CN115913640B - Large-scale network attack deduction and risk early warning method based on attack graph - Google Patents
- Publication number: CN115913640B (application CN202211279389.9A)
- Authority: CN (China)
- Prior art keywords: attack, graph, community, heterogeneous, network
- Legal status: Active
Classifications
- Y—GENERAL TAGGING OF NEW TECHNOLOGICAL DEVELOPMENTS; GENERAL TAGGING OF CROSS-SECTIONAL TECHNOLOGIES SPANNING OVER SEVERAL SECTIONS OF THE IPC; TECHNICAL SUBJECTS COVERED BY FORMER USPC CROSS-REFERENCE ART COLLECTIONS [XRACs] AND DIGESTS
- Y02—TECHNOLOGIES OR APPLICATIONS FOR MITIGATION OR ADAPTATION AGAINST CLIMATE CHANGE
- Y02D—CLIMATE CHANGE MITIGATION TECHNOLOGIES IN INFORMATION AND COMMUNICATION TECHNOLOGIES [ICT], I.E. INFORMATION AND COMMUNICATION TECHNOLOGIES AIMING AT THE REDUCTION OF THEIR OWN ENERGY USE
- Y02D30/00—Reducing energy consumption in communication networks
- Y02D30/50—Reducing energy consumption in communication networks in wire-line communication networks, e.g. low power modes or reduced link rate
Landscapes
- Computer And Data Communications (AREA)
Abstract
The application discloses a large-scale network attack deduction and risk early warning method based on an attack graph, comprising the following steps: collecting the vulnerability data and external connection relations of each server in a large-scale network and constructing a network topology graph; mining communities in the network topology graph and generating the corresponding community heterogeneous subgraphs; transforming each community heterogeneous subgraph to generate a topology skeleton graph of the network topology graph; deducing a corresponding attack graph from the topology skeleton graph; clustering the community heterogeneous subgraphs to generate clusters; randomly selecting one community heterogeneous subgraph from each cluster and deducing from it a corresponding attack graph containing attack paths; and, when an attack event is detected, dynamically reasoning about the attack path according to the attack graph and checking whether the community heterogeneous subgraphs in the same cluster are exposed to a similar risk of being attacked. The method not only reduces the computational complexity of attack deduction and improves efficiency, but also enables network-wide investigation and early warning of security risks in a large-scale network.
Description
Technical Field
The application relates to a large-scale network attack deduction and risk early warning method based on an attack graph, and belongs to the technical field of information security.
Background
With the continuous development of network attack and defense technology, the security problems faced by networks such as national critical information infrastructure keep growing, network security risk keeps rising, and network threats are moving towards intelligence and automation; an attack typically combines several attack steps into a complex attack process. An attacker often exploits existing weaknesses of the system, including system vulnerabilities, business-logic vulnerabilities and non-compliant configurations, to launch an attack. Traditional network security monitoring equipment can detect single-step attack events to a certain extent and report them to a situational awareness platform, but detecting and deducing attack behaviour that combines multiple steps remains a hard problem. Attack path analysis based on the network topology graph and the attack graph, dynamic deduction of attack behaviour, and, on the basis of an attack event that has already occurred, risk investigation of the systems that have not yet been attacked can effectively improve network security analysis capability, the timeliness of security response and the overall protection capability, and thereby enable map-based operations.
Traditional network security attack graphs include the attribute attack graph and the state attack graph, but on a large-scale system such as national critical information infrastructure the number of network assets is usually huge, and both kinds suffer from the state explosion problem, so analysis efficiency is low. Meanwhile, the traditional attack graph focuses on the process of exploiting vulnerabilities, so the attack process cannot be displayed intuitively at a higher level.
Disclosure of Invention
The application aims to overcome the defects of the prior art and provides a large-scale network attack deduction and risk early warning method based on an attack graph, which reduces the computational complexity of attack deduction, thereby improving efficiency, and realises security risk early warning for a large-scale network.
In order to achieve the above purpose, the application adopts the following technical scheme:
In a first aspect, the present application provides a large-scale network attack deduction method based on an attack graph, comprising:
after an attack event is detected, obtaining the vulnerability data and attack target information of the attack event;
querying a corresponding attack graph from a pre-constructed attack graph library according to the attack target information;
matching and acquiring the corresponding attack paths from the attack graph according to the vulnerability data;
analysing an attack path to obtain the attack step sequence, and taking the next attack step as the deduction result;
wherein the construction of the attack graph library comprises the following steps:
collecting the vulnerability data and external connection relations of each server in the large-scale network and constructing a network topology graph;
mining communities in the network topology graph with the BigCLAM algorithm and generating the corresponding community heterogeneous subgraphs;
transforming the non-overlapping areas of each community heterogeneous subgraph to generate a topology skeleton graph of the network topology graph;
deducing, with the MulVAL tool, a corresponding attack graph containing attack paths from the topology skeleton graph;
computing a vector representation of each community heterogeneous subgraph with the MetaPath2vec method, and clustering the vector representations to generate clusters;
randomly selecting one community heterogeneous subgraph from each cluster and deducing, with the MulVAL tool, a corresponding attack graph containing attack paths;
and aggregating the attack graphs of the topology skeleton graph and of the clusters into the attack graph library.
Optionally, constructing the network topology graph comprises: constructing the network topology graph with each server as a node, its vulnerability data as the node's attributes and its external connection relations as the node's edges.
Optionally, generating the topology skeleton graph of the network topology graph comprises: replacing the non-overlapping nodes of each community heterogeneous subgraph with a supernode, the supernode inheriting the attributes and edges of the non-overlapping nodes it replaces, to generate the topology skeleton graph of the network topology graph.
Optionally, querying the corresponding attack graph from the pre-constructed attack graph library according to the attack target information comprises:
querying whether a node corresponding to the attack target information exists in the topology skeleton graph and, if so, acquiring the attack graph of the topology skeleton graph;
if no node corresponding to the attack target information exists there, querying whether a node corresponding to the attack target information exists in each community heterogeneous subgraph and, if so, acquiring the attack graph of the cluster in which the corresponding community heterogeneous subgraph is located.
Optionally, if no attack path matching the vulnerability data can be obtained from the attack graph of the cluster in which the community heterogeneous subgraph is located, the community heterogeneous subgraph itself is deduced with the MulVAL tool to generate its own attack graph, and the vulnerability data is matched again against that attack graph.
In a second aspect, the present application provides a risk early warning method based on the above attack graph-based large-scale network attack deduction method, comprising:
acquiring the community heterogeneous subgraph of the node corresponding to the attack target information, and determining the cluster to which that community heterogeneous subgraph belongs;
searching whether a path containing the whole attack step sequence exists in the other community heterogeneous subgraphs of the cluster and, if so, marking the corresponding community heterogeneous subgraph as at risk of the same attack event.
Compared with the prior art, the application has the beneficial effects that:
The application provides a large-scale network attack deduction and risk early warning method based on an attack graph: first, the vulnerability data and external connection relations of the servers in the large-scale network are collected and a network topology graph is constructed; second, community heterogeneous subgraphs and a topology skeleton graph are generated from the network topology graph; then attack graphs are generated for the community heterogeneous subgraphs and for the topology skeleton graph respectively; and when an attack event is detected, the attack path is dynamically reasoned about according to the attack graph, and the community heterogeneous subgraphs in the same cluster are checked for a similar risk of being attacked. The method not only reduces the computational complexity of attack deduction and improves efficiency, but also enables network-wide investigation and early warning of security risks in a large-scale network.
Drawings
FIG. 1 is a flowchart of the attack graph library construction provided in the first embodiment of the present application;
FIG. 2 is a flowchart of the large-scale network attack deduction method based on an attack graph according to an embodiment of the present application.
Detailed Description
The application is further described below with reference to the accompanying drawings. The following examples are only for more clearly illustrating the technical aspects of the present application, and are not intended to limit the scope of the present application.
Embodiment one:
As shown in FIG. 1, an attack graph library needs to be constructed before attack deduction, which specifically comprises the following steps:
S101, collecting the vulnerability data and external connection relations of all servers in the large-scale network and constructing a network topology graph;
constructing the network topology graph comprises: constructing the network topology graph with each server as a node, its vulnerability data as the node's attributes and its external connection relations as the node's edges.
S102, mining communities in the network topology graph with the BigCLAM algorithm and generating the corresponding community heterogeneous subgraphs.
S103, transforming the non-overlapping areas of the community heterogeneous subgraphs to generate a topology skeleton graph of the network topology graph;
generating the topology skeleton graph of the network topology graph comprises: replacing the non-overlapping nodes of each community heterogeneous subgraph with a supernode, the supernode inheriting the attributes and edges of the non-overlapping nodes it replaces, to generate the topology skeleton graph of the network topology graph.
S104, deducing, with the MulVAL tool, a corresponding attack graph containing attack paths from the topology skeleton graph;
S105, computing a vector representation of each community heterogeneous subgraph with the MetaPath2vec method and clustering the vector representations to generate clusters;
S106, randomly selecting one community heterogeneous subgraph from each cluster and deducing, with the MulVAL tool, a corresponding attack graph containing attack paths;
S107, aggregating the attack graphs of the topology skeleton graph and of the clusters into the attack graph library.
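As an added illustration of steps S101 to S103 (example code, not the patent's own), the following Python builds the topology skeleton from a constructed network topology graph. It assumes servers are node ids carrying a set of vulnerability ids, edges are undirected pairs, and the community list is what a BigCLAM run would return (possibly overlapping); BigCLAM itself is not executed here.

```python
# Added example, not the patent's code. Assumed representation: node -> set of
# vulnerability ids; undirected edges as frozensets; communities as sets of
# node ids that may overlap (BigCLAM output, constructed by hand below).

def build_skeleton(nodes, edges, communities):
    """Collapse the non-overlapping nodes of each community into a supernode.

    Returns (skeleton_nodes, skeleton_edges, mapping), where mapping sends
    every original node to the skeleton node that now represents it.
    """
    # count how many communities each node belongs to
    membership = {n: 0 for n in nodes}
    for comm in communities:
        for n in comm:
            membership[n] += 1

    mapping, skel_nodes = {}, {}
    for i, comm in enumerate(communities):
        private = {n for n in comm if membership[n] == 1}
        if not private:
            continue
        sid = f"S{i}"
        # the supernode inherits the union of its members' vulnerability attributes
        skel_nodes[sid] = set().union(*(nodes[n] for n in private))
        for n in private:
            mapping[n] = sid

    # overlapping nodes (shared by several communities) and nodes outside every
    # community stay as ordinary nodes in the skeleton
    for n, vulns in nodes.items():
        if n not in mapping:
            mapping[n] = n
            skel_nodes[n] = set(vulns)

    # the supernode inherits the edges of its members; an edge whose both ends
    # fall into the same supernode disappears
    skel_edges = set()
    for edge in edges:
        a, b = tuple(edge)
        sa, sb = mapping[a], mapping[b]
        if sa != sb:
            skel_edges.add(frozenset((sa, sb)))
    return skel_nodes, skel_edges, mapping


# constructed sample: a web tier and a database tier sharing the gateway "gw";
# vulnerability ids v1..v4 are placeholders, not real identifiers
SAMPLE_NODES = {
    "web1": {"v1"}, "web2": {"v1", "v2"}, "gw": {"v3"},
    "db1": {"v4"}, "db2": {"v4"}, "mon": set(),
}
SAMPLE_EDGES = {frozenset(p) for p in [
    ("web1", "web2"), ("web1", "gw"), ("web2", "gw"),
    ("gw", "db1"), ("gw", "db2"), ("db1", "db2"), ("mon", "gw"),
]}
SAMPLE_COMMUNITIES = [{"web1", "web2", "gw"}, {"gw", "db1", "db2"}]

if __name__ == "__main__":
    skel_nodes, skel_edges, mapping = build_skeleton(
        SAMPLE_NODES, SAMPLE_EDGES, SAMPLE_COMMUNITIES)
    print(skel_nodes)        # S0 and S1 supernodes plus gw and mon
    print(sorted(tuple(sorted(e)) for e in skel_edges))
```

The shared gateway stays a real node because it belongs to both communities, which is what lets the skeleton keep the path between the two tiers.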
As shown in FIG. 2, the large-scale network attack deduction method based on the attack graph specifically comprises the following steps:
S201, after an attack event is detected, obtaining the vulnerability data and attack target information of the attack event.
S202, querying a corresponding attack graph from the pre-constructed attack graph library according to the attack target information, comprising:
querying whether a node corresponding to the attack target information exists in the topology skeleton graph and, if so, acquiring the attack graph of the topology skeleton graph;
if no node corresponding to the attack target information exists there, querying whether a node corresponding to the attack target information exists in each community heterogeneous subgraph and, if so, acquiring the attack graph of the cluster in which the corresponding community heterogeneous subgraph is located.
If no attack path matching the vulnerability data can be obtained from the attack graph of the cluster in which the community heterogeneous subgraph is located, the community heterogeneous subgraph itself is deduced with the MulVAL tool to generate its own attack graph, and the vulnerability data is matched again against that attack graph.
S203, matching and acquiring the corresponding attack paths from the attack graph according to the vulnerability data.
S204, analysing the attack path to obtain the attack step sequence, and taking the next attack step as the deduction result.
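Steps S201 to S204 as an added example (not the patent's code). It assumes an attack path is a list of (host, vulnerability id) steps in exploitation order, an attack graph is a list of such paths, and the library holds the skeleton's attack graph plus one attack graph per cluster; the MulVAL fallback of S202 is represented by an assumed hook `derive(community_index)`, and the attack graphs themselves are constructed by hand.

```python
# Added example, not the patent's code, covering steps S201 to S204. Assumed
# representation: attack path = [(host, vuln_id), ...] in exploitation order,
# attack graph = list of paths, library = skeleton graph + one graph per
# cluster. MulVAL is not run; its output is modelled by constructed lists.

def lookup_attack_graph(library, communities, target):
    """S202: choose the attack graph for the attack target.

    The skeleton is consulted first; otherwise the target's community is
    looked up and the attack graph of that community's cluster is used.
    """
    if target in library["skeleton_nodes"]:
        return library["skeleton_graph"]
    for idx, members in enumerate(communities):
        if target in members:
            return library["cluster_graphs"][library["cluster_of"][idx]]
    return []


def match_paths(graph, vulns):
    """S203: keep the paths that exploit one of the observed vulnerabilities."""
    return [path for path in graph if any(v in vulns for _, v in path)]


def deduce_next_step(library, communities, target, vulns, derive=None):
    """S201 to S204: return the predicted next (host, vulnerability) step.

    `derive(community_index)` is an assumed hook standing in for the MulVAL
    fallback of S202; it is called only when the cluster graph yields no match.
    """
    paths = match_paths(lookup_attack_graph(library, communities, target), vulns)
    if not paths and derive is not None:
        for idx, members in enumerate(communities):
            if target in members:
                paths = match_paths(derive(idx), vulns)
                break
    for path in paths:
        for i, (_, v) in enumerate(path):
            # S204: the step after the one matching the event is the deduction
            if v in vulns and i + 1 < len(path):
                return path[i + 1]
    return None


# constructed sample: skeleton S0 (web tier) - gw - S1 (db tier); communities
# 0 and 2 were clustered together, so community 2 reuses community 0's graph
SAMPLE_COMMUNITIES = [{"web1", "web2", "gw"}, {"gw", "db1", "db2"}, {"app1", "app2"}]
SAMPLE_LIBRARY = {
    "skeleton_nodes": {"S0", "S1", "gw", "mon"},
    "skeleton_graph": [[("S0", "v1"), ("gw", "v3"), ("S1", "v4")]],
    "cluster_of": {0: "c0", 1: "c1", 2: "c0"},
    "cluster_graphs": {
        "c0": [[("web1", "v1"), ("web2", "v2"), ("gw", "v3")]],
        "c1": [[("db1", "v4"), ("db2", "v4")]],
    },
}

if __name__ == "__main__":
    # event on the shared gateway: answered from the skeleton's attack graph
    print(deduce_next_step(SAMPLE_LIBRARY, SAMPLE_COMMUNITIES, "gw", {"v3"}))
    # event in community 2: answered from its cluster's attack graph
    print(deduce_next_step(SAMPLE_LIBRARY, SAMPLE_COMMUNITIES, "app1", {"v2"}))
```

Because a cluster's attack graph was derived from one representative subgraph, the hosts named in it belong to that representative, so matching is done on vulnerability ids rather than on host names.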
Embodiment two:
Building on the first embodiment, this embodiment provides a risk early warning method based on the above attack graph-based large-scale network attack deduction method, comprising the following steps:
acquiring the community heterogeneous subgraph of the node corresponding to the attack target information, and determining the cluster to which that community heterogeneous subgraph belongs;
searching whether a path containing the whole attack step sequence exists in the other community heterogeneous subgraphs of the cluster and, if so, marking the corresponding community heterogeneous subgraph as at risk of the same attack event.
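The early warning search of the second embodiment as an added example (not the patent's code). It assumes each community heterogeneous subgraph is given as hosts with their vulnerability ids plus an edge list, and that the attack step sequence is the list of vulnerability ids from the deduced attack path in order; treating a subgraph as at risk when a walk through it offers those vulnerabilities in that order, each step taken on the current host or an adjacent one, is a modelling assumption rather than the patent's wording.

```python
# Added example, not the patent's code. Assumed representation:
# subgraph = {"nodes": {host: set_of_vuln_ids}, "edges": [(a, b), ...]},
# steps = [vuln_id, ...] in the order of the deduced attack path.

def _adjacency(edges):
    adj = {}
    for a, b in edges:
        adj.setdefault(a, set()).add(b)
        adj.setdefault(b, set()).add(a)
    return adj


def find_step_path(subgraph, steps):
    """Return a host sequence realising `steps` in the subgraph, or None."""
    if not steps:
        return None
    nodes, adj = subgraph["nodes"], _adjacency(subgraph["edges"])

    def dfs(i, host, trail):
        if i == len(steps):
            return trail
        # stay on the host (a further exploit there) or move along an edge to
        # a host not visited yet; the step index grows, so the search ends
        candidates = [host] + sorted(n for n in adj.get(host, ()) if n not in trail)
        for nxt in candidates:
            if steps[i] in nodes.get(nxt, ()):
                found = dfs(i + 1, nxt, trail + [nxt])
                if found is not None:
                    return found
        return None

    for start in sorted(nodes):
        if steps[0] in nodes[start]:
            found = dfs(1, start, [start])
            if found is not None:
                return found
    return None


def early_warning(cluster_subgraphs, attacked, steps):
    """Flag the other subgraphs of the cluster that could suffer the same attack.

    cluster_subgraphs: {community_index: subgraph}; attacked: index of the
    community hit by the event. Returns {community_index: host sequence}.
    """
    at_risk = {}
    for idx, sg in cluster_subgraphs.items():
        if idx == attacked:
            continue
        path = find_step_path(sg, steps)
        if path is not None:
            at_risk[idx] = path
    return at_risk


# constructed sample: the cluster holds the attacked web community (0) and two
# communities that were clustered with it (2 and 3); vuln ids are placeholders
SAMPLE_CLUSTER = {
    0: {"nodes": {"web1": {"v1"}, "web2": {"v1", "v2"}, "gw": {"v3"}},
        "edges": [("web1", "web2"), ("web2", "gw"), ("web1", "gw")]},
    2: {"nodes": {"app1": {"v1"}, "app2": {"v2"}, "app3": {"v3"}},
        "edges": [("app1", "app2"), ("app2", "app3")]},
    3: {"nodes": {"x1": {"v1", "v2"}, "x2": {"v5"}},
        "edges": [("x1", "x2")]},
}
SAMPLE_STEPS = ["v1", "v2", "v3"]   # from the observed path web1 -> web2 -> gw

if __name__ == "__main__":
    print(early_warning(SAMPLE_CLUSTER, attacked=0, steps=SAMPLE_STEPS))
```

Community 3 offers the first two steps on one host but has no host with the third vulnerability reachable from it, so it is not flagged; community 2 is.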
It will be appreciated by those skilled in the art that embodiments of the present application may be provided as a method, system, or computer program product. Accordingly, the present application may take the form of an entirely hardware embodiment, an entirely software embodiment or an embodiment combining software and hardware aspects. Furthermore, the present application may take the form of a computer program product embodied on one or more computer-usable storage media (including, but not limited to, disk storage, CD-ROM, optical storage, and the like) having computer-usable program code embodied therein.
The present application is described with reference to flowchart illustrations and/or block diagrams of methods, apparatus (systems) and computer program products according to embodiments of the application. It will be understood that each flow and/or block of the flowchart illustrations and/or block diagrams, and combinations of flows and/or blocks in the flowchart illustrations and/or block diagrams, can be implemented by computer program instructions. These computer program instructions may be provided to a processor of a general purpose computer, special purpose computer, embedded processor, or other programmable data processing apparatus to produce a machine, such that the instructions, which execute via the processor of the computer or other programmable data processing apparatus, create means for implementing the functions specified in the flowchart flow or flows and/or block diagram block or blocks.
These computer program instructions may also be stored in a computer-readable memory that can direct a computer or other programmable data processing apparatus to function in a particular manner, such that the instructions stored in the computer-readable memory produce an article of manufacture including instruction means which implement the function specified in the flowchart flow or flows and/or block diagram block or blocks.
These computer program instructions may also be loaded onto a computer or other programmable data processing apparatus to cause a series of operational steps to be performed on the computer or other programmable apparatus to produce a computer implemented process such that the instructions which execute on the computer or other programmable apparatus provide steps for implementing the functions specified in the flowchart flow or flows and/or block diagram block or blocks.
The foregoing is merely a preferred embodiment of the present application, and it should be noted that modifications and variations could be made by those skilled in the art without departing from the technical principles of the present application, and such modifications and variations should also be regarded as being within the scope of the application.
Claims (2)
1. A large-scale network attack deduction method based on an attack graph, characterised by comprising the following steps:
after an attack event is detected, obtaining the vulnerability data and attack target information of the attack event;
querying a corresponding attack graph from a pre-constructed attack graph library according to the attack target information, wherein the querying comprises: querying whether a node corresponding to the attack target information exists in the topology skeleton graph and, if so, acquiring the attack graph of the topology skeleton graph; if no such node exists there, querying whether a node corresponding to the attack target information exists in each community heterogeneous subgraph and, if so, acquiring the attack graph of the cluster in which the corresponding community heterogeneous subgraph is located;
matching and acquiring the corresponding attack paths from the attack graph according to the vulnerability data;
analysing an attack path to obtain the attack step sequence, and taking the next attack step as the deduction result;
wherein the construction of the attack graph library comprises the following steps:
collecting the vulnerability data and external connection relations of each server in the large-scale network and constructing a network topology graph, wherein constructing the network topology graph comprises: constructing the network topology graph with each server as a node, its vulnerability data as the node's attributes and its external connection relations as the node's edges;
mining communities in the network topology graph with the BigCLAM algorithm and generating the corresponding community heterogeneous subgraphs;
transforming the non-overlapping areas of each community heterogeneous subgraph to generate a topology skeleton graph of the network topology graph, wherein generating the topology skeleton graph comprises: replacing the non-overlapping nodes of each community heterogeneous subgraph with a supernode, the supernode inheriting the attributes and edges of the non-overlapping nodes it replaces, to generate the topology skeleton graph of the network topology graph;
deducing, with the MulVAL tool, a corresponding attack graph containing attack paths from the topology skeleton graph;
computing a vector representation of each community heterogeneous subgraph with the MetaPath2vec method, and clustering the vector representations to generate clusters;
randomly selecting one community heterogeneous subgraph from each cluster and deducing, with the MulVAL tool, a corresponding attack graph containing attack paths;
aggregating the attack graphs of the topology skeleton graph and of the clusters into the attack graph library;
and, if no attack path matching the vulnerability data can be obtained from the attack graph of the cluster in which the community heterogeneous subgraph is located, deducing the community heterogeneous subgraph itself with the MulVAL tool to generate its own attack graph, and matching the vulnerability data again against that attack graph.
2. A risk early warning method based on the attack graph-based large-scale network attack deduction method of claim 1, comprising the following steps:
acquiring the community heterogeneous subgraph of the node corresponding to the attack target information, and determining the cluster to which that community heterogeneous subgraph belongs;
searching whether a path containing the whole attack step sequence exists in the other community heterogeneous subgraphs of the cluster and, if so, marking the corresponding community heterogeneous subgraph as at risk of the same attack event.
Priority Applications (1)
Application Number | Priority Date | Filing Date | Title |
---|---|---|---|
CN202211279389.9A CN115913640B (en) | 2022-10-19 | 2022-10-19 | Large-scale network attack deduction and risk early warning method based on attack graph |
Publications (2)
Publication Number | Publication Date |
---|---|
CN115913640A CN115913640A (en) | 2023-04-04 |
CN115913640B true CN115913640B (en) | 2023-09-05 |
Family
ID=86475295
Family Applications (1)
Application Number | Title | Priority Date | Filing Date |
---|---|---|---|
CN202211279389.9A Active CN115913640B (en) | 2022-10-19 | 2022-10-19 | Large-scale network attack deduction and risk early warning method based on attack graph |
Country Status (1)
Country | Link |
---|---|
CN (1) | CN115913640B (en) |
Citations (9)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
CN104394177A (en) * | 2014-12-16 | 2015-03-04 | Yunnan Power Dispatching and Control Center | Calculating method of attack target accessibility based on global attack graph |
CN105991521A (en) * | 2015-01-30 | 2016-10-05 | Alibaba Group Holding Limited | Network risk assessment method and network risk assessment device |
CN109218276A (en) * | 2017-08-01 | 2019-01-15 | Global Energy Interconnection Research Institute | Network attack graph generation method and system |
CN110138762A (en) * | 2019-05-09 | 2019-08-16 | Nanjing University of Posts and Telecommunications | Vulnerability detection system, method and storage medium based on attack graph network |
CN112311780A (en) * | 2020-10-23 | 2021-02-02 | Electric Power Research Institute of State Grid Jilin Electric Power Co., Ltd. | Method for generating multi-dimensional attack path and attack graph |
CN112769869A (en) * | 2021-02-09 | 2021-05-07 | Zhejiang Gongshang University | SDN network security prediction method based on Bayesian attack graph and corresponding system |
KR20210074891A (en) * | 2019-12-12 | 2021-06-22 | Agency for Defense Development | Method and apparatus for predicting attack target based on attack graph |
CN114915476A (en) * | 2022-05-19 | 2022-08-16 | Nanjing NARI Information and Communication Technology Co., Ltd. | Attack deduction graph generation method and system based on network security evaluation process |
CA3154249A1 (en) * | 2021-04-08 | 2022-10-08 | Nozomi Networks Sagl | Method for automatic derivation of attack paths in a network |
Family Cites Families (1)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
US10425429B2 (en) * | 2013-04-10 | 2019-09-24 | Gabriel Bassett | System and method for cyber security analysis and human behavior prediction |
Events
- 2022-10-19: application CN202211279389.9A filed in CN, granted as CN115913640B, status Active
Non-Patent Citations (1)
Title |
---|
Cross-space cascading failure hazard assessment of power cyber-physical systems based on an improved attack graph; Wang Yufei; Gao Kunlun; Zhao Ting; Qiu Jian; Proceedings of the CSEE (06); full text * |
Also Published As
Publication number | Publication date |
---|---|
CN115913640A (en) | 2023-04-04 |
Similar Documents
Publication | Publication Date | Title |
---|---|---|
CN106790186B (en) | Multi-step attack detection method based on multi-source abnormal event correlation analysis | |
CN110933101B (en) | Security event log processing method, device and storage medium | |
CN102790706B (en) | Safety analyzing method and device of mass events | |
Wang et al. | A network gene-based framework for detecting advanced persistent threats | |
US7530105B2 (en) | Tactical and strategic attack detection and prediction | |
CN111030986B (en) | Attack organization traceability analysis method and device and storage medium | |
KR20150084123A (en) | Apparatus and method for detecting abnormal behavior | |
WO2015187566A1 (en) | Real-time model of states of monitored devices | |
US11159564B2 (en) | Detecting zero-day attacks with unknown signatures via mining correlation in behavioral change of entities over time | |
CN113987492A (en) | Method and device for determining alarm event | |
CN111191683A (en) | Network security situation assessment method based on random forest and Bayesian network | |
Sen et al. | Towards an approach to contextual detection of multi-stage cyber attacks in smart grids | |
Sen et al. | On holistic multi-step cyberattack detection via a graph-based correlation approach | |
CN115913640B (en) | Large-scale network attack deduction and risk early warning method based on attack graph | |
CN110493218B (en) | Situation awareness virtualization method and device | |
CN116938587A (en) | Threat detection method and system based on trace-source diagram behavior semantic extraction | |
Cortés et al. | A hybrid alarm management strategy in signature-based intrusion detection systems | |
CN115842684A (en) | Multi-step attack detection method based on MDATA subgraph matching | |
CN116595523A (en) | Multi-engine file detection method, system, equipment and medium based on dynamic arrangement | |
Li et al. | A threat recognition solution of edge data security in industrial internet | |
CN115827379A (en) | Abnormal process detection method, device, equipment and medium | |
CN115801458B (en) | Real-time attack scene reconstruction method, system and equipment aiming at multi-step attack | |
CN108540322A (en) | A kind of optimization method of attack graph effect of visualization | |
CN115622796B (en) | Network security linkage response combat map generation method, system, device and medium | |
CN111431865B (en) | Network deep threat detection method |
Legal Events
Date | Code | Title | Description |
---|---|---|---|
| PB01 | Publication | |
| SE01 | Entry into force of request for substantive examination | |
| GR01 | Patent grant | |