CN113536573B - Simulation modeling method and device for network attack and defense process and network turn wargame - Google Patents


Info

Publication number: CN113536573B
Application number: CN202110815835.2A
Authority: CN (China)
Prior art keywords: attack, defense, network, modeling, simulation
Legal status: Active (as listed by Google Patents; the status, assignee list and priority date shown are assumptions, not legal conclusions)
Other languages: Chinese (zh)
Other versions: CN113536573A
Inventors: 刘斌 (Liu Bin), 王云飞 (Wang Yunfei), 王文浩 (Wang Wenhao), 朱承 (Zhu Cheng)
Current assignee: National University of Defense Technology
Original assignee: National University of Defense Technology
Priority: CN202110815835.2A (application filed by National University of Defense Technology)
Publication history: CN113536573A (application published), CN113536573B (patent granted)

Classifications

    • G06F 30/20: Physics; computing, calculating or counting; electric digital data processing; computer-aided design [CAD]; design optimisation, verification or simulation
    • A63F 3/0457: Human necessities; sports, games, amusements; card, board or roulette games, indoor games using small moving playing bodies, video games, games not otherwise provided for; board games, raffle games; geographical or like games, educational games concerning science or technology, e.g. geology, chemistry, statistics, computer flow charts, radio, telephone
    • A63F 9/0076: Human necessities; sports, games, amusements; games not otherwise provided for; games representing technical, industrial or scientific activities, e.g. oil exploration, space ship navigation games
    • G06F 16/367: Physics; computing, calculating or counting; electric digital data processing; information retrieval, database structures and file system structures therefor, of unstructured textual data; creation of semantic tools, e.g. ontologies or thesauri; ontology
    • G06Q 50/205: Physics; computing, calculating or counting; information and communication technology [ICT] specially adapted for administrative, commercial, financial, managerial or supervisory purposes; systems or methods specially adapted for specific business sectors, e.g. utilities or tourism; services; education; education administration or guidance

Abstract

The application relates to a simulation modeling method and apparatus for the network attack and defense process, and to a turn-based cyber wargame. The method comprises: acquiring the logical relationships between objects, and the object attributes and data attributes of those objects, in a network attack and defense process, where the objects include attackers, defenders, attack and defense steps, attack and defense modes, attack effects and resource consumption. Network attack and defense combat is simulated as a turn-based cyber game whose attack path follows the Lockheed Martin Cyber Kill Chain model and the ATT&CK framework, with a knowledge graph as the data organization structure. Game participants (attackers, defenders and audience) thereby learn a paradigm of network attack and come to know the stage at which attack and defense techniques apply and the effect they produce. This achieves the educational training purpose, raises participants' security awareness of and interest in network attack and defense, and provides technical support for evaluating the effect of attack and defense techniques.

Description

Simulation modeling method and device for network attack and defense process and network turn wargame
Technical Field
The application relates to the technical fields of network information security and simulation modeling, and in particular to a simulation modeling method and apparatus for the network attack and defense process and a turn-based cyber wargame.
Background
Cyberspace is a new battlefield: it is the junction space connecting the natural domains of land, sea, air and space, and it is also the information-bearing space for human production and life in the economy, finance, transport and social contact. It is therefore a developing trend to follow the wargaming tradition in making network security decisions, to deduce the cyberspace confrontation process through a network attack and defense process simulation system, and to train the security awareness and the technical and tactical level of personnel.
Existing network simulation, network exercises and network threat modeling are large in scale, high in cost and poor in repeatability. They struggle to meet operators' needs for carrying out a large number of repeated experiments in order to improve operational skills, to verify the effectiveness of defensive techniques and tactics and of system protection, and to evaluate them quantitatively.
Disclosure of Invention
Therefore, in view of the above technical problems, it is necessary to provide a simulation modeling method and apparatus for the network attack and defense process and a turn-based cyber wargame.
A simulation modeling method for a network attack and defense process, the method comprising:
acquiring the logical relationships between objects, and the object attributes and data attributes of the objects, in a network attack and defense process, where the objects include: attacker, defender, attack and defense steps, attack and defense modes, attack effects and resource consumption;
modeling the logical relationships between the objects with an ontology knowledge graph;
modeling the object attributes and data attributes of the objects with an instance knowledge graph, and establishing the relationship between the ontology knowledge graph and the instance knowledge graph;
performing attack modeling based on the Lockheed Martin Cyber Kill Chain model and the ATT&CK framework;
constructing a simulation scenario of the network attack and defense process from the established logical relationship model, object attribute model and data attribute model and from the relationship between the ontology knowledge graph and the instance knowledge graph;
and, in the simulation scenario, obtaining simulation interaction data over the life cycle of the network attack and defense process by dynamic deduction according to the established attack model.
In one embodiment, performing attack modeling based on the Lockheed Martin Cyber Kill Chain model and the ATT&CK framework comprises:
using the Lockheed Martin Cyber Kill Chain as the attack path of network attack and defense, classifying attack and defense techniques by kill-chain stage and by the ATT&CK framework, and setting 6 steps between two adjacent stages, so as to obtain the kill-chain stages and the corresponding attack and defense modes;
taking kill-chain stages and attack and defense modes as instances, setting the corresponding object attributes and data attributes, and checking the ontology for consistency and completeness;
setting the Lockheed Martin kill chain, tactical decisions, attack and defense techniques, tactic classification, the kill-chain position of the attacker and resources as classes in the ontology; filling the stage in which a tactic is used, the attack effect and the resource consumption into the ontology as instances; and using the ontology file as the model configuration file.
In one embodiment, obtaining simulation interaction data over the life cycle of the network attack and defense process by dynamic deduction in the simulation scenario according to the established attack model further comprises:
the identity, goal and principal of the attacker are not disclosed to the defender, so the adversary the defender faces and its purpose are unknown;
the attacker and defender can see only the attack and defense modes already used; the cards in the opponent's hand and the opponent's remaining funds are unknown; the two sides play a confrontation game under incomplete information, alternately playing cards in rounds and recording them.
In one embodiment, the objects further include referees and other personnel. After the step in which the attacker and defender see only the used attack and defense modes, the opponent's cards and remaining funds are unknown, and the two sides play under incomplete information and alternately play and record cards in rounds, the method further comprises:
referees and other personnel may choose to enter the simulation system as audience and watch the whole network attack and defense deduction, so that cyberspace security education and training is achieved for both participants and audience.
In one embodiment, the method further comprises: in the network attack and defense simulation, the attacker and defender attack and defend alternately, and after each attack or defense either side can adjust its strategy according to the updated information on the board.
A simulation modeling apparatus for a network attack and defense process, the apparatus comprising:
a data acquisition module for simulation modeling, used to acquire the logical relationships between objects, and the object attributes and data attributes of the objects, in a network attack and defense process, where the objects include: attacker, defender, attack and defense steps, attack and defense modes, attack effects and resource consumption;
a knowledge-graph-based modeling module, used to model the logical relationships between the objects with an ontology knowledge graph, to model the object attributes and data attributes of the objects with an instance knowledge graph, and to establish the relationship between the ontology knowledge graph and the instance knowledge graph;
an attack and defense process modeling module, used to perform attack modeling based on the Lockheed Martin Cyber Kill Chain model and the ATT&CK framework; to construct a simulation scenario of the network attack and defense process from the established logical relationship model, object attribute model and data attribute model and from the relationship between the ontology knowledge graph and the instance knowledge graph;
and, in the simulation scenario, to obtain simulation interaction data over the life cycle of the network attack and defense process by dynamic deduction according to the established attack model.
An implementation method for a turn-based cyber wargame comprises:
decomposing the turn-based cyber wargame to obtain the logical relationships between objects, and the object attributes and data attributes of the objects, in the network attack and defense process, where the objects include: attacker, defender, attack and defense steps, attack and defense modes, attack effects and resource consumption;
and modeling those logical relationships, object attributes and data attributes with any of the above simulation modeling methods for the network attack and defense process, so as to obtain the turn-based cyber wargame.
The simulation modeling method and apparatus for the network attack and defense process and the method of making the turn-based cyber wargame comprise: acquiring the logical relationships between objects, and the object attributes and data attributes of the objects, in a network attack and defense process, where the objects include attackers, defenders, attack and defense steps, attack and defense modes, attack effects and resource consumption. Network attack and defense combat is simulated along an attack path based on the Lockheed Martin Cyber Kill Chain model and the ATT&CK framework, with a knowledge graph as the data organization structure, so that participants (attackers, defenders and audience) learn a paradigm of network attack and come to know the stage at which attack and defense techniques apply and the effect they produce. This achieves the aim of education and training, raises participants' security awareness of and interest in network attack and defense, and provides technical support for evaluating the effect of attack and defense techniques.
Drawings
FIG. 1 is a schematic flow chart of a simulation modeling method for a network attack and defense process in one embodiment;
FIG. 2 is a block diagram of a simulation modeling apparatus for a network attack and defense process in one embodiment;
FIG. 3 is a schematic diagram of the process of setting ontology classes for a turn-based cyber wargame in another embodiment;
FIG. 4 is a schematic diagram of the turn-based cyber wargame process in another embodiment;
FIG. 5 is the action selection flow in one embodiment.
Detailed Description
To make the objects, technical solutions and advantages of the present application clearer, the application is described in further detail below with reference to the accompanying drawings and embodiments. It should be understood that the specific embodiments described here merely illustrate the application and are not intended to limit it.
In one embodiment, as shown in FIG. 1, a simulation modeling method for a network attack and defense process is provided, which includes the following steps:
Step 100: acquire the logical relationships between objects, and the object attributes and data attributes of the objects, in a network attack and defense process; the objects include: attacker, defender, attack and defense steps, attack and defense modes, attack effects and resource consumption.
Step 102: model the logical relationships between the objects with an ontology knowledge graph.
Step 104: model the object attributes and data attributes of the objects with an instance knowledge graph, and establish the relationship between the ontology knowledge graph and the instance knowledge graph.
Step 106: perform attack modeling based on the Lockheed Martin Cyber Kill Chain model and the ATT&CK framework.
Step 108: construct a simulation scenario of the network attack and defense process from the established logical relationship model, object attribute model and data attribute model and from the relationship between the ontology knowledge graph and the instance knowledge graph.
Step 110: in the simulation scenario, obtain simulation interaction data over the life cycle of the network attack and defense process by dynamic deduction according to the established attack model.
Interaction data refers to the interaction between a user and the backend: the user operates at the front end, the front end passes the user's operation back, the backend judges whether the operation is reasonable and generates the corresponding data changes (including the user's position and remaining funds), and these changes are returned to the front end for page display so that the user can conveniently perform the next operation.
In the above simulation modeling method for the network attack and defense process, the logical relationships between objects and the object attributes and data attributes of the objects (attackers, defenders, attack and defense steps, attack and defense modes, attack effects and resource consumption) are acquired; network attack and defense combat is simulated as a turn-based cyber game whose attack path follows the Lockheed Martin Cyber Kill Chain model and the ATT&CK framework, with a knowledge graph as the data organization structure. Game participants (attackers, defenders and audience) thereby learn a paradigm of network attack and come to know the stage at which attack and defense techniques apply and the effect they produce, which achieves the educational training purpose, raises participants' security awareness of and interest in network attack and defense, and provides technical support for evaluating the effect of attack and defense techniques.
In one embodiment, step 106 further comprises: using the Lockheed Martin Cyber Kill Chain as the attack path of network attack and defense, classifying attack and defense techniques by kill-chain stage and by the ATT&CK framework, and setting 6 steps between two adjacent stages so as to obtain the kill-chain stages and the corresponding attack and defense modes; taking kill-chain stages and attack and defense modes as instances, setting the corresponding object attributes and data attributes, and checking the ontology for consistency and completeness; setting the Lockheed Martin kill chain, tactical decisions, attack and defense techniques, tactic classification, the kill-chain position of the attacker and resources as classes in the ontology, filling the stage in which a tactic is used, the attack effect and the resource consumption into the ontology as instances, and using the ontology file as the model configuration file.
In one embodiment, step 106 is followed by: the identity, goal and principal of the attacker are not disclosed to the defender, so the adversary the defender faces and its purpose are unknown; the attacker and defender can see only the attack and defense modes already used, the cards in the opponent's hand and the opponent's remaining funds are unknown, and the two sides play a confrontation game under incomplete information, alternately playing cards in rounds and recording them.
In one embodiment, the objects further include referees and other personnel. After the step in which the attacker and defender see only the used attack and defense modes, the opponent's cards and remaining funds are unknown, and the two sides play under incomplete information and alternately play and record cards in rounds, the method further comprises: referees and other personnel may choose to enter the simulation system as audience and watch the whole network attack and defense deduction, so that cyberspace security education and training is achieved for both participants and audience.
In one embodiment, the method further comprises: in the network attack and defense simulation, the attacker and defender attack and defend alternately, and after each attack or defense either side can adjust its strategy according to the updated information on the board.
It should be understood that, although the steps in the flowchart of FIG. 1 are shown in the order indicated by the arrows, they are not necessarily performed in that order. Unless explicitly stated otherwise, the steps have no strict order of execution and may be performed in other orders. Moreover, at least some of the steps in FIG. 1 may include multiple sub-steps or stages that need not be performed at the same time but may be performed at different times, and their order of execution is not necessarily sequential; they may be performed in turn or alternately with other steps or with at least some of the sub-steps or stages of other steps.
In one embodiment, as shown in FIG. 2, a simulation modeling apparatus for a network attack and defense process is provided, comprising a data acquisition module for simulation modeling, a knowledge-graph-based modeling module and an attack and defense process modeling module, wherein:
the data acquisition module for simulation modeling is used to acquire the logical relationships between objects, and the object attributes and data attributes of the objects, in a network attack and defense process; the objects include: attacker, defender, attack and defense steps, attack and defense modes, attack effects and resource consumption;
the knowledge-graph-based modeling module is used to model the logical relationships between the objects with an ontology knowledge graph, to model the object attributes and data attributes of the objects with an instance knowledge graph, and to establish the relationship between the ontology knowledge graph and the instance knowledge graph;
the attack and defense process modeling module is used to perform attack modeling based on the Lockheed Martin Cyber Kill Chain model and the ATT&CK framework; to construct a simulation scenario of the network attack and defense process from the established logical relationship model, object attribute model and data attribute model and from the relationship between the ontology knowledge graph and the instance knowledge graph; and, in the simulation scenario, to obtain simulation interaction data over the life cycle of the network attack and defense process by dynamic deduction according to the established attack model.
In one embodiment, the attack and defense process modeling module is further used to adopt the Lockheed Martin Cyber Kill Chain as the attack path of network attack and defense, to classify attack and defense techniques by kill-chain stage and by the ATT&CK framework, and to set 6 steps between two adjacent stages so as to obtain the kill-chain stages and the corresponding attack and defense modes; to take kill-chain stages and attack and defense modes as instances, set the corresponding object attributes and data attributes, and check the ontology for consistency and completeness; and to set the Lockheed Martin kill chain, tactical decisions, attack and defense techniques, tactic classification, the kill-chain position of the attacker and resources as classes in the ontology, fill the stage in which a tactic is used, the attack effect and the resource consumption into the ontology as instances, and use the ontology file as the model configuration file.
In one embodiment, the attack and defense process modeling module further comprises an inter-participant data permission limiting module: the identity, goal and principal of the attacker are not disclosed to the defender, so the adversary the defender faces and its purpose are unknown; the attacker and defender can see only the attack and defense modes already used, the cards in the opponent's hand and the opponent's remaining funds are unknown, and the two sides play a confrontation game under incomplete information, alternately playing cards in rounds and recording them.
In one embodiment, the objects further include referees and other personnel. After the inter-participant data permission limiting module has been applied, referees and other personnel may choose to enter the simulation system as audience and watch the network attack and defense deduction, so that cyberspace security education and training is achieved for both participants and audience.
In one embodiment, the apparatus further comprises an attack and defense limiting module, used to make the attacker and defender attack and defend alternately in the network attack and defense simulation, with either side able to adjust its strategy according to the updated information on the board after each move.
For the specific limitations of the simulation modeling apparatus for the network attack and defense process, reference may be made to the limitations of the simulation modeling method above, which are not repeated here. Each module of the apparatus may be implemented wholly or partly in software, in hardware, or in a combination of the two. The modules may be embedded in hardware form in, or be independent of, the processor of the computer device, or may be stored in software form in the memory of the computer device so that the processor can call and execute the operations corresponding to each module.
An implementation method for a turn-based cyber wargame comprises: decomposing the turn-based cyber wargame to obtain the logical relationships between objects, and the object attributes and data attributes of the objects, in the network attack and defense process; the objects include: attacker, defender, attack and defense steps, attack and defense modes, attack effects and resource consumption.
Those logical relationships, object attributes and data attributes are then modeled with any of the above simulation modeling methods for the network attack and defense process, so as to obtain the turn-based cyber wargame.
The cyber wargame confines the wargame's environment to cyberspace, and the attack modes it adopts are not the artillery of traditional wargames but common network attack means such as phishing e-mails, TCP SYN flood denial-of-service attacks, viruses and trojans. The cyber wargame is, however, not absolutely isolated and closed: political, economic and social-psychological factors must be considered when designing it. The cyber wargame is most practised in the field of enterprise defense: by simulating attack and defense actions in cyberspace together with the social, political, public-opinion, psychological and other factors that may exist in the real world, it creates a realistic atmosphere and environment, improves the practical capability of operators and the command and emergency-management capability of managers, and can be promoted as commercial software to raise the network security awareness of society as a whole.
As a systematic, repeatable and measurable network war-game model, the cyber wargame can give real-time feedback on a combat plan, can verify and evaluate the improvement achieved by a plan through a large number of repeated experiments, and provides additional training opportunities for operators.
The cyber wargame can serve as a concrete form of network attack and defense and be applied to cyberspace attack and defense combat simulation, with advantages such as immersive experience and low cost. Defensive means whose effectiveness has been verified in the wargame can also be used in network attack and defense exercises, and the professional talent and the directing and adjudication experience gained from wargame training provide a talent reserve and rule-maintenance experience for such exercises. When cyberspace-related exercises are decomposed into tasks, each small task or scenario can be treated as one cyber wargame.
The turn-based cyber wargame can provide technical support for network security education and training, for the cyberspace component of large military exercises, and for the assessment of network attack and defense techniques and tactics.
In another embodiment, the modeling steps of the turn-based cyber wargame are as follows:
Step 1: analyze the elements of the cyber wargame and carry out integrated network attack and defense modeling. The elements present in the attack and defense process and their key performance attributes, such as attackers, defenders, attack and defense steps, attack and defense modes, effects and resource consumption, are modeled from the perspective of network attack and defense and considered as a whole, so that each deduction is an abstraction of a complete network attack process.
Step 2: adopt a knowledge graph as the data organization form, model the network attack and defense process abstractly, comb out the logical relationships in the process, express the logical relationships between the various classes in an ontology, take kill-chain stages and attack and defense modes as instances, set the corresponding object attributes and data attributes, and check the ontology for consistency and completeness.
Step 3: use the Lockheed Martin Cyber Kill Chain as the attack path of the game, classify attack and defense techniques by kill-chain stage and by the ATT&CK framework, and set 6 steps between two adjacent stages to represent that certain measures must be taken before the attack and defense techniques of the next stage can be reached.
Step 4: set the kill chain, tactical decisions, attack and defense tactics, tactic classification, the attacker's kill-chain position, funds and so on as classes in the ontology; fill the stage in which a tactic is used, the attack effect and the cost into the ontology as instances; and use the ontology file as the game configuration file, which facilitates later deepening of the game.
Step 5: the identity, goal and principal of the attacker are not disclosed to the defender, so the adversary the defender faces and its purpose are unknown; both sides see only the attack and defense modes already used, the cards in the opponent's hand and the opponent's remaining funds are unknown, and the two sides play a confrontation game under incomplete information, alternately playing cards in rounds and recording them.
Step 6: referees and other personnel may choose to enter the game as "audience" and watch the whole deduction from a god's-eye view, achieving cyberspace security education and training for both game participants and audience.
Step 7: interactive network combat simulation as a card game: the two sides play cards alternately, and after each card played either side can adjust its strategy according to the updated information on the board.
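The seven steps above, together with the interaction-data description in the Detailed Description (front end submits a move, backend checks it and updates position and remaining funds), can be exercised in code. The following is an added example written for this page, not code from the patent: a minimal turn-based engine whose move validation, kill-chain position bookkeeping and per-role views implement the incomplete-information rules of steps 5 to 7. Stage names follow the Lockheed Martin Cyber Kill Chain; the 6-steps-per-stage layout, the AT/DT cards, their costs and move values, and the starting funds are constructed assumptions.

```python
"""Added example, not code from the patent: a minimal turn-based cyber wargame engine
using the page's object properties (locatedIn, utilizedIn, belongTo) and data attributes
(cost, moves, movesRound, currentCapital, principal). Stage names follow the Lockheed
Martin Cyber Kill Chain; the 6-steps-per-stage layout, the AT/DT cards and their values
are constructed assumptions."""
from dataclasses import dataclass, field
from typing import Optional

KILL_CHAIN = ["reconnaissance", "weaponization", "delivery", "exploitation",
              "installation", "command and control", "actions on objectives"]
STEPS_PER_STAGE = 6                                       # page: 6 steps between adjacent stages
GOAL_POSITION = STEPS_PER_STAGE * (len(KILL_CHAIN) - 1)   # first step of the last stage (36)


def stage_of(position: int) -> str:
    """belongTo(Z, Y): the kill-chain stage Y that position Z lies in."""
    return KILL_CHAIN[min(position // STEPS_PER_STAGE, len(KILL_CHAIN) - 1)]


@dataclass(frozen=True)
class Action:
    ident: str          # AT001 / DT001 style card identifier (constructed)
    kind: str           # "attack" or "defense"
    utilized_in: str    # utilizedIn(X, Y): stage in which the card may be played
    cost: int           # cost(X, C)
    moves: int          # moves(X, N): attacker position delta, negative for defense cards
    rounds: int = 1     # movesRound(X, R): rounds the effect persists


@dataclass
class Player:
    role: str
    capital: int                                 # currentCapital(A, M)
    hand: list = field(default_factory=list)     # never shown to the opponent
    principal: str = "undisclosed"               # principal(A, P), hidden from the defender


@dataclass
class Game:
    attacker: Player
    defender: Player
    position: int = 0                            # locatedIn(attacker, Z)
    turn: str = "attacker"
    log: list = field(default_factory=list)      # played cards are the public record

    def _player(self, role: str) -> Player:
        return self.attacker if role == "attacker" else self.defender

    def reject_reason(self, role: str, action: Action) -> Optional[str]:
        """Backend check of a front-end move: None if legal, otherwise why it is refused."""
        player = self._player(role)
        if role != self.turn:
            return "not this role's turn"
        if action.kind != ("attack" if role == "attacker" else "defense"):
            return "card kind does not match role"
        if action not in player.hand:
            return "card not in hand"
        if action.cost > player.capital:
            return "insufficient funds"
        if action.utilized_in != stage_of(self.position):
            return f"card usable in '{action.utilized_in}', attacker is in '{stage_of(self.position)}'"
        return None

    def play(self, role: str, action: Action) -> dict:
        """Apply a legal move: charge the cost, move the attacker, record the card, pass the turn."""
        reason = self.reject_reason(role, action)
        if reason is not None:
            raise ValueError(reason)
        player = self._player(role)
        player.capital -= action.cost
        player.hand.remove(action)
        self.position = max(0, self.position + action.moves)   # a defense cannot push below step 0
        self.log.append((role, action.ident, action.rounds))
        self.turn = "defender" if role == "attacker" else "attacker"
        return {"position": self.position, "stage": stage_of(self.position),
                "capital": player.capital, "next_turn": self.turn}

    def view(self, role: str) -> dict:
        """Incomplete-information view: own hand and funds, but of the opponent only the cards played."""
        me = self._player(role)
        return {"role": role, "my_capital": me.capital,
                "my_hand": [a.ident for a in me.hand],
                "played": [(r, ident) for r, ident, _ in self.log],
                "position": self.position, "stage": stage_of(self.position),
                "attacker_principal": self.attacker.principal if role == "attacker" else "undisclosed"}


def demo_game() -> Game:
    """Constructed deck and three plays: recon (+4), a defense pushing back (-2), a second recon (+3)."""
    recon = Action("AT001", "attack", "reconnaissance", cost=2, moves=4)
    phish = Action("AT002", "attack", "delivery", cost=5, moves=6)
    scan = Action("AT003", "attack", "reconnaissance", cost=3, moves=3)
    filt = Action("DT001", "defense", "reconnaissance", cost=1, moves=-2, rounds=2)
    game = Game(Player("attacker", 10, [recon, phish, scan], principal="constructed principal"),
                Player("defender", 10, [filt]))
    for role, card in (("attacker", recon), ("defender", filt), ("attacker", scan)):
        game.play(role, card)
    return game


if __name__ == "__main__":
    print(demo_game().view("defender"))   # no attacker hand, funds or principal in this view
```

The point of `reject_reason` is that every rule the page states as a game rule (turn order, role-to-card kind, card in hand, affordable, usable in the attacker's current kill-chain stage) is checked on the backend before state changes, exactly where the Detailed Description places the "is the operation reasonable" decision; the front end only renders the `view` for its own role, so the opponent's hand, funds and principal never leave the server.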
In another embodiment, when the knowledge graph is used to construct the cyber wargame, Protégé is used as the ontology creation tool. When constructing the ontology, the necessary concepts include purposes and targets, the roles of the players, kill-chain stages, tactic types, actions taken, funds and positions; the relevant data attributes and object attributes are set, and the corresponding game rules are defined. The process of setting the ontology classes is shown in FIG. 3.
According to the settings of the turn-based cyber wargame, 53 instances AT001 to AT053 are set under attack actions and 54 instances DT001 to DT053 under defense actions.
The description of the classes is as follows:
Position = {next position, current position}
Action = {attack action, defense action}
Tactic = {host enumeration, credential access, snapshot, persistence, command and control, opportunity network, privilege escalation, lateral movement}
Role = {attacker role, defender role}
Capital = {current capital, remaining capital}
Network kill chain stage = {target achievement, command and control, weapon delivery, vulnerability exploitation, installation and implantation, reconnaissance and tracking, weaponization}
Attacker target = {shared space, denial of service, data pollution, data leakage, implantation, data theft, network destruction, network humiliation, fake data, software extortion, monetary extortion}
Remark: network humiliation refers to spreading rumours or negative news about a person to incite online violence, causing the person psychological trauma or even suicide; rumours spread about well-known public figures or groups cause a loss of public trust and even social unrest.
The object properties are set as follows:
takeAction(A, X): role A takes action X
utilizedIn(X, Y): action X is used in network kill chain stage Y
belongTo(Z, Y): position Z lies in kill chain stage Y
locatedIn(A, Z): role A is at position Z
deployment(B, A): purpose B is the goal that role A needs to achieve in this network attack
precede(C, D): kill chain stage C lies before kill chain stage D
The data attributes are set as follows:
cost(X, C): the cost of using action X is C
currentCapital(A, M): role A's current funds are M
moves(X, N): using action X moves N steps forward or backward
movesSound(X, R): R is the number of rounds for which action X exerts an effect
principal(A, P): role A's principal is P
restCapital(A, RP): role A's remaining funds are RP
step(Z, S): position Z belongs to stage S
upsweep(X, U): U is the number of steps moved in the rounds for which action X can continue to be used
upscalepwround(X, UR): UR is the number of rounds for which action X can continue to be used
win(A): success or failure of role A
The ontology is described structurally in the SWRL language.
A sequence relationship exists between the stages of the network kill chain:
a chain phase of cyber killing (
-> precede(?A,?B) or precede(?B,?A)
Defenders can only take defensive actions:
defender role (
An attacker can only take attack actions:
attacker role (
When the target is reached, the attacker wins:
belongto (
After the role takes a legal measure, the attacker moves the corresponding number of steps:
next position (
Role (
After the role takes a measure, its funds change from the current funds to the remaining funds:
remaining funds (
When the remaining funds are 0 and the attacker is at a position other than target achievement, the attacker fails:
residual funds (
When the remaining funds are less than 0 and the attacker is at a position other than target achievement, the attacker fails:
residual funds (
The other rules of the turn-based network wargame are as follows. When the game starts, each player first selects one of the identities 'attacker', 'defender' and 'audience'. The audience watches the game proceed from a God's-eye view. The attacker selects its target. The attacker and the defender each initially hold 7 cards dealt randomly by the system; the identity and target of the attacker are unknown to the defender, and the hands of the attacker and the defender are unknown to each other. The two parties play cards alternately: the attacker can only play attack cards and the defender can only use defense actions. When a player selects a card and presses 'play card', the system judges whether the selected card is suitable for the current stage. If the card can be used, it is played and the attacker moves forward or backward by the number of steps on the card; if it cannot be used, the system prompts 'please select the card of the corresponding stage' and the player may reselect. If no card in the hand can be used in the current stage, the player can select one card and click 'replace'; the system replaces it with a random card from the action library, and a card can be replaced multiple times. If the player decides not to play a card in this round, for reasons such as cost or tactics, the player may select the 'skip' button, which skips the round and passes the play to the other party. When the attacker reaches the end point, when the attacker's funds are exhausted, or when the number of actions of either party exceeds 50, the game ends and the winner is judged according to the rules.
The system records the actions of both parties during the game and reflects them in a log, from which the players can replay the game actions and improve their overall play. The wargame flow is shown in figure 4, and the action selection flow is shown in figure 5.
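As an added illustration (not code from the patent or its authors), the following Python encodes the ontology vocabulary of the preceding sections (precede, step, takeAction, utilizedIn, cost, moves, currentCapital and restCapital), the SWRL-style rules (role restricts card type, stage must match, funds update, win and loss conditions), and the turn flow described in the paragraph above as one small rule engine. The card library, fund values and random seed are constructed; the clamping of backward moves at the start position, the counting of 'skip' as an action, and the judgement when the 50-action limit is exceeded are assumptions where the page does not state the rule.

```python
import random
from dataclasses import dataclass, field
from typing import List, Optional

# Lockheed Martin kill chain in order; the page's precede(C, D) relation is this ordering.
KILL_CHAIN = ["reconnaissance", "weaponization", "delivery", "exploitation",
              "installation", "command and control", "target achievement"]
STEPS_PER_STAGE = 6                                      # the page sets 6 steps between adjacent stages
END_POSITION = (len(KILL_CHAIN) - 1) * STEPS_PER_STAGE   # position 36 is "target achievement"
MAX_ACTIONS = 50                                         # the game ends once either side exceeds 50 actions


def precede(c: str, d: str) -> bool:
    """precede(C, D): kill chain stage C lies before stage D."""
    return KILL_CHAIN.index(c) < KILL_CHAIN.index(d)


def step(position: int) -> str:
    """step(Z, S): the kill chain stage S that board position Z belongs to."""
    return KILL_CHAIN[min(position // STEPS_PER_STAGE, len(KILL_CHAIN) - 1)]


@dataclass
class Action:
    """A card: kind is 'attack' or 'defense', stage is utilizedIn(X, Y), cost is cost(X, C),
    moves is moves(X, N) (negative values push the attacker back). Card contents are constructed."""
    name: str
    kind: str
    stage: str
    cost: int
    moves: int


@dataclass
class Role:
    name: str                       # 'attacker' or 'defender'
    capital: int                    # currentCapital(A, M); a play leaves restCapital(A, RP)
    hand: List[Action] = field(default_factory=list)
    actions_taken: int = 0


def check_ontology(actions: List[Action]) -> List[str]:
    """Consistency and completeness check over the action instances, as claim 1 requires:
    each action must name a real kill chain stage, a non-negative cost and a legal kind."""
    problems = []
    for a in actions:
        if a.stage not in KILL_CHAIN:
            problems.append(f"{a.name}: unknown stage {a.stage!r}")
        if a.cost < 0:
            problems.append(f"{a.name}: negative cost")
        if a.kind not in ("attack", "defense"):
            problems.append(f"{a.name}: kind must be attack or defense")
    return problems


class Game:
    """Enforces the page's rules: role/card type, current-stage matching, movement,
    fund bookkeeping, win/loss judgement, and the log used for replay."""

    def __init__(self, attacker: Role, defender: Role, library: List[Action], seed: int = 0):
        self.attacker, self.defender, self.library = attacker, defender, library
        self.rng = random.Random(seed)   # the page only says "random"; the seed is an assumption
        self.position = 0                # locatedIn(attacker, Z): start of reconnaissance
        self.log: List[str] = []

    def play(self, role: Role, card: Action) -> str:
        """takeAction(A, X); returns "ok" or the prompt the player would see."""
        if self.winner() is not None:
            return "game over"
        if (role.name == "attacker") != (card.kind == "attack"):
            return "wrong card type for this role"       # attackers: attack cards only, defenders: defense only
        if card not in role.hand:
            return "card not in hand"
        if card.stage != step(self.position):             # utilizedIn(X, Y) must match belongTo(Z, Y)
            return "please select the card of the corresponding stage"
        role.hand.remove(card)
        role.capital -= card.cost                          # restCapital = currentCapital - cost
        self.position = max(0, min(END_POSITION, self.position + card.moves))  # clamping is an assumption
        role.actions_taken += 1
        self.log.append(f"{role.name} {card.name} -> position {self.position}, funds {role.capital}")
        return "ok"

    def replace(self, role: Role, card: Action) -> Action:
        """The 'replace' button: swap an unusable card for a random card of the same kind from the library."""
        role.hand.remove(card)
        new = self.rng.choice([a for a in self.library if a.kind == card.kind])
        role.hand.append(new)
        return new

    def skip(self, role: Role) -> None:
        """The 'skip' button: the turn passes to the other party; counted as an action (assumption)."""
        role.actions_taken += 1
        self.log.append(f"{role.name} skip")

    def winner(self) -> Optional[str]:
        """win(A): target reached -> attacker; remaining funds <= 0 before the target -> defender;
        more than 50 actions by either side without reaching the target -> defender (assumption)."""
        if self.position >= END_POSITION:
            return "attacker"
        if self.attacker.capital <= 0:
            return "defender"
        if max(self.attacker.actions_taken, self.defender.actions_taken) > MAX_ACTIONS:
            return "defender"
        return None


# Constructed action library; the contents of the page's AT001-AT053 / DT001-DT053 are not given.
LIBRARY = [
    Action("AT-scan", "attack", "reconnaissance", cost=2, moves=4),
    Action("AT-osint", "attack", "reconnaissance", cost=1, moves=2),
    Action("AT-build", "attack", "weaponization", cost=3, moves=6),
    Action("DT-harden", "defense", "reconnaissance", cost=1, moves=-2),
    Action("DT-filter", "defense", "weaponization", cost=2, moves=-3),
]


def demo():
    """Scripted opening of a game; returns the prompt of each play and the game state."""
    attacker = Role("attacker", 10, [LIBRARY[0], LIBRARY[1], LIBRARY[2]])
    defender = Role("defender", 10, [LIBRARY[3], LIBRARY[4]])
    game = Game(attacker, defender, LIBRARY)
    results = [
        game.play(attacker, LIBRARY[2]),   # weaponization card while still in reconnaissance
        game.play(defender, LIBRARY[0]),   # defender tries an attack card
        game.play(attacker, LIBRARY[0]),   # ok: position 4, attacker funds 8
        game.play(defender, LIBRARY[3]),   # ok: position 2, defender funds 9
        game.play(attacker, LIBRARY[1]),   # ok: position 4, attacker funds 7
    ]
    return results, game
```

The `log` list is the replay record the page describes: each entry holds the role, the card, the resulting position and the remaining funds, which is enough to reconstruct the sequence of positions and the fund consumption after the game.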
The technical features of the above embodiments can be arbitrarily combined, and for the sake of brevity, all possible combinations of the technical features in the above embodiments are not described, but should be considered as the scope of the present specification as long as there is no contradiction between the combinations of the technical features.
The above-mentioned embodiments only express several embodiments of the present application, and the description thereof is more specific and detailed, but not construed as limiting the scope of the invention. It should be noted that, for a person skilled in the art, several variations and modifications can be made without departing from the concept of the present application, which falls within the scope of protection of the present application. Therefore, the protection scope of the present patent shall be subject to the appended claims.

Claims (6)

1. A simulation modeling method for a network attack and defense process, characterized by comprising the following steps:
acquiring the logical relationships between objects, and the object attributes and data attributes of the objects, in a network attack and defense process; the objects include: attackers, defenders, attack and defense steps, attack and defense modes, attack effects and resource consumption;
modeling the logical relationships between the objects by means of an ontology knowledge graph;
modeling the object attributes and data attributes of the objects by means of an instance knowledge graph, and establishing the relationship between the ontology knowledge graph and the instance knowledge graph;
performing attack modeling based on the Lockheed Martin kill chain model and the ATT&CK framework;
constructing a simulation scene of the network attack and defense process according to the established logical relationship model, object attribute model and data attribute model and the relationship between the ontology knowledge graph and the instance knowledge graph;
in the simulation scene, obtaining simulation interaction data over the life cycle of the network attack and defense process by dynamic deduction according to the established attack model;
wherein performing attack modeling based on the Lockheed Martin kill chain model and the ATT&CK framework comprises the following steps:
adopting the Lockheed Martin kill chain as the attack path of network attack and defense, classifying attack and defense techniques by kill chain stage and by the ATT&CK framework, and setting 6 steps between two adjacent stages, to obtain the kill chain stages and the corresponding attack and defense modes;
taking the kill chain stages and the attack and defense modes as instances, setting the corresponding object attributes and data attributes, and performing consistency and completeness checking on the ontology;
setting the Lockheed Martin kill chain, tactical decisions, attack and defense techniques, tactic classification, the kill chain position of the attacker and resources as classes in the ontology, filling the tactic usage stage, attack effect and resource consumption into the ontology as instances, and using the ontology file as the model configuration file.
2. The method according to claim 1, wherein obtaining, in the simulation scene, simulation interaction data over the life cycle of the network attack and defense process by dynamic deduction according to the established attack model further comprises:
the identity, target and principal of the attacker are not disclosed to the defender, so that the adversary the defender faces and its purpose are unknown;
the attacker and the defender can only see the attack modes and defense modes already used; the cards and remaining funds in the opponent's hand are unknown; the two parties play the adversarial game on the basis of incomplete information, playing cards alternately by turns and recording each play.
3. The method according to claim 2, wherein the objects further comprise: referees and other personnel;
and wherein the step in which the attacker and the defender can only see the attack modes and defense modes already used, the cards and remaining funds in the opponent's hand are unknown, and the two parties play the adversarial game on the basis of incomplete information, playing cards alternately by turns and recording each play, further comprises:
the referees and other personnel selecting the audience identity to enter the simulation system and watching the whole process of the network attack and defense deduction, so that both the participants and the audience receive cyberspace security education and training.
4. The method according to any one of claims 1-3, further comprising:
in the network attack and defense simulation process, the attacker and the defender alternately attack and defend, and at each attack or defense the attacker or the defender can adjust its strategy according to the updated information on the board.
5. A simulation modeling apparatus for a network attack and defense process, the apparatus comprising:
a data acquisition module for simulation modeling, used to acquire the logical relationships between objects, and the object attributes and data attributes of the objects, in the network attack and defense process; the objects include: attackers, defenders, attack and defense steps, attack and defense modes, attack effects and resource consumption;
a knowledge-graph-based modeling module, used to model the logical relationships between the objects by means of the ontology knowledge graph, to model the object attributes and data attributes of the objects by means of an instance knowledge graph, and to establish the relationship between the ontology knowledge graph and the instance knowledge graph;
an attack and defense process modeling module, used to perform attack modeling based on the Lockheed Martin kill chain model and the ATT&CK framework; to construct a simulation scene of the network attack and defense process according to the established logical relationship model, object attribute model and data attribute model and the relationship between the ontology knowledge graph and the instance knowledge graph; and, in the simulation scene, to obtain simulation interaction data over the life cycle of the network attack and defense process by dynamic deduction according to the established attack model;
the attack and defense process modeling module being further used to adopt the Lockheed Martin kill chain as the attack path of network attack and defense, to classify attack and defense techniques by kill chain stage and by the ATT&CK framework, and to set 6 steps between two adjacent stages, to obtain the kill chain stages and the corresponding attack and defense modes; to take the kill chain stages and the attack and defense modes as instances, set the corresponding object attributes and data attributes, and perform consistency and completeness checking on the ontology; and to set the Lockheed Martin kill chain, tactical decisions, attack and defense techniques, tactic classification, the kill chain position of the attacker and resources as classes in the ontology, fill the tactic usage stage, attack effect and resource consumption into the ontology as instances, and use the ontology file as the model configuration file.
6. An implementation method for a network turn wargame, characterized in that the implementation method comprises the following steps:
decomposing the network turn wargame to obtain the logical relationships between objects, and the object attributes and data attributes of the objects, in the network attack and defense process; the objects include: attackers, defenders, attack and defense steps, attack and defense modes, attack effects and resource consumption;
and modeling the logical relationships between the objects and the object attributes and data attributes of the objects in the network attack and defense process by means of the simulation modeling method for a network attack and defense process according to any one of claims 1 to 4, to obtain the network turn wargame.
CN202110815835.2A 2021-07-19 2021-07-19 Simulation modeling method and device for network attack and defense process and network turn wargame Active CN113536573B (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN202110815835.2A CN113536573B (en) 2021-07-19 2021-07-19 Simulation modeling method and device for network attack and defense process and network turn wargame

Publications (2)

Publication Number Publication Date
CN113536573A CN113536573A (en) 2021-10-22
CN113536573B true CN113536573B (en) 2022-06-14

Family

ID=78128798

Family Applications (1)

Application Number Title Priority Date Filing Date
CN202110815835.2A Active CN113536573B (en) 2021-07-19 2021-07-19 Simulation modeling method and device for network attack and defense process and network turn wargame

Country Status (1)

Country Link
CN (1) CN113536573B (en)

Families Citing this family (4)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN114095262B (en) * 2021-11-19 2024-01-02 Beijing Antiy Network Security Technology Co., Ltd. Network attack and defense deduction method and device, computing equipment and storage medium
CN113824736B (en) * 2021-11-22 2022-02-25 Hangzhou DBAPPSecurity Co., Ltd. Asset risk handling method, device, equipment and storage medium
CN115329613B (en) * 2022-10-17 2022-12-23 Information Science Academy of China Electronics Technology Group Corporation Simulation method and device for optoelectronic transceiver module, electronic equipment and storage medium
CN116346466B (en) * 2023-03-28 2023-11-10 Yongxin Zhicheng Technology Group Co., Ltd. Method, system and equipment for replay deduction based on cyber range scenarios

Citations (4)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN108733897A (en) * 2018-04-28 2018-11-02 Shanghai Xuanyi Technology Co., Ltd. Attack-defense confrontation simulation system and simulation method based on an architecture framework model
CN108933793A (en) * 2018-07-24 2018-12-04 PLA Strategic Support Force Information Engineering University Knowledge-graph-based attack graph generation method and device
CN112104514A (en) * 2020-11-18 2020-12-18 National University of Defense Technology Multi-view network attack and defense simulation system
CN112118272A (en) * 2020-11-18 2020-12-22 National University of Defense Technology Network attack and defense deduction platform based on simulation experiment design

Family Cites Families (1)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
WO2014066500A1 (en) * 2012-10-23 2014-05-01 Hassell Suzanne P Cyber analysis modeling evaluation for operations (cameo) simulation system

Non-Patent Citations (6)

* Cited by examiner, † Cited by third party
Title
Liu Bin; Yao Li; Ding Zheyuan; Xu Junyi; Wu Junfeng. Combining ontology and reinforcement learning for zero-shot classification. Knowledge-Based Systems, 2018, vol. 144 *
Qian Jingmei et al. Modeling and simulation of cyber network defense based on OPNET. Communications Technology, 2018-03-10, vol. 51, no. 3, pp. 705-711 *
Zhang Xiaosong et al. APT attack prediction method based on a tree structure. Journal of University of Electronic Science and Technology of China, 2016-07-30, vol. 45, no. 4, pp. 582-588 *
Sun Qian et al. Multi-path combined attack defense decision method based on a non-zero-sum game. Journal of Northwest University (Natural Science Edition), 2019-06-04, vol. 49, no. 3, pp. 343-350 *
Ding Zhaoyun; Liu Kai; Liu Bin; Zhu Xixi. A survey of cybersecurity knowledge graph research. Journal of Huazhong University of Science and Technology (Natural Science Edition), 2021-07-15, vol. 49, no. 7, pp. 79-91 *
Liu Xiuwen et al. Classification of information deception in user interaction scenarios and its threat suppression mechanism. Journal of Wuhan University (Natural Science Edition), 2019-03-11, vol. 65, no. 2, pp. 126-138 *

Also Published As

Publication number Publication date
CN113536573A (en) 2021-10-22

Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination
GR01 Patent grant