CN115242507A - Attack graph generation system and method based on set parameter maximum value - Google Patents

Attack graph generation system and method based on set parameter maximum value Download PDF

Info

Publication number: CN115242507A
Authority: CN (China)
Prior art keywords: attack, information, vulnerability, graph, difficulty
Legal status: Pending
Application number: CN202210867530.0A
Other languages: Chinese (zh)
Inventor: 何精铭
Current assignee: Sichuan Qiruike Technology Co Ltd
Original assignee: Sichuan Qiruike Technology Co Ltd
Priority date: 2022-07-22
Filing date: 2022-07-22
Publication date: 2022-10-25

Classifications

    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L63/00 Network architectures or network communication protocols for network security
    • H04L63/14 Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic
    • H04L63/1408 Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic by monitoring network traffic
    • H04L63/1416 Event detection, e.g. attack signature detection
    • H04L63/1433 Vulnerability analysis

Landscapes

  • Engineering & Computer Science (AREA)
  • Computer Security & Cryptography (AREA)
  • Computer Hardware Design (AREA)
  • Computing Systems (AREA)
  • General Engineering & Computer Science (AREA)
  • Computer Networks & Wireless Communication (AREA)
  • Signal Processing (AREA)
  • Data Exchanges In Wide-Area Networks (AREA)

Abstract

The invention discloses an attack graph generation system and method based on a set parameter maximum value. The system comprises an asset collection module, a host information module, a network information module, an attack rule base and an attack graph generation module. The asset collection module collects the network information of a test target, manually or with tools, and divides it into two parts, host information and network information: the host information comprises vulnerability information and service information, and the network information comprises configuration information, topology information and connection information. The attack rule base stores the basis required for generating the attack graph. The system and method make the generation of the attack graph more flexible and more targeted.

Description

Attack graph generation system and method based on set parameter maximum value
Technical Field
The invention relates to the technical field of network security, in particular to an attack graph generation system and method based on a set parameter maximum value.
Background
Network security (cyber security) means that the hardware, software and data of a network system are protected from being damaged, altered or leaked for accidental or malicious reasons, that the system operates continuously, reliably and normally, and that network services are not interrupted. In order to discover the security vulnerabilities in a system, understand the threats faced by the services in the network environment, and find the weak parts that are vulnerable to hacker attacks, security experts have proposed various security assurance methods; penetration testing is one of them, and is also one of the most ideal methods at present. Penetration testers simulate the attacks of real hackers, on the premise of keeping the whole system safe, and obtain unauthorized access by various methods. Finally, according to the test results, a test report is produced that can serve as an important guideline for further establishing the system's security defense strategy.
Currently, the commonly used penetration test models include those based on attack trees, attack graphs, Petri nets and the like. The attack graph model is the one most used in research on the whole penetration test process. Existing research on attack graphs focuses mainly on the automatic generation of network attack graphs and on algorithm improvements, for example generation methods based on breadth-first search and Bayesian algorithms, after which a visualization tool renders the paths to form a complete attack graph. However, the existing models have problems: the scale of the attack graph is too large, the space and time complexity are high, intuitive analysis by penetration testers is not facilitated, it is very difficult to pick out a high-damage path directly from the attack graph, the attack graph lacks pertinence, the generation efficiency is low, and no valuable guidance can be provided for the implementation of the subsequent penetration test.
Disclosure of Invention
In order to solve these technical problems, the attack graph generation system and method based on a set parameter maximum value detect and screen attack paths at the same time by limiting the number of attack steps, the difficulty index of vulnerability exploitation and the acceptable number of high-difficulty vulnerabilities, generate attack paths with relatively low cost, and find the relatively weak links in a target network. The method also makes the generation of the attack graph more flexible and more targeted.
In order to achieve these technical effects, the invention provides the following technical scheme:
An attack graph generation system based on a set parameter maximum value comprises an asset collection module, a host information module, a network information module, an attack rule base and an attack graph generation module. The asset collection module collects the network information of the test target, manually or with tools, and divides it into two parts, host information and network information; the host information includes vulnerability information and service information, the network information includes configuration information, topology information and connection information, and the attack rule base stores the basis required for generating the attack graph.
The asset collection module collects information related to the domain name and IP address of the test target through the penetration testers' analysis of the test requirements, and also scans the target with an open source tool, detects the network topology, and defines the connection relations between hosts and the configuration information and vulnerabilities of the hosts.
In a further technical scheme, the attack rule base is built on the host vulnerability base: rules are mapped from attack patterns, and the attack rules are abstracted and analyzed.
In a further technical scheme, the attack rule base comprises the attack difficulty, a hazard index, CVE and CNNVD vulnerability numbers, the privileges required to exploit the vulnerability and the impact caused by the vulnerability.
In a further technical scheme, the attack graph comprises an attack path element, an attack node element, a cost element for the cost required by the attack, and a parameter maximum value limiting element.
In a further technical scheme, the parameter maximum value limiting element comprises a maximum attack step length, a maximum attack difficulty coefficient and a number of high-difficulty vulnerabilities.
In a further technical scheme, the attack step length is the length of an attack path: the longer the path, the greater the attack difficulty and the greater the exploitation difficulty, so a maximum value Lmax is set, and a path is abandoned when its length exceeds Lmax. The maximum attack difficulty coefficient refers to the difficulty of the conditions for exploiting a vulnerability, and the penetration tester sets a certain difficulty coefficient value Dmax. The number of high-difficulty vulnerabilities is the number of vulnerabilities exceeding Dmax on one attack edge of the attack graph; this number is assumed to be X, and when the detected number exceeds X, the edge is ignored in the generation of the attack graph.
In a further technical scheme, the attack graph generation method abandons a path when the number of high-difficulty vulnerabilities on a certain attack edge exceeds X or the length of the attack path exceeds Lmax, and otherwise generates the corresponding edge of the attack graph.
The invention also provides an attack graph generation method based on a set parameter maximum value, comprising: the asset collection module collects the information available during an attack and distributes it to the host information module and the network information module; the attack graph is generated in combination with the rules of the attack rule base, where the attack rule base maps rules from attack patterns on the basis of the host vulnerability base and abstracts and analyzes the attack rules; the parameter maximum values comprise the maximum attack step length Lmax, the maximum attack difficulty coefficient Dmax and the number X of high-difficulty vulnerabilities, and the corresponding attack graph is generated by setting the three values Lmax, Dmax and X.
Compared with the prior art, the invention has the following beneficial effects: the attack graph generation system and method based on a set parameter maximum value detect and screen attack paths at the same time by limiting the number of attack steps, the difficulty index of vulnerability exploitation and the acceptable number of high-difficulty vulnerabilities, generate relatively low-cost attack paths and find the relatively weak links in a target network.
Drawings
FIG. 1 is a schematic diagram of an attack graph generation based on a set parameter maximum value;
FIG. 2 is a schematic diagram of attack rule base generation;
FIG. 3 is a diagram of an enterprise network topology;
FIG. 4 is a list of the services and corresponding ports used by the live hosts in Example 2.
Detailed Description
The invention will be further explained and explained with reference to the drawings and the embodiments.
Example 1
The invention provides an attack graph generation system based on a set parameter maximum value, which comprises an asset collection module, a host information module, a network information module, an attack rule base and an attack graph generation module, as shown in FIG. 1. Asset collection gathers the network information of the test target, manually or with tools, and divides it into host information and network information. The host information mainly comprises vulnerability information and service information; the network information mainly comprises configuration information, topology information and connection information. This information enters the attack graph generation module and is combined with the attack rule base to generate an attack graph. The asset collection module collects information such as the domain name and IP address of the test target through the penetration testers' analysis of the test requirements; the requirements analysis relies primarily on communication with the customer. The asset collection module scans the target with an open source tool, detects the network topology, and makes clear the connection relations among the hosts and the configuration information and vulnerabilities of the hosts. The host information module holds the incoming vulnerability information and service information. The network information module holds the incoming configuration information, topology information and connection information. The attack rule base stores the basis required for generating the attack graph. The attack rules are established by abstract analysis of the host vulnerabilities collected by the two information modules, on the basis of the Common Attack Pattern Enumeration and Classification (CAPEC), as shown in FIG. 2.
Host vulnerabilities are obtained by comparing the output of the information collection module against the two vulnerability databases CVE (Common Vulnerabilities and Exposures) and CNNVD (China National Vulnerability Database of Information Security). The attack rules comprise the attack difficulty, hazard indexes, CVE and CNNVD vulnerability numbers, the privileges required to exploit the vulnerabilities, the impact caused by the vulnerabilities, and the like. The attack graph generation module generates the graph according to the attack rule base. The attack graph comprises the attack path, the attack nodes, the cost required by the attack and the parameter maximum value limits. The parameter maximum value limits are the focus of the invention: the invention screens and enumerates the attack graph by setting parameter maximum values, and the set parameters comprise the maximum attack step length, the maximum attack difficulty coefficient and the number of high-difficulty vulnerabilities. The attack step length is the length of an attack path; the longer the path, the greater the attack difficulty and the greater the exploitation difficulty, so a maximum value Lmax is set, and when an attack path exceeds Lmax the path is abandoned. The attack difficulty coefficient refers to the difficulty of the conditions for exploiting a vulnerability: the simplest case is one that a beginner can achieve, and the most difficult case requires an experienced hacker and harsh exploitation conditions. The penetration tester sets a certain difficulty coefficient value Dmax; when a vulnerability's difficulty exceeds Dmax, that attack mode is difficult to achieve.
The number of high-difficulty vulnerabilities is the number of vulnerabilities exceeding Dmax on one attack edge of the attack graph; this number is assumed to be X, and when the detected number exceeds X, the edge is ignored in the generation of the attack graph. The generation and judgement of the attack graph is therefore: when the number of high-difficulty vulnerabilities on a certain attack edge exceeds X, or the length of the attack path exceeds Lmax, the path is abandoned; otherwise the corresponding edge of the attack graph is generated. By setting the three values Lmax, Dmax and X, low-value paths can be screened out within a reasonable range, and a more compact, low-cost attack graph is generated.
Example 2
An attack graph generation method based on a set parameter maximum value is used to generate the attack graph used in a penetration test. Taking penetration of the enterprise local area network shown in FIG. 3 as an example, the method comprises the following steps:
Step 1.1: information collection is carried out on the enterprise's network environment. There are 7 hosts, of which hackpc is the attacker machine used by the penetration testers, with IP address 192.168.30.1;
Step 1.2: through detection scanning of the local area network, 6 further live addresses are found, namely 192.168.35.1, 192.168.35.3, 192.168.39.1, 192.168.39.2 and 192.168.39.3;
Step 1.3: during collection, the services and corresponding ports used by the live hosts are also detected, as shown in FIG. 4;
Step 2.1: the known information is classified and sorted into host information and network information;
Step 2.2: further, the host information is refined into vulnerability information and service information, and the network information into configuration information, topology information and connection information; for example, there are two subnets, 35 and 39, and the open services that may exist include remote access and the like;
Step 3.1: the collected information is compared against the CVE database and attack rules are mapped out;
Step 3.2: 192.168.35.1 and 192.168.35.2 both expose port 445, so a vulnerability attacking the SMB service exists in the CVE database, numbered CVE-2017-0146; its exploitation difficulty is small, its risk coefficient extremely high and its range of influence huge;
Step 3.3: in the 35 subnet, 192.168.35.1 runs the remote desktop service, so CVE-2019-0708, CVE-2016-2183 and the like may exist; 192.168.35.2 opens port 21 with an FTP service, where CVE-2013-4730 may exist; 192.168.35.3 opens two HTTP services that require direct access attempts and further analysis to determine which vulnerabilities exist, so the attack path is longer than for a directly exploitable vulnerability; 192.168.35.3 also opens 3306, where possible high-severity vulnerabilities include CVE-2018-2696, CVE-2018-2591 and CVE-2018-2562;
Step 3.4: in the 39 subnet there are three HTTP services; their vulnerabilities can only be analyzed after further access, so the attack path is longer. 192.168.39.2 opens 1433, where three exploitation modes may exist, brute forcing, injection and weak SA passwords; all are simple and have a small difficulty coefficient, but as long as the enterprise sets a complex password the host is not easily attacked, so the damage degree is smaller than that of the vulnerability in step 3.2. 192.168.39.3 opens port 7001 with a WebLogic service, which maps to many vulnerabilities of different damage degrees in CVE, such as CVE-2017-3506, CVE-2017-10271, CVE-2017-3248, CVE-2019-2725, CVE-2020-14645, CVE-2020-14883, CVE-2020-2551 and the like, so many attack paths can be generated and the breadth of the attack graph increases;
Step 4.1: with the groundwork of the previous steps, the corresponding asset information and attack rule base exist, and generation of the attack graph now starts;
Step 4.2: the maximum attack step length Lmax = a, the maximum attack difficulty coefficient Dmax = b and the number X = c of high-difficulty vulnerabilities are set;
Step 4.3: after the information of the previous three steps has been collected, the penetration tester knows the topology information and connection relations and obtains the number of hops from each host node to the target host. The connection relations are stored in a database using an adjacency matrix data structure, and this is used as the prototype from which the attack graph is generated;
Step 4.4: path generation is executed on the basis of the prototype graph. For each edge, the next host is scanned and probed on the premise of the privileges held on the current host, and whether a feasible attack path exists is screened according to the attack rule base generated in the earlier step;
Step 4.5: if a match is found, a certain attack path exists, and the current attack difficulty coefficient and attack step length are recorded; if there is no match, this edge of the adjacency matrix is discarded. When the recorded attack step length exceeds Lmax = a or the number of high-difficulty vulnerabilities exceeds X = c, the path is discarded;
Step 4.6: the steps are repeated to find all matching edges that conform to the parameter settings, which completes the generation of the attack graph.
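As an added worked example (not code from the patent or its assignee), the following Python implements the generation rule of Example 1 and steps 4.2 to 4.6 of Example 2 under one reading of the text: connection relations are stored as an adjacency matrix, each edge carries the vulnerabilities mapped to it, an edge is ignored when more than X of its vulnerabilities exceed Dmax, and simple paths from the attacker to the target are abandoned once they would exceed Lmax edges. The hosts, edges, placeholder vulnerability ids and the 0 to 10 difficulty scale are all constructed for illustration, and the per-path cost (the sum of the easiest difficulty on each edge) is an assumption, since the patent does not define how cost is computed.

```python
# Added example, not from patent CN115242507A: attack-path pruning with the
# three parameter maxima the patent names (Lmax, Dmax, X).
# All hosts, edges, vulnerability ids and scores below are constructed.
from dataclasses import dataclass
from typing import Dict, List, Tuple


@dataclass(frozen=True)
class Vuln:
    vuln_id: str       # vulnerability number (placeholder ids here, not real CVEs)
    difficulty: float  # exploitation difficulty coefficient, assumed scale 0 (trivial) .. 10 (expert)
    hazard: float      # hazard index, assumed scale 0 .. 10


@dataclass(frozen=True)
class Limits:
    lmax: int     # maximum attack step length (edges on a path)
    dmax: float   # maximum attack difficulty coefficient
    x: int        # acceptable number of vulnerabilities above dmax on one edge


def build_adjacency(n_hosts: int, connections: List[Tuple[int, int]]) -> List[List[int]]:
    """Step 4.3: store the detected connection relation as an adjacency matrix."""
    adj = [[0] * n_hosts for _ in range(n_hosts)]
    for src, dst in connections:
        adj[src][dst] = 1
    return adj


def edge_is_feasible(vulns: List[Vuln], limits: Limits) -> bool:
    """Claims 7/8: an edge is ignored when more than X of its vulnerabilities
    exceed Dmax. An edge with no mapped vulnerability cannot be traversed."""
    if not vulns:
        return False
    hard = sum(1 for v in vulns if v.difficulty > limits.dmax)
    return hard <= limits.x


def generate_attack_graph(adj: List[List[int]],
                          edge_vulns: Dict[Tuple[int, int], List[Vuln]],
                          attacker: int, target: int,
                          limits: Limits) -> List[Tuple[List[int], float]]:
    """Steps 4.4 to 4.6: depth-first enumeration of simple paths attacker -> target.
    A path is abandoned as soon as it would exceed Lmax edges or use an
    infeasible edge. Returns (path, cost) pairs, cheapest first, where cost is
    the sum of the easiest vulnerability difficulty on each edge (assumed metric)."""
    n = len(adj)
    results: List[Tuple[List[int], float]] = []

    def dfs(node: int, path: List[int], cost: float) -> None:
        if node == target:
            results.append((list(path), cost))
            return
        if len(path) - 1 >= limits.lmax:   # Lmax steps already used
            return
        for nxt in range(n):
            if not adj[node][nxt] or nxt in path:   # no link, or would revisit a host
                continue
            vulns = edge_vulns.get((node, nxt), [])
            if not edge_is_feasible(vulns, limits):
                continue
            step = min(v.difficulty for v in vulns)
            path.append(nxt)
            dfs(nxt, path, cost + step)
            path.pop()

    dfs(attacker, [attacker], 0.0)
    return sorted(results, key=lambda r: (r[1], len(r[0])))


# Constructed sample network: index 0 is the attacker machine, 3 the target.
HOSTS = ["hackpc", "web", "ftp", "target"]
ATTACKER, TARGET = 0, 3
ADJ = build_adjacency(len(HOSTS), [(0, 1), (0, 2), (1, 2), (1, 3), (2, 3)])
EDGE_VULNS: Dict[Tuple[int, int], List[Vuln]] = {
    (0, 1): [Vuln("VULN-A", 2.0, 9.0)],                           # one easy exploit
    (0, 2): [Vuln("VULN-B", 7.0, 6.0), Vuln("VULN-C", 8.0, 5.0)],  # two hard exploits
    (1, 2): [Vuln("VULN-F", 5.0, 4.0)],
    (1, 3): [Vuln("VULN-D", 4.0, 8.0)],
    (2, 3): [Vuln("VULN-E", 3.0, 7.0)],
}


def describe(paths: List[Tuple[List[int], float]]) -> List[str]:
    """Render paths with host names for a report."""
    return [f"{' -> '.join(HOSTS[h] for h in p)} (cost {c})" for p, c in paths]


if __name__ == "__main__":
    for limits in (Limits(lmax=3, dmax=5.0, x=2), Limits(lmax=2, dmax=5.0, x=1)):
        print(f"Lmax={limits.lmax} Dmax={limits.dmax} X={limits.x}")
        for line in describe(generate_attack_graph(ADJ, EDGE_VULNS, ATTACKER, TARGET, limits)):
            print("  " + line)
```

Run stand-alone, the block prints the surviving paths for two settings of (Lmax, Dmax, X): tightening X from 2 to 1 removes every path through the edge that needs two exploits harder than Dmax, and lowering Lmax from 3 to 2 drops the three-hop route, which is exactly the pruning the patent describes. For a defender the cheapest surviving paths are the weak links worth fixing first.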
Although the present invention has been described herein with reference to the illustrated embodiments thereof, which are intended to be preferred embodiments of the present invention, it is to be understood that the invention is not limited thereto, and that numerous other modifications and embodiments can be devised by those skilled in the art that will fall within the spirit and scope of the principles of this disclosure.

Claims (9)

1. An attack graph generation system based on a set parameter maximum value, characterized by comprising an asset collection module, a host information module, a network information module, an attack rule base and an attack graph generation module, wherein the asset collection module collects the network information of a test target, manually or with tools, and divides it into two parts, host information and network information; the host information comprises vulnerability information and service information; the network information comprises configuration information, topology information and connection information; and the attack rule base stores a basis required for generating the attack graph.
2. The attack graph generation system based on a set parameter maximum value according to claim 1, wherein the asset collection module collects information related to the domain name and IP address of the test target through the penetration testers' analysis of the test requirements, and further scans the target with an open source tool, detects the network topology, and defines the connection relations between hosts and the configuration information and vulnerabilities of the hosts.
3. The attack graph generation system based on a set parameter maximum value according to claim 1, wherein the attack rule base is obtained on the basis of a host vulnerability base by mapping rules from attack patterns and abstracting and analyzing the attack rules.
4. The attack graph generation system based on a set parameter maximum value according to claim 1, wherein the attack rule base includes an attack difficulty level, a hazard index, CVE and CNNVD vulnerability numbers, the privileges required to exploit the vulnerability, and the impact caused by the vulnerability.
5. The system according to claim 1, wherein the attack graph includes an attack path element, an attack node element, a cost element for the cost required by the attack, and a parameter maximum value limiting element.
6. The system according to claim 5, wherein the parameter maximum value limiting element includes a maximum attack step length, a maximum attack difficulty coefficient, and a number of high-difficulty vulnerabilities.
7. The system according to claim 6, wherein the attack step length is the length of an attack path, and the longer the path, the greater the difficulty of the attack; a maximum value Lmax is set, and when the attack path exceeds Lmax the path is discarded; the maximum attack difficulty coefficient refers to the difficulty of the conditions for exploiting a vulnerability, and the penetration tester sets a certain difficulty coefficient value Dmax, and when the difficulty of the exploitation conditions of a vulnerability exceeds Dmax, that attack mode is difficult to achieve; the number of high-difficulty vulnerabilities is the number of vulnerabilities exceeding Dmax on one attack edge of the attack graph, this number is assumed to be X, and when the detected number exceeds X, the edge is ignored in the generation of the attack graph.
8. The system according to claim 7, wherein the method for generating the attack graph includes: when the number of high-difficulty vulnerabilities on a certain attack edge exceeds X or the length of the attack path exceeds Lmax, discarding the path, and otherwise generating the corresponding edge of the attack graph.
9. An attack graph generation method based on a set parameter maximum value, characterized in that an asset collection module collects the information available during an attack, the information is divided between a host information module and a network information module, and an attack graph is generated in combination with the rules of an attack rule base; the attack rule base is based on a host vulnerability base, maps rules from attack patterns and abstracts and analyzes the attack rules; the parameter maximum values comprise a maximum attack step length Lmax, a maximum attack difficulty coefficient Dmax and a number X of high-difficulty vulnerabilities, and the corresponding attack graph is generated by setting the three values Lmax, Dmax and X.

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN202210867530.0A CN115242507A (en) 2022-07-22 2022-07-22 Attack graph generation system and method based on set parameter maximum value


Publications (1)

Publication Number Publication Date
CN115242507A true CN115242507A (en) 2022-10-25

Family

ID=83674683

Family Applications (1)

Application Number Title Priority Date Filing Date
CN202210867530.0A Pending CN115242507A (en) 2022-07-22 2022-07-22 Attack graph generation system and method based on set parameter maximum value

Country Status (1)

Country Link
CN (1) CN115242507A (en)

Citations (4)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN106453403A (en) * 2016-11-21 2017-02-22 国家电网公司 Vulnerability restructuring sequence determining method and system based on attack links
US20170286690A1 (en) * 2016-03-31 2017-10-05 International Business Machines Corporation Automatic Generation of Data-Centric Attack Graphs
CN110138764A (en) * 2019-05-10 2019-08-16 中北大学 A kind of attack path analysis method based on level attack graph
CN112114579A (en) * 2020-09-28 2020-12-22 哈尔滨工业大学(威海) Industrial control system safety measurement method based on attack graph


Non-Patent Citations (1)

* Cited by examiner, † Cited by third party
Title
孙彦臣 (Sun Yanchen): "Research on penetration testing methods based on low-cost attack graphs", 《信息科技》 (Information Technology), no. 8, pages 1-2 *


Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination