CN114726620A - SDN attack intention analysis method based on Bayesian attack graph - Google Patents


Info

Publication number: CN114726620A
Application number: CN202210364993.5A
Authority: CN (China)
Legal status: Pending (as listed by Google Patents; the listed status is an assumption, not a legal conclusion)
Other languages: Chinese (zh)
Prior art keywords: attack, sdn, node, equipment, cost
Inventors: 张玉, 王青, 罗智勇
Current assignee: Harbin University of Science and Technology (as listed; assignee lists may be inaccurate)
Original assignee: Harbin University of Science and Technology
Application filed by Harbin University of Science and Technology; priority to CN202210364993.5A; published as CN114726620A.

Classifications

    • H04L63/1433 Vulnerability analysis (under H04L63/14 Detecting or protecting against malicious traffic; H04L63/00 Network architectures or protocols for network security)
    • H04L63/20 Managing network security; network security policies in general
    • H04L41/142 Network analysis or design using statistical or mathematical methods (under H04L41/14 Network analysis or design; H04L41/00 Maintenance, administration or management of data switching networks)
    • H04L41/145 Network analysis or design involving simulating, designing, planning or modelling of a network


Abstract

The invention discloses an SDN attack intention analysis method based on a Bayesian attack graph, in the technical field of network security. It addresses two gaps in existing software-defined network (SDN) security prediction methods: attack cost is not considered, and the effect of controller vulnerabilities on SDN security is not considered. The method computes device criticality with the PageRank algorithm, constructs an attack graph from vulnerability value, attack cost, attack gain and a preference function, and builds a risk assessment model to predict the intrusion path. According to the reported experimental results, the model predicts intrusion paths more accurately, improves the accuracy of security prediction, and provides a basis for defending the controller.

Description

SDN attack intention analysis method based on Bayesian attack graph
Technical Field
The invention relates to the technical field of network security, in particular to an SDN attack intention analysis method based on a Bayesian attack graph.
Background
SDN is a new network architecture in which the network is defined and controlled programmatically: the control plane is separated from the forwarding plane, and open, programmable interfaces make the network more flexible. It has been adopted across many application domains, is regarded as a turning point in networking, offers a new experimental platform for research on new Internet architectures, and accelerates the development of next-generation networks. The same architecture, however, sharpens its security problems, risks and threats. SDN introduces new network components to support new functions, notably SDN controllers and switches, and with them vulnerabilities that conventional networks never had to consider. Game-theoretic research on network security, in China and abroad, has made some progress, but most of it assumes complete information, places specific professional demands on attackers and defenders, and the early attack-defence game work focuses largely on single-stage games and multi-stage complete-information games.
Summary of the invention
To protect the controller, a device that is easily overlooked, to quantify network security risk in terms of attack intention, and to give an SDN security administrator a basis for security policy, the invention provides an SDN attack intention analysis method based on a Bayesian attack graph. The technical scheme is as follows:
An SDN attack intention analysis method based on a Bayesian attack graph comprises the following steps:
Step one: build the SDN attack graph. To compute more accurately the probability that each vertex in the graph is attacked and the possible attack paths, compute device importance with the PageRank (PR) algorithm, then carry out risk assessment to predict the attack paths.
Step two: to evaluate SDN security more comprehensively in the experiment, define the vulnerability value of SDN devices and the criticality of SDN devices, and evaluate the importance of each network device in the SDN by combining the newly proposed attack cost and attack gain with the PR algorithm.
Step three: analyse the vulnerability value. A node's vulnerability value depends on how easily an attacker can use the vulnerability and on its impact on the node. Vulnerabilities are quantified with a vulnerability scoring system; the six CVSS base metrics attack vector, attack complexity, privileges required, confidentiality, integrity and availability are used.
Step four: analyse SDN device importance. Unlike a traditional network, SDN separates the control plane from the data plane, so importance is computed differently. Each device has a specific function and hence a different weight: the controller plays the core role in the whole SDN and has the highest importance, followed by the switches, servers and hosts. Device criticality is analysed with the PageRank algorithm.
Step five: analyse the attack cost.
Step six: analyse the attack gain: the more important the leaked information, the higher the gain obtained.
Step seven: analyse attack preference. The preference function expresses how strongly an attacker prefers to attack a target device node; the higher the preference, the more likely the attacker is to attack it.
Step eight: analyse the attack probability of a device. From the analysis of device importance, attack cost and attack gain and their quantified results, obtain the probability that an attacker attacks a node, that is, the node's attacked probability, which lies in [0,1]; the larger the value, the more likely the node is to be attacked.
Step nine: analyse the conditional probability, i.e. the probability that each device attribute node is attacked given the state of its parent device nodes.
Step three further comprises the following sub-steps.
Step 3.1: quantify the vulnerability value from the above metrics and compute the corresponding vulnerability score:
Grade = min(Exp + Impact, 10)
where:
Exp = 8.22 × AV × AC × PR
Impact = 6.42 × ISCbase
ISCbase = 1 − (1 − C) × (1 − I) × (1 − A)
Here Impact is the vulnerability impact factor (the CVSS scope is fixed to "unchanged" by default, hence the coefficient 6.42), Exp is the exploitability factor, whose size reflects how hard the attack is, and ISCbase is an intermediate variable. Note that CVSS v3.x itself also multiplies the exploitability term by the user-interaction metric (UI); the formula here omits it.
Step 3.2: since CVSS base scores lie in [0,10], the vulnerability value Worth is the normalised score:
Worth = Grade / 10 × 100%
Step four further comprises the following sub-steps.
Step 4.1: because of the particular structure of SDN, the device criticality PR is set to an integer in [1, 10]. Initially the PR value of a host is set to 4, that of a switch or server to 7, and that of the controller to 10; device criticality is then recomputed with the PR algorithm. For network device Bj (j = 1, ..., n), PR(Bj) is computed as follows (the equation image is not reproduced on this page; the expression below is the standard PageRank form that the surrounding definitions describe):
PR(Bj) = (1 − d)/N + d · Σ_{Bi ∈ M(Bj)} PR(Bi) / O(Bi)
where the damping coefficient d is 0.85 by default, N is the number of devices, PR(Bi) is the criticality of a parent node Bi of device Bj, O(Bi) is the number of devices Bi is connected to, and M(Bj) is the set of parent-node devices of Bj.
Step 4.2: construct an initial N×N matrix S of the device nodes from the SDN topology, where Sxy is the attack probability from parent node x to child node y. With e a column vector of all ones, the transition matrix K is (standard form; equation image not reproduced):
K = d · S + (1 − d)/N · e · eᵀ
Set a unit column vector X and iterate Y = KX; stop when X and Y are close or equal, i.e. |Y − X| < τ with τ a small tolerance, which gives the final criticality of every device.
Step 4.3: compute device importance EIm from device criticality and vulnerability value; after quantification, EIm(Bj) is:
EIm(Bj) = PR(Bj) × Worth(Bj) / 10
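As an added worked example (not code from the patent), the following Python carries steps three and four through end to end for a constructed five-device SDN topology: the CVSS-derived Worth, PageRank-style criticality in the per-node form the definitions above describe, and EIm. The CVSS metric weights are the published CVSS v3.1 base-metric values; the topology, the per-device CVSS vectors, the rescaling of the converged criticality vector so that the top device scores 10, and keeping Worth as a fraction in [0,1] rather than a percentage (so that EIm lies in [0,1]) are assumptions of the example.

```python
"""Added example (not the patent's code): CVSS-based vulnerability value (step three)
and PageRank-style device criticality / importance (step four) for a constructed SDN."""

# CVSS v3.1 base-metric weights for the six metrics the page lists (AV, AC, PR, C, I, A).
AV = {"N": 0.85, "A": 0.62, "L": 0.55, "P": 0.20}
AC = {"L": 0.77, "H": 0.44}
PR_UNCHANGED = {"N": 0.85, "L": 0.62, "H": 0.27}   # privileges required, scope unchanged
CIA = {"H": 0.56, "L": 0.22, "N": 0.0}


def vulnerability_grade(av, ac, pr, c, i, a):
    """Grade = min(Exp + Impact, 10) with the page's Exp and Impact formulas.
    CVSS v3.x itself also multiplies Exp by the User Interaction weight; the page omits it."""
    isc_base = 1 - (1 - CIA[c]) * (1 - CIA[i]) * (1 - CIA[a])
    impact = 6.42 * isc_base
    exp = 8.22 * AV[av] * AC[ac] * PR_UNCHANGED[pr]
    return min(exp + impact, 10.0)


def worth(grade):
    """Worth = Grade / 10, kept as a fraction in [0, 1] (assumption; the page writes a percentage)."""
    return grade / 10.0


def criticality(topology, init, d=0.85, tau=1e-9):
    """PR(Bj) = (1-d)/N + d * sum_{Bi in M(Bj)} PR(Bi)/O(Bi), iterated until max|Y - X| < tau.
    topology: device -> set of devices it is connected to (Bi -> Bj edges).
    init: starting PR values (host 4, switch/server 7, controller 10 on the page).
    The fixed point does not depend on init; the result is rescaled so the most critical
    device scores 10 (assumption, to stay in the page's [1, 10] range)."""
    nodes = list(topology)
    n = len(nodes)
    parents = {v: [u for u in nodes if v in topology[u]] for v in nodes}   # M(Bj)
    pr = dict(init)
    while True:
        new = {v: (1 - d) / n + d * sum(pr[u] / len(topology[u]) for u in parents[v])
               for v in nodes}
        diff = max(abs(new[v] - pr[v]) for v in nodes)
        pr = new
        if diff < tau:
            break
    top = max(pr.values())
    return {v: 10.0 * pr[v] / top for v in nodes}


def importance(pr, worth_value):
    """EIm(Bj) = PR(Bj) * Worth(Bj) / 10, in [0, 1]."""
    return pr * worth_value / 10.0


# Constructed topology: two hosts behind one switch; the switch reaches a server and the
# controller; the server also reaches the controller (e.g. through a northbound API).
TOPOLOGY = {
    "host1": {"switch1"},
    "host2": {"switch1"},
    "switch1": {"server1", "controller"},
    "server1": {"controller"},
    "controller": set(),
}
INIT = {"host1": 4, "host2": 4, "switch1": 7, "server1": 7, "controller": 10}
# Constructed CVSS base vectors per device, as (AV, AC, PR, C, I, A).
VECTORS = {
    "host1": ("L", "H", "L", "L", "N", "N"),
    "host2": ("N", "L", "L", "L", "L", "N"),
    "switch1": ("A", "L", "N", "N", "H", "L"),
    "server1": ("N", "L", "L", "H", "L", "L"),
    "controller": ("N", "L", "N", "H", "H", "H"),
}


def device_importance(topology=TOPOLOGY, init=INIT, vectors=VECTORS):
    """EIm for every device: criticality from the topology times Worth from its CVSS vector."""
    pr = criticality(topology, init)
    return {dev: importance(pr[dev], worth(vulnerability_grade(*vectors[dev])))
            for dev in topology}


if __name__ == "__main__":
    for dev, eim in sorted(device_importance().items(), key=lambda kv: -kv[1]):
        print(f"{dev:11s} EIm = {eim:.3f}")
```

Because the page's formula carries the (1 − d)/N teleport term, the iteration converges to the same vector whatever the 4/7/10 starting values are; the initial values only matter for how many iterations the loop runs, which is why the rescaling step is needed to put the result back into the page's [1, 10] range.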
further, the following steps are included in the step five.
When an attacker attacks a node in a network, the attacker pays human resources and material resources and also bears attack cost brought by the attack, the attack cost mainly comprises a probability coefficient, namely a risk coefficient beta, discovered by security software of the attacked network when the attacker starts the attack, and attack experience of the attacker on the node. The risk factor β is determined by the importance EIm (B) of the attacked devicej) It is decided that the greater the importance of the node, the higher the probability of being discovered and the greater the risk factor. From the above analysis, the facility risk factor β (B) can be derivedj) Is calculated as follows:
β(Bj)=EIm(Bj)*ζ(Bj)
cost of device attack cost (B)j): representing the cost that an attacker needs to pay to launch an attack on a device in the target network. Since the attack experience is gradually increased when an attacker attacks the device node, the coefficient f is increased, and the expert gives different values according to different network environments. Defaults to the attack cost HrACost (B) of the human and material resources required for attacking each devicej) From a comprehensive analysis of risk factors and attack experiences, a calculation of the cost of equipment attack can be found as shown below, at 0.01:
cost(Bj)=fn-1*β(Bj)+HrACost(Bj)
further, the seventh step includes the following steps.
The preference function is judged mainly by attack cost and attack income, the size of the preference function is judged according to the ratio of the attack cost and the attack income, the higher the ratio is, the lower the preference function is, the lower the possibility of attacking the target equipment node is, otherwise, the higher the possibility is. The ratio of cost to benefit is expressed as λ, and λ is calculated as follows:
Figure BDA0003586720650000031
the preference function PF is calculated as follows:
Figure BDA0003586720650000032
PF(Bj)∈[0,1]when the lambda is larger than or equal to 1, the preference function is 0, the cost is far larger than the benefit, and an attacker cannot attack the node; when λ is 0, the gain is much larger than the cost, and the preference function is 1, at which time the attacker must attack the node.
Step nine further comprises the following.
Step 9.1: the conditional probability of each node is called its local conditional probability distribution. For device attribute node Bj, the local conditional probability is written P_c(Bj | Pa(Bj)), where Pa(Bj) is the set of parent device nodes of Bj and v_j denotes an attack from a parent device node to a child device node. When S = <Bj, d_j = AND>, every parent node must reach the child node for the attack to succeed, and the probability is computed as follows:
(equation image not reproduced on this page)
Step 9.2: when S = <Bj, d_j = OR>, it suffices that one parent node reaches the child node for the attack to succeed, computed as follows:
(equation image not reproduced on this page)
Step 9.3: device node prior probability. The reachable probability of each device attribute node in the SDN is the joint conditional probability along the nodes traversed from the initially attacked node to the current node; that is, for a node Bj ∈ B_process ∪ B_target, the prior probability of device attribute node Bj is computed as follows:
(equation image not reproduced on this page)
where Pa(Bj) is the set of parent device nodes of Bj and P_c(Bj | Pa(Bj)) is the probability that Bj is attacked given its parent nodes.
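The AND/OR conditional probabilities and the prior (reach) probability survive on this page only as equation images. The following added Python (not the patent's code) implements the standard Bayesian attack graph form that the definitions above describe: an AND node succeeds only when every parent is reached, with the edge probabilities multiplied; an OR node succeeds when any one parent is reached (noisy-OR); and each node's reach probability is obtained by summing over its parents' states, treating the parents' compromise events as independent (the usual attack-graph simplification, exact in the constructed graph because no two parents of a node share an ancestor other than the attacker's foothold). It also carries the step-five and step-seven quantities through: β, cost with the f^(n−1) experience term, λ and PF. For PF the page gives only the boundary conditions PF = 1 at λ = 0 and PF = 0 at λ ≥ 1; the linear interpolation between them, the value of ζ, the graph and all edge probabilities are assumptions of the example.

```python
"""Added example (not the patent's code): attack cost, preference and AND/OR
Bayesian attack-graph propagation over a constructed SDN attack graph."""
from itertools import product


def risk_factor(eim, zeta):
    """beta(Bj) = EIm(Bj) * zeta(Bj); zeta is a per-device coefficient (assumed value)."""
    return eim * zeta


def attack_cost(beta, attempts, f, hra_cost=0.01):
    """cost(Bj) = f^(n-1) * beta(Bj) + HrACost(Bj); HrACost defaults to 0.01 as on the page."""
    return f ** (attempts - 1) * beta + hra_cost


def preference(cost, gain):
    """PF(Bj) from lambda = cost / gain. The page fixes only PF = 1 at lambda = 0 and
    PF = 0 at lambda >= 1; the linear interpolation in between is an assumption."""
    if gain <= 0:
        return 0.0
    lam = cost / gain
    return max(0.0, 1.0 - lam)


def conditional_probability(gate, parent_states, edge_probs):
    """P_c(Bj | Pa(Bj)) for one assignment of parent states (True = parent compromised).
    edge_probs[p] is the probability v that the attack step p -> Bj succeeds."""
    reached = [edge_probs[p] for p, state in parent_states.items() if state]
    if gate == "AND":
        if len(reached) < len(parent_states):
            return 0.0                      # every parent must be reached
        prob = 1.0
        for v in reached:
            prob *= v
        return prob
    if gate == "OR":                        # any one reached parent suffices (noisy-OR)
        miss = 1.0
        for v in reached:
            miss *= 1.0 - v
        return 1.0 - miss
    raise ValueError(f"unknown gate {gate!r}")


def reach_probabilities(graph, initial):
    """Unconditional (prior) reach probability of every node.
    graph: node -> (gate, {parent: v}); initial: nodes the attacker already holds (P = 1).
    Parents are marginalised as independent events, the usual attack-graph simplification."""
    prob = {node: 1.0 for node in initial}

    def reach(node):
        if node in prob:
            return prob[node]
        gate, parents = graph[node]
        names = list(parents)
        total = 0.0
        for states in product((False, True), repeat=len(names)):
            assignment = dict(zip(names, states))
            weight = 1.0
            for p, s in assignment.items():
                weight *= reach(p) if s else 1.0 - reach(p)
            total += weight * conditional_probability(gate, assignment, parents)
        prob[node] = total
        return total

    for node in graph:
        reach(node)
    return prob


# Constructed attack graph: the attacker holds an external foothold; two hosts are reachable
# from it; a switch and a server sit behind one host each; the controller requires both the
# switch and the server (AND); a northbound API falls to either of them (OR).
# Edge values are assumed per-step attack probabilities (e.g. the PF of that step).
ATTACK_GRAPH = {
    "host1":      ("OR",  {"attacker": 0.8}),
    "host2":      ("OR",  {"attacker": 0.5}),
    "switch1":    ("OR",  {"host1": 0.6}),
    "server1":    ("OR",  {"host2": 0.7}),
    "controller": ("AND", {"switch1": 0.4, "server1": 0.9}),
    "nb_api":     ("OR",  {"switch1": 0.3, "server1": 0.2}),
}


def predicted_path(graph=ATTACK_GRAPH, initial=("attacker",)):
    """Nodes ranked by reach probability, highest first: the model's intrusion-path ranking."""
    probs = reach_probabilities(graph, initial)
    return sorted(((n, p) for n, p in probs.items() if n not in initial),
                  key=lambda item: -item[1])


if __name__ == "__main__":
    for node, p in predicted_path():
        print(f"{node:11s} P(reached) = {p:.5f}")
```

When two parents of a node do share an intermediate ancestor, the independence shortcut overestimates or underestimates the AND/OR result; exact inference would then have to enumerate the joint states of the whole ancestor set, which is why the constructed graph keeps the two branches disjoint.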
The invention has the following beneficial effects:
Existing SDN security prediction methods consider neither attack cost nor the effect of controller vulnerabilities on SDN security. The method proposed here computes device criticality with the PageRank algorithm, constructs an attack graph from vulnerability value, attack cost, attack gain and a preference function, and builds a risk assessment model to predict the intrusion path. According to the reported experiments, the model predicts intrusion paths more accurately, improves the accuracy of security prediction, and provides a basis for defending the controller.
Drawings
Fig. 1 is a flowchart of the SDN attack intention analysis method based on a Bayesian attack graph;
Fig. 2 is a diagram of an SDN control plane and data plane together with an external network;
Fig. 3 is the attack graph generated from vulnerability information, the SDN network topology and related data.
Detailed Description
The invention is described in detail below with reference to specific embodiments.
As shown in Figs. 1 to 3, the specific technical solution adopted to solve the above problems is as follows. The SDN attack intention analysis method based on a Bayesian attack graph comprises the following steps:
Steps one to five are carried out as set out in the summary above, with the same definitions and formulas.
Step six: analyse the attack gain. The device attack gain is the gain an attacker obtains from one attack on a device in the target network; it is determined from the measured information, and an accurate gain value is derived from the information leaked. The more important the leaked information, the higher the gain obtained.
Steps seven to nine are carried out as set out in the summary above, with the same definitions and formulas.
In summary, the embodiment provides an SDN attack intention analysis method based on a Bayesian attack graph, addressing the fact that existing SDN security prediction methods consider neither attack cost nor the effect of controller vulnerabilities on SDN security. Device criticality is computed with the PageRank algorithm, an attack graph is constructed from vulnerability value, attack cost, attack gain and a preference function, and a risk assessment model predicts the intrusion path; the reported experiments indicate more accurate intrusion-path prediction and a basis for defending the controller.
The foregoing is only a preferred embodiment of the method; its scope of protection is not limited to this embodiment, and all technical solutions falling within the same idea belong to the scope of the invention. Modifications and variations that do not depart from the gist of the invention, as would occur to those skilled in the art, are intended to fall within its scope.

Claims (6)

1. An SDN attack intention analysis method based on a Bayesian attack graph, comprising the following steps:
Step 1: build the SDN attack graph; to compute more accurately the attacked probability of each vertex in the SDN attack graph and the possible attack paths, compute device importance with the PR (PageRank) algorithm, and carry out risk assessment to predict the attack paths.
Step 2: to evaluate SDN security more comprehensively in the experiment, define the vulnerability value of SDN devices and SDN device criticality, and evaluate the importance of each network device in the SDN by combining the newly proposed attack cost and attack gain with the PR algorithm.
Step 3: analyse the vulnerability value; a node's vulnerability value depends on how easily an attacker can use the vulnerability and on its impact on the node; quantify the vulnerability with a vulnerability scoring system, measuring the six CVSS metrics attack vector, attack complexity, privileges required, confidentiality, integrity and availability.
Step 4: analyse SDN device importance; unlike a traditional network, SDN separates the control plane from the data plane, so importance is computed differently; each device has a specific function and hence a different weight; the controller plays the core role in the whole SDN and has the highest importance, followed by the switches, servers and hosts; analyse device criticality with the PageRank algorithm.
Step 5: analyse the attack cost.
Step 6: analyse the attack gain; the more important the leaked information, the higher the gain obtained.
Step 7: analyse attack preference; the preference function expresses how strongly an attacker prefers to attack the target device node; the higher the preference, the more likely the attacker is to attack it.
Step 8: analyse the attack probability of a device; from the analysis of device importance, attack cost and attack gain and their quantified results, obtain the probability that an attacker attacks a node, i.e. the node's attack probability, which lies in [0,1]; the larger the value, the more likely the attack.
Step 9: analyse the conditional probability, computing the probability that each device attribute node is attacked given its parent device nodes.
2. The SDN attack intention analysis method based on a Bayesian attack graph of claim 1, wherein step 3 specifically comprises:
first quantifying the vulnerability value from the metrics and computing the corresponding vulnerability score:
Grade = min(Exp + Impact, 10)
where:
Exp = 8.22 × AV × AC × PR
Impact = 6.42 × ISCbase
ISCbase = 1 − (1 − C) × (1 − I) × (1 − A)
where Impact is the vulnerability impact factor with the scope fixed by default, Exp is the exploitability factor whose size reflects the difficulty of attack, and ISCbase is an intermediate variable; and, since the CVSS score range is [0,10], quantifying the vulnerability value as Worth:
Worth = Grade / 10 × 100%
3. The SDN attack intention analysis method based on the Bayesian attack graph as recited in claim 1, characterized in that step 4 specifically comprises the following:
Due to the specificity of SDN, the criticality of the initial devices is set in [1,10]. In the initial stage, the PR value of a host is set to 4, the PR values of a switch and a server are set to 7, and the PR value of the controller is set to 10; the equipment criticality is then recalculated by the PR (PageRank) algorithm, and the value PR(B_j) of network equipment B_j (j = 1, ..., n) is calculated as follows:
Figure FDA0003586720640000021
wherein the damping coefficient d is 0.85 by default, N represents the number of devices, PR(B_i) represents the equipment criticality of B_i, a parent node of device B_j, O(B_i) represents the number of devices that B_i is connected to, and M(B_j) is the total number of devices that are parent nodes of device B_j.
Then, an initialisation matrix S of size N×N is constructed for the equipment nodes according to the SDN topological relation, in which S_xy represents the attack probability from parent node x to child node y; taking e as a column vector with all components equal to 1, the transition matrix K is calculated as follows:
Figure FDA0003586720640000022
A unit column vector X is set and the iteration is carried out; the iteration ends when the values of X and Y are close or equal, i.e. |Y − X| < τ, where τ is infinitesimally small, giving the final criticality of all equipment. The iterative computation is:
Y=KX
The device importance EIm_j is computed from the device criticality and the vulnerability value; the result needs to be quantified, and the quantified device importance EIm_j is calculated as follows:
EIm(B_j)=PR(B_j)×Worth(B_j)/10
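An added example, not from the patent, that works claims 2 and 3 through in Python: Worth from the CVSS metrics, the PR iteration Y = KX starting from the SDN-specific initial values, and EIm(B_j). The CVSS metric weights are the published v3.x constants; the transition matrix K and the four-device sample topology are assumptions, since the page's K formula is an image.

```python
# CVSS v3.x base-metric weights (published constants); scope "unchanged", as claim 2 assumes.
AV = {"N": 0.85, "A": 0.62, "L": 0.55, "P": 0.2}
AC = {"L": 0.77, "H": 0.44}
PRIV = {"N": 0.85, "L": 0.62, "H": 0.27}   # CVSS "PR" (privileges required), not PageRank
CIA = {"H": 0.56, "L": 0.22, "N": 0.0}
INITIAL_PR = {"host": 4.0, "switch": 7.0, "server": 7.0, "controller": 10.0}  # claim 3

def worth(av, ac, pr, c, i, a):
    """Vulnerability value Worth = Grade/10, Grade = min(Exp + Impact, 10) (claim 2)."""
    isc_base = 1 - (1 - CIA[c]) * (1 - CIA[i]) * (1 - CIA[a])
    impact = 6.42 * isc_base
    exp = 8.22 * AV[av] * AC[ac] * PRIV[pr]
    return min(exp + impact, 10.0) / 10.0

def device_criticality(adjacency, kinds, d=0.85, tau=1e-9, max_iter=10_000):
    """Iterate Y = K X from the SDN initial PR values until |Y - X| < tau (claim 3).
    adjacency[x][y] = 1 means an attack can move from parent x to child y (S_xy).
    The page's K formula is an image; assumed here to be the usual PageRank
    form K = d * S_norm + (1 - d) / N * e e^T, columns normalised by O(B_i)."""
    n = len(kinds)
    out_deg = [sum(row) for row in adjacency]                 # O(B_i)
    K = [[0.0] * n for _ in range(n)]
    for x in range(n):
        for y in range(n):
            share = adjacency[x][y] / out_deg[x] if out_deg[x] else 1.0 / n
            K[y][x] = d * share + (1 - d) / n
    X = [INITIAL_PR[k] for k in kinds]
    for _ in range(max_iter):
        Y = [sum(K[y][x] * X[x] for x in range(n)) for y in range(n)]
        if max(abs(Y[j] - X[j]) for j in range(n)) < tau:
            return Y
        X = Y
    return X

def device_importance(pr, worths):
    """EIm(B_j) = PR(B_j) * Worth(B_j) / 10 (claim 3)."""
    return [p * w / 10.0 for p, w in zip(pr, worths)]

# Constructed sample SDN: two hosts attached to one switch managed by one controller.
KINDS = ["host", "host", "switch", "controller"]
ADJ = [[0, 0, 1, 0],
       [0, 0, 1, 0],
       [0, 0, 0, 1],
       [0, 0, 1, 0]]

if __name__ == "__main__":
    pr = device_criticality(ADJ, KINDS)
    w = [worth("N", "L", "N", "L", "N", "N")] * 2 + [worth("A", "H", "L", "H", "H", "H")] * 2
    for kind, p, e in zip(KINDS, pr, device_importance(pr, w)):
        print(f"{kind:10s} PR={p:6.3f} EIm={e:6.3f}")
```

Because K is column-stochastic the iteration preserves the sum of the initial PR values, so the hosts, which receive no inbound edges, settle at (1 − d)/N times that sum.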
4. The SDN attack intention analysis method based on the Bayesian attack graph as recited in claim 1, characterized in that step 5 specifically comprises the following:
When an attacker attacks a node in the network, the attacker expends human and material resources and also bears the attack cost brought by the attack. The attack cost mainly consists of the probability coefficient of being discovered by the security software of the attacked network when the attacker launches the attack, namely the risk coefficient β, together with the attacker's attack experience on the node. The risk coefficient β is determined by the importance EIm(B_j) of the attacked device: the greater the importance of the node, the higher the probability of being discovered and the greater the risk coefficient. From this analysis, the equipment risk coefficient β(B_j) is calculated as follows:
β(B_j)=EIm(B_j)*ζ(B_j)
Device attack cost cost(B_j): represents the cost an attacker needs to pay to launch an attack on a device in the target network. Since attack experience accumulates as the attacker attacks the device node, the coefficient f increases, and experts assign it different values according to different network environments. The human and material cost HrACost(B_j) required to attack each device defaults to 0.01. Based on the above analysis of the risk coefficient and attack experience, the device attack cost is calculated as follows:
cost(B_j)=f^(n-1)*β(B_j)+HrACost(B_j)
5. The SDN attack intention analysis method based on the Bayesian attack graph as recited in claim 1, characterized in that step 7 specifically comprises the following:
Attack preference is analysed: the preference function is judged mainly by attack cost and attack benefit, namely by the ratio of attack cost to attack benefit; the higher the ratio, the lower the preference function and the lower the likelihood of attacking the target equipment node, and conversely the higher. The ratio of cost to benefit is denoted λ, calculated as follows:
Figure FDA0003586720640000023
the preference function PF is calculated as follows:
Figure FDA0003586720640000031
PF(B_j) ∈ [0,1]. When λ ≥ 1, the preference function is 0, the cost far exceeds the benefit, and the attacker will not attack the node; when λ = 0, the benefit far exceeds the cost, the preference function is 1, and the attacker is certain to attack the node.
6. The SDN attack intention analysis method based on the Bayesian attack graph as recited in claim 1, characterized in that step 9 specifically comprises the following:
The conditional probability of each node is called its local conditional probability distribution function. For a device attribute node B_j, its local conditional probability can be expressed as P_c(B_j | Pa(B_j)), where Pa(B_j) is the set of device parent nodes and v_j represents an attack from a device parent node to the device child node. When S = <B_j, d_j = AND>, all device parent nodes must reach the device child node for the attack to succeed, and the calculation is as follows:
Figure FDA0003586720640000032
When S = <B_j, d_j = OR>, only one device parent node needs to reach the device child node for the attack to succeed, and the calculation is as follows:
Figure FDA0003586720640000033
Device node prior probability: the reachability probability of each device attribute node in the SDN is the joint conditional probability along the nodes passed from the attacked initial node to the current device attribute node; that is, for a node B_j ∈ B_process ∪ B_target, the prior probability of device attribute node B_j is calculated as follows:
Figure FDA0003586720640000034
wherein Pa(B_j) is the set of device parent nodes of device attribute node B_j, and P_c(B_j | Pa(B_j)) represents the prior probability of device attribute node B_j under attack.
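An added example, not from the patent, computing the local conditional probabilities and the prior reachability of claim 6 over a constructed four-node attack graph. The AND/OR formulas and the step probabilities v_j are assumptions (the page's formulas are images); the prior is obtained by exact marginalisation of the joint distribution rather than by any shortcut.

```python
import math
from itertools import product

# Constructed Bayesian attack graph (not from the patent): node -> (type, {parent: v_j}),
# v_j being the success probability of the step parent -> node; a node without parents is
# the attacker's initial foothold and is reached with probability 1.
GRAPH = {
    "host":       ("OR",  {}),
    "switch":     ("OR",  {"host": 0.6}),
    "controller": ("AND", {"switch": 0.7, "host": 0.5}),
    "server":     ("OR",  {"switch": 0.4, "controller": 0.9}),
}

def local_cond_prob(graph, node, states):
    """P_c(B_j = 1 | Pa(B_j)) for given parent states (claim 6). Page formulas are images;
    the usual attack-graph forms are assumed: AND -> prod(v_j) if every parent is reached,
    else 0; OR -> 1 - prod(1 - v_j) over the reached parents."""
    kind, parents = graph[node]
    if not parents:
        return 1.0
    if kind == "AND":
        if not all(states[p] for p in parents):
            return 0.0
        return math.prod(parents.values())
    miss = 1.0
    for p, v in parents.items():
        if states[p]:
            miss *= 1 - v
    return 1 - miss

def prior_probabilities(graph):
    """Prior reachability P(B_j = 1) of every node by exact marginalisation of the joint
    P(B_1..B_n) = prod_j P(B_j | Pa(B_j)) over all 2^n assignments; each factor reads the
    full assignment, so node order does not matter."""
    order = list(graph)
    marg = {n: 0.0 for n in order}
    for bits in product((0, 1), repeat=len(order)):
        s = dict(zip(order, bits))
        p = 1.0
        for n in order:
            pc = local_cond_prob(graph, n, s)
            p *= pc if s[n] else 1 - pc
        for n in order:
            if s[n]:
                marg[n] += p
    return marg

if __name__ == "__main__":
    for node, p in prior_probabilities(GRAPH).items():
        print(f"{node:10s} P(reached) = {p:.4f}")
```

The exact enumeration is exponential in the node count and is meant to make the semantics of the AND/OR nodes checkable on a small graph; a production implementation would use standard Bayesian-network inference instead.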
CN202210364993.5A 2022-04-08 2022-04-08 SDN attack intention analysis method based on Bayesian attack graph Pending CN114726620A (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN202210364993.5A CN114726620A (en) 2022-04-08 2022-04-08 SDN attack intention analysis method based on Bayesian attack graph

Applications Claiming Priority (1)

Application Number Priority Date Filing Date Title
CN202210364993.5A CN114726620A (en) 2022-04-08 2022-04-08 SDN attack intention analysis method based on Bayesian attack graph

Publications (1)

Publication Number Publication Date
CN114726620A true CN114726620A (en) 2022-07-08

Family

ID=82241077

Family Applications (1)

Application Number Title Priority Date Filing Date
CN202210364993.5A Pending CN114726620A (en) 2022-04-08 2022-04-08 SDN attack intention analysis method based on Bayesian attack graph

Country Status (1)

Country Link
CN (1) CN114726620A (en)

Cited By (2)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN116915500A (en) * 2023-09-05 2023-10-20 武汉万数科技有限公司 Security detection method and system for access equipment
CN116915500B (en) * 2023-09-05 2023-11-17 武汉万数科技有限公司 Security detection method and system for access equipment

Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination