CN115278681B - 5G communication network attack graph generation method and system based on regional collaboration - Google Patents
5G communication network attack graph generation method and system based on regional collaboration Download PDFInfo
- Publication number
- CN115278681B CN115278681B CN202210735593.0A CN202210735593A CN115278681B CN 115278681 B CN115278681 B CN 115278681B CN 202210735593 A CN202210735593 A CN 202210735593A CN 115278681 B CN115278681 B CN 115278681B
- Authority
- CN
- China
- Prior art keywords
- attack
- vulnerability
- current
- communication
- network
- Prior art date
- Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
- Active
Links
- 238000004891 communication Methods 0.000 title claims abstract description 225
- 238000000034 method Methods 0.000 title claims abstract description 46
- 238000005192 partition Methods 0.000 claims abstract description 117
- 230000009191 jumping Effects 0.000 claims abstract description 48
- 230000005012 migration Effects 0.000 claims abstract description 23
- 238000013508 migration Methods 0.000 claims abstract description 23
- 239000011159 matrix material Substances 0.000 claims description 14
- 230000008569 process Effects 0.000 claims description 12
- 230000001960 triggered effect Effects 0.000 claims description 3
- 238000010586 diagram Methods 0.000 abstract description 7
- 230000035515 penetration Effects 0.000 description 5
- 230000000977 initiatory effect Effects 0.000 description 4
- 230000006399 behavior Effects 0.000 description 2
- 230000009286 beneficial effect Effects 0.000 description 2
- 238000012512 characterization method Methods 0.000 description 2
- 230000007547 defect Effects 0.000 description 2
- 230000006872 improvement Effects 0.000 description 2
- 238000004458 analytical method Methods 0.000 description 1
- 230000005540 biological transmission Effects 0.000 description 1
- 238000004364 calculation method Methods 0.000 description 1
- 230000004069 differentiation Effects 0.000 description 1
- 238000005516 engineering process Methods 0.000 description 1
- 230000009545 invasion Effects 0.000 description 1
- 238000004519 manufacturing process Methods 0.000 description 1
- 230000007246 mechanism Effects 0.000 description 1
- 238000012986 modification Methods 0.000 description 1
- 230000004048 modification Effects 0.000 description 1
- 238000005728 strengthening Methods 0.000 description 1
- 230000007704 transition Effects 0.000 description 1
Classifications
-
- H—ELECTRICITY
- H04—ELECTRIC COMMUNICATION TECHNIQUE
- H04W—WIRELESS COMMUNICATION NETWORKS
- H04W12/00—Security arrangements; Authentication; Protecting privacy or anonymity
- H04W12/12—Detection or prevention of fraud
- H04W12/121—Wireless intrusion detection systems [WIDS]; Wireless intrusion prevention systems [WIPS]
- H04W12/122—Counter-measures against attacks; Protection against rogue devices
-
- Y—GENERAL TAGGING OF NEW TECHNOLOGICAL DEVELOPMENTS; GENERAL TAGGING OF CROSS-SECTIONAL TECHNOLOGIES SPANNING OVER SEVERAL SECTIONS OF THE IPC; TECHNICAL SUBJECTS COVERED BY FORMER USPC CROSS-REFERENCE ART COLLECTIONS [XRACs] AND DIGESTS
- Y02—TECHNOLOGIES OR APPLICATIONS FOR MITIGATION OR ADAPTATION AGAINST CLIMATE CHANGE
- Y02D—CLIMATE CHANGE MITIGATION TECHNOLOGIES IN INFORMATION AND COMMUNICATION TECHNOLOGIES [ICT], I.E. INFORMATION AND COMMUNICATION TECHNOLOGIES AIMING AT THE REDUCTION OF THEIR OWN ENERGY USE
- Y02D30/00—Reducing energy consumption in communication networks
- Y02D30/70—Reducing energy consumption in communication networks in wireless communication networks
Landscapes
- Engineering & Computer Science (AREA)
- Computer Security & Cryptography (AREA)
- Computer Networks & Wireless Communication (AREA)
- Signal Processing (AREA)
- Data Exchanges In Wide-Area Networks (AREA)
Abstract
The invention discloses a 5G communication network attack graph generation method and system based on regional collaboration, comprising the following steps: s1: determining the topology of a 5G communication network, and acquiring a communication node set and a vulnerability set, wherein the vulnerability set comprises security vulnerabilities and empty vulnerabilities; s2: migrating the current vulnerability to the next associated security vulnerability in the same communication node according to the current information attack permission of the attacker; s3: judging whether the current communication node has an associated security hole, if so, jumping to S2, and if not, generating an attack path in the current partition; s4: according to the current information attack permission of an attacker, migrating the attacker from the current vulnerability to the associated vulnerability in the next partition, and generating a cross-region attack path between two adjacent partitions; s5: and judging whether the target attack node is reached, if not, jumping to S2, and if so, outputting a 5G communication network attack graph. By combining internal attack path search and cross-region attack path search and introducing empty holes to perform path migration, a more comprehensive attack path diagram can be obtained.
Description
Technical Field
The invention belongs to the technical field of 5G communication network information security, and particularly relates to a 5G communication network attack graph generation method and system based on regional collaboration.
Background
The 5G communication network is used as an emerging information communication technology and is widely applied to the fields of smart power grids, smart medical treatment, smart manufacturing and the like. However, due to the flexibility of the 5G communication network topology, the characteristics of communication service differentiation and the like, the application scene based on 5G exposes more weak points. Meanwhile, the network attack behavior is gradually complicated and intelligent, and the security threat of the communication network is further aggravated.
At present, when the information system or the network is oriented to attack penetration, an attacker often gradually invades nodes of the system by utilizing the association characteristic among security vulnerabilities, and finally, the attack target is reached. The existing system attack modeling and attack path identification method is mainly realized based on an attack graph generation method, the method identifies the association relation of network vulnerabilities by judging whether the authority of an attacker after vulnerability utilization is improved, the utilized vulnerabilities are vulnerabilities capable of directly launching attacks to nodes, the next attack state is determined, and finally the attack path of multi-step behaviors is formed.
However, 5G communication networks are an open, flexible system where network penetration is possible by an attacker at any location or communication service phase of the network. Compared with the traditional information system or network, the vulnerability of the 5G communication network is independent, the vulnerability migration requirement is different from that of the traditional information network, and the attack path of the 5G communication network cannot be comprehensively identified by the traditional attack graph generation method applied to the information network.
