CN115913640A - Large-scale network attack deduction and risk early warning method based on attack graph - Google Patents


Info

Publication number: CN115913640A
Application number: CN202211279389.9A
Authority: CN (China)
Prior art keywords: attack, graph, heterogeneous, network, community
Legal status: granted, currently active (status and dates are as listed by Google Patents, which has performed no legal analysis; they are assumptions, not legal conclusions)
Other languages: Chinese (zh)
Other versions: CN115913640B (en)
Inventors: 魏兴慎, 犹锋, 杨维永, 周剑, 张浩天, 曹永健, 吴超, 田秋涵, 刘苇, 高鹏, 王晔, 郭靓, 朱溢铭, 刘剑, 张付存, 俞皓, 贾雪, 蒋甜, 唐亚东, 李昱, 姜训, 杨雨轩, 陕大诚
Current assignee: Nari Information and Communication Technology Co (the listed assignee may be inaccurate)
Original assignee: Nari Information and Communication Technology Co
Priority date: 2022-10-19
Filing date: 2022-10-19
Publication date: 2023-04-04 (CN115913640A); 2023-09-05 (granted as CN115913640B)

Classifications

    • Y: GENERAL TAGGING OF NEW TECHNOLOGICAL DEVELOPMENTS; GENERAL TAGGING OF CROSS-SECTIONAL TECHNOLOGIES SPANNING OVER SEVERAL SECTIONS OF THE IPC; TECHNICAL SUBJECTS COVERED BY FORMER USPC CROSS-REFERENCE ART COLLECTIONS [XRACs] AND DIGESTS
    • Y02: TECHNOLOGIES OR APPLICATIONS FOR MITIGATION OR ADAPTATION AGAINST CLIMATE CHANGE
    • Y02D: CLIMATE CHANGE MITIGATION TECHNOLOGIES IN INFORMATION AND COMMUNICATION TECHNOLOGIES [ICT], I.E. INFORMATION AND COMMUNICATION TECHNOLOGIES AIMING AT THE REDUCTION OF THEIR OWN ENERGY USE
    • Y02D30/00: Reducing energy consumption in communication networks
    • Y02D30/50: Reducing energy consumption in communication networks in wire-line communication networks, e.g. low power modes or reduced link rate

Landscapes

  • Computer And Data Communications (AREA)

Abstract

The invention discloses a large-scale network attack deduction and risk early warning method based on an attack graph, comprising the following steps: collect the vulnerability data and external connection relations of each server in the large-scale network and construct a network topology graph; mine communities in the network topology graph and generate the corresponding community heterogeneous subgraphs; transform the community heterogeneous subgraphs to generate a topological skeleton graph of the network topology graph; run attack deduction on the topological skeleton graph to generate its attack graph; cluster the community heterogeneous subgraphs into clusters; randomly select one community heterogeneous subgraph from each cluster and run attack deduction on it to generate an attack graph containing attack paths; after an attack event is detected, dynamically infer the attack path from the attack graph and at the same time check whether the community heterogeneous subgraphs in the same cluster carry a similar risk of being attacked. The method reduces the computational complexity of attack deduction and improves its efficiency, and also enables whole-network investigation and early warning of security risks in a large-scale network.

Description

Large-scale network attack deduction and risk early warning method based on attack graph
Technical Field
The invention relates to a large-scale network attack deduction and risk early warning method based on an attack graph, and belongs to the technical field of information security.
Background
With the continuing development of network attack and defense technology, the security problems faced by national critical information infrastructure keep growing and network security risk keeps rising. Network threats are becoming intelligent and automated, and an attack typically chains several attack steps into a complex attack process. Attackers usually exploit existing weaknesses of the system, including system vulnerabilities, service vulnerabilities and non-compliant configurations, to launch attacks. Conventional network security monitoring equipment can detect a single-step attack event to some extent and report it to a situational awareness platform, but it struggles with detecting multi-step combined attack behaviour and with deducing how an attack will proceed. Attack path analysis and dynamic deduction of attack behaviour based on a network topology graph and an attack graph, together with risk investigation of systems that have not yet been attacked based on an attack event that has occurred, can effectively improve network security analysis capability, shorten response time, raise the overall protection level, and support situational-map-driven ("wall chart") operations.
Conventional network security attack graphs are of two kinds, attribute attack graphs and state attack graphs. On a large-scale system such as national critical information infrastructure the number of network assets is huge, so both kinds suffer from state explosion and analysis is inefficient. In addition, conventional attack graphs focus on the process of exploiting individual vulnerabilities, so the attack process cannot be displayed intuitively at a higher level of abstraction.
Disclosure of Invention
The invention aims to overcome the above defects of the prior art by providing a large-scale network attack deduction and risk early warning method based on an attack graph, which reduces the computational complexity of attack deduction, thereby improving efficiency, and provides security risk early warning for a large-scale network.
In order to achieve the purpose, the invention is realized by adopting the following technical scheme:
In a first aspect, the invention provides a large-scale network attack deduction method based on an attack graph, comprising:
when an attack event is detected, acquiring the vulnerability data and attack target information contained in the attack event;
querying the corresponding attack graph from a pre-constructed attack graph library according to the attack target information;
matching the vulnerability data against the attack graph to obtain the corresponding attack path;
parsing the attack path into an attack step sequence and taking the next attack step as the deduction result;
wherein the attack graph library is constructed by the following steps:
collecting the vulnerability data and external connection relations of each server in the large-scale network and constructing a network topology graph;
mining communities in the network topology graph with the BigCLAM algorithm (an overlapping community detection algorithm, so a node may belong to several communities) and generating the corresponding community heterogeneous subgraphs;
transforming the non-overlapping regions of the community heterogeneous subgraphs to generate a topological skeleton graph of the network topology graph;
running attack deduction on the topological skeleton graph with the MulVAL tool (a logic-based attack graph generator) to generate the corresponding attack graph containing attack paths;
computing a vector representation of each community heterogeneous subgraph with the MetaPath2vec method (a heterogeneous network embedding) and clustering the subgraphs by their vector representations to obtain clusters;
randomly selecting one community heterogeneous subgraph from each cluster and running attack deduction on it with MulVAL to generate the corresponding attack graph containing attack paths;
and collecting the attack graph of the topological skeleton graph and the attack graphs of the clusters into the attack graph library.
Optionally, constructing the network topology graph comprises: taking each server as a node, its vulnerability data as the attributes of the node, and its external connection relations as the edges of the node.
Optionally, generating the topological skeleton graph of the network topology graph comprises: replacing the non-overlapping nodes of each community heterogeneous subgraph with a single super node, and letting the super node inherit the attributes and the edges of the non-overlapping nodes it replaces.
Optionally, querying the corresponding attack graph from the pre-constructed attack graph library according to the attack target information comprises:
querying whether a node corresponding to the attack target information exists in the topological skeleton graph, and if so, taking the attack graph of the topological skeleton graph;
otherwise, querying whether a node corresponding to the attack target information exists in any community heterogeneous subgraph, and if so, taking the attack graph of the cluster to which that community heterogeneous subgraph belongs.
Optionally, if no attack path matching the vulnerability data can be obtained from the attack graph of the cluster to which the community heterogeneous subgraph belongs, the community heterogeneous subgraph itself is deduced with the MulVAL tool to generate its own attack graph, and the vulnerability data is matched again against that attack graph.
In a second aspect, the invention provides a risk early warning method based on the above attack-graph-based large-scale network attack deduction method, comprising:
acquiring the community heterogeneous subgraph containing the node that corresponds to the attack target information, and determining the cluster to which it belongs;
and searching the other community heterogeneous subgraphs in that cluster for a path containing the whole attack step sequence; if such a path exists, the corresponding community heterogeneous subgraph is at risk of being attacked by the same attack event.
Compared with the prior art, the invention has the following beneficial effects:
The invention provides a large-scale network attack deduction and risk early warning method based on an attack graph. It first collects the vulnerability data and external connection relations of each server in the large-scale network and constructs a network topology graph; it then generates community heterogeneous subgraphs and a topological skeleton graph from the network topology graph, and generates an attack graph for the topological skeleton graph and for a representative subgraph of each cluster; after an attack event is detected, it dynamically infers the attack path from the attack graph and at the same time checks whether the community heterogeneous subgraphs in the same cluster carry a similar risk of being attacked. The method reduces the computational complexity of attack deduction and improves its efficiency, and also enables whole-network investigation and early warning of security risks in a large-scale network.
Drawings
FIG. 1 is a flowchart of constructing an attack graph library according to an embodiment of the present invention;
fig. 2 is a flowchart of a method for deducing a large-scale network attack based on an attack graph according to an embodiment of the present invention.
Detailed Description
The invention is further described below with reference to the accompanying drawings. The following examples are only for illustrating the technical solutions of the present invention more clearly, and the protection scope of the present invention is not limited thereby.
Embodiment one:
As shown in FIG. 1, an attack graph library must be constructed before attack deduction, by the following steps:
S101, collect the vulnerability data and external connection relations of each server in the large-scale network and construct a network topology graph;
the network topology graph is constructed by taking each server as a node, its vulnerability data as the attributes of the node, and its external connection relations as the edges of the node.
S102, mine communities in the network topology graph with the BigCLAM algorithm and generate the corresponding community heterogeneous subgraphs; because BigCLAM detects overlapping communities, a node may appear in more than one subgraph.
S103, transform the non-overlapping regions of the community heterogeneous subgraphs to generate a topological skeleton graph of the network topology graph;
the topological skeleton graph is generated by replacing the non-overlapping nodes of each community heterogeneous subgraph with a single super node that inherits the attributes and the edges of the nodes it replaces, so that only the overlapping nodes and the super nodes remain.
S104, run attack deduction on the topological skeleton graph with the MulVAL tool to generate the corresponding attack graph containing attack paths;
S105, compute a vector representation of each community heterogeneous subgraph with the MetaPath2vec method and cluster the subgraphs by their vector representations to obtain clusters;
S106, randomly select one community heterogeneous subgraph from each cluster and run attack deduction on it with the MulVAL tool to generate the corresponding attack graph containing attack paths;
S107, collect the attack graph of the topological skeleton graph and the attack graphs of the clusters into the attack graph library.
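Steps S101 to S107 worked through as an added example; this is illustrative code, not the patent's implementation. The server names, vulnerability labels, connection relations and the overlapping community membership are all constructed here (the patent computes the communities with BigCLAM; the labels are hypothetical placeholders, not real identifiers), and the attack-path derivation is a plain reachability walk standing in for MulVAL. The point of step S103 is visible in the result: enumerating attack paths over the skeleton graph visits fewer states than over the full topology, which is the state-explosion reduction the description claims.

```python
from collections import defaultdict

# Constructed sample: server -> set of vulnerability labels (node attributes).
# The labels are hypothetical placeholders, not real vulnerability identifiers.
VULNS = {
    "web1": {"V-web-rce"}, "web2": {"V-web-rce"},
    "app1": {"V-app-deser"}, "app2": {"V-app-deser"},
    "gw": {"V-gw-default-cred"},      # gateway shared by both communities
    "db1": {"V-db-weak-auth"},
}
# Constructed sample: undirected external connection relations (edges).
EDGES = {("web1", "app1"), ("web2", "app1"), ("app1", "gw"),
         ("gw", "app2"), ("app2", "db1")}
# Constructed sample: overlapping communities as an overlapping-community
# detector such as BigCLAM would output; "gw" belongs to both.
COMMUNITIES = [{"web1", "web2", "app1", "gw"}, {"gw", "app2", "db1"}]


def adjacency(edges):
    adj = defaultdict(set)
    for a, b in edges:
        adj[a].add(b)
        adj[b].add(a)
    return adj


def skeleton(vulns, edges, communities):
    """S103: replace the non-overlapping (exclusive) nodes of each community by
    one super node that inherits their vulnerability attributes and edges.
    Overlapping nodes are kept. Returns (node->vulns, edge set, node mapping)."""
    membership = defaultdict(int)
    for c in communities:
        for n in c:
            membership[n] += 1
    mapping = {}
    for i, c in enumerate(communities):
        for n in c:
            # exclusive node -> super node S<i>; overlapping node keeps its name
            mapping[n] = f"S{i}" if membership[n] == 1 else n
    for n in vulns:
        mapping.setdefault(n, n)       # nodes outside every community are kept
    sk_vulns = defaultdict(set)
    for n, vs in vulns.items():
        sk_vulns[mapping[n]] |= vs     # super node inherits the attributes
    sk_edges = set()
    for a, b in edges:
        sa, sb = mapping[a], mapping[b]
        if sa != sb:                   # edges inside one super node collapse
            sk_edges.add(tuple(sorted((sa, sb))))
    return dict(sk_vulns), sk_edges, mapping


def attack_paths(vulns, edges, entry, goal):
    """Stand-in for MulVAL: enumerate simple paths from entry to goal in which
    every hop lands on an exploitable node (one that has a vulnerability).
    Each step is (node, vulnerability). Also returns the number of states the
    search visited, to compare full topology against skeleton."""
    adj = adjacency(edges)
    paths, visited = [], 0

    def walk(node, path, seen):
        nonlocal visited
        visited += 1
        if node == goal:
            paths.append(path)
            return
        for nxt in sorted(adj[node]):
            if nxt in seen or not vulns.get(nxt):
                continue
            for v in sorted(vulns[nxt]):
                walk(nxt, path + [(nxt, v)], seen | {nxt})

    walk(entry, [], {entry})
    return paths, visited


if __name__ == "__main__":
    full, n_full = attack_paths(VULNS, EDGES, "web1", "db1")
    sk_v, sk_e, _ = skeleton(VULNS, EDGES, COMMUNITIES)
    red, n_red = attack_paths(sk_v, sk_e, "S0", "S1")
    print(len(full), "path(s) over", n_full, "states on the full topology;",
          len(red), "path(s) over", n_red, "states on the skeleton")
```

The skeleton keeps the shared gateway as a real node and folds each community's private servers into one super node carrying the union of their vulnerabilities, so a path over the skeleton says "some host in community 1 with V-app-deser or V-db-weak-auth" rather than naming the host; that is the higher-level view the description asks for, at the price of losing which specific server is on the path.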
As shown in FIG. 2, the large-scale network attack deduction method based on an attack graph comprises the following steps:
S201, after an attack event is detected, acquire the vulnerability data and attack target information contained in the attack event.
S202, query the corresponding attack graph from the pre-constructed attack graph library according to the attack target information, as follows:
query whether a node corresponding to the attack target information exists in the topological skeleton graph, and if so, take the attack graph of the topological skeleton graph;
otherwise, query whether a node corresponding to the attack target information exists in any community heterogeneous subgraph, and if so, take the attack graph of the cluster to which that community heterogeneous subgraph belongs.
If no attack path matching the vulnerability data can be obtained from the attack graph of that cluster (the cluster's attack graph was generated from one randomly chosen representative subgraph, so it need not cover every path of every member of the cluster), deduce the community heterogeneous subgraph itself with the MulVAL tool to generate its own attack graph, and match the vulnerability data again against that attack graph.
S203, match the vulnerability data against the attack graph to obtain the corresponding attack path.
S204, parse the attack path into an attack step sequence and take the next attack step as the deduction result.
Embodiment two:
Building on embodiment one, this embodiment provides a risk early warning method based on the above attack-graph-based large-scale network attack deduction method, comprising:
acquiring the community heterogeneous subgraph containing the node that corresponds to the attack target information, and determining the cluster to which it belongs;
and searching the other community heterogeneous subgraphs in that cluster for a path containing the whole attack step sequence; if such a path exists, the corresponding community heterogeneous subgraph is judged to be at risk of being attacked by the same attack event.
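Steps S201 to S204 and the early-warning check of embodiment two, worked through as an added example that is not the patent's code. The attack graph library, the assignment of servers to community subgraphs and of subgraphs to clusters (which the patent obtains from BigCLAM and from clustering MetaPath2vec vectors) and the per-subgraph topologies are all constructed inline, and the vulnerability labels are hypothetical placeholders rather than real identifiers. Matching is done on the vulnerability sequence rather than on host names, because a cluster's attack graph was generated from one representative subgraph and therefore names that subgraph's hosts, not the victim's; when nothing matches the function returns None, which is the point at which the patent falls back to running MulVAL on the victim subgraph itself.

```python
from collections import defaultdict

# --- constructed attack graph library (stand-in for MulVAL output) ---
# An attack graph is kept as a list of attack paths; each path is a list of
# (node, vulnerability) steps in attack order. Labels are placeholders.
LIBRARY = {
    "skeleton": {"nodes": {"S0", "gw", "S1"},
                 "paths": [[("S0", "V-web-rce"), ("gw", "V-gw-default-cred"),
                            ("S1", "V-db-weak-auth")]]},
    "cluster-A": {"nodes": {"web1", "app1", "db1"},   # representative subgraph
                  "paths": [[("web1", "V-web-rce"), ("app1", "V-app-deser"),
                             ("db1", "V-db-weak-auth")]]},
}
# Community subgraph of each server, and the cluster each subgraph fell into.
SUBGRAPH_OF = {"web1": "sub-1", "app1": "sub-1", "db1": "sub-1",
               "web7": "sub-2", "app7": "sub-2", "db7": "sub-2",
               "web9": "sub-3", "app9": "sub-3"}
CLUSTER_OF = {"sub-1": "cluster-A", "sub-2": "cluster-A", "sub-3": "cluster-A"}
# Per-subgraph topology (node -> vulns, undirected edges) for the risk check.
SUBGRAPHS = {
    "sub-1": ({"web1": {"V-web-rce"}, "app1": {"V-app-deser"},
               "db1": {"V-db-weak-auth"}}, {("web1", "app1"), ("app1", "db1")}),
    "sub-2": ({"web7": {"V-web-rce"}, "app7": {"V-app-deser"},
               "db7": {"V-db-weak-auth"}}, {("web7", "app7"), ("app7", "db7")}),
    "sub-3": ({"web9": {"V-web-rce"}, "app9": {"V-app-deser"}},
              {("web9", "app9")}),          # no database tier in this one
}


def lookup_graph(library, target):
    """S202: skeleton graph first, then the attack graph of the cluster that
    holds the target's community subgraph. None when the target is unknown."""
    if target in library["skeleton"]["nodes"]:
        return library["skeleton"]
    sub = SUBGRAPH_OF.get(target)
    return library.get(CLUSTER_OF[sub]) if sub else None


def deduce_next_step(graph, observed_vulns):
    """S203/S204: find an attack path whose vulnerability sequence contains the
    observed vulnerabilities contiguously; return (matched path, next step) or
    None when no path matches (the patent then re-runs MulVAL on the subgraph).
    next step is None when the observed steps already reach the end of a path."""
    k = len(observed_vulns)
    for path in graph["paths"]:
        vulns = [v for _, v in path]
        for i in range(len(vulns) - k + 1):
            if vulns[i:i + k] == observed_vulns:
                nxt = path[i + k] if i + k < len(path) else None
                return path, nxt
    return None


def has_step_sequence(nodes, edges, vuln_seq):
    """Does the subgraph contain a simple walk whose hosts carry vuln_seq in
    order, one vulnerability per hop? Depth-first search over hosts."""
    adj = defaultdict(set)
    for a, b in edges:
        adj[a].add(b)
        adj[b].add(a)

    def extend(node, i, seen):
        if i == len(vuln_seq):
            return True
        return any(vuln_seq[i] in nodes.get(n, ()) and extend(n, i + 1, seen | {n})
                   for n in adj[node] if n not in seen)

    return any(vuln_seq[0] in nodes[n] and extend(n, 1, {n}) for n in nodes)


def early_warning(target, step_sequence):
    """Embodiment two: the other subgraphs in the target's cluster that contain
    the whole attack step sequence are at risk of the same attack."""
    victim = SUBGRAPH_OF[target]
    cluster = CLUSTER_OF[victim]
    vuln_seq = [v for _, v in step_sequence]
    return sorted(s for s, c in CLUSTER_OF.items()
                  if c == cluster and s != victim
                  and has_step_sequence(*SUBGRAPHS[s], vuln_seq))


if __name__ == "__main__":
    # S201: constructed event, two steps already seen against app7's subgraph
    target, seen_vulns = "app7", ["V-web-rce", "V-app-deser"]
    graph = lookup_graph(LIBRARY, target)
    path, nxt = deduce_next_step(graph, seen_vulns)
    print("predicted next step:", nxt)
    print("subgraphs in the same cluster at risk:", early_warning(target, path))
```

The early-warning check deliberately requires connectivity, not just the presence of the same vulnerabilities: sub-3 has the web and application tiers with the same weaknesses but no reachable database tier, so the full three-step sequence cannot be replayed there and it is not flagged.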
As will be appreciated by one skilled in the art, embodiments of the present application may be provided as a method, system, or computer program product. Accordingly, the present application may take the form of an entirely hardware embodiment, an entirely software embodiment or an embodiment combining software and hardware aspects. Furthermore, the present application may take the form of a computer program product embodied on one or more computer-usable storage media (including, but not limited to, disk storage, CD-ROM, optical storage, and so forth) having computer-usable program code embodied therein.
The present application is described with reference to flowchart illustrations and/or block diagrams of methods, apparatus (systems), and computer program products according to embodiments of the application. It will be understood that each flow and/or block of the flowchart illustrations and/or block diagrams, and combinations of flows and/or blocks in the flowchart illustrations and/or block diagrams, can be implemented by computer program instructions. These computer program instructions may be provided to a processor of a general purpose computer, special purpose computer, embedded processor, or other programmable data processing apparatus to produce a machine, such that the instructions, which execute via the processor of the computer or other programmable data processing apparatus, create means for implementing the functions specified in the flowchart flow or flows and/or block diagram block or blocks.
These computer program instructions may also be stored in a computer-readable memory that can direct a computer or other programmable data processing apparatus to function in a particular manner, such that the instructions stored in the computer-readable memory produce an article of manufacture including instruction means which implement the function specified in the flowchart flow or flows and/or block diagram block or blocks.
These computer program instructions may also be loaded onto a computer or other programmable data processing apparatus to cause a series of operational steps to be performed on the computer or other programmable apparatus to produce a computer implemented process such that the instructions which execute on the computer or other programmable apparatus provide steps for implementing the functions specified in the flowchart flow or flows and/or block diagram block or blocks.
The above description is only a preferred embodiment of the present invention, and it should be noted that, for those skilled in the art, it is possible to make various improvements and modifications without departing from the technical principle of the present invention, and those improvements and modifications should be considered as the protection scope of the present invention.

Claims (6)

1. A large-scale network attack deduction method based on an attack graph, characterized by comprising the following steps:
when an attack event is detected, acquiring vulnerability data and attack target information in the attack event;
inquiring a corresponding attack graph from a pre-constructed attack graph library according to the attack target information;
matching and acquiring a corresponding attack path from the attack graph according to the vulnerability data;
analyzing the attack path to obtain an attack step sequence, and taking the next attack step as a deduction result;
wherein the construction of the attack graph library comprises the following steps:
collecting vulnerability data and external connection relation of each server in a large network and constructing a network topological graph;
mining communities in the network topological graph by adopting a BigCLAM algorithm and generating corresponding community heterogeneous subgraphs;
transforming the non-overlapping areas of the heterogeneous subgraphs of the communities to generate a topological skeleton graph of a network topological graph;
deducing the topological skeleton graph by using a MulVAL tool to generate a corresponding attack graph containing an attack path;
calculating vector representation of heterogeneous subgraphs of each community by using a MetaPath2vec method, and clustering according to the vector representation to generate clustering clusters;
randomly selecting a community heterogeneous subgraph from each cluster, and deducing to generate a corresponding attack graph containing an attack path by using a MulVAL tool;
and summarizing the topological skeleton graph and the attack graph of the clustering cluster to generate an attack graph library.
2. The method according to claim 1, wherein the constructing the network topology map comprises: and constructing a network topology graph by taking the server as a node, the vulnerability data as the attribute of the node and the external connection relation as the edge of the node.
3. The large-scale network attack deduction method based on the attack graph according to claim 2, wherein the generating of the topological skeleton graph of the network topological graph comprises: and replacing non-overlapping nodes in each group of heterogeneous subgraphs by using super nodes, and enabling the super nodes to inherit the attributes and edges of the corresponding non-overlapping nodes to generate a topological skeleton graph of the network topological graph.
4. The large-scale network attack deduction method based on the attack graph according to claim 3, wherein the querying of the corresponding attack graph from the pre-constructed attack graph library according to the attack target information comprises:
inquiring whether a node corresponding to the attack target information exists in the topological skeleton graph, and if so, acquiring an attack graph of the topological skeleton graph;
and if not, inquiring whether a node corresponding to the attack target information exists in each community heterogeneous subgraph, and if so, acquiring an attack graph of a cluster where the corresponding community heterogeneous subgraph is located.
5. The method as claimed in claim 4, wherein if no attack path matching the vulnerability data can be obtained from the attack graph of the cluster in which the community heterogeneous subgraph is located, the community heterogeneous subgraph is deduced by using a MulVAL tool to generate its corresponding attack graph, and the vulnerability data is matched again against the attack graph corresponding to the community heterogeneous subgraph.
6. A risk early warning method based on the attack graph-based large-scale network attack deduction method of any one of claims 1 to 5, characterized by comprising:
obtaining a community heterogeneous subgraph where a node corresponding to attack target information is located, and determining a cluster to which the node belongs;
and searching whether a path containing the whole attack step sequence exists in the other community heterogeneous subgraphs in the cluster, and if so, judging that the corresponding community heterogeneous subgraph is at risk of being attacked by the attack event.

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN202211279389.9A CN115913640B (en) 2022-10-19 2022-10-19 Large-scale network attack deduction and risk early warning method based on attack graph


Publications (2)

Publication Number Publication Date
CN115913640A true CN115913640A (en) 2023-04-04
CN115913640B CN115913640B (en) 2023-09-05

Family

ID=86475295


Country Status (1)

Country Link
CN (1) CN115913640B (en)

Citations (10)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN104394177A (en) * 2014-12-16 2015-03-04 云南电力调度控制中心 Calculating method of attack target accessibility based on global attack graph
US20160205122A1 (en) * 2013-04-10 2016-07-14 Gabriel Bassett System and Method for Cyber Security Analysis and Human Behavior Prediction
CN105991521A (en) * 2015-01-30 2016-10-05 阿里巴巴集团控股有限公司 Network risk assessment method and network risk assessment device
CN109218276A (en) * 2017-08-01 2019-01-15 全球能源互联网研究院 Network attack graph generation method and system
CN110138762A (en) * 2019-05-09 2019-08-16 南京邮电大学 Vulnerability detection system, method and storage medium based on attack graph network
CN112311780A (en) * 2020-10-23 2021-02-02 国网吉林省电力有限公司电力科学研究院 Method for generating multi-dimensional attack path and attack graph
CN112769869A (en) * 2021-02-09 2021-05-07 浙江工商大学 SDN network security prediction method based on Bayesian attack graph and corresponding system
KR20210074891A (en) * 2019-12-12 2021-06-22 국방과학연구소 Method and apparatus for predicting attack target based on attack graph
CN114915476A (en) * 2022-05-19 2022-08-16 南京南瑞信息通信科技有限公司 Attack deduction graph generation method and system based on network security evaluation process
CA3154249A1 (en) * 2021-04-08 2022-10-08 Nozomi Networks Sagl Method for automatic derivation of attack paths in a network


Non-Patent Citations (2)

* Cited by examiner, † Cited by third party
Title
王宇飞, 高昆仑, 赵婷, 邱健: "Cross-space cascading failure hazard assessment of power cyber-physical systems based on an improved attack graph" (基于改进攻击图的电力信息物理系统跨空间连锁故障危害评估), Proceedings of the CSEE (中国电机工程学报), no. 06 *
胡浩, 叶润国, 张红旗, 杨英杰, 刘玉岭: "A quantification method for network security situation based on attack prediction" (基于攻击预测的网络安全态势量化方法), Journal on Communications (通信学报), no. 10 *

Also Published As

Publication number Publication date
CN115913640B (en) 2023-09-05


Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination
GR01 Patent grant