21,...,AG2k,...,AGn1,...,AGnk}。
And S3, fusing the sub attack graphs of the sub networks into an attack graph of the whole network through the vulnerability dependency relationship among the sub networks.
The node of the network where the attacker is located at the beginning is called the initial state node of the attacker, and the network where the initial node is located is called the initial sub-network; given the sub-networks G_1, G_2, ..., G_i, ..., G_n, let G_i be the initial sub-network.
(a) Acquire the set G_neighbor1 = {G_1, G_2, ..., G_k} of sub-networks connected with the initial sub-network G_i. If G_1 and G_i are connected, the set of edges connecting them is E_i1 and (v_ia, v_1b) is one of these edges, judge whether the consequence set of v_ia satisfies the precondition set of v_1b; if so, establish an edge from CveId_ia to CveId_1b between AG_ia and AG_1b, so that AG_ia and AG_1b are merged and the sub-networks G_1 and G_i are combined. In this way, the relationship between G_i and all of its neighbouring sub-networks is judged, and the sub-attack graphs and networks are merged in the manner described above.
(b) Through step (a), a merged network G_{1,...,j,...,i} is obtained, where G_{1,...,j,...,i} represents the network formed by merging the sub-networks G_1, G_j, G_i and so on; then acquire the neighbour network set G_neighbor2 of this network and merge the sub-attack graphs and networks in the manner of (a).
(c) In this way, the sub-attack graphs and sub-networks are merged in the breadth-first manner of steps (a) and (b) until the merged network can no longer be merged with any of the sub-networks connected to it.
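The following Python, added here and not taken from the patent, runs steps (a) to (c) of S2.3 and the breadth-first fusion of S3 on a constructed three-sub-network example. The host data, the sub-network names, the treatment of the attacker's initial node as an additional starting point, and the reading of "satisfies" as a subset test are assumptions of this example.

```python
from collections import defaultdict, deque, namedtuple

# Host model from the patent: a vulnerability id set CveId with its precondition
# set Pre and consequence set Post (one vulnerability entry per host here).
Host = namedtuple("Host", "cve pre post")

# Constructed sample data (assumption, not from the patent): hosts of three
# sub-networks G1, G2, G3 as produced by the community-division step.
HOSTS = {
    "10.0.1.1": Host("CVE-1", {"net"}, {"user"}),
    "10.0.1.2": Host("CVE-2", {"user"}, {"root"}),
    "10.0.1.3": Host("CVE-3", {"root"}, {"root", "cred"}),
    "10.0.2.1": Host("CVE-4", {"cred"}, {"admin"}),
    "10.0.2.2": Host("CVE-5", {"admin"}, {"data"}),
    "10.0.3.1": Host("CVE-6", {"user"}, {"dev"}),
}
# G_i = {V_i, E_i}; edges are directed <sourceIP, destIP> pairs inside a sub-network.
SUBNETS = {
    "G1": {"nodes": {"10.0.1.1", "10.0.1.2", "10.0.1.3"},
           "edges": {("10.0.1.1", "10.0.1.2"), ("10.0.1.2", "10.0.1.3"),
                     ("10.0.1.1", "10.0.1.3")}},
    "G2": {"nodes": {"10.0.2.1", "10.0.2.2"}, "edges": {("10.0.2.1", "10.0.2.2")}},
    "G3": {"nodes": {"10.0.3.1"}, "edges": set()},
}
# Edges crossing sub-network boundaries (the patent's E_i1 between G_i and G_1).
CROSS_EDGES = {("10.0.1.3", "10.0.2.1"), ("10.0.1.2", "10.0.3.1")}


def satisfies(v, u, hosts):
    """Post(v) satisfies Pre(u): every precondition of u is a consequence of v
    (subset test; an assumption about how the patent's 'satisfies' is evaluated)."""
    return hosts[u].pre <= hosts[v].post


def entry_nodes(sub, cross_edges, extra=()):
    """Step (a): V_io, the nodes of a sub-network touching an external edge.
    `extra` lets the attacker's initial node count as a start as well (assumption)."""
    ext = {v for e in cross_edges for v in e if v in sub["nodes"]}
    return sorted(ext | {x for x in extra if x in sub["nodes"]})


def build_sub_attack_graph(sub, hosts, start):
    """Steps (b)-(c): AG_ij as a set of CveId -> CveId edges, found by a breadth-first
    walk from `start` over E_i that links v to u whenever Post(v) satisfies Pre(u)."""
    adj = defaultdict(set)
    for a, b in sub["edges"]:
        adj[a].add(b)
    edges, seen, queue = set(), {start}, deque([start])
    while queue:
        v = queue.popleft()
        for u in sorted(adj[v]):
            if satisfies(v, u, hosts):
                edges.add((hosts[v].cve, hosts[u].cve))
                if u not in seen:
                    seen.add(u)
                    queue.append(u)
    return edges


def fuse_attack_graphs(subnets, cross_edges, hosts, attacker):
    """S3: start from the sub-network holding the attacker's initial node and merge
    neighbouring sub-networks breadth-first. A cross edge (v_ia, v_1b) joins AG_ia and
    AG_1b through the edge CveId_ia -> CveId_1b when Post(v_ia) satisfies Pre(v_1b).
    Returns the fused attack graph and the set of sub-networks it reached."""
    owner = {v: name for name, sub in subnets.items() for v in sub["nodes"]}
    sub_ags = {(name, s): build_sub_attack_graph(sub, hosts, s)
               for name, sub in subnets.items()
               for s in entry_nodes(sub, cross_edges, (attacker,))}
    start = owner[attacker]
    merged, queue = {start}, deque([start])
    graph = set(sub_ags[(start, attacker)])
    while queue:
        gi = queue.popleft()
        for va, vb in sorted(cross_edges):
            gj = owner[vb]
            if owner[va] != gi or not satisfies(va, vb, hosts):
                continue  # edge leaves another sub-network, or the precondition fails
            graph |= sub_ags[(gi, va)] | sub_ags[(gj, vb)]
            graph.add((hosts[va].cve, hosts[vb].cve))
            if gj not in merged:
                merged.add(gj)
                queue.append(gj)
    return graph, merged


if __name__ == "__main__":
    fused, reached = fuse_attack_graphs(SUBNETS, CROSS_EDGES, HOSTS, "10.0.1.1")
    print("merged sub-networks:", sorted(reached))
    for src, dst in sorted(fused):
        print(f"{src} -> {dst}")
```

In the sample, G3 is never merged because the only cross edge into it leaves from a host whose consequence set does not cover the target's precondition, which is exactly the check that keeps the fused graph from growing with every topological link.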
As shown in fig. 2, in another embodiment, a distributed attack graph construction system facing a large-scale network is provided, and the system includes a network partitioning module, a sub-network construction module, and a sub-attack graph fusion module;
the network dividing module is used for dividing a large-scale network into sub-networks by adopting a community discovery algorithm, the sub-networks are closely connected internally, and the sub-networks are sparsely connected with one another;
the sub-network construction module is used for establishing a sub-attack graph on each sub-network according to the dependency relationship of the vulnerabilities inside the sub-network;
and the sub-attack graph fusion module is used for fusing the sub-attack graphs of each sub-network into the attack graph of the whole network through the vulnerability dependency relationship among the sub-networks.
It should be noted that the system provided in the above embodiment is only illustrated by the division of the functional modules, and in practical applications, the function allocation may be completed by different functional modules according to needs, that is, the internal structure is divided into different functional modules to complete all or part of the functions described above.
As shown in fig. 3, in another embodiment of the present application, a storage medium is further provided, where a program is stored, and when the program is executed by a processor, the method for implementing distributed construction of an attack graph for a large-scale network is implemented, specifically:
dividing a large-scale network into sub-networks by adopting a community discovery algorithm, wherein the sub-networks are closely connected internally and sparsely connected with one another;
establishing a sub-attack graph on each sub-network according to the dependency relationship of the vulnerabilities inside the sub-network;
and fusing the sub attack graphs of the sub networks into an attack graph of the whole network through the vulnerability dependency relationship among the sub networks.
It should be understood that portions of the present application may be implemented in hardware, software, firmware, or a combination thereof. In the above embodiments, the various steps or methods may be implemented in software or firmware stored in memory and executed by a suitable instruction execution system. For example, if implemented in hardware, as in another embodiment, any one or combination of the following techniques, which are known in the art, may be used: a discrete logic circuit having a logic gate circuit for implementing a logic function on a data signal, an application specific integrated circuit having an appropriate combinational logic gate circuit, a Programmable Gate Array (PGA), a Field Programmable Gate Array (FPGA), or the like.
The above embodiments are preferred embodiments of the present invention, but the present invention is not limited to the above embodiments, and any other changes, modifications, substitutions, combinations, and simplifications which do not depart from the spirit and principle of the present invention should be construed as equivalents thereof, and all such changes, modifications, substitutions, combinations, and simplifications are intended to be included in the scope of the present invention.
Claims (8)
1. The distributed construction method of the attack graph facing to the large-scale network is characterized by comprising the following steps:
dividing a large-scale network into sub-networks by adopting a community discovery algorithm, wherein the sub-networks are closely connected internally and sparsely connected with one another;
establishing a sub-attack graph on each sub-network according to the dependency relationship of the vulnerabilities inside the sub-network; the steps of establishing the sub-attack graph are as follows:
the topology G_i = {V, E} of the sub-network, where V denotes the set of IP addresses of all hosts of the sub-network and E denotes the set of edges connecting those IP addresses; in addition, for each node v_ij in G_i, its vulnerability set CveId_ij, the precondition set Pre_ij of CveId_ij and the consequence set Post_ij are obtained;
algorithm input: subgraph set {G_1, G_2, ..., G_i, ..., G_n}; for sub-graph G_i = {V_i, E_i}, the vulnerability set {CveId_i1, CveId_i2, ..., CveId_ij, ..., CveId_im} of each of its nodes, the precondition sets {Pre_i1, Pre_i2, ..., Pre_ij, ..., Pre_im} and the consequence sets {Post_i1, Post_i2, ..., Post_ij, ..., Post_im};
algorithm output: sub-attack graph set {AG_11, ..., AG_1k, AG_21, ..., AG_2k, ..., AG_n1, ..., AG_nk};
Fusing the sub attack graphs of each sub network into an attack graph of the whole network through the vulnerability dependency relationship among the sub networks;
the node of the network where the attacker is located at the beginning is called the initial state node of the attacker, and the network where the initial node is located is called the initial sub-network; given the sub-networks G_1, G_2, ..., G_i, ..., G_n, G_i is the initial sub-network;
the specific method for fusing the sub-attack graphs comprises the following steps:
acquiring the set of sub-networks connected with the initial sub-network G_i, G_{neighbor1} = {G_1, G_2, ..., G_k}; if G_1 and G_i are connected and the set of connecting edges is E_{i1}, with (v_{ia}, v_{1b}) being one of these edges, judging whether the consequence set of v_{ia} satisfies the precondition set of v_{1b}; if satisfied, an edge from CveId_{ia} pointing to CveId_{1b} is established between the sub-attack graph AG_{ia} and the sub-attack graph AG_{1b}, thereby merging AG_{ia} and AG_{1b}, and the sub-networks G_1 and G_i are merged; in this manner, the relationship of G_i with all of its neighbouring sub-networks is judged and the sub-attack graphs and networks are merged;
a merged network G_{1,...,j,...,i} is obtained, where G_{1,...,j,...,i} represents the network formed by merging the sub-networks G_1, G_j and G_i; the neighbouring network set G_{neighbor2} of this merged network is acquired, and the sub-attack graphs and networks are merged in the same way;
the sub-attack graphs and sub-networks are merged in this breadth-first manner until the merged network can no longer be merged with any of the sub-networks to which it is connected.
2. The distributed construction method of the attack graph facing the large-scale network according to claim 1, wherein the community discovery algorithm is a FastNewman algorithm, and the large-scale network partitioning by using the FastNewman algorithm specifically comprises:
modeling the topological structure of the network, wherein the nodes in the model represent host IPs and the directed edges between nodes are represented as <sourceIP, destIP>, meaning that the sourceIP points to the destIP;
the modularity formula of the FastNewman algorithm is improved by converting the directed graph into a weighted graph, and the modularity of the weighted graph is calculated as follows:
wherein represents the weight of node i and node j, and W represents the total weight of the network;
the detected network topological structure is abstracted into a graph structure and is input into a FastNewman algorithm, and a community division result when the modularity is the maximum is obtained, so that the topological structure of each sub-network is obtained.
3. The distributed construction method of the attack graph facing the large-scale network according to claim 1, wherein the attack graph is built on each sub-network according to the dependency relationship of the vulnerabilities inside the sub-network, specifically:
modeling network elements, and respectively modeling attack behaviors and host information;
obtaining host vulnerability information, so as to obtain the vulnerabilities, precondition set and consequence set of each host on each sub-graph;
a sub-attack graph is built for each sub-network according to the topological structure of the sub-network, its vulnerability set, and the vulnerability precondition set and consequence set.
4. The distributed construction method of the attack graph facing the large-scale network according to claim 3, wherein the network element modeling specifically comprises:
the attack behavior modeling comprises first establishing a model of the attacker's attack behavior, represented as a triple <CveId, Precondition, Postcondition>, wherein CveId represents the number set of the vulnerabilities used by the attacker at this time, Precondition represents the precondition set for using the vulnerability set, and Postcondition represents the consequence set produced after the vulnerability set is successfully used;
the host information modeling establishes a model of the host information configured in the network, describing the host information by a two-tuple <IpAddress, CveId>, wherein IpAddress represents the IP address of the host and CveId represents the vulnerability set on the host.
5. The distributed construction method of the attack graph facing the large-scale network according to claim 3, characterized in that an OVAL-based vulnerability scanner is adopted to scan the vulnerability sets existing on the hosts, Nessus vulnerability scanning software being selected to scan the hosts and obtain the vulnerability set of each host; based on the publicly available precondition sets and consequence sets of vulnerabilities, a unified language is adopted to describe the precondition set and consequence set of each vulnerability, thereby obtaining the vulnerabilities of each host on each sub-graph together with their precondition sets and consequence sets.
6. The distributed construction method of the attack graph facing the large-scale network according to claim 1, wherein the step of establishing the sub-attack graph is as follows:
acquiring the set V_{io} = {v_{i1}, v_{i2}, ..., v_{ij}, ..., v_{ik}} of all nodes in G_i that are connected with external subgraphs;
supposing that the preconditions of the vulnerability sets of all nodes in V_{io} are satisfied, each node in V_{io} is used in turn as the starting point of an attack graph to establish k sub-attack graphs; since the establishment processes of the k sub-attack graphs are identical, v_{ij} is taken as the starting point to establish the attack graph AG_{ij};
with v_{ij} as the starting point, the neighbouring node set of v_{ij} is obtained; if the consequence set of v_{ij} can satisfy the precondition set of any node v_{ia} in the neighbouring node set, an edge from the vulnerability set CveId_{ij} pointing to CveId_{ia} is established; then, starting from those neighbours v_{ia} for which an edge relationship was established, their neighbouring node sets are acquired and it is judged whether the consequence set of v_{ia} satisfies the precondition set of a neighbouring node v_{ib}; if so, an edge from the vulnerability set CveId_{ia} pointing to CveId_{ib} is established; in this way G_i is traversed in a breadth-first manner, establishing connections between vulnerability sets while traversing all nodes; after the traversal is completed, the construction of the sub-attack graph AG_{ij} is complete;
obtaining the sub-attack graph set {AG_{11}, ..., AG_{1k}, AG_{21}, ..., AG_{2k}, ..., AG_{n1}, ..., AG_{nk}} in the same way.
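The breadth-first sub-attack-graph construction of claim 6 and the breadth-first fusion of sub-networks of claim 1, as an added Python example that is not part of the patent. The host names, precondition and consequence labels are constructed, and "the consequence set satisfies the precondition set" is assumed to mean set inclusion (Post[u] covers Pre[w]).

```python
# Added example, not the patent's code. "Consequence set satisfies
# precondition set" is taken to mean set inclusion: post[u] >= pre[w].
from collections import deque

def build_sub_attack_graph(adj, pre, post, start):
    """Claim 6: BFS over one sub-network from boundary node `start`; the edge
    CveId_u -> CveId_w is added only when post[u] covers pre[w], and the
    traversal continues only along edges that were established."""
    edges, seen, queue = set(), {start}, deque([start])
    while queue:
        u = queue.popleft()
        for w in adj.get(u, ()):
            if pre[w] <= post[u]:
                edges.add((u, w))
                if w not in seen:
                    seen.add(w)
                    queue.append(w)
    return edges

def fuse_attack_graphs(subnets, cross_edges, pre, post, initial):
    """Claim 1: merge sub-networks breadth-first from the attacker's initial one.
    subnets: {name: {ip: [neighbour ip, ...]}}; cross_edges: directed (u, w)
    pairs whose endpoints lie in different sub-networks."""
    home = {ip: name for name, adj in subnets.items() for ip in adj}
    # one sub-attack graph per boundary node (the V_io of claim 6)
    sub_ag = {v: build_sub_attack_graph(subnets[home[v]], pre, post, v)
              for e in cross_edges for v in e}
    merged, queue, fused = {initial}, deque([initial]), set()
    while queue:
        cur = queue.popleft()
        for u, w in cross_edges:                 # only edges touching `cur`
            if cur not in (home[u], home[w]) or not pre[w] <= post[u]:
                continue                         # dependency not satisfied
            fused |= sub_ag[u] | sub_ag[w] | {(u, w)}
            other = home[w] if home[u] == cur else home[u]
            if other not in merged:              # neighbour joins the merged network
                merged.add(other)
                queue.append(other)
    return merged, fused

# Constructed sample: three sub-networks, two directed crossing edges.
SUBNETS = {"A": {"a1": ["a2"], "a2": ["a1", "a3"], "a3": []},
           "B": {"b1": ["b2"], "b2": ["b1"]},
           "C": {"c1": []}}
CROSS = [("a2", "b1"), ("b2", "c1")]
PRE = {"a1": {"net"}, "a2": {"user_a1"}, "a3": {"root_a2"},
       "b1": {"root_a2"}, "b2": {"user_b1"}, "c1": {"admin_cred"}}
POST = {"a1": {"user_a1"}, "a2": {"root_a2"}, "a3": {"data_a3"},
        "b1": {"user_b1"}, "b2": {"root_b2"}, "c1": {"root_c1"}}
```

With the sample data, fusion from sub-network A absorbs B through the satisfied edge a2 -> b1, while C stays unmerged because b2's consequences never satisfy c1's preconditions.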
7. The distributed construction system of the attack graph facing the large-scale network is characterized by being applied to the distributed construction method of the attack graph facing the large-scale network, which comprises a network dividing module, a sub-network construction module and a sub-attack graph fusion module, wherein the sub-network construction module is used for constructing the attack graph facing the large-scale network;
the network dividing module is used for dividing a large-scale network into sub-networks by adopting a community discovery algorithm, the sub-networks are closely connected internally, and the sub-networks are sparsely connected with one another;
the sub-network construction module is used for establishing a sub-attack graph on each sub-network according to the dependency relationship of the vulnerabilities inside the sub-network;
and the sub-attack graph fusion module is used for fusing the sub-attack graphs of each sub-network into the attack graph of the whole network through the vulnerability dependency relationship among the sub-networks.
8. A storage medium storing a program, wherein the program, when executed by a processor, implements the distributed construction method of the attack graph for a large-scale network according to any one of claims 1 to 6.
Priority Applications (1)
Application Number | Priority Date | Filing Date | Title |
---|---|---|---|
CN202110042899.3A CN112804231B (en) | 2021-01-13 | 2021-01-13 | Distributed construction method, system and medium for attack graph of large-scale network |
Publications (2)
Publication Number | Publication Date |
---|---|
CN112804231A CN112804231A (en) | 2021-05-14 |
CN112804231B true CN112804231B (en) | 2021-09-24 |
Family ID: 75810440
Legal Events
Code | Title |
---|---|
PB01 | Publication |
SE01 | Entry into force of request for substantive examination |
GR01 | Patent grant |