CN112804231B - Distributed construction method, system and medium for attack graph of large-scale network - Google Patents


Info

Publication number: CN112804231B
Authority: CN (China)
Application number: CN202110042899.3A
Other languages: Chinese (zh)
Other versions: CN112804231A
Inventors: 蒋来源, 李树栋, 吴晓波, 韩伟红, 方滨兴, 田志宏, 殷丽华, 顾钊铨, 张倩青, 秦丹一
Current assignee: Guangzhou University
Original assignee: Guangzhou University
Legal status: Active
Events: application filed by Guangzhou University with priority to CN202110042899.3A; publication of CN112804231A; application granted; publication of CN112804231B

Classifications

    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L 63/00 Network architectures or network communication protocols for network security
    • H04L 63/14 Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic
    • H04L 63/1408 Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic by monitoring network traffic
    • H04L 63/1416 Event detection, e.g. attack signature detection
    • H04L 63/1433 Vulnerability analysis
    • G PHYSICS
    • G06 COMPUTING; CALCULATING OR COUNTING
    • G06F ELECTRIC DIGITAL DATA PROCESSING
    • G06F 18/00 Pattern recognition
    • G06F 18/20 Analysing
    • G06F 18/25 Fusion techniques

Abstract

The invention discloses a distributed construction method, system and medium for the attack graph of a large-scale network, comprising the following steps: a community discovery algorithm divides the large-scale network into sub-networks, each of which is densely connected internally while the sub-networks are sparsely connected to one another; on each sub-network, a sub-attack graph is built from the dependency relationships among the vulnerabilities inside that sub-network; the sub-attack graphs of the sub-networks are then fused into the attack graph of the whole network through the vulnerability dependencies between sub-networks. When building an attack graph for a large-scale network, the invention first partitions the large network into multiple sub-networks by community discovery, then builds the attack graphs in parallel, and finally merges them; because the community structure leaves few connections between sub-networks, merging the sub-attack graphs is fast, which greatly reduces the time needed to construct the attack graph of a large-scale network.

Description

Distributed construction method, system and medium for attack graph of large-scale network
Technical Field
The invention belongs to the technical field of network security, and particularly relates to a distributed construction method, a distributed construction system and a distributed construction medium for an attack graph facing a large-scale network.
Background
With the development of information technology, network security problems keep emerging, network attacks are becoming more complex, multi-step and coordinated, and the network security situation is becoming more severe.
An attacker often achieves the attack goal by exploiting the correlations between vulnerabilities, and traditional defense methods find it hard to discover potential attack behaviors that rely on such correlations. An attack graph models the network from the attacker's perspective, visually describes the dependency relationships between the vulnerabilities in the network and shows the attacker's attack paths; it helps a network administrator to accurately identify attack behaviors, quantify the influence of an attack on the system, strengthen network protection, raise the protection level and reduce the protection cost. Therefore, it is necessary to study how to construct the attack graph.
Initially, attack graphs were constructed manually; however, as the network scale grows, manual construction becomes cumbersome and less accurate. Therefore, current research on attack graphs is based on automatic construction.
In 2006, Ou proposed an attack graph construction method that uses the Datalog language to describe the attack model and developed the MulVAL software to generate attack graphs automatically; its time complexity is approximately O(N^3).
In 2014, in order to measure the uncertainty of attacks, Chen Xiaojun improved on Ou's work by introducing three conditional probability transition tables representing the likelihood of an attack, the likelihood of its success and the confidence of the security system's anomaly alarms, which effectively infers the attack intention and attack path and reduces the number of false alarms.
In 2016, Ganni proposed a dynamic security risk assessment model based on a Bayesian attack graph: a static attack graph is first generated from the network topology, vulnerability information and the like; on that basis the probability of intrusion is revised according to the intrusion events observed in real time by Snort, a dynamic attack graph is generated, and the security situation of the network is assessed in real time.
In 2019, Qinhu et al. used a matrix to describe the attacker's privilege escalation during the attack process and generated the attack graph from the privilege escalation matrix; the time complexity of the algorithm is about O(N^3).
The above methods have high time complexity, and generally build the attack graph model for the whole network, escalating privileges across the whole network step by step from the attacker's initial state. This is feasible when the network is small, but for a large-scale network the time complexity of constructing the attack graph is high and the time cost is unacceptable.
Disclosure of Invention
The invention mainly aims to overcome the defects of the prior art and provide a distributed construction method, a distributed construction system and a distributed construction medium for an attack graph facing a large-scale network.
In order to achieve the purpose, the invention adopts the following technical scheme:
the invention provides a distributed construction method of an attack graph facing a large-scale network, which comprises the following steps:
dividing a large-scale network into sub-networks by adopting a community discovery algorithm, wherein the sub-networks are closely connected internally and sparsely connected with one another;
establishing a sub-attack graph on each sub-network according to the dependency relationship of the vulnerabilities inside the sub-network;
and fusing the sub attack graphs of the sub networks into an attack graph of the whole network through the vulnerability dependency relationship among the sub networks.
Preferably, the community discovery algorithm is the FastNewman algorithm, and dividing the large-scale network with the FastNewman algorithm specifically comprises the following steps:
modeling the topological structure of the network, wherein a node in the model represents the IP of a host and a directed edge between nodes is represented as <sourceIP, destIP>, meaning that the source IP points to the destination IP;
improving the modularity formula of the FastNewman algorithm by converting the directed graph into a weighted graph, the modularity of the weighted graph being calculated as follows:
(weighted-graph modularity formula; given only as an image in the original)
wherein W_ij represents the weight between node i and node j and W represents the total weight of the network;
abstracting the detected network topological structure into a graph structure, inputting it into the FastNewman algorithm and taking the community division with the maximum modularity, so as to obtain the topological structure of each sub-network.
Preferentially, the establishing of the attack graph on each sub-network according to the dependency relationship of the vulnerabilities inside the sub-network specifically includes:
modeling network elements, and respectively modeling attack behaviors and host information;
obtaining host vulnerability information to obtain vulnerability, a precursor set and an effect set of each host on each sub-graph;
each sub-network can then build its sub-attack graph from its topological structure, vulnerability set, vulnerability precondition set and vulnerability consequence set.
Preferably, modeling the network elements specifically includes:
attack behavior modeling, in which a model is first established for the attacker's attack behavior; the attack behavior is represented as a triple <CveId, Precondition, Postcondition>, where CveId represents the set of identifiers of the vulnerabilities exploited by the attacker in this step, Precondition represents the set of preconditions for exploiting that vulnerability set, and Postcondition represents the set of consequences produced once the vulnerability set is exploited successfully;
host information modeling, in which a model is established for the host information configured in the network; the host information is described by a two-tuple <Ipaddress, CveId>, where Ipaddress represents the IP address of the host and CveId represents the vulnerability set on the host.
Preferably, an OVAL-based vulnerability scanner is used to scan the vulnerability sets present on the hosts, Nessus being selected as the scanning software to obtain each host's vulnerability set; the precondition and consequence sets of the vulnerabilities are obtained from public vulnerability disclosures and described in a uniform language, giving the vulnerabilities of each host on each subgraph together with their precondition and consequence sets.
Preferably, the topology of the sub-network is G_i = {V, E}, where V denotes the set of IP addresses of all hosts of the sub-network and E denotes the set of edges connecting those IP addresses; in addition, for each node v_ij of G_i, its vulnerability set, the identifier CveId_ij of the vulnerability, and the precondition set Pre_ij and consequence set Post_ij of CveId_ij are obtained.
Algorithm input: the subgraph set {G_1, G_2, ..., G_i, ..., G_n}; for each subgraph G_i = {V_i, E_i}, the vulnerability set {CveId_i1, CveId_i2, ..., CveId_ij, ..., CveId_im} of its nodes together with the precondition sets {Pre_i1, Pre_i2, ..., Pre_ij, ..., Pre_im} and the consequence sets {Post_i1, Post_i2, ..., Post_ij, ..., Post_im}.
Algorithm output: the sub-attack graph set {AG_11, ..., AG_1k, AG_21, ..., AG_2k, ..., AG_n1, ..., AG_nk}.
Preferably, the step of establishing the sub-attack graph includes:
acquiring the set V_io = {v_i1, v_i2, ..., v_ij, ..., v_ik} of all nodes in G_i that are connected to external subgraphs;
assuming that the preconditions of the vulnerability sets of all nodes in V_io are satisfied, each node in V_io is used in turn as the starting point of an attack graph, giving k sub-attack graphs; since the k construction processes are identical, v_ij is taken as the starting point to build the attack graph AG_ij;
starting from v_ij, its neighbor node set is obtained; if the consequence set of v_ij satisfies the precondition set of a node v_ia in that neighbor set, an edge from vulnerability set CveId_ij to CveId_ia is established; then, starting from each neighbor v_ia for which an edge was established, its own neighbor set is obtained and it is judged whether the consequence set of v_ia satisfies the precondition set of each neighbor; if it satisfies the precondition set of v_ib, an edge from CveId_ia to CveId_ib is established. In this way G_i is traversed breadth-first, establishing connections between vulnerability sets as all nodes are visited; when the traversal is complete, the sub-attack graph AG_ij has been constructed;
the sub-attack graph set {AG_11, ..., AG_1k, AG_21, ..., AG_2k, ..., AG_n1, ..., AG_nk} is obtained in the same way.
Preferably, the node of the network where the attacker is located at the beginning is called the attacker's initial state node, and the network containing the initial node is called the initial sub-network; given the sub-networks G_1, G_2, ..., G_i, ..., G_n, let G_i be the initial sub-network;
the specific method for fusing the sub-attack graphs comprises the following steps:
acquiring the set G_neighbor1 = {G_1, G_2, ..., G_k} of sub-networks connected to the initial sub-network G_i; if G_1 and G_i are connected and E_i1 is the set of edges between them, then for an edge (v_ia, v_1b) in E_i1 it is judged whether the consequence set of v_ia satisfies the precondition set of v_1b; if so, an edge from CveId_ia to CveId_1b is established between AG_ia and AG_1b, and by merging AG_ia with AG_1b the sub-networks G_1 and G_i are merged; in this way the relationship between G_i and each of its neighbor sub-networks is judged, and the sub-attack graphs and networks are merged;
a merged network G_{1,...,j,...,i} is obtained, where G_{1,...,j,...,i} denotes the network merged from the sub-networks G_1, G_j, G_i and so on; the neighbor network set G_neighbor2 of this network is acquired and the sub-attack graphs and networks are merged in the same way;
the sub-attack graphs and sub-networks are merged in this breadth-first manner until the merged network can no longer be merged with any of the sub-networks connected to it.
The invention provides a distributed construction system of the attack graph facing the large-scale network, which is applied to the distributed construction method of the attack graph facing the large-scale network and comprises a network dividing module, a sub-network construction module and a sub-attack graph fusion module;
the network dividing module is used for dividing a large-scale network into sub-networks by adopting a community discovery algorithm, the sub-networks are closely connected internally, and the sub-networks are sparsely connected with one another;
the sub-network construction module is used for establishing a sub-attack graph on each sub-network according to the dependency relationship of the vulnerabilities inside the sub-network;
and the sub-attack graph fusion module is used for fusing the sub-attack graphs of each sub-network into the attack graph of the whole network through the vulnerability dependency relationship among the sub-networks.
Still another aspect of the present invention provides a storage medium storing a program, where the program, when executed by a processor, implements the distributed construction method for an attack graph for a large-scale network.
Compared with the prior art, the invention has the following advantages and beneficial effects:
when the attack graph is established for a large-scale network, the method of community discovery is used for dividing the large network into a plurality of sub-networks, then the attack graphs are established in parallel, and finally, in the merging process, due to the characteristics of the community structure, the sub-networks are connected less, so that the sub-attack graphs are merged more quickly, and the time for establishing the large-scale network attack graph is greatly reduced.
Drawings
FIG. 1 is a flow chart of a distributed construction method of an attack graph facing a large-scale network according to an embodiment of the present invention;
FIG. 2 is a schematic structural diagram of a large-scale network-oriented attack graph distributed construction system according to an embodiment of the present invention;
fig. 3 is a schematic structural diagram of a storage medium according to an embodiment of the present invention.
Detailed Description
In order to make the technical solutions better understood by those skilled in the art, the technical solutions in the embodiments of the present application will be clearly and completely described below with reference to the drawings in the embodiments of the present application. It is to be understood that the embodiments described are only a few embodiments of the present application and not all embodiments. All other embodiments, which can be derived by a person skilled in the art from the embodiments given herein without making any creative effort, shall fall within the protection scope of the present application.
Examples
In the distributed construction method of the attack graph facing the large-scale network, the method for constructing the large-scale network attack graph in a distributed manner is adopted, the method divides the large-scale network into sub-networks by adopting an algorithm of community discovery, the sub-networks are closely connected internally, and the sub-networks are sparsely connected with each other; then, establishing an attack graph of each sub-network on each sub-network according to the incidence relation among the vulnerabilities; and finally, fusing the attack graphs of the sub-networks into the attack graph of the whole network through the vulnerability dependency relationship among the sub-networks.
As shown in fig. 1, the distributed construction method of the attack graph for the large-scale network in the embodiment includes the following steps:
S1, dividing the large-scale network into sub-networks by a community discovery algorithm, wherein each sub-network is closely connected internally and the sub-networks are sparsely connected with each other.
Community discovery algorithms can be classified, by the direction of their hierarchical division, into divisive and agglomerative methods. The classic divisive algorithm is the GN algorithm, but it is too time-consuming for a large-scale network and is not suitable here. The classic agglomerative algorithm is the FastNewman algorithm, a greedy algorithm based on modularity maximization that can partition communities quickly in a large-scale network. Therefore, the FastNewman algorithm is chosen in this embodiment to partition the large-scale network into communities.
The FastNewman algorithm is a greedy algorithm based on modularity maximization, and modularity is one of the standard measures of a community discovery result. The tighter the connections inside the communities and the sparser the connections between communities, the greater the modularity; its formula is as follows:
(modularity formula; given only as an image in the original)
where k_i is the degree of node i, k_j the degree of node j, m the total number of edges in the network, a_ij the connection relation between node i and node j (1 if an edge exists between them, otherwise 0), and δ(c_i, c_j) is 1 if node i and node j are in the same community and 0 otherwise.
The core idea of the FastNewman algorithm is to initially treat each node of the network as a community of its own, and then repeatedly merge the pair of communities whose merger yields the largest increase (or smallest decrease) in modularity until all nodes of the network are merged into one community; the merging result with the largest modularity is taken as the best community division.
Further, in this embodiment, the FastNewman algorithm is applied to the technical solution of the present invention to perform large-scale network division, which is specifically as follows:
First, the network topology needs to be modeled: a node in the model represents the IP of a host, and a directed edge between nodes is represented as <sourceIP, destIP>, meaning that sourceIP points to destIP. Because the network topology is a directed graph, the modularity formula needs to be improved; the method adopted is to convert the directed graph into a weighted graph, whose modularity is calculated as follows:
(weighted-graph modularity formula; given only as an image in the original)
where W_ij represents the weight between node i and node j and W represents the total weight of the network.
The detected network topology is abstracted into a graph structure and input into the FastNewman algorithm, which yields the community division with the maximum modularity and thus the topology of each sub-network.
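As an added illustration (not code from the patent), the following Python script performs step S1 on a small constructed host graph: it collapses the directed <sourceIP, destIP> edges into a weighted undirected graph and runs a greedy FastNewman-style agglomeration. Because the modularity formula appears only as an image on this page, the script assumes the standard Newman weighted modularity, and all addresses are made up.

```python
from collections import defaultdict

# Constructed sample topology: two groups of hosts, each fully connected,
# joined by a single <sourceIP, destIP> link (addresses are made up).
DIRECTED_EDGES = [
    ("10.0.1.1", "10.0.1.2"), ("10.0.1.1", "10.0.1.3"), ("10.0.1.1", "10.0.1.4"),
    ("10.0.1.2", "10.0.1.3"), ("10.0.1.2", "10.0.1.4"), ("10.0.1.3", "10.0.1.4"),
    ("10.0.2.1", "10.0.2.2"), ("10.0.2.1", "10.0.2.3"), ("10.0.2.1", "10.0.2.4"),
    ("10.0.2.2", "10.0.2.3"), ("10.0.2.2", "10.0.2.4"), ("10.0.2.3", "10.0.2.4"),
    ("10.0.1.4", "10.0.2.1"),  # the only link between the two groups
]


def to_weighted(directed_edges):
    """Collapse directed <sourceIP, destIP> edges into an undirected weighted
    graph: the weight of {i, j} is the number of directed edges between them."""
    weights = defaultdict(float)
    for src, dst in directed_edges:
        if src != dst:
            weights[frozenset((src, dst))] += 1.0
    return dict(weights)


def modularity(weights, membership):
    """Weighted modularity, assumed to be the standard Newman form
    Q = (1/2W) * sum_ij [W_ij - s_i s_j / (2W)] * delta(c_i, c_j), where W is
    the total weight and s_i the strength (weighted degree) of node i. Summed
    per community c this is in_c / W - (tot_c / 2W)^2."""
    total = sum(weights.values())
    strength = defaultdict(float)
    inside = defaultdict(float)  # weight of edges inside each community
    for pair, w in weights.items():
        i, j = tuple(pair)
        strength[i] += w
        strength[j] += w
        if membership[i] == membership[j]:
            inside[membership[i]] += w
    tot = defaultdict(float)  # summed strength of each community
    for node, s in strength.items():
        tot[membership[node]] += s
    return sum(inside[c] / total - (tot[c] / (2 * total)) ** 2 for c in tot)


def communities(membership):
    """Group hosts by community label into a set of frozensets."""
    groups = defaultdict(set)
    for node, label in membership.items():
        groups[label].add(node)
    return {frozenset(g) for g in groups.values()}


def fast_newman(weights):
    """Greedy agglomerative modularity maximisation (FastNewman): start with one
    community per host, repeatedly merge the connected pair of communities whose
    union raises Q the most (or lowers it the least), and return the partition
    with the highest Q seen together with that Q."""
    nodes = sorted({n for pair in weights for n in pair})
    membership = {n: n for n in nodes}
    best_q, best = modularity(weights, membership), dict(membership)
    while len(set(membership.values())) > 1:
        # only communities joined by at least one edge are merge candidates
        candidates = set()
        for pair in weights:
            i, j = tuple(pair)
            if membership[i] != membership[j]:
                candidates.add(frozenset((membership[i], membership[j])))
        if not candidates:
            break  # disconnected graph: nothing left to merge
        chosen, chosen_q = None, float("-inf")
        for cand in sorted(candidates, key=sorted):  # deterministic tie-break
            a, b = sorted(cand)
            trial = {n: (a if c == b else c) for n, c in membership.items()}
            q = modularity(weights, trial)
            if q > chosen_q:
                chosen, chosen_q = trial, q
        membership = chosen
        if chosen_q > best_q:
            best_q, best = chosen_q, dict(membership)
    return communities(best), best_q


def partition_hosts(directed_edges):
    """Sub-network topologies G_1..G_n for a directed host graph (step S1)."""
    return fast_newman(to_weighted(directed_edges))


if __name__ == "__main__":
    subnets, q = partition_hosts(DIRECTED_EDGES)
    for sub in sorted(subnets, key=sorted):
        print(sorted(sub))
    print(f"modularity Q = {q:.4f}")
```

The full recomputation of Q per candidate merge is quadratic and only meant to make the greedy step explicit; a production FastNewman keeps incremental ΔQ tables.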
S2, establishing a sub-attack graph on each sub-network according to the dependency relationship of the vulnerabilities inside the sub-network;
S2.1, modeling network elements:
(a) modeling of attack behavior
Firstly, a model is established for the attack behavior of an attacker, the attack behavior is represented in the embodiment by adopting a triple form, the triple is < CveId, Precondition and Postcondition >, wherein the CveId represents a number set of the vulnerability exploited by the attack at this time, the Precondition represents a Precondition set for exploiting the vulnerability set, and the Postcondition represents a result set generated after the vulnerability set is successfully exploited.
(b) Modeling host information:
In this embodiment, a model is established for the host information configured in the network; the host information is described by a two-tuple <Ipaddress, CveId>, where Ipaddress represents the IP address of a host and CveId represents the vulnerability set on that host.
S2.2, acquiring host vulnerability information;
the vulnerability scanner based on the OVAL can be adopted to scan vulnerability sets existing on the hosts, and Nessus vulnerability scanning software is selected to scan the hosts to obtain the vulnerability sets of the hosts.
The vulnerability precondition and consequence sets are acquired from sources such as Common Vulnerabilities and Exposures (CVE), the national information security vulnerability sharing platform (CNVD) and the National Vulnerability Database (NVD), and are described in a uniform language. The vulnerabilities of each host on each sub-graph, together with their precondition and consequence sets, can thus be obtained.
S2.3, constructing a sub-attack graph by each sub-network:
the topology G of the sub-network has been obtainediWhere V denotes the Ip address set of all hosts of the subnet and E denotes the Ip address of the Ip addressThe set of edges connected between. In addition thereto also obtain GiEach node v in the graphijAnd CveId of the vulnerabilityijAnd CveIdijPresence set PreijAnd consequence set Postij
The input of the algorithm is as follows: subgraph set { G1,G2,...,Gi,...,Gn}, sub-graph Gi={Vi,EiVulnerability set { CveId) of each node on the }i1,CveIdi2,...,CveIdij,...,CveIdimAnd a set of preconditions { Pre }i1,Prei2,...,Preij,...,PreimAnd the consequence set { Post }i1,Posti2,...,Postij,...,Postim}
And (3) outputting an algorithm: sub attack graph set { AG11,...,AG1k,AG21,...,AG2k,...,AGn1,...,AGnk}
Since the steps of creating the attack graph for all the subgraphs are performed uniformly and simultaneously, the embodiment only gives the subgraph GiThe steps of other subgraphs are consistent with the process of constructing the sub-attack graph, which is specifically as follows:
(a) acquiring all node sets V connected with external subgraphs in Giio={vi1,vi2,...,vij,...,vik};
(b) Suppose VioThe preconditions of the vulnerability sets of all nodes in the system are all satisfied, VioEach node in the attack graph is respectively used as a starting point of the attack graph to establish k sub-attack graphs, and v is selected as the starting point of the attack graph because the establishment processes of the k sub-attack graphs are consistentijAs a starting point, an attack graph AG is establishedij
(c) With vijAs a starting point, obtain vijIf v is a set of neighboring nodesijCan satisfy any node v in the neighbor node setiaThen a set of CveId is establishedijPointing direction CveIdiaAnd then from these neighbors v that establish the edge relationshipiaStarting to obtain its neighbor node setAnd if the result set meets the precondition set of the neighbor node, judging whether the result set meets the precondition set of the neighbor node, and if the result set meets vibIf the premise set is set, a vulnerability set CveId is establishediaPointing direction CveIdibThus, traverse G in a breadth-first manneriEstablishing connection between vulnerability sets while traversing all nodes; after the traversal is completed, the sub attack graph AGijAnd (5) completing construction.
Acquiring a sub-attack graph set { AG) by adopting the modes of (a), (b) and (c)11,...,AG1k,AG21,...,AG2k,...,AGn1,...,AGnk}。
S3, fusing the sub-attack graphs of the sub-networks into the attack graph of the whole network through the vulnerability dependency relationships between the sub-networks.
The node of the network where the attacker is located at the beginning is called the attacker's initial state node, and the network containing the initial node is called the initial sub-network. Given the sub-networks G_1, G_2, ..., G_i, ..., G_n, let G_i be the initial sub-network.
(a) Acquire the set G_neighbor1 = {G_1, G_2, ..., G_k} of sub-networks connected to the initial sub-network G_i. If G_1 and G_i are connected and E_i1 is the set of edges between them, then for an edge (v_ia, v_1b) in E_i1, judge whether the consequence set of v_ia satisfies the precondition set of v_1b; if so, establish an edge from CveId_ia to CveId_1b between AG_ia and AG_1b, and by merging AG_ia with AG_1b the sub-networks G_1 and G_i are merged. In this way, the relationship between G_i and each of its neighbor sub-networks is judged, and the sub-attack graphs and networks are merged as described.
(b) Step (a) yields a merged network G_{1,...,j,...,i}, which denotes the network merged from the sub-networks G_1, G_j, G_i and so on; its neighbor network set G_neighbor2 is then acquired and the sub-attack graphs and networks are merged in the manner of (a).
(c) The sub-attack graphs and sub-networks are merged in this breadth-first manner by repeating steps (a) and (b) until the merged network can no longer be merged with any of the sub-networks connected to it.
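The following Python script, added here and not taken from the patent, walks through steps S2.3 and S3 on a constructed example: breadth-first construction of a sub-attack graph AG_ij from a starting node v_ij, and breadth-first fusion across sub-networks over cross-edges (v_ia, v_1b). The hosts, sub-networks and CVE-EXAMPLE-* identifiers are placeholders, and the rule that a consequence set "satisfies" a precondition set is assumed to be subset inclusion, which the page does not define.

```python
from collections import defaultdict, deque

# Constructed sample data; addresses and CVE-EXAMPLE-* identifiers are placeholders.
# Host model <Ipaddress, CveId>, one vulnerability per host for brevity.
HOST_CVE = {
    "10.0.1.1": "CVE-EXAMPLE-1", "10.0.1.2": "CVE-EXAMPLE-2", "10.0.1.3": "CVE-EXAMPLE-3",
    "10.0.2.1": "CVE-EXAMPLE-4", "10.0.2.2": "CVE-EXAMPLE-5", "10.0.3.1": "CVE-EXAMPLE-6",
}
# Attack-behaviour model <CveId, Precondition, Postcondition>.
VULNS = {
    "CVE-EXAMPLE-1": ({"reach:10.0.1.1"}, {"root:10.0.1.1", "cred:db"}),
    "CVE-EXAMPLE-2": ({"root:10.0.1.1"}, {"root:10.0.1.2"}),
    "CVE-EXAMPLE-3": ({"root:10.0.1.2"}, {"root:10.0.1.3"}),
    "CVE-EXAMPLE-4": ({"root:10.0.1.3"}, {"root:10.0.2.1"}),
    "CVE-EXAMPLE-5": ({"root:10.0.2.1"}, {"root:10.0.2.2"}),
    "CVE-EXAMPLE-6": ({"root:10.0.1.2"}, {"root:10.0.3.1"}),
}
# Sub-networks G_1..G_3 as step S1 would produce them.
SUBNETS = {
    "G1": {"10.0.1.1", "10.0.1.2", "10.0.1.3"},
    "G2": {"10.0.2.1", "10.0.2.2"},
    "G3": {"10.0.3.1"},
}
# Directed <sourceIP, destIP> edges inside and between sub-networks.
EDGES = [
    ("10.0.1.1", "10.0.1.2"), ("10.0.1.1", "10.0.1.3"), ("10.0.1.2", "10.0.1.3"),
    ("10.0.2.1", "10.0.2.2"),
    ("10.0.1.3", "10.0.2.1"),  # G1 -> G2
    ("10.0.1.1", "10.0.3.1"),  # G1 -> G3
]


def adjacency(edges):
    """Successor lists for the directed edge set."""
    adj = defaultdict(list)
    for src, dst in edges:
        adj[src].append(dst)
    return adj


def satisfies(post, pre):
    """Assumed matching rule (the page does not define it): a consequence set
    satisfies a precondition set when every precondition is among the consequences."""
    return pre <= post


def boundary_nodes(sid, subnets, edges):
    """Step (a): the set V_io of nodes of sub-network sid that have an edge
    to or from another sub-network."""
    members = subnets[sid]
    return {u if u in members else v for u, v in edges
            if (u in members) != (v in members)}


def build_sub_attack_graph(nodes, adj, start):
    """Steps (b)-(c): breadth-first construction of AG_ij inside one sub-network.
    `start` is a node whose preconditions are assumed satisfied; an edge
    CveId_u -> CveId_a is added whenever Post_u satisfies Pre_a for a neighbour
    a of u inside the sub-network. Returns the set of CveId edges."""
    edges, seen, queue = set(), {start}, deque([start])
    while queue:
        u = queue.popleft()
        post_u = VULNS[HOST_CVE[u]][1]
        for a in adj.get(u, ()):
            if a not in nodes:
                continue  # edges leaving the sub-network are handled at fusion time
            if satisfies(post_u, VULNS[HOST_CVE[a]][0]):
                edges.add((HOST_CVE[u], HOST_CVE[a]))
                if a not in seen:
                    seen.add(a)
                    queue.append(a)
    return edges


def fuse_attack_graphs(subnets, edges, initial_node):
    """Step S3: merge sub-attack graphs breadth-first over sub-networks starting
    from the initial sub-network. For each cross-edge (v_ia, v_1b) leaving an
    already merged sub-network, AG_ia and AG_1b are joined by the edge
    CveId_ia -> CveId_1b only when Post_ia satisfies Pre_1b."""
    adj = adjacency(edges)
    subnet_of = {ip: sid for sid, members in subnets.items() for ip in members}
    initial = subnet_of[initial_node]
    graph = build_sub_attack_graph(subnets[initial], adj, initial_node)
    merged, queue = {initial}, deque([initial])
    while queue:
        sid = queue.popleft()
        for v_ia, v_1b in edges:
            if subnet_of[v_ia] != sid or subnet_of[v_1b] == sid:
                continue  # not a cross-edge leaving this sub-network
            if not satisfies(VULNS[HOST_CVE[v_ia]][1], VULNS[HOST_CVE[v_1b]][0]):
                continue  # dependency not met: the graphs stay separate
            other = subnet_of[v_1b]
            graph.add((HOST_CVE[v_ia], HOST_CVE[v_1b]))
            graph |= build_sub_attack_graph(subnets[sid], adj, v_ia)
            graph |= build_sub_attack_graph(subnets[other], adj, v_1b)
            if other not in merged:
                merged.add(other)
                queue.append(other)
    return graph, merged


if __name__ == "__main__":
    graph, merged = fuse_attack_graphs(SUBNETS, EDGES, "10.0.1.1")
    print("merged sub-networks:", sorted(merged))
    for edge in sorted(graph):
        print("%s -> %s" % edge)
```

In the sample, G3 is never merged because the only cross-edge into it comes from a host whose consequence set does not satisfy the precondition of the G3 vulnerability, which is exactly the pruning the sparse community structure is meant to exploit.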
As shown in fig. 2, in another embodiment, a distributed attack graph construction system facing a large-scale network is provided, and the system includes a network partitioning module, a sub-network construction module, and a sub-attack graph fusion module;
the network dividing module is used for dividing a large-scale network into sub-networks by adopting a community discovery algorithm, the sub-networks are closely connected internally, and the sub-networks are sparsely connected with one another;
the sub-network construction module is used for establishing a sub-attack graph on each sub-network according to the dependency relationship of the vulnerabilities inside the sub-network;
and the sub-attack graph fusion module is used for fusing the sub-attack graphs of each sub-network into the attack graph of the whole network through the vulnerability dependency relationship among the sub-networks.
It should be noted that the system provided in the above embodiment is only illustrated by the division of the functional modules, and in practical applications, the function allocation may be completed by different functional modules according to needs, that is, the internal structure is divided into different functional modules to complete all or part of the functions described above.
As shown in fig. 3, in another embodiment of the present application, a storage medium is further provided, where a program is stored, and when the program is executed by a processor, the method for implementing distributed construction of an attack graph for a large-scale network is implemented, specifically:
dividing a large-scale network into sub-networks by adopting a community discovery algorithm, wherein the sub-networks are closely connected internally and sparsely connected with one another;
establishing a sub-attack graph on each sub-network according to the dependency relationship of the vulnerabilities inside the sub-network;
and fusing the sub attack graphs of the sub networks into an attack graph of the whole network through the vulnerability dependency relationship among the sub networks.
It should be understood that portions of the present application may be implemented in hardware, software, firmware, or a combination thereof. In the above embodiments, the various steps or methods may be implemented in software or firmware stored in memory and executed by a suitable instruction execution system. For example, if implemented in hardware, as in another embodiment, any one or combination of the following techniques, which are known in the art, may be used: a discrete logic circuit having a logic gate circuit for implementing a logic function on a data signal, an application specific integrated circuit having an appropriate combinational logic gate circuit, a Programmable Gate Array (PGA), a Field Programmable Gate Array (FPGA), or the like.
The above embodiments are preferred embodiments of the present invention, but the present invention is not limited to the above embodiments, and any other changes, modifications, substitutions, combinations, and simplifications which do not depart from the spirit and principle of the present invention should be construed as equivalents thereof, and all such changes, modifications, substitutions, combinations, and simplifications are intended to be included in the scope of the present invention.

Claims (8)

1. A distributed construction method for an attack graph of a large-scale network, characterized by comprising the following steps:
dividing the large-scale network into sub-networks using a community discovery algorithm, each sub-network being densely connected internally and the sub-networks being sparsely connected to one another;
establishing a sub-attack graph on each sub-network according to the dependency relationships among the vulnerabilities inside the sub-network, the step of establishing the sub-attack graph being:
the topology of a sub-network is G_i = {V, E}, where V is the set of IP addresses of all hosts in the sub-network and E is the set of edges connecting the IP addresses; in addition, for each node v_ij of graph G_i, the vulnerability set, the identifiers CveId_ij of the vulnerabilities, and the premise set Pre_ij and consequence set Post_ij of each CveId_ij are obtained;
algorithm input: the set of subgraphs {G_1, G_2, ..., G_i, ..., G_n}; for subgraph G_i = {V_i, E_i}, the vulnerability set {CveId_i1, CveId_i2, ..., CveId_ij, ..., CveId_im} of each node, together with the premise sets {Pre_i1, Pre_i2, ..., Pre_ij, ..., Pre_im} and consequence sets {Post_i1, Post_i2, ..., Post_ij, ..., Post_im};
algorithm output: the set of sub-attack graphs {AG_11, ..., AG_1k, AG_21, ..., AG_2k, ..., AG_n1, ..., AG_nk};
fusing the sub-attack graphs of the sub-networks into the attack graph of the whole network through the vulnerability dependency relationships between the sub-networks;
the node of the network at which the attacker is initially located is called the attacker's starting state node, and the network containing the starting node is called the starting sub-network; given the sub-networks {G_1, G_2, ..., G_i, ..., G_n}, where G_i is the starting sub-network, the specific method of sub-attack graph fusion is:
obtaining the set of sub-networks G_neighbor1 = {G_1, G_2, ..., G_k} connected to the starting sub-network G_i; if G_1 is connected to G_i, the set of connecting edges is E_i1 and (v_ia, v_1b) is one of its edges, judging whether the consequence set of v_ia satisfies the premise set of v_1b; if so, establishing an edge from CveId_ia to CveId_1b between sub-attack graph AG_ia and sub-attack graph AG_1b, that is, merging AG_ia and AG_1b, and then merging sub-network G_1 with G_i; in this way, judging the relationship between G_i and all of its neighbouring sub-networks, and merging the sub-attack graphs and networks;
obtaining the merged network G_{1,...,j,...,i}, where G_{1,...,j,...,i} denotes the network formed by merging sub-networks G_1, G_j and G_i, then obtaining the neighbour set G_neighbor2 of this network and merging sub-attack graphs and networks in the same way;
merging sub-attack graphs and sub-networks in this breadth-first manner until the merged network and all sub-networks connected to it can no longer be merged.
2. The distributed construction method for an attack graph of a large-scale network according to claim 1, characterized in that the community discovery algorithm is the FastNewman algorithm, and dividing the large-scale network with the FastNewman algorithm specifically comprises:
modelling the topology of the network, where a node of the model represents the IP of a host and a directed edge between nodes is represented as <SourceIP, DestIP>, meaning an edge from SourceIP to DestIP;
improving the modularity formula of the FastNewman algorithm by converting the directed graph into a weighted graph, the modularity of the weighted graph being computed as follows:
[Formula image DEST_PATH_IMAGE001: modularity of the weighted graph]
where [weight symbol] represents the weight between node i and node j, and W represents the total weight of the network;
abstracting the detected network topology into a graph structure, inputting it into the FastNewman algorithm, and taking the community partition with the largest modularity, which yields the topology of each sub-network.
3. The distributed construction method for an attack graph of a large-scale network according to claim 1, characterized in that establishing the attack graph on each sub-network according to the dependency relationships of the vulnerabilities inside the sub-network specifically comprises:
modelling the network elements, modelling attack behaviour and host information separately;
obtaining host vulnerability information, so as to obtain the vulnerabilities, premise set and consequence set of every host on each subgraph;
constructing, for each sub-network, a sub-attack graph from the topology of the sub-network, the vulnerability set, and the premise sets and consequence sets of the vulnerabilities.
4. The distributed construction method for an attack graph of a large-scale network according to claim 3, characterized in that modelling the network elements specifically comprises:
attack behaviour modelling: first a model of the attacker's attack behaviour is established, the attack behaviour being represented as a triple <CveId, Precondition, Postcondition>, where CveId is the set of identifiers of the vulnerabilities exploited by the attack, Precondition is the set of preconditions for exploiting this vulnerability set, and Postcondition is the set of consequences produced when this vulnerability set is successfully exploited;
host information modelling: a model is established for the host information configured in the network, host information being described by the pair <Ipaddress, CveId>, where Ipaddress is the IP address of the host and CveId is the set of vulnerabilities on the host.
5. The distributed construction method for an attack graph of a large-scale network according to claim 3, characterized in that an OVAL-based vulnerability scanner is used to scan the set of vulnerabilities present on the hosts; the Nessus vulnerability scanning software is chosen to scan each host to obtain the vulnerability set of each host; and, according to the premise set and consequence set of each vulnerability obtained from public sources, a unified language is used to describe the premise sets and consequence sets of the vulnerabilities, thereby obtaining the vulnerabilities of every host on each subgraph together with their premise sets and consequence sets.
6. The distributed construction method for an attack graph of a large-scale network according to claim 1, characterized in that the step of establishing a sub-attack graph comprises:
obtaining the set V_io = {v_i1, v_i2, ..., v_ij, ..., v_ik} of all nodes in G_i connected to external subgraphs;
assuming that the preconditions of the vulnerability sets of all nodes in V_io are satisfied, each node in V_io serves in turn as the starting point of an attack graph, so that k sub-attack graphs are built; since the construction of the k graphs is identical, v_ij is taken as the starting point here to build attack graph AG_ij;
starting from v_ij, obtaining the neighbour node set of v_ij; if the consequence set of v_ij satisfies the premise set of any node v_ia in the neighbour set, establishing an edge from CveId_ij to CveId_ia; then, starting from those neighbours v_ia for which an edge was established, obtaining their neighbour node sets and judging whether their consequence sets satisfy the premise sets of their neighbours, and if the premise set of v_ib is satisfied, establishing an edge from vulnerability set CveId_ia to CveId_ib; in this way all nodes of G_i are traversed breadth-first, and the connections between vulnerability sets are established during the traversal; when the traversal is complete, sub-attack graph AG_ij is constructed;
obtaining the set of sub-attack graphs {AG_11, ..., AG_1k, AG_21, ..., AG_2k, ..., AG_n1, ..., AG_nk} in the same way.
7. A distributed construction system for an attack graph of a large-scale network, characterized in that it applies the distributed construction method for an attack graph of a large-scale network according to any one of claims 1 to 6, and comprises a network division module, a sub-network construction module and a sub-attack graph fusion module;
the network division module is used to divide the large-scale network into sub-networks using a community discovery algorithm, each sub-network being densely connected internally and the sub-networks being sparsely connected to one another;
the sub-network construction module is used to establish a sub-attack graph on each sub-network according to the dependency relationships of the vulnerabilities inside the sub-network;
the sub-attack graph fusion module is used to fuse the sub-attack graphs of the sub-networks into the attack graph of the whole network through the vulnerability dependency relationships between the sub-networks.
8. A storage medium storing a program, characterized in that, when the program is executed by a processor, the distributed construction method for an attack graph of a large-scale network according to any one of claims 1 to 6 is implemented.
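The two procedures the claims describe, the breadth-first construction of a sub-attack graph from each boundary node (claim 6) and the breadth-first fusion of sub-attack graphs across sub-networks (claim 1, also restated in the storage-medium embodiment above), as one added worked example. This is editor-written illustration code, not the patent's implementation: the three sub-networks, their edges and the premise/consequence sets are constructed sample data, the CVE ids are placeholders, and the test "the consequence set of v_ia satisfies the premise set of v_1b" is taken to mean subset inclusion, which the claims leave unspecified.

```python
from collections import deque

# Constructed sample input (not from the patent): three sub-networks as the
# community discovery step of claim 2 would hand them over. Host names stand
# in for IP addresses and the CVE ids are placeholders, not real vulnerabilities.
SUBNETS = {
    "G1": {"h11", "h12", "h13"},
    "G2": {"h21", "h22"},
    "G3": {"h31"},
}
# Directed topology edges <SourceIP, DestIP> (claim 2), inside and across sub-networks.
EDGES = [
    ("h11", "h12"), ("h12", "h13"), ("h11", "h13"),   # inside G1
    ("h21", "h22"),                                    # inside G2
    ("h13", "h21"), ("h22", "h31"), ("h11", "h31"),   # across sub-networks
]
# One <CveId, Precondition, Postcondition> triple per host (claim 4), keyed by
# the host of its <Ipaddress, CveId> pair.
HOSTS = {
    "h11": ("CVE-DEMO-1", {"net_access"}, {"user@h11"}),
    "h12": ("CVE-DEMO-2", {"user@h11"},   {"root@h12"}),
    "h13": ("CVE-DEMO-3", {"root@h12"},   {"user@h13"}),
    "h21": ("CVE-DEMO-4", {"user@h13"},   {"root@h21"}),
    "h22": ("CVE-DEMO-5", {"root@h21"},   {"admin@h22"}),
    "h31": ("CVE-DEMO-6", {"admin@h22"},  {"domain_admin"}),
}


def satisfies(src, dst):
    """Assumption: Post(src) 'satisfies' Pre(dst) when every premise of dst is
    among the consequences of src; the claims do not define the test further."""
    return HOSTS[dst][1] <= HOSTS[src][2]


def subnet_of(host):
    return next(name for name, members in SUBNETS.items() if host in members)


def neighbours(host):
    return [dst for src, dst in EDGES if src == host]


def boundary_nodes(subnet):
    """V_io of claim 6: hosts of the sub-network that share an edge (in either
    direction; an assumption) with a host of another sub-network."""
    members = SUBNETS[subnet]
    crossing = [(s, d) for s, d in EDGES if (s in members) != (d in members)]
    return {h for s, d in crossing for h in (s, d) if h in members}


def build_sub_attack_graph(subnet, start):
    """AG_ij of claim 6: breadth-first walk of one sub-network from `start`,
    whose premises are assumed satisfied. Whenever Post(u) satisfies Pre(a)
    for a neighbour a inside the sub-network, the attack-graph edge
    CveId_u -> CveId_a is recorded and a is enqueued."""
    members = SUBNETS[subnet]
    seen, queue, ag_edges = {start}, deque([start]), set()
    while queue:
        u = queue.popleft()
        for a in neighbours(u):
            if a in members and satisfies(u, a):
                ag_edges.add((HOSTS[u][0], HOSTS[a][0]))
                if a not in seen:
                    seen.add(a)
                    queue.append(a)
    return ag_edges


def build_all_sub_attack_graphs():
    """The algorithm output of claim 1: {(sub-network, start host): AG}."""
    return {(g, v): build_sub_attack_graph(g, v)
            for g in SUBNETS for v in boundary_nodes(g)}


def fuse(start_subnet):
    """Fusion step of claim 1. Starting from the attacker's sub-network, every
    cross edge (v_ia, v_1b) leaving the merged network is tested; if Post(v_ia)
    satisfies Pre(v_1b), the edge CveId_ia -> CveId_1b joins AG_ia to AG_1b and
    the neighbour sub-network is merged in. Rounds repeat breadth-first until
    no further neighbour can be merged. Returns (merged sub-networks, edges)."""
    sub_ags = build_all_sub_attack_graphs()
    merged = {start_subnet}
    ag_edges = set().union(*[ag for (g, _), ag in sub_ags.items() if g == start_subnet])
    while True:
        newly = set()
        for s, d in EDGES:
            gs, gd = subnet_of(s), subnet_of(d)
            if gs in merged and gd not in merged and satisfies(s, d):
                ag_edges.add((HOSTS[s][0], HOSTS[d][0]))
                ag_edges |= sub_ags[(gd, d)]   # AG_1b rooted at the entry host
                newly.add(gd)
        if not newly:
            return merged, ag_edges
        merged |= newly


if __name__ == "__main__":
    subnets, graph = fuse("G1")
    print("merged:", sorted(subnets))
    for edge in sorted(graph):
        print("  %s -> %s" % edge)
```

With the sample data, starting in G1 merges G2 in the first round (through h13 -> h21) and G3 only in the second round (through h22 -> h31; the direct edge h11 -> h31 fails the premise test), which is the breadth-first behaviour claim 1 describes; starting in G3, no cross edge leaves the merged network, so nothing is merged.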
CN202110042899.3A 2021-01-13 2021-01-13 Distributed construction method, system and medium for attack graph of large-scale network Active CN112804231B (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN202110042899.3A CN112804231B (en) 2021-01-13 2021-01-13 Distributed construction method, system and medium for attack graph of large-scale network

Applications Claiming Priority (1)

Application Number Priority Date Filing Date Title
CN202110042899.3A CN112804231B (en) 2021-01-13 2021-01-13 Distributed construction method, system and medium for attack graph of large-scale network

Publications (2)

Publication Number Publication Date
CN112804231A CN112804231A (en) 2021-05-14
CN112804231B true CN112804231B (en) 2021-09-24

Family

ID=75810440

Family Applications (1)

Application Number Title Priority Date Filing Date
CN202110042899.3A Active CN112804231B (en) 2021-01-13 2021-01-13 Distributed construction method, system and medium for attack graph of large-scale network

Country Status (1)

Country Link
CN (1) CN112804231B (en)

Family Cites Families (6)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US8566269B2 (en) * 2006-08-01 2013-10-22 George Mason Intellectual Properties, Inc. Interactive analysis of attack graphs using relational queries
CN109218276A (en) * 2017-08-01 2019-01-15 全球能源互联网研究院 A kind of network attack drawing generating method and system
CN108123962B (en) * 2018-01-19 2020-07-10 北京理工大学 A method for generating attack graph using Spark to implement BFS algorithm
CN109948658B (en) * 2019-02-25 2021-06-15 浙江工业大学 Adversarial attack defense method and application for feature map attention mechanism
CN110138764B (en) * 2019-05-10 2021-04-09 中北大学 Attack path analysis method based on hierarchical attack graph
CN111680863A (en) * 2020-04-26 2020-09-18 南京南数数据运筹科学研究院有限公司 Network environment safety condition evaluation method based on analytic hierarchy process

Also Published As

Publication number Publication date
CN112804231A (en) 2021-05-14

Similar Documents

Publication Publication Date Title
Filiol et al. Combinatorial optimisation of worm propagation on an unknown network
US8914320B2 (en) Graph generation method for graph-based search
US8825838B2 (en) Identification of business process application service groups
WO2020133986A1 (en) Botnet domain name family detecting method, apparatus, device, and storage medium
CN101867498A (en) A network security situation assessment method
Bringhenti et al. Improving the formal verification of reachability policies in virtualized networks
CN112448954B (en) Configuration vulnerability analysis method and system for distributed access control policies
US20230208724A1 (en) Methods and systems for distributed network verification
CN112532408B (en) Method, device and storage medium for extracting fault propagation condition
CN106411576A (en) Method for generating attack graphs based on status transition network attack model
Li et al. Searching forward complete attack graph generation algorithm based on hypergraph partitioning
CN113282805A (en) IPv6 address pattern mining method and device, electronic equipment and storage medium
Li et al. Data poisoning attack against anomaly detectors in digital twin-based networks
Al-Musawi et al. Identifying OSPF LSA falsification attacks through non-linear analysis
CN112804231B (en) Distributed construction method, system and medium for attack graph of large-scale network
CN108322454B (en) Network security detection method and device
US20240267319A1 (en) Remote attestation method, apparatus, device, and system, and readable storage medium
CN112491801B (en) Incidence matrix-based object-oriented network attack modeling method and device
Din et al. Anomaly free on demand stateful software defined firewalling
US12206678B2 (en) Network reachability solving algorithm based on formal verification
CN109889515B (en) Botnet discovery method based on non-parametric statistics
Ramadan et al. A Distributed Cloud Architecture Based on General De Bruijn Overlay Network
Wang et al. Design and Implementation of Links Generation for Inter Domain Routing System
Sohn Update Filtering in BGP-based EVPN VXLAN Setups
Watson Towards autonomous network security using knowledge graphs

Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination
GR01 Patent grant