Disclosure of Invention
Aiming at the defects or improvement demands of the prior art, the invention provides a 5G communication network attack graph generation method and a system based on regional collaboration, and aims to comprehensively identify a 5G communication network attack path.
In order to achieve the above object, according to one aspect of the present invention, there is provided a 5G communication network attack graph generation method based on regional collaboration, including:
Step S1: determining a topological structure of a 5G communication network, and acquiring a communication node set and a vulnerability set, wherein the vulnerability set comprises security vulnerabilities and null vulnerabilities, the security vulnerabilities are used for directly attacking the communication nodes, and the null vulnerabilities are vulnerabilities which are migrated based on a communication relation;
step S2: according to the current information attack permission of the attacker, migrating the current vulnerability to the next associated security vulnerability in the same communication node, taking the new attack vulnerability as the current vulnerability and updating the current information attack permission of the attacker according to the information acquired from the new attack vulnerability;
step S3: judging whether the current communication node has an associated security hole, if so, jumping to the step S2, and if not, generating an attack path in the current partition;
step S4: the last security vulnerability of the attack path in the current partition is used as the current vulnerability, and a cross-region attack path between two adjacent partitions is generated according to the current information attack permission of an attacker and the migration of the current vulnerability to the associated vulnerability in the next partition;
Step S5: judging whether the target attack node is reached, if not, taking the new attack vulnerability as the current vulnerability, updating the current information attack permission of the attacker according to the information acquired from the new attack vulnerability, jumping to the step S2, and if so, outputting a 5G communication network attack graph.
In one embodiment, in step S2, a current partition internal attack path is generated by using a partition internal attack graph model sag= < Attpri, SAT, SAGsrc, SAGdest, SAGAttpath > where Attpri represents the current information attack right of an attacker, sat= < v i,vj > represents a state migration process of the attacker from the current vulnerability v i to the next vulnerability v j, v j is the next vulnerability associated with v i and v i and v j are both in the same partition, SAGsrc and SAGdest represent node positions before and after the state migration respectively, SAGATTPATH represents a partition internal attack path sequence for storing the current vulnerability and the searched associated vulnerability to generate the current partition internal attack path.
In one embodiment, in step S4, a cross-zone attack path is generated by constructing a network cross-zone attack graph model cag= < Compri, CAT, CAGsrc, CAGdest, CAGAttpath > wherein Compri represents the current information attack right of the attacker; CAT= < CAGsrc, CAGdest, v i,vj > represents a state migration process of an attacker from a vulnerability v i in a current partition node CAGsrc to a vulnerability v j in a next partition node CAGdest, wherein v j is a next vulnerability associated with v i and v i and v j are both in different partitions, SAGATTPATH represents a cross-region attack path sequence for storing the current vulnerability and the searched associated vulnerabilities to generate a cross-region attack path.
In one embodiment, the 5G communication network includes four partitions including a terminal including n communication nodes, an access network including m communication nodes, a bearer network including k communication nodes, and a core network including w communication nodes;
in step S1, the topology of the 5G communication network is represented as:
G=<NE,NA,NB,NR,EA,AB,BR>,
NE={e1,e2,…,en},NA={a1,a2,…,am},NB={b1,b2,…,bk},NR={r1,r2,…,rw},
Wherein N E,NA,NB,NR represents a terminal communication node set, an access network communication node set, a carrier network communication node set and a core network communication node set, e n represents a terminal nth communication node, a m represents an access network mth communication node, b k represents a carrier network kth communication node, and r w represents a core network kth communication node;
Wherein EA, AB, BR represent respectively a terminal-to-access network cross-zone connectivity matrix, an access network-to-bearer network cross-zone connectivity matrix, and a bearer network-to-core network cross-zone connectivity matrix, wherein C (X, Y) represents connectivity between communication node X and communication node Y, when communication node X and communication node Y are connected, C (X, Y) =1, otherwise, C (X, Y) =0.
In one embodiment, a communication link table of a network communication node is first constructed, and the cross-region connectivity matrix is established based on the communication link table.
In one embodiment, the information for each vulnerability includes a pre-condition Precon and a post-condition Postcon;
In step S2:
Migrating the current vulnerability to the next associated security vulnerability in the same communication node according to the current information attack permission of the attacker, wherein the method comprises the following steps: defining the current information attack permission of an attacker as Attpri, and taking the security hole meeting Attpri more than or equal to Precon in the current communication node as the next associated hole;
Updating the current information attack permission of the attacker according to the information acquired from the vulnerability of the new attack, wherein the current information attack permission is obtained by taking the vulnerability of the new attack as the current vulnerability and taking the post condition of the vulnerability of the new attack as the current information attack permission;
In step S4:
Migrating the current vulnerability from the current vulnerability to the associated vulnerability in the next partition according to the current information attack right of the attacker, wherein the method comprises the following steps: defining the current information attack permission of an attacker as Compri, and taking all vulnerabilities meeting Compri being more than or equal to Precon in the communication node of the next partition as associated vulnerabilities in the next partition;
Updating the current information attack permission of the attacker according to the information acquired from the new attack vulnerability, comprising: taking the loophole of the new attack as the current loophole and taking the post condition of the next loophole as the current information attack permission.
In one embodiment, step S4 includes:
Step S41: judging the type of the communication node at present, if the communication node is a terminal communication node, jumping to the step S42, if the communication node is an access network communication node, jumping to the step S45, and if the communication node is a bearing network communication node, jumping to the step S46;
Step S42: judging whether the current terminal communication node is unregistered, if not, jumping to the step S43, and if so, jumping to the step S44;
step S43: judging whether Compri is greater than or equal to the precondition of the next partition empty vulnerability, if yes, attacking the vulnerability of which the precondition is less than or equal to Compri in the next partition as the associated vulnerability, jumping to the step S5, and if not, jumping to the step S47;
Step S44: judging whether Compri is greater than or equal to the precondition of the security hole of the next partition, if yes, attacking the security hole of which the precondition is less than or equal to Compri in the next partition as the associated hole, jumping to the step S5, and if not, jumping to the step S47;
step S45: judging whether the current access network communication node is communicated with the next partition, if so, jumping to the step S43, and if not, jumping to the step S47;
Step S46: judging whether the current bearing network communication node is communicated with the next partition, if so, jumping to the step S43, and if not, jumping to the step S47;
step S47: and (5) ending.
