CN115801591B - Quantitative calculation method for network security vulnerability assessment - Google Patents
Publication number: CN115801591B (application CN202310114390.4A)
Authority: CN (China)
Prior art keywords: node, network, nodes, vulnerability, risk
Legal status: Active (the legal status is an assumption and is not a legal conclusion; Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed)
Landscapes: Data Exchanges In Wide-Area Networks (AREA)
Abstract
The invention belongs to the technical field of computer applications and in particular relates to a quantitative calculation method for network security vulnerability assessment. The method ranks each node by its influence magnitude and by its K-shell value, takes the top-ranked nodes of both rankings and intersects them to determine the high-risk nodes, which guarantees the propagation influence of those nodes; it then determines the defensive power of the high-risk nodes and the maximum connectivity of the network, and from these determines the vulnerability of the network, thereby effectively assessing the network and providing a reliable basis for subsequent improvement.
Description
Technical Field
The invention belongs to the technical field of computer application, and particularly relates to a quantitative calculation method for network security vulnerability assessment.
Background
Because security was not considered in the design of the internet, vulnerability has become an attribute of the network itself, and this inherent vulnerability is an important reason why networks are difficult to control and manage effectively. Discovering and protecting the vulnerable parts of a network is an important task for network administrators. Safe and effective network control and management covers three aspects: prevention before an attack occurs, defense while an attack is in progress, and compensation after it has occurred. Common security measures such as firewalls, intrusion detection and bug fixes are defense measures during an attack or compensation measures afterwards, and as such are passive security policies. Although these policies reduce losses to some extent, they do not provide decision support for intrusion prevention, which would help discover and protect the vulnerable parts of the network. To prevent network attacks and improve the security of network systems, researchers have proposed strategies for analyzing network vulnerability. How to effectively determine network security vulnerability is therefore an important current research direction.
Disclosure of Invention
To address the technical problems in determining network security vulnerability, the invention provides a quantitative calculation method for network security vulnerability assessment that is reasonable in design, simple in method, and capable of effectively assessing network security vulnerability.
To achieve the above object, the invention adopts the following technical solution: a quantitative calculation method for network security vulnerability assessment comprising the following steps:
a. firstly, acquiring a topological structure of a network, and determining each node and the direction among the nodes;
b. then determining the influence of each node and ranking the nodes by it, where the influence is determined by the following formula:
wherein NI is the influence value of node i, σ_ij is the number of shortest paths from node i to node j, σ_ij(e) is the number of those shortest paths that pass through node e, σ_ij(v) is the number of those shortest paths that pass through edge v, N is the number of all nodes in the network, and λ is the tightness factor of node i;
c. obtaining the K-shell value of each node i by the K-shell decomposition method and ranking the nodes by K-shell value;
d. taking the first fifth of each of the rankings obtained in steps b and c and forming their intersection, the intersection nodes being the high-risk nodes;
e. carrying out a simulated harmful-information propagation experiment with the high-risk nodes selected in step d and determining the defense force of each high-risk node, where the defense force is determined by the following formula:
wherein ND_i is the defense force of high-risk node i, ND is the sum of the node degrees of all nodes in the network, S_i^1 is the sum of the node degrees of the partially failed nodes caused by the failure of node i, and the last quantity is the sum of the node degrees of the completely failed nodes caused by the failure of node i;
f. and determining the vulnerability of the network according to the defensive power of the high-risk node.
wherein, for the tightness factor λ of node i, the quantities used are the number of neighbor nodes of node i and the number of network end nodes among those neighbor nodes.
Preferably, in step f, the simulated harmful-information propagation experiment on the network includes:
f1. taking any high-risk node determined in step d as the initial node and carrying out the harmful-information propagation simulation;
f2. calculating the maximum connectivity of the network once per time unit;
f3. if the maximum connectivity of the network falls below a threshold value, performing the vulnerability calculation to determine the vulnerability of the network, where the network vulnerability is determined by the following formula:
wherein Cr is the network vulnerability value, NP is the number of nodes to which the harmful information has propagated, and N is the number of all nodes in the network.
Preferably, in step f2, the maximum connectivity of the network is calculated by the following formula:
wherein G is the maximum connectivity value of the network, S is the number of normal nodes in the network at time t, ND_i is the defense force of node i, f_i(t) is the load of node i at time t, C_i(t_0) is the initial load of node i, and I is the number of affected nodes in the network at time t.
Compared with the prior art, the invention has the following advantages and positive effects:
The invention provides a quantitative calculation method for network security vulnerability assessment that ranks each node by its influence magnitude and by its K-shell value, intersects the top-ranked nodes of the two rankings to effectively determine the high-risk nodes, which guarantees their propagation influence, then determines the defensive power of the high-risk nodes and the maximum connectivity of the network, and from these effectively determines the vulnerability of the network, thereby effectively assessing the network and providing a reliable basis for subsequent improvement.
Detailed Description
In order that the above objects, features and advantages of the present invention can be more clearly understood, the present invention will be further described with reference to the following examples. It should be noted that the embodiments and features of the embodiments of the present application may be combined with each other without conflict.
In the following description, numerous specific details are set forth in order to provide a thorough understanding of the present invention, however, the present invention may be practiced in other ways than those specifically described herein, and thus the present invention is not limited to the specific embodiments of the present disclosure.
The embodiment provides a quantitative calculation method for network security vulnerability assessment.
Analysis of existing networks shows that both the industrial internet and government and enterprise networks are clearly complex networks. In a complex network, nodes and edges are the most basic and meaningful structures, and once the relationship between nodes and edges is known, the way information flows through the network can be understood.
Firstly, the topological structure of the network is obtained and the nodes and the directions between them are determined. The topology reflects the connection relationships among all entities in the network and is one of the pieces of characteristic information most easily obtained by an attacker. Vulnerability analysis based on structural characteristics helps to discover and protect the vulnerable parts of the network structure in advance and is an important link in realizing effective network control and management. At the structural level, vulnerability is mainly reflected in the fact that some nodes have a large influence on information propagation in the network and can propagate harmful information at a higher speed. Therefore, identifying the set of nodes with a large influence on information propagation in the topology is the main purpose of topology-based vulnerability analysis.
Taking the common internet as an example, it generally has a four-layer structure: an end layer, access-layer nodes, convergence-layer nodes and backbone-layer nodes. The end layer is the user layer, which may be an operating platform or a printer. Access-layer nodes face the users directly and provide them with access services; typical devices are routers and hosts. Convergence-layer nodes aggregate the user traffic of the access layer and perform the aggregation, forwarding and switching of packet transmission; a typical device is a high-performance switch. The backbone layer, the most central one, realizes the optimized transmission of traffic between backbone networks and is the final bearer of network traffic; its nodes usually represent large data centers.
Thus the propagation range of each node differs: as far as the end layer is concerned, most of its nodes have no propagation capability, and nodes at different levels of the network may face different network attacks. Common attack modes can be roughly divided into two categories: privilege-acquisition attacks and performance-degradation attacks. The purpose of a privilege-acquisition attack is to put the privileges in a router at the disposal of an illegitimate user, reducing the security of the packets in the router; common examples are Simple Network Management Protocol (SNMP) attacks, network worm intrusions and man-in-the-middle attacks. The main purpose of a performance-degradation attack is to make it difficult to meet the requirements of normal network services by occupying link queues or exhausting node resources; a common example is the DoS (denial of service) attack. Thus the influence of end-layer nodes is very small, and for this reason such nodes need to be discarded first and the calculation performed afterwards.
Therefore, in this embodiment, the influence of each node is determined and the nodes are ranked by it, where the influence is determined by the following formula:
wherein σ_ij is the number of shortest paths from node i to node j, σ_ij(e) is the number of those shortest paths that pass through node e, σ_ij(v) is the number of those shortest paths that pass through edge v, N is the number of all nodes in the network, and λ is the tightness factor of node i.
Although the nodes of the end layer are discarded, they likewise contribute an influence, so such nodes need to be removed first; for this reason the tightness factor λ is defined as follows:
wherein the quantities used are the number of neighbor nodes of node i and the number of network end nodes among those neighbor nodes. Thus the maximum value of λ is 1, and the closer a node is to the end tier, the lower its influence value ranks.
In order to ensure the accuracy of the ranking, this embodiment further uses the K-shell decomposition method to obtain the K-shell value of node i and ranks the nodes by K-shell value. K-shell decomposition is a classic algorithm in graph theory: it divides the nodes into different levels, peeling them off layer by layer according to their degree, and the nodes peeled off closer to the core of the graph are the more important ones.
Therefore, node importance is determined from these two aspects; the first fifth of each of the two rankings is taken, and their intersection yields the high-risk nodes.
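Steps b to d above (and the same steps b to d in the summary of the invention) rank the nodes in two ways and intersect the first fifth of each ranking. The following is an added Python example, not code from the patent: it implements the classic K-shell decomposition described in the text and the top-fifth intersection of the two rankings on a small constructed four-tier topology. Because the page does not reproduce the patent's influence formula NI or its tightness factor λ, the example uses plain shortest-path betweenness (Brandes' algorithm, the sum over node pairs of σ_ij(v)/σ_ij) as an assumed stand-in for the influence score; the node names, the edge list and the tie-breaking by node name are constructed assumptions.

```python
from collections import defaultdict, deque

# Constructed sample topology (undirected), an assumption for the demo: a backbone
# triangle, one convergence node per backbone node, access nodes below them, and
# end-tier leaves.  It stands in for the topology that step a would acquire.
SAMPLE_EDGES = [
    ("core1", "core2"), ("core1", "core3"), ("core2", "core3"),   # backbone layer
    ("core1", "agg1"), ("core2", "agg2"), ("core3", "agg3"),      # convergence layer
    ("agg1", "acc1"), ("agg1", "acc2"), ("agg2", "acc3"), ("agg3", "acc4"),  # access layer
    ("acc1", "end1"), ("acc1", "end2"), ("acc2", "end3"),         # end tier
    ("acc3", "end4"), ("acc4", "end5"), ("acc4", "end6"),
]


def build_adjacency(edges):
    """Undirected adjacency sets keyed by node name."""
    adj = defaultdict(set)
    for u, v in edges:
        adj[u].add(v)
        adj[v].add(u)
    return dict(adj)


def betweenness(adj):
    """Shortest-path betweenness (Brandes): for each node v, the sum over node pairs
    (i, j) of sigma_ij(v) / sigma_ij.  This is only an assumed stand-in for the
    patent's influence score NI; the page does not reproduce that formula."""
    score = dict.fromkeys(adj, 0.0)
    for s in adj:
        order, preds = [], {v: [] for v in adj}
        sigma = dict.fromkeys(adj, 0)
        dist = dict.fromkeys(adj, -1)
        sigma[s], dist[s] = 1, 0
        queue = deque([s])
        while queue:                      # BFS counting shortest paths from s
            v = queue.popleft()
            order.append(v)
            for w in adj[v]:
                if dist[w] < 0:
                    dist[w] = dist[v] + 1
                    queue.append(w)
                if dist[w] == dist[v] + 1:
                    sigma[w] += sigma[v]
                    preds[w].append(v)
        delta = dict.fromkeys(adj, 0.0)
        while order:                      # back-propagate pair dependencies
            w = order.pop()
            for v in preds[w]:
                delta[v] += sigma[v] / sigma[w] * (1.0 + delta[w])
            if w != s:
                score[w] += delta[w]
    # undirected graph: every unordered pair was visited from both ends
    return {v: x / 2.0 for v, x in score.items()}


def k_shell(adj):
    """Classic K-shell decomposition: repeatedly peel off every remaining node whose
    remaining degree is <= k; a node's shell index is the k at which it is peeled,
    so nodes with a higher index sit closer to the core of the graph."""
    degree = {v: len(nb) for v, nb in adj.items()}
    remaining = set(adj)
    shell, k = {}, 0
    while remaining:
        k = max(k, min(degree[v] for v in remaining))
        peel = [v for v in remaining if degree[v] <= k]
        while peel:
            for v in peel:
                shell[v] = k
                remaining.discard(v)
                for w in adj[v]:
                    if w in remaining:
                        degree[w] -= 1
            peel = [v for v in remaining if degree[v] <= k]
    return shell


def high_risk_nodes(influence, shell, fraction=1 / 5):
    """Steps c-d: take the first fifth of the influence ranking and of the K-shell
    ranking and intersect them.  Ties are broken by node name (an assumption; the
    patent does not say how ties at the cut-off are handled)."""
    top = max(1, int(len(influence) * fraction))
    by_influence = sorted(influence, key=lambda v: (-influence[v], v))[:top]
    by_shell = sorted(shell, key=lambda v: (-shell[v], v))[:top]
    return sorted(set(by_influence) & set(by_shell))


def analyse(edges=SAMPLE_EDGES):
    """Run steps b-d on an edge list; returns (influence, k-shell, high-risk nodes)."""
    adj = build_adjacency(edges)
    influence = betweenness(adj)
    shell = k_shell(adj)
    return influence, shell, high_risk_nodes(influence, shell)


if __name__ == "__main__":
    influence, shell, risky = analyse()
    for v in sorted(influence, key=lambda v: (-influence[v], v)):
        print(f"{v:6s} influence={influence[v]:5.1f}  k-shell={shell[v]}")
    print("high-risk nodes (top fifth of both rankings):", risky)
```

On the constructed topology the convergence node agg1 has the highest betweenness (it carries all traffic of the largest branch) but only K-shell index 1, while core2 sits in the 2-shell but ranks below agg1 and core3 on betweenness; the intersection therefore keeps only core1 and core3, which is the filtering effect the two-ranking intersection is meant to provide.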
The defense capability of different network devices against network attacks is considered to differ. If the defense force of a high-influence node in the network is high enough, its capacity to resist risk increases correspondingly; for this reason the high-risk nodes must be evaluated to determine their defense force, which is determined by the following formula:
wherein ND is the sum of the node degrees of all nodes in the network, S_i^1 is the sum of the node degrees of the partially failed nodes caused by the failure of node i, and the last quantity is the sum of the node degrees of the completely failed nodes caused by the failure of node i. Naturally, evaluating the defense-force formula requires a simulated harmful-information propagation experiment on the network.
Once the defense force of each high-risk node has been determined, the vulnerability of the network can be determined. Specifically, any high-risk node is taken as the initial node and the harmful-information propagation simulation is carried out.
The maximum connectivity of the network is calculated once per time unit, by the following formula:
wherein S is the number of normal nodes in the network at time t, ND_i is the defense force of node i, f_i(t) is the load of node i at time t, C_i(t_0) is the initial load of node i, and I is the number of affected nodes in the network at time t. In this embodiment, since the affected nodes may not have failed completely, both the number of normal nodes and the node degree of the partially failed nodes must be counted; and because the partially failed nodes operate at reduced efficiency, that efficiency is determined from the combination of the defense force and the load ratio.
Finally, if the maximum connectivity of the network falls below the threshold (which is set from experience), the vulnerability is calculated to determine the vulnerability of the network, by the following formula:
wherein NP is the number of nodes to which the harmful information has propagated and N is the number of all nodes in the network.
Therefore, determining the vulnerability allows the network to be judged effectively, achieving the purpose of prevention.
The above description is only a preferred embodiment of the present invention, and not intended to limit the present invention in other forms, and any person skilled in the art may apply the above modifications or changes to the equivalent embodiments with equivalent changes, without departing from the technical spirit of the present invention, and any simple modification, equivalent change and change made to the above embodiments according to the technical spirit of the present invention still belong to the protection scope of the technical spirit of the present invention.
Claims (2)
1. A quantitative calculation method for network security vulnerability assessment is characterized by comprising the following steps:
a. firstly, acquiring a topological structure of a network, and determining each node and the direction among the nodes;
b. then determining the influence of each node and ranking the nodes by it, where the influence is determined by the following formula:
wherein NI is the influence value of node i, σ_ij is the number of shortest paths from node i to node j, σ_ij(e) is the number of those shortest paths that pass through node e, σ_ij(v) is the number of those shortest paths that pass through edge v, N is the number of all nodes in the network, and λ is the tightness factor of node i;
c. obtaining the K-shell value of node i by the K-shell decomposition method and ranking the nodes by K-shell value;
d. taking the first fifth of each of the rankings obtained in steps b and c and forming their intersection, the intersection nodes being the high-risk nodes;
e. carrying out a simulated harmful-information propagation experiment with the high-risk nodes selected in step d and determining the defense force of each high-risk node, where the defense force is determined by the following formula:
wherein ND_i is the defense force of high-risk node i, ND is the sum of the node degrees of all nodes in the network, S_i^1 is the sum of the node degrees of the partially failed nodes caused by the failure of node i, and the last quantity is the sum of the node degrees of the completely failed nodes caused by the failure of node i;
f. determining the vulnerability of the network according to the defense force of the high-risk nodes, wherein in step f the simulated harmful-information propagation experiment on the network comprises the following steps:
f1. taking any high-risk node determined in step d as the initial node and carrying out the harmful-information propagation simulation;
f2. calculating the maximum connectivity of the network once per time unit;
f3. if the maximum connectivity of the network falls below a threshold value, performing the vulnerability calculation to determine the vulnerability of the network, where the network vulnerability is determined by the following formula:
wherein Cr is the network vulnerability value, NP is the number of nodes to which the harmful information has propagated, and N is the number of all nodes in the network;
in step f2, the maximum connectivity of the network is calculated by the following formula:
wherein G is the maximum connectivity value of the network, S is the number of normal nodes in the network at time t, ND_i is the defense force of node i, f_i(t) is the load of node i at time t, C_i(t_0) is the initial load of node i, and I is the number of affected nodes in the network at time t.
Priority Applications (1)
Application Number | Priority Date | Filing Date | Title |
---|---|---|---|
CN202310114390.4A CN115801591B (en) | 2023-02-15 | 2023-02-15 | Quantitative calculation method for network security vulnerability assessment |
Publications (2)
Publication Number | Publication Date |
---|---|
CN115801591A CN115801591A (en) | 2023-03-14 |
CN115801591B true CN115801591B (en) | 2023-04-18 |
Family ID: 85430996
Family Applications (1)
Application Number | Title | Priority Date | Filing Date |
---|---|---|---|
CN202310114390.4A Active CN115801591B (en) | 2023-02-15 | 2023-02-15 | Quantitative calculation method for network security vulnerability assessment |
Country Status (1)
Country | Link |
---|---|
CN (1) | CN115801591B (en) |
Citations (2)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
WO2015070466A1 (en) * | 2013-11-18 | 2015-05-21 | 国家电网公司 | Security risk assessment method and apparatus |
AU2020103195A4 (en) * | 2020-11-03 | 2021-01-14 | East China University Of Science And Technology | A Method for Detecting Vulnerability of Large-scale Power Grid Based On Complex Network |
Family Cites Families (9)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
US20180315083A1 (en) * | 2015-01-09 | 2018-11-01 | Research Foundation Of The City University Of New York | Method to maximize message spreading in social networks and find the most influential people in social media |
CN105991521B (en) * | 2015-01-30 | 2019-06-21 | 阿里巴巴集团控股有限公司 | Network risk assessment method and device |
CN111950155A (en) * | 2020-08-14 | 2020-11-17 | 江苏师范大学 | Vulnerability assessment method for urban public transport system |
CN111950153A (en) * | 2020-08-14 | 2020-11-17 | 江苏师范大学 | Power network vulnerability assessment method based on multiple attack strategies |
CN112615365B (en) * | 2020-12-08 | 2022-04-19 | 国网四川省电力公司经济技术研究院 | Smart power grid vulnerability key point identification method and device |
CN112633649A (en) * | 2020-12-11 | 2021-04-09 | 国网辽宁省电力有限公司经济技术研究院 | Power grid multi-attribute important node evaluation and planning method |
CN114665498A (en) * | 2020-12-23 | 2022-06-24 | 南京邮电大学 | Active power distribution network fragile node identification method considering new energy influence |
CN115515098A (en) * | 2022-08-22 | 2022-12-23 | 西北工业大学 | Unmanned aerial vehicle cluster vulnerability node identification method |
CN115577292A (en) * | 2022-10-25 | 2023-01-06 | 黄河交通学院 | Vulnerable line identification method based on abstract dual network and cascading failure super network |
Non-Patent Citations (2)
Title |
---|
Kong Jiang-Tao et al. Evaluation methods of node importance in undirected weighted networks based on complex network dynamics models. 《物理学报》, 2018, full text. * |
Ruan Yi-Run et al. Node importance measurement based on neighborhood similarity in complex network. 《物理学报》, 2017, full text. * |
Also Published As
Publication number | Publication date |
---|---|
CN115801591A (en) | 2023-03-14 |
Similar Documents
Publication | Title |
---|---|
CN112073411B (en) | Network security deduction method, device, equipment and storage medium |
Roy et al. | Scalable optimal countermeasure selection using implicit enumeration on attack countermeasure trees |
CN112819300B (en) | Power distribution network risk assessment method based on random game network under network attack |
CN111031003B (en) | Intelligent evaluation system of cross-network isolation safety system |
CN107682195B (en) | Communication network robustness evaluation method based on combination of complex network and big data |
CN103152345A (en) | Network safety optimum attacking and defending decision method for attacking and defending game |
CN110210229B (en) | Method and system for evaluating vulnerability of power grid information physical system and storage medium |
Hirayama et al. | Fast target link flooding attack detection scheme by analyzing traceroute packets flow |
Li | Network security evaluation and optimal active defense based on attack and defense game model |
Ankali et al. | Detection architecture of application layer DDoS attack for internet |
CN112261042B (en) | Anti-seepage system based on attack hazard assessment |
Jiang et al. | BSD-Guard: A Collaborative Blockchain-Based Approach for Detection and Mitigation of SDN-Targeted DDoS Attacks |
Wang et al. | Threat Analysis of Cyber Attacks with Attack Tree+. |
Valizadeh et al. | Ddos attacks detection in multi-controller based software defined network |
CN115801591B (en) | Quantitative calculation method for network security vulnerability assessment |
Le et al. | A threat computation model using a Markov Chain and common vulnerability scoring system and its application to cloud security |
Alhamami et al. | DDOS attack detection using machine learning algorithm in SDN network |
Heenan et al. | A survey of Intrusion Detection System technologies |
CN113032782A (en) | Virus transmission inhibition method |
Ghafari et al. | SDN-based Deep Anomaly Detection for Securing Cloud Gaming Servers |
Bu et al. | Trading resiliency for security: Model and algorithms |
SA et al. | In-network probabilistic monitoring primitives under the influence of adversarial network inputs |
Sahu et al. | Score: A security-oriented cyber-physical optimal response engine |
Ahmed et al. | Towards autonomic risk-aware security configuration |
Rakshitha et al. | A survey on detection and mitigation of zombie attacks in cloud environment |
Legal Events
Date | Code | Title | Description |
---|---|---|---|
| PB01 | Publication | |
| SE01 | Entry into force of request for substantive examination | |
| GR01 | Patent grant | |