CN115225338A - Knowledge graph-based vulnerability association graph generation method and storage medium - Google Patents


Info

Publication number: CN115225338A (granted publication: CN115225338B)
Authority: CN (China)
Application number: CN202210742246.0A
Original language: Chinese (zh)
Inventors: 谭小彬, 程进燕, 彭闯, 姜晓枫, 施钱宝
Assignee: Institute of Artificial Intelligence of Hefei Comprehensive National Science Center
Legal status: granted, active

Classifications

    • H04L63/1433 Vulnerability analysis (under H04L63/14 Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic; H04L63/00 Network architectures or network communication protocols for network security)
    • H04L41/12 Discovery or management of network topologies (under H04L41/00 Arrangements for maintenance, administration or management of data switching networks, e.g. of packet switching networks)
    • H04L41/145 Network analysis or design involving simulating, designing, planning or modelling of a network (under H04L41/14 Network analysis or design)


Abstract

The invention relates to a knowledge graph-based vulnerability association graph generation method and a storage medium. The method comprises: obtaining original vulnerability information and actual network data and preprocessing them; constructing a vulnerability knowledge graph according to a pre-designed vulnerability knowledge graph ontology model; and generating a vulnerability association graph according to a preset vulnerability association graph generation algorithm, the association graph being used for subsequent vulnerability association evaluation, vulnerability repair and vulnerability management. The method uses a knowledge graph to organize and store the data; because a knowledge graph stores knowledge graphically, the association relations among vulnerabilities can be displayed visually, which addresses the poor visualization and poor readability of conventional vulnerability databases. Using the entities and relations of the knowledge graph, the data are organized along the relations between attacks, between attacks and vulnerabilities, and between vulnerabilities, so that the association relations of the vulnerabilities in an ideal state are obtained and vulnerability-related data are organized and reasoned over efficiently.

Description

Knowledge graph-based vulnerability association graph generation method and storage medium
Technical Field
The invention relates to the technical field of network security, and in particular to a knowledge graph-based vulnerability association graph generation method and a storage medium.
Background
Research on how to better manage and repair vulnerabilities has become an important topic in the security field. Evaluating the harmfulness of different vulnerabilities helps enterprises prioritize vulnerability repair; the pressing problem of repair work is to fix first the high-harm vulnerabilities that are easy to attack and whose exploitation causes the most serious consequences and losses.
The Common Vulnerability Scoring System (CVSS) is the vulnerability assessment system currently common in the industry, but it only assesses the hazard of a single vulnerability at the technical level and does not consider the association relations that exist between vulnerabilities.
The association relations of vulnerabilities therefore need to be studied when assessing their criticality. With the improvement of network defense capabilities, the goal of an intrusion can rarely be achieved by a single-step attack any more, and multi-step attacks have become the main means of network attack. A multi-step attack is usually a combination of a series of typical single-step attack techniques, and during the attack it exploits the association relations among different vulnerabilities.
Before the association evaluation of vulnerabilities can be studied, the association relations among the vulnerabilities (that is, the order in which the vulnerabilities are exploited in a multi-step attack) must be obtained. A vulnerability association graph can establish a relatively complete vulnerability attack model and reflect the association relation of each vulnerability node in the system along an attack path.
The existing mainstream vulnerability association graph generation method generates an attack graph with a traditional attack graph generation algorithm and then simplifies the attack graph into a vulnerability association graph according to vulnerability association rules. A commonly used association rule is the privilege escalation rule, i.e. the privilege the attacker holds on the victim host is compared before and after exploitation of the vulnerability.
The quality of a vulnerability association graph generated this way depends not only on the quality of the attack graph generation algorithm but also on the defined vulnerability association rules, which introduces additional errors. Moreover, the association rules between vulnerabilities are defined manually, so the interpretability of the resulting association relations is poor, and simplifying the attack graph into a vulnerability association graph wastes resources.
Traditional vulnerability association evaluation data are stored in a vulnerability database, where the vulnerabilities, their attributes and the association relations between them are expressed as text. The information is poorly visualized and hard to read, potential associations between vulnerabilities are difficult to express visually, the accuracy of a generated vulnerability association graph is difficult to judge, and the vulnerability evaluation process is hard to interpret.
The National Vulnerability Database (NVD) shown in fig. 1 maps vulnerabilities (CVE entries) to weaknesses (CWE entries), and the Common Attack Pattern Enumeration and Classification (CAPEC) shown in fig. 2 associates attack patterns with weaknesses, so vulnerabilities can be associated with one another through the common attack patterns and weaknesses. First, attacks are correlated using the Relationships of the CAPEC data set to obtain the attack order within a multi-step attack; attacks and weaknesses are associated using the Related Weaknesses of the CAPEC data set to obtain the sequence of weaknesses exploited in the multi-step attack; and weaknesses are then associated with vulnerabilities using the CVE-to-CWE relation of the NVD data set, which yields the order in which the vulnerabilities are exploited in the multi-step attack, i.e. the vulnerability association relation in an ideal state.
Disclosure of Invention
The invention provides a knowledge graph-based vulnerability association graph generation method that solves the above technical problems.
To this end, the invention adopts the following technical scheme:
a knowledge graph-based vulnerability association graph generation method comprising the following steps,
S1, acquiring original vulnerability information, acquiring actual network data of the network to be evaluated, and extracting the data required by the evaluation scheme for data preprocessing;
S2, constructing a vulnerability knowledge graph from the data obtained in step S1 according to a pre-designed vulnerability knowledge graph ontology model;
and S3, generating a vulnerability association graph from the vulnerability knowledge graph constructed in step S2 according to a preset vulnerability association graph generation algorithm, the vulnerability association graph being used for subsequent vulnerability association evaluation, vulnerability repair and vulnerability management.
Further, the original vulnerability information in step S1 includes the raw data of the US National Vulnerability Database (NVD) data set in json format, the Common Attack Pattern Enumeration and Classification (CAPEC) data set in csv format, and the China National Information Security Vulnerability Sharing Platform (CNVD) data set in xml format;
the actual network data comprises the network topology, the vulnerability scan information of the network nodes and the asset importance information of the network nodes.
Further, the data preprocessing comprises preprocessing the acquired raw data of the NVD data set in json format, the CAPEC data set in csv format and the CNVD data set in xml format, extracting the data required for evaluation, including the vulnerability CVE numbers, vulnerability CWE numbers, attack pattern numbers, Relationships and Related Weaknesses, and generating the corresponding csv files so that the construction algorithm can later import the data into a graph database;
the data preprocessing also preprocesses the acquired actual network data to obtain the network node relation matrix, the network node vulnerability relation and the network node asset importance information, and generates csv files for the network nodes and their vulnerabilities, again so that the construction algorithm can import the data into the graph database.
Further, constructing the vulnerability knowledge graph comprises the following steps:
The first step: design the vulnerability knowledge graph ontology model. The ontology comprises four entity classes: asset, vulnerability, weakness and attack. The relations comprise five classes: affect (vulnerability points to asset), relate (vulnerability points to weakness), utilize (attack points to weakness), ChildOf (attack points to the attack of the next step in a multi-step attack) and PeerOf (attack points to a peer-level attack). The attributes of an asset, i.e. the node where a vulnerability is located, are the price of the asset and the role the asset plays in the network (client/server); these two attributes reflect the importance of the asset;
The second step: select a graph database;
The third step: design the vulnerability knowledge graph construction algorithm, which organizes the vulnerability data set data, network node set, network node vulnerability relation matrix and network node asset importance attributes produced by the data preprocessing module according to the vulnerability knowledge graph ontology model; the construction algorithm of the vulnerability knowledge graph construction module drives Neo4j through the Python py2neo library to build and store the vulnerability knowledge graph.
Further, generating the vulnerability association graph comprises:
generating the vulnerability association graph with the designed vulnerability association graph generation algorithm from the vulnerability knowledge graph, the actual network node adjacency matrix and the network node vulnerability relation;
the vulnerability association graph generation algorithm obtains the relations between nodes and between nodes and vulnerabilities from the actual network data, traverses the nodes and the vulnerabilities on them, checks in the node relation data whether the nodes hosting two vulnerabilities are adjacent, and queries the vulnerability knowledge graph for whether the two vulnerabilities stand in a preceding/following attack-step relation, thereby generating the vulnerability association graph.
Further, generating the vulnerability association graph comprises:
The first step: acquire the node set, vulnerability set, network node adjacency matrix and network node vulnerability relation matrix produced by the data preprocessing module. Specifically, from the actual network topology obtain the network node set Nodes: [host1 host2 host3 host4 host5] and the corresponding network node adjacency matrix Nodes_Adjacent:
[Nodes_Adjacent: 5 x 5 matrix, given only as an image on the original page]
Nodes_Adjacent[i][j] = 1 means that the (i+1)-th and (j+1)-th nodes of the network node set Nodes are adjacent, and Nodes_Adjacent[i][j] = 0 means that they are not. When the node vulnerability scan information shows that host1 has vulnerability vul1, host2 has vul1 and vul2, host3 has vul3, host4 has vul4 and host5 has vul4, the vulnerability set Vuls: [vul1 vul2 vul3 vul4] and the network node vulnerability relation matrix Nodes_Vuls are obtained (rows host1..host5, columns vul1..vul4):
Nodes_Vuls =
  [1 0 0 0]   (host1: vul1)
  [1 1 0 0]   (host2: vul1, vul2)
  [0 0 1 0]   (host3: vul3)
  [0 0 0 1]   (host4: vul4)
  [0 0 0 1]   (host5: vul4)
Nodes_Vuls[i][j] = 1 means that the (j+1)-th vulnerability of the vulnerability set Vuls exists on the (i+1)-th node of the network node set Nodes;
The second step: generate the host:vulnerability vertices. Traverse the network node set Nodes and the vulnerability set Vuls, query the network node vulnerability relation matrix Nodes_Vuls, and whenever the j-th vulnerability exists on the i-th network node generate the vertex Nodes[i]:Vuls[j];
The third step: create the association edges between the host:vulnerability vertices:
(1) Traverse the rows of the node adjacency matrix Nodes_Adjacent; the i-th row/column corresponds to the i-th node of the node set;
(2) For the i-th row, if i = n, end the traversal and output the vulnerability association graph; otherwise traverse the columns j >= i of the node adjacency matrix, starting from j = i;
(3) For the i-th node, traverse the vulnerability set from 0; if i_vul < m the traversal is not finished, so execute step (4); otherwise j + 1 and jump to step (7);
(4) For the j-th node, traverse the vulnerability set from 0; if j_vul < m the traversal is not finished, so execute step (5); otherwise i_vul + 1 and jump to step (3);
(5) Query the node vulnerability relation matrix Nodes_Vuls; if the i_vul-th vulnerability exists on the i-th node and the j_vul-th vulnerability exists on the j-th node, execute step (6); otherwise j_vul + 1 and jump to step (4);
(6) Query the vulnerability knowledge graph; if the vulnerabilities Vuls[i_vul] and Vuls[j_vul] stand in a preceding/following attack-step relation in the knowledge graph, connect a directed edge between the vertices Nodes[i]:Vuls[i_vul] and Nodes[j]:Vuls[j_vul] of the vulnerability association graph, with the same direction as the relation between the attack patterns a1 and a2 that utilize Vuls[i_vul] and Vuls[j_vul] respectively in the knowledge graph, then j_vul + 1 and jump to step (4); otherwise j_vul + 1 and jump to step (4) directly;
(7) If j < n, query the node adjacency matrix; if the i-th node is adjacent to the j-th node, jump to step (3), otherwise j + 1 and jump to step (7); if j = n, i + 1 and jump to step (2).
In another aspect, the invention also discloses a computer-readable storage medium storing a computer program which, when executed by a processor, causes the processor to perform the steps of the method described above.
According to the above technical scheme, the invention provides a vulnerability association graph generation method based on a vulnerability knowledge graph. The vulnerabilities and attacks of the NVD and CAPEC data sets are organized in the vulnerability knowledge graph, and the relations between vulnerabilities, weaknesses and attacks are stored visually to obtain the association relations of the vulnerabilities in an ideal state. Combined with the asset and vulnerability information of the actual network nodes, the vulnerabilities are linked to the nodes (assets) through the asset and vulnerability entities of the knowledge graph. Finally, the node adjacency matrix and the node vulnerability relation matrix obtained from the actual network topology and the vulnerability scan data are traversed, the vulnerability knowledge graph is queried for attack-step relations between vulnerabilities, and the vulnerability association graph of the actual network is generated, laying the foundation for the subsequent association evaluation of vulnerabilities.
The knowledge graph-based method organizes and stores the data in a knowledge graph; because a knowledge graph stores knowledge graphically, the association relations among vulnerabilities can be displayed visually, which solves the poor visualization and readability of a vulnerability database. Using the entities and relations of the knowledge graph, the data are organized along the relations between attacks, between attacks and vulnerabilities and between vulnerabilities, so that the association relations of the vulnerabilities in an ideal state are obtained and the vulnerability-related data are organized and reasoned over efficiently.
When the knowledge graph is constructed, a vulnerability knowledge graph is first built from the structured knowledge acquired from the NVD, CNVD and CAPEC data sets; then asset (node) entities are generated from the node information of the network, the asset information and the security protection measures installed and deployed in the system, completing the vulnerability knowledge graph. The association relations between vulnerabilities inferred from the data sets are the relations in an ideal state, under the assumption that the system and its vulnerabilities are unbounded. Finally, on the basis of these ideal-state association relations in the knowledge graph, the actual network topology is combined to generate the vulnerability association graph of the actual network.
In summary, based on the NVD and CAPEC data sets, the invention uses a knowledge graph to fully mine the relations between the existing typical databases and obtain the vulnerability association relations in an ideal state, and directly generates the vulnerability association graph by combining the actual network topology and vulnerability scan data, without a traditional attack graph generation algorithm or vulnerability association rules, which reduces the errors and resource waste introduced by the traditional association graph generation process. In addition, the vulnerability knowledge graph shows the association relations of vulnerabilities visually: whether an association between adjacent vulnerabilities in the generated association graph really exists can be verified in the knowledge graph, and how they are associated can be read off explicitly, which improves the quality of the generation algorithm and the interpretability of the association graph.
Drawings
FIG. 1 is an example of a National Vulnerability Database (NVD) record; CVE_data_meta carries the CVE number of the vulnerability, and problemtype carries the weakness (CWE) related to the vulnerability;
FIG. 2 is an example of a Common Attack Pattern Enumeration and Classification (CAPEC) record; Relationships lists the other attack patterns related to this attack pattern, the relations between attack patterns including ChildOf (CanFollow), ParentOf (CanPrecede) and the same-level peer relation PeerOf (CanAlsoBe); Related Weaknesses lists the weaknesses associated with the attack pattern;
FIG. 3 is an overall frame diagram of the present invention;
FIG. 4 is an example of a vulnerability knowledge graph ontology model of an embodiment of the present invention;
FIG. 5 is an example of a constructed vulnerability knowledge graph screenshot of an embodiment of the present invention;
FIG. 6 is an example of a vulnerability association graph according to an embodiment of the present invention;
fig. 7 is a flowchart of a vulnerability association graph generation algorithm according to an embodiment of the present invention.
Detailed Description
In order to make the objects, technical solutions and advantages of the embodiments of the present invention clearer, the technical solutions in the embodiments of the present invention will be clearly and completely described below with reference to the drawings in the embodiments of the present invention, and it is obvious that the described embodiments are some, but not all, embodiments of the present invention.
The embodiment of the invention organizes the vulnerabilities, the attacks, and the relations between vulnerabilities and weaknesses, between weaknesses and attacks and between attacks in the constructed vulnerability knowledge graph, obtains the association relations between vulnerabilities with the reasoning capability of the knowledge graph, and finally generates the vulnerability association graph by combining the actual network topology with the vulnerability information on the nodes. Knowledge graphs have great potential in the field of network security. With their data organization capability, network security data from different sources can be organized, stored and managed uniformly according to the construction scheme designed by the invention. With their reasoning capability, the association relations between vulnerabilities in an ideal state can be inferred from existing data, making full use of the existing vulnerability database NVD and attack pattern catalogue CAPEC. With their visualization capability, the interpretability of the relations between vulnerabilities in the generated association graph is improved. This addresses the large errors, poor interpretability and resource waste of traditional vulnerability association graph generation methods.
Specifically, as shown in fig. 3, the knowledge graph-based vulnerability association graph generation method of this embodiment includes the following steps,
S1, acquire reliable original vulnerability information, such as the NVD data set in json format, the CAPEC data set in csv format and the CNVD data set in xml format; acquire the actual network data of the network to be evaluated, such as the network topology, the vulnerability scan information of the network nodes and the asset importance information of the network nodes; extract the data required by the evaluation scheme, and clean and organize it so that the vulnerability knowledge graph can be constructed on it.
S2, construct the vulnerability knowledge graph from the data obtained in S1 according to the vulnerability knowledge graph ontology model designed by this scheme, so that the vulnerability association graph can be generated from it in the next step.
S3, generate the vulnerability association graph with the designed vulnerability association graph generation algorithm from the vulnerability knowledge graph constructed in S2 and the network node association relation and node vulnerability relation obtained by the preprocessing in S1. The vulnerability association graph can be used for subsequent vulnerability association evaluation, vulnerability repair, vulnerability management and other work.
The following are described separately:
Overall framework
As shown in FIG. 3, the method mainly comprises a data preprocessing module, a vulnerability knowledge graph construction module and a vulnerability association graph generation module. The data sources for constructing the vulnerability knowledge graph are of two kinds: the collected vulnerability data sets (the NVD data set in json format, the CAPEC data set in csv format and the CNVD data set in xml format) and the actual network data. The raw data pass through the data preprocessing module for cleaning and extraction; the preprocessed data are fed to the vulnerability knowledge graph construction module to build the vulnerability knowledge graph; finally the knowledge graph, together with the node adjacency matrix, node set and node vulnerability relation matrix obtained by preprocessing the actual network information, is fed to the vulnerability association graph generation module, which calls the generation algorithm to produce the vulnerability association graph. Vulnerability relevance (an important factor in the association evaluation of vulnerabilities) is then computed on the generated graph, laying the foundation for subsequent vulnerability association evaluation.
Data preprocessing module
The data preprocessing module preprocesses the acquired raw data of the NVD data set in json format, the CAPEC data set in csv format and the CNVD data set in xml format, extracts the vulnerability data set fields required for evaluation (vulnerability CVE number, vulnerability CWE number, attack pattern number, Relationships, Related Weaknesses, and so on) and generates the corresponding csv files so that the construction algorithm can later import them into the graph database.
The data preprocessing module also preprocesses the acquired actual network data to obtain the network node set, the network node asset importance attributes, the vulnerability set and the network node vulnerability relation matrix, and generates csv files for the network nodes and their vulnerabilities so that the construction algorithm can import them into the database; it also produces the network node adjacency matrix used later by the vulnerability association graph generation algorithm.
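The preprocessing described above and the relations the construction module later writes into the graph, as an added example that is not part of the patent: it parses a constructed sample in the shape of an NVD JSON 1.1 feed item and a constructed sample in the shape of the CAPEC CSV export (all CVE, CWE and CAPEC identifiers in the samples are fictitious), extracts the CVE number, CWE number, attack pattern number, Relationships and Related Weaknesses fields, assembles them into edge rows of the ontology's relate, utilize and attack-to-attack relations as they would be written to csv for import, and then derives the ideal-state vulnerability order along the chain vulnerability -> weakness -> attack pattern -> next attack pattern. The field layout of both samples and the shape of the import rows are assumptions of this example; against Neo4j the rows would be loaded with py2neo instead of being kept in memory.

```python
import csv
import io
import json
from collections import defaultdict


def _nvd_item(cve_id, *cwe_values):
    """One item in the shape of an NVD JSON 1.1 feed entry (constructed, not NVD data).
    cve.CVE_data_meta.ID is the CVE number; cve.problemtype carries the CWE ids."""
    return {"cve": {"CVE_data_meta": {"ID": cve_id},
                    "problemtype": {"problemtype_data": [
                        {"description": [{"lang": "en", "value": v} for v in cwe_values]}]}}}


NVD_SAMPLE = json.dumps({"CVE_Items": [
    _nvd_item("CVE-2099-0001", "CWE-79"),
    _nvd_item("CVE-2099-0002", "CWE-89", "NVD-CWE-Other"),  # placeholder value to be dropped
    _nvd_item("CVE-2099-0003"),                             # no weakness recorded
]})

# Constructed sample in the shape of the CAPEC CSV export (fictitious pattern ids 9001-9003).
# 'Related Weaknesses' is a '::'-separated list of CWE numbers; 'Related Attack Patterns'
# is a '::'-separated list of 'NATURE:<nature>:CAPEC ID:<id>' entries.
CAPEC_SAMPLE = """'ID,Name,Related Attack Patterns,Related Weaknesses
9001,Constructed pattern A,::NATURE:ChildOf:CAPEC ID:9003::NATURE:CanPrecede:CAPEC ID:9002::,::79::
9002,Constructed pattern B,::NATURE:CanFollow:CAPEC ID:9001::,::89::9089::
9003,Constructed pattern C,,::94::
"""


def parse_nvd(text):
    """Map each CVE number to its list of CWE numbers; NVD placeholder values such as
    NVD-CWE-Other are dropped, so a CVE may end up with no weakness at all."""
    cves = {}
    for item in json.loads(text)["CVE_Items"]:
        cve = item["cve"]
        cwes = []
        for pt in cve.get("problemtype", {}).get("problemtype_data", []):
            for desc in pt.get("description", []):
                value = desc.get("value", "")
                if value.startswith("CWE-"):
                    cwes.append(value)
        cves[cve["CVE_data_meta"]["ID"]] = cwes
    return cves


def _capec_list(field):
    """Split a '::a::b::' CAPEC list field into its non-empty entries."""
    return [tok for tok in field.split("::") if tok]


def parse_capec(text):
    """Return ({attack pattern: set of CWE numbers}, [(pattern, nature, related pattern)])."""
    reader = csv.DictReader(io.StringIO(text))
    # The export writes the first header cell with a leading apostrophe; normalise it.
    reader.fieldnames = [name.lstrip("'") for name in reader.fieldnames]
    weaknesses, relations = {}, []
    for row in reader:
        pattern = "CAPEC-" + row["ID"]
        weaknesses[pattern] = {"CWE-" + w for w in _capec_list(row["Related Weaknesses"])}
        for entry in _capec_list(row["Related Attack Patterns"]):
            parts = entry.split(":")
            if len(parts) == 4 and parts[0] == "NATURE" and parts[2] == "CAPEC ID":
                relations.append((pattern, parts[1], "CAPEC-" + parts[3]))
    return weaknesses, relations


def ontology_edges(cves, weaknesses, relations):
    """Edge rows (relation, source, target) in the ontology's terms: relate for
    vulnerability -> weakness, utilize for attack -> weakness, and the CAPEC nature
    (ChildOf, PeerOf, CanPrecede, ...) for attack -> attack. This is the csv-ready
    shape the construction algorithm would import into the graph database."""
    rows = [("relate", cve, cwe) for cve, cwes in cves.items() for cwe in cwes]
    rows += [("utilize", pat, cwe) for pat, cwes in weaknesses.items() for cwe in sorted(cwes)]
    rows += [(nature, src, dst) for src, nature, dst in relations]
    return rows


def next_step_edges(relations):
    """Attack order a -> b (a is exploited before b). CAPEC states it either as
    'a CanPrecede b' or as 'b CanFollow a'; both are normalised to the same pair,
    which is the ontology's next-step (ChildOf) edge between attacks."""
    steps = set()
    for src, nature, dst in relations:
        if nature == "CanPrecede":
            steps.add((src, dst))
        elif nature == "CanFollow":
            steps.add((dst, src))
    return steps


def ideal_vul_order(cves, weaknesses, relations):
    """Ideal-state vulnerability association: CVE_a -> CVE_b whenever an attack pattern
    utilizing a weakness of CVE_a is a preceding step of one utilizing a weakness of CVE_b."""
    cwe_to_cves = defaultdict(set)
    for cve, cwes in cves.items():
        for cwe in cwes:
            cwe_to_cves[cwe].add(cve)
    pattern_to_cves = defaultdict(set)
    for pattern, cwes in weaknesses.items():
        for cwe in cwes:
            pattern_to_cves[pattern] |= cwe_to_cves[cwe]
    order = set()
    for a, b in next_step_edges(relations):
        for cve_a in pattern_to_cves[a]:
            for cve_b in pattern_to_cves[b]:
                if cve_a != cve_b:
                    order.add((cve_a, cve_b))
    return sorted(order)
```

Running `ideal_vul_order(parse_nvd(NVD_SAMPLE), *parse_capec(CAPEC_SAMPLE))` on the samples yields the single ideal-state edge CVE-2099-0001 -> CVE-2099-0002: pattern 9001 utilizes CWE-79 (the weakness of CVE-2099-0001) and CanPrecede pattern 9002, which utilizes CWE-89 (the weakness of CVE-2099-0002). CVE-2099-0003 carries no CWE and therefore cannot be placed in any attack sequence, which is exactly the gap a practitioner should expect from NVD entries whose problemtype holds only NVD-CWE-Other or NVD-CWE-noinfo.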
Vulnerability knowledge graph construction module
The vulnerability knowledge graph construction module organizes the data structure according to the designed vulnerability knowledge graph ontology model and the selected graph database, and implements the construction algorithm that generates the vulnerability knowledge graph.
The first step: design the vulnerability knowledge graph ontology model, shown in FIG. 4. The ontology comprises four entity classes: asset, vulnerability, weakness and attack. The relations comprise five classes: affect (vulnerability points to asset), relate (vulnerability points to weakness), utilize (attack points to weakness), ChildOf (attack points to the attack of the next step in a multi-step attack) and PeerOf (attack points to a peer-level attack). The attributes of an asset (the node where a vulnerability is located) are the price of the asset and the role (client/server) it plays in the network, which reflect the importance of the asset to some extent.
The second step: select a graph database. The graph database Neo4j is selected.
The third step: design the vulnerability knowledge graph construction algorithm. The vulnerability data set data, network node set, network node vulnerability relation matrix and network node asset importance attributes (node price, role, etc.) produced by the data preprocessing module are organized according to the ontology model; the construction algorithm of the vulnerability knowledge graph construction module drives Neo4j through the Python py2neo library to build and store the vulnerability knowledge graph shown in FIG. 5.
Vulnerability association graph generation module
The vulnerability association graph generation module generates the vulnerability association graph with the designed generation algorithm, based on the vulnerability knowledge graph, the adjacency matrix of the actual network nodes and the node-vulnerability relation matrix. Taking fig. 6 as an example: when the actual network topology is as shown in the left graph, the data obtained by preprocessing the actual network information and the vulnerability knowledge graph are fed to the generation algorithm shown in fig. 7, which produces the vulnerability association graph shown in the right graph.
In the generated vulnerability association graph, a directed arrow points from the vulnerability exploited by the previous step of a multi-step attack to the vulnerability exploited by the next step. The directed edge is characterised by the importance of the assets on which its two endpoint vulnerabilities are located:
(formula given only as an image in the original)
which reflects the importance of the assets (network nodes) of the two vulnerabilities joined by the directed edge. The weight of the directed edge is the average of the importance of the assets on which the two vulnerabilities it connects are located:
(formula given only as an image in the original)
The rationale is that an attacker tends to attack more important vulnerabilities: when the same vulnerability points to several different vulnerabilities, the higher the importance of the pointed-to vulnerability, the more likely the attacker is to select it as the next attack target, and the importance of the asset on which a vulnerability is located reflects the importance of the vulnerability to a certain extent.
The idea of the vulnerability association graph generation algorithm is to obtain the relations between nodes and between nodes and vulnerabilities from the actual network data, traverse the nodes and the vulnerabilities on them (depth-first), and query the vulnerability knowledge graph for whether a predecessor/successor attack-step relation exists between two vulnerabilities; the vulnerability association graph is generated from these results. The flowchart of the algorithm is shown in fig. 7.
The first step: obtain the node set, the vulnerability set, the network node adjacency matrix and the node-vulnerability relation matrix produced by the data preprocessing module. For the actual network topology shown in the figure, the network node set Nodes is obtained as [host1 host2 host3 host4 host5], together with the network node adjacency matrix Nodes_Adjacent of the network:
(matrix given only as an image in the original)
Nodes_Adjacent[i][j] = 1 means that the (i+1)th node and the (j+1)th node of the network node set Nodes are adjacent, and Nodes_Adjacent[i][j] = 0 means that they are not adjacent. When the node vulnerability scanning information shows that host1 has vulnerability vul1, host2 has vulnerabilities vul1 and vul2, host3 has vulnerability vul3, host4 has vulnerability vul4 and host5 has vulnerability vul4, the vulnerability set Vuls = [vul1 vul2 vul3 vul4] and the node-vulnerability relation matrix Nodes_Vuls are obtained:
Nodes_Vuls =
  [1 0 0 0]   (host1)
  [1 1 0 0]   (host2)
  [0 0 1 0]   (host3)
  [0 0 0 1]   (host4)
  [0 0 0 1]   (host5)
Nodes_Vuls[i][j] = 1 means that the (j+1)th vulnerability of the vulnerability set Vuls exists on the (i+1)th node of the network node set Nodes.
The second step: generate the (host: vulnerability) vertices. Traverse the network node set Nodes and the vulnerability set Vuls, query the node-vulnerability relation matrix Nodes_Vuls to determine whether the ith network node has the jth vulnerability, and if so generate a (Nodes[i]: Vuls[j]) vertex.
The third step: create the association edges between the (host: vulnerability) vertices.
(1) Traverse the rows of the node adjacency matrix Nodes_Adjacent (the ith column/row corresponds to the ith node in the node set).
(2) For the ith row: if i = n, end the traversal and output the vulnerability association graph; otherwise traverse the columns j >= i of the node adjacency matrix, starting from j = i.
(3) For the ith node, traverse the vulnerability set from 0: if i_vul < m the traversal is not complete, execute step (4); otherwise j + 1 and jump to step (7).
(4) For the jth node, traverse the vulnerability set from 0: if j_vul < m the traversal is not complete, execute step (5); otherwise i_vul + 1 and jump to step (3).
(5) Query the node-vulnerability relation matrix Nodes_Vuls: if the i_vul-th vulnerability exists on the ith node and the j_vul-th vulnerability exists on the jth node at the same time, execute step (6); otherwise j_vul + 1 and jump to step (4).
(6) Query the vulnerability knowledge graph: if vulnerability Vuls[i_vul] and vulnerability Vuls[j_vul] have a predecessor/successor attack-step relation in the knowledge graph, connect a directed edge between the vertices (Nodes[i]: Vuls[i_vul]) and (Nodes[j]: Vuls[j_vul]), with the same direction as the relation between the attack patterns a1 and a2 associated in the knowledge graph with Vuls[i_vul] and Vuls[j_vul] respectively, then j_vul + 1 and jump to step (4); otherwise j_vul + 1 directly and jump to step (4).
(7) If j < n, query the node adjacency matrix: if the ith node is adjacent to the jth node, jump to step (3); otherwise j + 1 and jump to step (7). If j = n, i + 1 and jump to step (2).
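The traversal of steps (1) to (7), written out in Python as an added example (not the patent's code): the Neo4j/Py2Neo query of the knowledge graph is replaced by an in-memory relation table, and the adjacency matrix, the asset importance values and the attack-step relations are constructed here, since the page gives them only as figures. Nodes and Nodes_Vuls are the page's own example data.

```python
# Added example of the steps (1)-(7) traversal; not the patent's code. The
# Neo4j/Py2Neo knowledge-graph query is replaced by an in-memory relation table.

# The page's example: five hosts, four vulnerabilities.
NODES = ["host1", "host2", "host3", "host4", "host5"]
VULS = ["vul1", "vul2", "vul3", "vul4"]

# Nodes_Vuls[i][j] == 1 <=> VULS[j] exists on NODES[i] (from the page's scan data).
NODES_VULS = [
    [1, 0, 0, 0],  # host1: vul1
    [1, 1, 0, 0],  # host2: vul1, vul2
    [0, 0, 1, 0],  # host3: vul3
    [0, 0, 0, 1],  # host4: vul4
    [0, 0, 0, 1],  # host5: vul4
]

# Nodes_Adjacent[i][j] == 1 <=> NODES[i] and NODES[j] are directly connected.
# Constructed assumption (the page shows this matrix only as an image).
NODES_ADJACENT = [
    [0, 1, 0, 0, 0],
    [1, 0, 1, 1, 0],
    [0, 1, 0, 1, 0],
    [0, 1, 1, 0, 1],
    [0, 0, 0, 1, 0],
]

# Asset importance per host (from price and role in the patent); constructed values.
IMPORTANCE = {"host1": 1.0, "host2": 2.0, "host3": 3.0, "host4": 5.0, "host5": 4.0}

# Stand-in for the knowledge-graph query: (a, b) means the attack pattern that
# exploits a is linked by childOf to a next step exploiting b. Constructed.
KG_NEXT_STEP = {
    ("vul1", "vul2"), ("vul2", "vul3"), ("vul3", "vul4"),
    ("vul1", "vul4"), ("vul4", "vul2"),
}

def kg_attack_step_relation(vul_a, vul_b):
    """+1 if a precedes b, -1 if b precedes a, 0 if the graph records no relation."""
    if (vul_a, vul_b) in KG_NEXT_STEP:
        return 1
    if (vul_b, vul_a) in KG_NEXT_STEP:
        return -1
    return 0

def generate_vertices(nodes, vuls, nodes_vuls):
    """Step 2: one (host, vul) vertex for every 1 in Nodes_Vuls."""
    return [(nodes[i], vuls[j])
            for i in range(len(nodes)) for j in range(len(vuls)) if nodes_vuls[i][j]]

def generate_edges(nodes, vuls, nodes_adjacent, nodes_vuls, importance, relation):
    """Step 3: {(src_vertex, dst_vertex): weight} for vertices on adjacent hosts,
    the weight being the mean importance of the two assets, as defined above."""
    n, m = len(nodes), len(vuls)
    edges = {}
    for i in range(n):
        for j in range(i, n):                     # columns j >= i, as in step (2)
            if not nodes_adjacent[i][j]:          # step (7): only adjacent hosts
                continue
            for i_vul in range(m):
                if not nodes_vuls[i][i_vul]:      # step (5): vul must be on host i ...
                    continue
                for j_vul in range(m):
                    if not nodes_vuls[j][j_vul]:  # ... and on host j
                        continue
                    d = relation(vuls[i_vul], vuls[j_vul])   # step (6): KG lookup
                    if d == 0:
                        continue
                    src, dst = (nodes[i], vuls[i_vul]), (nodes[j], vuls[j_vul])
                    if d < 0:                     # edge follows the attack-step direction
                        src, dst = dst, src
                    edges[(src, dst)] = (importance[src[0]] + importance[dst[0]]) / 2
    return edges

def build_association_graph():
    """Run both steps on the example data and return (vertices, edges)."""
    vertices = generate_vertices(NODES, VULS, NODES_VULS)
    edges = generate_edges(NODES, VULS, NODES_ADJACENT, NODES_VULS,
                           IMPORTANCE, kg_attack_step_relation)
    return vertices, edges

if __name__ == "__main__":
    verts, edges = build_association_graph()
    print("vertices:", ["%s:%s" % v for v in verts])
    for (src, dst), w in sorted(edges.items(), key=lambda e: -e[1]):
        print("%s:%s -> %s:%s  weight=%.1f" % (src + dst + (w,)))
```

Note that vul1 -> vul4 is in the relation table but no edge is produced between host1:vul1 and host4:vul4, because those hosts are not adjacent; the adjacency check in step (7) is what keeps knowledge-graph relations from turning into edges the topology does not support.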
In summary, based on the NVD and CAPEC data sets, the knowledge graph is used to fully mine the relations between existing typical databases and obtain the vulnerability association relations in an ideal state; the vulnerability association graph is then generated directly by combining the actual network topology and the vulnerability scanning data, without the processing required by a traditional attack graph generation algorithm and vulnerability association rules, which avoids the many errors and the waste of resources incurred when a traditional association graph generation method is used. Furthermore, the vulnerability knowledge graph shows the association relations of vulnerabilities visually: whether an association really exists between adjacent vulnerabilities in the generated vulnerability association graph can be verified in the knowledge graph, and how the adjacent vulnerabilities are associated can be found explicitly, which improves the quality of the generation algorithm and the interpretability of the association graph.
In yet another aspect, the present invention also discloses a computer readable storage medium storing a computer program which, when executed by a processor, causes the processor to perform the steps of any of the methods described above.
In yet another aspect, the present invention also discloses a computer device comprising a memory and a processor, the memory storing a computer program which, when executed by the processor, causes the processor to perform the steps of any of the methods described above.
In a further embodiment provided by the present application, there is also provided a computer program product comprising instructions which, when run on a computer, cause the computer to perform the steps of any of the methods of the above embodiments.
It is understood that the system provided by the embodiment of the present invention corresponds to the method provided by the embodiment of the present invention; for the explanation, examples and beneficial effects of the related content, refer to the corresponding parts of the method.
It will be understood by those skilled in the art that all or part of the processes of the methods of the embodiments described above may be implemented by a computer program, which may be stored in a non-volatile computer readable storage medium and, when executed, may include the processes of the embodiments of the methods described above. Any reference to memory, storage, database or other medium used in the embodiments provided herein can include non-volatile and/or volatile memory. Non-volatile memory can include read-only memory (ROM), programmable ROM (PROM), electrically programmable ROM (EPROM), electrically erasable programmable ROM (EEPROM) or flash memory. Volatile memory can include random access memory (RAM) or external cache memory. By way of illustration and not limitation, RAM is available in a variety of forms such as static RAM (SRAM), dynamic RAM (DRAM), synchronous DRAM (SDRAM), double data rate SDRAM (DDR SDRAM), enhanced SDRAM (ESDRAM), synchronous link DRAM (SLDRAM), Rambus direct RAM (RDRAM), direct Rambus dynamic RAM (DRDRAM) and Rambus dynamic RAM (RDRAM).
The technical features of the above embodiments can be arbitrarily combined, and for the sake of brevity, all possible combinations of the technical features in the above embodiments are not described, but should be considered as the scope of the present specification as long as there is no contradiction between the combinations of the technical features.
The above examples are only intended to illustrate the technical solution of the present invention, and not to limit it; although the present invention has been described in detail with reference to the foregoing embodiments, it will be understood by those of ordinary skill in the art that: the technical solutions described in the foregoing embodiments may still be modified, or some technical features may be equivalently replaced; and such modifications or substitutions do not depart from the spirit and scope of the corresponding technical solutions of the embodiments of the present invention.

Claims (7)

1. A knowledge-graph-based vulnerability association graph generation method, characterized by comprising the following steps:
S1, acquiring original vulnerability information, acquiring actual network data of the network to be evaluated, and extracting the data required by the evaluation scheme for data preprocessing;
S2, constructing a vulnerability knowledge graph based on the data obtained in step S1 and according to a pre-designed vulnerability knowledge graph ontology model;
S3, generating a vulnerability association graph based on the vulnerability knowledge graph constructed in step S2 according to a preset vulnerability association graph generation algorithm, wherein the vulnerability association graph is used for subsequent vulnerability association evaluation, vulnerability repair and vulnerability management.
2. The knowledge-graph-based vulnerability association graph generation method of claim 1, wherein:
the original vulnerability information in step S1 comprises the raw data of the United States National Vulnerability Database (NVD) data set in json format, the Common Attack Pattern Enumeration and Classification (CAPEC) data set in csv format, and the China National Vulnerability Database (CNVD, the national information security vulnerability sharing platform) data set in xml format;
the actual network data comprises a network topology structure, vulnerability scanning information of network nodes and asset importance information of the network nodes.
3. The knowledge-graph-based vulnerability association graph generation method according to claim 2, wherein: the data preprocessing comprises preprocessing the acquired raw data of the NVD data set in json format, the CAPEC attack pattern data set in csv format and the CNVD data set in xml format, extracting the data required for evaluation, including vulnerability CVE numbers, vulnerability CWE numbers, attack pattern numbers, relationships, related weaknesses and the like, and generating the corresponding csv files so that the construction algorithm can later import the data into the graph database;
the data preprocessing also preprocesses the acquired actual network data to obtain the network node relation matrix, the node-vulnerability relations and the asset importance information of the network nodes, and generates csv files for the network nodes and their vulnerabilities so that the construction algorithm can later import the data into the graph database.
4. The knowledge-graph-based vulnerability correlation graph generation method according to claim 1, wherein: the constructing of the vulnerability knowledge graph comprises the following steps:
the first step: designing the vulnerability knowledge graph ontology model, wherein the ontology comprises four classes, including assets, vulnerabilities and attacks, and five relation types: affect (vulnerability points to asset), relationship (vulnerability points to vulnerability), utilize (attack points to vulnerability), childOf (attack step points to the next attack step in a multi-step attack) and PeerOf (attack points to a peer-level attack); the attributes of an asset, namely the node on which a vulnerability is located, comprise the price of the asset and the role of the asset in the network, namely client/server, and the two attributes reflect the importance of the asset;
the second step: selecting a graph database;
the third step: designing the vulnerability knowledge graph construction algorithm, and organizing the vulnerability data set, the network node set, the node-vulnerability relation matrix and the asset importance attributes of the network nodes produced by the data preprocessing module according to the vulnerability knowledge graph ontology model; the construction algorithm of the vulnerability knowledge graph construction module operating Neo4j through the Py2Neo library for Python to construct and store the vulnerability knowledge graph.
5. The knowledge-graph-based vulnerability association graph generation method of claim 1, wherein: the generation of the vulnerability association graph comprises the following steps:
generating the vulnerability association graph with the designed vulnerability association graph generation algorithm, based on the vulnerability knowledge graph, the adjacency matrix of the actual network nodes and the node-vulnerability relations;
the vulnerability association graph generation algorithm obtains the relations between nodes and between nodes and vulnerabilities from the actual network data, traverses the nodes and the vulnerabilities on them, queries the node relation data for whether the nodes on which two vulnerabilities are located are associated, and queries the vulnerability knowledge graph for whether a predecessor/successor attack-step relation exists between the two vulnerabilities, thereby generating the vulnerability association graph.
6. The knowledge-graph-based vulnerability correlation graph generation method of claim 5, wherein: the generation of the vulnerability association graph comprises the following steps:
the first step: acquiring the node set, the vulnerability set, the network node adjacency matrix and the node-vulnerability relation matrix produced by the data preprocessing module; specifically, based on the actual network topology, acquiring the network node set Nodes = [host1 host2 host3 host4 host5] and the network node adjacency matrix Nodes_Adjacent of the network:
(matrix given only as an image in the original)
Nodes_Adjacent[i][j] = 1 means that the (i+1)th node and the (j+1)th node of the network node set Nodes are adjacent, and Nodes_Adjacent[i][j] = 0 means that they are not adjacent; when the node vulnerability scanning information shows that host1 has vulnerability vul1, host2 has vulnerabilities vul1 and vul2, host3 has vulnerability vul3, host4 has vulnerability vul4 and host5 has vulnerability vul4, the vulnerability set Vuls = [vul1 vul2 vul3 vul4] and the node-vulnerability relation matrix Nodes_Vuls are obtained:
Nodes_Vuls =
  [1 0 0 0]   (host1)
  [1 1 0 0]   (host2)
  [0 0 1 0]   (host3)
  [0 0 0 1]   (host4)
  [0 0 0 1]   (host5)
Nodes_Vuls[i][j] = 1 means that the (j+1)th vulnerability of the vulnerability set Vuls exists on the (i+1)th node of the network node set Nodes;
the second step: generating the (host: vulnerability) vertices; traversing the network node set Nodes and the vulnerability set Vuls, querying the node-vulnerability relation matrix Nodes_Vuls to determine whether the jth vulnerability exists on the ith network node, and if so generating a (Nodes[i]: Vuls[j]) vertex;
the third step: creating the association edges between the (host: vulnerability) vertices;
(1) traversing the rows of the node adjacency matrix Nodes_Adjacent, the ith column/row corresponding to the ith node in the node set;
(2) for the ith row: if i = n, ending the traversal and outputting the vulnerability association graph; otherwise traversing the columns j >= i of the node adjacency matrix, starting from j = i;
(3) for the ith node, traversing the vulnerability set from 0: if i_vul < m the traversal is not complete, executing step (4); otherwise j + 1 and jumping to step (7);
(4) for the jth node, traversing the vulnerability set from 0: if j_vul < m the traversal is not complete, executing step (5); otherwise i_vul + 1 and jumping to step (3);
(5) querying the node-vulnerability relation matrix Nodes_Vuls: if the i_vul-th vulnerability exists on the ith node and the j_vul-th vulnerability exists on the jth node at the same time, executing step (6); otherwise j_vul + 1 and jumping to step (4);
(6) querying the vulnerability knowledge graph: if vulnerability Vuls[i_vul] and vulnerability Vuls[j_vul] have a predecessor/successor attack-step relation in the vulnerability knowledge graph, connecting a directed edge between the vertices (Nodes[i]: Vuls[i_vul]) and (Nodes[j]: Vuls[j_vul]) of the vulnerability association graph, with the same direction as the relation between the attack patterns a1 and a2 associated in the vulnerability knowledge graph with Vuls[i_vul] and Vuls[j_vul] respectively, then j_vul + 1 and jumping to step (4); otherwise j_vul + 1 directly and jumping to step (4);
(7) if j < n, querying the node adjacency matrix: if the ith node is adjacent to the jth node, jumping to step (3); otherwise j + 1 and jumping to step (7); if j = n, i + 1 and jumping to step (2).
7. A computer-readable storage medium, storing a computer program which, when executed by a processor, causes the processor to carry out the steps of the method according to any one of claims 1 to 6.
CN202210742246.0A 2022-06-28 2022-06-28 Knowledge graph-based vulnerability association graph generation method and storage medium Active CN115225338B (en)

Publications (2)

Publication Number Publication Date
CN115225338A true CN115225338A (en) 2022-10-21
CN115225338B CN115225338B (en) 2023-12-12

Legal Events

Code Title
PB01 Publication
SE01 Entry into force of request for substantive examination
GR01 Patent grant