In one embodiment, in step S4, when the next associated vulnerability cannot be searched, the search is ended.
In one embodiment, before step S2, the method further includes an initialization step, in which the network attack graph is cleared, an attacker is given information about the attack initiation authority, and the first attack node and the target attack node are determined.
According to another aspect of the present invention, there is provided a 5G communication network attack graph generation system based on regional collaboration, including:
the information collection unit is used for obtaining a topological structure of the 5G communication network, a communication node set and a vulnerability set, wherein the vulnerability set comprises security vulnerabilities and empty vulnerabilities, the security vulnerabilities are used for directly attacking the communication nodes, and the empty vulnerabilities are vulnerabilities which are migrated based on a communication relation;
the partition internal attack path searching unit is used for migrating the current information attack permission of the attacker from the current vulnerability to the next associated security vulnerability in the same communication node, taking the new attack vulnerability as the current vulnerability and updating the current information attack permission of the attacker according to the information acquired from the new attack vulnerability;
The first judging unit is used for judging whether the current communication node has an associated security vulnerability, if so, the partition internal attack path searching unit is continuously triggered to search for a new vulnerability, and if not, the current partition internal attack path is generated;
The cross-region attack path searching unit is used for taking the last security vulnerability of the attack path in the current partition as the current vulnerability, and generating a cross-region attack path between two adjacent partitions according to the fact that the current information attack authority of an attacker is migrated from the current vulnerability to the associated vulnerability in the next partition;
And the second judging unit is used for judging whether the target attack node is reached, if not, taking the new attack vulnerability as the current vulnerability, and continuously triggering the intra-partition attack path searching unit to search the new vulnerability after updating the current information attack permission of the attacker according to the information acquired from the new attack vulnerability, and if so, outputting a 5G communication network attack graph.
In general, the above technical solutions conceived by the present invention, compared with the prior art, enable the following beneficial effects to be obtained:
Firstly, according to the 5G communication network attack graph generation method based on region collaboration, researchers can carry out vulnerability migration based on connectivity of adjacent partition nodes when network attack cross-region migration occurs according to the particularity of network architecture, when the next partition node is communicated with the current node, the next partition node is defined to have an empty vulnerability, the empty vulnerability is an invalid vulnerability, the attacker can migrate from the current node to the next partition based on the empty vulnerability, but cannot attack a system, the authority of the attacker cannot be improved, the migration of the vulnerability of the traditional scheme is based on the effective vulnerability, whether the authority of the attacker is improved or not is judged to be the associated vulnerability or not by judging whether the authority of the attacker is improved, namely the security vulnerability defined by the application.
Meanwhile, the application divides the path generation into two basic processes, namely an internal attack path and a cross-region attack path, and can quickly generate a more comprehensive attack path diagram by carrying out comprehensive scanning according to the hierarchical order in the searching process through the circulation process of internal searching, cross-region searching and internal searching.
Drawings
FIG. 1 is a flowchart illustrating steps of a method for generating a 5G communication network attack graph based on region collaboration according to an embodiment;
FIG. 2 is a 5G communication network topology of an embodiment;
FIG. 3 is a simplified topology of a 5G communication network according to one embodiment;
FIG. 4 is a flow diagram of network partition internal attack graph generation, according to one embodiment;
fig. 5 is a flowchart of generating a network cross-zone attack graph according to an embodiment.
Detailed Description
The present invention will be described in further detail with reference to the drawings and examples, in order to make the objects, technical solutions and advantages of the present invention more apparent. It should be understood that the specific embodiments described herein are for purposes of illustration only and are not intended to limit the scope of the invention. In addition, the technical features of the embodiments of the present invention described below may be combined with each other as long as they do not collide with each other.
As shown in fig. 1, in an embodiment, the method for generating a 5G communication network attack graph based on region collaboration includes the following steps:
Step S100: determining a topological structure of a 5G communication network, and acquiring a communication node set and a vulnerability set, wherein the vulnerability set comprises security vulnerabilities and null vulnerabilities, the security vulnerabilities are used for directly attacking the communication nodes, and the null vulnerabilities are vulnerabilities which are migrated based on a communication relation.
As shown in fig. 2, which is a basic structure diagram of a 5G communication network, the environment based on the basic structure diagram includes four partitions of a terminal, an access network, a bearer network and a core network, each partition has 1 or more communication nodes, and each communication node may have one or more vulnerabilities. Before generating an attack path, it is necessary to first know the topology of the target communication network and scan for vulnerabilities in the network.
In one embodiment, the topology of a 5G communication network may be characterized mathematically. Specifically, when the terminal has n communication nodes, the access network has m communication nodes, the bearer network has k communication nodes, and the core network has w communication nodes, the topology of the 5G communication network may be characterized as:
G=<NE,NA,NB,NR,EA,AB,BR>
Where N E is a terminal communication node set, and e i represents an ith communication node in the terminal partition, the terminal communication node set may be expressed as:
NE={e1,e2,…,en}
Where N A is a set of access network communication nodes, denoted as a i as the ith communication node in the access network partition, the set of access network communication nodes may be denoted as:
NA={a1,a2,…,am}
Where N B is an access network communication node set, and b i represents an ith communication node in a bearer network partition, the bearer network communication node set may be expressed as:
NB={b1,b2,…,bk}
Wherein N R is a core network communication node set, r i is used to represent the ith communication node in the core network partition, and the core network communication node set may be expressed as:
NR={r1,r2,…,rw}
Wherein EA is a terminal-to-access network cross-zone connectivity matrix, C (X, Y) represents connectivity between communication node X and communication node Y, when communication node X and communication node Y are connected, C (X, Y) =1, otherwise, C (X, Y) =0, the terminal-to-access network cross-zone connectivity matrix may be represented as
Wherein AB is a cross-zone connectivity matrix from an access network to a bearing network, expressed as
Wherein BR is a cross-region connectivity matrix from the bearer network to the core network, expressed as
The network topology is characterized in the mathematical form, so that the cross-region connectivity of the nodes in the adjacent subareas is judged by a mathematical calculation method, the null vulnerability of the cross-region attack is identified, when the current node is communicated with the cross-region node, the null vulnerability exists in the corresponding cross-region node, and if the current node is not communicated with the cross-region node, the null vulnerability does not exist in the corresponding cross-region node.
