CN114095262B - Network attack and defense deduction method and device, computing equipment and storage medium - Google Patents


Info

Publication number: CN114095262B
Authority: CN (China)
Prior art keywords: attack, deduction, defense, information asset, technical means
Legal status: Active
Application number: CN202111399665.0A
Other languages: Chinese (zh)
Other versions: CN114095262A (en)
Inventors: 王杉, 卢鹏
Current assignee: Beijing Antiy Network Technology Co Ltd
Original assignee: Beijing Antiy Network Technology Co Ltd
Events: application filed by Beijing Antiy Network Technology Co Ltd; priority to CN202111399665.0A; publication of CN114095262A; application granted; publication of CN114095262B; legal status active; anticipated expiration
Classifications

    • H ELECTRICITY > H04 ELECTRIC COMMUNICATION TECHNIQUE > H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION > H04L63/00 Network architectures or network communication protocols for network security > H04L63/14 Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic > H04L63/1441 Countermeasures against malicious traffic
    • H ELECTRICITY > H04 ELECTRIC COMMUNICATION TECHNIQUE > H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION > H04L41/00 Arrangements for maintenance, administration or management of data switching networks, e.g. of packet switching networks > H04L41/14 Network analysis or design > H04L41/142 Network analysis or design using statistical or mathematical methods
    • H ELECTRICITY > H04 ELECTRIC COMMUNICATION TECHNIQUE > H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION > H04L63/00 Network architectures or network communication protocols for network security > H04L63/20 Network architectures or network communication protocols for network security for managing network security; network security policies in general
Abstract

The invention provides a network attack and defense deduction method, device, computing device and storage medium. The method comprises the following steps: based on a constructed network attack and defense deduction terrain, the director configures corresponding operator attributes for the deduction operators used in the network attack and defense deduction, and forms a mapping relation between the deduction operators; the operators include information asset nodes, security equipment nodes, vulnerabilities, credentials, targets, attack technical means and defense technical means; the attacker and the defender conduct countermeasure dynamic deduction in the network attack and defense deduction terrain, and each time the judging condition of an attack action is reached, the director generates the judging result of the current attack action according to the mapping relation; and when the countermeasure dynamic deduction meets the ending condition, the director generates the network attack and defense deduction result. The scheme restores the countermeasure logic of a real network attack and defense scenario to a high degree, so that the fidelity of the network attack and defense deduction is improved and the obtained deduction result has reference value.

Description

Network attack and defense deduction method and device, computing equipment and storage medium
Technical Field
Embodiments of the invention relate to the field of security technology, and in particular to a network attack and defense deduction method, device, computing device and storage medium.
Background
Wargame deduction abstracts and quantifies each factor of a war with mathematical methods, casts the course of the war into a data model, simulates and deduces the whole course of the war, and studies and calculates the war situation according to rules.
In network attack and defense deduction, the existing methods perform attack and defense simulation based only on simple contrast logic between vulnerability characteristics and attack technical means. However, the topology of a network attack and defense deduction terrain is complex and the factors influencing the attack and defense countermeasures are many, so the existing methods have low fidelity, cannot represent a real attack and defense countermeasure scenario, and produce deduction results of low reference value.
Disclosure of Invention
In view of the problems that the existing network attack and defense deduction method has low fidelity, cannot represent a real attack and defense countermeasure scenario, and yields deduction results of low reference value, embodiments of the invention provide a network attack and defense deduction method, device, computing device and storage medium that can represent a real attack and defense countermeasure scenario, improve the fidelity, and improve the reference value of the deduction result.
In a first aspect, an embodiment of the invention provides a network attack and defense deduction method, including:
based on a constructed network attack and defense deduction terrain, the director configures corresponding operator attributes for the deduction operators used in the network attack and defense deduction, and forms a mapping relation between the deduction operators according to the configured operator attributes; the operators include information asset nodes, security equipment nodes, vulnerabilities, credentials, targets, attack technical means and defense technical means;
the attacker and the defender conduct countermeasure dynamic deduction in the network attack and defense deduction terrain, and each time the judging condition of an attack action is reached during the countermeasure dynamic deduction, the director generates the judging result of the current attack action according to the mapping relation;
and when the countermeasure dynamic deduction meets the ending condition, the director generates the network attack and defense deduction result according to the judging results of the attack actions.
Preferably, during the countermeasure dynamic deduction, the director controls the visible range of information asset nodes in the network attack and defense deduction terrain that is exposed to the attacker, so that the attacker attacks information asset nodes within the visible range.
Preferably, after the director generates the judging result of the current attack action according to the mapping relation, the method further includes: updating the controlled state of the information asset node attacked by the current attack action according to the judging result;
and the director controlling the visible range of information asset nodes in the network attack and defense deduction terrain exposed to the attacker includes:
the director determines the controlled state of each information asset node in the network attack and defense deduction terrain, and calculates the visible range of information asset nodes exposed to the attacker according to the controlled state of each information asset node.
Preferably, the operator attributes of an attack technical means include a pre-attack condition; the pre-attack condition includes: the preceding attack technical means that must be implemented before this attack technical means have been implemented successfully, and/or the attacked information asset node is in a target controlled state before this attack technical means is implemented against it;
and before the director generates the judging result of the current attack action according to the mapping relation, the method further includes:
determining the target attack technical means implemented by the current attack action;
determining whether the pre-attack condition of the target attack technical means is met; if so, executing the step of generating the judging result of the current attack action according to the mapping relation; otherwise, generating a judging result that the current attack action is unsuccessful.
Preferably, after determining the target attack technical means implemented by the current attack action and before determining whether its pre-attack condition is met, the method further includes:
determining whether the target attack technical means is a known attack technical means, and if not, the director enters the judging result of the current attack action manually.
Preferably, the director generating the judging result of the current attack action according to the mapping relation includes:
determining the target information asset node attacked by the current attack action;
determining, according to the mapping relation, the target security equipment node that protects the target information asset node;
determining, according to the protection capability of the target security equipment node, whether the current attack action is blocked; if not, calculating the judging result of the current attack action according to the vulnerability mapped to the target information asset node and the operator attributes of the target attack technical means implemented by the current attack action.
Preferably, the director generating the network attack and defense deduction result according to the judging results of the attack actions includes:
determining, according to the mapping relation, the key information asset nodes that have a mapping relation with the targets;
determining the controlled state of each key information asset node according to the judging results of the attack actions;
determining, according to the controlled state of each key information asset node, the key information asset nodes whose targets have been obtained;
and calculating the total target score representing the network attack and defense deduction result from the target scores preset for the key information asset nodes whose targets have been obtained.
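The following Python sketch, an added illustration rather than code from the patent, plays through the judging procedure listed above: the pre-attack condition check (preceding chain in order, required controlled state), the security equipment node's chance to block, the success probability taken from the vulnerability mapped to the attacked node, the update of the controlled state and of the attacker-visible range, and the final target score. All node names, technique names, probabilities and dice rolls are constructed assumptions; the random draw is injected so a run is reproducible.

```python
"""Adjudicating attack actions and scoring the deduction result. Added example, not code
from the patent; operator names, probabilities and the sample terrain are constructed."""
from typing import Callable, Dict, List, Optional, Set

DOMAIN_OF = {"web01": "dmz", "app01": "core", "db01": "core"}     # node -> security domain (sample)
VULNS_OF = {"web01": {"V-1"}, "app01": {"V-2"}, "db01": {"V-3"}}  # node -> vulnerabilities mapped to it
SUCCESS_PROB = {            # vulnerability -> {attack technical means: success probability}
    "V-1": {"exploit_public_app": 0.8},
    "V-2": {"lateral_movement": 0.6},
    "V-3": {"credential_abuse": 0.9},
}
DEVICES = {                 # security equipment node -> (protection range, {means: protection probability})
    "waf01": ({"web01"}, {"exploit_public_app": 0.5}),
    "ids01": ({"app01", "db01"}, {"lateral_movement": 0.3, "credential_abuse": 0.3}),
}
TECHNIQUES = {              # means -> (ordered preceding chain, required controlled state, resulting state)
    "exploit_public_app":   ([], None, "user"),
    "lateral_movement":     (["exploit_public_app"], None, "user"),
    "privilege_escalation": ([], "user", "admin"),
    "credential_abuse":     (["exploit_public_app", "lateral_movement"], None, "admin"),
}
TARGETS = {                 # target -> (key information asset node, target score, state that obtains it)
    "customer-db": ("db01", 100, "admin"),
    "web-deface": ("web01", 20, "user"),
}


def in_order(chain: List[str], history: List[str]) -> bool:
    """True when every step of the chain occurs in history in the configured order."""
    it = iter(history)
    return all(step in it for step in chain)


class Director:
    def __init__(self, roll: Callable[[], float]):
        self.roll = roll                         # draw in [0, 1); injected so runs are reproducible
        self.controlled: Dict[str, str] = {}     # node -> controlled state
        self.history: List[str] = []             # successfully implemented means, in order
        self.log: List[str] = []

    def pre_condition_met(self, node: str, technique: str) -> bool:
        chain, need_state, _ = TECHNIQUES[technique]
        state_ok = need_state is None or self.controlled.get(node) == need_state
        return in_order(chain, self.history) and state_ok

    def blocked(self, node: str, technique: str) -> bool:
        """Any security equipment node whose protection range covers the node may block the means."""
        for dev, (scope, protect) in DEVICES.items():
            p = protect.get(technique, 0.0)
            if node in scope and p > 0 and self.roll() < p:
                self.log.append(f"{dev} blocked {technique} on {node}")
                return True
        return False

    def judge(self, node: str, technique: str, manual: Optional[bool] = None) -> bool:
        """Judging result of one attack action; True means the action succeeded."""
        if technique not in TECHNIQUES:          # unknown means: the director enters the result by hand
            if manual is None:
                raise ValueError(f"unknown technical means {technique!r}: manual judging result required")
            ok, new_state = manual, "user"       # assumed: a manually judged success yields user control
        elif not self.pre_condition_met(node, technique):
            self.log.append(f"{technique} on {node}: pre-attack condition not met")
            return False
        elif self.blocked(node, technique):
            return False
        else:
            # Success probability comes from the vulnerabilities mapped to the node; take the best match.
            p = max((SUCCESS_PROB[v].get(technique, 0.0) for v in VULNS_OF.get(node, ())), default=0.0)
            ok, new_state = self.roll() < p, TECHNIQUES[technique][2]
            self.log.append(f"{technique} on {node}: p={p} -> {'success' if ok else 'fail'}")
        if ok:                                   # update the controlled state of the attacked node
            self.history.append(technique)
            self.controlled[node] = new_state
        return ok

    def visible_range(self, entry: Set[str]) -> Set[str]:
        """Nodes exposed to the attacker: the entry point plus every node sharing a security
        domain with a node already in a controlled state."""
        exposed = set(entry)
        for node in self.controlled:
            exposed.update(n for n, d in DOMAIN_OF.items() if d == DOMAIN_OF[node])
        return exposed

    def total_score(self) -> int:
        """Deduction result: sum of target scores whose key node has reached the required state."""
        return sum(score for key, score, need in TARGETS.values() if self.controlled.get(key) == need)


def run_sample() -> int:
    """Replays a short deduction with fixed dice so the outcome is reproducible."""
    rolls = iter([0.7, 0.1, 0.5, 0.2, 0.9, 0.4])
    director = Director(roll=lambda: next(rolls))
    director.judge("web01", "exploit_public_app")   # waf roll 0.7 >= 0.5: not blocked; 0.1 < 0.8: success
    director.judge("app01", "lateral_movement")     # ids roll 0.5 >= 0.3; 0.2 < 0.6: success
    director.judge("db01", "privilege_escalation")  # db01 not yet controlled: pre-attack condition fails
    director.judge("db01", "credential_abuse")      # chain satisfied; 0.9 >= 0.3; 0.4 < 0.9: success
    return director.total_score()                   # 120
```

Replacing the fixed roll list with `random.random` turns the replay into a Monte Carlo estimate of how often the targets fall, which is how a director would compare two candidate topologies.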
In a second aspect, an embodiment of the invention further provides a network attack and defense deduction device, including:
the director, configured to configure corresponding operator attributes for the deduction operators used in the network attack and defense deduction based on the constructed network attack and defense deduction terrain, and to form a mapping relation between the deduction operators according to the configured operator attributes; the operators include information asset nodes, security equipment nodes, vulnerabilities, credentials, targets, attack technical means and defense technical means;
the attacker and the defender, which respectively conduct countermeasure dynamic deduction in the network attack and defense deduction terrain, where each time the judging condition of an attack action is reached during the countermeasure dynamic deduction, the director generates the judging result of the current attack action according to the mapping relation;
and the director is further configured to generate the network attack and defense deduction result according to the judging results of the attack actions when the countermeasure dynamic deduction meets the ending condition.
In a third aspect, an embodiment of the invention further provides a computing device, including a memory and a processor, where the memory stores a computer program and the processor, when executing the computer program, implements the method of any embodiment of this specification.
In a fourth aspect, embodiments of the invention further provide a computer-readable storage medium storing a computer program which, when executed in a computer, causes the computer to perform the method of any embodiment of this specification.
Embodiments of the invention provide a network attack and defense deduction method, device, computing device and storage medium in which the deduction operators used for the network attack and defense deduction include information asset nodes, security equipment nodes, vulnerabilities, credentials, targets, attack technical means and defense technical means. These operators reflect the core elements of a real network attack and defense countermeasure scenario; corresponding operator attributes are configured for them to form a mapping relation between the operators, and the attack actions of the countermeasure dynamic deduction are judged using this mapping relation. The countermeasure logic of a real network attack and defense scenario is thus restored to a high degree, the fidelity of the deduction is improved, and the obtained deduction result has reference value.
Drawings
To illustrate the embodiments of the invention or the technical solutions of the prior art more clearly, the drawings required by the embodiments or by the description of the prior art are briefly introduced below. The drawings described below are evidently only some embodiments of the invention, and a person skilled in the art may obtain other drawings from them without inventive effort.
Fig. 1 is a flowchart of a network attack and defense deduction method according to an embodiment of the invention;
Fig. 2 is a flowchart of a method for generating a network attack and defense deduction result according to an embodiment of the invention;
Fig. 3 is a hardware architecture diagram of a computing device according to an embodiment of the invention;
Fig. 4 is a block diagram of a network attack and defense deduction device according to an embodiment of the invention.
Detailed Description
To make the objects, technical solutions and advantages of the embodiments of the invention clearer, the technical solutions of the embodiments are described clearly and completely below with reference to the accompanying drawings. The described embodiments are evidently some, but not all, of the embodiments of the invention, and all other embodiments obtained by a person skilled in the art from these embodiments without inventive effort fall within the scope of protection of the invention.
As noted above, the existing network attack and defense deduction methods perform attack and defense simulation based on vulnerability characteristics and the simple countermeasure logic of attack means. However, the topology of a network attack and defense deduction terrain is complex and the factors influencing the attack and defense countermeasures are many; simulating the deduction with simple countermeasure logic alone cannot represent a real attack and defense countermeasure, so the fidelity is low and the reference value of the deduction result is low.
To improve the fidelity so that the network attack and defense deduction represents a real attack and defense countermeasure scenario, deduction operators that reflect the core elements of the real scenario must be selected to take part in the whole deduction, and the deduction must proceed as a countermeasure dynamic deduction that simulates the real countermeasure.
Specific implementations of the above concept are described below.
Referring to Fig. 1, an embodiment of the invention provides a network attack and defense deduction method, which includes:
Step 100: based on the constructed network attack and defense deduction terrain, the director configures corresponding operator attributes for the deduction operators used in the network attack and defense deduction, and forms a mapping relation between the deduction operators according to the configured operator attributes; the operators include information asset nodes, security equipment nodes, vulnerabilities, credentials, targets, attack technical means and defense technical means.
Step 102: the attacker and the defender conduct countermeasure dynamic deduction in the network attack and defense deduction terrain, and each time the judging condition of an attack action is reached during the countermeasure dynamic deduction, the director generates the judging result of the current attack action according to the mapping relation.
Step 104: when the countermeasure dynamic deduction meets the ending condition, the director generates the network attack and defense deduction result according to the judging results of the attack actions.
In this embodiment, the deduction operators used for the network attack and defense deduction include information asset nodes, security equipment nodes, vulnerabilities, credentials, targets, attack technical means and defense technical means, which reflect the core elements of a real network attack and defense scenario. Corresponding operator attributes are configured for the operators to form a mapping relation between them, and the attack actions of the countermeasure dynamic deduction are judged using this mapping relation, so that the countermeasure logic of the real scenario is restored to a high degree, the fidelity of the deduction is improved, and the obtained deduction result has a higher reference value.
The manner in which each step shown in Fig. 1 is performed is described below.
First, for step 100: based on the constructed network attack and defense deduction terrain, the director configures corresponding operator attributes for the operators used in the network attack and defense deduction, and forms a mapping relation between the operators according to the configured operator attributes; the operators include information asset nodes, security equipment nodes, vulnerabilities, credentials, targets, attack technical means and defense technical means.
The network attack and defense deduction terrain is constructed from a network topology, which may be a real topology or a topology still to be deployed. The purpose of the network attack and defense deduction is to evaluate the security of the network topology, so that the topology can be adjusted according to the deduction result and the adjusted topology achieves the best possible security.
The nodes in the network attack and defense deduction terrain include information asset nodes and security equipment nodes.
In this embodiment, to reflect the core elements of a real network attack and defense countermeasure scenario, the deduction operators used for the network attack and defense deduction may include: information asset nodes, security equipment nodes, vulnerabilities, credentials, targets, attack technical means and defense technical means.
The operator attributes configured for each operator are described below.
1. Information asset nodes.
An information asset node is an asset device in the simulated attack and defense scenario, such as a server, a client or a printer.
The operator attributes of an information asset node are the attribute information of the corresponding asset device and may include at least one of: IP address, MAC address, security domain, operating system and version, processes, and applications and versions.
The security domain characterizes the domain to which the information asset node belongs; one security domain may contain one or more information asset nodes. An association between information asset nodes can be formed from the security domain: for example, once one information asset node has been attacked successfully, the other information asset nodes in the same security domain may then be attacked.
As the attacked node, an information asset node can establish mapping relations with the vulnerability, credential and target operators, among others.
2. Vulnerabilities.
A vulnerability is a weak configuration or software vulnerability in the simulated attack and defense scenario. The operator attributes configured for a vulnerability may therefore include: the corresponding attack technical means, and the success probability of an attack using each of those attack technical means.
In one embodiment, to bring the deduction closer to a real attack and defense scenario, two types of vulnerability can be configured: known vulnerabilities and unknown vulnerabilities. A known vulnerability can be found by scanning by both the attacker and the defender; the attacker can attack it with an attack technical means of high success probability, and the defender can repair it. An unknown vulnerability cannot be found by either side's scanning; the attacker attacks it by trying various attack technical means, each with a certain success probability, and the defender, unable to find it in advance, can only repair it according to anomalies observed while being attacked, or detect and defend against the attack technical means that caused the anomaly.
In the configuration phase of step 100, a mapping relation between information asset nodes and vulnerabilities can be established, that is, corresponding vulnerabilities are configured for each information asset node in the network attack and defense deduction terrain.
3. Credentials.
A credential is what a user presents when logging in to an information asset node in the simulated attack and defense scenario, for example a login user name and password. Credentials can help an attacker extend the attack laterally and/or longitudinally: for example, after the attacker obtains a credential on one information asset node, that credential may include credentials for information asset nodes in a lateral and/or longitudinal relationship with that node.
Thus, in one embodiment, when the operator is a credential, the operator attributes configured for it may include: the range of information asset nodes to which the credential corresponds, and the controlled state of those information asset nodes. Once the director determines that the attacker has obtained a credential, the controlled state of the corresponding information asset nodes can be modified according to the credential's operator attributes.
As with vulnerabilities, in the configuration phase of step 100 a mapping relation between information asset nodes and credentials can be established, that is, corresponding credentials are configured for each information asset node in the network attack and defense deduction terrain.
4. Targets.
A target is a high-value information asset node in the simulated attack and defense scenario and a principal attack objective of the attacker. In one embodiment, when the operator is a target, the operator attributes configured for it may include: the target score, and the controlled state of the information asset node at which the target is obtained.
As with vulnerabilities and credentials, in the configuration phase of step 100 a mapping relation between information asset nodes and targets can be established: corresponding targets are configured for several high-value information asset nodes in the network attack and defense deduction terrain.
5. Security equipment nodes.
A security equipment node is a device that performs security monitoring and protection for information asset nodes in the simulated attack and defense scenario. In one embodiment, the operator attributes configured for a security equipment node may include: protection range and protection capability.
The protection range can be configured by selecting information asset nodes or a security domain. For example, the protection range may be the information asset nodes with addresses IP1 and IP2; or it may be the information asset nodes within security domain A. Configuring the protection range of a security equipment node forms the mapping relation between the security equipment node and the information asset nodes.
The protection capability may include: the protection probability against each attack technical means in the attack technical means set, and the detection probability of each attack technical means in the set. The attack technical means set may consist of the currently known attack technical means, for example the attack technical means of the ATT&CK threat framework.
6. Attack technical means.
Attack technical means are the various technical means that an attacker may adopt in the simulated attack and defense scenario. In this embodiment, the attack technical means set can be generated in advance, and corresponding operator attributes are then configured for each attack technical means in the set. As above, the set may consist of the currently known attack technical means, for example those of the ATT&CK threat framework.
In one embodiment, the operator attributes configured for an attack technical means may include at least one of: a pre-attack condition, the success probability against each vulnerability it can attack, action points, and implementation results.
When a pre-attack condition is configured for an attack technical means, it may include: the preceding attack technical means that must be implemented before this one have been implemented successfully, and/or the attacked information asset node is in a target controlled state before this attack technical means is implemented against it.
In one embodiment, there may be one or several preceding attack technical means. When there are several, the order in which they must be implemented successfully may also be set, so that the preceding attack technical means form an attack action chain. The precondition for successfully implementing an attack technical means configured with a preceding-attack condition is that each preceding attack technical means has been implemented successfully in the order specified by the attack action chain. Configuring preceding-attack conditions brings the successful implementation of attack technical means closer to a real network attack and defense scenario and further improves the reference value of the deduction result.
The success probability against each vulnerability in the operator attributes of an attack technical means can be associated with the success probability of that attack technical means in the operator attributes of the vulnerability, so that a mapping relation between attack technical means and vulnerabilities can be formed from the operator attributes of the attack technical means and of the vulnerability. Due to
Action points are the time and resources consumed by implementing the attack technical means. During the network attack and defense deduction, the attacker and the defender deduce simultaneously, so limiting the action points of attack technical means reflects the attack and defense volume between the attacker and the defender in a real scenario.
The implementation results may include: feedback information, the controlled state of the information asset node, the target obtained, and so on; they reflect the effect achieved by implementing the attack technical means.
A mapping relation between attack technical means and targets can be formed from the implementation results.
7. Defense technical means.
Defense technical means are the various means that a defender may adopt in the simulated attack and defense scenario. On the one hand, based on the security equipment nodes, defense technical means such as vulnerability monitoring, vulnerability repair, blocking of attack technical means, scanning and removal, isolation and tracing can be applied to information asset nodes. On the other hand, a mapping relation can be formed with the matrix of attack technical means, so that a defense technical means capable of countering a given attack technical means can be implemented.
In one embodiment, the operator attributes configured for a defense technical means may include: the corresponding attack technical means, action points, and action results.
The action points are the same as those of attack technical means and are not described again here.
The action results may include: feedback information, vulnerability repair, reduction of the success probability of an attack technical means, and so on.
This completes the description of the operator attributes configured for each operator; the mapping relation between operators can be formed according to the configured operator attributes.
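As an added example (not the patent's own code), the following Python sketch shows how the operator attributes described above become the mapping relations of step 100: protection ranges selected by node or by security domain are resolved to concrete information asset nodes, the success probabilities stated on the attack technical means and on the vulnerability are joined into one attack-means-to-vulnerability mapping and checked for agreement, attack action chains are checked for unknown or cyclic preceding means, and targets whose key node no security equipment node protects are flagged. Node names, addresses, probabilities and action points are constructed assumptions.

```python
"""Forming the mapping relations of step 100 from configured operator attributes, with checks a
director would run before deduction starts. Added example, not the patent's code; all values constructed."""
from dataclasses import dataclass, field
from typing import Dict, List, Set


@dataclass
class AssetNode:                                    # information asset node
    ip: str
    security_domain: str
    vulns: Set[str] = field(default_factory=set)    # vulnerabilities configured on the node

@dataclass
class SecurityDevice:                               # security equipment node
    scope_nodes: Set[str] = field(default_factory=set)     # protection range chosen by node...
    scope_domains: Set[str] = field(default_factory=set)   # ...and/or by security domain
    protect_prob: Dict[str, float] = field(default_factory=dict)   # means -> protection probability

@dataclass
class AttackTechnique:                              # attack technical means
    action_points: int
    preamble: List[str] = field(default_factory=list)              # ordered preceding chain
    success_prob: Dict[str, float] = field(default_factory=dict)   # vulnerability -> success probability


NODES = {
    "web01":   AssetNode("10.0.1.10", "dmz", {"V-1"}),
    "app01":   AssetNode("10.0.2.10", "core", {"V-2"}),
    "db01":    AssetNode("10.0.2.20", "core", {"V-3"}),
    "print01": AssetNode("10.0.3.10", "office"),
}
VULNS = {   # vulnerability-side attribute: {means: success probability}
    "V-1": {"exploit_public_app": 0.8},
    "V-2": {"lateral_movement": 0.6},
    "V-3": {"credential_abuse": 0.9},
}
DEVICES = {
    "waf01": SecurityDevice(scope_nodes={"web01"}, protect_prob={"exploit_public_app": 0.5}),
    "ids01": SecurityDevice(scope_domains={"core"}, protect_prob={"lateral_movement": 0.3}),
}
TECHNIQUES = {
    "exploit_public_app": AttackTechnique(2, success_prob={"V-1": 0.8}),
    "lateral_movement":   AttackTechnique(3, ["exploit_public_app"], {"V-2": 0.6}),
    "credential_abuse":   AttackTechnique(1, ["exploit_public_app", "lateral_movement"]),
}
TARGETS = {"customer-db": "db01", "print-spool": "print01"}   # target -> key information asset node

def device_scope(dev: SecurityDevice) -> Set[str]:
    """Resolves a protection range given by node and/or by security domain to concrete nodes."""
    by_domain = {n for n, a in NODES.items() if a.security_domain in dev.scope_domains}
    return (dev.scope_nodes & set(NODES)) | by_domain


def technique_vuln_map() -> Dict[str, Dict[str, float]]:
    """means -> {vulnerability: p}. Either operator may carry the probability; if both do, they must agree."""
    out: Dict[str, Dict[str, float]] = {}
    for tname, t in TECHNIQUES.items():
        for vid, probs in VULNS.items():
            p_t, p_v = t.success_prob.get(vid), probs.get(tname)
            if p_t is None and p_v is None:
                continue
            if p_t is not None and p_v is not None and abs(p_t - p_v) > 1e-9:
                raise ValueError(f"{tname}/{vid}: means says {p_t}, vulnerability says {p_v}")
            out.setdefault(tname, {})[vid] = p_v if p_t is None else p_t
    return out


def chain_errors() -> List[str]:
    """Preceding means must exist in the set, and an attack action chain must not loop."""
    errs = []
    for tname, t in TECHNIQUES.items():
        seen, stack = set(), list(t.preamble)
        while stack:
            pre = stack.pop()
            if pre not in TECHNIQUES:
                errs.append(f"{tname}: unknown preceding means {pre}")
            elif pre == tname:
                errs.append(f"{tname}: cyclic attack action chain")
            elif pre not in seen:
                seen.add(pre)
                stack.extend(TECHNIQUES[pre].preamble)
    return errs


def unprotected_targets() -> Set[str]:
    """Targets whose key node lies outside every security equipment node's protection range."""
    covered = set().union(*(device_scope(d) for d in DEVICES.values()))
    return {t for t, node in TARGETS.items() if node not in covered}


def form_mappings() -> dict:
    """The mapping relations handed to the countermeasure dynamic deduction."""
    errs = chain_errors()
    if errs:
        raise ValueError("; ".join(errs))
    return {
        "node_vulns": {n: a.vulns for n, a in NODES.items()},
        "device_nodes": {d: device_scope(dev) for d, dev in DEVICES.items()},
        "technique_vulns": technique_vuln_map(),
        "unprotected_targets": unprotected_targets(),
    }
```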
Then, in step 102, the attacker and the defender conduct countermeasure dynamic deduction in the network attack and defense deduction terrain, and each time the judgment condition of an attack action is reached during the countermeasure dynamic deduction, the director generates the judgment result of the current attack action according to the mapping relation.
After the stage of configuring the network attack and defense deduction terrain is completed, the attacker, the defender and the director participate in the network attack and defense deduction terrain to carry out countermeasure dynamic deduction.
During the countermeasure dynamic deduction, in order to simulate a real attack and defense scene, the deduction view angle provided to the attacker and the defender can be controlled by the director.
Specifically, in the embodiment of the present invention, at least two deduction view angles may be provided:
The first: the defender and the attacker both have full visibility of the network attack and defense deduction terrain.
The second: the defender has full visibility of the network attack and defense deduction terrain, while the visible range of information asset nodes in the terrain exposed to the attacker is controlled by the director.
Under the first deduction view angle, the attacker and the defender can conduct a seminar-style deduction. The dynamic deduction is still of the countermeasure type: the attacker attacks any information asset node of its choice, and the defender repairs the vulnerabilities of information asset nodes. The number of action points or rounds exchanged by the two parties before an attack action is judged is controlled by the director. In addition, when an attack action is judged, the attacker can state the attack technical means, the defender can state the defense technical means, and the director can make a manual judgment according to the statements of both parties.
Under the second deduction view angle, the attacker's entrance into the deduction can be preset by the director. The entrance can be an initial visible range, within which the attacker may attack any information asset node; the entrance can also be a designated information asset node that the attacker attacks.
Under the second deduction view angle, in one embodiment of the present invention, after the director generates the judgment result of the current attack action during the countermeasure dynamic deduction, the controlled state of the information asset node attacked by the current attack action can be updated according to the judgment result; the director then determines the controlled state of each information asset node in the network attack and defense deduction terrain, and calculates the visible range of information asset nodes in the terrain exposed to the attacker according to the controlled state of each information asset node.
In particular, all information asset nodes in the security domain where a controlled information asset node (one whose controlled state is no longer "uncontrolled") is located may be set to be visible to the attacker.
Because the second deduction view angle simulates the view of a real attack and defense scene, the embodiment of the present invention preferably adopts the second deduction view angle for countermeasure dynamic deduction.
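As an added illustration of the second deduction view angle (this is example code written for this page, not code from the patent), the following Python model updates a node's controlled state from a judgment result and recomputes the attacker's visible range. The node names, security domains and states are constructed; the visibility rule implemented is our reading of the text, namely that the director's preset entrance is always visible and that every node in a security domain containing a controlled node becomes visible.

```python
from dataclasses import dataclass

# Hypothetical data model for the second deduction view angle (added example,
# not code from the patent). Node names, domains and states are constructed.
UNCONTROLLED = "uncontrolled"


@dataclass
class AssetNode:
    name: str
    domain: str                      # security domain the node belongs to
    controlled: str = UNCONTROLLED   # e.g. "uncontrolled", "user", "admin"


def update_controlled_state(nodes, node_name, new_state):
    """Apply a judgment result: record the new controlled state of the attacked node."""
    for n in nodes:
        if n.name == node_name:
            n.controlled = new_state
            return n
    raise KeyError(node_name)


def visible_range(nodes, entrance):
    """Visible range exposed to the attacker.

    Assumed rule (our reading of the text): the director's preset entrance is
    always visible, and every node in a security domain that contains a node
    whose controlled state is no longer 'uncontrolled' becomes visible.
    Returns a sorted list of node names so the result is deterministic.
    """
    exposed_domains = {n.domain for n in nodes if n.controlled != UNCONTROLLED}
    visible = set(entrance)
    visible.update(n.name for n in nodes if n.domain in exposed_domains)
    return sorted(visible)


def demo():
    """Constructed terrain: a DMZ, an office segment and a server segment."""
    nodes = [
        AssetNode("web01", "dmz"),
        AssetNode("mail01", "dmz"),
        AssetNode("pc-hr", "office"),
        AssetNode("pc-fin", "office"),
        AssetNode("db01", "servers"),
    ]
    entrance = ["web01"]                        # director presets the entrance
    before = visible_range(nodes, entrance)     # only the entrance is visible
    update_controlled_state(nodes, "web01", "user")   # judged: attack succeeded
    after_dmz = visible_range(nodes, entrance)  # whole DMZ is now exposed
    update_controlled_state(nodes, "pc-hr", "admin")
    after_office = visible_range(nodes, entrance)     # office segment exposed too
    return before, after_dmz, after_office
```

The server segment stays hidden until one of its own nodes is judged controlled, which is what keeps the attacker's view from growing beyond what its successful actions justify.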
Since the dynamic deduction is adversarial, it can be carried out in rounds. In the embodiment of the present invention, the director can preset the total number of action points corresponding to one deduction round; the attacker and the defender alternately take technical means within the round, and the setting of action points simulates the time and resources required to take actions in a real attack and defense scene. According to the operator attributes configured for the deduction operators, corresponding action points are configured for both the attack technical means and the defense technical means, so that the attacker and the defender can allocate the action points of the technical means they implement across one or more rounds. When the action points of a technical means have been allocated through to the last round, or the deduction reaches the set number of rounds, the judgment condition of the attack action is determined to be reached.
When the judgment condition of an attack action is reached, the director generates the judgment result of the current attack action according to the mapping relation.
Specifically, in one embodiment of the present invention, the director generating the judgment result of the current attack action according to the mapping relation in step 102 may include:
S1: determining the target information asset node attacked by the current attack action;
S2: determining, according to the mapping relation, the target security equipment node protecting the target information asset node;
S3: determining, according to the protection capability of the target security equipment node, whether the current attack action is blocked; if not, calculating the judgment result of the current attack action according to the vulnerability mapped to the target information asset node and the operator attributes of the target attack technical means implemented by the current attack action.
In S3, according to the operator attributes configured for the security equipment node, the protection capability of a security equipment node includes a protection probability and a detection probability for each attack technical means in the attack technical means set. Therefore, the protection probability and the detection probability of the target security equipment node for each attack technical means in the set can be used to determine the target detection probability and the target protection probability for the target attack technical means implemented by the current attack action. Further, a random calculation result can be generated according to the target detection probability and the target protection probability, and whether the target attack technical means, and hence the current attack action, is blocked is then determined according to that random calculation result.
In S3, if it is determined that the current attack action is not blocked, the vulnerability of the target information asset node and the target attack technical means are further used to calculate the judgment result of the current attack action. Specifically, the mapping relation between attack technical means and vulnerabilities is used to determine the success probability of the target attack technical means against the vulnerability of the target information asset node; a random calculation result is then generated according to this attack success probability, and whether the attack succeeds is determined according to the random calculation result.
Further, when the judgment result is that the attack succeeds, the controlled state of the corresponding target information asset node can be determined according to the mapping relation between the attack technical means and the controlled state of information asset nodes. According to the controlled state of the target information asset node, it can further be determined whether the current attack action acquires a credential or a target, so that a chain reaction forms that represents a real attack and defense scene.
In S3, if it is determined that the current attack action is blocked, the judgment result fed back to the attacker and the defender is that the attack is unsuccessful.
In one embodiment of the present invention, since the operator attributes of an attack technical means include a pre-attack condition, in order to judge the current attack action quickly, before the director in step 102 generates the judgment result of the current attack action according to the mapping relation, the target attack technical means implemented by the current attack action may first be determined, and whether the pre-attack condition of the target attack technical means is satisfied may be checked; if so, the step of generating the judgment result of the current attack action according to the mapping relation is executed; otherwise, a judgment result that the current attack action is unsuccessful is generated.
In this embodiment, the pre-attack condition may be adjusted according to different deduction scenarios, deduction processes, the appearance of novel attack technical means, and improvements in attack knowledge.
Further, during the countermeasure dynamic deduction an attacker may use an attack technical means outside the attack technical means set. In order to judge such an unknown attack technical means, in one embodiment of the present invention, before determining whether the pre-attack condition of the target attack technical means is satisfied, the method may further include: determining whether the target attack technical means is a known attack technical means, and if not, the director manually enters the judgment result of the current attack action.
Specifically, the director can manually judge whether the current attack action succeeds according to the statement information uploaded by the attacker for the unknown attack technical means, combined with related information such as the target information asset node and the protection capability, protection range and probability data of the target security equipment node. The statement information may include details of the technical means in graphic, textual or spoken form, or other supplementary information. In this way the diversity and variability of attack technical means can be accommodated, the simulated attack and defense scene comes closer to a real one, and the reference value of the network attack and defense deduction result is improved.
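The judgment flow of steps S1 to S3, together with the pre-attack condition check and the unknown-technique branch described above, is shown below as an added example (written for this page, not the patent's own code). The data model, technique and device names, probabilities and states are all constructed. Two rules are our assumptions where the text leaves the detail open: an action is blocked when the protecting device both detects the technique (roll against the detection probability) and then protects against it (roll against the protection probability), and when a node maps to several vulnerabilities the highest success probability among them is used. The random calculation is injected as a `roll` callable so the adjudication can be replayed deterministically.

```python
from dataclasses import dataclass
from typing import Callable, Optional

# Hypothetical data model and adjudication logic (added example, not the
# patent's own code). All names, probabilities and states are constructed.
STATE_RANK = {"uncontrolled": 0, "user": 1, "admin": 2}


@dataclass
class AttackTechnique:
    name: str
    success_vs_vuln: dict                 # vulnerability id -> success probability
    grants_state: str = "user"            # controlled state reached on success
    requires_techniques: tuple = ()       # pre-attack: techniques that must have succeeded
    requires_state: Optional[str] = None  # pre-attack: state the node must already be in


@dataclass
class SecurityDevice:
    name: str
    protects: set        # mapping: names of the asset nodes this device protects
    detect_prob: dict    # technique name -> detection probability
    protect_prob: dict   # technique name -> protection probability


@dataclass
class AssetNode:
    name: str
    vulns: tuple                      # vulnerability ids mapped to this node
    controlled: str = "uncontrolled"
    credential: Optional[str] = None  # acquired once the node is controlled at all
    target: Optional[str] = None      # acquired once the node reaches target_state
    target_state: str = "admin"


def judge_attack(node: AssetNode, technique_name: str, techniques: dict,
                 devices: list, history: list, roll: Callable[[], float]) -> dict:
    """Judge one attack action against `node` following S1-S3 of the text.

    `history` holds (node, technique) pairs that already succeeded;
    `roll` returns a float in [0, 1) so the random calculation is injectable.
    """
    # Unknown technique: the director judges manually from the attacker's statement.
    if technique_name not in techniques:
        return {"outcome": "manual", "reason": "unknown technique"}
    tech = techniques[technique_name]

    # Pre-attack condition, checked before the mapping-based judgment.
    done = {t for n, t in history if n == node.name}
    if not set(tech.requires_techniques) <= done:
        return {"outcome": "fail", "reason": "pre-attack condition: preceding technique missing"}
    if tech.requires_state and node.controlled != tech.requires_state:
        return {"outcome": "fail", "reason": "pre-attack condition: node not in required state"}

    # S2/S3: locate the protecting device; assumed rule: blocked only when the
    # device detects the technique and then protects against it.
    for dev in devices:
        if node.name in dev.protects:
            detected = roll() < dev.detect_prob.get(tech.name, 0.0)
            if detected and roll() < dev.protect_prob.get(tech.name, 0.0):
                return {"outcome": "fail", "reason": f"blocked by {dev.name}"}

    # Not blocked: success probability from the technique/vulnerability mapping;
    # assumed rule: the best-matching vulnerability on the node is used.
    p_success = max((tech.success_vs_vuln.get(v, 0.0) for v in node.vulns), default=0.0)
    if roll() >= p_success:
        return {"outcome": "fail", "reason": "exploit failed"}

    # Success: update the controlled state (never downgrade) and derive acquisitions.
    if STATE_RANK[tech.grants_state] > STATE_RANK[node.controlled]:
        node.controlled = tech.grants_state
    history.append((node.name, tech.name))
    gained = []
    if node.credential and STATE_RANK[node.controlled] >= STATE_RANK["user"]:
        gained.append(("credential", node.credential))
    if node.target and STATE_RANK[node.controlled] >= STATE_RANK[node.target_state]:
        gained.append(("target", node.target))
    return {"outcome": "success", "state": node.controlled, "gained": gained}


def build_scenario():
    """Constructed scenario: one web server behind a WAF, two chained techniques."""
    techniques = {
        "rce-upload": AttackTechnique("rce-upload", {"vuln-upload": 0.7}),
        "privesc": AttackTechnique("privesc", {"vuln-kernel": 0.5}, grants_state="admin",
                                   requires_techniques=("rce-upload",), requires_state="user"),
    }
    devices = [SecurityDevice("waf", {"web01"},
                              detect_prob={"rce-upload": 0.8, "privesc": 0.0},
                              protect_prob={"rce-upload": 0.6, "privesc": 0.0})]
    node = AssetNode("web01", ("vuln-upload", "vuln-kernel"),
                     credential="svc-web", target="customer-db")
    return node, techniques, devices


def run_chain(rolls):
    """Attempt privesc before rce-upload (fails its pre-attack condition), then
    the proper order, consuming the supplied roll values in sequence."""
    node, techniques, devices = build_scenario()
    history, roll = [], iter(rolls).__next__
    r1 = judge_attack(node, "privesc", techniques, devices, history, roll)
    r2 = judge_attack(node, "rce-upload", techniques, devices, history, roll)
    r3 = judge_attack(node, "privesc", techniques, devices, history, roll)
    return r1, r2, r3
```

In a live deduction `roll` would be `random.Random().random`; passing a fixed sequence, as `run_chain` does, makes a judgment reproducible, which matters when the director needs to explain a result to both parties. Because `history` and the node's controlled state are updated only on success, a blocked `rce-upload` leaves the later `privesc` failing its pre-attack condition, which is the chain reaction the text describes.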
Finally, in step 104, when the countermeasure dynamic deduction meets the end condition, the director generates the network attack and defense deduction result according to the judgment result of each attack action.
The end condition may include at least: the number of rounds completed, the number of judged attack actions, a key information asset node having been successfully attacked, and so on.
In one embodiment of the present invention, referring to fig. 2, step 104 may include:
step 200: determining, according to the mapping relation, the key information asset nodes that have a mapping relation with targets;
step 202: determining the controlled state of each key information asset node according to the judgment result of each attack action;
step 204: determining, according to the controlled state of each key information asset node, the key information asset nodes whose targets have been acquired;
step 206: calculating, according to the target score preset for each key information asset node whose target has been acquired, the total target score representing the network attack and defense deduction result.
In the embodiment of the present invention, because the information asset nodes configured with targets are all key information asset nodes in the network attack and defense deduction terrain, an attacker acquiring the target after attacking such a key node means the loss of a key information asset, which greatly affects the whole network topology; the calculated total target score therefore represents the network attack and defense deduction result more accurately.
Further, a score threshold can be preset: if the total target score is greater than the score threshold, the attacker's attack succeeds and the defender's defense fails; if the total target score is not greater than the score threshold, the attacker's attack fails and the defender's defense succeeds.
Further, the vulnerabilities in the network attack and defense deduction terrain can be identified using the network attack and defense deduction result, so that vulnerability repair is performed on the network topology and the topology is updated to be more secure.
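Steps 200 to 206 and the threshold rule, as an added example written for this page (not the patent's own code). Node names, target names, scores, the threshold and the judgment log are constructed; the log entries are assumed to carry the node, the outcome and the controlled state reached, and a node's final controlled state is taken as the highest state any successful action reached, which is our assumption.

```python
from dataclasses import dataclass
from typing import Optional

# Hypothetical scoring model (added example, not the patent's own code);
# node names, states, scores and the threshold are constructed.
STATE_RANK = {"uncontrolled": 0, "user": 1, "admin": 2}


@dataclass
class AssetNode:
    name: str
    target: Optional[str] = None   # target mapped to the node; non-None marks a key node
    target_state: str = "admin"    # controlled state at which the target is acquired
    score: float = 0.0             # target score preset by the director


def controlled_states(judgments):
    """Step 202: fold judgment results (node, outcome, state) into each node's
    final controlled state; failed actions change nothing and states never downgrade."""
    states = {}
    for node, outcome, state in judgments:
        current = states.get(node, "uncontrolled")
        if outcome == "success" and STATE_RANK[state] > STATE_RANK[current]:
            states[node] = state
    return states


def deduction_result(nodes, judgments, threshold):
    """Steps 200-206 plus the threshold rule.
    Returns (total target score, acquired target names, verdict)."""
    key_nodes = [n for n in nodes if n.target]                 # step 200
    states = controlled_states(judgments)                      # step 202
    acquired = [k for k in key_nodes                           # step 204
                if STATE_RANK[states.get(k.name, "uncontrolled")] >= STATE_RANK[k.target_state]]
    total = sum(k.score for k in acquired)                     # step 206
    verdict = "attacker wins" if total > threshold else "defender wins"
    return total, [k.target for k in acquired], verdict


def demo():
    """Constructed deduction: three key nodes, one non-key node, threshold 50."""
    nodes = [AssetNode("web01"),
             AssetNode("db01", "customer-db", "admin", 60.0),
             AssetNode("erp01", "finance-ledger", "user", 30.0),
             AssetNode("ad01", "domain-admin", "admin", 100.0)]
    judgments = [("web01", "success", "user"),
                 ("db01", "success", "user"),
                 ("db01", "fail", "user"),          # failed privesc: state unchanged
                 ("erp01", "success", "user"),
                 ("ad01", "fail", "uncontrolled")]
    return deduction_result(nodes, judgments, threshold=50.0)
```

Here `db01` was reached but only at user level, so its target is not counted; only the ledger target is acquired and the defender wins on the threshold. Raising the target score of a node, or lowering the controlled state at which its target counts as acquired, is how the director expresses how critical that asset is.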
As shown in fig. 3 and fig. 4, the embodiment of the present invention provides a network attack and defense deduction device. The device embodiment may be implemented by software, or by hardware or a combination of hardware and software. In terms of hardware, fig. 3 shows the hardware architecture of the computing device in which the network attack and defense deduction device of an embodiment of the present invention is located; in addition to the processor, memory, network interface and nonvolatile memory shown in fig. 3, the computing device may generally include other hardware, such as a forwarding chip responsible for processing packets. Taking a software implementation as an example, as shown in fig. 4, the device in the logical sense is formed by the CPU of the computing device reading the corresponding computer program from nonvolatile memory into memory. The embodiment provides a network attack and defense deduction device, including:
a director 401, which configures, based on the constructed network attack and defense deduction terrain, corresponding operator attributes for the deduction operators used for network attack and defense deduction, and forms mapping relations between the deduction operators according to the configured operator attributes; the deduction operators include: information asset nodes, security equipment nodes, vulnerabilities, credentials, targets, attack technical means and defense technical means;
an attacker 402 and a defender 403, which respectively conduct countermeasure dynamic deduction in the network attack and defense deduction terrain, the director generating the judgment result of the current attack action according to the mapping relation each time the judgment condition of an attack action is reached during the countermeasure dynamic deduction;
the director 401 is further configured to generate the network attack and defense deduction result according to the judgment result of each attack action when the countermeasure dynamic deduction meets the end condition.
In one embodiment of the present invention, the director 401 is further configured to control, during the countermeasure dynamic deduction, the visible range of information asset nodes in the network attack and defense deduction terrain exposed to the attacker, so that the attacker attacks information asset nodes within the visible range.
In one embodiment of the present invention, the director 401 is further configured to update the controlled state of the information asset node attacked by the current attack action according to the judgment result;
when controlling the visible range of information asset nodes in the network attack and defense deduction terrain exposed to the attacker, the director 401 specifically: determines the controlled state of each information asset node in the terrain, and calculates the visible range of information asset nodes exposed to the attacker according to the controlled state of each information asset node.
In one embodiment of the present invention, the operator attributes of an attack technical means include a pre-attack condition; the pre-attack condition includes: the preceding attack technical means implemented before this attack technical means has been successfully implemented, and/or the attacked information asset node is in the target controlled state before this attack technical means is implemented against it;
the director 401 is further configured to determine the target attack technical means implemented by the current attack action; determine whether the pre-attack condition of the target attack technical means is satisfied; if so, execute the generation of the judgment result of the current attack action according to the mapping relation; otherwise, generate a judgment result that the current attack action is unsuccessful.
In one embodiment of the present invention, the director 401 is further configured to determine whether the target attack technical means is a known attack technical means, and if not, the director manually enters the judgment result of the current attack action.
In one embodiment of the present invention, when generating the judgment result of the current attack action according to the mapping relation, the director 401 specifically: determines the target information asset node attacked by the current attack action; determines, according to the mapping relation, the target security equipment node protecting the target information asset node; determines, according to the protection capability of the target security equipment node, whether the current attack action is blocked; and if not, calculates the judgment result of the current attack action according to the vulnerability mapped to the target information asset node and the operator attributes of the target attack technical means implemented by the current attack action.
In one embodiment of the present invention, when generating the network attack and defense deduction result according to the judgment result of each attack action, the director 401 specifically: determines, according to the mapping relation, the key information asset nodes that have a mapping relation with targets; determines the controlled state of each key information asset node according to the judgment result of each attack action; determines, according to the controlled state of each key information asset node, the key information asset nodes whose targets have been acquired; and calculates the total target score representing the network attack and defense deduction result according to the target score preset for each key information asset node whose target has been acquired.
It will be appreciated that the structure illustrated in the embodiments of the present invention does not constitute a specific limitation on the network attack and defense deduction device. In other embodiments of the present invention, the network attack and defense deduction device may include more or fewer components than shown, combine certain components, split certain components, or arrange the components differently. The illustrated components may be implemented in hardware, software, or a combination of software and hardware.
The information exchanged and the execution process between the modules in the device are based on the same conception as the method embodiments of the present invention; for specifics, refer to the description of the method embodiments, which is not repeated here.
The embodiment of the present invention also provides a computing device comprising a memory and a processor, wherein the memory stores a computer program, and when the processor executes the computer program, the network attack and defense deduction method in any embodiment of the present invention is implemented.
The embodiment of the present invention also provides a computer readable storage medium storing a computer program which, when executed by a processor, causes the processor to execute the network attack and defense deduction method in any embodiment of the present invention.
Specifically, a system or apparatus may be provided with a storage medium on which software program code realizing the functions of any of the above embodiments is stored, and a computer (or CPU or MPU) of the system or apparatus may be caused to read out and execute the program code stored in the storage medium.
In this case, the program code itself read from the storage medium realizes the functions of any of the above-described embodiments, and thus the program code and the storage medium storing it form part of the present invention.
Examples of the storage medium for providing the program code include a floppy disk, a hard disk, a magneto-optical disk, an optical disk (e.g., CD-ROM, CD-R, CD-RW, DVD-ROM, DVD-RAM, DVD-RW, DVD+RW), a magnetic tape, a nonvolatile memory card, and a ROM. Alternatively, the program code may be downloaded from a server computer over a communication network.
Further, it should be apparent that the functions of any of the above-described embodiments may be realized not only by the computer executing the program code it reads out, but also by an operating system or the like running on the computer performing part or all of the actual operations based on the instructions of the program code.
Further, it is understood that the program code read out from the storage medium may be written into a memory provided in an expansion board inserted into the computer or into a memory provided in an expansion module connected to the computer, and a CPU or the like mounted on the expansion board or expansion module is then caused to perform part or all of the actual operations based on the instructions of the program code, thereby realizing the functions of any of the above embodiments.
The embodiments of the present invention have at least the following beneficial effects:
1. In one embodiment of the present invention, the deduction operators used for network attack and defense deduction comprise information asset nodes, security equipment nodes, vulnerabilities, credentials, targets, attack technical means and defense technical means. These operators reflect the core elements of a real network attack and defense countermeasure scene; corresponding operator attributes are configured for them to form mapping relations between the operators, and attack actions during the countermeasure dynamic deduction are judged using these mapping relations, so that the countermeasure logic of a real scene is reproduced, the fidelity of the deduction is improved, and the resulting network attack and defense deduction result has reference value.
2. In one embodiment of the present invention, the network attack and defense deduction can provide two view angles; under the one in which the defender has full visibility of the deduction terrain while the director controls the visible range of information asset nodes exposed to the attacker, the real attack and defense scene is simulated, the fidelity is improved, and the deduction result obtained under this view angle has reference value.
3. In one embodiment of the present invention, when the attack technical means used by the attacker is unknown, the director can manually judge whether the current attack action succeeds according to the statement information uploaded by the attacker for the unknown attack technical means, combined with related information such as the target information asset node and the protection capability, protection range and probability data of the target security equipment node. Thus the diversity and variability of attack technical means are accommodated, the simulated scene comes closer to a real attack and defense scene, and the reference value of the deduction result is improved.
4. In one embodiment of the present invention, a pre-attack condition is configured for each attack technical means, and an attack action initiated with that technical means is judged only when its pre-attack condition is satisfied. Because the pre-attack condition captures the logical relationship between attack technical means in a real attack and defense scene, the deduction comes closer to a real scene, and the reference value of the deduction result is further improved.
It is noted that relational terms such as first and second, and the like, are used solely to distinguish one entity or action from another entity or action without necessarily requiring or implying any actual such relationship or order between such entities or actions. Moreover, the terms "comprises," "comprising," or any other variation thereof, are intended to cover a non-exclusive inclusion, such that a process, method, article, or apparatus that comprises a list of elements does not include only those elements but may include other elements not expressly listed or inherent to such process, method, article, or apparatus. Without further limitation, an element defined by the phrase "comprising one …" does not exclude the presence of additional identical elements in a process, method, article or apparatus that comprises the element.
Those of ordinary skill in the art will appreciate that: all or part of the steps for implementing the above method embodiments may be implemented by hardware related to program instructions, and the foregoing program may be stored in a computer readable storage medium, where the program, when executed, performs steps including the above method embodiments; and the aforementioned storage medium includes: various media in which program code may be stored, such as ROM, RAM, magnetic or optical disks.
Finally, it should be noted that: the above embodiments are only for illustrating the technical solution of the present invention, and are not limiting; although the invention has been described in detail with reference to the foregoing embodiments, it will be understood by those of ordinary skill in the art that: the technical scheme described in the foregoing embodiments can be modified or some technical features thereof can be replaced by equivalents; such modifications and substitutions do not depart from the spirit and scope of the technical solutions of the embodiments of the present invention.

Claims (9)

1. A network attack and defense deduction method, characterized by comprising the following steps:
the director, based on the constructed network attack and defense deduction terrain, configures corresponding operator attributes for the deduction operators used for network attack and defense deduction, and forms mapping relations between the deduction operators according to the configured operator attributes; the deduction operators include: information asset nodes, security equipment nodes, vulnerabilities, credentials, targets, attack technical means and defense technical means;
the attacker and the defender conduct countermeasure dynamic deduction in the network attack and defense deduction terrain, and each time the judgment condition of an attack action is reached during the countermeasure dynamic deduction, the director generates the judgment result of the current attack action according to the mapping relation;
when the countermeasure dynamic deduction meets the end condition, the director generates the network attack and defense deduction result according to the judgment result of each attack action;
wherein the director generating the judgment result of the current attack action according to the mapping relation comprises: determining the target information asset node attacked by the current attack action; determining, according to the mapping relation, the target security equipment node protecting the target information asset node; determining, according to the protection capability of the target security equipment node, whether the current attack action is blocked; if not, calculating the judgment result of the current attack action according to the vulnerability mapped to the target information asset node and the operator attributes of the target attack technical means implemented by the current attack action; and if the current attack action is blocked, feeding back to the attacker and the defender that the judgment result is unsuccessful.
2. The method of claim 1, wherein during the antagonistic dynamic deduction process, the visible range of information asset nodes in the network attack-defense deduction terrain exposed to the attacker is controlled by the director such that the attacker attacks information asset nodes within the visible range.
3. The method according to claim 2, wherein:
after the director generates the judgment result of the current attack action according to the mapping relation, the method further comprises: updating the controlled state of the information asset node attacked by the current attack action according to the judgment result;
the director controlling the visible range of information asset nodes in the network attack and defense deduction terrain exposed to the attacker comprises:
the director determining the controlled state of each information asset node in the network attack and defense deduction terrain, and calculating the visible range of information asset nodes in the terrain exposed to the attacker according to the controlled state of each information asset node.
4. The method according to claim 1, wherein the operator attributes of an attack technical means include a pre-attack condition; the pre-attack condition includes: the preceding attack technical means implemented before the attack technical means has been successfully implemented, and/or the attacked information asset node is in the target controlled state before the attack technical means is implemented against it;
before the guide party generates the judging result of the current attack action according to the mapping relation, the method further comprises the following steps:
Determining a target attack technical means correspondingly implemented by the current attack action;
determining whether a pre-attack condition of the target attack technical means is met; if yes, executing the judgment result of the current attack action generated according to the mapping relation; otherwise, generating a judging result that the current attack action is unsuccessful.
5. The method according to claim 4, wherein after determining the target attack technical means implemented by the current attack action and before determining whether the pre-attack condition of the target attack technical means is satisfied, the method further comprises:
and determining whether the target attack technical means is a known attack technical means, and if not, manually inputting a judging result of the current attack action by a guide party.
6. The method according to any one of claims 1-5, wherein the generating, by the director, a network attack-defense deduction result according to the determination result of each attack action includes:
determining key information asset nodes with mapping relation with the targets according to the mapping relation;
determining a controlled state of each key information asset node according to the determination result of each attack action;
Determining key information asset nodes of the acquired targets according to the controlled state of each key information asset node;
calculating a total target score for representing a network attack and defense deduction result according to a target score preset for a key information asset node of an acquired target; if the total target score is greater than a preset score threshold, the attack of the attacker is successful, and the defender fails to defend; if the total target score is not greater than the preset score threshold, the attack of the attacker fails, and the defender defends successfully.
7. A network attack and defense deduction device, characterized in that the device comprises:
a director device, which assigns corresponding operator attributes to the operators used for network attack and defense deduction on the constructed network attack and defense deduction terrain and forms mapping relations between the operators according to the configured operator attributes, the operators comprising: information asset nodes, security equipment nodes, vulnerabilities, credentials, targets, attack technical means and defense technical means;
an attacker device and a defender device, which respectively carry out adversarial dynamic deduction on the network attack and defense deduction terrain, the director device generating the judgment result of the current attack action according to the mapping relation whenever the judgment condition of an attack action is reached during the adversarial dynamic deduction;
the director device being further configured to generate the network attack and defense deduction result according to the judgment result of each attack action when the adversarial dynamic deduction satisfies the ending condition;
wherein the director device generating the judgment result of the current attack action according to the mapping relation specifically comprises: determining the target information asset node attacked by the current attack action; determining, according to the mapping relation, the target security equipment node protecting the target information asset node; determining, according to the protection capability of the target security equipment node, whether the current attack action is blocked; if it is not blocked, calculating the judgment result of the current attack action from the vulnerability mapped to the target information asset node and the operator attributes of the target attack technical means implemented by the current attack action; and if the current attack action is blocked, feeding back an unsuccessful judgment result to the attacker device and the defender device.
8. A computing device comprising a memory and a processor, the memory storing a computer program, the processor implementing the method of any one of claims 1-6 when executing the computer program.
9. A computer readable storage medium having stored thereon a computer program which, when executed in a computer, causes the computer to perform the method of any of claims 1-6.
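The adjudication and scoring procedure of claims 4 to 7 (pre-attack condition check, unknown means routed to the director, blocking by the security equipment node protecting the asset, vulnerability-based judgment, and the key-asset score total compared with a threshold) can be modelled as a small rules engine. The Python below is an added example written for this page, not code from the patent or from Beijing Antiy; every node name, vulnerability id, credential, score and threshold in it is a constructed assumption, and the boolean "means exploits a vulnerability present on the asset" test stands in for the attribute-based calculation the claims mention but do not specify.

```python
"""Toy adjudication engine for a network attack and defense deduction (cyber wargame).
Added example: every node name, vulnerability id, credential, score and threshold
below is a constructed assumption, not a value from the patent."""
from dataclasses import dataclass, field
from enum import Enum


class Verdict(Enum):
    SUCCESS = "success"
    BLOCKED = "blocked"                  # a protecting security node stops the means
    PRECONDITION_UNMET = "precondition"  # claim 4: pre-attack condition not satisfied
    NO_VULNERABILITY = "no_vuln"         # asset has no vulnerability the means exploits
    MANUAL = "manual"                    # claim 5: unknown means, awaiting the director


@dataclass(frozen=True)
class AttackMeans:
    name: str
    known: bool = True
    exploits: frozenset = frozenset()    # vulnerability ids this means can exploit
    needs_credential: str = None         # pre-attack condition: a credential already held
    needs_controlled: str = None         # pre-attack condition: a pivot host already held


@dataclass(frozen=True)
class AssetNode:
    name: str
    vulns: frozenset = frozenset()       # vulnerability ids mapped to this asset
    protected_by: tuple = ()             # security equipment nodes mapped to this asset
    yields: frozenset = frozenset()      # credentials obtained once the asset is controlled


@dataclass
class Terrain:
    assets: dict                         # name -> AssetNode
    security: dict                       # security node name -> frozenset of means it blocks
    means: dict                          # name -> AttackMeans
    key_assets: dict                     # key asset name -> preset target score
    threshold: int                       # preset score threshold


@dataclass
class State:
    controlled: set = field(default_factory=set)
    credentials: set = field(default_factory=set)


def adjudicate(t, s, means_name, asset_name, director=None):
    """Judge one attack action (a means applied to an asset) and update the state."""
    means, asset = t.means[means_name], t.assets[asset_name]
    # Claim 4: the pre-attack condition of the means is checked before anything else.
    if means.needs_credential and means.needs_credential not in s.credentials:
        verdict = Verdict.PRECONDITION_UNMET
    elif means.needs_controlled and means.needs_controlled not in s.controlled:
        verdict = Verdict.PRECONDITION_UNMET
    # Claim 5: an unknown means cannot be scored from the mapping; the director rules.
    elif not means.known:
        verdict = director(means_name, asset_name) if director else Verdict.MANUAL
    # Claim 7: a security node protecting the asset may block the action outright.
    elif any(means_name in t.security[n] for n in asset.protected_by):
        verdict = Verdict.BLOCKED
    # Otherwise judge from the asset's vulnerabilities and the means' attributes.
    elif asset.vulns & means.exploits:
        verdict = Verdict.SUCCESS
    else:
        verdict = Verdict.NO_VULNERABILITY
    if verdict is Verdict.SUCCESS:       # controlled state is what claim 6 scores
        s.controlled.add(asset_name)
        s.credentials |= asset.yields
    return verdict


def deduction_result(t, s):
    """Claim 6: sum preset scores of acquired key assets and compare with the threshold."""
    acquired = {a: v for a, v in t.key_assets.items() if a in s.controlled}
    total = sum(acquired.values())
    return total, total > t.threshold, acquired


def build_terrain():
    """Constructed three-host terrain: DMZ web server, app server, database."""
    assets = {
        "web-dmz": AssetNode("web-dmz", frozenset({"V-WEB-SQLI", "V-WEB-RCE"}),
                             ("waf",), frozenset({"svc-account"})),
        "app-server": AssetNode("app-server", frozenset({"V-SSH-WEAKPW"})),
        "db-server": AssetNode("db-server", frozenset({"V-DB-MISCONF"}), ("fw-internal",)),
    }
    security = {"waf": frozenset({"sqli"}), "fw-internal": frozenset({"port-scan"})}
    means = {
        "sqli": AttackMeans("sqli", exploits=frozenset({"V-WEB-SQLI"})),
        "web-rce": AttackMeans("web-rce", exploits=frozenset({"V-WEB-RCE"})),
        "cred-login": AttackMeans("cred-login", exploits=frozenset({"V-SSH-WEAKPW"}),
                                  needs_credential="svc-account"),
        "db-pivot": AttackMeans("db-pivot", exploits=frozenset({"V-DB-MISCONF"}),
                                needs_controlled="app-server"),
        "zero-day-x": AttackMeans("zero-day-x", known=False),
    }
    return Terrain(assets, security, means, {"app-server": 30, "db-server": 70}, 50)


def run_sample():
    """Scripted attacker turns; returns the verdicts and the final deduction result."""
    t, s = build_terrain(), State()
    director = lambda m, a: Verdict.NO_VULNERABILITY  # director rules the unknown means ineffective
    turns = [("sqli", "web-dmz"), ("cred-login", "app-server"), ("web-rce", "web-dmz"),
             ("cred-login", "app-server"), ("zero-day-x", "db-server"), ("db-pivot", "db-server")]
    verdicts = [adjudicate(t, s, m, a, director) for m, a in turns]
    return verdicts, deduction_result(t, s)
```

The order of the checks follows the claims: the pre-attack condition is tested first, an unknown means is handed to the director callback instead of being scored from the mapping, and only a known means that passes both is tested against the protecting security node and then against the asset's vulnerabilities. In the scripted run the WAF blocks the SQL injection, the credentialed login fails until the web host has been taken and its service account harvested, the director rules the unknown means ineffective, and the database pivot succeeds once the app server is controlled, so the acquired key assets score 100 against a threshold of 50 and the attacker wins; ending the deduction after the app server alone would score 30 and the defender would win.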
CN202111399665.0A 2021-11-19 2021-11-19 Network attack and defense deduction method and device, computing equipment and storage medium Active CN114095262B (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN202111399665.0A CN114095262B (en) 2021-11-19 2021-11-19 Network attack and defense deduction method and device, computing equipment and storage medium

Applications Claiming Priority (1)

Application Number Priority Date Filing Date Title
CN202111399665.0A CN114095262B (en) 2021-11-19 2021-11-19 Network attack and defense deduction method and device, computing equipment and storage medium

Publications (2)

Publication Number Publication Date
CN114095262A CN114095262A (en) 2022-02-25
CN114095262B true CN114095262B (en) 2024-01-02

Family

ID=80303645

Family Applications (1)

Application Number Title Priority Date Filing Date
CN202111399665.0A Active CN114095262B (en) 2021-11-19 2021-11-19 Network attack and defense deduction method and device, computing equipment and storage medium

Country Status (1)

Country Link
CN (1) CN114095262B (en)

Citations (4)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN108733898A (en) * 2018-04-28 2018-11-02 上海烜翊科技有限公司 Attack Defence Antagonism Simulation System method and analogue system based on architectural framework data
CN112073411A (en) * 2020-09-07 2020-12-11 北京软通智慧城市科技有限公司 Network security deduction method, device, equipment and storage medium
CN112118272A (en) * 2020-11-18 2020-12-22 中国人民解放军国防科技大学 Network attack and defense deduction platform based on simulation experiment design
CN113536573A (en) * 2021-07-19 2021-10-22 中国人民解放军国防科技大学 Simulation modeling method and device for network attack and defense process and network turn wargame

Family Cites Families (1)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US10237300B2 (en) * 2017-04-06 2019-03-19 Microsoft Technology Licensing, Llc System and method for detecting directed cyber-attacks targeting a particular set of cloud based machines

Also Published As

Publication number Publication date
CN114095262A (en) 2022-02-25

Similar Documents

Publication Publication Date Title
Chung et al. Game theory with learning for cyber security monitoring
CN110191120B (en) Vulnerability risk assessment method and device for network system
Shen et al. Adaptive Markov game theoretic data fusion approach for cyber network defense
US11677776B2 (en) Dynamic attack path selection during penetration testing
Fugate et al. Artificial intelligence and game theory models for defending critical networks with cyber deception
CN108200095B (en) Method and device for determining vulnerability of Internet boundary security policy
KR20190139642A (en) Method and apparatus for security vulnerability quantification using game theory
KR20180121459A (en) Method and apparatus for security investment based on evaluating security risks
Moskal et al. Context model fusion for multistage network attack simulation
CN114428962B (en) Vulnerability risk priority processing method and device
CN112003854A (en) Network security dynamic defense decision method based on space-time game
Lin et al. Effective proactive and reactive defense strategies against malicious attacks in a virtualized honeynet
Abri et al. Markov decision process for modeling social engineering attacks and finding optimal attack strategies
CN114095262B (en) Network attack and defense deduction method and device, computing equipment and storage medium
Ge et al. GAZETA: GAme-Theoretic ZEro-Trust Authentication for Defense Against Lateral Movement in 5G IoT Networks
Kanoun et al. Towards dynamic risk management: Success likelihood of ongoing attacks
CN114143052B (en) Network defense system risk assessment method, device and storage medium based on controllable intrusion simulation
CN114070632B (en) Automatic penetration test method and device and electronic equipment
James et al. Situational awareness for smart home iot security via finite state automata based attack modeling
CN115473677A (en) Penetration attack defense method and device based on reinforcement learning and electronic equipment
Figetakis et al. Evolved prevention strategies for 6g networks through stochastic games and reinforcement learning
Mayfield et al. Petri nets with players, strategies, and cost: A formalism for modeling cyberattacks
Hu et al. A novel attack-and-defense signaling game for optimal deceptive defense strategy choice
Makihara et al. A proposal of patrol function by white-hat worm in botnet defense system
Wang et al. Optimal network defense strategy selection based on Bayesian game

Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination
GR01 Patent grant