CN114189364A - Network node path reduction and prediction method based on Markov chain - Google Patents

Publication number: CN114189364A
Authority: CN (China)
Prior art keywords: path, network node, node, matrix, attack
Legal status: Granted, Active
Application number: CN202111415179.3A
Other languages: Chinese (zh)
Other versions: CN114189364B (en)
Inventors: 任传伦, 俞赛赛, 官弼根, 刘晓影, 谭震, 王玥, 孟祥頔, 王淮, 王明琛
Current Assignee: Cetc Cyberspace Security Research Institute Co ltd; CETC 15 Research Institute; CETC 30 Research Institute
Original Assignee: Cetc Cyberspace Security Research Institute Co ltd; CETC 15 Research Institute; CETC 30 Research Institute

Classifications

    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L63/00 Network architectures or network communication protocols for network security
    • H04L63/14 Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic
    • H04L63/1408 Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic by monitoring network traffic
    • H04L63/1425 Traffic logging, e.g. anomaly detection
    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L41/00 Arrangements for maintenance, administration or management of data switching networks, e.g. of packet switching networks
    • H04L41/14 Network analysis or design
    • H04L41/142 Network analysis or design using statistical or mathematical methods
    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L63/00 Network architectures or network communication protocols for network security
    • H04L63/12 Applying verification of the received information
    • H04L63/126 Applying verification of the received information the source of the received data


Abstract

The invention discloses a network node path restoration and prediction method based on a Markov chain, comprising the following specific steps: calculating an attack path probability statistical table; establishing an attack path matrix, in which Markov chain characteristics are selected according to the sequence characteristics of the network nodes contained in the beacons detected by the current network node, the establishment principle of the attack path restoration matrix is determined, and the attack path restoration matrix is calculated; restoring the network node path, by extracting the nodes corresponding to all non-zero data in the attack path restoration matrix; and predicting the network node path, by predicting, from the probability of each attack path in the attack path restoration matrix, the occurrence probability of connecting from one node to the next node in the attack paths. To address inaccurate prediction of network attack paths, the invention processes the statistical results using the characteristics of the Markov chain, so that the prediction model is more widely applicable.

Description

Network node path reduction and prediction method based on Markov chain
Technical Field
The invention belongs to the technical field of network security, and particularly relates to a network node path restoration and prediction method based on a Markov chain.
Background
Typically, when a network node is subjected to a network attack, the network traffic from the attack source to the attacked node may traverse many paths. Each path is formed by connecting one network node to another, so the whole attack path resembles a chain. However, because a network node path spans a long distance and contains many routing nodes, and the traffic on each node is huge, it is impossible to implant a beacon into every traffic packet on every node. It is therefore extremely difficult to restore the network node path completely using beacons, and the whole path cannot be fully grasped, which makes tracing a network attack very difficult. Moreover, if incomplete network path statistics are used to predict the network node path, the attack path prediction may become even less accurate.
Disclosure of Invention
Aiming at the problems that the statistical data on attack path nodes is incomplete and the prediction deviation is large when beacons are used to restore network node paths, and given the characteristic of network node paths that the transition to the next node (state) depends only on the current node (state) and not on previous nodes (states), the invention discloses a network node path restoration and prediction method based on a Markov chain. The method uses a Markov-chain-based network node path matrix to collect attack path statistics and then uses the statistical results for prediction. It counts the beacons detected in network traffic according to the state transitions in the Markov chain, establishes an attack path restoration matrix, corrects the statistical results as appropriate according to the characteristics of that matrix, and then uses the Markov chain to predict the path of subsequent possible attacks based on the matrix. The method thereby effectively avoids the problems of incomplete path data and large subsequent prediction deviation in network attacks.
The network node path restoration and prediction method based on a Markov chain disclosed by the invention comprises the following specific steps:
S1, calculating an attack path probability statistical table: from the beacons received by the attacked network node, the network nodes each beacon passed through before entering that node are analyzed to obtain the network node path formed by those nodes; a Markov chain state transition matrix of the nodes in the network node path is established; probability statistics are computed on the connection of every two nodes in the path based on the Markov chain state transition matrix; and an attack path probability statistical table is established.
S2, establishing an attack path matrix: the Markov chain characteristics are selected according to the sequence characteristics of the network nodes contained in the beacons detected by the current network node, the establishment principle of the attack path restoration matrix is determined, and the attack path restoration matrix is calculated.
S3, restoring the network node path: the nodes corresponding to all non-zero data in the attack path restoration matrix are extracted, thereby restoring the current network node path.
S4, predicting the network node path: based on the probability of each attack path in the attack path restoration matrix, the occurrence probability of connecting from one node to the next node in the attack paths is predicted.
In step S1, establishing the attack path probability statistical table based on the Markov chain state transition matrix includes:
S11, extracting and analyzing the beacons: on the attacked network node, traffic analysis software is used to capture, identify and analyze the beacons in the node's traffic, and the information about the network nodes each beacon flowed through is extracted.
S12, associating the network nodes the beacons flowed through: the corresponding network nodes are associated in the order of the extracted node information, so as to obtain the complete path each beacon flowed along, that is, the network node path including the attacked network node.
S13, computing probability statistics on the connection of every two nodes in the network node path: for each extracted beacon, the occurrence probability, among all beacons, of the event that traffic flows from one network node in the path to the next network node (that is, the two network nodes are connected) is calculated, and the connection probability of every two nodes is counted.
Step S13 specifically includes:
The network nodes a beacon flows through are numbered in order of flow time, the number of such nodes being N. Denote the event that the traffic of the i-th network node flows to the j-th network node as $e_{i,j}$; it also means that a node path $e_{i,j}$ exists from the i-th network node to the j-th node. The occurrence probability of node path $e_{i,j}$ is calculated as follows:
Traverse all detected beacons and the connections among the network nodes they flow through, and count the number of occurrences $C_{i,j}$ of node path $e_{i,j}$; calculate the set of all occurring flows flowing into the i-th node:
Figure BDA0003375577900000032
Simplify the data of the resulting flow set by the extreme-value method, as follows:
Figure BDA0003375577900000031
thereby obtaining the normalized value $H'_{i,j}$ of the occurrence probability of node path $e_{i,j}$, where $H_j$ represents the set of all occurring traffic flowing into the j-th node.
S14, based on the probabilities obtained statistically in step S13, an attack path probability statistical table conforming to the Markov chain state transition characteristic is created, in which the row and column headings are node numbers and the data $H'_{i,j}$ is filled into the cell corresponding to node i and node j.
Step S2 specifically includes:
S21, screening the Markov chain characteristics: the Markov chain state transition matrix established in step S1 is analyzed, and the Markov characteristics applicable to the matrix are selected, the Markov chain characteristics specifically comprising communication between states, periodicity, transience, recurrence, ergodicity or absorbing states.
S22, according to the Markov characteristics selected in step S21, the establishment principle of the attack path restoration matrix is determined.
S23, according to the establishment principle of the attack path restoration matrix, the data missing from the attack path probability statistical table is completed, the data items in the table that do not conform to the establishment principle of the attack path restoration matrix are optimized and adjusted, and the attack path restoration matrix P is established according to the Markov chain state transition matrix, where the element in the i-th row and j-th column of P is $|p_{i,j}|$, 1 ≤ i ≤ N, 1 ≤ j ≤ N,
Figure BDA0003375577900000041
where $p_{i,j}$ represents the probability that the node path $e_{i,j}$ event occurs,
Figure BDA0003375577900000042
Step S3 specifically includes: the elements with values greater than 0 in the attack path restoration matrix are selected column by column, and the nodes corresponding to these elements are connected in sequence by row, so as to restore the current network node path. Denote the set of all elements with values greater than zero in the j-th column of the attack path restoration matrix as nodes(j), 1 ≤ j ≤ N, and denote any element of that set as ANY(nodes(j)), that is, ANY(nodes(j)) ∈ nodes(j), which also satisfies ANY(nodes(j)) > 0. The restored current network node path is then written as: ANY(nodes(1)) → ANY(nodes(2)) → … → ANY(nodes(N)), where the symbol → indicates that traffic flows from the network node before it to the network node after it.
Step S4 specifically includes:
S41, predicting the next node of the network node path: according to the attack path restoration matrix, the node corresponding to the maximum-value element for the current network node in the next column of the matrix is selected as the predicted next node of the network node path. Denote the current node, located in the j-th column of the attack path restoration matrix, as NODE(j), 1 ≤ j ≤ N, which belongs to the set nodes(j); the predicted next node of the network node path is located in the (j+1)-th column of the matrix and is denoted NODE(j+1), with NODE(j+1) ∈ nodes(j+1), 1 ≤ j ≤ N. The probability that the next node appears in the i-th row and (j+1)-th column of the attack path restoration matrix is denoted $p'_{i,j+1}$ and is calculated as:
Figure BDA0003375577900000043
where $p_{i,j+1} > 0$; $p_{i,j+1}$ represents the probability that the current node appears in the i-th row and (j+1)-th column of the attack path restoration matrix, and 1 ≤ i ≤ N.
S42, constructing an attack path restoration matrix, and establishing an attack path prediction matrix from it: the network node with the maximum probability in each column of the attack path restoration matrix is selected as the predicted network node for the corresponding column of the attack path prediction matrix, and the path formed by these network nodes is the predicted network node path. The attack path restoration matrix P' is constructed, with the expression:
Figure BDA0003375577900000051
S43, the network node path predicted in step S42 is compared with the actually detected network node path for verification, and the effect of the network node path restoration and prediction method is evaluated.
The beneficial effects of the invention are:
The invention discloses a network node path restoration and prediction method based on a Markov chain, which combines the widely used network attack chain with a Markov chain and improves the statistical prediction method for network node paths, so that network node path statistics are better suited to prediction, thereby improving the accuracy of network node path prediction.
The invention improves the existing network attack path prediction method, so that the prediction results are closer to practical application; at the same time, to address inaccurate prediction of network attack paths, the characteristics of the Markov chain are used to process the statistical results, so that the prediction model is more widely applicable.
Drawings
FIG. 1 is a flow chart of an implementation of the method of the present invention.
Detailed Description
For a better understanding of the present disclosure, an example is given here. FIG. 1 is a flow chart of an implementation of the method of the present invention.
The network node path restoration and prediction method based on a Markov chain disclosed by the invention comprises the following specific steps:
S1, calculating an attack path probability statistical table: from the beacons received by the attacked network node, the network nodes each beacon passed through before entering that node are analyzed to obtain the network node path formed by those nodes; a Markov chain state transition matrix of the nodes in the network node path is established; probability statistics are computed on the connection of every two nodes in the path based on the Markov chain state transition matrix; and an attack path probability statistical table is established.
S2, establishing an attack path matrix: the Markov chain characteristics are selected according to the sequence characteristics of the network nodes contained in the beacons detected by the current network node, the establishment principle of the attack path restoration matrix is determined, and the attack path restoration matrix is calculated.
S3, restoring the network node path: the nodes corresponding to all non-zero data in the attack path restoration matrix are extracted, thereby restoring the current network node path.
S4, predicting the network node path: based on the probability of each attack path in the attack path restoration matrix, the occurrence probability of connecting from one node to the next node in the attack paths is predicted.
In step S1, establishing the attack path probability statistical table based on the Markov chain state transition matrix includes:
S11, extracting and analyzing the beacons: on the attacked network node, traffic analysis software is used to capture, identify and analyze the beacons in the node's traffic, and the information about the network nodes each beacon flowed through is extracted.
S12, associating the network nodes the beacons flowed through: the corresponding network nodes are associated in the order of the extracted node information, so as to obtain the complete path each beacon flowed along, that is, the network node path including the attacked network node.
S13, computing probability statistics on the connection of every two nodes in the network node path: for each extracted beacon, the occurrence probability, among all beacons, of the event that traffic flows from one network node in the path to the next network node (that is, the two network nodes are connected) is calculated, and the connection probability of every two nodes is counted.
Step S13 specifically includes:
The network nodes a beacon flows through are numbered in order of flow time, the number of such nodes being N. Denote the event that the traffic of the i-th network node flows to the j-th network node as $e_{i,j}$; it also means that a node path $e_{i,j}$ exists from the i-th network node to the j-th node. The occurrence probability of node path $e_{i,j}$ is calculated as follows:
Traverse all detected beacons and the connections among the network nodes they flow through, and count the number of occurrences $C_{i,j}$ of node path $e_{i,j}$; calculate the set of all occurring flows flowing into the i-th node:
Figure BDA0003375577900000071
Simplify the data of the resulting flow set by the extreme-value method, as follows:
Figure BDA0003375577900000072
thereby obtaining the normalized value $H'_{i,j}$ of the occurrence probability of node path $e_{i,j}$, where $H_j$ represents the set of all occurring traffic flowing into the j-th node.
S14, based on the probabilities obtained statistically in step S13, an attack path probability statistical table conforming to the Markov chain state transition characteristic is established, in which the row and column headings are node numbers and the data $H'_{i,j}$ is filled into the cell corresponding to node i and node j. Note that if event $e_{i,j}$ does not occur, the (i, j) entry in the table is left unfilled.
Step S2 specifically includes:
S21, screening the Markov chain characteristics: the Markov chain state transition matrix established in step S1 is analyzed, and the Markov characteristics applicable to the matrix are selected, the Markov chain characteristics specifically comprising communication between states, periodicity, transience, recurrence, ergodicity or absorbing states.
S22, according to the Markov characteristics selected in step S21, the establishment principle of the attack path restoration matrix is determined. The establishment principle of the attack path restoration matrix includes that the elements of each row sum to 1 and the elements of each column sum to 1.
S23, according to the establishment principle of the attack path restoration matrix, the data missing from the attack path probability statistical table is completed, the data items in the table that do not conform to the establishment principle of the attack path restoration matrix are optimized and adjusted, and the attack path restoration matrix P is established according to the Markov chain state transition matrix, where the element in the i-th row and j-th column of P is $|p_{i,j}|$, 1 ≤ i ≤ N, 1 ≤ j ≤ N,
Figure BDA0003375577900000081
where $p_{i,j}$ represents the probability that the node path $e_{i,j}$ event occurs,
Figure BDA0003375577900000082
The optimization adjustment of the data items in the attack path probability statistical table that do not conform to the establishment principle of the attack path restoration matrix includes normalizing the elements of any row or column whose sum is not 1.
Step S3 specifically includes: the elements with values greater than 0 in the attack path restoration matrix are selected column by column, and the nodes corresponding to these elements are connected in sequence by row, so as to restore the current network node path. Denote the set of all elements with values greater than zero in the j-th column of the attack path restoration matrix as nodes(j), 1 ≤ j ≤ N, and denote any element of that set as ANY(nodes(j)), that is, ANY(nodes(j)) ∈ nodes(j), which also satisfies ANY(nodes(j)) > 0. The restored current network node path is then written as: ANY(nodes(1)) → ANY(nodes(2)) → … → ANY(nodes(N)), where the symbol → indicates that traffic flows from the network node before it to the network node after it.
Step S4 specifically includes:
S41, predicting the next node of the network node path: according to the attack path restoration matrix, the node corresponding to the maximum-value element for the current network node in the next column of the matrix is selected as the predicted next node of the network node path. Denote the current node, located in the j-th column of the attack path restoration matrix, as NODE(j), 1 ≤ j ≤ N, which belongs to the set nodes(j); the predicted next node of the network node path is located in the (j+1)-th column of the matrix and is denoted NODE(j+1), with NODE(j+1) ∈ nodes(j+1), 1 ≤ j ≤ N. The probability that the next node appears in the i-th row and (j+1)-th column of the attack path restoration matrix is denoted $p'_{i,j+1}$ and is calculated as:
Figure BDA0003375577900000091
where $p_{i,j+1} > 0$; $p_{i,j+1}$ represents the probability that the current node appears in the i-th row and (j+1)-th column of the attack path restoration matrix, and 1 ≤ i ≤ N.
S42, constructing an attack path restoration matrix, and establishing an attack path prediction matrix from it: the network node with the maximum probability in each column of the attack path restoration matrix is selected as the predicted network node for the corresponding column of the attack path prediction matrix, and the path formed by these network nodes is the predicted network node path. The attack path restoration matrix P' is constructed, with the expression:
Figure BDA0003375577900000092
S43, the network node path predicted in step S42 is compared with the actually detected network node path for verification, and the effect of the network node path restoration and prediction method is evaluated.
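The steps S1 to S4 above, worked through on a small data set as an added example (this is not code from the patent or its applicants). The patent's formulas survive on this page only as figure references, so the sketch assumes the ordinary first-order estimate (row-normalised transition counts), treats a node with no observed outgoing hop as an absorbing state, and enforces only the row-sum principle; the beacon paths and all function names are constructed for illustration.

```python
from collections import defaultdict

# Constructed sample input (not from the patent): the ordered node lists
# recovered from five beacons (steps S11/S12). Some are partial, because
# not every node stamps every packet.
BEACON_PATHS = [
    ["A", "B", "C", "E"],
    ["A", "B", "C", "E"],
    ["A", "B", "D", "E"],
    ["A", "C", "E"],        # hop through B was not recorded
    ["B", "C"],             # fragment only
]


def node_order(paths):
    """Number nodes by first appearance, a stand-in for flow-time order."""
    order = []
    for path in paths:
        for node in path:
            if node not in order:
                order.append(node)
    return order


def count_transitions(paths):
    """S13: C[i][j] = number of beacons in which traffic went from i to j."""
    counts = defaultdict(lambda: defaultdict(int))
    for path in paths:
        for src, dst in zip(path, path[1:]):
            counts[src][dst] += 1
    return counts


def restoration_matrix(paths):
    """S14 + S23 under the stated assumptions: row-normalise the counts and
    complete rows with no observed outgoing hop as absorbing states."""
    nodes = node_order(paths)
    counts = count_transitions(paths)
    matrix = {}
    for i in nodes:
        total = sum(counts[i].values())
        if total == 0:                       # missing data: no hop seen from i
            matrix[i] = {j: 1.0 if j == i else 0.0 for j in nodes}
        else:
            matrix[i] = {j: counts[i].get(j, 0) / total for j in nodes}
    return nodes, matrix


def restored_edges(matrix):
    """S3: every non-zero, non-self entry is a hop that the beacons support."""
    return [(i, j, p) for i, row in matrix.items()
            for j, p in row.items() if p > 0 and i != j]


def predict_path(matrix, start, max_hops=32):
    """S41/S42: follow the maximum-probability entry hop by hop."""
    path, prob = [start], 1.0
    for _ in range(max_hops):
        cur = path[-1]
        nxt, p = max(matrix[cur].items(), key=lambda kv: kv[1])
        if nxt == cur or nxt in path:        # absorbing state or routing loop
            break
        path.append(nxt)
        prob *= p
    return path, prob


def hop_accuracy(predicted, observed):
    """S43: share of actually observed hops that the prediction contains."""
    predicted_hops = set(zip(predicted, predicted[1:]))
    observed_hops = list(zip(observed, observed[1:]))
    if not observed_hops:
        return 0.0
    return sum(h in predicted_hops for h in observed_hops) / len(observed_hops)


if __name__ == "__main__":
    nodes, P = restoration_matrix(BEACON_PATHS)
    for i in nodes:
        print(i, [round(P[i][j], 2) for j in nodes])
    print(restored_edges(P))
    path, prob = predict_path(P, "A")
    print(" -> ".join(path), round(prob, 4))
    print(hop_accuracy(path, ["A", "B", "D", "E"]))
```

The fragment ["B", "C"] still raises the B to C estimate even though its source and destination were never seen, which is the benefit of counting per-hop transitions rather than whole paths when beacon coverage is incomplete.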
The above description is only an example of the present application and is not intended to limit the present application. Various modifications and changes may occur to those skilled in the art. Any modification, equivalent replacement, improvement or the like made within the spirit and principle of the present application shall be included in the scope of the claims of the present application.

Claims (6)

1. A network node path restoration and prediction method based on a Markov chain, characterized by comprising the following specific steps:
S1, calculating an attack path probability statistical table: from the beacons received by the attacked network node, the network nodes each beacon passed through before entering that node are analyzed to obtain the network node path formed by those nodes; a Markov chain state transition matrix of the nodes in the network node path is established; probability statistics are computed on the connection of every two nodes in the path based on the Markov chain state transition matrix; and an attack path probability statistical table is established;
S2, establishing an attack path matrix: the Markov chain characteristics are selected according to the sequence characteristics of the network nodes contained in the beacons detected by the current network node, the establishment principle of the attack path restoration matrix is determined, and the attack path restoration matrix is calculated;
S3, restoring the network node path: the nodes corresponding to all non-zero data in the attack path restoration matrix are extracted, thereby restoring the current network node path;
S4, predicting the network node path: based on the probability of each attack path in the attack path restoration matrix, the occurrence probability of connecting from one node to the next node in the attack paths is predicted.
2. The Markov chain-based network node path restoration and prediction method of claim 1, wherein
in step S1, establishing the attack path probability statistical table based on the Markov chain state transition matrix includes:
S11, extracting and analyzing the beacons: on the attacked network node, traffic analysis software is used to capture, identify and analyze the beacons in the node's traffic, and the information about the network nodes each beacon flowed through is extracted;
S12, associating the network nodes the beacons flowed through: the corresponding network nodes are associated in the order of the extracted node information, so as to obtain the complete path each beacon flowed along, that is, the network node path including the attacked network node;
S13, computing probability statistics on the connection of every two nodes in the network node path: for each extracted beacon, the occurrence probability, among all beacons, of the event that traffic flows from one network node in the path to the next network node (that is, the two network nodes are connected) is calculated, and the connection probability of every two nodes is counted;
S14, based on the probabilities obtained statistically in step S13, an attack path probability statistical table conforming to the Markov chain state transition characteristic is established, in which the row and column headings are node numbers and the data $H'_{i,j}$ is filled into the cell corresponding to node i and node j.
3. The Markov chain-based network node path restoration and prediction method of claim 2, wherein
step S13 specifically includes:
the network nodes a beacon flows through are numbered in order of flow time, the number of such nodes being N; denote the event that the traffic of the i-th network node flows to the j-th network node as $e_{i,j}$, which also means that a node path $e_{i,j}$ exists from the i-th network node to the j-th node; the occurrence probability of node path $e_{i,j}$ is calculated as follows:
traverse all detected beacons and the connections among the network nodes they flow through, and count the number of occurrences $C_{i,j}$ of node path $e_{i,j}$; calculate the set of all occurring flows flowing into the i-th node:
Figure FDA0003375577890000021
simplify the data of the resulting flow set by the extreme-value method, as follows:
Figure FDA0003375577890000022
thereby obtaining the normalized value $H'_{i,j}$ of the occurrence probability of node path $e_{i,j}$, where $H_j$ represents the set of all occurring traffic flowing into the j-th node.
4. The Markov chain-based network node path restoration and prediction method of claim 1, wherein
step S2 specifically includes:
S21, screening the Markov chain characteristics: the Markov chain state transition matrix established in step S1 is analyzed, and the Markov characteristics applicable to the matrix are selected, the Markov chain characteristics specifically comprising communication between states, periodicity, transience, recurrence, ergodicity or absorbing states;
S22, according to the Markov characteristics selected in step S21, the establishment principle of the attack path restoration matrix is determined;
S23, according to the establishment principle of the attack path restoration matrix, the data missing from the attack path probability statistical table is completed, the data items in the table that do not conform to the establishment principle of the attack path restoration matrix are optimized and adjusted, and the attack path restoration matrix P is established according to the Markov chain state transition matrix, where the element in the i-th row and j-th column of P is $|p_{i,j}|$, 1 ≤ i ≤ N, 1 ≤ j ≤ N,
Figure FDA0003375577890000031
where $p_{i,j}$ represents the probability that the node path $e_{i,j}$ event occurs,
Figure FDA0003375577890000032
5. The Markov chain-based network node path restoration and prediction method of claim 1, wherein
step S3 specifically includes: the elements with values greater than 0 in the attack path restoration matrix are selected column by column, and the nodes corresponding to these elements are connected in sequence by row, so as to restore the current network node path; denote the set of all elements with values greater than zero in the j-th column of the attack path restoration matrix as nodes(j), 1 ≤ j ≤ N, and denote any element of that set as ANY(nodes(j)), that is, ANY(nodes(j)) ∈ nodes(j), which also satisfies ANY(nodes(j)) > 0; the restored current network node path is then written as: ANY(nodes(1)) → ANY(nodes(2)) → … → ANY(nodes(N)), where the symbol → indicates that traffic flows from the network node before it to the network node after it.
6. The Markov chain-based network node path restoration and prediction method of claim 1,
the step S4 specifically includes:
S41, predicting the next node of the network node path: according to the attack path reduction matrix, selecting the node corresponding to the maximum-value element in the column following the current network node's column as the predicted next node of the network node path; the current node lies in column j of the attack path reduction matrix and is denoted NODE(j), where 1 ≤ j ≤ N and NODE(j) belongs to the set nodes(j); the predicted next node of the network node path lies in column j+1 of the attack path reduction matrix and is denoted NODE(j+1), where NODE(j+1) ∈ nodes(j+1) and 1 ≤ j ≤ N; the probability that the next node appears in the i-th row and (j+1)-th column of the attack path reduction matrix is denoted $p'_{i,j+1}$ and is calculated as follows:
Figure FDA0003375577890000041
where $p_{i,j+1} > 0$, and $p_{i,j+1}$ represents the probability that the current node appears in the i-th row and (j+1)-th column of the attack path reduction matrix, with $1 \le i \le N$;
S42, constructing an attack path reduction matrix, and establishing an attack path prediction matrix according to the attack path reduction matrix: selecting the network node with the maximum probability in each column of the attack path reduction matrix as the predicted network node for the corresponding column of the attack path prediction matrix, the path formed by these network nodes being the predicted network node path; constructing an attack path reduction matrix, wherein the expression of the attack path reduction matrix P′ is as follows:
Figure FDA0003375577890000042
S43, comparing the network node path predicted in step S42 with the actually detected network node path for verification, and evaluating the effect of the network node path restoration and prediction method.
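Steps S3, S42 and S43 of claims 5 and 6 can be run on a small matrix. The following is an added example, not code from the patent: the 4×4 matrix values, the function names, the lowest-index tie-break and the position-wise match rate used for S43 are assumptions. The formula images for $p'_{i,j+1}$ and P′ are not reproduced on this page, so the code uses only the column-maximum rule stated in the text.

```python
from itertools import product

# Constructed sample matrix (not from the patent). Rows are network nodes 1..N,
# columns are successive path positions, as claims 5 and 6 use them.
P = [
    [0.7, 0.0, 0.1, 0.0],
    [0.3, 0.2, 0.0, 0.0],
    [0.0, 0.8, 0.3, 0.4],
    [0.0, 0.0, 0.6, 0.6],
]

def nodes(matrix, j):
    """nodes(j): 1-based rows whose entry in 1-based column j is > 0."""
    return [i + 1 for i, row in enumerate(matrix) if row[j - 1] > 0]

def restore_paths(matrix):
    """Step S3: every path ANY(nodes(1)) -> ANY(nodes(2)) -> ... over all columns."""
    columns = [nodes(matrix, j) for j in range(1, len(matrix[0]) + 1)]
    for j, candidates in enumerate(columns, start=1):
        if not candidates:
            # An all-zero column means the statistics were never completed (step S23).
            raise ValueError(f"column {j} has no element > 0; complete the data first")
    return list(product(*columns))

def predict_path(matrix):
    """Step S42: in each column pick the node with the maximum probability.
    Ties go to the lowest node number (an assumption; the claims do not say)."""
    path = []
    for j in range(len(matrix[0])):
        column = [row[j] for row in matrix]
        if max(column) <= 0:
            raise ValueError(f"column {j + 1} has no element > 0")
        path.append(column.index(max(column)) + 1)
    return path

def match_rate(predicted, observed):
    """Step S43 check. Position-wise agreement is an assumed metric."""
    if len(predicted) != len(observed):
        raise ValueError("paths must have the same length")
    return sum(p == o for p, o in zip(predicted, observed)) / len(predicted)

if __name__ == "__main__":
    print(len(restore_paths(P)), "candidate paths")
    print("predicted:", predict_path(P))
    print("match:", match_rate(predict_path(P), [1, 3, 4, 3]))
```

The restored set grows as the product of the column set sizes, so on a large matrix a defender would enumerate it lazily or prune low-probability entries first.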
CN202111415179.3A 2021-11-25 2021-11-25 Network node path reduction and prediction method based on Markov chain Active CN114189364B (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN202111415179.3A CN114189364B (en) 2021-11-25 2021-11-25 Network node path reduction and prediction method based on Markov chain

Applications Claiming Priority (1)

Application Number Priority Date Filing Date Title
CN202111415179.3A CN114189364B (en) 2021-11-25 2021-11-25 Network node path reduction and prediction method based on Markov chain

Publications (2)

Publication Number Publication Date
CN114189364A (en) 2022-03-15
CN114189364B (en)

Family

ID=80602607

Family Applications (1)

Application Number Title Priority Date Filing Date
CN202111415179.3A Active CN114189364B (en) 2021-11-25 2021-11-25 Network node path reduction and prediction method based on Markov chain

Country Status (1)

Country Link
CN (1) CN114189364B (en)

Cited By (1)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN115021983A (en) * 2022-05-20 2022-09-06 北京信息科技大学 Penetration path determination method and system based on absorption Markov chain

Citations (3)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN108418843A (en) * 2018-06-11 2018-08-17 中国人民解放军战略支援部队信息工程大学 Network attack target identification method based on attack graph and system
US20200211350A1 (en) * 2018-12-27 2020-07-02 Logistics and Supply Chain MultiTech R&D Centre Limited System and Method for Attack Detection in Wireless Beacon Systems
CN113486334A (en) * 2021-05-25 2021-10-08 新华三信息安全技术有限公司 Network attack prediction method and device, electronic equipment and storage medium

Also Published As

Publication number Publication date
CN114189364B (en) 2022-09-16

Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination
GR01 Patent grant