Taking n=3, m=3, k= 4,w =1 as an example, i.e., as shown in fig. 2, the terminal area includes three communication terminals C1, C2, and C3; the access network comprises three base stations BS1, BS2 and BS 3; the carrier network comprises four relay nodes LN1, LN2, LN3 and LN4 as forwarding links; the virtual network elements in the core network are uniformly covered by the CN nodes.
In one embodiment, the process of performing mathematical characterization includes:
And S1.1, according to a basic topological structure of the 5G communication network, decomposing the functional nodes of the network based on topology, and simplifying a model.
In this embodiment, a simplified architecture diagram of the network topology model is shown in fig. 3.
And S1.2, establishing a communication link table of the network communication nodes according to the connection relation among different nodes in the communication network.
In this embodiment, the communication link table of the network communication node is shown in table 1 below.
Table 1 communication link table of network communication nodes
| C1 | C2 | C3 | BS1 | BS2 | BS3 | LN1 | LN2 | LN3 | LN4 | CN | |
| C1 | 1 | 0 | 0 | 1 | 0 | 0 | 0 | 0 | 0 | 0 | 0 |
| C2 | 0 | 1 | 0 | 0 | 1 | 0 | 0 | 0 | 0 | 0 | 0 |
| C3 | 0 | 0 | 1 | 0 | 0 | 1 | 0 | 0 | 0 | 0 | 0 |
| BS1 | 1 | 0 | 0 | 1 | 0 | 0 | 1 | 0 | 0 | 0 | 0 |
| BS2 | 0 | 1 | 0 | 0 | 1 | 0 | 0 | 1 | 0 | 0 | 0 |
| BS3 | 0 | 0 | 1 | 0 | 0 | 1 | 0 | 0 | 1 | 0 | 0 |
| LN1 | 0 | 0 | 0 | 1 | 0 | 0 | 1 | 0 | 0 | 0 | 1 |
| LN2 | 0 | 0 | 0 | 0 | 1 | 0 | 0 | 1 | 0 | 0 | 1 |
| LN3 | 0 | 0 | 0 | 0 | 0 | 1 | 0 | 0 | 1 | 0 | 1 |
| LN4 | 0 | 0 | 0 | 0 | 0 | 0 | 0 | 0 | 0 | 1 | 1 |
| CN | 0 | 0 | 0 | 0 | 0 | 0 | 0 | 0 | 0 | 0 | 1 |
And S1.3, carrying out mathematical characterization on the topology structure of the 5G communication network according to a communication link table of the network communication node.
In this embodiment, the topology of the 5G communication network is specifically characterized as:
G=<NE,NA,NB,NR,EA,AB,BR>
NE={C1,C2,C3}
NA={BS1,BS2,BS3}
NB={LN1,LN2,LN3,LN4}
NR={CN}
BR=[C(LN1,CN)C(LN2,CN)C(LN3,CN)C(LN4,CN)]4×1
Meanwhile, in step S100, network vulnerability information including an empty vulnerability and a security vulnerability needs to be grasped. The information of each vulnerability includes a precondition Precon and a postconditions Postcon, where the precondition is a right required for attacking the vulnerability, and the postconditions are new rights acquired after attacking the vulnerability. And according to the vulnerability attribute information of different nodes of the network, unified expression of network vulnerability knowledge is carried out through a vulnerability set V. The set of communication network vulnerabilities represents a vulnerability or defect that exists for all communication device nodes of the network. Specifically, the vulnerability set may be defined as v= { V 1,v2,…,vz }, and for any vulnerability V i, V i = < VId, VIn, VTy, inf, precon, postcon >, where VId is a unique identifier of a vulnerability node, VIn represents a unified standard number of the vulnerability in the public vulnerability library, VTy represents the vulnerability exploitation type, and Inf is a specific description of vulnerability content.
In the application, the precondition of the empty vulnerability is that the cross-regional connectivity with the current node is satisfied, and the precondition of the empty vulnerability is that the attacker can migrate the path through the empty vulnerability from the current node to the next node, but the next node cannot be subjected to substantial attack, and the new authority cannot be acquired based on the empty vulnerability. The identifying of the empty holes may be determined based on the node connection relationships described above.
Besides the clear loopholes, the security loopholes of the network are required to be scanned to acquire the security loophole information. The security hole is a hole which can be directly used for attacking the node by an attacker, and the attacker can cause substantial attack on the network and decipher useful information based on the security hole, so that the attack right of the attacker is enlarged. Specifically, table 2 is a security hole table in an embodiment, where security hole information about a 5G communication network in the table is a reasonability assumption made to ensure that the security hole information is not lost.
Table 2 network security vulnerability information table
In one embodiment, the communication nodes and corresponding vulnerabilities of the entire network may be unified through the communication node attribute set Comtrib,
Comtrib={cb1,cb2,…,cb(n+m+k+w)}
Wherein cb i is an attribute of a communication node i in the network, and for any communication node there is
cbi=<Id,Vuls,Ast,Serv>
Where Id is the identity of the communication node i, vuls represents the set of security vulnerabilities existing inside the node, ash is the asset value or importance of the communication node in the network, and Serv is a description of the specific communication service provided by the communication node.
Step S200: and migrating the current information attack permission of the attacker from the current vulnerability to the next associated security vulnerability in the same communication node according to the current information attack permission of the attacker, and updating the current information attack permission of the attacker according to the information acquired from the new attack vulnerability.
In the initialization phase, an initial attack vulnerability and a target attack node are determined. After the initial attack vulnerability is determined, taking the vulnerability as the current vulnerability, and searching an attack path inside the partition. Meanwhile, during the search of the attack path inside the partition, path migration is performed only based on security holes.
In a specific embodiment, a partition internal attack graph model is built:
SAG=<Attpri,SAT,SAGsrc,SAGdest,SAGAttpath>
Wherein Attpri represents the current information attack right of the attacker, that is, the updated right after the attacker attacks the current vulnerability v i. Sat= < v i,vj > represents the state migration process of an attacker from the current vulnerability v i to the next vulnerability v j, v j is the next vulnerability associated with v i and v i and v j are both within the same partition, in this model v j is only a security vulnerability. SAGsrc and SAGdest represent node locations before and after state migration, respectively, in which model the nodes represented by SAGsrc and SAGdest in the same partition are identical. SAGATTPATH is used for storing the current vulnerability and the searched associated vulnerability to generate a current attack path in the partition, and adding the associated vulnerability to SAGATTPATH once the associated vulnerability is searched, taking the associated vulnerability as the current vulnerability, and taking the authority acquired from the attack associated vulnerability as the current attack authority.
Step S300: and judging whether the current communication node has the association vulnerability, if so, jumping to the step S220, and if not, generating an attack path inside the current partition, and jumping to the step S300.
Fig. 4 is a schematic diagram of a process of generating a partition internal attack path in an embodiment, where SAGsrc vulnerability sets are empty, which indicates that if an initial attack node does not have a vulnerability, an attack cannot be implemented on the network, and the search is ended. SAGsrc all vulnerabilities are accessed, which means that no associated vulnerability exists in the current node, and the search is ended. Through the above-described step S200 and step S300, the current partition internal attack path can be generated.
Step S400: and taking the last security vulnerability of the attack path in the current partition as the current vulnerability, and generating a cross-region attack path between two adjacent partitions according to the fact that the current information attack permission of an attacker is migrated from the current vulnerability to the associated vulnerability in the next partition.
In the step, the last security hole of the attack path in the current partition is taken as the current hole, the attack authority obtained from the last security hole of the attack path in the current partition is taken as the current attack authority, whether the next partition has the associated hole or not is identified, if yes, the hole migration is carried out, and if not, the search is ended.
In a specific embodiment, a partition internal attack graph model is built:
CAG=<Compri,CAT,CAGsrc,CAGdest,CAGAttpath>
Wherein Compri represents the current information attack right of the attacker; CAT= < CAGsrc, CAGdest, v i,vj > represents a state migration process of an attacker from a vulnerability v i in a current partition node CAGsrc to a vulnerability v j in a next partition node CAGdest, wherein v j is a next vulnerability associated with v i and v i and v j are both in different partitions, SAGATTPATH represents a cross-region attack path sequence for storing the current vulnerability and the searched associated vulnerabilities to generate a cross-region attack path.
In this embodiment, a cross-region attack constraint CAGconstrain may be established, and the migration from the current security hole to the associated security hole in the next partition according to the current information attack right of the attacker, so as to satisfy the following requirements:
Wherein Compri represents the current information attack right of the attacker;
When the current node CAGsrc is at the terminal N E and the next partition CAGdest is the access network N A:
If the current terminal node is not registered, namely EA, AB, BR, false, the preconditions of the current attack authority and the next associated vulnerability are only satisfied Migration can be performed, and attack is performed by taking the security holes with preconditions smaller than or equal to Compri in the next partition as associated holes;
If the current terminal node is registered, namely EA.AB.BR.true, the current attack permission and the precondition of the next associated vulnerability can be migrated as long as Compri is more than or equal to v null [ Precon ], v null is an empty vulnerability, and the vulnerability of which the precondition in the next partition is less than or equal to Compri is taken as the associated vulnerability to attack, at the moment, the security vulnerability and the empty vulnerability conforming to the conditions are taken as the associated vulnerability, and various possible cross-region attack paths are generated, so that the attack path search is more comprehensive.
When the current node CAGsrc is in the access network N A and the next partition CAGdest is the bearer network N B:
If the current node is communicated with the carrier network N B, namely AB→true, migration can be performed as long as the preconditions of the current attack permission and the next associated vulnerability are satisfied as long as Compri is greater than or equal to v null [ Precon ], v null is an empty vulnerability, and vulnerabilities with the preconditions smaller than or equal to Compri in the next partition are used as associated vulnerabilities for attack, at this time, both the security vulnerabilities and the empty vulnerabilities conforming to the conditions are used as the associated vulnerabilities, and various possible cross-region attack paths are generated, so that the attack path search is more comprehensive.
When the current node CAGsrc is in the bearer network N B and the next partition CAGdest is the access network N R:
If the current node is communicated with the access network N R, namely BR- & gt True, migration can be performed as long as the preconditions of the current attack permission and the next associated vulnerability are satisfied as long as Compri is greater than or equal to v null [ Precon ], v null is an empty vulnerability, and vulnerabilities with the preconditions smaller than or equal to Compri in the next partition are used as associated vulnerabilities for attack, at this time, both the security vulnerabilities and the empty vulnerabilities conforming to the conditions are used as related vulnerabilities, and various possible cross-region attack paths are generated, so that the attack path search is more comprehensive.
Based on the above analysis, in one embodiment, as shown in fig. 5, the step S400 specifically includes the following sub-steps:
step S410: and judging the type of the communication node currently located, if the communication node is a terminal communication node, jumping to the step S420, if the communication node is an access network communication node, jumping to the step S450, and if the communication node is a bearing network communication node, jumping to the step S460.
It can be appreciated that, before step S410, the attack initiating node CAGsrc and the target attack node CAGdest' are determined, where the attack initiating node CAGsrc is the node where the last security hole of the attack path in the current partition is located, and the target attack node is the node that is initially set and finally needs to be attacked.
Specifically, as shown in fig. 5, in step S410, it may be determined whether CAGsrc is a terminal communication node, if yes, the process goes to step S420;
If not, continuing to judge whether the communication node is an access network communication node, if so, jumping to a step S450;
if not, continuing to judge whether the network is a bearing network, if so, jumping to the step S460; if not, the search is ended.
Step S420: and judging whether the current terminal communication node is unregistered, namely judging whether EA, AB, BR and False are met, if not, jumping to the step S430, and if so, jumping to the step S440.
Step S430: judging whether Compri is greater than or equal to the precondition of the next partition empty vulnerability, namely judging whether Compri is greater than or equal to v null [ Precon ], if yes, attacking the vulnerability of which the precondition is less than or equal to Comp in the next partition as the associated vulnerability, realizing state migration < src, dest, v src, vdest >. To CAT, and jumping to step S500, if no, jumping to step S470.
Step S440: determining Compri whether the precondition for the next partition security hole is greater than or equal to, i.e., determining whetherIf yes, attack the security hole with the precondition less than or equal to Compri in the next partition as the associated hole, realize state transition < src, dest, v src, vdest > →CAT and jump to step S500, if not, jump to step S470.
Step S450: and judging whether the current access network communication node is communicated with the next partition, namely judging whether AB & gttrue is met, if so, jumping to the step S430, and if not, jumping to the step S470.
Step S460: and judging whether the current access network communication node is communicated with the next partition, namely judging whether BR- & gt True is met, if so, jumping to the step S430, and if not, jumping to the step S470.
In summary, when the attack starting node is a terminal area communication node, if the node is not registered in the network, namely EAsrc ·ab·br→false, the cross-area attack from the terminal to the access network is realized, and the access network vulnerability is needed to be utilized to realize illegal invasion of the node (the attacker communication authority is greater than the access area vulnerability precondition). If the node is registered in the network, namely EAsrc, AB, BR, true, then the attacker only needs to meet the communication of the trans-regional communication node to realize the trans-regional penetration from the terminal to the access network; further, when the initiating node is an access network area or a bearing network communication node, the partition loopholes can be traversed as long as the inter-area communication node connection is satisfied so as to realize gradual penetration of the attack. On the basis of the network partition attack path sequence, the target attack node and the starting node in adjacent areas are used as the starting node and the target node of the cross attack path sequence, and the starting node CAGsrc is added in the cross attack path sequence CAGATTPATH. Taking a terminal area and an access network area as examples, taking a target node of a terminal area attack sequence as an initial node CAGsrc of a cross-area attack graph, and taking the initial node of the access network area attack sequence as a target node CAGdes of the cross-area attack graph. If the cross-region attack graph constraint CAGconstrain is satisfied between the cross-region starting node and the target node, adding a cross-region target node CAGdest to the cross-region attack path sequence, and ending the attack path search; otherwise, the search path is continued.
Step S500: judging whether the target attack node is reached, if not, taking the new attack vulnerability as the current vulnerability, updating the current information attack permission of the attacker according to the information acquired from the new attack vulnerability, jumping to the step S200, and if yes, outputting a 5G communication network attack graph.
Through the steps S100 to S500, a comprehensive 5G communication network attack graph can be generated.
Correspondingly, the application also relates to a 5G communication network attack graph generation system based on regional collaboration, which corresponds to the method, and the system specifically comprises the following steps:
The information collection unit is used for obtaining a topological structure of the 5G communication network, a communication node set and a loophole set, wherein the loophole set comprises security loopholes and empty loopholes, the security loopholes are used for directly attacking the communication nodes, and the empty loopholes are loopholes which are migrated based on a communication relation;
the partition internal attack path searching unit is used for migrating the current information attack permission of the attacker from the current vulnerability to the next associated security vulnerability in the same communication node, taking the new attack vulnerability as the current vulnerability and updating the current information attack permission of the attacker according to the information acquired from the new attack vulnerability;
The first judging unit is used for judging whether the current communication node has an associated security vulnerability, if so, the partition internal attack path searching unit is continuously triggered to search for a new vulnerability, and if not, the current partition internal attack path is generated;
the cross-region attack path searching unit is used for taking the last security vulnerability of the attack path in the current partition as the current vulnerability, migrating the current information attack permission of an attacker from the current vulnerability to the associated vulnerability in the next partition, taking the new attack vulnerability as the current vulnerability, and updating the current information attack permission of the attacker according to the information acquired from the new attack vulnerability to generate a cross-region attack path between two adjacent partitions;
And the second judging unit is used for judging whether the target attack node is reached, if not, taking the new attack vulnerability as the current vulnerability, and continuously triggering the intra-partition attack path searching unit to search the new vulnerability after updating the current information attack permission of the attacker according to the information acquired from the new attack vulnerability, and if so, outputting a 5G communication network attack graph.
It should be noted that, the 5G communication network attack graph generating system based on region collaboration is used to implement the above 5G communication network attack graph generating method based on region collaboration, and each unit is used to execute a corresponding step, and has a function of implementing a corresponding step, and specific details thereof are described above, and are not repeated.
In a word, the 5G communication network attack graph generation method and the system based on regional collaboration provided by the invention realize the identification of the network attack path by improving the traditional attack generation method and the abstract network topology structure, thereby being beneficial to strengthening the safety deployment of the 5G communication network. Meanwhile, the invention provides a network partition topology abstract expression method based on an incidence matrix for 5G communication network end-to-end service transmission characteristics and topology characteristics, and the network is divided into a terminal area, an access network area, a bearing network area and a core network area, so that mathematical description of connectivity of communication nodes in adjacent areas is realized by utilizing the incidence matrix, and a unified topology framework is provided for constructing a network attack graph model. In addition, the invention provides a regional collaborative attack graph generation method aiming at the specificity of a 5G communication network attack penetration mechanism, and the security constraint of the network cross-domain attack is designed by defining a partition attack graph model and a cross-region attack graph model, so that a corresponding attack path identification method is provided for different attack scenes of the network.
It will be readily appreciated by those skilled in the art that the foregoing description is merely a preferred embodiment of the invention and is not intended to limit the invention, but any modifications, equivalents, improvements or alternatives falling within the spirit and principles of the invention are intended to be included within the scope of the invention.
Claims (10)
1. The 5G communication network attack graph generation method based on the regional collaboration is characterized by comprising the following steps of:
Step S1: determining a topological structure of a 5G communication network, and acquiring a communication node set and a vulnerability set, wherein the vulnerability set comprises security vulnerabilities and null vulnerabilities, the security vulnerabilities are used for directly attacking the communication nodes, and the null vulnerabilities are vulnerabilities which are migrated based on a communication relation;
step S2: according to the current information attack permission of the attacker, migrating the current vulnerability to the next associated security vulnerability in the same communication node, taking the new attack vulnerability as the current vulnerability and updating the current information attack permission of the attacker according to the information acquired from the new attack vulnerability;
step S3: judging whether the current communication node has an associated security hole, if so, jumping to the step S2, and if not, generating an attack path in the current partition;
step S4: the last security vulnerability of the attack path in the current partition is used as the current vulnerability, and a cross-region attack path between two adjacent partitions is generated according to the current information attack permission of an attacker and the migration of the current vulnerability to the associated vulnerability in the next partition;
Step S5: judging whether the target attack node is reached, if not, taking the new attack vulnerability as the current vulnerability, updating the current information attack permission of the attacker according to the information acquired from the new attack vulnerability, jumping to the step S2, and if so, outputting a 5G communication network attack graph.
2. The method of claim 1, wherein in step S2, a current intra-partition attack path is generated by using a partition internal attack graph model sag= < Attpri, SAT, SAGsrc, SAGdest, SAGAttpath > wherein Attpri represents a current information attack right of an attacker, sat= < v i,vj > represents a state migration process of the attacker from a current vulnerability v i to a next vulnerability v j, v j is the next vulnerability associated with v i and v i and v j are both in the same partition, SAGsrc and SAGdest represent node positions before and after the state migration, respectively, SAGATTPATH represents a partition internal attack path sequence for storing the current vulnerability and the searched associated vulnerability to generate the current partition internal attack path.
3. The method for generating a 5G communication network attack graph according to claim 1, wherein in step S4, a cross-zone attack path is generated by constructing a network cross-zone attack graph model cag= < Compri, CAT, CAGsrc, CAGdest, CAGAttpath > wherein Compri represents the current information attack right of an attacker; CAT= < CAGsrc, CAGdest, v i,vj > represents a state migration process of an attacker from a vulnerability v i in a current partition node CAGsrc to a vulnerability v j in a next partition node CAGdest, wherein v j is a next vulnerability associated with v i and v i and v j are both in different partitions, SAGATTPATH represents a cross-region attack path sequence for storing the current vulnerability and the searched associated vulnerabilities to generate a cross-region attack path.
4. The method for generating a 5G communication network attack graph according to claim 1, wherein the 5G communication network includes four partitions including a terminal including n communication nodes, an access network including m communication nodes, a bearer network including k communication nodes, and a core network including w communication nodes;
in step S1, the topology of the 5G communication network is represented as:
G=<NE,NA,NB,NR,EA,AB,BR>,
NE={e1,e2,…,en},NA={a1,a2,…,am},NB={b1,b2,…,bk},NR={r1,r2,…,rw},
Wherein N E,NA,NB,NR represents a terminal communication node set, an access network communication node set, a carrier network communication node set and a core network communication node set, e n represents a terminal nth communication node, a m represents an access network mth communication node, b k represents a carrier network kth communication node, and r w represents a core network kth communication node;
Wherein EA, AB, BR represent respectively a terminal-to-access network cross-zone connectivity matrix, an access network-to-bearer network cross-zone connectivity matrix, and a bearer network-to-core network cross-zone connectivity matrix, wherein C (X, Y) represents connectivity between communication node X and communication node Y, when communication node X and communication node Y are connected, C (X, Y) =1, otherwise, C (X, Y) =0.
5. The method of claim 4, wherein a communication link table of network communication nodes is first constructed, and the cross-region connectivity matrix is established based on the communication link table.
6. The method for generating a 5G communication network attack graph according to claim 1, wherein the information of each vulnerability includes a pre-condition Precon and a post-condition Postcon;
In step S2:
Migrating the current vulnerability to the next associated security vulnerability in the same communication node according to the current information attack permission of the attacker, wherein the method comprises the following steps: defining the current information attack permission of an attacker as Attpri, and taking the security hole meeting Attpri more than or equal to Precon in the current communication node as the next associated hole;
Updating the current information attack permission of the attacker according to the information acquired from the vulnerability of the new attack, wherein the current information attack permission is obtained by taking the vulnerability of the new attack as the current vulnerability and taking the post condition of the vulnerability of the new attack as the current information attack permission;
In step S4:
Migrating the current vulnerability from the current vulnerability to the associated vulnerability in the next partition according to the current information attack right of the attacker, wherein the method comprises the following steps: defining the current information attack permission of an attacker as Compri, and taking all vulnerabilities meeting Compri being more than or equal to Precon in the communication node of the next partition as associated vulnerabilities in the next partition;
Updating the current information attack permission of the attacker according to the information acquired from the new attack vulnerability, comprising: taking the loophole of the new attack as the current loophole and taking the post condition of the next loophole as the current information attack permission.
7. The method for generating a 5G communication network attack graph according to claim 4, wherein step S4 comprises:
Step S41: judging the type of the communication node at present, if the communication node is a terminal communication node, jumping to the step S42, if the communication node is an access network communication node, jumping to the step S45, and if the communication node is a bearing network communication node, jumping to the step S46;
Step S42: judging whether the current terminal communication node is unregistered, if not, jumping to the step S43, and if so, jumping to the step S44;
step S43: judging whether Compri is greater than or equal to the precondition of the next partition empty vulnerability, if yes, attacking the vulnerability of which the precondition is less than or equal to Compri in the next partition as the associated vulnerability, jumping to the step S5, and if not, jumping to the step S47;
Step S44: judging whether Compri is greater than or equal to the precondition of the security hole of the next partition, if yes, attacking the security hole of which the precondition is less than or equal to Compri in the next partition as the associated hole, jumping to the step S5, and if not, jumping to the step S47;
step S45: judging whether the current access network communication node is communicated with the next partition, if so, jumping to the step S43, and if not, jumping to the step S47;
Step S46: judging whether the current bearing network communication node is communicated with the next partition, if so, jumping to the step S43, and if not, jumping to the step S47;
step S47: and (5) ending.
8. The method for generating a 5G communication network attack graph according to claim 1, wherein in step S4, when a next associated vulnerability cannot be searched, the search is ended.
9. The method for generating a 5G communication network attack graph according to claim 1, further comprising, before step S2, an initializing step of clearing the communication network attack graph, giving an attacker information attack initial authority, and determining a first attack node and a target attack node.
10. A 5G communication network attack graph generation system based on regional collaboration, comprising:
the information collection unit is used for obtaining a topological structure of the 5G communication network, a communication node set and a vulnerability set, wherein the vulnerability set comprises security vulnerabilities and empty vulnerabilities, the security vulnerabilities are used for directly attacking the communication nodes, and the empty vulnerabilities are vulnerabilities which are migrated based on a communication relation;
the partition internal attack path searching unit is used for migrating the current information attack permission of the attacker from the current vulnerability to the next associated security vulnerability in the same communication node, taking the new attack vulnerability as the current vulnerability and updating the current information attack permission of the attacker according to the information acquired from the new attack vulnerability;
The first judging unit is used for judging whether the current communication node has an associated security vulnerability, if so, the partition internal attack path searching unit is continuously triggered to search for a new vulnerability, and if not, the current partition internal attack path is generated;
The cross-region attack path searching unit is used for taking the last security vulnerability of the attack path in the current partition as the current vulnerability, and generating a cross-region attack path between two adjacent partitions according to the fact that the current information attack authority of an attacker is migrated from the current vulnerability to the associated vulnerability in the next partition;
And the second judging unit is used for judging whether the target attack node is reached, if not, taking the new attack vulnerability as the current vulnerability, and continuously triggering the intra-partition attack path searching unit to search the new vulnerability after updating the current information attack permission of the attacker according to the information acquired from the new attack vulnerability, and if so, outputting a 5G communication network attack graph.
Priority Applications (1)
| Application Number | Priority Date | Filing Date | Title |
|---|---|---|---|
| CN202210735593.0A CN115278681B (en) | 2022-06-27 | 2022-06-27 | 5G communication network attack graph generation method and system based on regional collaboration |
Applications Claiming Priority (1)
| Application Number | Priority Date | Filing Date | Title |
|---|---|---|---|
| CN202210735593.0A CN115278681B (en) | 2022-06-27 | 2022-06-27 | 5G communication network attack graph generation method and system based on regional collaboration |
Publications (2)
| Publication Number | Publication Date |
|---|---|
| CN115278681A CN115278681A (en) | 2022-11-01 |
| CN115278681B true CN115278681B (en) | 2024-04-19 |
Family
ID=83764845
Family Applications (1)
| Application Number | Title | Priority Date | Filing Date |
|---|---|---|---|
| CN202210735593.0A Active CN115278681B (en) | 2022-06-27 | 2022-06-27 | 5G communication network attack graph generation method and system based on regional collaboration |
Country Status (1)
| Country | Link |
|---|---|
| CN (1) | CN115278681B (en) |
Citations (1)
| Publication number | Priority date | Publication date | Assignee | Title |
|---|---|---|---|---|
| CN101695033A (en) * | 2009-09-25 | 2010-04-14 | 上海交通大学 | Network fragility analyzing system based on privilege lift |
Family Cites Families (1)
| Publication number | Priority date | Publication date | Assignee | Title |
|---|---|---|---|---|
| KR102143786B1 (en) * | 2018-09-21 | 2020-08-28 | 한국전자통신연구원 | Method and apparatus for generating semantic attack graph |
-
2022
- 2022-06-27 CN CN202210735593.0A patent/CN115278681B/en active Active
Patent Citations (1)
| Publication number | Priority date | Publication date | Assignee | Title |
|---|---|---|---|---|
| CN101695033A (en) * | 2009-09-25 | 2010-04-14 | 上海交通大学 | Network fragility analyzing system based on privilege lift |
Non-Patent Citations (4)
| Title |
|---|
| Automated Attack and Defense Framework toward 5G Security;Yanbin Sun Et.AL;《 IEEE Network》;20200330;247 - 253 * |
| 基于贝叶斯攻击图的工控系统动态风险评估;常昊;秦元庆;周纯杰;;信息技术;20181023(10);全文 * |
| 网络攻击节点路径高效检测模型仿真研究;张波;周诚;李伟伟;李千目;;计算机仿真;20170815(08);全文 * |
| 计算机网络攻击图的生成研究与探索;金丽娜;;长春大学学报;20091230(12);全文 * |
Also Published As
| Publication number | Publication date |
|---|---|
| CN115278681A (en) | 2022-11-01 |
Similar Documents
| Publication | Publication Date | Title |
|---|---|---|
| Wu et al. | A hierarchical security framework for defending against sophisticated attacks on wireless sensor networks in smart cities | |
| CN109800573B (en) | Social network protection method based on degree anonymity and link disturbance | |
| CN112819300B (en) | Power distribution network risk assessment method based on random game network under network attack | |
| Tang et al. | When reputation enforces evolutionary cooperation in unreliable MANETs | |
| US8122505B2 (en) | Method and apparatus for detection of malicious behavior in mobile ad-hoc networks | |
| CN109284296A (en) | A kind of big data PB grades of distributed informationm storage and retrieval platforms | |
| CN114326403A (en) | Multi-agent system security convergence control method based on node information privacy protection | |
| Vatambeti et al. | Identifying and detecting black hole and gray hole attack in MANET using gray wolf optimization | |
| CN115278681B (en) | 5G communication network attack graph generation method and system based on regional collaboration | |
| Santos et al. | Assessment of connectivity-based resilience to attacks against multiple nodes in SDNs | |
| CN110324415A (en) | A kind of route implementation method of peer-to-peer network, device, equipment and medium | |
| Grace et al. | A distributed architecture meta-model for self-managed middleware | |
| Ahmed et al. | A distributed trust mechanism for malicious behaviors in VANETs | |
| CN106357661B (en) | A kind of distributed refusal service attack defending method based on interchanger rotation | |
| Patel et al. | Study of Denial of Service Attack On AODV Routing Protocol in Mobile Ad-hoc Network | |
| Nazari et al. | Blocking in fully connected networks of arbitrary size | |
| CN113395183B (en) | Virtual node scheduling method and system for network simulation platform VLAN interconnection | |
| Sonekar et al. | Enhanced route optimization technique and design of threshold-T for malicious node detection in ad hoc networks | |
| Inverardi et al. | Distributed IDSs for enhancing security in mobile wireless sensor networks | |
| Yan et al. | Efficient dynamic service function chain combination of network function virtualization | |
| Xia et al. | Consensus-based filtering under false data injection attacks | |
| Yang et al. | BLCS: brain-like based distributed control security in cyber physical systems | |
| Benjamin | Analysis of connection survivability in complex strategic communications networks | |
| Zangeneh et al. | A Novel Approach for Protecting RPL Routing Protocol against Blackhole Attacks in IoT Networks | |
| Zhang et al. | A survivability quantitative analysis model for network system based on attack graph |
Legal Events
| Date | Code | Title | Description |
|---|---|---|---|
| PB01 | Publication | ||
| PB01 | Publication | ||
| SE01 | Entry into force of request for substantive examination | ||
| SE01 | Entry into force of request for substantive examination | ||
| GR01 | Patent grant | ||
| GR01 | Patent grant |